Privacy Law

Penalties and Remedies

Complaints and OAIC's response

A person can complain to the Commissioner about an interference with their privacy, or that of another person. The Commissioner can do any of the following:

 

  • assist a person to formulate and make a complaint (s 36(4)),

  • make preliminary inquiries of any person (s 42),

  • transfer matters to an alternative complaint body in certain circumstances (s 50),

  • attempt to conciliate the complaint (s 40A),

  • at any stage, not investigate, or cease to investigate or not investigate further, the complaint on various grounds (ss 41, 49, 49A),

  • require a person to give information or documents, or to attend a compulsory conference (ss 44, 45, 46, 47),

  • enter premises to inspect documents (s 68),

  • accept an enforceable undertaking (s 33E),

  • make a determination about the complaint (s 52),

  • seek to enforce a determination in a court (s 55A).

 

Own motion actions

The Commissioner can investigate a matter relating to data breach without a complaint being raised, if the commissioner thinks it desirable to do so. Such an investigation can then lead to further action if interference with privacy has occurred.

 

Determinations

After investigating the Commissioner can reach a determination either that the complaint is substantiated or not substantiated. Usually the complaint is sent to conciliation, which is an easier, cheaper and much less strenuous process than court. A Conciliator mediates between the parties and encourages agreement. Where the investigation was on the Commissioner’s own initiative, an enforceable undertaking may instead be required of the party in breach. Court action can lead to fines, injunctions and where a crime is concerned, imprisonment.