Members of the public may raise concerns about how your organisation has handled their personal information. These complaints may come to you directly or you may be notified of a complaint through OVIC.
Either way, it is likely that you will be involved in investigating the concerns, working out whether there has been an interference with privacy and trying to resolve the complaint.
Direct complaints from individuals
Where a member of the public has privacy concerns, they should usually complain directly to the organisation first.
Direct complaints give your organisation an opportunity to resolve complaints quickly and efficiently before they have a chance to escalate.
If the individual remains dissatisfied with the response or you are not able to reach agreement, then the individual can make a formal complaint to OVIC.
Privacy complaints are sometimes made to front-line staff who do not identify a privacy issue and so do not recognise the need to refer the individual on to the organisation’s Privacy Officer. It’s important to ensure your organisation’s staff know how to refer a privacy complaint internally to avoid complaints escalating to OVIC before the Privacy Officer has had a chance to respond to it directly.
Bear in mind that usually the person or business unit a complaint is about will have the best chance of resolving a complaint, if it responds to the complaint directly. So you may wish to support your colleagues to respond to complaints rather than being primarily responsible for the management of complaints yourself.
Respond in a timely manner
In general, complaints get harder to resolve the longer they stay open. This can be because complainants become frustrated with delays, their expectations of a significant outcome increase, or they can start to raise new issues.
Many complaints escalate to OVIC because the complainant is frustrated by not receiving a timely response to their complaint, or because they have not been kept updated on the progress of the complaint.
Respond fairly and in a way that respect privacy
Often a complainant will not ultimately achieve what they hoped from a complaint process. However, some complainants will nevertheless be satisfied if they feel the respondent organisation has genuinely listened to their concerns, treated them respectfully, and that the process has been fair.
In responding to the Complainant, try to set out specific steps that your organisation took to investigate the allegations. Even if the investigation has not resulted in evidence to substantiate the allegation, this will demonstrate a genuine attempt to get to the truth of the matter. It can also allow the complainant to suggest further investigative steps that, if reasonable, may assist the organisation in its inquiries.
In most cases it will not be practical to investigate a complaint if you cannot contact the complainant for further information or disclose their identity. However, you should ensure you manage the complaint in accordance with the IPPs. To avoid any inappropriate disclosures, make sure that any sharing of the complainant’s personal information within your organisation is restricted to a ‘need to know’ basis.
Provide a clear response
When you respond to the complainant and present your investigation’s findings, make sure the response is accessible and your organisation’s reasoning is clearly set out. Your organisation may have a good reason for a particular policy or practice, but if it is poorly explained, the complaint may escalate to OVIC unnecessarily.
Consider remedies, if appropriate
Where your organisation has made a mistake when handling the complainant’s personal information, you should be prepared to admit this and try to reach an agreement for resolving the complaint.
Remedies should be fair, practical and proportionate to the seriousness of the issue. So, you should listen to the Complainant’s description of how they have been harmed. Remember that the same issue will not affect everyone in the same way, so be conscious of the Complainant’s particular circumstances and experiences.
Also remember that this can involve negotiating and being flexible. If you can’t provide the outcomes that the Complainant has asked for initially, consider if there is anything else you can offer as an alternative to resolve the complaint.
If you conclude that your organisation made a mistake, you should apologise. If you are considering making an apology it should usually be a full apology. A partial apology, that acknowledges the individual’s suffering without accepting any responsibility, can be worse than no apology at all.
Also consider the timing of the apology and how it may be perceived by the Complainant. If offered too early in the process, before the Complainant has had an opportunity to tell their story, they may feel dismissed. Also consider how the apology should be offered, the format and which representative of your organisation should be making the apology.
Best practice complaint management
You can find out more information about complaint handling by reading the Victorian Ombudsman’s Good Practice Guide to Complaint Handling for Victorian Public Sector Agencies. The Guide outlines the guiding principles and practical steps involved in the three key stages of good complaint handling.
Complaints notified by OVIC
At OVIC, our main role is to try to resolve privacy complaints through an alternative dispute resolution process called conciliation. If we are unable to resolve a complaint, the complainant has the right to have the matter referred to the Victorian Civil and Administrative Tribunal (VCAT).
The role of the OVIC conciliator may involve gathering information from both parties; providing our non-binding views on the interpretation of the PDP Act; and testing different options for reaching a settlement.
It may also involve hosting a conciliation meeting between the parties (either in person, via telephone or video conference)
Our Privacy complaints at OVIC – Guide for Respondents outlines our complaint process and includes information about how to best approach it.