Privacy Awareness Week
Privacy regulators from across Australia have issued a joint statement to mark the start of Privacy Awareness Week 2023 (PDF, 90.2 KB) (1 to 7 May).
Personal Information Protection
The Personal Information Protection Act 2004 (the Act) gives you the right to complain to the Ombudsman about an alleged breach of principles designed to protect your personal information. You can complain to the Ombudsman after you have raised the matter with the relevant personal information custodian and you are not satisfied with its response.
Personal information custodians include Tasmanian public authorities like state government departments, local councils, statutory bodies, the University of Tasmania, Tasmania Police, state owned companies and, in some circumstances, organisations providing services for the State.
What is personal information?
Personal information means any information or opinion in any recorded format about an individual whose identity is apparent or is reasonably ascertainable from the information or opinion and who is alive or has not been dead for more than 25 years.
Examples of personal information include your name, gender, date of birth, address, financial details, marital status, education and employment history.
Some personal information is classified as ‘sensitive information’. This is information about your racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual preferences or practices, criminal record, and health information.
Generally, an agency needs to obtain consent from an individual to collect sensitive information.
Personal Information Protection Principles
The Act gives you the right to complain to the Ombudsman about an alleged breach of one or more of the 10 Personal Information Protection Principles (PIPP).
You can find the PIPP in Schedule 1 of the Act (external link). A summary of the PIPP is available on this website to download and print.
You can only complain to the Ombudsman after you have raised the matter with the relevant personal information custodian and you are not satisfied with its response.
Making a complaint about a breach of PIPP
Who can I complain about?
Complaints can only be made against ‘personal information custodians’. This includes Tasmanian public authorities like state government departments, local councils, statutory bodies, the University of Tasmania, Tasmania Police, state owned companies and, in some circumstances, organisations providing services for the State. Private organisations are not covered by the Act unless they have entered into a contract with a personal information custodian relating to the collection, use or storage of personal information.
Who can complain?
The general rule is that you can only complain about an act that amounts to breach of a PIPP involving your own personal information. However, you may be able to complain on behalf of someone else in some circumstances.
What can I complain about?
Complaints can only be made about an alleged breach of one or more of the ten Personal Information Protection Principles in the Act.
When can I make a complaint?
A complaint, other than a complaint about a decision to refuse a request to amend personal information, must be made within 6 months of an alleged breach (or any further period the Ombudsman may allow).
A complaint about a decision to refuse a request to amend personal information must be made within 20 working days of the date on which the notice of decision is given. Complaints can only be about personal information that is recorded in some form.
PIPP complaint process
What happens when the Ombudsman receives your complaint?
The Ombudsman will conduct a preliminary assessment of the complaint to decide whether he will deal with it. This generally involves more information being sought about your complaint from you or from the personal information custodian.
The Ombudsman may decide not to deal with a complaint if it is frivolous, vexatious, lacking in substance, trivial or if the alleged breach is permitted under law. If so, you will be notified and given reasons why.
What happens when the Ombudsman decides to investigate your complaint?
An Ombudsman Tasmania investigation officer will be assigned to handle your complaint. They will seek to resolve your complaint, but are not your advocate.
They will write to the personal information custodian outlining your complaint and request a response. Depending on the response, you and/or the agency may be asked to provide more information.
What can be done to resolve your complaint?
If the Ombudsman is of the opinion that a personal information custodian has contravened a PIPP, the Ombudsman is to advise the complainant and the agency involved and may make any recommendations he considers appropriate. The Ombudsman is to provide a copy of the advice and any recommendation to the relevant Minister for tabling in Parliament.
Resources
Ten Personal Information Protection Principles
Draft guidelines - Requirements to collect personal information for contact tracing purposes (DOCX, 198.2 KB) from Office of the Australian Information Commissioner
Requirements to collect personal information for contact tracing purposes (external link)
For further information please telephone 1800 001 170 to speak to an officer about your enquiry.
Where to next?
Managing other people's personal information - Personal Information Protection for public authorities