Privacy Commissioner releases drafts on Privacy Complaint handling process, determinations and injunctions

May 7, 2015

The Privacy Commissioner has released the last tranche of draft guides:

  • Chapter 2 – Privacy Complaint handling process,
  • Chapter 5 – Determinations,
  • Chapter 6 – Injunctions.

The draft chapters are open for consultation until Friday 5 June 2015. That is quite a short response time, unfortunately.

The release provides:

The Office of the Australian Information Commissioner (OAIC) is seeking public comment on an exposure draft of the remaining three chapters of the Guide to privacy regulatory action (the Guide). Exposure drafts of the other six chapters of the Guide were released for public comment in November 2014 and are in the process of being finalised.

The OAIC has consulted and finalised a Privacy regulatory action policy. The Policy explains the range of powers the Commissioner has and the way in which those powers are used. In addition, the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 explain the OAIC’s approach to regulatory action in relation to the personally controlled electronic health records system.

The Guide supports both the Privacy regulatory action policy and the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013. The Guide provides stakeholders with a more detailed explanation of how the OAIC will exercise its regulatory powers. The Guide will also provide practical guidance for OAIC staff involved in the exercise of those powers.

Exposure draft — Part 2

The chapters of the Guide were drafted in stages, and released for public exposure in two parts. This is the second part. The final guide will consist of nine Chapters.

Three draft chapters of the guide that have been released for public exposure in May 2015:

Question for comment

The OAIC is seeking comment from interested stakeholders on whether each chapter clearly outlines the Office’s approach to exercising that particular regulatory power.

Chapter 2 — Privacy complaint handling process provides, absent footnotes:

Legislative framework

  1. Section 36(1) of the Privacy Act 1988 (the Act) provides for an individual (the complainant) to complain to the Commissioner about an interference with their privacy by certain Australian Government agencies or private sector organisations (the respondent).
  2. A complaint about an act or practice can be made by an individual on their own behalf, or on behalf of themselves and other individuals affected by that act or practice with those individuals’ consent.
  3. The Act also provides for representative complaints to be made on behalf of a class of people where all the class members are affected by an interference with privacy (s 38(1)).
  4. Section 13 of the Act sets out the acts and practices that may be an interference with the privacy of an individual. These include:
    • a breach of an Australian Privacy Principle (APP) or a registered APP privacy code
    • a breach of rules under s 17 in relation to tax file number information
    • a breach of a provision of Part IIIA or the registered CR code, and
    • a breach of provisions of the Personally Controlled Electronic Health Records Act 2010 (Cth) (PCEHR Act).
  5. Other legislation can also provide that an act or practice is an interference with privacy and therefore can be investigated by the Commissioner, for example, s 29 of the Healthcare Identifiers Act 2010 (Cth).
  6. Part V of the Act outlines the processes by which privacy complaints can be handled. This may include one or more of the following steps – conducting preliminary enquiries, opening an investigation, attempting to conciliate a complaint, and making a determination.
  7. The Commissioner has a wide range of powers relating to the privacy complaint handling process including to:
    • assist a person to formulate and make a complaint (s 36(4))
    • make preliminary inquiries of any person (s 42)
    • transfer matters to an alternative complaint body in certain circumstances (s 50)
    • attempt to conciliate the complaint (s 40A)
    • conduct an investigation into the complaint (s 40)
    • at any stage, not investigate, or cease to investigate or not investigate further, the complaint on various grounds (generally referred to as a ‘decline’) (ss 41, 49, 49A)
    • require a person to give information or documents, or to attend a compulsory conference (ss 44, 45, 46, 47)
    • enter premises to inspect documents (s 68)
    • accept an enforceable undertaking (s 33E)
    • make a determination about the complaint (s 52) – by the Commissioner
    • seek to enforce a determination in a court (s 55A)
  8. Not all of these powers will be used in resolving any particular complaint. These powers are explained further throughout this Chapter or elsewhere in this Guide.
  9. To facilitate the complaint handling process the Commissioner delegates complaint handling functions to Office staff, other than the s 52 power to determine a matter. Throughout the rest of this Chapter we have used ‘the Office’ unless the power or function can only be performed by the Commissioner.
  10. The Commissioner also has an agreement with the ACT Government to handle complaints under the Information Privacy Act 2014 (ACT) about breaches of the Territory Privacy Principles by ACT public sector agencies. The powers in relation to handling those complaints are outlined in the ACT legislation and, in some respects differ from the Privacy Act powers. For more information see our ACT privacy webpage.

General approach to handling privacy complaints

  1. The Office provides a free, informal and accessible complaint process. Parties do not require legal representation to participate in the complaint handling process or the determination process. The privacy jurisdiction is not a costs jurisdiction so parties bear their own costs if they do use legal representation.
  2. Where appropriate, the Office endeavours to resolve complaints through conciliation. Generally where a complaint is not declined for some reason, or it cannot be resolved through conciliation, the complaint may be determined by the Commissioner under s 52.
  3. The Office has an impartial role so does not advocate for any party in handling a privacy complaint.
  4. In carrying out the Office’s functions to investigate and, if appropriate, to attempt to resolve privacy complaints through conciliation, the Office will:
    • use a process that is accessible, flexible and timely, and done in accordance with the principles of natural justice and procedural fairness
    • focus on providing an opportunity for the parties to resolve complaints through conciliation.

How the Office handles privacy complaints

  1. Complaints must be in writing and must identify the person making the complaint, the respondent and the alleged act or practice that is an interference with privacy. The Office cannot accept anonymous complaints.
  2. Complaints are assessed on receipt. If the complaint does not reach the threshold required because it does not identify an interference with privacy the Office will contact the complainant and advise them why their matter cannot be dealt with as a complaint. Where appropriate the Office may refer the complainant to another agency or organisation that may be able to assist them.
  3. Where a matter reaches the required threshold to be a complaint under s 36 the Office will consider how best to deal with it. The Office can, at any stage of the process, attempt to conciliate the complaint or decline to investigate the complaint based on the information available to the Office.
  4. Generally a complainant must have complained to the respondent and given them a chance to respond to the complaint before the Office can investigate (s 40(1A)). However, the Office may decide to investigate the complaint if it is considered that it was not appropriate for the complainant to first complain to the respondent, for example:
    • where there is a significant power differential between the complainant and respondent and the complainant may be disadvantaged in a direct approach to the respondent to resolve the issues in the complaint
    • where there is a history of similar issues associated with the respondent
    • where the complaint identifies a systemic issue.
  5. Section 40(1B) of the Act also provides for additional circumstances in which the Office can investigate a complaint without requiring a complainant to first complain to the respondent. This relates to complaints about access to and correction of credit reporting information.
  6. Where a complaint raises an issue that could be an interference with privacy the Office may conduct preliminary inquiries to obtain relevant information of any person to assist with the handling of the complaint. These inquiries may be made, for example, to clarify the allegations in the complaint or to confirm that the Office has jurisdiction.
  7. Where the Office is unlikely to open an investigation for a reason provided for by s 41 of the Act the Office will contact the complainant and advise them of our view. The Office will generally write to the complainant outlining our reasons for that view and ask if they have any further relevant information that they wish to provide. In these cases the Office does not generally advise the respondent of the complaint if it looks like the matter can be dealt with on the available information.
  8. The Act obliges the Office to make a reasonable attempt to conciliate the complaint where the Office is of the view it is reasonably possible that a complaint could be successfully conciliated (s 40A). Conciliation can be attempted at any stage of the complaint handling process.
  9. When the Office has opened an investigation into the complaint, under s 40, the Office can compel the production of relevant documents and information or require witnesses to attend and answer questions (s 44), if that will assist the investigation. Where a complaint is not declined or finalised on some other basis, and cannot be resolved through conciliation, and an investigation has been opened, the Commissioner may determine the complaint under s 52 of the Act.
  10. A complainant can withdraw a complaint at any time without penalty.

Representative complaints

  1. The Privacy Act allows for representative or class complaints to be made where an interference with privacy affects a large group of people. Particular conditions apply to a class complaint and these are outlined in ss 38 to 39 of the Act. A representative complaint does not need to identify the class members by name or how many class members there are.
  2. Conditions for making a representative complaint include
    • that the class members have a complaint against the same respondent
    • the complaints all arise out of the same or similar circumstances, and
    • the complaints give rise to a substantial common issue of law or fact.
  3. A representative complaint must address each of these conditions in the complaint and also identify the remedy or relief sought. A representative complaint may be lodged by a complainant who is a class member or a person or organisation who is not a class member.
  4. The Office may not accept or continue with a representative complaint where the Office is not satisfied the complainant can adequately represent the interests of the class members. A person who is part of a class where a representative complaint has been lodged cannot bring an individual complaint unless they withdraw from the representative complaint.

Confidentiality

  1. The Office is bound by confidentiality in handling complaints, and by the APPs when handling complaint related personal information. As such, the Office does not disclose the particulars of a complaint during the complaint handling process to persons other than the parties to a complaint or third parties with information relevant to the inquiry that can assist the inquiry. This is to ensure that parties will participate fully and frankly in the complaint process.
  2. The parties to a complaint, however, are not bound by any form of confidentiality during the complaint process as the Privacy Act does not impose an obligation of confidentiality on the parties to a complaint. However, APP obligations do apply to APP entities and information they obtain during the course of a complaint. If the parties have settled the matter with an agreement that includes a confidentiality clause they may be bound by that agreement.
  3. In addition, conciliation, where that is occurring, works best in an atmosphere where parties can raise issues in a frank way without fear of the information being disseminated further and the Office encourages parties not to disseminate information while involved in the conciliation process.

Investigating privacy complaints

  1. Where possible the Office tries to handle privacy complaints informally and flexibly. In some cases, before commencing an investigation under s 40 of the Privacy Act, the Office may conduct preliminary inquiries and obtain information that will assist the Office to explain an issue to a complainant that may resolve an issue or lead the complainant to withdraw the complaint on the basis they are satisfied with the explanation that has been provided.
  2. Where the Office has established jurisdiction to investigate it will generally notify a respondent of the complaint under the investigation power (s 40). The respondent will be provided with a copy of the complaint, asked to respond to the specific issues in the complaint and to tell the Office whether they are willing to try to resolve the complaint through conciliation.
  3. In many cases a complaint can be quickly resolved prior to a detailed written response being provided. This occurs in circumstances where a respondent is willing to try to resolve the complaint on the terms the complainant has identified, or is willing to negotiate terms of resolution with the complainant.
  4. For procedural fairness and transparency, generally any substantive information provided by a party to a complaint will be provided to the other party to facilitate the handling of the complaint. This includes the complaint, the respondent’s response, offers of resolution and other relevant information.
  5. Generally the Office does not accept confidential submissions. If information that is commercially sensitive or is sensitive for some other reason has to be provided to assist the Office with its investigation the Office will usually ask that the information be provided in a form that can be provided to the other party.
  6. At each stage of the complaint process the officer handling the matter will assess the available information and keep the parties advised of the Office’s views on the matter. Where an investigation has been commenced the Office may decline to continue to investigate a matter, or attempt to conciliate a matter, at any stage during the investigation where that appears to be the appropriate course of action.
  7. Where the Office’s investigation indicates that it is likely that an interference with privacy has occurred and conciliation is not considered appropriate or conciliation has been attempted without resolution, then the Office will consider whether to take enforcement action and, if so, what enforcement action to take. The Office will review the matter against either the Privacy regulatory action policy (including the factors set out in paragraph 38) or the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013 as applicable to assess the appropriate enforcement response.
  8. Generally the appropriate enforcement response for a complaint, where an investigation has been opened, conciliation has not resolved the matter and the complaint has not been declined, will be a determination under s 52. However other enforcement action may also be considered appropriate, in addition to a determination, for example seeking a civil penalty for a serious or repeated interference with privacy.
  9. Where the Office considers that there is a likelihood that it will decide to seek a civil penalty for a serious or repeated interference with privacy, the complaint investigation will be conducted with a view to ensuring that sufficient admissible evidence will be available to allow that case to be pursued in court if necessary. For more information see Chapter 7 on civil penalties.

Conciliating a complaint

  1. Where the Office considers it is reasonably possible a complaint may be conciliated successfully there must be a reasonable attempt to conciliate (s 40A(1)).
  2. The Office is not required to attempt to resolve the complaint through conciliation where the Office has decided not to investigate, or not to further investigate, a complaint.
  3. Factors the Office may take into account in assessing whether it is possible to successfully conciliate a complaint may include:
    • the approach taken by the parties to conciliation i.e. willingness to discuss conciliation, whether resolution proposals are generally appropriate and proportionate to the nature of the complaint and outcomes generally applicable to privacy complaints
    • previous resolution attempts and any outcomes achieved or actions taken by either party regarding the complaint
    • the responsiveness of the parties to the Office’s attempts to assist the parties to resolve a complaint, and
    • the length of time the Office and the parties have taken to try to resolve a complaint.
  4. The Office will generally ask the complainant to outline what they are seeking to resolve the complaint and ask the respondent to consider that proposal or propose an alternative basis for resolution.

Types of outcomes in conciliated matters

  1. Outcomes that may be achieved in privacy complaints may include:
    • change in practice, procedure or policy
    • access to information
    • staff training
    • review of privacy policies and procedures
    • statement of regret or a private or public apology
    • financial compensation.
  2. Parties will be advised of resources and information to help them develop or respond to a proposal for resolution, for example, determinations by the Commissioner, information about conciliated matters the Office has published in annual reports or on its website, similar jurisdictions, for example, New Zealand and New South Wales privacy jurisdictions and the Commonwealth discrimination jurisdiction.

How the Office tries to conciliate matters

  1. The Office generally tries to resolve complaints through conciliation by:
    • phone and email based shuttle negotiations – where the parties are separately communicated with
    • teleconferences involving all parties
    • face to face meetings with the parties (where practicable and appropriate).
  2. In each case the officer handling the matter will contact the parties to discuss the issues in the complaint and the outcome being sought. The officer will try to assist the parties to negotiate a satisfactory resolution to the complaint.
  3. Where a matter is resolved the parties may enter into a conciliation agreement or deed of release prepared by one of the parties to the complaint or the Office. In limited situations the Commissioner may accept an enforceable undertaking from the respondent as part of the resolution of a complaint (for more information see Chapter 4 Enforceable undertakings).
  4. Sometimes a party to a complaint may be legally represented. To ensure fairness in the process the Office will generally recommend to the parties that they get legal or other professional advice if they are entering into a legal deed or agreement.
  5. Where conciliation is successful the file will be finalised and closed based on the basis the matter has been resolved.
  6. Where a complaint is not able to be resolved through conciliation the Commissioner or delegate may finalise the matter under s 40A on the basis there is no reasonable likelihood that the matter will be resolved by conciliation.

Compulsory conciliation conference

  1. The Office can require a complainant or respondent or other relevant party to attend a conciliation conference (s 46). A person who has been directed to attend and fails to attend is guilty of an offence.
  2. Generally, the Office relies on voluntary participation in a conciliation process as resolution generally relies on the understanding that parties are participating in good faith to genuinely resolve the matter.
  3. In some cases where a matter is not able to be resolved through voluntary participation the Office may consider compelling a person to attend a conciliation conference where the Office is of the view the matter may be able to be resolved if the parties were to deal directly with each other over the complaint. Factors that may contribute to this view are where:
    • the proposals for resolution are appropriate to the interference with privacy raised by the complaint
    • a party indicates they are willing to resolve a complaint but are unwilling to commit to a resolution process or outcome
    • the parties have been involved in extended negotiations and it is likely the matter may resolve if the parties are required to deal with the remaining issues at hand.
  4. The Office may advise the parties of the intention to issue a notice compelling their attendance at a conciliation conference where the matter has been unable to be resolved through usual conciliation processes.
  5. The Office may take into account the parties’ circumstances in issuing a notice to compel attendance at a conciliation conference, for example, whether the parties are legally represented, geographic considerations, and constraints on time to ensure the parties are able to comply with the notice to attend.

Use of conciliation information

  1. Where a complaint cannot be resolved through conciliation and the Commissioner decides to determine the matter under s 52 of the Act the Commissioner cannot consider any information provided in the course of conciliation in hearings or legal proceedings related to the complaint, unless all the parties consent.
  2. Generally this will mean that the Commissioner will not consider anything said or done in conciliation in any determination hearing or determination decision. If a party seeks a review, by the AAT or Federal Court, of a decision in a determination the Commissioner cannot refer to information about the conciliation process in those proceedings.

Deciding not to investigate a complaint

  1. The Office may at any time during the complaint process exercise the discretion not to investigate a complaint or not to investigate a complaint further for a reason provided for in s 41 of the Act. This is commonly referred to as ‘declining a complaint’.
  2. The Office will consider all the information provided by the parties and any other relevant information in deciding whether to decline to investigate or further investigate a complaint. The Commissioner or delegate may decide not to investigate or investigate further for a range of reasons provided for by s 41 which include where he or she is satisfied that:
    • the act or practice is not an interference with privacy
    • the complaint was made more than 12 months after the complainant became aware of the act or practice
    • the complaint is frivolous, vexatious, misconceived, lacking in substance or not made in good faith
    • a recognised external dispute resolution scheme has dealt with, or would more effectively deal with, the act or practice, for example, the Telecommunications Industry Ombudsman, Financial Ombudsman Service, Credit & Investments Ombudsman or a state or territory based energy, water or transport related Ombudsman
    • the act or practice is subject to an application, or would be more appropriately dealt with, under another Commonwealth, state or territory law, for example, this might include discrimination law or other court proceedings, or
    • the respondent has dealt with, or is adequately dealing with the complaint, for example, where a deed of release about the same subject matter has previously been entered into.
  3. A decision to decline a complaint for one of the reasons in s 41 is a discretion exercised by the Commissioner or his delegate and consequently subject to review under the Administrative Decisions (Judicial Review) Act. Given this there is a requirement that a decision to decline a complaint is based on information that can be subject to rigorous review. As such, there are circumstances where the Office seeks information from a respondent to assist in that decision making process.
  4. Where the Office is intending to decline a complaint the Office will advise the complainant, in writing, of that view and the reasons for it and provide an opportunity for the complainant to provide any further information they think is relevant. The Office will consider any additional information before making a final decision on how to proceed with the complaint.

Referral of matters

  1. Section 50 of the Privacy Act allows the Office to not investigate, or not investigate further, a matter and to transfer it to an ‘alternative complaint body’ where the Office forms the opinion that:
    • a complaint (or application where applicable) relating to that matter has been, or could have been, made by the complainant to the alternative complaint body, and
    • the matter could be more conveniently or effectively dealt with by that alternative complaint body.
  2. The ‘alternative complaint bodies’ to which the Office can transfer matters include the Australian Human Rights Commission, the Commonwealth Ombudsman, and an external dispute resolution scheme recognised by the Commissioner under s 35A of the Privacy Act.

Purpose of the Office’s complaint referral powers

  1. Referral of a complaint to an alternative complaint body is likely to arise in very limited cases where the Office’s jurisdiction overlaps with that of an alternative complaint body, and the complaint (or application) may be made about the act or practice to either the Office or the other body and the referral will ensure that the complaint is dealt with in the most convenient and effective manner.
  2. The Office will generally only use the referral power where:
    • it considers that a complaint or application relating to the matter has been, or could have been made, to an alternative complaint body which provides a better or more effective remedy for the subject matter of the complaint
    • there is no relevant ground on which the Office should decline to investigate the complaint, and
    • the complainant does not accept the Office’s advice to withdraw their complaint and make a complaint or application to the alternative complaint body.
  3. Affording an individual the opportunity to first withdraw their complaint and make a complaint or application to the alternative complaint body themselves is intended to allow an individual to, as much as possible, retain responsibility and control over how their matter is dealt with.

Chapter 5 — Determinations provides:

Legislative framework

  1. After investigating a complaint, the Commissioner may make a determination which either dismisses the complaint or finds that the complaint is substantiated (s 52(1)).
  2. The complaint handling process under the Privacy Act is free and informal. Parties do not require legal representation to participate in the complaint handling process or the determination process. Parties generally bear their own costs in the complaint handling process.
  3. The Commissioner can also make a determination after conducting an investigation on his or her own initiative (s 52(1A)).

When will a determination be made?

Following an investigation of a complaint

  1. The Commissioner generally tries to resolve complaints through conciliation as provided for by the Privacy Act (s 40A). In some cases, where a matter is not able to be resolved through conciliation, and where the complaint is not able to be finalised on some other basis (for example, because the complaint is declined under s 41(1)), the Commissioner may make a determination under s 52.
  2. When deciding whether to make a determination in response to a complaint under s 36, the Commissioner will take into account a number of factors. Factors that would weigh in favour of a determination include that:
    • it appears there is a prima facie interference with privacy, the parties are unable to resolve the matter through conciliation, and the matter cannot otherwise be finalised
    • one or both of the parties has requested that the matter be finalised by way of a determination and the Commissioner considers that making a determination would be the appropriate resolution in the particular circumstances
    • the issues raised by the complaint are complex and/or systemic
    • the investigation process has not been able to resolve whether an interference with privacy has occurred, and it is likely that the determination process would resolve that question.
  3. The Office will also review the matter against either the Privacy regulatory action policy (including the factors set out in paragraph 38) or the PCEHR (Information Commissioner Enforcement Powers) Guidelines as applicable when considering whether to make a determination.

Following an investigation on the Commissioner’s own initiative

  1. Following an investigation on the Commissioner’s own initiative, the Commissioner may make a determination under s 40(1A).
  2. A determination is one of a number of possible outcomes of a Commissioner initiated investigation where a breach appears likely to have occurred. Rather than finalising an investigation by determination, the Commissioner might, for example, accept an enforceable undertaking offered by the respondent. The possible outcomes are discussed in Chapter 3 – Commissioner Initiated Investigations.
  3. When deciding whether to make a determination, the Commissioner will take into account a number of factors. Factors that would weigh in favour of a determination include that:
    • it appears there is a prima facie interference with privacy
    • the respondent has not cooperated with the Commissioner’s enquiries or investigation, and the Commissioner believes that it is necessary to make formally binding declarations that the respondent must take certain steps to address the interference with privacy
    • there is a disagreement between the Commissioner and the respondent about whether an interference with privacy has occurred, and the determination would allow that question to be resolved, and
    • there is a public interest in the Commissioner making a declaration setting out his or her reasons for finding that an interference with privacy has occurred, and the appropriate response by the respondent.
  4. The Office will also review the matter against either the Privacy regulatory action policy (including the factors set out in paragraph 38) or the PCEHR (Information Commissioner Enforcement Powers) Guidelines as applicable when considering whether to make a determination.

Procedural steps in making a determination

  1. In making a determination, the Commissioner may conduct further investigation, and consider additional submissions and information provided by the parties.
  2. The procedural steps below relate to a determination following investigation of a complaint, but will generally apply in the case of a determination following a Commissioner initiated investigation. However, some of the processes may not be relevant in a Commissioner initiated investigation, given that there is no ‘complainant’ or conciliation process.
  3. Where a matter is to proceed to determination the Office will generally take the following steps:
    • The Office will notify the parties in writing about its decision to make a determination and the basis for that decision. The notice will state if submissions are required, and if so, how to make such submissions and the timeframe for making submissions. In limited cases oral submissions may be sought. The Commissioner may also seek specific information about the remedies sought by the complainant.
    • The Commissioner cannot consider any action done or information provided during the course of conciliation unless the complainant and respondent both agree (s 40A).
    • If the Commissioner requires further relevant information, and it is not voluntarily forthcoming on request, the Commissioner may, under s 44 of the Privacy Act, require the production of that information from the complainant, the respondent or a third party. The Commissioner may also, under s 45, require a witness to attend and answer questions.
    • The Commissioner will adhere to the principles of natural justice and procedural fairness in determining a matter. Those principles include the parties having the opportunity to examine and comment on the information the Commissioner relies on in making the determination. On this basis, the Office will provide each party with the submissions and information received from the other party.
    • Submissions will generally not be accepted on a confidential basis. This is because any determination made by the Commissioner would not be able to explicitly refer to the contents of such a submission and, in addition, a determination based on material in the submission would generally not satisfy the ‘procedural fairness’ principle unless the other party has been given a chance to respond to it.
    • In exceptional circumstances where confidential or commercially sensitive information is essential to the determination process, the Commissioner will accept that information on a confidential basis and provide access to a summary of that material to ensure the other party is not disadvantaged.
    • Parties may request that the Commissioner hold a hearing before making a determination under s 43A of the Act. However, whether a hearing is held is at the discretion of the Commissioner (s 43A(2)(c)). Where a party has requested a hearing, the Commissioner will give all interested parties a reasonable opportunity to make a submission about the request (s 43A(2)(b)).
    • Where the Commissioner has allowed an oral submission to be made or a hearing to be held, both parties will generally be invited to participate. The format of a hearing generally consists of the parties providing their oral submissions and responding to questions that the Commissioner may have. The format will also depend on a range of matters including whether the hearing is held by phone, by video conference or at the Office’s, or another, premises.
    • The Commissioner may seek external expert opinion, independent of the parties, in relation to a determination where the subject matter raises issues that would benefit from specific technical or other expertise. In those cases, the parties will be advised of the name and qualifications of the external expert and their role in the proceedings.
    • In making the determination, the Commissioner will determine whether, on the balance of probabilities, an interference with privacy occurred, having regard to all information available to the Commissioner.

Content of determinations

  1. A determination will generally contain the following information:
    • the relevant parties, including, where relevant, the class members who are to be affected by the determination in relation to a representative complaint (s 53)
    • the background to and summary of the complaint or Commissioner initiated investigation, which may include a chronology of events
    • the Office’s investigation process
    • the legislative framework
    • a summary of the parties’ submissions
    • any findings of fact (s 52(2))
    • for determinations following an investigation of a complaint, whether the complaint is substantiated (s 52(1)(b)) or is dismissed (s 52(1)(a))
    • any relevant declarations or orders which may include:
      • a declaration that the respondent has engaged in conduct that interfered with the privacy of an individual and that the respondent should not repeat or continue the conduct (s 52(1)(b)(i); s 52(1A)(a))
      • a declaration that the respondent must take specified steps within a specified period to ensure that such conduct is not repeated or continued (s 52(1)(b)(ia); s 52(1A)(b))
      • a declaration that the respondent must perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant (s 52(1)(b)(ii)), or in the case of a Commissioner-initiated investigation, any loss or damage suffered by one or more of the individuals whose privacy has been interfered with (s 52(1A)(c))
      • a declaration that the complainant (or in the case of a Commissioner-initiated investigation, one or more of the individuals whose privacy has been interfered with) is entitled to compensation (s 52(1)(b)(iii); s 52(1A)(d))
      • a declaration that it would be inappropriate for any further action to be taken in the matter (s 52(1)(b)(iv); s 52(1A)(e))
      • for determination following a complaint, a declaration that the complainant is entitled to a specified amount to reimburse the complainant for expenses reasonably incurred by the complainant in connection with the making of the complaint and the investigation of the complaint (s 52(3))
      • in relation to representative complaints, the Commissioner may specify amounts or a way to work out amounts for payment to the complainants concerned (s 52(4)) and may make directions in relation to the manner in which a class member is to establish his or her entitlement to the payment of an amount under the determination; and the manner for determining any dispute regarding the entitlement of a class member to the payment (s 52(5)).
    • the relevant review and enforcement mechanisms (discussed below).

Compensation

Following an investigation of a complaint

  1. Where the Commissioner makes a declaration that a complainant is entitled to an amount of compensation, the Commissioner is guided by the following principles on awarding compensation, drawn from a Federal Court decision:
    • where a complaint is substantiated and loss or damage is suffered, the legislation contemplates some form of redress in the ordinary course
    • awards should be restrained but not minimal
    • in measuring compensation the principles of damages applied in tort law will assist, although the ultimate guide is the words of the statute
    • in an appropriate case, aggravated damages may be awarded
    • compensation should be assessed having regard to the complainant’s reaction and not to the perceived reaction of the majority of the community or of a reasonable person in similar circumstances.
  2. In addition, the Commissioner is also guided by the principle that once loss is proved, there would need to be good reason as to why compensation for that loss should not be awarded. Loss or damage in this context can include hurt feelings and/or humiliation suffered by the complainant. The Commissioner is also able to award an amount to reimburse the complainant for expenses reasonably incurred in connection with the making of the complaint and the investigation of the complaint.
  3. In deciding whether to award compensation and in assessing the appropriate amount of compensation, the Commissioner will consider the information submitted by the parties as well as previous privacy determinations.
  4. The Commissioner can also award aggravated damages in addition to general damages where he or she is of the view it is warranted. The principles for awarding aggravated damages, drawn from Federal Court decisions, include:
    • aggravated damages may be awarded where the respondent behaved ‘high-handedly, maliciously, insultingly or oppressively in committing the act’ complained about
    • the ‘manner in which a defendant conducts his or her case may exacerbate the hurt and injury suffered by the plaintiff so as to warrant the award of additional compensation in the form of aggravated damages’.

Following an investigation on the Commissioner’s own initiative

  1. The Commissioner also has power to award compensation following a determination made after an investigation conducted on the Commissioner’s own initiative.
  2. However, a Commissioner initiated investigation is less likely to determine the quantum of loss or damage suffered by individuals affected by an interference with privacy. Rather than awarding compensation by determination, the OAIC would typically inform affected individuals to make a complaint about the act or practice if the individual believes they have suffered compensable loss or damage.

Publication of determinations

  1. Once made, and sent to the parties, determinations will be published on the Office’s website and on the AustLII website.
  2. The Commissioner will generally publish the name of the respondent. However, the Commissioner will generally not publish the names of complainants, respondent individuals or any third party individuals.

Review rights

  1. A party may apply under s 96 of the Privacy Act to have a decision under subsection 52(1) or (1A) to make a determination reviewed by the AAT. The AAT provides independent merits review of administrative decisions and has power to set aside, vary, or affirm a privacy determination. An application to the AAT must be made within 28 days after the day on which the person is given the privacy determination (s 29(2) of the Administrative Appeals Tribunal Act 1975). An application fee may be payable when lodging an application for review to the AAT.
  2. A party may also apply under s 5 of the Administrative Decisions (Judicial Review) Act 1977 to have the determination reviewed by the Federal Circuit Court or the Federal Court of Australia. The Court may refer the matter back to the Commissioner for further consideration if it finds the decision was wrong in law or the Commissioner’s powers were not exercised properly. An application to the Court must be lodged within 28 days of the date of the determination. An application fee may be payable when lodging an application to the Court.

Enforcement of determinations

  1. Under s 55 of the Privacy Act, where a determination applies to a respondent that is not a government agency, the respondent must comply with any declarations made in the determination within the period specified in the determination.
  2. Under s 58 of the Privacy Act, where a determination applies to a government agency it is obliged to comply with any declarations made by the Commissioner in that determination.
  3. Either the complainant or Commissioner may commence proceedings in the Federal Court or the Federal Circuit Court for an order to enforce a determination. However, different rules apply depending on who the respondent is. For example, if the respondent is not a government agency the Court will re-examine whether there has been an interference with privacy.

Chapter 6 — Injunctions provides:

Legislative framework

  1. An injunction is a court order directing a person to do a specific thing or, more commonly, to not do a specific thing.
  2. Both the Privacy Act 1988 (Privacy Act) and the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act) empower the Commissioner to apply to a federal court for an injunction against a person. This chapter relates to an injunction application made by the Commissioner.

Injunctions under the Privacy Act

  1. Section 98 of the Privacy Act empowers the Commissioner (or any other person) to apply to the Federal Court or Federal Circuit Court for an injunction.
  2. Where a person has engaged, is engaging, or is proposing to engage, in any conduct that constituted or would constitute a contravention of the Privacy Act, the Court may grant an injunction:
    • restraining a person from engaging in the conduct; and
    • if in the Court’s opinion it is desirable to do so, requiring the person to do an act or thing (s 98(1)).
  3. The Court may also grant an injunction requiring a person to do an act or thing where the person has refused or failed, is refusing or failing, or is proposing to refuse or fail, to do that act or thing where that refusal or failure was, is, or would be a contravention of the Privacy Act (s 98(2)).
  4. Where an application is made to a court for an injunction under s 98, the Court may, if in the Court’s opinion it is desirable to do so, grant an interim injunction restraining a person from engaging in conduct pending the determination of the application (s 98(3)).
  5. ‘Person’ in s 98 includes natural persons, bodies politic, corporations, companies and bodies corporate.[1]

Injunctions under the PCEHR Act

  1. Section 96 of the PCEHR Act empowers the Commissioner (or the PCEHR System Operator[2]) to apply to a court for an injunction.
  2. If a person has engaged, is engaging or is proposing to engage in any conduct that constituted, constitutes or would constitute a contravention of the PCEHR Act, a Court may grant an injunction:
    • restraining the person from engaging in the conduct; and
    • if in the Court’s opinion it is desirable to do so, requiring the person to do any act or thing (s 96(1)).
  3. The Court may also grant an injunction requiring a person to do an act or thing if the person has refused or failed, is refusing or failing, or is proposing to refuse or fail, to do that act or thing and that refusal or failure was, is, or would be a contravention of the PCEHR Act (s 96(2)).
  4. Under the PCEHR Act, a ‘Court’ means the Federal Court of Australia, the Federal Circuit Court, or a court of a State or Territory that has jurisdiction in relation to matters arising under the PCEHR Act (s 5).
  5. If an application is made to a Court for an injunction under this section, the Court may, if in the Court’s opinion it is desirable to do so, grant an interim injunction before considering the application, pending the determination of the application (s 96(3)).
  6. ‘Person’ in s 96 includes natural persons, bodies politic, corporations, companies and bodies corporate.[3]

Which Act to use?

  1. Conduct that interferes, or would interfere, with an individual’s privacy but does not relate to a contravention of the PCEHR Act is governed by the Privacy Act, and the Commissioner may apply to a court for an injunction under that Act.
  2. Conduct that contravenes certain provisions of the PCEHR Act is a breach of the PCEHR Act and is also deemed by s 73 of that Act to be an interference with an individual’s privacy for the purposes of the Privacy Act. Depending on the circumstances, the Commissioner may apply to a court in relation to conduct that contravenes or would contravene certain provisions of the PCEHR Act, for an injunction under the PCEHR Act or the Privacy Act.
  3. Section 96 of the PCEHR Act also empowers the PCEHR System Operator to make an application for an injunction. The Office may consult with the System Operator when investigating a complaint and considering whether to apply for an injunction, in line with the Agreement for information sharing and complaint referral relating to the personally controlled electronic health (eHealth) record system[4] between the Office and the System Operator.

Purpose and key features of an injunction

  1. Injunctions are an important enforcement tool for compelling a person to modify their behaviour in order to prevent them from contravening, or from continuing to contravene, the Privacy Act or the PCEHR Act.
  2. Generally, an injunction may be appropriate in circumstances where the conduct:
    • is serious or has had, or is likely to have, serious or extensive adverse consequences
    • is systemic or poses ongoing compliance or enforcement issues
    • is deliberate or reckless or where the entity involved is not being cooperative, or
    • raises significant concerns of public interest.
  3. The Commissioner may seek an injunction on its own or in conjunction with civil penalty proceedings, or other enforcement action.

Interim injunctions

  1. The Office may seek and obtain a temporary injunction (known as an ‘interim injunction’) on an urgent basis pending the Court’s determination of an application for a permanent injunction under s 98 of the Privacy Act or s 96 of the PCEHR Act. The purpose of an interim injunction is to prevent further harm or maintain the status quo. The interim injunction will be effective from the time the interim injunction is granted to the time that the Court’s final decision is made.
  2. The Office may seek an interim injunction on an ‘ex parte’ basis, meaning that the Court may consider whether to make the order without the respondent participating in the hearing. Ex parte interim injunctions will generally be sought by the Office at the start of court proceedings and in urgent circumstances, where an injunction is required as soon as possible and it is not practicable for the Office to first contact the respondent. This type of injunction will usually only be effective for a short period of time – typically no more than one week. After this period, the Office will be required to participate in a further court hearing with the respondent present.
  3. Under the Privacy Act, the Court can grant an interim injunction restraining a person from engaging in conduct only (s 98(3)). However, under the PCEHR Act, the Court has a general power to grant interim injunctions (s 96(3)) – meaning that an interim injunction compelling a person to do a particular act or thing may also be possible depending upon the circumstances.
  4. To obtain an interim injunction under s 98(3) of the Privacy Act or s 96(3) of the PCEHR Act, the Commissioner must establish that:
    • there is a serious question to be tried in relation to the facts asserted in support of the injunction application
    • the balance of convenience favours the granting of an injunction, in that the harm or inconvenience that would be caused by the refusal of an injunction outweighs the harm or inconvenience that the respondent would suffer if the injunction were granted, and
    • it is desirable in all the circumstances to grant the interim injunction.
  5. Factors relevant to the balance of convenience include:
    • the strength of the Commissioner’s case
    • the purpose that would be served by the interim injunction (for example, is it designed to prevent the respondent from taking an action that would render the granting of a final injunction futile)
    • the effect of the injunction on the respondent and any third parties
    • the availability of alternative remedies
    • any delay in making the application, and
    • any undertakings offered by the respondent to cease (or not to commence) the relevant conduct.[5]
  6. Where the Commissioner is applying for an ex parte interim injunction, the Commissioner will also be subject to a special ethical obligation usually described as the ‘duty of utmost disclosure’. This means that the Commissioner must disclose all factors relevant to a consideration of whether to grant an interim injunction – especially those factors which go against the granting of an injunction.
  7. This duty is treated most seriously by the court, and a failure to comply will normally result in a discharge of the injunction, with costs ordered against the applicant. A failure by the Commissioner to disclose relevant factors would also be a breach of the Commonwealth’s obligation to act as a model litigant under the Legal Services Directions.

Permanent injunctions

  1. For a permanent injunction, the Commissioner is required to establish on the balance of probabilities that the facts asserted to support the injunction are made out.
  2. The power to grant an injunction is a discretionary power and the Court will also consider whether it is desirable in all the circumstances to exercise that power having regard to the scope and purpose of the relevant Act.

Injunctions restraining a person from engaging in conduct

  1. To grant an injunction restraining a person from engaging in conduct, the Court must be satisfied that:
    • a person has engaged in conduct in contravention of either the Privacy Act or the PCEHR Act, or
    • if an injunction is not granted, it is likely that the person will engage in conduct of that kind in contravention of either the Privacy Act or the PCEHR Act.
  2. If the Court is satisfied that the person has engaged in conduct in breach of the Privacy Act or the PCEHR Act, the Commissioner is not required to establish that the person intends to engage again, or to continue to engage, in conduct of that kind (s 98(5)(a) of the Privacy Act and s 96(5)(a) of the PCEHR Act).
  3. If the Court is satisfied that a person is likely to engage in conduct in contravention of either Act if an injunction is not granted, the Commissioner is not required to establish:
    • that the person has previously engaged in conduct of that kind, and
    • that there is an imminent danger of substantial damage to any person if the first mentioned person were to engage in conduct of that kind.

    (s 98(5)(b) of the Privacy Act and s 96(5)(b) of the PCEHR Act).

  4. Where the Court grants an injunction restraining a person from engaging in conduct that is, or would be, a contravention of the Privacy Act or the PCEHR Act, the Court may also make an order requiring the person to do any act or thing, if it is in the Court’s opinion desirable to do so (s 98(1)(b) of the Privacy Act and s 96(1)(b) of the PCEHR Act).
  5. For example, a court may grant a permanent injunction restraining a person from collecting certain information about consumers and requiring them to put in place specified risk management practices to prevent similar breaches from occurring again.

Injunctions requiring a person to do a particular act or thing

  1. To grant an injunction requiring a person to do a particular act or thing, the Court must be satisfied that:
    • a person has refused or failed to do an act or thing in contravention of either the Privacy Act or the PCEHR Act; or
    • if an injunction is not granted, it is likely that the person will refuse or fail to do an act or thing in contravention of either the Privacy Act or the PCEHR Act.
  2. If the Court is satisfied that a person has refused or failed to do a particular act or thing, the Commissioner is not required to establish that the person intends to refuse or fail again, or to continue to refuse or fail, to do that act or thing (s 98(6)(a) of the Privacy Act and s 96(6)(a) of the PCEHR Act).
  3. If the Court is satisfied that a person is likely to refuse or fail to do a particular act or thing, the Commissioner is not required to establish:
    • that the person has previously refused or failed to do that act or thing, and
    • that there is an imminent danger of substantial damage to any person if the first mentioned person were to refuse or fail to do that act or thing

    (s 98(6)(b) of the Privacy Act and s 96(6)(b) of the PCEHR Act).

  4. For example, a court may grant a mandatory injunction requiring a person to correct personal information it holds about individuals.

The content of injunctions

  1. The form of any injunction sought must be certain and capable of enforcement. It must be clear and unambiguous to the affected person, and to the Court, what it is that they are required to do or not do.
  2. The Court will not grant an injunction that simply requires a person to ‘comply with the Act’. An injunction must set out the specific acts that the person is required to do or not do.
  3. An injunction should not prohibit conduct falling outside the boundaries of s 98 of the Privacy Act or s 96 of the PCEHR Act. That is, an injunction cannot operate on conduct that is not related to ensuring compliance with the Privacy Act or PCEHR Act.

Procedural steps in seeking an injunction

  1. When seeking an injunction, the Office will generally use the following process:
    • Where the Office becomes aware that an entity might have engaged, be engaging, or proposes to engage in conduct that would contravene the Privacy Act or PCEHR Act, the Office will make preliminary inquiries about the matter.
    • The Office will review the matter against either the Privacy regulatory action policy (including the factors set out in paragraph 38) or the PCEHR (Information Commissioner Enforcement Powers) Guidelines, as applicable, as well as the additional factors outlined above to assess whether seeking an injunction is an appropriate regulatory response, either by itself or in conjunction with other remedies.
    • Where an injunction is identified as an appropriate regulatory response in the circumstances, the Office will assess the matter to determine whether or not sufficient admissible evidence and arguments exist to satisfy the Court of the matters it must consider in determining whether to grant an injunction. The amount and type of evidence required to support an application for an injunction will depend on the type of injunction being sought (see above). External legal counsel may be briefed at this time.
    • Where the available evidence and arguments are considered sufficient, the Commissioner will consider and decide whether to commence proceedings. To make this decision, the Commissioner will refer to either the Privacy regulatory action policy (including the factors set out in paragraph 38) or the PCEHR (Information Commissioner Enforcement Powers) Guidelines as applicable. Where proceedings are to be commenced, external legal counsel will usually be engaged to run the matter.
    • The appropriate court documents to initiate proceedings will be prepared and lodged with the court, and served on the respondent entity.
      • Generally, only persons who are parties to the legal proceedings in which an injunction is granted will be bound by the injunction. As such, it is important to ensure that all persons the Commissioner seeks to bind by an injunction are joined as respondents in the proceedings.
      • This application would generally need to be accompanied by a supporting affidavit of the Commissioner, setting out:
        • the conduct, refusals or failures the Commissioner considers is, or would be, a breach of the Privacy Act or the PCEHR Act
        • the evidence on which the Commissioner bases this view, and
        • the specific orders that the Commissioner is seeking from the court.
      • In very urgent circumstances, including where a matter is heard on an ex parte basis (such as where the need for an injunction becomes apparent a matter of hours before the relevant conduct is likely to occur), the Commissioner may be able to provide the above information orally at hearing.
    • Following receipt of the Commissioner’s application, the Court will set down a time to hear the application for an injunction.
    • The Office will pursue the application in accordance with its model litigant obligations, any relevant court rules and procedures, and any directions or orders issued by the court.
    • Following judgment in the matter, the Office will generally publicly communicate the outcome of the proceedings.
    • If the Office is dissatisfied with the court’s decision (for example, if the court refused to grant an injunction), the Office may consider the possible grounds for appeal and whether or not to institute appeal proceedings. In making this decision, the Office will act in accordance with its model litigant obligations.
    • If the respondent appeals the decision, the Office will participate in the appeal proceedings and will act in accordance with its model litigant obligations.

After an injunction has been granted

  1. The Court may discharge or vary an injunction granted under s 98 of the Privacy Act or s 96 of the PCEHR Act (s 98(4) and s 96(4)).
  2. If a person who is the subject of an injunction breaches the injunction, they may be held in contempt of court, which is punishable by fines and/or imprisonment.
  3. Where the Office believes that a respondent has breached the terms of an injunction, the Office will generally first bring the issue of suspected or actual non-compliance to the attention of the respondent and seek a response. This notification and response may be sufficient to resolve the breach.
  4. If the breach remains unresolved, the Office may then consider whether it would be appropriate to bring proceedings for contempt of court. This process requires the Office to make a formal application to the court, supported by evidence and submissions. The burden of proof for contempt proceedings is the criminal standard: the breach must be proven beyond reasonable doubt. Legal advice should be sought before any decision is made to bring contempt proceedings.

Publication

  1. Generally, the Office will publicly communicate the following information in connection with an injunction application:
    • the fact that proceedings seeking an injunction against a particular respondent have been initiated[6]
    • the outcome of the injunction proceedings
    • where an injunction is granted, the orders made by the court (other than any order that is inappropriate to publish because of statutory secrecy provisions or for reasons of privacy, confidentiality, commercial sensitivity, security or privilege)
    • the lodgement of appeal proceedings by either the Office or the respondent, and
    • the outcome of any appeal proceedings.
  2. Where an interim injunction has been granted, the Office will take care in its communications to avoid any suggestion that a finding has been made that a person has breached the Act. By their nature interim injunctions are granted without the Court having yet made a decision about whether there has been a breach of the Act.
  3. Where a court grants an injunction, the Office will, on its website <www.oaic.gov.au>, either publish, or provide a link to, the orders made by the court. Where it is inappropriate to publish the orders because of statutory secrecy provisions or for reasons of privacy, confidentiality, commercial sensitivity, security or privilege, the Office may publish a redacted version of the orders, or a summary of the orders.
  4. In addition, the Office may publicly communicate the fact that the respondent has breached the injunction, and any fine or other punishment given to the respondent in connection with that breach.
