Guide for respondents under the Privacy and Data Protection Act 2014

 Download this page as a PDF


Many complaints can be resolved at an early stage with the help of an officer from the Office of the Commissioner for Privacy and Data Protection. The officer may talk to you about the possibility of early resolution before any investigation takes place, discuss options with both you and the complainant, and try to negotiate an outcome suitable to both parties. This option is quicker and less onerous on both parties.

A discussion about early resolution does not mean that the Commissioner for Privacy and Data Protection (Commissioner) has formed any view about the complaint. If it does not resolve he may still decline to entertain it after investigation (see below). 

It is important to remember that even if the parties try to resolve the complaint early, and this is unsuccessful, the complaint will still proceed through the Office of the Commissioner for Privacy and Data Protection’s normal complaint handling procedures.



Under the Privacy and Data Protection Act 2014 (the Act) an individual has the right to make a complaint about a breach of one or more of the 10 Information Privacy Principles, in relation to his or her personal information.
A complaint can only be made about an alleged breach that occurred after 1 September 2002.

What happens when the Commissioner receives a complaint?

When the Commissioner receives a complaint he will decide whether, on the face of it, he has jurisdiction to investigate the matter.

If appropriate, he may refer a complaint to Federal Privacy Commissioner, the Health Services Commissioner, the Disability Services Commissioner or the State Ombudsman. In that case the organisation named as respondent to the complaint will be notified in writing of the referral.

If the Commissioner decides that the subject matter of the complaint is within jurisdiction, the respondent will be informed as soon as possible. A decision that a complaint is within jurisdiction does not mean that the Commissioner has decided a complaint has been upheld. The Commissioner does not have the power to make such a determination.

Details of the complaint will be sent to the respondent in writing and the respondent will be asked to respond within a certain period of time.

After a response has been received, more information may be required from the complainant and/or respondent. It is important to remember that on occasions, complainants seek, and may be provided a copy of the respondent’s response.

To assist in the investigation, the Commissioner can, by written notice, invite a person to attend the offices of the Commissioner for Privacy and Data Protection to discuss the complaint or produce documents.

Can the Commissioner refuse to investigate a complaint?

The Commissioner has the power to decline to entertain a complaint under section 62 of the Act. A decision to decline a complaint must be made within 90 days of the Commissioner accepting a complaint.

The grounds for declining a complaint are:

  • • There has not been an interference with the complainant’s privacy
  • • The complainant did not complain to the respondent before complaining to the Commissioner
  • • The complainant has complained to the respondent, and the respondent has either dealt with the complaint adequately, or has not had adequate opportunity to deal with it
  • • The complaint was made 45 days after the complainant became aware of the alleged breach
  • • The complaint has been dealt with under another Act, or another Act provides a more appropriate remedy
  • • The complaint is frivolous, vexatious misconceived or lacking in substance
  • • The complaint is made on behalf of a person with a disability or a child and the person complaining does not have sufficient interest in the complaint

Note that the Commissioner can take into account what efforts the respondent has made to resolve the complaint when considering whether to decline a complaint. A respondent needs an effective internal complaint handling procedure, and should respond promptly to complaints received direct.

The Victorian Ombudsman has produced a Good Practice Guide to Complaint Handling for Victorian Public Sector Agencies available at

It is in a respondent’s interest to promptly provide the Office of the Commissioner for Privacy and Data Protection with as much information as possible in response to a complaint. Especially if the respondent believes there may be grounds for the Commissioner to decline the complaint.

What happens if the complaint is not declined?

The Commissioner must try and conciliate complaints. Conciliation can occur at any time. The Act does not specify when conciliation must occur, save that it cannot occur formally once the complaint has been declined.

The Office of the Commissioner for Privacy and Data Protection will encourage parties to explore early resolution of a complaint. Conciliation of a complaint does not equate with admitting a breach has occurred. One of the purposes of conciliation is to bring the parties to an understanding of each other’s position. A complainant may be satisfied with a respondent’s explanation of why it took the action it did, or why it didn’t act.

The two guides for Conciliation under the Privacy and Data Protection Act 2014 available here provide more information about the conciliation process.

What happens if the complaint is declined or is not resolved?

If the Commissioner declines the complaint the complainant and respondent will be notified of the decision in writing.

The Commissioner might decide conciliation is not possible, for example if the respondent or complainant make it clear they will not conciliate, or the nature of the complaint is such that conciliation is inappropriate.

If conciliation has been attempted but the complaint is not resolved, the Commissioner may form the view that conciliation has failed.

The complainant and respondent will be notified in writing of the Commissioner’s decision that conciliation is not possible, or has failed.

When a complainant is notified that a complaint is declined, or conciliation is not possible or has failed, the complainant has the right to ask the Commissioner to refer the complaint to the Victorian Civil and Administrative Tribunal (VCAT) for determination. The complainant must exercise this right within 60 days of receiving notice of the decision.

If the complainant does not request the Commissioner to refer the complaint to VCAT then the Commissioner may dismiss the complaint. Once a complaint has been dismissed the complainant can take no further action.

For more information about procedures in VCAT relating to privacy complaints see


Office of the Commissioner for Privacy and Data Protection
Level 6, 121 Exhibition Street
PO Box 24274
Melbourne Victoria 3001
Telephone: 1300 666 444 (local call)
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.



Publication date: Feb 2016

Please note that the contents of this information sheet are for general information purposes only, and should not be relied upon as legal advice. CPDP does not guarantee or accept legal liability whatsoever arising from, or connected to the accuracy and reliability of the contents of this document. We encourage your organisation to obtain independent legal advice as necessary.