Complaints to the Victorian Information Commissioner

Overview

Individuals can complain to the VI Commissioner about an act or practice that may breach a Victorian IPP. The alleged breach must be in relation to the personal information of a living person. There are provisions under the PDP Act that enable minors or people who are unable to complain because of a physical or mental disability to have someone complain on their behalf (ss 59, 60).

The VI Commissioner must try to conciliate complaints wherever possible; there is a range of remedies available for the parties’ consideration.

Where appropriate, complaints can be referred to the Victorian Ombudsman, the Victorian Health Complaints Commissioner, the Australian Privacy Commissioner, the Disability Services Commissioner, the Commissioner for Children and Young People, or the Mental Health Complaints Commissioner. Note that for complainants who are in prison custody, communications to and from the VI Commissioner, most of the complaint bodies listed above, and a number of other entities, are treated as privileged communications under the Corrections Act 1986 (Vic).

Under the Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017 (Vic) (‘FoI Amendment Act 2017’), the VI Commissioner can investigate complaints received under the PDP Act as if received under the FoI Act (Vic) and vice versa.

In conducting investigations, the VI Commissioner has enforceable powers to obtain information and documents, and to take evidence on oath. The FoI Amendment Act 2017 enhanced these powers and they apply to all the VI Commissioner’s investigations.

The VI Commissioner has the power to decline to investigate and conciliate complaints in certain circumstances (s 62). These include where:

  • the organisation complained about is adequately dealing with, or has adequately dealt with, the complaint;
  • the complainant has not complained to the organisation before making a complaint to the VI Commissioner;
  • the VI Commissioner believes the complaint is frivolous, vexatious or lacking in substance; or
  • the complainant does not make a complaint to the VI Commissioner within 45 days of becoming aware of the alleged privacy breach.

Traditionally – and in relation to the ground of ‘complainant delay in bringing a complaint’ – the VI Commissioner has exercised this discretion sparingly (i.e. in a way that is favourable to complainants who have not met the 45-day timeframe).

If an alleged privacy breach is done by an employee or an agent acting on behalf of an organisation, the organisation is held responsible unless it can establish that it took reasonable precautions and exercised due diligence to avoid the privacy breach (s 118 PDP Act).

In the case of TSJ v Department of Health and Human Services (Human Rights) [2016] VCAT 687, a social worker employed by the Victorian Government Department of Health (‘Department of Health (Vic)’) sent personal information about the complainant to the wrong email address. The person who received the information immediately contacted the social worker, who took steps to retrieve the information, notified the complainant, and apologised for the breach. VCAT found that the Department of Health (Vic) had taken reasonable precautions and exercised due diligence to prevent the privacy breach under IPP 2, and to protect the personal information under IPP 4, and dismissed the complaint.

VCAT procedures & remedies

If the VI Commissioner declines to investigate a complaint – or conciliation of the complaint is not possible or has been attempted but has failed – a complainant may, in writing, direct the VI Commissioner to refer their complaint to VCAT. The VI Commissioner sends VCAT the documents setting out the complaint and the grounds of the complaint under the PDP Act. A referral to VCAT is considered to be a fresh hearing of the complaint.

VCAT’s Human Rights List determines complaints made under the PDP Act. The proceeding is generally managed through a series of steps before a final hearing. These steps include:

  • one or more directions hearings;
  • a consensual referral to mediation, or referral to a compulsory conference; and
  • a schedule for the exchange between the parties of points of complaint, points of defence, and witness statements.

The VI Commissioner can decide to intervene in any proceeding before VCAT and can be joined by VCAT as a party to the proceeding.

If VCAT upholds a complaint as a breach of privacy, potential remedies include:

  • orders to correct information;
  • restraint orders;
  • reimbursement of expenses; and
  • compensation orders of up to $100 000.

Note that due to the operation of the Open Courts Act 2013 (Vic), PDP Act complaints that reach a final determination in VCAT are generally published in identifying format unless an application for suppression is approved.

Compliance notices (s 78)

The VI Commissioner can serve a compliance notice on an organisation when that organisation has seriously breached one of the IPPs (or an approved Code of Practice). A notice can also be served on an organisation if the act that breached one of the IPPs (whether serious or not) has occurred five times in the last two years.

If an organisation is served with a compliance notice, penalties apply for failure to comply, and failure to comply is an indictable offence. An individual or organisation whose interests are affected by a compliance notice can seek a review from VCAT.

Unlike the PA 1988, the PDP Act has no formal Notifiable Data Breaches Scheme. Rather, the PDP Commissioner invites regulated agencies to report data breaches on a voluntary basis and publishes guidance for the public sector on dealing with data breaches.
