Privacy Commissioner releases guidelines for external dispute resolution schemes under section 35A of the Privacy Act 1988

August 8, 2013

Last week, on 1 August, the Office of the Information Commissioner commenced the consultation process on its Guidelines for recognising external dispute resolution schemes under section 35A of the Privacy Act 1988. The Privacy Commissioner’s online post is found here. The consultation process closes on 30 August 2013.

The draft guidelines relevantly provide as follows:

Key messages

  1. In developing these guidelines, the Information Commissioner acknowledges the expertise and experience of existing industry external dispute resolution (EDR) schemes, and the important role these schemes play alongside the Office of the Australian Information Commissioner (OAIC) in relation to privacy complaint handling.
  2. The Information Commissioner also acknowledges that there are a range of existing recognition mechanisms for those schemes, and the importance of not unduly burdening existing schemes where their existing recognition mechanism generally covers the same matters required by the Privacy Act 1988 (the Privacy Act) for recognition.
  3. Recognition of an EDR scheme is undertaken by the Information Commissioner under s 35A of the Privacy Act. EDR schemes must demonstrate their accessibility, independence, fairness, accountability, efficiency and effectiveness to be recognised by the Information Commissioner. The recognition requirements, as set out in s35A, are based on the Benchmarks for Industry Based Customer Dispute Resolution Schemes developed in 1997 by the then Australian Government Department of Industry, Science and Tourism. Most existing EDR schemes are required to, or do, design their operations in accordance with these benchmarks.
  4. To be recognised under the Privacy Act, EDR schemes should also meet additional requirements in relation to privacy-related complaints. In most cases existing schemes handling privacy complaints will already be meeting most of these additional requirements.
  5. Additional requirements for recognition of an EDR scheme under the Privacy Act involve accountability, reporting and regular reviews. Again, most existing schemes will already be subject to similar requirements from their existing recognition mechanism. Wherever possible these existing requirements can be utilised by existing schemes in relation to the requirements under these guidelines. Some additional supplementary requirements may be required for ongoing Privacy Act recognition.
  6. The detail in these guidelines should generally assist a proposed new EDR scheme which is not already recognised under another recognition scheme, and/or does not have a statutory basis for their operation, in seeking recognition under the Privacy Act to understand the full extent of what is required for initial and ongoing recognition.

Part 1 – Purpose and objectives of the guidelines

The purpose of these guidelines

1.1  The Office of the Australian Information Commissioner (OAIC) developed these guidelines to assist external dispute resolution (EDR) schemes to understand:

  • the Information Commissioner’s process for recognising EDR schemes
  • how the Information Commissioner will assess the matters that must be taken into account when recognising an EDR scheme
  • the conditions relating to privacy complaints that the Information Commissioner may require of an EDR scheme for recognition
  • if necessary, how the Information Commissioner may vary or revoke an EDR scheme’s recognition.

The legislation

1.2  The Privacy Act 1988 (the Privacy Act) gives the Information Commissioner the discretion to recognise EDR schemes to handle privacy-related complaints (s 35A). The Privacy Act also gives the Information Commissioner the discretion to decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made, or which the Information Commissioner has accepted, if the Information Commissioner is satisfied that the act or practice:

  • is being dealt with by a recognised EDR scheme (s 41(1)(dc)), or
  • would be more effectively or appropriately dealt with by a recognised EDR scheme (s 41(1)(dd)).

1.3  Additionally, a credit provider must be a member of a recognised EDR scheme to be able to participate in the credit reporting system (s 21D(2)(a)(i)).

1.4  The OAIC supports the use of EDR schemes by individuals seeking to have a privacy-related complaint resolved. Information about how and when the Information Commissioner will decide not to investigate a complaint or will transfer the complaint to a recognised EDR scheme is set out in enforcement guidelines issued by the OAIC.

Complaint-handling for entities under the Privacy Act

Complaint-handling by Australian Privacy Principles entities

1.5  An entity bound by the Australian Privacy Principles (an APP entity) must implement practices, procedures and systems to deal with privacy-related inquiries or complaints from individuals (APP 1.2).

1.6  An individual’s complaint will generally follow a three-stage process:

  • the individual first makes a complaint to an APP entity
  • if the individual is not satisfied with the outcome, the individual may make a complaint to a recognised EDR scheme of which that APP entity is a member
  • if an APP entity is not a member of a recognised EDR scheme, or the individual is not satisfied with the outcome of the EDR process, the individual may make a complaint to the Information Commissioner under s 36 of the Privacy Act.

Complaint-handling by credit reporting bodies and credit providers

1.7  The Privacy Act contains more prescriptive requirements for credit reporting bodies’ and credit providers’ complaint handling processes. Like APP entities, credit reporting bodies and credit providers must implement practices, procedures and systems to deal with privacy-related enquiries or complaints from individuals (ss 20B(2) and 21B(2)). In addition, Division 5 of Part IIIA of the Privacy Act sets out how credit reporting bodies and credit providers must deal with complaints about credit-related information.

1.8  A credit provider must also be a member of a recognised EDR scheme to be able to disclose information to credit reporting bodies (s 21D).

1.9  The general complaint-handling scheme for credit-related complaints is modified for credit reporting bodies and credit providers where the complaint relates to an individual’s request for access to, or correction of, their credit-related information. If an individual requests access to, or correction of, their credit-related information and the request is refused, the individual will not have to then make a complaint to that credit reporting body or credit provider. Rather, the individual may make a complaint directly to a recognised EDR scheme of which the credit reporting body or credit provider is a member, or to the Information Commissioner (s 40(1B)).

The Privacy Act process for EDR scheme recognition

1.10  The process by which the Information Commissioner exercises his or her discretion to recognise EDR schemes is outlined in s 35A of the Privacy Act as follows:

  1. The Commissioner may, by written notice, recognise an EDR scheme for an entity or a class of entities; or for a specified purpose.
  2. In considering whether to recognise an EDR scheme, the Commissioner must take the following matters into account:
    1. the accessibility of the EDR scheme
    2. the independence of the EDR scheme
    3. the fairness of the EDR scheme
    4. the accountability of the EDR scheme
    5. the efficiency of the EDR scheme
    6. the effectiveness of the EDR scheme
    7. any other matter the Commissioner considers relevant.
  3. The Commissioner may:
    1. specify a period for which the recognition of an EDR scheme is in force
    2. make the recognition of an EDR scheme subject to specified conditions, including conditions relating to the conduct of an independent review of the operation of the EDR scheme; and
    3. vary or revoke:
      i. the recognition of an EDR scheme
      ii. the period for which the recognition is in force
      iii. a condition to which the recognition is subject.

1.11  In general, the Information Commissioner will recognise an EDR scheme ‘for a specified purpose’. That is, an EDR scheme will be recognised for dealing with a particular type or range of complaints, such as ‘complaints relating to an act or practice that is an interference with the privacy of an individual under ss 13-13F of the Privacy Act’.

1.12  A recognised EDR scheme is not expected to handle complaints outside its scope, or terms of reference (where applicable).

1.13  A notice of recognition of the EDR scheme will be recorded on a register of recognised EDR schemes maintained by the OAIC on its website. This notice will include the purpose of the EDR scheme’s recognition.

The Information Commissioner’s objectives in recognising EDR schemes

1.14  In exercising the discretion to recognise an EDR scheme, the Information Commissioner’s aims are to:

  • simplify the resolution of privacy-related complaints for individuals
  • ensure credit providers can become members of schemes, a prerequisite for credit providers to disclose credit information to a credit reporting body
  • implement Parliament’s decision to formally create a tiered complaint process in relation to privacy complaints
  • increase consistency and best practice in privacy-related complaint-handling across industries
  • maximise the use of specialist industry knowledge
  • avoid fragmenting among multiple dispute resolution bodies an individual’s complaint, which may include a privacy and service-delivery aspect
  • align the requirements for recognition as much as possible with relevant existing regulatory schemes for EDR recognition.

1.15  By achieving these aims, the following outcomes for individuals, EDR schemes and the Information Commissioner’s Privacy Act functions should be realised:

Outcomes for individuals

1.16  Recognising EDR schemes under the Privacy Act benefits individuals by:

  • providing a free, quick and informal alternative dispute resolution process to resolve an individual’s privacy-related complaint
  • simplifying the complaints process where it involves multiple issues, not just a privacy aspect.

Outcomes for EDR schemes

1.17  Recognising EDR schemes under the Privacy Act benefits EDR schemes by:

  • empowering EDR schemes with the ability to offer its members and individuals a dispute resolution process, for complaints which include a privacy aspect, that is recognised by the Privacy Act
  • developing industry specific privacy compliance knowledge and enhancing privacy practices in the industry.

Outcomes for APP entities

1.18  Recognising EDR schemes under the Privacy Act benefits APP entities by:

  • developing industry standards for complaint handling across all entities bound by the code
  • providing an opportunity for APP entities to demonstrate their commitment to privacy by offering customers an additional avenue for privacy-related concerns through the EDR scheme
  • offering support and expertise in privacy-related complaint handling from EDR schemes which APP entities choose to join.

Outcomes for the Information Commissioner’s Privacy Act functions

1.19  The performance of the Information Commissioner’s functions under the Privacy Act will be enhanced by the recognition of EDR schemes by:

  • formally acknowledging and supporting the role that EDR schemes play in resolving privacy complaints
  • providing an opportunity to increase consistency in how privacy-related complaints are dealt with across different industries
  • decreasing the fragmentation of complaints across multiple dispute resolution bodies when the complaint arises from a single set of facts
  • leveraging existing specialist knowledge and practices in particular industry sectors to resolve disputes.

Part 2: The external dispute resolution scheme benchmarks

2.1  Under s 35A(2)(a) to (f) of the Privacy Act, when considering whether to recognise an EDR scheme the Information Commissioner must take into account the accessibility, independence, fairness, accountability, efficiency and effectiveness of the EDR scheme and, under s35A(2)(g), any other matter the Commissioner considers relevant (for the latter see Part 3).

2.2  The matters which the Information Commissioner must take into account are based on the benchmarks developed in 1997 by the then Department of Industry, Science and Tourism (DIST) for industry-based customer dispute resolution schemes (DIST benchmarks). These benchmarks are still considered best practice requirements. The underlying principle for each DIST benchmark is set out in Appendix A: DIST Benchmarks of these guidelines. DIST also identified the purpose of each benchmark and key practices that could be used to assess whether an EDR scheme meets each benchmark.

2.3  Outlined below is some detail about the benchmarks and key practices that will assist applicants in understanding how the Information Commissioner will consider the matters in s 35A(2)(a) to (f), which must be taken into account in considering an application for recognition. Most existing schemes will be able to readily demonstrate that they meet these criteria through providing information on their existing recognition process or their statutory basis where that is relevant. More information about how existing schemes can practically demonstrate they meet these criteria is outlined in Part 5. 

Accessibility of an EDR scheme

2.4  An EDR scheme can demonstrate accessibility through, for example:

  • actively promoting its services to individuals
  • ensuring access to and the ease of use of its services
  • generally providing its services to individuals free of charge
  • training its staff to handle complaints and to be able to explain the functions and powers of the EDR scheme in simple and clear terms
  • encouraging informal and alternative methods of dispute resolution
  • encouraging parties to only involve legal representatives when special circumstances require this expertise.

The independence of the EDR scheme

2.5  An EDR scheme must be able to undertake its dispute resolution work independent of those sectors of industry that fall within its jurisdiction and provide its funding. Approaches demonstrating an EDR scheme’s independence from its members may include, for example:

  • establishing a governance body to oversee the EDR scheme’s operation
  • having a principal decision-maker responsible for deciding complaints and appropriate delegations in place
  • ensuring the principal decision-maker and staff of the EDR scheme are not able to be inappropriately influenced by EDR scheme members in relation to the EDR scheme’s decisions or operation
  • being resourced appropriately to carry out the scheme’s functions
  • consulting widely with relevant stakeholders in developing or changing the EDR scheme’s scope.

The fairness of the EDR scheme

2.6  An EDR scheme’s procedures should accord procedural fairness and should be transparent to all parties to a complaint. An EDR scheme can achieve fairness through, for example:

  • basing decisions on what is fair and reasonable in all the circumstances
  • affording procedural fairness to all parties using the EDR scheme
  • requiring EDR scheme members to provide all information that they hold, relevant to a complaint, to the EDR scheme
  • ensuring the EDR scheme appropriately respects the confidentiality of information provided to it for the purposes of resolving complaints.

The accountability of the EDR scheme

2.7  Accountability ensures continuing public confidence in the EDR scheme. It also assists EDR scheme members to assess and improve their personal information handling practices. An EDR scheme can publicly account for its operations by, for example, publishing in accessible formats:

  • notable decisions
  • the EDR scheme’s rules
  • an annual report.

The efficiency of the EDR scheme

2.8  An EDR scheme operates efficiently when, for example, it:

  • deals only with complaints within its scope
  • does not handle complaints that have been dealt with, or are being dealt with, by another dispute resolution forum
  • keeps track of complaints
  • regularly reviews its performance.

The effectiveness of the EDR scheme

2.9   An EDR scheme can demonstrate its effectiveness by, for example:

  • ensuring the scope of the EDR scheme is clear and sufficient to deal with privacy-related complaints
  • ensuring systems are in place to refer complaints about the EDR scheme to an overseeing entity (where applicable)
  • having mechanisms in place to bind EDR scheme members to the rules and decisions of the EDR scheme.

Part 3: Privacy and other considerations

3.1  Under s 35A(2)(g) of the Privacy Act, the Information Commissioner must take into account any other matter he or she considers relevant when considering whether to recognise an EDR scheme.

3.2  Matters considered relevant for this purpose are related to an EDR scheme’s ability to handle privacy-related complaints and the benefits of recognising EDR schemes that operate under existing regulatory regimes. This includes:

a)  the remedies the EDR scheme can provide for privacy-related complaints

b)  the EDR scheme’s commitment to privacy

c)  the impact on credit providers of not recognising a particular EDR scheme.

Remedies for privacy-related complaints

3.3  The Information Commissioner will consider whether the EDR scheme has appropriate powers to provide individuals with sufficient remedies for their privacy-related complaints. The Information Commissioner will consider the extent to which those remedies are:

  • generally consistent with relevant remedies available to the individual if the individual complained to the Information Commissioner rather than the EDR scheme
  • generally used consistently with remedies awarded if the individual complained to the Information Commissioner rather than the EDR scheme.

3.4  An EDR scheme should be able to provide information to the parties on appropriate remedies to assist them in their attempt to settle their dispute. The EDR scheme should be open and transparent about the types of remedies it can order when making a decision.

Remedies in the course of settling a dispute

3.5  The aim of an alternative dispute resolution process, such as conciliation, negotiation or mediation, is to reach a settlement that will resolve the complaint of the individual. In general, a resolution that the parties reach together, rather than having imposed upon them, leads to a greater commitment to the outcome and to a greater likelihood of compliance.

3.6  In resolving the complaint, the parties can reach an arrangement that includes any remedy that is lawful. The facilitator overseeing the alternative dispute resolution process should consider and provide information to parties on the range of remedies that could be pursued.

3.7  Remedies for privacy-related complaints may include one or more of the following:

  • an apology to the individual
  • being provided with access to information or charges for access being reduced
  • compensation
  • correction or amendment of a record
  • extra services or services at reduced costs
  • the respondent entity improving systems or procedures, including changed or upgraded security arrangements for personal information
  • privacy notices being changed or updated
  • staff training for the respondent entity.

Remedies in the course of making a decision

3.8  An EDR scheme’s decision-maker should have the power to make binding decisions on the respondents. Those powers should include the ability to provide remedies that are generally consistent with the declarations available to the Information Commissioner when he or she makes a determination under s 52 of the Privacy Act.

Review of dispute resolution process

3.9  An EDR scheme may conduct an internal review of the outcome if an individual is not satisfied with the EDR scheme’s alternative dispute resolution process or decision. EDR schemes should conduct internal reviews where appropriate.

3.10  An EDR scheme should also provide the individual with information about making a complaint to the Information Commissioner either at the end of the internal review process, or if no review process is available, at the time of decision.

Commitment to privacy

3.11  The Information Commissioner notes that some EDR schemes may not be APP entities and so will not be subject to the APPs in the Privacy Act (although they may be covered by state or territory laws for handling personal information). Where EDR schemes are not bound by the APPs, the Commissioner will require them to have a privacy policy to explain how the scheme manages the personal information it collects, and the information flows associated with that information. Without limiting the contents of the privacy policy, the policy should include information similar to that required by APP 1.4.

3.12  If there are significant differences between the way the EDR scheme handles personal information and the requirements of the Privacy Act, the EDR scheme should draw this to the Commissioner’s attention and outline those differences.

3.13  An EDR scheme must take such steps as are reasonable in the circumstances to make its privacy policy available free of charge, in an appropriate form and readily accessible.

Impact on credit providers

3.14  A credit provider must be a member of a recognised EDR scheme to be able to disclose credit information to a credit reporting body (s 21D(2)(a)(i)). Therefore the Information Commissioner will consider the impact on credit providers of not recognising a particular EDR scheme. For the credit reporting system to function as intended, at least one EDR scheme that credit providers can join must be recognised.

Avoiding the need for credit providers to join an additional EDR scheme

3.15  Credit providers, as defined in s 6G of the Privacy Act, include entities from a range of industries including banks, utility providers and telecommunication service providers. The Information Commissioner is aware that many credit providers are already members of EDR schemes. In some instances, other regulatory regimes require those credit providers to be members of particular EDR schemes.

3.16  The Information Commissioner is mindful of the burden that would be imposed on credit providers if they were required to join an additional EDR scheme for the purposes of participating in the credit reporting system. The Information Commissioner is also mindful that privacy-related complaints are often part of a wider complaint about the provision of goods or services. If a credit provider was required to join an EDR scheme in relation to privacy-related complaints, but was a member of a different EDR scheme in relation to other complaints, there would be the risk of fragmenting the individual’s complaints between two or more EDR schemes. This may make resolving disputes more difficult, impose extra costs on industry, and lead to confusion for individuals making privacy-related complaints. This outcome will be avoided where possible.

Ensuring that all credit providers are eligible to join a recognised EDR scheme

3.17  The Information Commissioner is aware that EDR schemes may limit their membership to certain entities for legitimate reasons. The Information Commissioner is mindful that if a credit provider is not eligible to join any recognised EDR scheme the credit provider will be unable to participate in the credit reporting system.

3.18  While it is not the responsibility of the Information Commissioner to ensure that a recognised EDR scheme exists for each credit provider to join, the Information Commissioner will take this consideration into account. The Information Commissioner may, for example, conditionally recognise an EDR scheme as outlined in Part 4 of these guidelines.

Part 4: The conditions for continuing recognition

4.1  Under s 35A(3) of the Privacy Act, the Information Commissioner may:

a)  specify a period for which the recognition of an EDR scheme is in force

b)  make the recognition of an EDR scheme subject to specified conditions, including conditions relating to the conduct of an independent review of the operation of the EDR scheme.

4.2  The Information Commissioner will generally recognise EDR schemes on an on-going basis. However, the recognition will be subject to specified conditions with which the EDR scheme must continue to comply for the recognition to remain in force.

Specified period of recognition

4.3  In some circumstances, the Information Commissioner may recognise an EDR scheme for a specified period of time, and review the EDR scheme’s recognition at the end of that period. These circumstances include when:

  • the EDR scheme’s role in the regulatory framework for the industry is changing
  • the EDR scheme is at risk of having its recognition revoked under another regulatory regime, or
  • the EDR scheme is going to cease operating, or cease to handle the types of complaints that the EDR scheme has been recognised for.

4.4  The Information Commissioner may also recognise an EDR scheme for a specified period of time or subject to additional conditions where the EDR scheme substantially meets the Commissioner’s requirements for recognition, but requires more time to fully implement the necessary changes to meet those requirements. In such circumstances the Commissioner may recognise the EDR scheme in a limited capacity to minimise the risk of fragmenting the handling of complaints related to the same goods and services that involve both privacy and service delivery related aspects.

Specified conditions of recognition

4.5  The Information Commissioner will make the recognition of all EDR schemes subject to the following specified conditions (as discussed further below):

  • providing the Commissioner with an independent review of the EDR scheme at least once every five years
  • meeting the Commissioner’s requirements for reporting serious or repeated interferences with privacy and systemic issues and data on privacy-related complaints
  • other general conditions appropriate for handling privacy-related complaints.

Independent review

4.6  Regular and independent review of an EDR scheme’s performance is a key practice to indicate an EDR scheme’s efficiency. The Information Commissioner may make the recognition of an external dispute resolution scheme subject to specified conditions, including the conduct of an independent review of the operation of the EDR scheme (s 35A(3)(b)).

4.7  The Information Commissioner requires a recognised EDR scheme to commission an independent review of the EDR scheme’s privacy-related complaint-handling, operations and procedures at least once every five years. The independent review of the EDR scheme’s privacy-related complaint-handling, operations and procedures can be conducted as part of a broader independent review of the EDR scheme.

4.8  The EDR scheme should notify the Information Commissioner about the terms of the review and the appointment of an independent reviewer before the review commences. The Commissioner may request that the review examine other matters the Commissioner considers relevant.

4.9  The review should be undertaken in consultation with relevant stakeholders (such as the EDR scheme’s members and relevant consumer groups) and should examine:

  • the EDR scheme’s ongoing ability to satisfy the matters the Information Commissioner must take into account when recognising an EDR scheme as outlined in Parts 2 and 3 of these guidelines
  • the EDR scheme’s ongoing ability to satisfy the conditions of the EDR scheme’s recognition as outlined in Part 4 of these guidelines
  • how satisfied individuals and EDR scheme members are with the operation of the scheme
  • any other relevant matters, including matters the Commissioner considers relevant following notification by the EDR scheme to the Commissioner of the independent review’s terms of reference.

4.10  The EDR scheme should provide relevant parts of the report of the review to the Information Commissioner. The Commissioner may publish relevant parts of the report on its website after consultation with the EDR scheme.

Reporting data on privacy-related complaints including serious or repeated interferences with privacy and systemic issues

4.11  The Information Commissioner considers that systematic monitoring and regular reporting of privacy-related complaints by EDR schemes will improve industry practice and help reduce the risk of privacy-related issues occurring.

4.12  In general, the objectives of requiring EDR schemes to monitor and report privacy-related complaint information are to:

  • improve the privacy practices of members of the EDR schemes
  • facilitate high-risk issues or conduct being identified and addressed in a timely manner
  • provide the Information Commissioner with data from a range of EDR schemes so that he or she can examine whether there are systemic issues across a range of sectors
  • assist the Commissioner to target community and industry awareness programs about appropriate personal information handling practices.

4.13  If an EDR scheme believes these conditions should be tailored to its membership and complaints profile, then the EDR scheme should outline these matters to the Information Commissioner when it applies for recognition.

General reporting on privacy-related complaints

4.14  In addition to their annual reporting, the Information Commissioner will generally require EDR schemes to provide privacy-related complaint information to the OAIC on an annual basis for inclusion in the OAIC’s Annual Report.[9] The information should place the information in its appropriate context – for example, by explaining why there may have been an increase in privacy-related complaints compared to the previous year.

4.15  Where possible EDR schemes should provide information about:

a)  the number of privacy-related complaints received in the financial year

b)  the average time taken to resolve privacy-related complaints

c)  for complaints finalised in the financial year:

  • the outcome of the complaint (e.g. conciliated, withdrawal)
  • the nature of any remedy awarded in finalising the complaint (e.g. compensation, apology, staff training).

d)  any systemic privacy-related issues or trends.

Monitoring and reporting serious or repeated interferences with privacy and systemic issues

4.16  To register an EDR scheme, the Information Commissioner requires the EDR scheme to have processes in place to identify, through complaints and other information received by the scheme, serious or repeated interferences with privacy, and systemic privacy issues of the EDR scheme’s members. An EDR scheme should also have processes in place to refer serious or repeated interferences with privacy and systemic privacy issues to relevant EDR scheme members for response and action or to the industry regulator where appropriate.

4.17  Serious or repeated interferences with privacy and systemic privacy issues should be reported to the Information Commissioner when an EDR scheme becomes aware of them.

4.18  If EDR scheme members do not appropriately rectify serious or repeated interferences with privacy or systemic issues within a reasonable period of time, the Information Commissioner may investigate the act or practice of an entity on the Commissioner’s own initiative under Part V of the Privacy Act. The Commissioner may also choose to investigate the act or practices of an entity under certain circumstances, such as when it is in the public interest to do so.

4.19  Serious or repeated interferences with privacy can attract a civil penalty under s 13G of the Privacy Act. More information in relation to serious or repeated interferences with privacy is available on the OAIC’s website.

Other general conditions

4.20  In addition to conditions requiring regular independent reviews and regular reports regarding privacy-related complaints, an EDR scheme’s recognition will be subject to the following general conditions. An EDR scheme must:

  • accept relevant privacy-related complaints referred to the EDR scheme by the Information Commissioner, provided the complaint falls within the EDR scheme’s scope or terms of reference (see 1.12)
  • advise the Commissioner if there is an anticipated change to the EDR scheme that is relevant to its role as a recognised EDR scheme under the Privacy Act. For example, if the EDR scheme is going to cease operating, cease to be the EDR scheme for a specific industry, or is at risk of having its recognition revoked under another regulatory regime
  • advise the Commissioner if the EDR scheme anticipates it will no longer be able to satisfy any of the matters in Parts 2, 3 or 4 of these guidelines
  • inform the Commissioner if there is an anticipated change to the EDR scheme’s ability to deal with privacy-related complaints
  • have a process in place for handling privacy-related complaints of an EDR scheme member where that EDR scheme member ceases to carry on a business, becomes insolvent or is liquidated.

Part 5: The registration process for recognition of an EDR scheme

5.1  An EDR scheme seeking to be recognised should make a written application which includes all relevant documentation. Relevant documentation, for this purpose, will be dependent on whether the EDR scheme is already recognised under another recognition scheme or has a statutory basis for its operation.

5.2  The Information Commissioner may publish an EDR scheme’s application, and any relevant documentation, on the OAIC website in the interests of transparency of the application process. Furthermore, any information provided as part of an EDR scheme’s application may be subject to obligations under the Freedom of Information Act 1982.

Schemes already recognised and/or which have a statutory basis

5.3  Existing EDR schemes that are already recognised under another recognition scheme, and/or which have a statutory basis for their operation, should include in their application:

  • a covering letter addressed to the Information Commissioner requesting recognition
  • details of previous recognition under another regulatory EDR recognition scheme and any conditions attached to that recognition (this may be met by a copy of any certificate of recognition) and/or the statutory basis for their operation
  • documentation that demonstrates adherence with the DIST benchmarks, or, in lieu of such documentation, a declaration from the Chief Executive Officer (or equivalent) that the EDR scheme works or will work within these benchmarks
  • an outline of how the EDR scheme will implement the additional privacy-related requirements set out in these guidelines
  • the relevant parts of the most recent independent review of the EDR scheme (if any)
  • if relevant:
    • how and why conditions for reporting data on privacy-related complaints should be tailored to the EDR scheme’s membership and complaints profile
    • details of communications with members, potential members, consumer representatives and other regulatory bodies about the EDR scheme being recognised by the Information Commissioner so as to demonstrate that these parties have been consulted with about the registration and informing the Information Commissioner of any outstanding issues from those consultations

Other schemes

5.4  Other EDR schemes, not already recognised under another recognition system or not having a statutory basis should include the following in their application:

  • a covering letter addressed to the Information Commissioner
  • detailed and specific information about how the EDR scheme satisfies or will satisfy the matters in Parts 2, 3 and 4 of these guidelines
  • membership details of the EDR scheme and details of any membership conditions
  • the articles of association, constitution and terms of reference, where applicable, and details of any proposals to amend these
  • if relevant, details of the membership of, and appointment to, an overseeing body
  • the most recent independent review of the EDR scheme (if any)
  • the EDR scheme’s most recent annual report
  • a summary of the complaints information the EDR scheme collects
  • details of any consultation with members, potential members, consumer representatives and other regulatory bodies about the EDR scheme being recognised by the Commissioner.
  • if relevant – how and why conditions for reporting data on privacy-related complaints should be tailored to the EDR scheme’s membership and complaints profile

All schemes

5.5  The Information Commissioner may request further documents and information from the EDR scheme during the registration process and may consider information provided by industry, consumer representatives and other interested stakeholders. If the Commissioner considers material not provided by the EDR scheme, the EDR scheme will have an opportunity to respond.

5.6  The Information Commissioner will provide a written notice of recognition to each EDR scheme that is recognised. The notice will be a public document available on a register of recognised EDR schemes maintained by the OAIC on its website and will contain details of:

  • the entity, class of entities or purpose for which the EDR scheme is recognised
  • the period for which the recognition of the EDR scheme is in force
  • any specified conditions under which the EDR scheme is recognised.

5.7  The EDR scheme should notify its members in writing that it has been recognised.

5.8  In order for the recognition to remain in force, the EDR scheme must continue to satisfy the matters in Parts 2, 3 and 4 of these guidelines and any conditions imposed by the Information Commissioner.

Varying and revoking recognition

5.9  Under s 35A(3)(c) of the Privacy Act, the Information Commissioner may vary or revoke:

a)  the recognition of an EDR scheme

b)  the period for which the recognition is in force

c)  a condition to which the recognition is subject.

5.10  Matters that may cause the Information Commissioner to vary or revoke an EDR scheme’s recognition include, but are not limited to:

  • if the EDR scheme has not complied with a condition of its recognition, for instance:
    • an independent review finds the EDR scheme does not meet one or more of the matters in Parts 2, 3 and 4 of these guidelines
    • it has been more than five years since the EDR scheme was last independently reviewed, as discussed in 4.27
    • the EDR scheme is unable to satisfy the Commissioner it meets the matters in Parts 2, 3 and 4 of these guidelines
    • a persistent failure to provide annual reports to the Commissioner and / or to report any serious or repeated interferences with privacy or systemic issues
    • the EDR scheme’s ability to deal with privacy-related complaints changes without notification to the Information Commissioner
  • the EDR scheme is no longer adequately funded to have the capacity to handle privacy-related complaints
  • conditions previously imposed by the Commissioner on the EDR scheme’s recognition are no longer warranted.

The Information Commissioner’s process for varying or revoking recognition

5.11  The Information Commissioner will provide a notice of intention in writing to the recognised EDR scheme about changes that are proposed to be made to its recognition, and provide reasons for the proposed changes. The Commissioner may also request that the EDR scheme consult its members about the proposed changes.

5.12  The EDR scheme will be given a specified period to respond to the Commissioner’s notice and provide any information that it would like the Commissioner to take into account.

5.13  In addition to the information provided by the EDR scheme, the Commissioner may consider information provided by industry, consumer representatives and other interested stakeholders as part of this process. The EDR scheme will be given an opportunity to respond to the information and evidence provided by other stakeholders.

5.14  In considering whether to vary or revoke an EDR scheme’s recognition, the Information Commissioner will consider whether:

  • the EDR scheme is able or willing to demonstrate the matters the Commissioner must take into account under s 35A(2) of the Privacy Act, as detailed in Parts 2 and 3 of these guidelines
  • the EDR scheme is able or willing to comply with conditions imposed on its recognition by the Commissioner under s 35A(3) of the Privacy Act, as detailed in Part 4 of these guidelines
  • the EDR scheme is able or willing to comply with any other conditions the Commissioner considers appropriate
  • varying or revoking the EDR scheme’s recognition would have an impact on its members and on individuals who have existing complaints lodged with the EDR scheme.

5.15  An EDR scheme may also write to the Information Commissioner requesting its terms of recognition be varied or revoked. The request should be made in writing and give reasons for its request, including details of any consultation the EDR scheme has had with its members and any supporting documentation.

5.16  If the Information Commissioner considers varying or revoking an EDR scheme’s recognition to be appropriate he or she will provide a written notice with reasons outlining why the decision was made. The notice will set out the changes to the EDR scheme’s recognition and date the change takes effect. The EDR scheme will be required to inform its members in writing of the variation or revocation of its recognition.

5.17  The notice and reasons will be publicly available and will be made available on the OAIC’s website and the EDR scheme’s details on the OAIC’s register of recognised EDR schemes will be updated.

Transitional arrangements

5.18  If the Information Commissioner varies or revokes an EDR scheme’s recognition, the EDR scheme may be required to take steps to ensure existing privacy-related complaints it is processing are dealt with appropriately. For example, that individuals with complaints being handled by the EDR scheme are notified of the revocation or variation to the EDR scheme’s recognition and are notified of their right to lodge their complaint with the Commissioner or, if relevant, another EDR scheme.

Appendix A: DIST Benchmarks

Accessibility: The EDR scheme makes itself readily available to customers by promoting knowledge of its existence, being easy to use and having no cost barriers.

Independence: The decision-making process and administration of the EDR scheme are independent from EDR scheme members.

Fairness: The EDR scheme produces decisions which are fair and seen to be fair by observing the principles of procedural fairness, by making decisions on the information before it and by having specific criteria upon which its decisions are based.

Accountability: The EDR scheme publicly accounts for its operations by publishing its decisions and information about complaints and highlighting any systemic industry problems.

Efficiency: The EDR scheme operates efficiently by keeping track of complaints, ensuring complaints are dealt with by appropriate process or forum and regularly reviewing its performance.

Effectiveness: The EDR scheme is effective by having appropriate and comprehensive terms of reference and periodic independent review of its performance.

Excerpt from the Benchmarks for Industry-Based Customer Dispute Resolution Schemes, published by the then Department of Industry, Science and Tourism in 1997.
