Asserting Privacy Rights
Contributed by Dr Bruce Baer Arnold, University of Canberra and current to February 2022.
At a glance
An implication of the preceding parts of this chapter is that if people are concerned about their own privacy and that of others, for example their children, they need to do three things.
The first is to recognise that although the erosion of privacy through new technologies is not unprecedented and is not unmanageable people should be conscious of particular risks and actively manage those risks. A classic dictum – relevant in Shakespeare’s time and our own – is to protect your privacy by drawing the curtains, closing the door and not confiding intimate details to entities who are likely to gab. Self-help is important: use passwords on mobile phones and laptops, don’t share your wifi network with strangers, do recognise that the ‘hottie’ on Tindr or Grindr may not be authentic. Just because you can provide moment by moment coverage of your life on Facebook or Twitter does not mean you should.
A second is to engage in law reform. This chapter has highlighted the patchwork and in places distinctly threadbare nature of privacy law, alongside delays by Governments in responding to hardheaded recommendations by law reform bodies and civil society advocates such as the Australian Privacy Foundation for updated legislation that better protects ordinary Australians.
The third is that people should assert their privacy rights rather than assuming rights will look after themselves, a regulator will come to the rescue or that rights are meaningless in the age of big data, big government and social media.
Assertion requires people to identify relevant law, remembering that the best outcome may not be under the national
Privacy Act 1988, and use appropriate mechanisms. In responding to some disregard of privacy the best mechanism might be contact with the ACT Police, given that invasions of privacy may be a criminal offence. Responses to other disregard might be a matter of an initial complaint to the organisation response for that disregard, followed up by a formal complaint to a regulatory body or other entity.
This part of the chapter deals with such complaints. In essence, there is no cost to lodge a complaint with the ACT and national privacy commissioners, or with the ACT Health Commissioner or with a business’ external dispute resolution (EDR) service provider (in contrast to taking civil action in ACT or national courts). Those bodies emphasise conciliation and do not require representation by a legal practitioner. They do require relevant information as the basis of investigation and conciliation. Their resolution of complaints may not be quick and may not satisfy people who expect that complaints will result in exemplary compensation to victims of privacy abuses and fines or imprisonment of those who caused the abuses.
Internal Review mechanisms
A common-sense response to a disregard of your privacy is to complain to the public/private sector organisation that caused the disregard. In some instances that complaint will result in an apology, a correction, a commitment or other action that addresses your concerns. In other instances you will not get a response or will get no satisfaction, meaning that you can take your complaint to an entity such as the OAIC (aka the Privacy Commioner) or ACT Human Rights Commission.
As highlighted earlier in this chapter, organisations are required under the information privacy enactments to provide contact details and guidance about complaint mechanisms, typically through a specific privacy officer with a dedicated email address and number. The organisation’s privacy policy should be available on its website and will often feature in leaflets and other documentation.
People are not required to make a complaint via a legal aid service or a legal practitioner who operates on a commercial basis. A complaint to the organisation is free of charge. Organisations are required to respond to a complaint within thirty days. (Note that the response does not necessarily mean that the complaint will be partly/fully resolved within that period: the timing in essence involves acknowledgement.) You can withdraw your complaint at any time. Note that if you are representing someone else in lodging the complaint you must make this clear and provide a written authority to act on that person’s behalf.
If you do not receive a response or are unsatisfied by the resolution you are able under the enactments to take the complaint to the body that supervises the enactments. The key bodies are highlighted below. Note that complaints about disregard of privacy by the print media can be addressed to the Australian Press Council, a non-government body. Complaints about commercial broadcasters can be addressed to the Australian Communications & Media Authority (ACMA), a government agency that historically been faster and more rigorous than the OAIC. Complaints relating to credit reporting may be addressed to the external dispute resolution service provider used by some finance-sector businesses and identified in their website/print material.
Many complaints involve correspondence – by post, email or fax – between the person complaining of disregard and the entity that is claimed to disregarded that person’s privacy. Correspondence provides scope for unemotional explanation and a record that can be used by the complainant if the matter is referred to the OAIC or another body. Don’t throw out the paper!
Grounds for complaint
What are the grounds for complaint? In essence, under the information privacy enactments a complaint is restricted to an act or omission that is contrary to the privacy principles identified in the preceding two parts of this chapter. Acts/omissions outside those enactments and accordingly beyond the privacy principles are disregarded by the Privacy and Health Commissioners. Personal distress or outrage does not mean that an entity has breached the enactments and is therefore expected to reach an agreement that a complainant considers to be appropriate and adequate.
Readers should recall that the principles are high level statements that feature notions of what is ‘reasonable’ in particular circumstances. Their interpretation is aided by guidelines that may be complex; individual principles do not stand alone and in several instances will be interpreted by the Privacy Commissioners through reference to other parts of the Act and emerging case law.
Making a complaint to the Australian and ACT Privacy Commissioners
Complaints to the Privacy Commissioner, ie to the Australian Privacy Commissioner regarding the national
Privacy Act or to the Territory Privacy Commissioner under the Territory’s Information
Privacy Act, must be made in writing rather than by phone or in person.
They do not need to be made by a community legal aid service or commercial legal practitioner on your behalf. Note that reporting by the Commissioner regarding the resolution of complaints anonymises that action, so the complainant’s name typically will not appear on the Commissioner’s website.
Complainants should remember that the complaint mechanisms are founded on conciliation rather than punishment or compensation. Remember also the Territory Government has sought to save money by using the under-resourced national Commissioner as the separate Territory Commissioner: one person within the Office of the Australian Information Commissioner wearing two discrete hats and dealing with separate Territory and Commonwealth enactments. The Commissioner is located in Sydney (contact details are provided in the following part of this chapter).
The written complaint should include:
- the complainant’s contact details
- any relevant reference numbers or identifiers
- the name of the entity (government agency or organisation) involved
- a concise and clear description of the basis of the complaint
- any action taken by the agency or organisation to fix the problem
- what outcome is sought by the complainant regarding resolution of the complaint
- copies of any relevant documents, including copies of your complaint to the agency/organisation and its response.
Complaints regarding credit reporting should include a copy of the complainant’s credit file.
Note that health records held by ACT Government agencies (including public hospitals) are covered by the
Health Records (Privacy and Access) Act 1997 (ACT), with complaints being handled by the Health Commissioner within the ACT Human Rights Commissioner – noted below.
The Commissioners will choose not to resolve complaints in instances where the complainant has not acted on a timely basis (for example took more than 12 months to complain under the Territory Information
Privacy Act, inferred as meaning there wasn’t a serious harm), the complaint is more properly addressed under another law or by another a body, the respondent has already adequately dealt with the matter or has had insufficient time to deal with the complaint, or the complaint lacks substance.
Potential outcomes facilitated by the Commissioner (or by an enterprise’s EDR service provider) include an apology, a change to the entity’s practice and procedure, staff training, compensation (exceptionally) and action that addresses specific matters such as correction/annotation of records in line with APP 13.
Making a complaint to the ACT Human Rights Commission
The ACT Human Rights Commission handles health record privacy complaints under the ACT’s
Health Records (Privacy and Access) Act 1997. The Commissioner is independent of the Information Privacy Commissioner.
Complaints may be made about acts or omissions relating to the Privacy Principles under the Health Records Act.
The complaint must be in writing rather than by phone or in person and should include:
- the complainant’s contact details
- any relevant reference numbers or identifiers
- the name of the agency or organisation involved
- a concise and clear description of the basis of the complaint
- any action taken by the agency or organisation to fix the problem
- what outcome is sought by the complainant regarding resolution of the complaint
- copies of any relevant documents, including copies of your complaint to the agency/organisation and its response.
The courts
Previous parts of this chapter have noted scope for action under tort and other law regarding a disregard of privacy or other injury. Readers contemplating such action should refer to this Handbook’s explanation of the court system and seek advice from a legal aid service or commercial practitioner.
Under the ACT Information
Privacy Act there is specific provision for enforcement by an ACT court. If the Privacy Commissioner finds that there has been an interference with privacy under that Act and the complaint is not resolved by agreement with the respondent, the Commissioner will issue a notice that outlines findings as the basis for application to the ACT Magistrates Court for a court order that covers one or more of the following. The respondent must:
- stop the matter that is the subject of the complaint
- undertake a reasonable act or practice to compensate the complainant
- make certain amendments to its records
- compensate for economic loss incurred by the complainant as a result of the matter that is the subject of the complaint
Note that compensation does not cover embarrassment, grief or other distress. The Court might however dismiss the application on the basis that there was no interference with privacy under the Information
Privacy Act or that no further action now needs to be taken by the respondent.
As of February 2022, no such orders have been issued. Readers should note the application for an order needs to be made within six months of the Commissioner’s notice. The Court may order reimbursement of costs reasonably incurred in making the complaint. Importantly, the Commissioner does not litigate on behalf of complainants or assist them taking the matter to court.