The Information Privacy Act 2009 (Qld) (IP Act) gives the Information Commissioner the power to issue a compliance notice where there has been a serious or a flagrant breach of the obligation to comply with the privacy principles, or a breach which has occurred five times in the preceding two years.
An agency must comply with a compliance notice, but can appeal against the decision to issue the compliance notice to the Queensland Civil and Administrative Tribunal (QCAT).
In order to issue a compliance notice, the Information Commissioner must be satisfied on reasonable grounds that an agency has done an act or engaged in a practice that is a contravention of the agency's obligation to comply with the privacy principles. The act or practice must be one of the following:
'Flagrant' is particularly concerned with how the breach occurred; 'serious' with the outcomes or result of the breach.
For a breach to be serious, it must not be unimportant or trivial. The seriousness of a breach can be determined by any or all of the following:
The breach must be such that it would cause apprehension or concern to the individuals the information is about and could have, or has had, harmful or undesired consequences.
For a breach to be flagrant, it must be obvious and blatant. Generally, an accidental breach or one that occurs as a result of a genuine misunderstanding would not be a flagrant breach. Flagrancy requires an element of deliberateness, carelessness, negligence or an obvious or deliberate disregard.
Examples of a flagrant breach:
In order to fit within this section, the agency must have done the act at least five times in the two years prior to the matter coming to the Information Commissioner's attention.
While breaches of this kind will often come to the Information Commissioner's attention as a result of receiving privacy complaints about the action, it is not necessary for the Information Commissioner to have received a complaint in order to issue a compliance notice.
Under section 197 of the IP Act, if the Information Commissioner is satisfied on reasonable grounds that a person has information relevant to the Commissioner’s decision to give an agency a compliance notice, the Commissioner may give the person a written notice requiring the person to:
The written notice must state:
The Information Commissioner may choose to administer an oath or affirmation to the person attending to answer questions that the person will answer the questions truthfully.
There are very few limitations placed on what the Information Commissioner can require an agency to do in a compliance notice. Section 158(2) sets out that the compliance notice may require an agency to take a stated action, within a stated period, for the purposes of ensuring compliance with the obligation.
The action must be one which will cause the agency, once it has followed it, to comply with the privacy principle or principles that it breached. A compliance notice could not, for example, require an agency to pay compensation to an individual whose personal information was involved in a breach, or to make an apology.
There is no guidance in the IP Act as to what is a reasonable time for an agency to comply with the notice, but a reasonable time would be one which took into consideration:
Relevant considerations could include:
Section 160 of the IP Act states that an agency that is given a compliance notice must take all reasonable steps to comply with the notice. The maximum penalty for non-compliance is 100 penalty units.
Failure to take all reasonable steps to comply with a compliance notice is an offence against the IP Act.
If an agency is having difficulty complying with a notice in the time given, it should apply to the Information Commissioner for an extension of time under section 159 of the IP Act.
An agency may apply for additional time to comply with a compliance notice, but it must make that application before the time allowed in the original notice has expired.
An agency may apply for a general extension or for a set number of extra days. When applying for the extension, it is important that an agency sets out why it needs the additional time and any other relevant factors, so that the Information Commissioner can properly assess it.
If the time has expired, then an agency may not request extra time. This means it is very important that an agency tell the Office of the Information Commissioner if it is having any difficulties or issues complying with the compliance notice so that the time does not expire before it can request an extension.
On receiving a request for an extension of time, the Information Commissioner may:
Before the extension is granted, the agency must give the Information Commissioner an undertaking to comply with the notice within the granted extension of time.
Before the Information Commissioner can make a decision on an application for additional time under section 159 of the IP Act, the Information Commissioner must be satisfied that it is not reasonably practicable for the agency to comply with the notice in the time stated in the notice.
'Reasonably practicable' is discussed in Key privacy concepts - practicable and impracticable, but generally 'not practicable' does not simply mean difficult or undesirable.
To be impracticable, the action must be nearly impossible or extremely difficult to carry out within the time provided. The fact that compliance within the time set out in the compliance notice would be inconvenient or would involve expenditure of some effort or resources would not be sufficient to make it not practicable.
Under section 161, an agency which has been given a compliance notice may apply, as provided under the Queensland Civil and Administrative Tribunal Act 2009 (Qld) (QCAT Act), to QCAT for a review of the decision to give it the notice. When such an application is made, QCAT must exercise its review jurisdiction under the QCAT Act.
The time in which a review must be sought is not specified in the IP Act, but generally an agency should apply before the expiry of the time provided for compliance. To do otherwise might mean that, by the time the agency sought the review, the agency could have committed an offence under section 153 by not complying with the notice.
Where an application is made to QCAT, both the agency to which the notice was given and the Information Commissioner are parties to both the application for review and the review, if QCAT decides to conduct one.
QCAT may, on its own initiative or as a result of an application by the individual, at any time join an individual as a party to the proceedings. However, QCAT may only do this if it considers that the individual is affected by the decision to give a compliance notice.
Under section 163, if QCAT decides to review a decision of the Information Commissioner to issue a compliance notice, it may make any of the following orders:
Current as at: July 19, 2013