How can I make a complaint about a potential privacy violation?

In Plain English

If you believe your privacy has been violated, here's what you can do:

• For Credit Reporting Issues: If your complaint involves a credit reporting body or a credit provider potentially breaching privacy rules, you can complain directly to them. They have to investigate and respond to you within a specific timeframe. If you're not happy with their decision, you can escalate the matter to an external dispute resolution scheme or the Commissioner.
• For General Privacy Concerns: For other privacy violations, you can lodge a complaint with the Commissioner. They will investigate the matter, and you may need to provide your complaint in writing.
• Cyberbullying: If you are or were the target of cyberbullying you can make a complaint to the Commissioner.
• Digital ID: If you believe an entity handling your digital ID information has violated your privacy, you can complain to the Commissioner.
• Market and Social Research: If you believe a research organisation has violated your privacy, you can complain to the research organisation itself.

Detailed Explanation

The process for making a complaint about a potential privacy violation depends on the nature of the violation and the entities involved. Here's a breakdown based on the provided legislative context:

1. Complaints Regarding Credit Reporting Bodies or Credit Providers:

• Who can complain: An individual can complain to a credit reporting body or credit provider about an act or practice that may be a breach of the provisions in Part IIIA of the Privacy Act 1988 or the registered CR code (excluding sections 20R, 20T, 21T, and 21V, or provisions related to those sections) - see section 23A of the Privacy Amendment (Enhancing Privacy Protection) Act 2012.
• How to complain: The individual must specify the nature of the complaint (section 23A(3) of the Privacy Amendment (Enhancing Privacy Protection) Act 2012). The complaint can relate to personal information that has been destroyed or de-identified (section 23A(4) of the Privacy Amendment (Enhancing Privacy Protection) Act 2012).
• What the credit reporting body/provider must do:
  • Acknowledge the complaint in writing within 7 days, outlining how they will deal with it (section 23B(1)(a) of the Privacy Amendment (Enhancing Privacy Protection) Act 2012).
  • Investigate the complaint (section 23B(1)(b) of the Privacy Amendment (Enhancing Privacy Protection) Act 2012).
  • Consult with other relevant credit reporting bodies or providers if necessary (section 23B(2) of the Privacy Amendment (Enhancing Privacy Protection) Act 2012).
  • Make a decision about the complaint within 30 days (or a longer period agreed to in writing by the individual) (section 23B(4) and (5) of the Privacy Amendment (Enhancing Privacy Protection) Act 2012).
  • Provide a written notice of the decision, including the option to access a recognised external dispute resolution scheme or make a complaint to the Commissioner if the individual is not satisfied (section 23B(4) of the Privacy Amendment (Enhancing Privacy Protection) Act 2012).
• Notification requirements for correction complaints: If the complaint relates to a breach of sections 20S or 21U (correction of personal information), the credit reporting body or provider must notify relevant parties (other credit providers or credit reporting bodies) about the complaint and the decision (section 23C of the Privacy Amendment (Enhancing Privacy Protection) Act 2012). They must also notify recipients of disclosed information about the complaint if a decision hasn't been made yet (section 23C(4) and (5) of the Privacy Amendment (Enhancing Privacy Protection) Act 2012).

2. Complaints to the Commissioner (General Privacy Concerns):

• Who can complain: An individual can complain to the Commissioner about an act or practice that may be an interference with their privacy (section 36(1) of the Privacy Act 1988). This includes potential breaches of the Australian Privacy Principles (APPs).
• Representative complaints: A representative complaint can be lodged on behalf of multiple individuals if their complaints are against the same entity, arise from similar circumstances, and involve a common issue of law or fact (section 38 of the Privacy Act 1988).
• How to complain: The complaint must be in writing (section 36(3) of the Privacy Act 1988) and specify the respondent (section 36(5) of the Privacy Act 1988). Staff of the Commissioner must provide assistance to those who need help formulating the complaint (section 36(4) of the Privacy Act 1988).
• Commissioner's role: The Commissioner will investigate the complaint (section 40 of the Privacy Act 1988), and has powers to:
  • Make preliminary inquiries of any person.
  • Require a person to give information or documents, or to attend a compulsory conference.
  • Transfer matters to an alternative complaint body in certain circumstances.
• Commissioner's determination: After the investigation, the Commissioner may dismiss the complaint or find it substantiated and make a determination that includes declarations about the respondent's conduct and required actions (section 52 of the Privacy Act 1988).

3. Complaints under the Online Safety Act 2021:

• Cyberbullying: A child, a responsible person on behalf of a child, or an adult who was the target of cyberbullying as a child can complain to the Commissioner about cyberbullying material (section 30 of the Online Safety Act 2021).
• Intimate Images: A person can complain to the Commissioner about intimate images being shared without their consent (section 36 of the Online Safety Act 2021).
• Online Content: A person can complain to the Commissioner about class 1 or class 2 material being accessible to end-users in Australia (section 38 of the Online Safety Act 2021).
• Prior Complaint to Service Provider: For complaints about material on social media, relevant electronic services, or designated internet services, the complaint to the Commissioner must be accompanied by evidence that the material was previously the subject of a complaint to the service provider (sections 30(4) and 36(3) of the Online Safety Act 2021).
• Commissioner's Investigation: The Commissioner may investigate complaints and has the power to obtain information and make inquiries (section 31 and 37 of the Online Safety Act 2021).

4. Complaints under the Digital ID Act 2024:

• If an accredited entity violates Division 2 of the Digital ID Act 2024 or section 136 in relation to personal information, it is considered an interference with privacy and can be subject to a complaint under section 36 of the Privacy Act 1988 (section 38 of the Digital ID Act 2024).

5. Complaints under the Crimes Act 1914:

• A person may complain to the Information Commissioner about an act or practice of another person or of a Commonwealth authority or State authority that may be a breach of Division 2 or 3 (section 85ZZA of the Crimes Act 1914).

6. Complaints under the Telecommunications Regulations 2021:

• An authorised research entity must have internal dispute resolution procedures enabling it to deal with inquiries or complaints from a contacted person about its use or disclosure of any research information relating to the person (section 30(5) of the Telecommunications Regulations 2021).

7. Complaints under the Privacy (Market and Social Research) Code 2021:

• A research organisation must have a clearly expressed and up-to-date research information privacy policy about the management of identifiable research information by the Organisation (section 9 of the Privacy (Market and Social Research) Code 2021).
• The research information privacy policy must contain information about how an individual may complain about a breach of this Code, and how the organisation will deal with such a complaint (section 9 of the Privacy (Market and Social Research) Code 2021).

It's important to note that this information is based on the specific legislative context provided. Depending on the specific circumstances of your situation, other laws and regulations may also be relevant.