Complaints are valuable assets for every organisation. There is no better way to highlight and fix problems in an organisation’s systems and processes. This is what we tell the agencies we investigate, and many of them take the opportunity to learn from complaints to improve their practices. It’s also a view that was echoed in an excellent Auditor-General report about ACC’s complaint’s processes.
But how do we practice what we preach? How do you give us the opportunity to fix inadequacies in the way we do things? In other words, how do you complain about the Privacy Commissioner?
Give us a chance
If you’re unhappy with any stage of your privacy complaint, you should let us know first. We will almost always escalate your concerns to a more-senior staff member for a second look. While you don’t necessarily have to do this, it is faster and involves less paperwork than going through formal oversight channels – and it certainly doesn’t stop you from using those channels in the future!
If you do this, the decision may be changed in your favour; and if not, you’ll at least get a more detailed explanation of our decision.
We appreciate complainants who do this because it gives our investigators the opportunity to learn in a hands-on way.
The Ombudsman and the assessment
When you make a Privacy Act complaint, our first move is to assess your complaint and determine whether or not to launch a full investigation. There are a number of reasons we may decline to investigate. For example, the case may not be covered under the Privacy Act, the breach may have been a long time ago or the issue may be too minor to merit an investigation.
Sometimes we will suggest that complainants take up another avenue for their concerns, such as in the courts, or an industry specific dispute resolution scheme.
If we decide not to investigate, we are exercising a discretion. We are answerable in the way we exercise that discretion to the Ombudsman. So if you disagree with our decision not to investigate, you can ask the Ombudsman to investigate our decision. If the Ombudsman thinks we have not taken into account all relevant factors, or have otherwise acted unreasonably, they can suggest we reconsider our decision. In most cases we would accept a Ombudsman’s recommendation.
You can file your complaint to the Office of the Ombudsman online:
Settling your case
If, after beginning an investigation it seems as though there is some basis for the complaint, we will try and identify opportunities to help the parties resolve the problem. When the parties agree to a settlement, that is the end of the story. Each party gives up their right to pursue a full legal determination, for the sake of an early settlement.
The Investigation and the Tribunal
If the case doesn’t settle, there are three different possible outcomes:
1) We may find an interference with your privacy and refer your case to the Director of Human Rights Proceedings, who may choose to represent your case before the Human Rights Review Tribunal.
We don’t exercise this right very often. We reserve it for ‘edge cases,’ such as cases where a privacy breach has caused significant harm, where new legal precedents need to be set, or where we suspect there are other people suffering from the same privacy breach. Further, a referral to the Director doesn’t guarantee that you’ll be heard in front of the Human Rights Review Tribunal, as the Director may choose not to take your case.
2) We may find that your privacy has been breached, but choose not to refer the case to the Director of Human Rights Proceedings.
3) We may find that there has been no interference with your privacy, and close the case.
All three of these circumstances have the same recourse if you are dissatisfied: take the case to the Human Rights Review Tribunal yourself. The Tribunal will hear evidence afresh, and make up its own mind, independent of any finding we might have made.
A recent example of this practice in action was Taylor v Orcon. Mr Taylor complained to our office about telecommunications company Orcon disclosing inaccurate information about his credit history. We concluded our investigation on the basis that the breach by Orcon did not cause all the harm Mr Taylor claimed to have suffered.
Mr Taylor, dissatisfied with this outcome, took Orcon to the Tribunal and won $25,000. The Tribunal disagreed with the way we had applied the legal tests, and not only did he get the outcome he wanted, he also provided us with valuable guidance for the future (although he’s probably happier with the $25,000).
So, the Privacy Commissioner, like all public sector organisations, functions in a world of checks, balances and oversight. If you think we’ve made the wrong call, we encourage you to avail yourself of these mechanisms. Otherwise, how will we get it right next time?
Image credit: Upset Lion by Toby Oxborrow via Flickr