Procedure - Information Privacy Complaint Handling

---

Purpose
1.	Process
1.1	Definitions
1.2	General
1.3	Complaint processing requirements
2.	Complaint handling
2.1	Formal complaints
2.2	Informal (generally verbal) complaints
2.3	Internal review
3.	Registering information
4.	Conflict of interest

Purpose

To provide a complaint process relating to privacy issues in accordance with Information Standard 42 - Information Privacy (IS42) and to ensure consistent complaint handling across Queensland Corrective Services (QCS).

1. Process

1.1 Definitions

Personal information for IPPs 1-5 and 8-9 means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Personal information for IPPs 6-7 is limited to information concerning an individual's “personal affairs” as the phrase “personal affairs” has been interpreted in the Freedom of Information Act 1992.

Privacy Contact Officer (PCO) means the authorised privacy contact officer located within the Legal Services Unit (LSU). There are two authorised privacy contact officers, the Manager, Freedom of Information (FOI) and Privacy and the Senior FOI and Privacy Officer.

Formal complaints mean those received in writing. They must include contact details and the signature of the complainant.

Informal complaints generally mean those made in person, by telephone or where an informal response is requested by the complainant/enquirer. For the purposes of this procedure informal complaints and enquiries will both be referred to as informal complaints received from complainants. Informal complaints may be made anonymously.

Internal review provides for a review of an initial response to a complaint and is only available for formal complaints. Internal reviews will be dealt with by a Privacy Contact Officer other than the Privacy Contact Officer who investigated the original complaint or the Director/Manager of the relevant directorate/unit/facility/office. An internal review may affirm or remake an original complaint response either in whole or in part.

1.2 General

All officers are responsible for complying with the Queensland Government's information privacy principles (IPPs) contained within IS42. A QCS complaint process is a mandatory requirement of IS42.

A complaint handling process provides assurance to offenders, families, victims, staff and members of the public that sensitive personal information held by QCS is appropriately managed and protected.

Privacy complaints concerning the services performed under contract by the QCS engaged service providers must also be dealt with in accordance with this procedure.

This procedure does not override any existing complaint or investigation processes such as those conducted by the Ethical Standards Unit or the staff grievance process that is established under the Public Service Directives. Refer procedure - Grievance Resolution (in-confidence). Only complaints dealing with issues that involve personal information should be dealt with under this procedure.

Privacy complaints will be investigated by a PCO with the assistance of the Director/Manager of the area in which the complaint arose. This will ensure that any underlying issues are also dealt with and the same situation does not recur. It will also provide a wider understanding and appreciation of QCS and individual officer's responsibilities for handling and managing personal information.

All QCS officers are required to assist complainants and on request, should provide the complainant with administrative form - Privacy Complaint and appendix - Privacy Complaints Guide to facilitate the correct lodgment of complaints.

1.3 Complaint processing requirements

If an individual believes that QCS has not dealt with their personal information in accordance with an IPP, they may make a complaint. A complaint must be made within six months from the date the breach of the IPP allegedly occurred, or came to the attention of the complainant.

All privacy complaints must be forwarded to a PCO in the Legal Services Unit. Refer appendix - Privacy Complaints Guide

If a privacy complaint is received involving access to or amendment of personal information, then this must be dealt with through existing Freedom of Information (FOI) processes and should be forwarded to the FOI and Privacy Unit.

Complaints must be dealt with in a thorough and professional manner with responses clearly setting out-

1. the facts of the matter;
2. evidence to support the facts;
3. conclusions based on the facts and evidence;
4. wherever possible a resolution to the issue from which the complaint arose; and
5. rights of review for formal complaints.

Any personal information concerning third parties must not be included in the response to the complainant without the consent of the third party. Responses to complaints must not be made in a way that would constitute a breach of Corrective Services Act 2006 s 341 or the QCS Code of Conduct. A PCO should be prepared to justify their investigation and response.

All documentation concerning complaints should be placed on a dedicated privacy complaints file and marked as “Strictly Confidential”. Responsibility for security, storage and access to the files is controlled by the PCO.

2. Complaint handling

2.1 Formal complaints

Formal complaints must be in writing, signed by the complainant and contain contact details including an address and telephone number. Complaints may be lodged using administrative form Privacy Complaint, although no specific complaint or application form is necessary.

The following should be provided to all prospective complainants-

1. contact details of the PCO;
2. appendix - Privacy Complaints Guide; and
3. administrative form - Privacy Complaint.

All QCS officers should provide assistance with composing and lodging complaints where this is needed or requested and/or redirect complaint enquiries to a PCO.

When a formal complaint is made the following will occur-

1. written complaint received, dated and stamped;
2. complaint immediately forwarded to a PCO if received elsewhere;
3. PCO to check complaint-
   
   
   1. is relevant to QCS;
   2. concerns the personal information of the complainant (not a third party);
   3. includes sufficient information in order to respond; and
   4. has been lodged within six months of the alleged incident occurring or coming to the attention of the complainant;
   
   
4. a letter acknowledging complaint or letter refusing to accept complaint is sent to the complainant by the PCO within 10 working days. Appendix - Privacy Complaints Guide should be included with the acknowledgment if not previously provided (refer to the Privacy Complaints Kit for draft acknowledgement);
5. the Director/Manager of the relevant area is notified about the complaint in their area. If needed, the Director/Manager will appoint a staff member in the relevant area to assist PCO with the investigation;
6. the complaint is investigated. Refer to the Privacy Complaints Kit and the Ethical Standards Unit investigations manual;
7. appropriate research and consultation with parties involved is undertaken;
8. the response is drafted (refer to the Privacy Complaints Kit);
9. the response is cleared with the appropriate Director/Manager if necessary. The response is sent to the complainant within 30 working days (the complainant must be advised if a response is not possible within this timeframe and a new timeline should be negotiated and recorded);
10. the complaint's details are recorded by the PCO on the Privacy Register;
11. all documentation concerning the complaint must be filed on a dedicated file entitled Privacy Complaints - Strictly Confidential with the QCS directorate/unit/facility/office included in the file title. Complaint letters should be registered on a document tracking system for ease of reference and must be classified as restricted access;
12. dissemination of privacy issue in de-identified form to executive management if wider implications for QCS is apparent; and
13. immediate referral of any request for internal review to the appropriate PCO along with all original decision-making material.

2.2 Informal (generally verbal) complaints

On receipt of a verbal complaint the complainant must be asked whether they would like the matter to be formally investigated and responded to in writing. If the complainant is satisfied to receive a verbal, or otherwise informal response, then the complaint will be treated as informal.

Anonymous complaints are acceptable but because the identity of the complainant cannot be checked, responses can be of a general nature only. Sufficient detail must be obtained from the complainant to satisfy the reporting requirements identified on administrative form - Notification of Informal Privacy Complaint.

The following should be provided to all prospective complainants-

1. contact details of the PCO;
2. appendix - Privacy Complaints Guide; and
3. administrative form - Privacy Complaint.

All QCS officers should provide assistance with composing and lodging complaints where this is needed or requested and/or redirect complaint enquiries to the PCO.

When an informal complaint is made the following will occur-

1. complaint received and date recorded;
2. complaint immediately referred to PCO if received elsewhere, and Administrative Form - Notification of Informal Privacy Complaint forwarded via email to the PCO at privacy@correctiveservices.qld.gov.au;
3. PCO to check complaint -
   
   
   1. is relevant to QCS;
   2. concerns the personal information of the complainant (unless lodged anonymously), not a third party;
   3. includes sufficient information in order to respond; and
   4. has been lodged within six months of the alleged incident occurring or coming to the attention of the complainant;
   
   
4. complaint investigated as appropriate;
5. complainant advised verbally or in writing of outcome of investigation and/or provided with requested information (should be within 30 working days, unless otherwise negotiated);
6. PCO to record complaint on Privacy Register;
7. The file note and any other documentation concerning complaint must be filed on a file entitled Informal Privacy Complaints - Strictly Confidential within the Legal Services Unit;
8. If not satisfied with the outcome, complainant should be advised to lodge a formal written complaint after which the internal review process will become available (refer appendix - Privacy Complaints Guide); and
9. dissemination of privacy issue in de-identified format to executive management if wider implications for QCS is apparent.

2.3 Internal review

If a complainant has lodged a formal complaint and is not satisfied with the response, they may request an internal review. Internal reviews must be lodged within 30 working days of receiving a response to the original complaint. All internal review requests must be forwarded immediately to the PCO for action and/or referral to the appropriate internal review officer. The appropriate internal review officer will seek copies of all prior documentation and must ensure the review request is-

1. acknowledged within 10 working days;
2. investigated appropriately;
3. responded to within 30 working days, unless otherwise negotiated; and
4. recorded on the appropriate file and database of complaints.

3. Registering information

The PCO must ensure that all complaints are registered on a database to enable analysis, review and management of the complaints process.

Details of complaints (eg. type and location) must be recorded for statistical purposes in order to ascertain the predominance of complaints. This enables the identification of practices causing privacy complaints and the development of best practice processes to prevent subsequent complaints. The statistics gathered will also be used for audit purposes, for reporting to the Board of Management and the Department of Justice and Attorney General. All reporting will use de-identified information only.

4. Conflict of interest

Any complaint that would constitute a conflict of interest, or perceived conflict of interest, should be dealt with by a PCO who has not been party to the originating issue. Any concerns or difficulties encountered in dealing with a complaint should be discussed with the Director, Legal Services.

F P Rockett
Director-General

---