Skip to Content
From Monday 12 September 2020, OVIC's website will no longer be supported in Internet Explorer (IE).
We recommend installing Microsoft Edge, Google Chrome, Safari, Firefox, or Opera to visit the site.

Step 3: How OVIC handles privacy complaints

OVIC’s role

Once you have made a privacy complaint, we will work with you and the organisation to try to resolve the complaint.

We do this by providing an alternative dispute resolution process where we act as a neutral ‘conciliator’.

This means:

  • We can’t make a binding determination about whether your privacy has been breached or make an organisation carry out a particular action;
  • However, we may give you and the organisation guidance based on our understanding of relevant privacy law and our experience. This helps assess the strengths and weaknesses of each party’s case. It may include providing our non-binding view on whether there has been an interference with your privacy;
  • We may also provide advice on options for resolving the complaint. This can include weighing up how realistic or appropriate each party’s position is; providing guidance on outcomes that have been achieved in other cases; and assisting the parties to assess their alternatives to resolving the complaint through OVIC’s conciliation process; and
  • We will try to help the parties come to an agreement where this is possible – and try to help you and the organisation avoid the need for further litigation.

Stages of OVIC’s complaint process

Our process can be flexible and we will work with both you and the organisation to try to resolve a complaint in the most efficient and effective way.

However, you can usually expect the complaint process to follow the below stages.


Stage 1 – OVIC intake

During this call, we will:

  • Explain if we have the power to handle the complaint and outline our processes;
  • Explain the Privacy and Data Protection Act 2014 (PDP Act) and which Information Privacy Principles are relevant to your complaint;
  • Ask you questions to help us understand what has occurred;
  • Talk through the strengths and weakness of your complaint;
  • Help you to identify realistic outcomes to resolve the complaint; and
  • Discuss options to resolve your complaint informally if appropriate.

At any stage within 90 days after you have complained, OVIC has the power to decline to entertain a complaint.

We may do this if we believe there has been no interference with your privacy; the complaint is too old; you have not complained to the organisation first; or the organisation has adequately dealt with your complaint.

We will tell you if we are considering this.


Stage 2 – Notifying the organisation of your complaint

We then write to the organisation to notify them of your complaint. We do this by sending the complaint form you submitted, but sometimes we will draft an outline of the complaint instead.

We usually ask the organisation specific questions about your allegations and the organisation’s view on whether there has been an interference with your privacy. We also ask the organisation for its views on the outcomes you have requested to resolve the complaint.

The organisation usually has approximately four weeks to respond to the notification. This might take longer if we have to ask further questions and require an additional response from them.

In some cases, we might not ask the organisation for a formal response and will instead go straight to scheduling a conciliation meeting.


Stage 3 – When we receive a response from the organisation

When we receive the organisation’s response, we analyse it and will share the response or relay the organisation’s position on your complaint with you.

Sometimes complaints are resolved at this stage – you and the organisation may come to an agreement based on the response. Other times the organisation may deny it has breached your privacy or say that it is not willing to provide the outcomes you want to resolve it.

We may seek further information from you and the organisation. We may ask you each to comment on the other’s position on whether there has been an interference with privacy, for example.

At this stage we will decide whether we think it is possible to resolve the complaint through conciliation and, if so, how we should try to conciliate it.

We may ultimately decide not to proceed to conciliation. This may be because we do not believe there has been an interference with your privacy. Or you and the organisation may have such different views on what happened and how the complaint should be resolved that conciliation would not be useful. This can be the case where there is a factual dispute, for example.


Stage 4 – Conciliation

Where we decide that conciliation is reasonably possible, an OVIC conciliator will conduct conciliation directly or indirectly. This will involve you and the organisation negotiating with one another about how the complaint may be resolved.

Indirect conciliation

This is where you and the organisation communicate via email or telephone with the OVIC conciliator and they relay the information to the other party. It may involve a series of offers and counter-offers to try and settle the complaint.

Direct conciliation

This is where the conciliator conducts a conciliation meeting with you and the organisation by video conference or in-person.

OVIC-led conciliation meetings usually run for approximately 2 – 3 hours. The OVIC conciliator will facilitate a discussion between you and the organisation. You will both discuss what happened and the issues relevant to the complaint before looking forward to options for resolving the complaint.

Sometimes parties reach agreement on the day or negotiations may continue indirectly after the meeting.

If you are going to participate in a conciliation meeting, the OVIC conciliator will meet with you beforehand to explain exactly how it will run and how you should prepare.


Stage – 5 Finalising the complaint

If a complaint is resolved

If you and the organisation reach an agreement to resolve your complaint, we will close the complaint on the basis that conciliation was successful. This will mean you can take no further action in relation to it.

If conciliation is successful, you and the organisation may formalise this in a formal written agreement that sets out the terms of the settlement. But this is not always necessary and complaints are sometimes resolved more informally.

If a complaint is not resolved

OVIC may decide to close your complaint without it being resolved where:

  • we have tried conciliation and it has failed;
  • we decide not to conciliate as it would not be possible to reach agreement; or
  • we decide to decline to entertain your complaint.

In any of these cases, you have the right to direct OVIC to refer your complaint to the Victorian Civil and Administrative Tribunal (VCAT) where you can litigate the matter further. You can find out more about bringing your complaint to VCAT in our section on After OVIC: Litigating at VCAT.

Otherwise, you may wish to withdraw your complaint at any stage and we can close it on this basis.


Example case studies

Example case study 1

The complainant lodges a complaint with OVIC alleging that the organisation did not keep their personal information accurate, complete, and up to date. The complainant had already complained directly to organisation, but they were not satisfied with the response.

A few days after submitting the form, an OVIC conciliator phones the complainant to discuss their complaint. The complaint is complex and the conciliator assists them to separate some non-privacy issues from the privacy allegations.

The conciliator sets out OVIC’s complaint handling process and explains which Information Privacy Principles are relevant to the complainant’s allegations. The conciliator discusses the complainant’s requested outcomes and clarifies what is and is not possible to achieve through the complaints process.

Due to the complexity of the complaint, the conciliator drafts a summary of the complaint to send to the organisation. The complainant receives an email from OVIC to let them know when the organisation has been notified.

Approximately five weeks later, the complainant is contacted by the conciliator, who explains the organisation’s response and that OVIC has decided that a conciliation meeting is appropriate for the complaint.

The conciliator provides the complainant with guidance on how to prepare for the conciliation meeting and the complainant arranges the evidence they want to submit to support their claims. The conciliator helps the complainant to clarify the key issues in dispute, and helps them think about whether some of the outcomes they have requested are realistic or appropriate.

Several weeks later, the complainant participates in an OVIC facilitated conciliation by teleconference with the organisation and the complaint is resolved. After hearing from one another, the organisation agrees to write a letter of apology and the complainant accepts that this would resolve the complaint for them. OVIC then closes the complaint on the basis that conciliation was successful.

Example case study 2

The complainant makes a complaint to OVIC about the organisation inappropriately sharing their personal information with a third party. OVIC writes to the organisation, attaching the complainant’s complaint form and asks the organisation a series of questions about its view of the complaint.

Several weeks later, the OVIC conciliator contacts the complainant to discuss the response. OVIC then sends the complainant a preliminary view in writing, explaining that it appears that the organisation was authorised under the PDP Act to share the complainant’s personal information with the third party.

The preliminary view explains the reasons why OVIC has reached this view, and that the complainant has the option to put in written submissions if they disagree.

The complainant accepts the preliminary view and decides to withdraw the complaint.

Contents

Back to Index

Details

Return to the Privacy complaints home page

Back to top
Back to Top