Privacy Complaint Handling policy by byrnetown74


									           Office of the Information Commissioner (Qld)
Privacy Complaint Handling Policy

 1       Who we are

      The Office of the Information Commissioner (OIC) is an independent statutory body
      established under the Freedom of Information Act 1992 (Qld) and continued under
      the Right to Information Act 2009 (Qld) (RTI Act) to promote the principles and
      practices of Right to Information and Information Privacy and foster improvements
      in the quality of practice in Right to Information and Information Privacy in
      Queensland Government agencies. OIC is responsible for championing the
      responsible use by government of individual’s personal information and the
      protection of people’s rights to privacy under the Information Privacy Act 2009
      (Qld) (IP Act).

      OIC is the primary body for providing information and assistance to Queensland
      government agencies (such as state government departments, local councils and
      universities), Ministers and the community on rights and responsibilities under the IP

      OIC also endeavours, under chapter 5 of the IP Act, to effect a resolution in privacy
      complaints where the complainant has previously lodged a complaint with a
      government agency but remains dissatisfied with the outcome of that process. This
      Policy sets out how OIC will handle such complaints.

 2       Definitions

      Agency means:
       •  a Minister
       •  a department
       •  a local government; or
       •  a public authority.

      Personal information is information or an opinion, including information or an
      opinion forming part of a database, whether true or not, and whether recorded in
      a material form or not, about an individual whose identity is apparent, or can
      reasonably be ascertained, from the information or opinion.

      Privacy Complaint is a complaint by an individual in relation to that individual’s
      personal information that an act or practice of a relevant entity is a breach of an
      obligation under the IP Act to comply with a privacy principle.

      Privacy Principles are:
       •    Information Privacy Principles (IPP)
       •    National Privacy Principles (NPP)
       •    the transfer of personal information outside Australia principles; and
       •    the bound contracted service provider principles.

      QCAT is the Queensland Civil and Administrative Tribunal.

      Relevant entity is an agency, or a bound contracted service provider in relation to
      documents held for the purposes of performing obligations under a service

                                   Privacy Complaint Handling Policy                 1
                             Privacy Complaint Handling Policy
3           How we operate

3.1.        Ethical Obligations

       OIC staff are employed under the Public Service Act 2008 (Queensland). OIC staff
       must comply with the following five ethics principles and related obligations under
       the Public Service Ethics Act 2004 (Queensland). The principles and obligations
       form the basis of OIC’s Code of Conduct:

        •     respect for law and the system of Government
        •     respect for persons
        •     integrity
        •     diligence; and
        •     economy and efficiency.

3.2.        Independence

       OIC’s performance of its statutory functions is independent of executive
       government. The Information Commissioner is an officer of the Queensland
       Parliament, appointed by the Governor in Council under the RTI Act. The
       Information Commissioner is directly responsible to Queensland Parliament through
       the Law, Justice and Safety Committee and cannot be directed by any person in
       carrying out functions under the legislation. OIC staff can only be directed by the
       Information Commissioner.

       It is an offence under the IP Act for persons to direct OIC staff responsible for
       making decisions by any means to make a decision a certain way. It is similarly an
       offence for any person to direct OIC staff to act contrary to the requirements of the
       IP Act.

4           Complaints

       Individuals who consider that a relevant agency has failed to comply with the
       privacy principles or an approval under section 157 of the IP Act, in relation to the
       individual’s personal information can lodge a privacy complaint with OIC. The
       individual must first have lodged the complaint with the relevant entity concerned
       and given it a reasonable opportunity – a minimum of 45 business days – to
       respond to the complaint.

       OIC provides an informal resolution service to the individual and the relevant entity.
       The OIC is obligated to consider whether a resolution can be reached between
       the parties to a complaint and if so, OIC must take all reasonable steps to effect
       the resolution.

       OIC’s complaint process is strictly confidential. While OIC is obligated to comply
       with the principles of natural justice and procedural fairness, the exchange of
       information is limited to that concerning the subject matter of the complaint.
       Other than the information necessary for the agency to respond to the complaint,
       a complainant’s personal information – including the fact that they have lodged a
       privacy complaint with OIC – will not be disclosed to persons, agencies or bodies
       outside of relevant OIC staff members.

                               Office of the Information Commissioner                2
               Office of the Information Commissioner (Qld)
Privacy Complaint Handling Policy

        In particular, information concerning the informal resolution discussions will not be
        provided to QCAT. Neither the Information Commissioner nor a member of OIC
        staff can be compelled to produce a privacy document or disclose privacy
        information in third-party legal proceedings.

        Some complaints may be more appropriately dealt with by other complaint
        handling agencies such as the Queensland Ombudsman and the Health Quality
        and Complaints Commission and OIC may refer the complaint to the other
        agency. OIC will liaise with the complainant on the potential referral of the
        complaint to these agencies.

        OIC is obligated under the Crime and Misconduct Act 2001(Qld) to report issues of
        official misconduct (including those involving OIC staff) to the Crime and
        Misconduct Commission.

 4.1.        Assistance

        OIC aims to make its complaint handling processes as accessible as possible. OIC
        provides both an electronic and hard-copy mechanism for lodging complaints but
        will also accept other written forms of complaint including e-mail, facsimile and

        The IP Act requires that a complaint be in writing but if an individual has difficulty in
        complying with this requirement, OIC will assist the individual to put the complaint
        into written form.

 5           Privacy Complaint handling Process

 5.1.        Chapter 5 of the IP Act

        OIC’s privacy complaint handling function is statutorily-based. A commencing
        point for OIC’s process for administering privacy complaints is Chapter 5 of the IP
        Act which includes the following parts:

         •     Part 1 – Making privacy complaints. Part 1 defines the privacy complaints the
               OIC is authorised to deal with.
         •     Part 2 – Dealing with privacy complaints. Part 2 sets out the OIC’s powers
               concerning the administration of privacy complaints.
         •     Part 3 – Mediation of privacy complaints. Part 3 provides for the OIC’s
               obligation to consider the informal resolution of privacy complaints and the
               process once a resolution is reached.
         •     Part 4 – Referral of privacy complaints to QCAT. Part 4 sets out the processes
               to be followed if resolution is not attempted or reached and the complainant
               wishes for the complaint to be heard by QCAT.

        OIC must at all times comply with the requirements in Chapter 5 in its handling of

                                       Privacy Complaint Handling Policy                3
                               Privacy Complaint Handling Policy
5.2.          Privacy Complaints Management System

         OIC’s privacy complaint handling process addresses the following elements:

5.2.1.        Visibility and Access

          •     Information on how and where to lodge a privacy complaint and on OIC’s
                handling of complaints is available on OIC’s web-site at
                or available upon request to OIC’s Enquiry Service on (07) 3234 7373.
          •     OIC will provide all reasonable assistance to individuals wishing to make a
                privacy complaint.

5.2.2.        Responsiveness

          •     OIC’s role in privacy complaints is clearly set out in the IP Act and all
                government agencies should be aware of this function.
          •     OIC will endeavour to acknowledge receipt of a complaint within 5 business
          •     OIC endeavours to process the complaint in a timely manner.
          •     OIC will endeavour to finalise all complaints within 90 days of receipt.
          •     OIC will keep the parties to a complaint informed of the complaint’s progress.
          •     OIC may make preliminary inquiries of the parties to complaint before
                accepting the complaint.          The complexity of the inquiries and the
                responsiveness of the parties will determine the timeframe for acceptance.

5.2.3.        Assessment and Action

          •     OIC will deal with all complaints fairly, professionally and independently of
                the parties.
          •     OIC is required under the IP Act to assess the complaint against stated
                criteria and if the criteria are not met, OIC may decline to deal with the
          •     Privacy complaints are dealt with by a dedicated team within OIC which has
                expertise in both the fields of privacy and alternative dispute resolution.
          •     OIC may enter into arrangements in place with the Queensland
                Ombudsman and the Health Quality and Complaints Commission to refer
                complaints more appropriately dealt with by those agencies.

5.2.4.        Communication

          •     OIC will keep the complainant informed of the progress in processing the
                complaint. As an independent body with expertise in this area, OIC is also
                able to provide authoritative information on the application of the privacy
                principles to government processes.
          •     If a resolution is not achievable for a complaint, OIC is obligated under the IP
                Act to advise the complainant of their right to request their complaint be
                referred to QCAT.
          •     OIC also has responsibility for monitoring and reporting on agency
                compliance with the IP Act. This includes the capacity to conduct audits on
                relevant entities’ compliance with the privacy principles.

                                  Office of the Information Commissioner                4
                    Office of the Information Commissioner (Qld)
Privacy Complaint Handling Policy

    5.2.5.        Monitoring Effectiveness

              •     OIC reports on its effectiveness as a complaint handling body in its annual
                    report. The OIC reports on:
                       ○ number of privacy complaints received
                       ○ proportion of privacy complaints in which a resolution was achieved
                       ○ proportion of privacy complaints referred to QCAT; and
                       ○ median days to finalise a privacy complaint.

              •     OIC’s case management database, Contact, will inform complaint trends
                    and this information is used to target education resources and potential
                    subjects for compliance audits.

              •     OIC also conducts customer satisfaction surveys of complainants and
                    agencies. The information obtained through the surveys, from Contact and
                    from the annual statistics will identify areas of improvement in the way OIC
                    deals with privacy complaints.

             OIC will review the operation of this Policy and its complaint handling process

    6             Access and amendment

             The RTI Act allows people to access information held by Queensland government
             agencies; Chapter 3 of the IP Act allows people to access and amend their
             personal information held by Queensland government agencies. However, these
             Acts also provide that neither an access nor an amendment application may be
             made to the Information Commissioner, Privacy Commissioner or RTI
             Commissioner 1 .

             The privacy principles in the IP Act also provide for access to, and amendment of,
             personal information as follows:

              •     IPP 6 – An individual may access documents containing their personal
                    information; and
              •     IPP 7 – An individual may amend documents containing their personal

             While OIC is obligated to comply with the privacy principles, IPP 6(2)(a) and IPP 7(2)
             permit the OIC to refuse to give access to, or amend, a document containing
             personal information if that document is expressly excluded from the operation of
             an access or amendment law. Because both the RTI Act and chapter 3 of the IP
             Act exclude OIC's Commissioners from their operation, documents of OIC are
             excluded from the operation of State access and amendment laws.

    Section 26 RTI Act, section 46 IP Act.

                                             Privacy Complaint Handling Policy            5
                                 Privacy Complaint Handling Policy

       As a matter of policy, OIC will rely on the operation of IPP 6(2)(a) and IPP 7(2) in
       relation to privacy complaint material. Privacy complaint material will include:

        •        material submitted by the complainant
        •        material submitted by the agency; and
        •        documents created by OIC for the purpose of administering the privacy

       OIC may make an exception where a complainant formally requests a copy of
       privacy complaint material they submitted to OIC.

6.1.        Policy rationale

       It is well-established that settlement discussions conducted in an environment of
       confidentiality promote frank and candid communications between the parties. In
       addition, it encourages the parties to propose and consider a wider range of
       settlement options when they are able to confidently make proposals on a without
       prejudice basis.

       Confidentiality also ensures the integrity of the settlement process. It confirms the
       status of the mediator as a neutral party whose role is to explore all relevant issues
       without a concern about being drawn into future legal action between the parties.

       OIC adopts Rule 4 of the Conciliation Rules of Australian Institute of Arbitrators and

        RULE 4 Confidentiality

            1. The Conciliator, the parties and all advisers and representatives of the parties shall:
                 a) except as provided in paragraph 2 of this Rule, keep all information disclosed
                    during the conciliation process confidential;
                 b) not use any information disclosed during the conciliation process for any
                    purpose other than the conciliation;
                 c) if requested by the Conciliator or a party to do so, sign Confidentiality
                    Agreements in the terms of this Rule.

            2.    The obligation of confidentiality under sub-paragraph a of paragraph 1 above shall
                  apply except:
                   a) if disclosure is compelled by law;
                   b) to the extent necessary to give effect to the Agreement, or to enforce an
                        agreement to settle or resolve the whole or any part of the Dispute;
                   c) where disclosure is only of the occurrence of the conciliation (and not any
                        communication during the conciliation), and the occurrence of the conciliation
                        is relevant to subsequent arbitral, adjudicative or judicial proceedings relating
                        to the Dispute.

       OIC’s policy position is underpinned by the immunity provided in section 153 of the
       IP Act. It provides that any member of OIC cannot be compelled to produce a
       ‘privacy document’ and/or disclose ‘privacy information’ in a third party legal
       proceedings – including, as a matter of course, QCAT proceedings involving a
       complainant and an agency about a privacy issue.

                                    Office of the Information Commissioner                      6
              Office of the Information Commissioner (Qld)
Privacy Complaint Handling Policy

 7         Privacy complaints about us

      OIC is committed to providing a timely and professional service to both agencies
      and individuals. OIC requires its staff to be fair, independent and courteous in all its

      If an agency or individual does not consider that the service OIC has provided
      meets the expected standard, they can complain to the Information Commissioner
      about the service. Information on OIC’s staff complaints process can be found at
      Appendix A in the OIC’s Privacy Plan at
      or is available on request.

      The OIC must comply with the privacy principles. Accordingly, there is the capacity
      for an individual to make a privacy complaint about the actions of OIC. The
      individual must first make their complaint directly to OIC and give it the opportunity
      to respond to the issues raised in the complaint.

 8         Feedback

      The complaints process is a valuable source of feedback and comment on the
      government’s use of personal information. Even where a privacy complaint is
      made about an agency’s act or practice which does not constitute a breach of
      the privacy principles, the complaint has value in that it can identify:

       •      lack of accessible information on the privacy principle that is the subject of
              the complaint
       •      lack of publicly-available information on the particular government act or
              practice; and/or
       •      areas for improvement in the communication between individuals and
              government agencies.

      For privacy complaints about acts of practices of an agency that constitute a
      breach of the privacy principles, the catalyst for the breach may have been a
      failure of the agency’s systems or processes for dealing with personal information.
      The informal resolution process offered through OIC is a mechanism whereby the
      failure can be acknowledged and remedied. Some of the outcomes achievable
      through a resolution can include:

       •      an undertaking by the relevant entity to rectify the act or practice that is the
              subject of the complaint
       •      that the relevant entity undertake reasonable actions to remedy the act or
              practice that is the subject of the complaint
       •      an apology
       •      changes to relevant entity’s systems, processes and/or practices
       •      amendment of affected documents; and/or
       •      financial compensation for loss suffered by the complainant and/or for pain
              and suffering, hurt and humiliation.

                                   Last updated 9 December 2009
           Changes to legislation after the above date are not included in this document.

                                       Privacy Complaint Handling Policy                    7

To top