As the Code Administrator, ADIA (formerly AMSRO) is required to monitor compliance by member organisations and investigate serious and repeated breaches and systemic issues about Code compliance. This requirement supports ADIA’s reporting responsibility to the Office of the Australian Information Commissioner (OAIC) and ensures that due process is followed. This requirement is outlined in Part H of the Privacy Code.
Member organisations must maintain a culture of privacy protection and review all privacy breaches with ADIA to ensure that they implement appropriate improvements in privacy protection. Organisations, therefore, need to ensure they implement practices, procedures and systems for handling enquiries and complaints with respect to compliance with the Industry Privacy Code and the Australian Privacy Principles (APPs). To ensure the process is fair and consistent, complaints and enquiries should be referred to a single point of contact, the Privacy Officer. Details of complaints must also be logged to make sure that any serious or systemic issues are identified and acted upon.
(Consider any mandatory notification requirements under US or EU law, if applicable, and under Australian law, if and when it is passed.)
|A complaint is received about an alleged breach of the Privacy Code/APPs|
|Complaint must be forwarded to the Privacy Officer||7 days|
|The Privacy Officer must make a determination on the complaint and advise the complainant in writing.||30 days from date of receipt|
|Privacy Officer will keep a record of all complaints and determinations. This will comprise a register and file records that will be securely stored in accordance with the Code /APP 11.||On-going|
|If the Privacy Officer determines there has been a breach of the Code/APPs he/she will, upon notification to the complainant, advise the relevant personnel in writing of any action required to remedy the breach.||Upon determination|
|If the breach is incapable of being rectified and is not rectified within 30 days, the Privacy Officer must inform the Managing Director and ADIA about the failure to rectify the breach.||30 days from the determination|
Should the Privacy Officer be aware that the complainant remains unsatisfied following the completion of the above process, they must inform ADIA using the online reporting form (following).