Complaining about a breach of your privacy
Complaining to the Privacy Commissioner
What can I complain to the Privacy Commissioner about?
If talking directly with the organisation and/or their Privacy Officer doesn’t resolve the issue, you can go to the Privacy Commissioner.
You can complain to the Privacy Commissioner if:
- there’s been a breach of the privacy rules (for example, a breach of one of the privacy principles in the Privacy Act or the rules in a code of practice), and
- that breach caused (or may cause) some kind of loss or harm, including non-financial harm such as humiliation or loss of dignity.
For example, if your insurance company turns down an insurance claim on the basis of medical information that your doctor told your insurer without your permission, your doctor’s potential breach of the privacy rules might have caused you harm.
It’s also an interference with your privacy if an organisation refuses, without a proper basis, to give you access to your information or to correct information after you’ve asked for a correction (see: “How you can access your information and correct it if necessary”). But in these cases, unlike with other breaches of the privacy rules, you don’t have to show that the breach caused you some kind of loss or harm.
You can make a complaint to the Privacy Commissioner if the breach happened to you, or if you want to complain on behalf of someone else or a group of people.
How do I complain to the Privacy Commissioner?
You can complain verbally or in writing, but if you complain verbally you should put the complaint in writing as soon as possible. The Privacy Commissioner can help you with putting the complaint in writing.
To complain in writing you can write a letter yourself or you can fill in the complaint form that’s available from the Privacy Commissioner. The Commissioner also provides guidance on the type of information to include in the complaint.
What can the Privacy Commissioner do about my complaint?
Privacy Act 2020, ss 74–78, 123, 133
The Privacy Commissioner will decide whether to investigate your complaint, and if they do investigate, will decide whether there’s been a breach of the privacy laws that has caused you, or someone else, loss or harm. The Commissioner can refer the complaint to the Ombudsman if the Commissioner thinks this would be more appropriate (see: “The Ombudsman: Watchdogs over government”). At every stage of the investigation the Commissioner will try to help the two sides resolve the complaint.
The Privacy Commissioner has the power to issue compliance notices to make an organisation do or stop something. If they don’t comply, they could get a penalty of up to $10,000.
What happens if my complaint can’t be resolved?
If your complaint isn’t settled during the investigation, the Privacy Commissioner will send both sides a letter with an initial opinion of how the law should apply to the complaint. Both sides will get an opportunity to comment. Once the Commissioner has taken those comments into account, and if the complaint is still not settled or withdrawn, the Commissioner will come to a final opinion.
The Privacy Commissioner’s opinions on privacy complaints aren’t legally binding, but they’re taken seriously.
If the Commissioner decides that your complaint is justified, they may refer it to the Director of Human Rights Proceedings, who will decide whether to take the case to the Human Rights Review Tribunal. If the Privacy Commissioner thinks there hasn’t been an interference of your privacy, you can take the matter to the Human Rights Review Tribunal yourself.
What can the Human Rights Review Tribunal do?
If your complaint goes to the Human Rights Review Tribunal, the Tribunal will make a decision about whether there has been a breach of the privacy laws, and can award you damages (money) and other remedies. For more information about going to the Tribunal, see: “Taking action: what you can do if you’re discriminated against”.
