Step 3: How OVIC handles privacy complaints
OVIC’s role
When handling a privacy complaint, OVIC aims to help you and the organisation try to resolve the complaint. This is called ‘conciliation’, and OVIC is only empowered to conciliate privacy complaints.
Conciliation is a type of alternative dispute resolution (ADR) that involves an impartial, independent third party, with specific legal expertise, that helps parties come to an agreement to resolve the complaint.
Within OVIC’s privacy complaint process, this means that OVIC advocates for the correct interpretation and application of the 10 Information Privacy Principles (IPPs)– we do not advocate for the Complainant or Respondent.
In conciliating privacy complaints, OVIC can:
- give you and/or the organisation guidance on how the IPPs are interpreted and applied
- explore possible outcomes with you and/or the organisation that can be reached
- share our experience of realistic, fair and proportionate outcomes that have resolved complaint
- provide OVIC’s perspective of whether there has, or has not, been an interference with your privacy
- discuss the strengths and weaknesses of your position (we call this reality testing) to help you consider how best to proceed with your complain
- help the parties come to an agreement, where possible, to avoid the need for further litigation.
In conciliating privacy complaints, OVIC cannot:
- advocate for you, or represent you, during conciliation
- investigate the actions of the organisation you complain about
- make a binding determination of whether the organisation has, or has not, interfered with your privacy
- make an organisation take (or not take) a particular action to resolve your complaint
- punish, fine or prosecute an organisation
- provide legal advice
- publish the outcome or a decision about a complaint
- overturn an administrative decision an organisation has made.
Most privacy complaints raised under the Privacy and Data Protection Act 2014 (Vic)(PDP Act) are resolved through OVIC’s process. It usually takes six months from start to finish.
Stages of OVIC’s complaint process
OVIC’s privacy complaint process can be flexible.
OVIC will work with both you and the organisation to try to resolve a privacy complaint in the easiest and most effective way.
OVIC’s privacy complaint process usually follows the below process.
1 – OVIC assessment and clarification of complaint
Upon submitting your privacy complaint, OVIC will assess your complaint to:
- ensure it is within our jurisdiction to handle
- understand what has happened
- identify what further information we need to progress the complaint
- consider whether informal resolution or conciliation is the best method to progress your complaint.
If you have asked for assistance formulating or refining your complaint, OVIC helps in preparing a written complaint outline of your concerns for your endorsement. We can assist you in identifying which Information Privacy Principles may be most relevant to your complaint.
OVIC can’t assess documents or evidence to identify acts or practices for you – we only present your concerns as you have raised them to the organisation, and if your complaint cannot be resolved during conciliation we can refer the matter to VCAT.
Once we have assessed your complaint, we will contact you via email to carry out ‘intake’.
During intake, we will:
- explain what we can or cannot help with, including the reasons for this (for example we cannot handle a privacy where it relates to the handling of health information, or the complaint is about a private organisation)
- explain OVIC’s role under the PDP Act and how we apply it
- outline which IPPsappear relevant to your complaint
- ask you questions to help us better understand what has happened
- talk through the strengths and weakness of your complaint (we call this reality testing)
- explain to you possible and realistic outcomes that may resolve the complaint
- outline the next steps for your complaint whether it be via informal resolution, or conciliation.
During intake, we won’t give you legal advice.
At any stage within 90 days after OVIC has received your complaint, we have the power to decline to consider the complaint.
OVIC may do this if:
- we believe there has been no interference with your privacy
- you have not complained to the organisation first
- another regulator is addressing the same issue
- the organisation has already dealt with your complaint fairly.
OVIC will tell you in writing if this is being considered and give you the opportunity to respond with any information you think we should know.
2 – Notifying the organisation of your complaint
Whether we handle the complaint informally, or via conciliation, OVIC must write to the organisation to notify it of your complaint.
At this time, OVIC provides them with a copy of the complaint form you submitted with your direct contact information redacted, or your complaint outline, along with a letter asking the organisation to provide a written response detailing its view of:
- what has occurred
- how the IPPs apply to the circumstances
- whether there has, or has not, been an interference with your privacy
- what outcomes, if any, it is willing to provide to resolve your complaint.
Organisations are given 4-6 weeks to provide a written response. Organisations may request an extension of time, which OVIC can give where appropriate.
OVIC may also ask the organisation further questions, or require an additional response, which can make this process take longer.
Sometimes OVIC may notify an organisation of your complaint but not ask for a written response. In rare cases, we may go straight to scheduling a conciliation meeting.
3 – Receiving a response from the organisation
When OVIC receives the organisation’s response, we assess it against our interpretation and application of the IPPs. We then provide you with the organisation’s position to you alongside our understanding of how the IPPs would apply, for you to consider how to proceed.
At this stage, both parties may come to an agreement based on the response and outcomes offered and the complaint is resolved.
The organisation may disagree that it has breached your privacy. They can also disagree on the outcomes you want to resolve the complaint.
At this stage, OVIC will consider whether conciliation is the right approach to resolve your complaint.
We may ask for more information from you and the organisation. For example, we may ask both parties to provide information or evidence where there is a disagreement on what has happened.
In some cases, conciliation is not possible. This may be because we do not believe there has been an interference with your privacy, or because both parties have very different views on what has happened or show it should be resolved.
Stage 4 – Ongoing conciliation
Where OVIC thinks conciliation is possible, OVIC will continue to conduct conciliation to help you and the organisation negotiate with one another about how the complaint may be resolved.
This conciliation may be indirect or direct.
Indirect conciliation
This is where you and the organisation will continue to engage through OVIC, exchanging written responses and evidence via email.
Here you can ask questions to better understand what has happened, and negotiate outcomes until an agreement can be reached.
Most of OVIC’s conciliation process occurs indirectly. OVIC will make an assessment throughout its handling of the complaint about whether indirect conciliation is the most appropriate approach to resolve the complaint.
Direct conciliation
This is where OVIC organises a meeting with you and the organisation by video conference or in-person.
These meetings are hosted by OVIC and run for two to three hours. During this time, OVIC will facilitate a discussion between you and the organisation. You will both discuss what happened and the issues relevant to the complaint, before considering what options are available for resolving the complaint.
OVIC does not advocate for you or the organisation at these meetings. OVIC ‘s role is to interpret and apply the IPPs and share insight into how they apply to the complaint.
Parties may reach agreement on the day, or negotiations may continue indirectly after the meeting.
If you are going to participate in a conciliation meeting, OVIC staff will meet with you beforehand to explain exactly how it will run and how you should prepare.
Stage – 5 Finalising the complaint
If a complaint is resolved
If both parties agree to resolve the complaint, this must be formalised in writing. Sometimes both parties sign what is known as a ‘settlement agreement’ which is certified by OVIC.
If an agreement is reached, the conciliation is considered successful, and the complaint is closed. This means no further action can be taken in relation to this complaint.
Parties should be aware that OVIC’s conciliation process is confidential. OVIC does not publish any details about the complaint or settlement once it is finalised.
If a complaint is not resolved
OVIC may decide to close your complaint without it being resolved if:
- we decide to decline to entertain your complaint
- we consider conciliation is not reasonably possible
- we have tried conciliation, and it has failed.
In any of these cases, you have the right to direct OVIC to refer your complaint to the Victorian Civil and Administrative Tribunal (VCAT) for decision.
Once it is referred to VCAT, OVIC is no longer involved, and the burden of proof is on you to:
- demonstrate that the act or practice you complain about occurred,
- explain why the act or practice did not comply with the IPPs, and
- substantiate the harm you have suffered was caused by the act or practice.
You can find out more about bringing your complaint to VCAT in our section on After OVIC: Litigating at VCAT.
You can withdraw your complaint at any stage, and we can close it on this basis.
Example case studies
Example case study 1
Jess lodged a complaint with OVIC alleging that the organisation did not keep their personal information accurate, complete, and up to date. Jess had already complained directly to organisation, but was not satisfied with the response.
A few days after submitting the form, OVIC contacted Jess by email to schedule a time to discuss their complaint. The complaint was complex, and during this call OVIC helped Jess to separate some non-privacy issues from their complaint, and explained why those particular issues couldn’t be considered as part of the privacy complaint.
OVIC also explained the complaint handling process, which Information Privacy Principles were relevant to the allegations, and how they might have applied to the allegations. The conciliator discussed Jess’ requested outcomes and clarified what was, and was not, possible to achieve through the complaints process.
Due to the complexity of the complaint, and because certain parts were not privacy related, OVIC drafted an outline of the complaint to be endorsed by Jess and shared with the organisation. Jess reviewed the outline to make sure it accurately reflected her concerns. OVIC let Jess know when the organisation had been notified.
Five weeks later, OVIC contacted Jess, and explained the organisation’s response, and informed Jess that – based on the response and the original complaint – OVIC had decided that conciliation may be possible, and that a conciliation meeting was therefore appropriate for the complaint.
OVIC provided Jess with guidance on how to prepare for the conciliation meeting, and Jess arranged the evidence they wanted to submit to support their claims. OVIC clarified the key issues in dispute, and discussed with Jess whether some of the outcomes they had requested were realistic or appropriate.
Several weeks later, Jess participated in the OVIC facilitated conciliation by teleconference with the organisation, and the complaint was resolved. After hearing from one another, the organisation agreed to write a letter of apology, and Jess accepted that this would resolve the complaint. OVIC then closed the complaint on the basis that conciliation was successful.
Example case study 2
John made a complaint to OVIC about an organisation inappropriately sharing his personal information with a third party. He had previously taken the complaint to the organisation directly but had not been satisfied. OVIC assisted John to clarify his complaint, and notified the organisation of it, attaching John’s complaint form and evidence. OVIC asked the organisation about its view of the complaint.
Four weeks later, OVIC contacted John to discuss the response. OVIC then sent John a letter setting out OVIC’s perspective of the complaint. The letter said that in OVIC’s interpretation of the IPPs the organisation was authorised under the PDP Act to share his personal information with the third party.
OVIC’s letter explained the reasons why OVIC had reached this view, and John had two weeks to submit any further evidence he had for OVIC to consider.
John accepted OVIC’s view of how the Information Privacy Principles applied to the complaint, and decided to withdraw his complaint.
Example case study 3
Roger has had disagreements with his neighbour for years, and regularly made complaints to his local council about his neighbour.
The council had investigated the complaints, and issued a warning to them.
Roger’s neighbour then approached him and claimed that they knew Roger complained about them to the council.
After being unhappy with how Council handled his direct complaint, Roger complained to OVIC and alleged that the council disclosed his identity as the complainant to their neighbour in investigating his concerns.
OVIC spoke with Roger and confirmed that he had no evidence that a disclosure happened apart from his neighbour saying he knew Roger was the complainant. OVIC discussed with Roger whether it was possible his neighbour would likely know he complained because of their history, Roger agreed this may be possible.
OVIC proceeded to notify the council to get an explanation of its actions. The council disputed Roger’s position, and explained that Roger’s neighbour likely knew his identity as the complainant due to their prior disputes about the same issue. The council also explained the steps it had taken to investigate whether the disclosure happened, which included reviewing its file notes; call recordings and interviewing relevant staff.
OVIC shared the council’s response with Roger. Roger still did not believe council that the disclosure did not occur.
OVIC gave Roger guidance on how VCAT handles privacy complaints, the challenges he would have if he proceeded to seek a determination, and VCAT’s previous decisions on similar matters. Roger realised that even with evidence, he was unlikely to be successful at VCAT.
Roger accepted OVIC’s guidance and withdrew his complaint.