Complaining about a breach of your privacy
Complaining to the Privacy Commissioner
What issues can I complain to the Privacy Commissioner about?
You can complain to the Privacy Commissioner if:
- there’s been a breach of the privacy rules (for example, a breach of one of the privacy principles in the Privacy Act or the rules in a code of practice), and
- that breach caused you (or may cause you) some kind of loss or harm, including non-financial harm such as humiliation or loss of dignity.
An example could be if your doctor discloses medical information about you to an insurance company without your permission, and on the basis of that information your insurance claim is turned down.
It’s also an interference with your privacy if an organisation refuses, without a proper basis, to give you access to your information or to correct information after you’ve asked for a correction (see in this chapter “How you can access your information, and correct it if necessary”). But in these cases, unlike with other breaches of the privacy rules, you don’t have to show that the breach caused you some kind of loss or harm.
How do I complain to the Privacy Commissioner?
You can complain verbally or in writing, but if you complain verbally you should put the complaint in writing as soon as practicable. The Privacy Commissioner can help you with putting the complaint in writing.
To complain in writing you can write a letter yourself or you can fill in the complaint form that’s available from the Privacy Commissioner. The Commissioner also provides guidance on the type of information to include in the complaint.
What can the Privacy Commissioner do about my complaint?
The Privacy Commissioner will decide whether to investigate your complaint, and if they do investigate, will decide whether there’s been a breach of the privacy laws that has caused you loss or harm. The Commissioner can refer the complaint to the Ombudsmen if the Commissioner thinks this would be more appropriate (for information about the Ombudsmen, see the chapter “Dealing with government agencies”). At every stage of the investigation the Commissioner will try to help the two sides resolve the complaint.
Note: Under the Privacy Act 1993 the Privacy Commissioner couldn’t fine or prosecute an organisation, or order it to pay compensation, for breaching the privacy laws. From 1 December 2020 the Privacy Commissioner has the power to issue compliance notices to make an organisation do or stop something. If they don’t comply they could get a penalty of up to $10,000.
What happens if my complaint can’t be resolved?
If your complaint isn’t settled during the investigation, the Privacy Commissioner will form a provisional opinion on how the law applies to the complaint. This will be sent to both sides, giving both sides an opportunity to comment. Once the Commissioner has taken those comments into account, and if the complaint is still not settled or withdrawn, the Commissioner will come to a final opinion.
The Privacy Commissioner’s opinions on privacy complaints aren’t legally binding, but they’re taken seriously.
If the Commissioner decides that your complaint is justified, they may refer it to the Director of Human Rights Proceedings, who will decide whether to take the case to the Human Rights Review Tribunal.
What can the Human Rights Review Tribunal do?
If your complaint goes to the Human Rights Review Tribunal, it will make a decision about whether there has been a breach of the privacy laws, and can award you damages (the payment of money) and other remedies. (For more information about going to the tribunal, see “Taking action: what you can do if you’re discriminated against” in the chapter “Discrimination”.)
Note: If the Privacy Commissioner thinks there hasn’t been an interference you’re your privacy, you can still take the matter to the Human Rights Review Tribunal yourself.