1. When to use this document
Other complaints may be related to privacy, but not related to a specific Privacy Obligation. It is optional to follow this document for those complaints.
2. What is a privacy complaint?
A privacy complaint is a complaint about:
- how we collect, handle, store, deal with or destroy personal information; or
- any complaint about how we comply with Privacy Obligations.
Personal information means information or an opinion about an identified individual (or an individual who is reasonably identifiable):
- whether or not the information is true; and
- whether or not the information or opinion is recorded in a material form.
Any information linked to a person’s name is likely to be personal information. However, information can still be personal information if it does not identify a person by name but otherwise makes them identifiable (e.g. licence numbers, car registration numbers).
Information is only ‘personal information’ if it is about an individual. For example, information about a company may be able to be linked to certain individuals (e.g. its directors or executives), however that information may not be about those individuals.
Personal information includes an individual’s:
- name, address, phone number, email address;
- employer, place of work and job position;
- date of birth;
- health (which is also sensitive information);
- passport or driver's licence number; and
- personal interests.
We have more rigorous Privacy Obligations to protect sensitive information. Please contact the Privacy Officer if you are unsure whether information is personal information or sensitive information.
3. Notify the Privacy Officer
You must notify the Privacy Officer as soon as you receive a privacy complaint and forward the complaint to them.
Our Privacy Officer is:
The Company Secretary – Mrs Katina Nadebaum
08 9334 0666
Once you notify the Privacy Officer of the privacy complaint, they will look after it (by following the steps in this document). You should not communicate further with the complainant about the complaint unless instructed to do so by the Privacy Officer.
4. Acknowledge the privacy complaint
The Privacy Officer will write to the complainant acknowledging receipt of the privacy complaint (acknowledgment). The acknowledgment must:
- be made within 5 Business Days of receiving the privacy complaint (or earlier, if possible);
- give the Privacy Officer’s name, title and contact details;
- explain that the Privacy Officer is a person independent of the alleged conduct (if that is the case);
- clarify the Privacy Officer’s understanding of the complaint;
- explain the steps that we will take in response to the privacy complaint, including whether we will conduct an investigation;
- ask the complainant to clarify the outcome they expect (if it is not clear); and
- state that we will endeavour to respond to the privacy complaint substantively within 30 days.
If the privacy complaint was not made in writing, the acknowledgment should also request the complainant set out the privacy complaint in writing and submit that to the Privacy Officer.
5. Do we have authority to talk to the complainant about the complaint?
Dealing with a privacy complaint will generally require us to talk to the complainant about the specific personal information that is the subject of their complaint. We must ensure that we do not disclose a person's personal information to anyone other than that person (or someone otherwise authorised to receive it).
As such, the Privacy Officer must satisfy themselves that the complainant is complaining about their own personal information (or that the person whose personal information is the subject of the complaint has consented to us discussing it with the complainant).
The Privacy Officer must verify the complainant’s identity using the minimum amount of information to establish their identity. The personal information used to verify their identity should be sighted or checked rather than copied or collected for inclusion in a record.
If the Privacy Officer determines the complainant is complaining about another person’s personal information, they should request the complainant provide evidence of their authority to complain on behalf of the person whose personal information is the subject of the complaint.
The Privacy Officer must not proceed to the next step until the complainant verifies their identity and, where necessary, provides authority to complain.
6. Characterise the privacy complaint
The Privacy Officer should examine the complaint and consider which of the following issues the complaint concerns:
- collection of personal or sensitive information;
- use or disclosure of personal information;
- accuracy of personal information;
- security of personal information (including any data breaches);
- refusal to give access to personal information;
- refusal to correct personal information;
- refusal to give an option of anonymity or pseudonymity;
- direct marketing; or
- other matters addressed by Privacy Obligations.
If the privacy complaint does not address any of the above matters, the Privacy Officer should write to the complainant asking them to clarify their complaint.
7. Investigate the privacy complaint
The Privacy Officer should gather information from all relevant sources.
Relevant sources of information may include our IT, marketing, sales, finance and human resources teams. In addition to our internal business teams, the Privacy Officer may gather information from our service providers and agents.
The Privacy Officer should focus their investigation on the issues identified in the previous step. The Privacy Officer must also remain alert to any other breaches of Privacy Obligations which they may come across. However, the Privacy Officer should be vigilant against collecting and collating information about the complainant (or other persons) that is irrelevant to the complaint, as the complainant may have a right to access personal information about them that we hold.
The Privacy Officer may need to ask the complainant for more information if required to investigate the privacy complaint. However, where the Privacy Officer requests more personal information, they may only request the minimum personal information necessary to properly investigate the complaint.
8. Analyse the privacy complaint
The Privacy Officer must determine:
- whether the alleged conduct has occurred;
- which (if any) Privacy Obligations have been breached;
- how (if at all) Privacy Obligations have been breached;
- whether there are any applicable exceptions to the Privacy Obligations;
- whether there has been a data breach; and
- if there is a breach of a Privacy Obligation, whether that breach is due to a one-off mistake or intentional act, or a systematic issue with our policies or procedures.
At this stage, the Privacy Officer should consider whether to obtain external legal advice about the complaint.
If the Privacy Officer determines that there has been a data breach, they must follow the Data Breach Response Plan. A data breach involves one of the following events:
- misuse, interference or loss of personal information; or
- unauthorised access, modification or disclosure of personal information.
Unauthorised access, unauthorised disclosure or loss of personal information may constitute a notifiable data breach in certain circumstances. We may have obligations to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if such a breach occurs.
9. Respond to the privacy complaint
After determining what has occurred (based on available information) and analysing whether there has been a breach of Privacy Obligations, the Privacy Officer will prepare a response to the complainant.
The Privacy Officer should use their best efforts to respond within 30 days of the complaint. If the Privacy Officer is unable to respond to the complaint within 30 days, they should provide an update to the complainant after 30 days notifying them of the timeframe in which they can expect a response and the reason for the additional time.
To respond to the complainant, the Privacy Officer should first call the complainant (if possible), and follow up that call in writing.
Regardless of whether we have breached a Privacy Obligation, the response must provide:
- details about the information the Privacy Officer has relied upon in determining the response;
- an invitation for the complainant to reply to the response (if appropriate);
- the offer of a meeting or discussion (if appropriate); and
- information about how the complainant can make a further complaint to the OAIC (specified below).
In responding to the complaint, the Privacy Officer must not include any personal information of people other than the complainant (unless the complainant is complaining with authority about another person’s personal information, in which case the Privacy Officer may refer to that person’s personal information).
Details of the complainant’s right to complain to the OAIC should be provided as follows:
You have a right to make a complaint to the Office of the Australian Information Commissioner if you are unsatisfied with our response. To do so, you must complain in writing. For more information on how to make a complaint, see https://www.oaic.gov.au/privacy/privacy-complaints/lodge-a-privacy-complaint-with-us/.
9.2 Response for a Breach of a Privacy Obligation
If the Privacy Officer determines that we have breached a Privacy Obligation, they will determine what measures we will put in place to contain the breach, minimise any damage caused, and to make sure it does not happen again. For example, we may:
- review how our policies and procedures failed to prevent the breach and ensure that they are amended to prevent any future breaches; and
- provide additional training to our staff on specific Privacy Obligations.
In addition to the matters set out in section 9.1, the response to the complainant should include:
- an apology;
- an explanation of which relevant Privacy Obligations we have breached and how we have breached those obligations;
- any offer of compensation or other redress (if appropriate, see further below); and
- the steps we are taking to avoid another breach (as determined above).
In determining the appropriate response, the Privacy Officer must consider:
- our commitment to respecting the privacy of customers’ personal information;
- the remedies to which the complainant may be entitled under the Privacy Act 1988 (Cth) if they complain to the OAIC and the OAIC makes a determination in their favour;
- the ability of the OAIC to seek other remedies (including orders requiring us to take specific actions) if we have breached Privacy Obligations; and
- the impact which regulatory and court proceedings have on our reputation.
If we do conclude that there has been a breach of someone’s privacy, we should be mindful of the possible legal orders that can be made if their complaint is escalated. In particular, this guidance will be useful when determining what remediation and compensation is appropriate to offer (if any).
The potential consequences include:
9.3 Response if there has been no breach of Privacy Obligations
If the Privacy Officer determines we have complied with all Privacy Obligations, they should respond respectfully in a manner which best addresses the complaint and minimises the possibility of further complaints.
In addition to the matters set out in section 9.1, the response must provide an explanation of why we believe we have not breached any Privacy Obligations.
10. Close the complaint
Austin maintains an electronic Privacy Complaints Register. Documentation and other data relating to privacy complaints are retained as records of that register.
11. About this document
This procedure was approved by the Board on 28/10/2021 and shall be reviewed by the Board annually.