Currently, there is no common law action (i.e. a right to sue) for a privacy breach.

However, if the organisation you're complaining about falls under NSW or Commonwealth laws, there are statutory remedies available.

NSW or Australian-based law?

The most important thing to do first, is to figure out if the organisation you want to complain about is covered under the NSW legislation, or the Commonwealth legislation.

NSW LAWS COMMONWEALTH LAWS
· state government agencies,

· local councils,

· universities in NSW, and

· Ministers and Minister's offices.

 Organisations (a sole trader, body corporate, company, trust and others) with a turnover of $3million or more per year*

*exceptions apply

If the organisation you're complaining about falls under the NSW laws, you need to look at:

  • the Privacy and Personal Information Protection Act 1998 (PPIP Act), and
  • the Health Records Information Privacy Act 2002 (HRIP Act).

Complaints under both of these acts fall to the NSW Information and Privacy Commissioner ('IPC).

If the organisation was under Commonwealth laws, you'll need to look at the Privacy Act 1988 (Cth). The body that oversees that Act is the Office of the Australian Information Commissioner ('OAIC).

Actioning a NSW-based privacy breach complaint

In NSW, you can go straight to the IPC to make the initial complaint. Alternatively, you can go directly to the agency in which the complaint is about. The complaint needs to be in writing, and made within six months of the alleged conduct.

You should include:

  • You name/identification details;
  • Contact details
  • the nature of the complaint;
  • the IPP/HPIP that was breached and why you say it was breached;
  • your proposed solution.

Make sure you keep a record of your complaint and when and how it was sent.

Following the completion of an internal review, an agency may do one or more of the following:

  • take no further action on the matter
  • make a formal apology to you
  • ensure that the conduct will not occur again (e.g.change practices and/or provide training to staff), and/or
  • take appropriate remedial action (e.g., correct an inaccurate record).

The NSW Privacy Commissioner does not have the power to award compensation from a complaint or internal review.

You will be informed of the findings of the review, and the action proposed to be taken by the agency, if any. The internal review report should also advise you of your further review rights.

Review a NSW decision

If no review has been completed with 60 days, or you are unsatisfied with the findings, you can make an application under section 55 of the PPIP Act to NCAT for a review of the original complaint.

The NSW Privacy Commissioner is independent, and does not represent applicants or agencies at NCAT.

You must lodge your application with NCAT within 28 days of receiving the report telling you about the outcome of your internal review from the agency (or 28 days after the 60-day time limit expired).

NCAT can make various decisions including:

  • not to take any action
  • awarding compensation (damages) of up to $40,000 for any financial loss, or psychological or physical harm, because of the conduct of the agency or body
  • requiring the agency or body to stop any conduct or action which contravenes an information protection principle or a health privacy principle
  • requiring the performance of an information protection principle or a health privacy principle
  • correcting personal information that has been disclosed.

If you are not satisfied with NCAT's decision you may have the right of appeal to the Appeal Panel, if you can establish that the Tribunal went wrong either in the procedure it followed, or the way it applied the law to the facts of your case. Learn more about appeals.

In some instances there is also a right of appeal to the NSW Supreme Court- external site. If you are not sure of your appeal rights you should seek legal advice.

Actioning a Commonwealth-based complaint

To action a complaint under the Privacy Act, you must complaint to the original organisation before you can approach the OAIC.

The complaint needs to be made within twelve months of your discovery the alleged conduct.

You should include:

  • Your name/identification details;
  • Contact details
  • the nature of the complaint;
  • the APP that was breached and why you say it was breached;
  • your proposed solution.

The OAIC has provided an example template for complaints:

Dear Privacy Officer,

I am writing to you to make a privacy complaint, about how [name of agency/organisation] has handled my personal information.

On [date].[provide an explanation of what happened, including as much detail as possible].

As a result of this.[explain the impact the incident has had on you and why you are concerned about this].

To resolve this complaint, I would like your organisation to.[outline what you are seeking to resolve the complaint].

Please call me on [your phone number] to discuss the complaint.

If I do not receive a response from [name of agency/organisation] within a reasonable time (generally 30 days) or the complaint is not resolved, I may contact the Office of the Australian Information Commissioner (OAIC) to make a privacy complaint.

Yours sincerely,

[Your name]

You then need to give the organisation at least 30 days to respond.

Next Steps in a privacy breach complaint

If you're not happy with the outcome, or they don't respond to your complaint within 30 days, you can lodge a complaint with the OAIC.

The complaint must be in writing and you can use an online form or download a form to email, mail, or fax.

If you decide to write to the OAIC (by email, fax or post) make sure your complaint includes:

  1. your name and contact details - the OAIC can't investigate an anonymous complaint
  2. any relevant reference numbers or identifiers
  3. the name of the organisation or agency you're complaining about
  4. a brief description of your privacy complaint (what happened and when)
  5. any action the organisation or agency you complained to has taken to fix the problem
  6. a copy of any relevant document (such as your complaint to the organisation or agency and their response)
  7. what outcome you'd like

The OAIC will often then write to the organisation to agency complained about and ask for their response. The response is then provided to you.

The matter will then usually go to a conciliation. The Conciliation will be an opportunity for the complaining and the organisation to try and work out a solution that best fits them.

If the matter doesn't resolve at conciliation, the OAIC will decide whether to investigate the complaint in detail, or to close the complaint with no resolution.

The OAIC can make the following possible outcomes for a complaint that is substantiated:

  • taking steps to address the matter (such as being given access to personal information or having a record corrected)
  • an apology
  • a change to the practices or procedures of the organisation or agency you complained about
  • training staff
  • compensation for financial or non-financial loss
  • other non-financial options (such as a complimentary subscription to a service)

Review of OAIC Determination

If you're unhappy with the determination of the complaint by the OAIC, you can seek a judicial review.

If you think the result was not legally correct under the Privacy Act 1988 (Cth), you may apply to the Federal Court of Australia or the Federal Circuit Court for a review of:

  • the decision not to investigate or not to investigate further your complaint, or
  • the determination made following the investigation of the complaint.

You may also apply to the Administrative Appeals Tribunal for a merit review of the OAIC determination.

You must apply to the court within 28 calendar days of the OAIC decision or determination.

The court won't review the merits of your complaint, but they may refer the matter back to the OAIC to reconsider - if they find the OAIC decision or determination was wrong in law or they didn't exercise our powers properly.