
Making a Complaint

In a seashell:


You also have the right to complain to an organisation if you think the organisation has not used your personal information responsibly, ethically, fairly, lawfully, and in line with good practice.


If you have sent your request to an organisation and you still haven’t received a response, or if you remain unhappy with the organisation’s handling of your personal information and/or your PIPA rights request, you can make a written complaint to PrivCom.


People ask:


1. When can I make a complaint to an organisation?


You can complain to an organisation about how it is using your personal information, if the organisation:


•has not properly responded to your PIPA rights request (see the previous section, pp. 26-27);

•is not keeping information secure;

•holds inaccurate information about you;

•has shared information about you in a way that is not described in its privacy notice;

•is keeping information about you for longer than is necessary;

•has collected information for one purpose and is using it for something else; and/or

•has not upheld any of your privacy rights (i.e., right to access your personal information, right to access your medical records, right to have your information corrected, right to have your information blocked, right to have your information erased or destroyed).


2. How do I make a complaint to an organisation?


Step 1. Address your complaint directly to the organisation.


Before bringing your complaint to PrivCom, you should give the organisation an opportunity to address the issue at hand and sort it out. Many privacy complaints can be resolved quickly and easily with the organisation. Make sure to double-check that the organisation’s address and contact details are correct.


You can use the master template provided on pp. 18-19 to email or send a letter to the organisation.


Include full details of your concern at the beginning of your email/letter. Include all relevant details in your email/letter, such as an account/patient/customer reference number to help the organisation identify you. To evidence your complaint, enclose copies of all relevant documents that you have available. Do not send the originals: you might need them later. Don’t include unnecessary documentation.


If the organisation responds to your complaint but it looks like they have misunderstood you or not fully addressed the concern that you previously communicated to them, follow up with the organisation in writing and let them know that your concern remains unresolved.


Step 2. Give the organisation 45 days to respond to your complaint.


It may take the organisation time to consider your complaint. However, the organisation should acknowledge receipt of your complaint promptly and let you know the estimated date of their response.


If you have not heard back from the organisation within 45 days of submitting the complaint, or your complaint remains unresolved after 45 days following the organisation’s acknowledgement of your complaint, follow up with the organisation politely.


Step 3. If you don’t understand or you’re unhappy with the response you receive from the organisation, ask them for clarification.


Organisations are obliged to explain to you why they use your personal information in the manner they do and/or why they have refused your PIPA rights request.


If the organisation responds to the complaint in a way that you do not understand, follow up in writing and ask for clarification. You may want to use the master template on pp. 18-19.


Step 4. If you are unhappy with the organisation’s response to your complaint, report your complaint to PrivCom.


If the organisation does not respond to your written request within 45 days and/or you remain unsatisfied with the outcome of your PIPA rights request, you may submit a written complaint to PrivCom.


3. What do I need to do before I can complain to PrivCom?


You can complain to PrivCom about the way an organisation has handled personal information.
Before you complain to us, you need to have:


•complained directly to the organisation;

•followed up with the organisation if you have not received an acknowledgement of your complaint after 45 days;

•followed up with the organisation if you have received an acknowledgement of your complaint and it remains unresolved after 45 days;

and/or

•asked for clarification from the organisation if you have had a response you don’t understand.

If you have taken these steps and the organisation is still refusing to respond to you, you can submit a complaint to PrivCom.


Remember that PrivCom cannot:


•act as legal representation;

•award compensation for financial or emotional harm caused;

or

•determine whether an organisation has committed an offence.


However, if PrivCom is of the view that the organisation has not processed your request as it should have, PrivCom can:


•give the organisation advice on how to properly respond to a PIPA rights request;

•provide instructions on how the organisation may address the problem;

•issue public admonishments and formal warnings;

•issue directive orders requiring the organisation to act;

and

•refer the matter to the Department of Public Prosecutions (the “DPP”) where the organisation may be subject to criminal penalties following litigation in court.


When submitting a written complaint to PrivCom, send copies of all the documents you have in order to support your complaint.


If you suffer financial loss or emotional distress as a result of an organisation’s failure to comply with PIPA, a court may grant you compensation from the organisation.