Privacy Complaints at OVIC – Guide for Individuals
You have a right to complain to us about possible breaches of the Information Privacy Principles (IPPs) by Victorian public sector organisations.
We can help you explain your complaint to the respondent, and to discuss an agreement with the respondent about what should be done about it. It is not our role to investigate complaints, to decide if the respondent organisation has breached the IPPs, or award a remedy.
If your complaint cannot be resolved, you have a right to take your complaint to the Victorian Civil and Administrative Tribunal (VCAT). VCAT can make a formal decision about whether the IPPs have been breached by your agency, and what an appropriate remedy is.
The Privacy and Data Protection Act 2014 (Vic) (PDP Act) is a Victorian law that protects the privacy of your personal information when it is handled by Victorian public sector organisations, including Victorian government departments, local councils, statutory offices, government schools, universities and TAFEs. The PDP Act can also protect your personal information when it is handled by private or community sector organisations who are carrying out functions for or on behalf of a Victorian public sector organisation.
The PDP Act contains ten IPPs that govern the collection, management, use and disclosure of personal information, and gives the Information Commissioner a range of powers by which he can examine or investigate the acts or practices of public sector organisations and hold them to account.
The PDP Act also gives you a right to complain if you think that an organisation has breached one of the IPPs. Privacy complaints are primarily about setting things right for you, rather than punishing individuals or organisations for doing the wrong thing. When making a privacy complaint, the first step is always to talk to the organisation involved. If that doesn’t resolve the issue, you can bring your complaint to us.
When you bring your complaint to us, our job is to try to resolve it through conciliation. That means we don’t take sides, we don’t decide who is right or wrong, and we don’t determine whether your privacy has been breached. As conciliators, our job is to help you and the organisation talk through the issues and resolve your complaint in a way that is acceptable to everyone, and which upholds the objectives of the PDP Act.
If we cannot resolve your complaint though conciliation, you can request for your complaint to be referred to VCAT for hearing.
What do the IPPs say?
The IPPs outline how Victorian public sector organisations can collect, manage, use and disclose personal information. Being principles, the IPPs operate at a high level, establishing a set of broad obligations that organisations must comply with, but in most cases not specifying the precise detail of how those obligations should be met. In very broad terms, they cover:
- when, how and from whom personal information can be collected (IPP 1);
- how personal information can be used and disclosed (IPP 2);
- what kinds of steps need to be taken to keep personal information accurate, up to date and secure (IPPs 3 and 4);
- your right to access and correct your personal information (IPP 6);
- when and how ‘unique identifiers’, which can facilitate data matching, are used to identify you (IPP 7);
- an individual having the option of transacting anonymously or using a pseudonym where practicable (IPP 8);
- ensuring that privacy protections are still maintained when personal information travels outside Victoria (IPP 9); and
- special protections for certain specified categories of information (IPP 10).
The full text of the IPPs is set out in Schedule 1 to the PDP Act. View our Short guide to the Information Privacy Principles for guidance on their application. If you need help interpreting the IPPs, or understanding how they may apply in a specific situation, contact us
Who must comply with the IPPs?
The IPPs apply to all Victorian public sector organisations, including Victorian government departments, local councils, statutory offices, government schools, universities and TAFEs. The PDP Act can also apply to private or community sector organisations who are carrying out functions for or on behalf of a Victorian public sector organisation.
Who doesn’t have to comply with the IPPs?
Individuals acting in their personal capacity do not have to comply with the IPPs. This is because the PDP Act only applies to Victorian government organisations, local councils and contracted service providers to government or councils. Unless an individual is acting in an official capacity for an organisation that is covered by the PDP Act, they don’t have to comply.
Unless they are carrying out functions for or on behalf of a covered organisation, private organisations (such as insurance companies, banks, real estate agents and telecommunications providers) aren’t covered by the PDP Act, and so don’t need to comply with the IPPs. Similarly, Australian government agencies (such as Centrelink and the Tax Office) are not covered by the PDP Act and so don’t need to comply with the IPPs.
Note: Australian government agencies and private organisations may need to comply with the Privacy Act 1988(Cth), which has its own set of privacy principles called the Australian Privacy Principles (APPs). The APPs are similar to the IPPs, but not the same. If you have questions about the APPs, or if you would like to make a complaint about an Australian government agency or a private organisation, you can contact the Office of the Australian Information Commissioner on 1300 363 992 or go to http://oaic.gov.au for more information.
Complaints about health information
There are special rules that govern the handling of ‘health information’, meaning any information about a person’s:
- physical, mental or psychological health;
- use and future use of health services;
- wishes regarding specific health services or treatments;
- personal information collected in relation to the provision of health services; or
- genetic information.
Examples of records containing health information include hospital admission forms, medical histories, test results, sick leave certificates, medication lists and more.
When organisations are handling health information, they must comply with the Health Privacy Principles, (HPPs) which are set out in the Health Records Act 2001(Vic). The HPPs are similar to the IPPs, but not the same. If you have questions about the HPPs, or if you would like to make a complaint about the handling of health information, you can contact the Victorian Health Complaints Commissioner on 1300 582 113 or go to https://hcc.vic.gov.au/ for more information.
Complain to the organisation first
If you have not attempted to resolve your complaint with the organisation directly, you should do this before brining your complaint to us. All organisations should have a designated Privacy Officer who can receive your complaint and help you resolve it.
When you complain to an organisation, be sure to give them time to respond and remember to keep a copy of what you sent them. It’s best if you can outline:
- how you believe your privacy has been breached;
- the effect the breach has had on you; and
- what you would like the organisation to do in response to your complaint.
If you’re having trouble making a complaint to an organisation, or if you’re not sure where to direct your complaint, contact us.
If you’re not satisfied with the organisation’s response, bring your complaint to us
If the organisation does not respond within approximately 30 days, or you are unsatisfied with their response, you can then bring your complaint to us. This must be done in writing. You can complete our complaint form at the top of this page and send it to us by post or email. If you would like to fill out our form in hardcopy and you don’t have a printer, let us know and can send a form to you by post.
If you have difficulty completing the form or formulating your complaint, our staff are available to assist you. We can also arrange translation and interpretation facilities.
Who can make a privacy complaint?
Ordinarily, you can only complain about an act that is a breach of your own privacy. Individuals can, however, appoint representatives to make their complaint on their behalf. A representative can be a lawyer, or they could be a family member or a friend.
Where a single act or practice has interfered with the privacy of two or more people, the PDP Act allows for a complaint to be made by one of those individuals on behalf of the whole group, but only with their consent.
Complaints by minors
There are special provisions in the PDP Act that allow for the making of complaints by and on behalf of minors. These allow minors to make complaints in their own name, or for complaints to be made on behalf of a minor by a parent, a chosen representative, or any other individual who the Commissioner is satisfied has a sufficient interest in the complaint. A minor who is capable of understanding the general nature and effect of choosing a representative may do so even if they are otherwise incapable of exercising powers.
Complaints on behalf of people with a disability
If a person is unable to complain because of a disability, the PDP Act allows for their complaint to be made by another individual authorised by that person. If a person with a disability is unable to authorise another individual, their complaint may be made by any other individual who the Commissioner is satisfied has a sufficient interest in the complaint.
Do I need a lawyer?
No. Most people who bring complaints to us do not have lawyers. The conciliation process is designed to be accessible to anyone, and our staff will guide you through the process. However, it is important to remember that our staff must remain independent — they cannot represent you, or tell you what to do. If you want to seek legal advice you can do so at any time.
Our main function is to try and help you and the organisation resolve your complaint. This process is called conciliation, and it’s all about finding ways to resolve disputes, rather than assigning blame or determining fault.
As conciliators, our staff remain independent. We do not take sides, and we do not represent either party. Our job is to help you and the organisation talk through the issues and resolve your complaint in a way that is acceptable to everyone.
OVIC’s complaints process
When we receive your complaint, we will conduct an initial review to confirm that we have all the information we need and that it’s within our jurisdiction to consider. Sometimes complaints are about matters that the Commissioner does not have the power to try to resolve, and will need to be referred to a different organisation.
If your complaint is incomplete or unclear, we can help you to refine it. We may also contact you and/or the organisation you have complained about to ask questions or to explore options for early resolution of your complaint.
After our initial review, we will formally notify the organisation by sending them a copy of your complaint (or a summary of the complaint if one has been prepared by our staff and approved by you). We will ask the organisation to contact us to have a preliminary discussion about the complaint and to explore options for resolving it. Depending on their response, we may come back to you for more information, or to get your views on alternative options for resolving matters.
If it is appropriate in the circumstances, we will try to conciliate. Conciliation may be conducted indirectly (where the parties communicate with each other through the OVIC Conciliator), over the phone or at a face to face meeting. The OVIC conciliator will decide on the best approach to conciliation in each case.
In some cases, we might decline to entertain your complaint. For example, if we think that the act or practice you have complained about does not breach the IPPs, or if we think that the organisation has already dealt adequately with your complaint.
If we think conciliation is inappropriate or has failed, or if we decline to entertain your complaint, we’ll let you know. If this happens, you can have the complaint referred to VCAT.
What is conciliation?
Conciliation is a form of alternative dispute resolution, similar to mediation. Conciliation processes can look quite different in different contexts, but they usually involve an independent person with expert knowledge (the conciliator) helping the parties to identify and agree on a fair resolution of their dispute. The conciliator cannot adjudicate or otherwise determine the outcome of your dispute. However, if required, a conciliator may use their expert knowledge of the legislative context and apply the relevant provisions of the law to challenge positions or raise relevant issues for consideration. That means a conciliator might talk to the parties about the reasonableness of their demands and arguments, or provide an opinion on other matters, such as the prospects of the complaint succeeding at VCAT.
Conciliation is voluntary and facilitated by a staff member acting as the conciliator. One of the many advantages of conciliation is that it is significantly less demanding than arguing a case before VCAT. Conciliation is also confidential — any evidence of things said or done in conciliation is not admissible before the tribunal or other legal proceedings, unless you and the organisation agree. You can find out more about conciliation here.
What happens if conciliation is inappropriate?
While it’s a very effective tool for dispute resolution, not every complaint can be resolved through conciliation. For example, this might be because:
- the parties views of the facts and/or acceptable options for resolving the matter are so different that it’s unlikely that we can find any common ground;
- the relationship between the parties has deteriorated so much that talking is unlikely to help;
- either party refuses to participate in conciliation (conciliation is voluntary, and relies on consent and collaboration to be effective).
If it doesn’t look like we will be able to resolve a complaint through conciliation, we will close the complaint and you will have an opportunity to have the matter referred to VCAT for hearing.
What happens if conciliation is unsuccessful?
If an agreement cannot be reached through conciliation, the Commissioner will write to the parties to tell them that conciliation has failed. If this happens, we will close the complaint and you will have an opportunity to have the matter referred to VCAT for hearing.
Can the Commissioner decline to entertain my complaint?
Yes. The Commissioner may decline to entertain some complaints, for example, where it doesn’t appear that the act or practice complained about is an interference with your privacy, or where the organisation has already responded adequately. The Commissioner may also decline to entertain a complaint if:
- you didn’t complain to the organisation and give them time to respond before complaining the Commissioner;
- your complaint has been dealt with under another Act, or another Act provides you with a more appropriate remedy;
- your complaint is frivolous, vexatious, misconceived or lacking in substance.
If the Commissioner declines to entertain your complaint, you will be notified in writing and provided with an explanation of the Commissioner’s reasoning. Even if the Commissioner declines to entertain your complaint, you will still have an opportunity to have the matter referred to VCAT for hearing.
What happens if OVIC can’t resolve my complaint?
If we don’t think that we can resolve your complaint through conciliation, we will write to you (and the organisation you complained about) to explain why. This might be because we decline to entertain your complaint for one of the reasons outlined above, or it might be because we have decided that conciliation is inappropriate or has failed. If we can’t resolve your complaint, you may choose:
- to have the matter referred to VCAT for hearing and determination; or
- not to pursue the matter further, or to pursue it through some other legal or political mechanism, rather than as a privacy complaint under the PDP Act.
Referral to the Victorian Civil and Administrative Tribunal
If you decide you want your complaint referred to VCAT you must tell us in writing within 60 days of receiving the Commissioner’s decision. The Commissioner has no power to extend the 60 day period. If you do not notify us in time you will lose your right to have your complaint heard by VCAT.
Unlike us, VCAT will hear evidence from both parties and make a formal determination about whether or not your privacy has been interfered with. If VCAT is satisfied that you have proven your complaint on the balance of probabilities, it can order the organisation to pay compensation or to take certain actions to remedy any harm you have suffered. You are encouraged to discuss the option of referring your complaint to VCAT with the staff member who has been dealing with your matter. You can find more information in our guidance on privacy complaints at VCAT.
Dismissing your complaint
If you decide not to have your complaint referred to VCAT, the Commissioner may dismiss the complaint. Once a complaint has been dismissed, no further action can be taken under the PDP Act in relation to the subject matter of the complaint. That is, you can’t come back later and make a new privacy complaint about the same act or practice.