Practice Note - Information Privacy Act 2009
This practice note gives tips for handling privacy complaints that could mean the difference between a complaint that is successfully resolved and one that is escalated to the Office of the Information Commissioner (OIC) or on to the Queensland Civil and Administrative Tribunal (QCAT).
1. Acknowledge the complaint promptly
Acknowledge receipt of the complaint as soon as possible after it is received. Even if the complaint requires further investigation or will be dealt with informally, promptly acknowledging receipt of the complaint can build the foundation for effective communication with the complainant. You can also take this opportunity to manage the complainant’s expectations about the complaints management process by:
- explaining the steps in the complaint process and expected timeframes for handling the complaint
- providing information about how the agency collects, uses and discloses personal information in the course of handling a complaint; and
- giving a contact telephone number, preferably with the name of a contact person, from the business area within the agency that will be handling the complaint.
This may avoid unnecessary escalation of a complaint to an external complaints agency or a Ministerial Office.
2. Understand the reason for the complaint
It is unlikely that the initial complaint will contain all the information you need to decide how it should be dealt with. Talking with a complainant gives them a chance to tell their story and to know that they have been listened to. Asking questions or summarising your understanding of the issue back to the complainant will help ensure you fully understand their position.
It also gives you the opportunity to find out what the complainant’s concerns are and why they have made the complaint. This in turn may help you identify potential ways in which you could resolve their complaint.
A complainant who believes they have been listened to, that their concerns have been acknowledged and that they have been treated with respect will be more willing to resolve their complaint.
3. Make personal contact with the complainant
Personal contact with a complainant by telephone or, where appropriate, face-to-face is a key way of building trust, and is a great help in moving towards resolution. For example, ringing a complainant ahead of a letter giving a decision that will disappoint them can help manage the complainant’s disappointment and increase the likelihood that the complainant will be more accepting of the decision.
Hints
Prepare for talking with a complainant by first considering what information you require from the complainant and what information the complainant might wish to know.
A practical way of managing difficult or challenging behaviour, such as where the complainant is angry, or is insisting on outcomes that are unattainable, is to plan possible key responses ahead of talking with the complainant.
The Commonwealth Ombudsman’s Better Practice Guide to Managing Unreasonable Complainant Conduct provides script ideas that cover scenarios such as defining a complaint, reframing a complainant’s expectations, and responding to disappointment. The responses in the script ideas are suggestions only and should be used flexibly within the context of your agency’s policies and practices and the circumstances of the individual complainant.
4. Make regular contact with the complainant
If complainants are not kept informed about what is happening, they are likely to make negative assumptions. This can tip a cooperative person into being adversarial or looking for redress in some other way, such as through escalating their complaint to a third party.
Good communication establishes goodwill and can mean that a complainant will be more accepting of a decision or outcome that is not what they anticipated.
Provide the complainant with anticipated (and realistic) timeframes of when they can expect to be updated on the progress of their complaint. Ensure that you follow through on what you tell the complainant, even if there is no progress to update. Where possible, provide an explanation for any delays.
If an unreasonable amount of time is being spent responding to repeated inquiries from a complainant who has already been given appropriate advice, consider setting limits on when and/or how the complainant can interact with you and notify the complainant of these arrangements.
Monitor the effectiveness of communication with complainants by reviewing the:
- maximum number of days between contacts with a complainant; and
- percentage of contact with complainants that is made by telephone.
5. Give a meaningful apology
OIC’s experience is that complainants commonly seek an apology as an outcome of mediation.
Providing an apology does not necessarily mean that an agency accepts its actions were in breach of the IP Act, nor does it stop an agency from providing information on how its actions were compliant with the obligations in the IP Act.
A person makes a complaint because they are unhappy or dissatisfied. Even where the act or practice being complained about is not a breach of the agency’s obligations under the IP Act (for example, where the agency has disclosed personal information in a circumstance permitted by the IP Act), the fact that a complaint has been made indicates that the actions of the agency have negatively impacted the individual. Apologising for this impact, especially where the apology is communicated sincerely, can go a long way towards resolving a complaint informally and restoring the relationship between the individual and the agency.
Attempts at resolution often fail where an agency does not provide an apology in a timely manner or the apology is so qualified that it appears insincere.
In some instances, complaints brought to OIC for mediation were escalated by the complainant because the agency focussed on whether its actions were technically in breach of the IP Act, and/or shifted blame or responsibility to the complainant. Focussing on what can be done rather than who was wrong will help achieve resolution, and allows for service improvement opportunities.
It is a common misconception that if an apology is provided, it constitutes an admission of liability which can then be used in legal proceedings. This is not correct, as section 72D of the Civil Liability Act 2003 (Qld) explicitly states that an apology does not constitute an express or implied admission of fault or liability, and is not relevant to the determination of fault or liability in relation to the matter.
To give an effective apology, you should:
- describe the issue that is the subject of the complaint
- acknowledge the effect it has had on the complainant
- explain the reason for the agency’s actions, for example, legislative and/or policy compliance
- include a sincere statement of sorrow or regret; and
- where appropriate, state what is being done to ensure that the issue does not reoccur.
A ‘faux’ apology that focusses on the reaction of the complainant, or questions whether any harm has been done, may appear dismissive and will make it harder to resolve the complaint.
For example, avoid phrases such as:
- ‘I’m sorry you feel that way’.
- ‘I am sorry that you felt the agency breached your privacy’.
- ‘I’m sorry you took offence at what was said’.
Take into account the nature of the harm done and the needs of the complainant when deciding whether to make the apology in person, in writing, or both. Finally, ensure that the apology is given by the right person; either the person who committed the act or practice, or the person who has overall responsibility for the service or business area.
6. Give clear reasons for the agency’s decision
Another common reason why complainants bring their complaint to OIC is because a decision was given without adequate reasons. A statement that ‘We were unable to uphold your complaint’, ‘We were unable to confirm your version of events’, ‘Your complaint did not reveal anything improper’, without supporting evidence and reasoning, is not a reason – it is a conclusion.
A reason addresses:
- why you were unable to uphold the complaint
- why you were unable to confirm the complainant’s version of events; or
- why what was alleged was not improper or in breach of the IP Act.
At a minimum, your complaint outcome letter should demonstrate that, as an agency, you have:
- addressed the context, nature and extent of the complaint
- assessed the complaint against the relevant privacy principles
- considered all other relevant criteria, such as legislation applicable to the agency and any relevant policies, standards or directives; and
- determined the extent to which the complaint is or is not substantiated and all the reasons for this.
Consider the following examples:
Example A
Your complaint has been investigated and our Agency is satisfied that appropriate action by Agency staff was taken in relation to this matter. Consequently, no further action will be taken in relation to this complaint.
Example B
Queensland government agencies are obliged to comply with the privacy principles in the Information Privacy Act 2009 (Qld). Under Information Privacy Principle 11 (IPP 11), an agency must not disclose personal information to a third party unless one of the permitted exemptions applies. One of these exemptions is where the disclosure is authorised or required under a law.
The Compulsory Registration of Goldfish Regulation 2006 (Qld) requires that our Agency publish particular information about the selling of goldfish. Section 12B of this Regulation specifically requires that the name and address of a registered seller is published on our website.
The privacy principles do not override other legislation. When a disclosure of personal information is in accordance with another law, there can be no privacy breach.
However, I acknowledge your concern that not everybody may be aware that their address will be made publicly available when they register as a goldfish seller and that this may raise security concerns for some individuals.
Our Agency has reviewed the process by which individuals apply to be a registered goldfish seller and as a consequence, will be updating our online form to provide clearer advice about what will happen to your personal information once it is collected.
I am sincerely sorry that this advice was not readily accessible at the time you registered as a goldfish seller and for the distress that having your address published has caused you.
I thank you for bringing this matter to my attention.
The decision letter should also advise the complainant of their right to bring their complaint to OIC after the 45 business day period has passed if they are not satisfied with your agency’s response.
7. Look at what other remedies could be provided
In order to resolve a substantiated privacy complaint, you will generally need to consider remedial actions for the breach.
While you cannot undo what has happened, explaining how and why the problem occurred and what steps the agency will take or has taken to avoid it recurring, may help to resolve the complaint and allow complainants to feel that their complaint has had a positive outcome. Ways to prevent a privacy breach from recurring include:
- developing or updating policies, procedures or work instructions
- giving an undertaking that employees will attend refresher privacy training
- improving collection notices or the way a collection notice is provided to enhance awareness of what will or may happen to personal information once it is collected
- undertaking a physical or technical security audit; or
- revisiting and revising outsourcing contracts which involve the handling of personal information.
You could also consider what action can be taken to remedy the harm from the breach. In theory, remedial measures are geared at restoring the individual to the position they were in before their privacy was breached. In many cases, it may be possible to provide an effective non-financial remedy such as:
- correcting misleading or inaccurate documents by amending the document or providing the complainant with the opportunity to provide a notation which can then be added to the document
- implementing additional security measures to documents which contain the complainant’s personal information
- taking practical steps to recall the personal information or to take it down off a website
- clarifying precisely what personal information was involved in the breach by providing the complainant with administrative access to the relevant documents; or
- providing information and assistance to the complainant to deal with the consequences of the breach (for example, how to request a copy of their credit report for free or to access an employee assistance program).
Agencies could also consider the potential for an ex-gratia payment for the harm suffered by the complainant as a result of the breach, including for hurt feelings.
These options are not exhaustive. Ask the complainant what outcomes they are seeking. If you cannot agree with a complainant’s proposed remedy, discuss the reasons for this with them and ask what else they suggest. Often they’ll surprise you by asking for less than you may think, especially when they have received a meaningful apology.