Investigating privacy complaints

Background

49.3 The Commissioner’s powers to investigate complaints of a breach of the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs) are established in separate paragraphs of s 27(1) of the Privacy Act.[1] These powers are activated by a ‘complaint’. The Act confers rights on individuals to complain to the Commissioner about acts or practices that may be an interference with individuals’ privacy rights, as created by the Act.[2]

Matters the Commissioner must not investigate

49.4 The Commissioner generally is required to investigate an act or practice if it may be an interference with an individual’s privacy and a complaint has been made about it under s 36.[3] The Commissioner must not investigate a complaint, however, if the complainant did not first complain to the respondent, unless the Commissioner considers that it was not appropriate for the complainant to do so.[4] The Commissioner also must cease investigating if certain offences have been committed, or where the Auditor-General already is investigating the matter.[5] These last two situations are discussed later in this chapter.

Discretion not to investigate or to defer investigation

49.5 The Commissioner has the discretion to decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made under s 36, or accepted under s 40(1B), where the:

  • act or practice is not an interference with privacy; the complaint was made over 12 months after the complainant became aware of the act or practice; the complaint is frivolous, vexatious, misconceived or lacking in substance; the act or practice is the subject of an application under another federal, state or territory law and the complaint is being dealt with adequately under that law; or another law provides a more appropriate remedy for the complaint;[6]
  • complainant has complained to the respondent about the act or practice and the respondent is dealing adequately with the complaint or has not yet had an adequate opportunity to deal with the complaint;[7] or
  • respondent has applied for a public interest determination and the Commissioner is satisfied that the interests of persons affected by the act or practice would not be prejudiced unreasonably if the investigation were deferred until the application has been disposed of.[8]

Submissions and consultations

49.6 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC noted a number of concerns raised by stakeholders about the requirement to complain to the respondent before complaining to the Privacy Commissioner, and the limitations on the Commissioner’s ability to dismiss minor or stale complaints.

49.7 The ALRC made a number of proposals to expand the Commissioner’s powers under s 41, including that the Commissioner may decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made, if the Commissioner is satisfied that:

  • the complainant has withdrawn the complaint;
  • the complainant has not responded to the Commissioner for a specified period following a request by the Commissioner for a response in relation to the complaint; or
  • an investigation, or further investigation, of the act or practice is not warranted having regard to all the circumstances.[9]

49.8 This proposal was supported by a number of stakeholders.[10] Some stakeholders, however, expressed concern about giving the Commissioner a broader power to decline to investigate. These concerns were based on a perception that the OPC did not have a strong record in investigating complaints, and would be likely to refuse complaints even where there were potentially serious and systemic concerns.[11] The Public Interest Advocacy Centre (PIAC) agreed with the ALRC that there was a need for systemic issues to be addressed in privacy legislation. It argued, however, that:

this should not be at the expense of individual complaints. In PIAC’s experience, many systemic issues only become evident as a result of a number of individual complaints about the same or similar issues.[12]

49.9 The Cyberspace Law and Policy Centre broadly supported the proposal, but was concerned that allowing the Commissioner to decline to investigate where it is not warranted in the circumstances would be open to abuse. In the Centre’s view, where the Commissioner makes such an assessment, a complainant should be given the right to require a determination under s 52 of the Privacy Act.[13]

ALRC’s view

49.10 A central tension in the regulation of compliance with the Privacy Act is how to strike a balance between resolving individual complaints and remedying systemic issues. By systemic issues, the ALRC is referring to ‘issues that are about an organisation’s or industry’s practice rather than about an isolated incident’.[14] Systemic issues can be distinguished from issues that have no implications beyond the immediate actions and rights of the parties to the complaint.[15] They can be identified out of the consideration of a single complaint, however, ‘because the effect of the particular issue will clearly extend beyond the parties to the complaint’.[16]

49.11 A compromise needs to be made between addressing individual complaints and addressing systemic issues. The compromise recommended by the ALRC is to give the Commissioner more discretion not to investigate individual complaints in certain circumstances. First, the Commissioner should be given a discretion not to investigate an act or practice if he or she is satisfied that an investigation, or further investigation, of the act or practice is not warranted having regard to all the circumstances. This discretion would enable the Commissioner to dismiss trivial complaints, or complaints that have no prospect of a practical or satisfactory resolution. The same discretion is available to the Commonwealth Ombudsman[17] and a similar test is used in state legislation such as the Anti-Discrimination Act 1977 (NSW).[18] While the ALRC notes the concerns of stakeholders based on past experience, the OPC has worked steadily over the past two years, with additional funding, to improve the overall efficiency of its complaint-handling processes. This should allow the OPC to allocate more resources to important investigations.[19]

49.12 The Commissioner’s powers to dismiss stale complaints also should be clarified. The Privacy Act should be amended to give the Commissioner the specific discretion to cease investigating a complaint that has been withdrawn by the complainant; or where the Commissioner has had no substantive response from the complainant for a certain period, following a request by the Commissioner for a response in relation to the complaint.[20]

49.13 The ALRC does not recommend any reform to the requirement of first complaining to the respondent. The ALRC agrees with the OPC that where a complaint can be resolved between the complainant and respondent without involving the OPC, this is likely to be the most efficient means of resolving it. This approach also is consistent with other privacy legislation and the approach taken in external dispute resolution (EDR) schemes such as the Banking and Financial Service Ombudsman (BFSO) and the Telecommunications Industry Ombudsman (TIO).[21] The obligation of complaining first to the respondent, however, should be supported by agencies and organisations adopting internal dispute resolution processes and making the avenues of complaint clear in their Privacy Policies.[22]

Recommendation 49–1 The Privacy Act should be amended to provide that, in addition to existing powers not to investigate, the Privacy Commissioner may decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made, or which the Commissioner has accepted under s 40(1B), if the Commissioner is satisfied that:

(a) the complainant has withdrawn the complaint;

(b) the complainant has not responded to the Commissioner for a specified period following a request by the Commissioner for a response in relation to the complaint; or

(c) an investigation, or further investigation, of the act or practice is not warranted having regard to all the circumstances.

[1]Privacy Act 1988 (Cth) ss 27(1)(a), 27(1)(ab).

[2] Ibid s 36. Note, there is no right to complain to the Commissioner about acts or practices of an organisation bound by an approved privacy code where the code contains a procedure for making and dealing with complaints to an adjudicator, and the code is relevant to the act or practice in question: see s 36(1A).

[3] Ibid s 40(1). The power to investigate on the Commissioner’s own motion is discussed in Ch 50.

[4] Ibid s 40(1A). In practice, the OPC requires that complainants provide it with a copy of their letter to the respondent and a copy of any response received by the complainant. The OPC requires that the complainant give the respondent 30 days to reply to the letter of complaint: see Office of the Privacy Commissioner, Privacy Complaints <www.privacy.gov.au/privacy_rights/complaints/index.html> at 1 August 2007.

[5]Privacy Act 1988 (Cth) ss 49, 51.

[6] See Ibids 41(1).

[7] Ibids 41(2).

[8] Ibids 41(3).

[9] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 45–1.

[10] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Government Department of Agriculture‚ Fisheries and Forestry, Submission PR 556, 7 January 2008; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007; Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[11] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Consumer Action Law Centre, Submission PR 510, 21 December 2007; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Consumer Action Law Centre, Submission PR 510, 21 December 2007.

[12] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[13] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[14] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 130 fn 102.

[15] Australian Securities and Investments Commission, Approval of External Complaints Resolution Schemes: ASIC Policy Statement 139, 8 July 1999, [PS 139.131]–[PS 139.133].

[16] Ibid, [PS 139.131]–[PS 139.133]. A similar definition was put forward in Consumer Credit Legal Centre (NSW) Inc, Submission PR 160, 31 January 2007.

[17]Ombudsman Act 1976 (Cth) s 6.

[18]Anti-Discrimination Act 1977 (NSW) s 92(1)(a)(iii).

[19] In 2006–07, the OPC closed 1,210 complaints, 7% more than the 1,131 complaints closed in 2005–06: Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2006–30 June 2007 (2007), [3.3.2].

[20] Examples of similar provisions include: Health Records Act 2001 (Vic) s 53(1); Information Privacy Act 2000 (Vic) s 30.

[21] See, eg, Information Privacy Act 2000 (Vic) s 29; Health Records Act 2001 (Vic) s 51; Ombudsman Act 1976 (Cth) s 6; Banking and Financial Services Ombudsman, About Us <www.abio.org.au> at 5 May 2008; Telecommunications Industry Ombudsman Constitution, 20 May 2006, [5].

[22] This is consistent with Rec 24–1.