Privacy and your rights

Individuals can complain to the Victorian Information Commissioner (‘VI Commissioner’) about an act or practice that may breach a Victorian Information Privacy Principles (IPP). The alleged breach must be in relation to the personal information of a living person.

There are provisions under the Privacy and Data Protection Act 2014 (Vic) (‘PDP Act’) (ss 59, 60) that enable minors or people who are unable to complain because of a physical or mental disability to have someone complain on their behalf.

The VI Commissioner must try to conciliate complaints wherever possible; there is a range of remedies available for the parties’ consideration.

Where appropriate, complaints can be referred to the:

• Victorian Ombudsman
• Victorian Health Complaints Commissioner
• Australian Information Commissioner
• Victorian Disability Services Commissioner
• Victorian Commissioner for Children and Young People
• Victorian Mental Health Complaints Commissioner.

Note that for certain complainants (e.g. those who are in prison), communications to and from the VI Commissioner – and to and from most of the complaint bodies listed above and several other entities – are treated as privileged communications under the Corrections Act 1986 (Vic).

Under the Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017 (Vic) (‘FoI Amendment Act 2017’), the VI Commissioner can investigate complaints received under the PDP Act as if received under the Freedom of Information Act 1982 (Vic) and vice versa.

In conducting investigations, the VI Com­missioner has enforceable powers to obtain information and documents, and to take evidence on oath. The FoI Amendment Act 2017 enhanced these powers and they apply to all the VI Commissioner’s investigations.

The VI Commissioner has the power to decline to investigate and conciliate in certain circumstances (s 62). 

These include where:

• the organisation complained about is adequately dealing with, or has adequately dealt with, the complaint;
• the complainant has not complained to the organisation before making a complaint to the VI Commissioner;
• the VI Commissioner believes the complaint is frivolous, vexatious or lacking in substance;
• the complainant does not make a complaint to the VI Commissioner within 45 days of becoming aware of the alleged privacy breach.

Traditionally – and in relation to the ground of ‘complainant delay in bringing a complaint’ – the VI Commissioner has exercised this discretion sparingly (i.e. in a way that is favourable to complainants who have not met the 45-day timeframe).

If an alleged privacy breach is done by an employee or an agent acting on behalf of an organisation, the organisation is held responsible unless it can establish that it took reasonable precautions and exercised due diligence to avoid the privacy breach (s 118 PDP Act).

In the case of TSJ v Department of Health and Human Services (Human Rights) [2016] VCAT 687, a social worker employed by the Department of Health and Human Services (DHHS) sent personal information about the complainant to the wrong email address. The person who received the information immediately contacted the social worker, who took steps to retrieve the information, notified the complainant, and apologised for the breach. VCAT found that the DHHS had taken reasonable precautions and exercised due diligence to prevent the privacy breach under IPP 2, and to protect the personal information under IPP 4, and dismissed the complaint.

If the VI Commissioner declines to investigate a complaint – or conciliation of the complaint is not possible or has been attempted but has failed – a complainant may, in writing, direct the VI Commissioner to refer their complaint to VCAT.

The VI Commissioner sends VCAT the documents setting out the complaint and the grounds for the complaint under the PDP Act. A referral to VCAT is considered to be a fresh hearing of the complaint.

VCAT’s Human Rights List determines complaints made under the PDP Act. The proceeding is generally managed through a series of interlocutory steps before a final hearing.

These steps include:

• one or more directions hearings;
• a consensual referral to mediation, or referral to a compulsory conference;
• a schedule for the exchange between the parties of points of complaint, points of defence, and witness statements.

The VI Commissioner can decide to intervene in any proceeding before VCAT and can be joined by VCAT as a party to the proceeding.

If VCAT upholds a complaint as a breach of privacy, potential remedies include:

• orders to correct information;
• restraint orders;
• reimbursement of expenses;
• compensation orders of up to $100 000.

Note that due to the operation of the Open Courts Act 2013 (Vic), PDP Act complaints that reach a final determination in VCAT are generally published in identifying format unless an application for suppression is approved.

The VI Commissioner can serve a compliance notice on an organisation when that organisation has seriously breached one of the IPPs (or an approved Code of Practice). A notice can also be served on an organisation if the act that breached one of the IPPs (whether serious or not) has occurred five times in the last two years.

If an organisation is served with a compliance notice, penalties apply for failure to comply and it is an indictable offence. An individual or organisation whose interests are affected by a compliance notice can seek a review from VCAT.