How to lodge a Privacy Complaint
If an individual believes that the Hospital and Health Service has not dealt with their personal information in accordance with the National Privacy Principles (NPPs) in the Information Privacy Act 2009 (Qld) (IP Act) (PDF, 858KB) (IP Act), they may lodge an information privacy complaint.
An information privacy complaint can be regarded as either a perceived breach or actual breach of the National Privacy Principles (NPPs) contained in the Information Privacy Act 2009 Queensland (the IP Act).
Privacy complaints made to the Hospital and Health Service must:
- be in writing;
- be lodged with the correct agency (where the breach was suspected to have occurred)*;
- state an address of the complainant to which notices may be forwarded under the IP Act;
- anonymous complaints will be accepted and processed in accordance with the complaints management policy, however, an anonymous complaint may be difficult to thoroughly investigate and a response may be unable to be provided;
- provide certified evidence of identification (refer to information sheet);
- concern the personal information of the complainant (not a third party); and
- give particulars of the act or practice which is the subject of the complaint.
*Privacy complaints need to be marked Private and Confidential and forwarded to the relevant Privacy and Confidentiality Contact Officer within the Hospital and Health Service where the breach was suspected to have occurred:
Privacy complaints should be made as soon as possible after you become aware that your privacy may have been breached. While it is recognised that individual circumstances may vary, it is strongly suggested that you make your complaint no later than six (6) months from the time you become aware of the alleged breach. A failure to do so may impact on the agency's ability to retrieve records relevant to the complaint and may affect your ability to escalate the matter to the Office of the Information Commissioner (s168 Chapter 5, IPA).
Complaints will be acknowledged in writing within 5 business days from the date on which the complaint is received and as response to the complainant provided within 45 business days.
Should the complaint involve complex matters or require extensive investigation and consultation it may not be possible to respond within this timeframe. In these circumstances, to ensure the agency has the opportunity to properly and effectively address complaints, we may need to notify the complainant in writing if the timeframe cannot be met with a view to negotiating an extension of time.
On completion, the complainant will be advised in writing of the outcome, including any remedies that are considered appropriate to resolve the complaint.
How do we ensure we are dealing with the correct person?
To ensure the appropriate protection of personal information held by government, specific precautions such as verifying the identity of complainants are taken before processing privacy complaints.
For more information download the Privacy Rights: A quick guide to rights and responsibilities under the Information Privacy Act 2009 (Qld) brochure (PDF, 280KB)
Other avenues of complaint
If the complainant is not satisfied with the response provided by the agency, the IP Act provides that they may refer the privacy complaint to the Office of the Information Commissioner (OIC).
A privacy complaint lodged with the OIC must be:
- in writing;
- state an address to which notices under the IP Act can be sent; and
- give particulars of the act or practice which is the subject of your privacy complaint.
Privacy complaints may be lodged with the OIC in any of the following ways:
Further information regarding privacy complaints is available on the website of the OIC at:
http://www.oic.qld.gov.au/about/privacy or you can contact the OIC by telephone on (07) 3234 7373.