Accountability mechanisms

46.47 The Privacy Commissioner and the OPC are subject to a number of accountability mechanisms to ensure that decisions made, and conduct engaged in, by the Commissioner and the OPC are legal and correct. These mechanisms include judicial review, merits review and review by the Commonwealth Ombudsman.

46.48 In addition to the review rights that, as discussed below, are primarily held by individuals (in the sense that an individual can initiate them through making a complaint or instituting proceedings), the Commissioner is also subject to another form of accountability—that is, the Commissioner is subject to parliamentary scrutiny with regard to the substance of legislative instruments issued by the Commissioner. Most of the binding instruments issued by the Commissioner—such the s 17 Tax File Number Guidelines and Public Interest Determinations[65]—are ‘disallowable instruments’, which means they are subject to parliamentary oversight and disallowance under the Legislative Instruments Act 2003 (Cth). This provides further oversight and scrutiny of the substance of decisions made by the Commissioner.

Judicial review

46.49 Complainants and respondents may apply under the Administrative Decisions (Judicial Review) Act 1977 (Cth) (ADJR Act) to the Federal Court or Federal Magistrates Court for a review of ‘administrative decisions’, or ‘conduct’ preparatory to the making of a decision by the Privacy Commissioner under the Privacy Act.[66]

46.50 The ADJR Act provides an aggrieved person with broad grounds to apply for review. These grounds include a breach of natural justice; error of law; and an improper exercise of power, which includes having an improper purpose, taking an irrelevant consideration into account, failing to take a relevant consideration into account, an abuse of power and unreasonableness.[67]

46.51 Judicial review is to be distinguished from merits review. Under the ADJR Act, the court reviews the legality of the process followed to make the decision, not the substance of the decision (which is the subject of merits review). The court cannot hear the matter afresh or substitute the decision of the Commissioner with its own. If the court finds that the grounds for review are made out, it can make an order setting aside or quashing the decision and can remit the matter back to the Privacy Commissioner for further reconsideration according to law.[68]

46.52 Matters that could be the subject of an application for review under the ADJR Act include a decision not to investigate (or investigate further) a privacy complaint under s 41, a decision not to make a determination under s 52, and a failure to give reasons to a person adversely affected by a decision of the Commissioner.[69]

Merits review

46.53 As noted above, merits review is concerned with the substance of a decision and, in particular, whether the decision was the correct or preferable decision. There are very limited rights to merits review under the Privacy Act. There is a right to apply to the Administrative Appeals Tribunal for a review of the Commissioner’s decision to refuse to approve the medical research and genetics guidelines under ss 95, 95A and 95AA of the Privacy Act.[70]

46.54 Secondly, merits review is available in respect of determinations against agencies, but only in relation to decisions made to include or not include a declaration for compensation or costs.[71] Merits review is not available for other decisions made by the Privacy Commissioner in the complaints process. For instance, there is no right to merits review of a decision by the Commissioner under s 41 of the Act not to investigate a complaint, or to cease investigations, on the basis that the Commissioner considers that the respondent has dealt adequately with the complaint—regardless of whether the complainant is satisfied with the respondent’s response.[72]

Commonwealth Ombudsman

46.55 The Commissioner and the OPC are also subject to review by the Commonwealth Ombudsman with respect to ‘a matter of administration’.[73] The Ombudsman is an independent statutory office holder who can investigate administrative actions of Australian Government officials and agencies, such as the OPC, either on receipt of a complaint or on the Ombudsman’s own motion. The Ombudsman investigates and resolves disputes through consultation and negotiation, and, where necessary, by making formal, non-binding recommendations to senior levels of government. The type of actions the Ombudsman may report on include where the action: appears to have been contrary to law; was unreasonable, unjust, oppressive or improperly discriminatory; or was otherwise, in all the circumstances, wrong.[74]

46.56 The Ombudsman and the OPC entered into a memorandum of understanding (MOU) in November 2006. The MOU addresses a number of issues and is intended to ensure, among other things, that complaints made to one party about the other are handled efficiently and fairly.

ALRC’s view

46.57 In DP 72, the ALRC identified stakeholder views on whether the accountability measures to which the OPC is subject under the Privacy Act are appropriate. While the issue of merits review was raised by several stakeholders (and is addressed in detail in Chapter 49), any significant concerns about the other accountability measures were not addressed in submissions.

46.58 The current accountability mechanisms of judicial review and review by the Commonwealth Ombudsman are appropriate. The fact that the Commissioner’s decisions are subject to judicial review is an important oversight mechanism to ensure the legality of the exercise of the Commissioner’s powers and that proper processes are followed. The oversight by the Ombudsman is consistent with other federal regulators, and provides a necessary avenue for individuals who have a complaint against the administrative workings of the OPC.

46.59 The current rights to merits review, however, are not sufficient, particularly in relation to complaint determinations. The concerns raised by stakeholders about the inability to challenge the merits of the Commissioner’s decisions are addressed in Chapter 49, with a recommendation made to provide merits review of determinations made by the Commissioner under s 52 of the Privacy Act.[75]

[65] Other disallowable instruments issued by the OPC include the Credit Reporting Code of Conduct, and determinations made under Part IIIA. Note that privacy codes approved under Part IIIAA of the Privacy Act are legislative instruments but are not subject to disallowance by Parliament: see Legislative Instruments Act 2003 (Cth) s 44(2), item 44; Legislative Instruments Regulations 2004 (Cth) sch 2, item 8.

[66]Administrative Decisions (Judicial Review) Act 1977 (Cth) ss 3, 5, 6.

[67] Ibid ss 5, 6.

[68] Ibid s 16. See also Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 129.

[69] See Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 129; Administrative Decisions (Judicial Review) Act 1977 (Cth) s 16.

[70] See Privacy Act 1988 (Cth) ss 95(5), 95A(7), 95AA(3). Under s 95A(7), an application may also be made to the Administrative Appeals Tribunal for review of a decision of the Commissioner to revoke an approval of guidelines.

[71] Ibid s 61. Merits review is discussed in detail in Ch 49.

[72] See the concerns raised about this point in Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 138–139.

[73]Ombudsman Act 1976 (Cth) s 5; Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 128.

[74]Ombudsman Act 1976 (Cth) s 15(1). There are a number of other circumstances set out in this section.

[75] Rec 49–7.