AIST Privacy Complaints Policy and Process
- the types of personal information we collect
- the reasons we collect the information
- how we collect the information
- how we use and disclose the information, including any overseas disclosure
- to whom we might disclose the information
- how we keep the information secure
- how the information can be accessed and amended
The Privacy Complaints Process aims to ensure procedural fairness in the handling of complaints, standardise complaints investigation practices and establish mechanisms to improve AIST privacy practices.
A privacy complaint is an expression of dissatisfaction or concern regarding the handling of a person's personal information or some other form of breach of privacy. Such a complaint can be raised verbally or in writing with an AIST representative or addressed specifically to the Privacy Officer.
This procedure does not apply to complaints regarding the handling of personal information or a breach of privacy relating to AIST's activities as a Registered Training Organisation. The complaints process for alleged RTO breaches can be found here.
Roles and responsibilities
Complainant: The person making the complaint. This can include anyone whose personal information AIST has collected, stored, used or disclosed.
Receiving Officer: The person who initially receives a complaint. Where possible, the Receiving Officer will attempt to resolve the complaint at first instance. If not, the Receiving Officer will request that the person document their complaint in writing for review by the Privacy Officer.
There are five phases to the privacy complaints process:
- Receipt of complaint
- Assessment of complaint
- Actions taken to resolve the complaint
- Recording of outcome and monitoring
- System improvements, where appropriate
Receiving a complaint
Complaints can be received by any AIST representative, whether received verbally (in person or by telephone) or in writing (letter, email or facsimile).
If the matter can be dealt with quickly by the Receiving Officer, the Receiving Officer will document:
- The name and contact details of the complainant
- Their own name
- The date of the complaint
- The nature of the complaint
- The agreed resolution
This will then be forwarded to the Privacy Officer to be properly recorded.
If the matter requires further investigation or action, the Receiving Officer will encourage the complainant to document their complaint for the Privacy Officer to investigate. If the complainant does not wish to make a written complaint, the Receiving Officer can take the information from the complainant and pass it on to the Privacy Officer to action.
The Privacy Officer documents all complaints in the Privacy Complaints Register.
Assessing a complaint
A Receiving Officer may be able to achieve a rapid resolution of a matter being complained of, if the complainant is seeking to bring the matter to AIST's decision and to ensure that the breach is not repeated (a Level 1 complaint). In such an event, the complaint will be recorded and provided to the Privacy Officer and the agreed resolution may take the form of a system improvement and an apology to the complainant.
If the complaint requires further investigation and action, the matter is to be assessed by the Privacy Officer (a Level 2 complaint). A Level 2 complaint will be acknowledged in writing by the Privacy Officer, or a delegate, within ten working days of the complaint being received. This acknowledgement will describe the process and timeframe for resolution of the complaint. The outcome of the investigation and resolution of the complaint will be advised to the complainant within 30 days of the complaint being received. If the complaint is unable to be finalised within that timeframe, the Privacy Officer must advise the complainant as soon as possible and inform them of the expected finalisation of the complaint.
Resolving a complaint
A complaint can be resolved with acknowledgement, recording, system improvements and an apology in the case of a Level 1 complaint.
For a Level 2 complaint the Privacy Officer may need to conduct an investigation. The Privacy Officer will make an assessment of the complaint following an investigation and make a decision, including any appropriate remedy. Remedies may include an explanation, an apology, a correction, system improvements, or a combination of these.
A complainant can appeal the outcome of their Level 2 complaint if they believe the outcome to be unsatisfactory. Such an appeal should be requested in writing and within a reasonable timeframe upon receiving the outcomes of any investigation and AIST's resolution of the complaint. This appeal will be undertaken at the discretion of the CEO.
In considering a review of the Privacy Officer's decision, the CEO, or their delegate (not someone who made the original decision), will consider the original decision and reasons for that decision, the original complaint and any other relevant material.
A complainant who wishes to appeal the CEO's review decision can apply for a review to the Office of the Australian Information Commissioner.
Recording and monitoring
All complaints are to be recorded in the Privacy Complaints Register. This includes all complaints received in writing, and those received verbally but documented by an AIST representative.
Any action taken pursuant to receipt of a complaint, and its resolution, are also to be recorded. The Privacy Officer will monitor privacy complaints and determine if system or process improvements are required.
A complaint may alert AIST to a system or process failure that requires correction to ensure that people's personal information and privacy are protected. When considering improvements, the Privacy Officer will act to prevent recurrence of any breaches and will promote continuous improvement of AIST's privacy practices.
Any improvement considerations will include policy and process reviews, practice reviews, and training.
Policy last updated on 12 May 2015.