Preparing for Complaints After a Privacy Breach in Australia: Legal and Business Tips
Preparing for managing customer complaints after a privacy breach is a critical step in your data breach response planning. In this post, we delve into the steps organisations can take to ensure that it’s not the breach itself that’s memorable, but your well-executed response to it.
Managing Your Legal Obligations to Your Customers in Australia After a Privacy Breach
Your customers may make a complaint to the Office of the Australian Information Commissioner (OAIC) if they believe their personal information has been mishandled in a manner that breaches the Australian Privacy Principles (APPs). However, they must follow a specific process – and your organisation has an opportunity to resolve the complaint and improve customer sentiment at the first stage.
Stage 1 – The Customer Complains to Your Organisation
Individuals must first bring their complaint to your organisation if they think you have mishandled their data before they can go to the OAIC.
This is where you have an opportunity to improve customer relations. Try to make it as easy as possible for customers to contact you. It will only make things worse if you make an already unhappy customer jump through more hoops. Tell your customers clearly:
- Where your customers should direct their complaints (and this should be easy … do not require them to send a stamped, self-addressed letter to a PO Box in the Cook Islands).
- What information they should include.
- What they should expect after they make a complaint (e.g. a response within 30 days).
The OAIC provides a template letter for privacy complaints. And we think sharing a template can be helpful too. It helps your customers understand the information you’re after and helps your organisation better manage the complaints, since the information is more likely to be shared logically and clearly. You can even provide the customer with an opportunity to tell you what they want out of it, which can make resolving the complaint easier.
[The OAIC’s template letter for privacy complaints was embedded here in the original post.]
Your Response to The Customer’s Privacy Complaint
Legally, you are not required to respond to the complaint. However, again, it does offer an opportunity for you to improve customer relations.
As we outlined above, offering a template can prove helpful when you give your customers the opportunity to let you know what a successful resolution looks like.
You could also review the resolutions the OAIC is likely to seek and use them as inspiration for your response.
The OAIC, if asked to investigate, may seek the following resolutions:
- Giving the customer access to personal information or having a record corrected.
- An apology.
- Changes to practices or procedures at your organisation.
- Mandating training for your team.
- Compensation for financial or non-financial losses.
- Other non-financial options, like providing a subscription to an identity protection service.
You might choose to use this list as a guide when offering solutions to your customer complaints following a privacy breach. However, often people are most interested in a genuine apology and an undertaking to ensure that the same issue doesn’t recur.
Remember, if you can resolve the complaint at this stage, then it won’t proceed to the OAIC.
Stage 2 – The Customer May Make a Formal Complaint to the OAIC (If Their Complaint is Not Resolved at the First Stage)
Once the customer complains to the OAIC, the process is largely out of your hands.
From there, this is what will happen:
- The OAIC will determine whether it can consider the complaint. It will consider (amongst other things) whether your organisation is a covered entity under the APPs, whether the complaint relates to the customer’s personal information, and whether the complaint is about something the customer found out about more than 12 months ago.
- If the OAIC decides to proceed with the customer’s complaint, it will likely write to your organisation and ask for your response. It will provide a copy of the customer’s privacy complaint at this stage.
- Then, the OAIC will attempt to mediate a solution. It prefers to have the organisation and the customer agree on a solution instead of telling either party what will happen. It will close the case if your organisation proposes a reasonable solution that the customer does not accept.
Managing Concerned (And Likely Upset) Customer Complaints After a Privacy Breach
Your legal obligations following a breach are one thing, but you will also need to consider your reputation and how to best manage it with your customers in the aftermath.
Here are some quick tips for managing complaints and queries from concerned (and upset) customers following a privacy breach:
- Be prepared to offer solutions. It’s best to stay away from vague statements about how you care and, instead, offer concrete steps your customers can take to protect themselves.
- Ensure your team are prepared to answer their questions. You don’t need to have all the answers immediately, but you do need to prepare your team to answer common questions and manage likely concerns.
- Have a plan to scale up your resources to handle the volume of complaints. You’re likely to receive an influx of communications from concerned customers after a breach. It’s best to plan ahead for whether and how you’ll scale your operations to deal with the influx of complaints and queries.
If you need assistance developing your processes for handling customer privacy complaints or your data breach response plan, reach out. Our experienced privacy consultants would love to help.