Individuals can complain to the VI Commissioner about an act or practice that may breach a Victorian IPP. The alleged breach must be in relation to the personal information of a living person. The VI Commissioner deals with complaints in the same way as the previous Victoria Commissioner for Privacy and Data Protection.
There are provisions under the PDP Act that enable minors or people who are unable to complain because of a physical or mental disability to have someone complain on their behalf (ss 59, 60).
The VI Commissioner must try to conciliate complaints wherever possible. Where appropriate, complaints can be referred to the Victorian Ombudsman, the Victorian Health Complaints Commissioner, the Australian Privacy Commissioner, the Disability Services Commissioner, the Commissioner for Children and Young People, or the Mental Health Complaints Commissioner.
Under the Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017 (Vic) (“FOI Amendment Act 2017”), the VI Commissioner can decide to investigate complaints received under the PDP Act as if received under the Freedom of Information Act 1982 (Vic), and vice versa.
In conducting investigations, the VI Commissioner has enforceable powers to obtain information and documents and take evidence on oath. These powers were enhanced by the FOI Amendment Act 2017; these powers apply to all the VI Commissioner’s investigations.
The VI Commissioner has the power to decline to investigate complaints in certain circumstances (s 62), including where:
• the organisation complained about is adequately dealing with, or has adequately dealt with, the complaint;
• the complainant has not complained to the organisation before making a complaint to the VI Commissioner;
• the VI Commissioner believes the complaint is frivolous, vexatious or lacking in substance;
• the complainant does not make a complaint to the VI Commissioner within 45 days of becoming aware of the alleged privacy breach.
If the VI Commissioner declines to investigate a complaint – or conciliation of the complaint is not possible, or has been attempted but has failed – a complainant may, in writing, direct the VI Commissioner to refer their complaint to the Victorian Civil and Administrative Tribunal (VCAT).
A referral to VCAT is considered to be a fresh hearing of the complaint. The VI Commissioner can decide to intervene in any proceeding before VCAT, and can be joined by VCAT as a party to the proceeding. If VCAT upholds a complaint as a breach of privacy, potential remedies include:
• orders to correct information;
• restraint orders;
• reimbursement of expenses;
• compensation orders of up to $100,000.
The VI Commissioner can serve a compliance notice on an organisation when that organisation has seriously breached one of the IPPs (or an approved Code of Practice). A notice can also be served on an organisation if the act that breached one of the IPPs (whether serious or not) has occurred five times in the last two years.
If an organisation is served with a compliance notice, penalties apply for failure to comply and it is an indictable offence. An individual or organisation whose interests are affected by a compliance notice can seek a review from VCAT.
The website, www.cpdp.vic.gov.au, contains a number of resources under “Resources > privacy”, including information sheets, background papers, reports, case notes, VCAT decisions and checklists. It reproduces the guidelines for organisations working with the IPPs produced by the Victorian Privacy Commissioner. The website’s “link library” provides links to a variety of resources in Australia and overseas and links to other privacy organisations. Case notes are also published in the privacy law library at www.austlii.edu.au.