Privacy complaints and breaches policy and procedure
1. Policy statement
The Office of the Queensland Ombudsman (the Office) is committed to the responsible handling of personal information that it collects, holds, uses and discloses in the discharge of its functions under the Ombudsman Act 2001, and to ensuring that it complies with the requirements of the Information Privacy Act 2009 (IP Act) when dealing with personal information.
As the Information Commissioner notes:
Privacy breaches can occur because of a technical problem, human error, inadequate policies and training, a misunderstanding of the law, or a deliberate act. Some of the more common privacy breaches happen when personal information is lost, stolen or mistakenly disclosed (e.g., a USB flash drive is lost or an email is sent to unintended recipients).
Individuals (including employees of the Office) may make a complaint to the Office if they consider that the Office has failed, in handling the individual's personal information, to comply with the obligations contained in the IP Act.
The purpose of this policy and procedure is to outline how privacy complaints and breaches will be managed. It should be read in conjunction with:
- the requirements of the IP Act regarding the handling of personal information and the making of privacy complaints;
- the Office's Complaints management system (CMS) and internal review policy (CMS policy); and
- the Office's Privacy Plan.
A privacy complaint or breach may also involve a breach of the secrecy provision contained in s.92 of the Ombudsman Act. If both arise in relation to one complaint, they will be dealt with in accordance with the CMS policy, and the Deputy Ombudsman will liaise with General Counsel about management of the process.
2. Principles
'Personal information' is defined in the IP Act as 'information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion'.
The IP Act contains 11 Information Privacy Principles (IPPs) (see Schedule 3) with which agencies are required to comply when handling personal information.
The Office's Privacy Plan outlines the obligations on the Office and its employees in relation to the collection, management, use and disclosure of personal information held by the Office.
3. Application/scope
This policy and procedure applies to all permanent and temporary employees of the Office as well as contractors, employment agency staff, sub-contractors, work experience students and volunteers (who are defined as workers in the Work Health and Safety Act 2011) while working in the workplace.
The RTI/IP Coordinator is responsible for the administrative aspects of dealing with applications (including complaints) made under the IP Act, including the receipt, acknowledgement, logging applications and complaints, and the maintenance of the Privacy complaints and breaches register.
General Counsel has primary responsibility for managing privacy complaints and breaches. In General Counsel's absence, these will be managed by the Deputy Ombudsman.
4. Procedures
4.1 Who may receive a complaint?
A complaint (internal or external) may be received by any employee of the Office in the course of everyday business. It may be received in person, online, by phone, email or post.
An employee receiving a complaint about a possible privacy breach must refer the complaint and all associated material to the RTI/IP Coordinator within 24 hours of receipt. In the absence of the Coordinator, the complaint must be referred to General Counsel.
If an inquiry is received by a person who wishes to forward a written privacy complaint to the Office by post, they should be advised to make it attention to the RTI/IP Coordinator or send an email.
4.2 What must the complaint contain?
A formal privacy complaint may be made verbally or in writing, although complainants should be encouraged to submit their complaint in writing.
If it is not possible for the complainant to lodge their complaint in writing, or they do not wish to do so, a record of complaint must be made by the employee who receives the verbal complaint.
The complaint must:
- include an address of the complainant to which notices may be forwarded;
- give particulars of the act or practice complained of; and
- be made within 12 months of the occurrence of the act or practice.
A complaint that is made more than 12 months after the occurrence of the act or practice complained of may not be able to be investigated, due to the difficulty in obtaining reliable evidence because of the length of time that has passed.
4.3 Refusal to deal with the complaint
The following are situations where the Office may decline to deal with a complaint:
- the complaint does not concern the personal information of the complainant
- the complaint concerns the personal information of a child and the person making the complaint is not the parent or guardian of the child
- the complaint concerns the personal information of an individual and the person lodging the complaint is not an agent of the individual authorised to act on the individual's behalf
- 12 months have elapsed since the complainant first became aware of the act or practice that is the subject of the complaint.
4.4 Acknowledgement and allocation
The RTI/IP Coordinator will acknowledge receipt of the complaint within seven business days and will advise the complainant that an outcome is due within 45 business days of receipt.
The RTI/IP Coordinator will create a file and allocate the matter to General Counsel (or, in the absence of General Counsel, to the Deputy Ombudsman).
The RTI/IP Coordinator will create an entry in the Privacy complaints and breaches register.
4.5 Internal notification
Employees of the Office may identify a suspected breach of privacy, including the misuse of information which breaches another person’s privacy, in the absence of a complaint.
If an employee reasonably believes or becomes aware that they, or another employee of the Office have, or may have, breached the obligations contained in the IP Act in their handling of an individual's personal information, they must immediately notify their manager who will refer the matter to the RTI/IP Coordinator and General Counsel. The procedure for handling complaints and breaches is to be followed with appropriate variation.
4.6 Initial management
Where a privacy breach is received, or breach is identified (through external or internal complaint), the RTI/IP Coordinator and/or General Counsel will escalate the matter internally as appropriate, take steps to contain the breach (if ongoing) and evaluate associated risks.
An assessment of the breach will consider:
- the type of personal information involved
- who is affected by the breach
- the cause of the breach
- any foreseeable harm to affected individuals.
4.7 Consider whether to notify affected individuals
General Counsel will consider whether it is appropriate to notify any affected individuals.
4.8 Consider whether to notify the Information Commissioner
General Counsel will consider whether it is appropriate to inform the Information Commissioner.
4.9 Preliminary informal resolution
Where appropriate, an initial attempt will be made to resolve a complaint or breach informally (e.g., by discussion with the employee complained about and their manager).
General Counsel will oversee the process and, where appropriate, will advise the complainant (if applicable) of any proposed informal resolution outcome (e.g., offering an apology, or amending an Office procedure). If the complainant is satisfied with the outcome and any recommendations arising from the informal resolution process have been implemented, the matter can be finalised. An assessment will be made by General Counsel about whether written advice of the outcome should be sent to the complainant.
If the matter cannot be resolved informally, an assessment will be made by General Counsel (in consultation with the Ombudsman/Deputy Ombudsman) about what, if any, further action should be taken, including whether a formal investigation will be conducted.
4.10 Who investigates the complaint/breach?
Where it is decided that a formal investigation of the complaint or breach is appropriate, General Counsel must brief the Ombudsman and seek approval to proceed with the investigation.
Formal privacy complaints may be assessed and investigated by:
- General Counsel; or
- the Deputy Ombudsman; or
- a third person approved by the Ombudsman (including an external investigator where appropriate).
4.11 How is the investigation conducted?
The investigator must:
- if a complaint has been made about a specific employee, advise the employee complained about that a complaint has been made and that an investigation will be undertaken (unless advising them could prejudice the investigation)
- gather information relevant to the complaint, including interviewing employees or third parties who may have information relevant to the investigation
- keep the complainant advised about the progress of the matter
- prepare a report about the investigation, including conclusions and any recommendations for remedial action
- submit the report to the Ombudsman within 30 business days after receipt of the complaint
- advise the relevant parties to the investigation of the outcome of the investigation, including any remedies that are considered appropriate to resolve the complaint in conjunction with the Deputy Ombudsman
- oversee the implementation of any remedial action.
Complaints will be investigated without prejudice to any other remedies a complainant may have. Procedural fairness will be provided to all parties during the conduct of the investigation.
The privacy of the parties to the complaint will be protected to the extent possible without impeding the conduct of the investigation, and having regard to the need to accord procedural fairness.
Anonymous complaints may be investigated where considered appropriate, but it will not be possible to advise the complainant about the outcome of the investigation.
4.12 Vexatious complaints
If a complaint is considered vexatious, the investigator may, in consultation with the Ombudsman, decide to limit or cease correspondence with the complainant. This decision will be communicated to the complainant in writing.
A complaint is vexatious if it is a frivolous complaint which has been brought maliciously. 'Vexatious' indicates that there is an element of bad faith in the complaint. A complaint may be considered vexatious if it was made for a purpose other than addressing the subject matter of the complaint.
4.13 Possible outcomes
If the investigator is satisfied that the alleged breach occurred, investigative or informal resolution outcomes may include one or more of the following:
- an apology to the complainant
- a change to work responsibilities, and/or work practices, and/or Office policies and procedures
- an explanation of how and why the problem occurred and what steps the Office is taking to prevent it from recurring
- a promise not to repeat the action constituting the breach
- offering practical assistance to deal with the consequences of the breach
- disciplinary action against an employee in cases of misuse of information or other misconduct.
If the alleged breach is not proven, the parties to the investigation must still be advised about the outcome of the investigation.
The RTI/IP Coordinator will enter the outcome in the Privacy complaints and breaches register.
General Counsel will consider whether the Queensland Ombudsman Audit Committee and/or the Information Commissioner should be notified about the outcome.
4.14 Preventing a repeat
If a breach is substantiated, measures to prevent any recurrence must be identified and implemented. Preventative actions may include a:
- security audit of both physical and technical security controls
- review of policies and procedures
- review of employee training practices
- review of contractual obligations with contracted service providers.
5. Further action
5.1 Information Commissioner
If the complainant is not satisfied with the outcome of the Office's investigation (or informal resolution process), they may complain to the Information Commissioner.
A complainant may not refer a privacy complaint to the Information Commissioner unless they have made a complaint to the Office in accordance with the process outlined above, and are dissatisfied with the outcome, or they have not received a response from the Office within the 45 business day time limit.
The Information Commissioner will make an assessment about whether the complaint could be resolved through mediation. If so, the Information Commissioner must take all reasonable steps to mediate the complaint (see s.171 of the IP Act).
5.2 QCAT
If a complaint is referred to the Information Commissioner and it does not appear it can be resolved through mediation or it is referred for mediation but the mediation is unsuccessful, the complainant may ask the Information Commissioner to refer the matter to the Queensland Civil and Administrative Tribunal (QCAT).
If QCAT is satisfied that the complaint has been substantiated, it may make an order that:
- the respondent agency not repeat or continue a particular act or practice
- the respondent agency apologise to the complainant
- the respondent agency make stated amendments to documents it holds
- the respondent agency take certain action to compensate the complainant for loss or damage suffered
- the complainant is entitled to an amount up to $100,000 to compensate them for loss or damage suffered, including injured feelings or humiliation
- the complainant be reimbursed for their reasonable expenses in connection with making the complaint.
6. Procedures for suspected misuse of information
Where a privacy breach includes a suspected misuse of information, General Counsel will consider whether it is appropriate to refer the matter to the Crime and Corruption Commission and/or the Queensland Police Service prior to commencing any disciplinary investigation. Considerations will include:
- the accessibility of the confidential information
- whether any personal benefit, financial gain or commercial advantage was obtained from access to the information
- the number of alleged breaches
- an impact assessment.
7. Responsibilities
Task
|
Responsibility
|
Immediately notify manager on becoming
aware of a breach or potential breach of the
obligations in the IP Act in respect of the
handling of an individual's personal information |
All staff |
Refer notification of breach or potential breach to RTI/IP Coordinator, General Counsel or Deputy Ombudsman |
Manager |
Refer privacy complaint and associated material to RTI/IP Coordinator within 24 hours of receipt |
All staff |
Acknowledge receipt of complaint; open file; and allocate complaint within seven business days of receipt |
RTI/IP Coordinator |
Assess complaint and oversee informal
resolution |
General Counsel or Deputy Ombudsman |
Brief Ombudsman if formal investigation
appropriate |
General Counsel or Deputy Ombudsman |
Appoint investigator |
Ombudsman |
Conduct investigation |
Investigator |
Prepare report for Ombudsman |
Investigator |
Advise parties of outcome |
Investigator |
Make appropriate referrals to external bodies (if required) |
Investigator / General Counsel |
Oversee implementation of remedial action |
General Counsel or Deputy Ombudsman |
Coordinate response to OIC review |
General Counsel or Deputy Ombudsman |
Maintain Privacy complaints and breaches register |
RTI/IP Coordinator |
8. Supporting information
Legislation
- Information Privacy Act 2009
- Information Privacy Regulation 2009
- Ombudsman Act 2001
Internal policies
- Complaints management system (CMS) and internal review policy
- Privacy Plan
External documents
The Office of the Information Commissioner has produced detailed guidelines on the operation of the IP Act (including Privacy breach management and notification and Tips for resolving privacy complaints) which are available from the Office of the Information Commissioner.
The Crime and Corruption Commission has developed a guide to assessing allegations about misuse of confidential information which is available on its website.