When your organisation receives a privacy complaint from someone, you need to act quickly and decisively. Individuals need to try to work with organisations first to resolve their complaint before they can complain to the Privacy Commissioner, so it’s important that you have a process to deal with complaints.

Read more detailed guidance on handling privacy complaints in our Poupou Matatapu guidance.

Step one: acknowledge the complaint

  • Your organisation should do this as quickly as possible. Outline your understanding of the issue and say who at your organisation will be looking into the complaint (who is your privacy officer).
  • Provide clear, reasonable timeframes and provide regular updates on progress if you can’t meet the timeframes. It’s always better to under-promise and over-deliver.

Step two: listen to the complainant

  • Understand the complainant’s main concerns so that you can address the right issue. The main concern may lie beneath the initial complaint, so ask appropriate questions.
  • What is the harm they have suffered? Some types of harm can be specific damage, loss of benefit, and/or emotional harm.

Step three: investigate the issues the complainant raised

  • Identify the issue – is it privacy related?
  • What systems do you have in place to help you investigate complaints? How can you find the facts to determine whether the claim is correct? Investigative tools could include audit logs (for understanding who has looked at information), policies and procedures in place for staff, training, or breach reporting obligations.
  • Is it a one-off issue or a systemic issue?

Step four: try to resolve the issue

  • Proactively work with the complainant to try to resolve their concerns.
  • Understand what they want. Common desired resolution outcomes include an apology, process or system changes, and/or financial compensation.
  • Think laterally – not all complaints require money to resolve them. Fruit baskets, gift cards, and cleared bills/a comped service are all offers we’ve seen accepted as settlement.

Step five: rebuild the relationship

  • You are likely to have an ongoing relationship with the complainant, so it’s important to consider how to rebuild the relationship following a complaint process. What steps can you put in place to provide reassurance to the complainant that this won’t happen again?

Top tips for handling privacy complaints:

Keep the complainant in the loop

  • The biggest barrier to resolving a complaint is leaving the complainant in the dark while you’re working on things in the back end. Providing regular updates, even if it’s only that you’re still working on it, goes a long way to reassure them that they haven’t been forgotten.

Keep good records

  • While the complaint is ongoing, don’t get rid of any information relating to it. Once you’ve resolved the complaint, assess whether you should continue to hold the information or delete it.
  • Take clear, detailed notes of what happened, considering the who, what, when, where, why, and how – write as if OPC will be reading your report.

Don’t panic

  • If the complainant asks for financial compensation or something your organisation can’t do, don’t stop engaging in the process at that point. Work with them to reach a resolution that works for everyone.

A chart describing 5 steps to handling a privacy complaint.