Insights / March 18th, 2021

Someone has sent me a privacy complaint! What next?

The Privacy Act 1988 (Cth) and the Australian Privacy Principles (‘APPs’) regulate the types of complaints you receive as well as how you should respond to individuals with privacy concerns.

In the course of business, you can receive complaints regarding a wide range of matters including how you collect, use, store and handle personal information. Individuals can also request access to the information businesses store about them as well as ask that information be updated.


In nearly all instances, the first port of call for an individual concerned about the handling of their personal information is the business which holds it. The APPs require that all businesses subject to the Privacy Act have a complaints procedure set out in their Privacy Policy (which should be freely and publicly available on websites or upon request).

Where a complaint relates to the accuracy of or access to personal information, entities must respond to those complaints within a ‘reasonable period’. This is generally considered to be 30 calendar days. When a complaint relates to another matter (e.g. alleged mishandling or unauthorised use), there are no fixed timelines set out in the Privacy Act, but the privacy regulator – the Office of the Australian Information Commissioner (‘OAIC’) – has previously indicated that a similar timeframe should be used.


An individual can lodge complaints with the OAIC. While the structure of the Privacy Act requires individuals to have made a complaint to the relevant entity before the OAIC will investigate, the OAIC has a broad discretion to investigate complaints and can conduct investigations outside of the normal procedures.

The OAIC has a broad dispute resolution process that varies with the circumstances. The process can involve consideration of preliminary written submissions, mediations and formal hearings, depending on the nature and seriousness of the complaint.

To avoid expensive and drawn-out complaint resolution processes, all Australian businesses subject to the Privacy Act should ensure that they have policies and procedures in place to manage complaints at the time they are received. Productive handling of complaints from the outset can assist in quickly resolving privacy complaints and prevent them from being unnecessarily escalated.

If complaints are escalated, it is important to utilise the policies and procedures you have in place to ensure efficient dealings with the OAIC.

Avoiding Complaints

Clear policies and procedures for the collection, use, disclosure and storage of personal information are essential to mitigating the risk of complaint escalation. This includes:

  • setting out procedures for staff to follow when complaints are received;

  • having designated persons to respond to and manage any complaints; and

  • maintaining records of any conversations and other relevant information connected with the complaint.

If you have any queries regarding your privacy obligations or wish to discuss privacy law, data protection and your business, contact us and our consumer protection and privacy law experts can assist you.

This publication has been prepared for general guidance on matters of interest only and does not constitute professional legal advice. You should not act upon the information contained in this publication without obtaining specific professional legal advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication and, to the extent permitted by law, Cowell Clarke does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining from acting, in reliance on the information contained in this publication or for any decision based on it.
