Personal Information Protection

How to make a complaint about a breach of a Personal Information Protection Principle

The Personal Information Protection Act 2004 (the Act) gives you the right to complain to the Ombudsman about an alleged breach of principles designed to protect your personal information.

The Act contains ten Personal Information Protection Principles (PIPP). If one of them is breached, you may consider complaining to the Ombudsman.

You can only complain to the Ombudsman after you have raised the matter with the relevant personal information custodian and you are not satisfied with its response.

Who can I complain about?

Complaints can only be made against ‘personal information custodians’.  This includes Tasmanian public authorities like state government departments, local councils, statutory bodies, the University of Tasmania, Tasmania Police, state owned companies and, in some circumstances, organisations providing services for the State. Private organisations are not covered by the Act unless they have entered into a contract with a personal information custodian relating to the collection, use or storage of personal information.

What is personal information?

Personal information means any information or opinion in any recorded format about an individual whose identity is apparent or is reasonably ascertainable from the information or opinion and who is alive or has not been dead for more than 25 years.

Examples of personal information include your name, gender, date of birth, address, financial details, marital status, education and employment history.

Some personal information is classified as ‘sensitive information’.  This is information about your racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual preferences or practices, criminal record, and health information.

Generally, an agency needs to obtain consent from an individual to collect sensitive information.

Who can complain?

The general rule is that you can only complain about an act that amounts to a breach of a PIPP involving your own personal information. However, you may be able to complain on behalf of someone else in some circumstances.

What can I complain about?

Complaints can only be made about an alleged breach of one or more of the ten PIPP in the Act. The PIPP are as follows:

1. Collection

An organisation can only collect your personal information if it is necessary to fulfil one or more of its functions or activities. It must take reasonable steps to notify you of its contact details, your rights of access and the main consequences if you do not provide the information.

2. Use and Disclosure

Generally, your personal information can only be used and disclosed for the purpose for which it was collected, for a secondary purpose that you would reasonably expect, or if you have consented to the use or disclosure. The law allows some uses without consent, such as to protect public health or for law enforcement purposes.

3. Data Quality

Organisations must take reasonable steps to ensure your personal information is accurate, complete, up to date and relevant to its functions.

4. Data Security

Organisations must take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure.  An organisation must take reasonable steps to destroy or permanently de-identify your personal information when it is no longer needed.

5. Openness

Organisations must have clear policies on the way they manage personal information. You may ask a personal information custodian, in general terms, what information it holds, how it collects it and for what purpose the information is used.

6. Access and correction

You have a right to access your personal information and seek corrections if the information is incorrect, incomplete, out of date or misleading.

7. Unique identifiers

A personal information custodian must not assign a unique identifier to an individual unless it is necessary to carry out its functions efficiently.

8. Anonymity

Where it is lawful and practicable, you should have the option of not identifying yourself when transacting with a personal information custodian.

9. Disclosure of information outside Tasmania

A custodian may disclose personal information about an individual to a body outside of Tasmania if the disclosure is required by law or is necessary for the performance of a legal contract.

10. Sensitive information

This includes your racial or ethnic origin, political opinions and membership of political associations, religious or philosophical beliefs, membership of professional or trade associations or trade unions, sexual preferences, health information and criminal record. The Act puts special restrictions on the collection of sensitive information.

When can I make a complaint?

A complaint, other than a complaint about a decision to refuse a request to amend personal information, must be made within 6 months of an alleged breach (or any further period the Ombudsman may allow).

A complaint about a decision to refuse a request to amend personal information must be made within 20 working days of the date on which the notice of decision is given. Complaints can only be about personal information that is recorded in some form.

What happens when the Ombudsman receives your complaint?

The Ombudsman will conduct a preliminary assessment of the complaint to decide whether he will deal with it. This generally involves more information being sought about your complaint from you or from the personal information custodian.

The Ombudsman may decide not to deal with a complaint if it is frivolous, vexatious, lacking in substance, trivial or if the alleged breach is permitted under law.  If so, you will be notified and given reasons why.

What happens when the Ombudsman decides to investigate your complaint?

An Ombudsman Tasmania investigation officer will be assigned to handle your complaint. They will seek to resolve your complaint, but are not your advocate.

They will write to the personal information custodian outlining your complaint and request a response. Depending on the response, you and/or the agency may be asked to provide more information.

What can be done to resolve your complaint?

If the Ombudsman is of the opinion that a personal information custodian has contravened a PIPP, the Ombudsman is to advise the complainant and the agency involved and may make any recommendations he considers appropriate.  The Ombudsman is to provide a copy of the advice and any recommendation to the relevant Minister for tabling in Parliament.

For further information please call us on 1800 001 170.



For agencies: How to manage other people’s personal information

The Personal Information Protection Act 2004 (the Act) gives people the right to complain to the Ombudsman about an alleged breach of a Personal Information Protection Principle (PIPP) by a personal information custodian.

Personal information custodians include Tasmanian public authorities like state government departments, local councils, statutory bodies, the University of Tasmania, Tasmania Police, state owned companies and, in some circumstances, organisations providing services for the State.

What is personal information?

Personal information means any information or opinion in any recorded format about an individual whose identity is apparent or is reasonably ascertainable from the information or opinion and who is alive or has not been dead for more than 25 years.

Examples of personal information include a person’s name, gender, date of birth, address, financial details, marital status, education and employment history.

Some personal information is classified as ‘sensitive information’.  This is information about a person’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual preferences or practices, criminal record and health information.

Generally, an agency needs to obtain consent from a person to collect sensitive information.

Personal information custodians must comply with the PIPPs.

What are Personal Information Protection Principles?

Complaints can only be made about an alleged breach of one or more of the ten PIPPs in the Act.

Good practice principles for the management of personal information

Personal information custodians should:

  • Have a publicly available policy that tells people how it will handle personal information.
  • Take reasonable steps to notify people of the organisation’s contact details, their rights of access and the main consequences if the personal information is not provided.
  • Generally not use personal information for a secondary purpose unrelated to the main purpose for which it was collected.
  • Think before disclosing personal information and get consent from the individual if there is a reason for disclosing personal information that is different from the reason for which it was collected.
  • If people ask, give them access to the personal information held about them.
  • Keep personal information secure and safe from unauthorised access, misuse or disclosure.
  • Not keep information that is no longer needed or that is no longer required to be retained.
  • Take reasonable steps to keep personal information accurate and up to date.
  • Consider making someone in the organisation responsible for meeting its responsibilities under the Act and for promoting compliance.

What happens when the Ombudsman receives a complaint?

The Ombudsman will conduct a preliminary assessment of the complaint to decide whether to ‘deal with it’.  This generally involves considering if the Ombudsman has jurisdiction and seeking further information from the complainant or the custodian.

The Ombudsman may decide not to deal with a complaint if it is frivolous, vexatious, lacking in substance, trivial or if the alleged breach is permitted under law.

What happens when the Ombudsman decides to investigate a complaint?

An Ombudsman Tasmania investigation officer will be assigned to handle the complaint.

As the first step in the process, the complaint will be outlined to the custodian and a response will be sought.

If the matter proceeds to an investigation, it is conducted in accordance with Division 3 of the Ombudsman Act 1978.   The investigation will generally be ‘on the papers’ but interviews or inspection of premises may be required.

What can be done to resolve a complaint?

If the Ombudsman is of the opinion that a personal information custodian has contravened a PIPP, the Ombudsman is to advise the complainant and the agency involved and may make any recommendations considered appropriate.  The Ombudsman is to provide a copy of the advice and any recommendation to the relevant Minister for tabling in Parliament.

For further information please telephone 1800 001 170 to speak to an officer about your enquiry.
