Make a privacy complaint
This video provides an overview of how to make a privacy complaint under the Privacy and Data Protection Act 2014
What is a privacy complaint?
A privacy breach occurs when an organisation does not comply with privacy laws. If you believe that an organisation has breached your privacy, you have the right to make a complaint — but it is important to direct your complaint to the right place:
• The federal Privacy Act covers government agencies such as Centrelink and the Tax Office as well as large private organisations including insurance companies, banks and telecommunications providers. For complaints about these organisations, go to www.oaic.gov.au or telephone 1300 363 992.
• The Victorian Health Records Act covers health information collected and handled by Victorian health service providers. For complaints about these organisations, go to www.health.vic.gov.au/hsc or telephone 1300 582 113.
• The Privacy and Data Protection Act 2014 (the Act) protects non-health related personal information that is collected and handled by:
o Victorian Government organisations
o local councils, and
o some private or community-based organisations providing services for the Victorian community on behalf of the Victorian or local government.
The Act has ten Information Privacy Principles — or IPPs — that these entities must comply with. A privacy complaint can involve a breach of one or more of these IPPs. You can find more information about the IPPs here.
“Personal information” is defined as information or an opinion recorded in any form that can reasonably identify someone whether true or not (and excludes information of a kind to which the Health Records 2001 applies). Examples of personal information include a name, signature, address, telephone number, date of birth, ratepayer information or email account details.
Making a complaint involves a two-stage process. The first stage involves contacting the organisation directly. The second stage involves the handling of your complaint by the Commissioner for Privacy and Data Protection, also known as CPDP.
Stage one: contacting the organisation
If you think that an organisation or local council has mishandled your personal information, you should complain to them first. All complaints should be put in writing in the form of an email or letter.
In this document, you should:
• tell the organisation how you believe your privacy has been breached
• explain the effect the breach has had on you
• outline what you would like the organisation to do in response to your complaint
• give the organisation time to respond.
Remember to keep a copy of your complaint.
Stage two: making a complaint to the CPDP
If the organisation does not respond within approximately 30 days, or you are unsatisfied with their response, you can then complain to the CPDP.
It is free to lodge a complaint and you do not need a lawyer.
You can make a complaint in any language.
Complaints to the CPDP must be made in writing. You can make a complaint using:
• the secure online form
• by mail
• by fax
You may choose to use the complaint form.
If you do not use the complaint form, please make sure that you provide all the required information.
Your complaint should include:
• your contact details
• the name of the organisation involved
• a brief description of your privacy problem and the contact you have had with the organisation about your complaint
• any action the organisation has taken to fix the problem, and
• copies of any relevant documents, including copies of your original complaint to the organisation and its response.
What happens to your complaint?
If we can’t investigate your complaint we will contact you to explain why. If appropriate, we will refer you to someone who can help.
The CPDP may decide not to deal with a complaint for one or more of the ten reasons outlined in the Act, including where:
• there has been no interference with your privacy
• you have not first complained to the organisation, or you have complained to the organisation but the organisation has not yet been given an adequate opportunity to deal with the complaint
• the complaint was made more than 45 days after you became aware of the act or practice
• complaint is frivolous, vexatious, misconceived or lacking in substance
• the complaint has been dealt with under another Act, or another Act provides a more appropriate remedy.
If the CPDP decides not to deal with the complaint, you will be notified in writing of the decision, and the reasons for it.
If we can deal with your matter, we will contact the organisation to advise them of your complaint. We will outline the details you have provided and ask the organisation to contact you to attempt to resolve the issue.
We will also ask them to provide a response to the CPDP that explains their view of the matter.
After the organisation has investigated your complaint, we will convey its response to you and seek your comments.
How is your complaint resolved?
Once a response is received from the organisation, the CPDP is required to consider if there are grounds to decline it.
If none are found, the CPDP must decide if conciliation is appropriate. If it is, we will assist you and the organisation to resolve the issues through negotiation.
We act as an impartial third party in this process. We do not act as an advocate for either party.
We aim to resolve complaints as quickly as possible. Complaints are typically resolved in a few weeks but some may take longer.
If a complaint can’t be resolved through conciliation, or if the CPDP declines the complaint, we will explain your rights to you, including your right to request the CPDP to refer your complaint to the Victorian Civil and Administrative Tribunal — also known as VCAT — for hearing.
• Guide for Complainants under the Privacy and Data Protection Act 2014
• Guide for Respondents under the Privacy and Data Protection Act 2014
• Guide to the handling of complaints under the Privacy and Data Protection Act 2014 by the Victorian Civil and Administrative Tribunal.