Individuals can complain to the VI Commissioner about an act or practice that may breach a Victorian IPP. The alleged breach must be in relation to the personal information of a living person. The VI Commissioner deals with complaints in the same way as the previous Victoria Commissioner for Privacy and Data Protection.
There are provisions under the PDP Act that enable minors or people who are unable to complain because of a physical or mental disability to have someone complain on their behalf (ss 59, 60).
The VI Commissioner must try to conciliate complaints wherever possible. Where appropriate, complaints can be referred to the Victorian Ombudsman, the Victorian Health Complaints Commissioner, the Australian Privacy Commissioner, the Disability Services Commissioner, the Commissioner for Children and Young People, or the Mental Health Complaints Commissioner.
Under the Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017 (Vic) (“FoI Amendment Act 2017”), the VI Commissioner can decide to investigate complaints received under the PDP Act as if received under the Freedom of Information Act 1982 (Vic), and vice versa.
In conducting investigations, the VI Commissioner has enforceable powers to obtain information and documents and take evidence on oath. The FoI Amendment Act 2017 enhanced these powers and they apply to all the VI Commissioner’s investigations.
The VI Commissioner has the power to decline to investigate complaints in certain circumstances (s 62), including where:
• the organisation complained about is adequately dealing with, or has adequately dealt with, the complaint;
• the complainant has not complained to the organisation before making a complaint to the VI Commissioner;
• the VI Commissioner believes the complaint is frivolous, vexatious or lacking in substance;
• the complainant does not make a complaint to the VI Commissioner within 45 days of becoming aware of the alleged privacy breach.
If an alleged privacy breach is done by an employee or an agent acting on behalf of an organisation, the organisation is held responsible unless it can establish that it took reasonable precautions and exercised due diligence to avoid the privacy breach (s 118 PDP Act).
In the case of TSJ v Department of Health and Human Services (Human Rights)  VCAT 687, a social worker employed by the Department of Health and Human Services (DHHS) sent personal information about the complainant to the wrong email address. The person who received the information immediately contacted the social worker, who took steps to retrieve the information, notified the complainant, and apologised for the breach.
VCAT found that the DHHS had taken reasonable precautions and exercised due diligence to prevent the privacy breach under IPP 2, and to protect the personal information under IPP 4, and dismissed the complaint.
If the VI Commissioner declines to investigate a complaint – or conciliation of the complaint is not possible, or has been attempted but has failed – a complainant may, in writing, direct the VI Commissioner to refer their complaint to the Victorian Civil and Administrative Tribunal (VCAT). A referral to VCAT is considered to be a fresh hearing of the complaint.
The VI Commissioner can decide to intervene in any proceeding before VCAT, and can be joined by VCAT as a party to the proceeding.
If VCAT upholds a complaint as a breach of privacy, potential remedies include:
• orders to correct information;
• restraint orders;
• reimbursement of expenses;
• compensation orders of up to $100,000.
The VI Commissioner can serve a compliance notice on an organisation when that organisation has seriously breached one of the IPPs (or an approved Code of Practice). A notice can also be served on an organisation if the act that breached one of the IPPs (whether serious or not) has occurred five times in the last two years.
If an organisation is served with a compliance notice, penalties apply for failure to comply and it is an indictable offence. An individual or organisation whose interests are affected by a compliance notice can seek a review from VCAT.