A complaint can be reported to the National Data Commissioner through Dataplace using the 'Contact us' tile. Alternatively, you may go to make a complaint on the ONDC website.
This guidance note provides information for Scheme entities and others about how the Commissioner will handle complaints. Under the Data Availability and Transparency Act 2022 (Cth) (the Act), one of the Commissioner’s regulatory functions is to handle complaints about the data sharing scheme (DATA Scheme) - see Part 5.3 of the Act.
Complaints will be handled in line with the Commissioner’s Regulatory Approach and the Commonwealth Ombudsman’s Better Practice Complaints Handling Guide. Handling complaints is one of the of the key priorities set out in the Commissioner’s Regulation and Compliance Priorities (Priority 3).
The complaints function provides a way to manage disputes between DATA Scheme entities (scheme complaint) and for any person to raise concerns with the operation and administration of the DATA Scheme (general complaint). The complaints function is a form of redress available under the DATA Scheme, and a means for the Commissioner to identify potential cases of non-compliance and areas to improve or support implementation of the DATA Scheme.
Types of complaints
There are two kinds of complaints the Commissioner is responsible for handling under the Act:
- Scheme Complaints (made under section 88 of the Act), which are complaints made by a DATA Scheme entity about another DATA Scheme entity’s breach, or potential breach, of the Act or a data sharing agreement they were both party to when the alleged breach occurred; and
- General Complaints (made under section 94 of the Act), which are complaints made by any person (including a DATA Scheme entity) about any matter relating to the administration or operation of the DATA Scheme.
Scheme complaints
DATA Scheme entities (or an entity that was a DATA Scheme entity within the previous 12 months) may complain to the Commissioner if the complainant reasonably suspects that another DATA Scheme entity has breached the Act or a data sharing agreement to which both entities were party to when the alleged breach occurred.
For Scheme complaints, DATA Scheme entities are data custodians, accredited users and accredited data service providers (see section 11(1)).
For example, an accredited user could make a scheme complaint to the Commissioner about a data custodian not providing reasons for refusing to share data.
What happens after a Scheme complaint is made
After receiving a scheme complaint, the ONDC will conduct an initial assessment and send an acknowledgement of the complaint. The ONDC aims to do this within 3 business days of receipt of the complaint.
If necessary, the Commissioner will make preliminary inquiries to determine whether (and how) to deal with the complaint (see section 91(1)(a)).
The Commissioner will provide the complainant with a written notice within 30 calendar days after receipt of the complaint (see section 90). The written notice may be:
- A request for further information (see section 90(2));
- Advice on how the Commissioner will deal with the complaint (see section 90(1)); or
- A decision to not deal with the complaint (see section 90(4)).
Requesting further information
The Commissioner may request in writing that the complainant must, within a period specified, provide further information relating to the complaint (see section 90(2)).
If the Commissioner makes this request, the Commissioner does not need to take any further action in relation to the complaint until the complainant provides the requested information (see section 90(3)).
Dealing with the complaint
The Commissioner will consider whether conciliation may be appropriate to seek to resolve the matter (see section 91(1)(b)).
Generally, if the complaint is dealt with by conciliation, evidence of anything said or done in the course of the conciliation is not admissible in any legal proceedings under the Act or any other law.
The Commissioner must investigate an entity’s conduct in respect to DATA Scheme complaints, unless the Commissioner is satisfied that a ground for not dealing with the matter exists under section 92.
Grounds for not dealing with Scheme complaints
The grounds for not dealing with a scheme complaint (see section 92) include, but are not limited to:
- The Commissioner is satisfied that the alleged breach did not occur, or it is not material.
- The complainant fails to satisfy the Commissioner that the complainant has complained about the alleged breach to the entity, or failed to prove it would not be appropriate for the complainant to do so.
- The complainant has complained about the alleged breach to the entity before complaining to the Commissioner, and the Commissioner is satisfied that the entity has dealt, or is dealing, adequately with the complaint, or has not had an adequate opportunity to deal with the complaint.
- The complaint was made more than 12 months after the complainant first reasonably suspected the breach of the Act or data sharing agreement.
- The complaint is frivolous, vexatious, misconceived, lacking in substance or not made in good faith.
- An investigation, or further investigation, of the alleged breach is impracticable or otherwise unwarranted.
- The complainant has not responded to a request for information within the period specified by the Commissioner.
- The Commissioner deems it appropriate to pursue conciliation or an external dispute resolution scheme to seek to resolve the matter.
- The complaint is being resolved by conciliation or an external dispute resolution scheme.
- The complaint would be more appropriately handled by another authority or agency, and the matter is transferred accordingly.
- The complainant has withdrawn the complaint.
The decision to not deal with a complaint is a reviewable decision under Part 6.2 of the Act and the Commissioner must notify the complainant of this decision. If the Commissioner notified the respondent of the complaint, the Commissioner must also give a copy of the notice to not deal with a complaint to the respondent.
General complaints
Any person may make a general complaint to the Commissioner about any matter relating to the administration or operation of the DATA Scheme. The complainant may, but does not have to be, a DATA Scheme entity.
For example, a person could make a general complaint expressing concerns about the details of a particular data sharing agreement, or the accreditation of a particular Scheme entity due to their conduct outside the DATA Scheme. A general complaint could also be made about ONDC staff handling of matters under the Act or a Data Custodian’s conduct in handling a request for data.
What happens after a general complaint is made
After receiving a general complaint, the ONDC will conduct an initial assessment and send an acknowledgement of the complaint. The ONDC aims to do this within 3 business days of receipt of the complaint.
If necessary, the Commissioner will make preliminary inquiries to determine whether (and how) to deal with the complaint (see section 95(a)).
Within 30 calendar days after receipt of the complaint, the Commissioner aims to advise the complainant how they will deal with the complaint (see section 95). This may include a request for further information (see section 95(b)) or a decision to take no action with the complaint (see section 95(e)).
Dealing with the complaint
The Commissioner may conduct an assessment or investigation into a DATA Scheme entity’s conduct (see section 95(c) and section 95(f)).
The Commissioner may consider whether conciliation, or an external dispute resolution scheme recognised under the Act (at this stage, there are not any schemes recognised under the Act), may be appropriate to seek to resolve the matter (see section 95(d)).
Generally, if the complaint is dealt with by conciliation, evidence of anything said or done in the course of the conciliation is not admissible in any legal proceedings under the Act or any other law.
The Commissioner may also transfer the matter to other agencies as appropriate (see section 95(f)).
Investigations
The Commissioner’s powers to investigate DATA Scheme entities are set out under section 101 of the Act.
With respect to Scheme complaints, an entity’s conduct must be investigated by the Commissioner unless the Commissioner is satisfied that there are grounds for not dealing with the matter (see section 101(1)).
If a general complaint involves a DATA Scheme entity, the Commissioner may also investigate the entity if the Commissioner reasonably suspects that the entity has breached, is breaching or is proposing to breach the Act or a data sharing agreement (see section 101(2)).
An investigation may be conducted while the entity is, or after it has ceased to be, a DATA Scheme entity.
Further, the Commissioner may discontinue an investigation relating to a Scheme complaint if the Commissioner is satisfied that grounds exist for not dealing with the matter. The Commissioner may cease an investigation if they no longer reasonably suspect the entity has breached the Act or a data sharing agreement, or otherwise considers it appropriate to cease the investigation.
The Commissioner may conduct an investigation in any matter they consider appropriate, and may obtain information from any person and make any inquiries that are considered appropriate for the purposes of the investigation.
Determinations and recommendations
Upon completion of an investigation, the Commissioner must provide a written determination to the investigated entity that outlines the Commissioner’s opinion regarding whether the entity has breached (or is breaching, or is proposing to breach) the Act or a data sharing agreement. This must include reasons why the Commissioner has formed this opinion.
If the Commissioner concludes that the entity has breached (or is breaching, or proposes to breach) the Act or a data sharing agreement, the determination must also advise of any action the Commissioner intends to take in relation to:
- the entity’s accreditation (such as varying conditions attached to the entity’s accreditation; or suspending or cancelling the accreditation under section 77A)
- enforcement activity (such as issuing a direction or an infringement notice to the entity).
The Commissioner may make the determination publicly available and vary or revoke a determination.
In addition, the Commissioner may give the respondent written recommendations about any action the Commissioner considers the entity should take following the Commissioner’s completion of an investigation.
Responsibility to report complaints to the Commissioner for the Annual Report
To assist the Commissioner with preparing annual reports, data custodians must notify the Commissioner as soon as practicable after the end of a financial year whether they have received any complaints that financial year related to the DATA Scheme or their conduct in relation to it.
If a data custodian did receive complaints, the data custodian must also notify the Commissioner of the number of complaints received and provide information about the subject matter of the complaints.
Seeking your own legal advice on matters covered by this guidance
This guidance note is not intended to be legal advice. You should seek your own legal advice if you would like further clarification on the matters raised in this guidance.
Guidance note 2023:10
Last updated: 30 August 2023