Individuals can complain to the Victorian Commissioner for Privacy and Data Protection (“PDP Commissioner”) about an act or practice that may breach a Victorian Information Privacy Principle (IPP). The alleged breach must be in relation to the personal information of a living person.
There are provisions under the Privacy and Data Protection Act 2014 (Vic) (“PDP Act”) that enable minors or people who are unable to complain because of a physical or mental disability to have someone complain on their behalf (ss 59, 60).
The PDP Commissioner must try to conciliate complaints wherever possible. Where appropriate, complaints can be referred to the Victorian Ombudsman, the Health Services Commissioner, the Australian Privacy Commissioner, the Disability Services Commissioner, the Freedom of Information Commissioner, the Commissioner for Children and Young People, or the Mental Health Complaints Commissioner.
In conducting investigations, the PDP Commissioner has enforceable powers to obtain information and documents and take evidence on oath.
The PDP Commissioner has the power to decline to investigate complaints in certain circumstances (s 62), including where:
• the organisation complained about is adequately dealing with, or has adequately dealt with, the complaint;
• the complainant has not complained to the organisation before making a complaint to the PDP Commissioner;
• the PDP Commissioner believes the complaint is frivolous, vexatious or lacking in substance;
• the complainant does not make a complaint to the PDP Commissioner within 45 days of becoming aware of the alleged privacy breach.
If the PDP Commissioner declines to investigate a complaint – or conciliation of the complaint is not possible, or has been attempted but has failed – a complainant may, in writing, direct the PDP Commissioner to refer their complaint to the Victorian Civil and Administrative Tribunal (VCAT).
A referral to VCAT is considered to be a fresh hearing of the complaint. The PDP Commissioner can decide to intervene in any proceeding before VCAT, and can be joined by VCAT as a party to the proceeding. If VCAT upholds a complaint as a breach of privacy, potential remedies include:
• orders to correct information;
• reimbursement of expenses;
• compensation orders of up to $100,000.
The PDP Commissioner can serve a compliance notice on an organisation when that organisation has seriously breached one of the IPPs (or an approved Code of Practice). A notice can also be served on an organisation if the act that breached one of the IPPs (whether serious or not) has occurred five times in the last two years.
If an organisation is served with a compliance notice, penalties apply for failure to comply, which is an indictable offence. An individual or organisation whose interests are affected by a compliance notice can seek a review from VCAT.
The PDP Commissioner’s website (www.cpdp.vic.gov.au) contains a number of resources under “privacy”, including information sheets, background papers, reports and checklists. It reproduces the guidelines for organisations working with the IPPs produced by the Victorian Privacy Commissioner. The website’s “link library” provides links to a variety of resources in Australia and overseas and links to other privacy organisations. Case notes are published under “Archives” and in the privacy law library at www.austlii.edu.au.