PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013

Link to law: https://www.comlaw.gov.au/Details/F2013L01085

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now
PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013
Personally Controlled Electronic Health Records Act 2012
I, JOHN MCMILLAN, Australian Information Commissioner, make this legislative instrument under subsection 111(2) of the Personally Controlled Electronic Health Records Act 2012.
Dated                  19 June            2013
JOHN MCMILLAN
Australian Information Commissioner
 
Contents
Part 1                          Preliminary                                                                                    3
                        1      Name of instrument                                                                             3
                        2      Commencement                                                                                  3
                        3      Definitions                                                                                          3
                        4      Introduction                                                                                        4
Part 2                          General principles relating to enforcement action and the exercise of investigative powers under the PCEHR Act and the Privacy Act      7
                        5      Types of enforcement powers and investigative powers available to the Information Commissioner                                                                                    7
                        6      Enforcement action – general principles                                               9
Part 3                          Use of enforcement powers under the PCEHR Act        14
                        7      Civil penalties                                                                                  14
                        8      Accepting and enforcing undertakings                                              15
                        9      Injunctions                                                                                       18
Part 4                          Use of enforcement powers under the Privacy Act         20
                       10      Determinations                                                                                 20
 
 
Part 1                 Preliminary
  
1              Name of instrument
                This instrument is the PCEHR (Information Commissioner Enforcement Powers) Guidelines 2013.
2              Commencement
                This instrument commences on the day after it is registered.
3              Definitions
3.1           In this instrument, unless the contrary intention appears, terms used in these Guidelines have the same meaning as in the PCEHR Act.
3.2           In this instrument:
                agency has the same meaning as in section 6 of the Privacy Act.
                AIC Act means the Australian Information Commissioner Act 2010.
                Court means:
(a)    the Federal Court of Australia;
(b)   the Federal Circuit Court of Australia; or
(c)    a court of a State or Territory that has jurisdiction in relation to matters arising under the PCEHR Act.
                Information Commissioner  means the person appointed as Australian Information Commissioner under subsection 14(1) of the AIC Act.
PCEHR National Repositories Service means the National Repositories Service referred to in paragraph 15(i) of the PCEHR Act.
                participant in the PCEHR system means any of the following:
(a)   the System Operator;
(b)   a registered healthcare provider organisation;
(c)   the operator of the National Repositories Service;
(d) a registered repository operator;
(e)   a registered portal operator; or
(f)   a registered contracted service provider, so far as the
contracted service provider provides services to a registered healthcare provider.
PCEHR means a personally controlled electronic health record.
PCEHR Act means the Personally Controlled Electronic Health Records Act 2012.
PCEHR Rules  means the rules made under section 109 of the PCEHR Act.
PCEHR system means the personally controlled electronic health record system established under the PCEHR Act, and as defined in section 5 of that Act.
PCEHR System Operator has the meaning given by section 14 of the PCEHR Act.
Privacy Act means the Privacy Act 1988.
registered repository operator means a person that:
(a)   holds, or can hold, records of information included in personally controlled electronic health records for the purposes of the PCEHR system; and
(b)   is registered as a repository operator under section 49 of the PCEHR Act.
4              Introduction        
                 The Information Commissioner
4.1           The Information Commissioner is a statutory office holder appointed by the Governor-General under subsection 14(1) of the AIC Act. The Information Commissioner performs functions and exercises powers conferred on the Information Commissioner by the AIC Act and other Acts.
4.2           The PCEHR Act and the Privacy Act both confer functions and powers on the Information Commissioner in relation to the PCEHR system.
                Overview of the PCEHR system
4.3           The PCEHR system is established under and is regulated by the PCEHR Act. The PCEHR system aims to enable the secure sharing of health information between a consumer's registered healthcare provider organisations, while enabling the consumer to control who can access his or her PCEHR.
4.4           The PCEHR system is decentralised, with a consumer's health information held in repositories across multiple locations and able to be accessed online by the consumer and their registered healthcare provider organisation(s). The PCEHR National Repositories Service will hold key records about consumers, including the consumer's shared health summary (created by a  nominated healthcare provider and uploaded to the PCEHR National Repositories Service), discharge summaries, event summaries and consumer entered information.
4.5           Private and public sector bodies may also register as repository operators. When a registered healthcare provider organisation wishes to and is authorised to access a consumer's health information that is contained in a repository (other than the PCEHR National Repositories Service), that information may be able to be called up and viewed by the healthcare provider organisation, although its location remains with the relevant public or private sector body repository. For example, a healthcare provider organisation can view a pathology report for a consumer that is located at a particular pathology lab, if that pathology lab is a registered repository operator.
4.6           The PCEHR System Operator is responsible for the operation of the PCEHR system.
                Regulation of health information
4.7           The PCEHR Act and regulations and rules made under that Act regulate the collection, use and disclosure of health information contained in a consumer's PCEHR.
4.8           In addition to the requirements in the PCEHR Act, the PCEHR System Operator is subject to the Privacy Act.
4.9           In addition to the requirements in the PCEHR Act, other participants in the PCEHR system are subject to the Privacy Act and relevant State and Territory privacy laws.    
                Functions of the Information Commissioner in relation to PCEHR System
4.10         The Information Commissioner's role in the PCEHR system includes investigating alleged contraventions of the PCEHR Act and seeking to address contraventions as appropriate through conciliation, education and enforcement action.
4.11         Alleged contraventions of the PCEHR Act may be brought to the Information Commissioner's attention by a range of avenues including:
a)      a complaint by an individual or other notification from an individual or a participant in the PCEHR system;
b)      as the result of a data breach notification provided in accordance with section 75 of the PCEHR Act;
c)      as a result of a voluntary data breach notification made by an entity not covered by section 75 of the PCEHR Act;
d)     as a referral from another regulator in certain circumstances;
e)      as a result of media reporting;
f)       as a result of information provided by an informant;
g)      as a result of information provided by a law enforcement agency;
h)      as a result of information received from the PCEHR System Operator;
i)        during the course of an investigation conducted by the Information Commissioner.
                The role of these guidelines
4.12         Section 111 of the PCEHR Act requires the Information Commissioner to formulate, and have regard to, guidelines regarding the exercise of the Information Commissioner's powers under the PCEHR Act or a power under another Act that is related to such a power. The Privacy Act is a related Act.
4.13         These guidelines are made under section 111 of the PCEHR Act. These guidelines set out the Information Commissioner's general approach to the exercise of enforcement powers and investigative powers under both the PCEHR Act and the Privacy Act, in relation to the PCEHR system.
4.14         While these guidelines seek to provide guidance to participants in the PCEHR system, the Information Commissioner has a discretion to exercise the available powers that he or she considers most appropriate in the particular circumstances of each case.
Part 2                 General principles relating to enforcement action and the exercise of investigative powers under the PCEHR Act and the Privacy Act
5              Types of enforcement powers and investigative powers available to the Information Commissioner
5.1           The Information Commissioner has enforcement powers and investigative powers under both the PCEHR Act and the Privacy Act in relation to the PCEHR system. The general approach the Information Commissioner will take when determining which Act to apply is set out in Part 6.
                Investigative powers under the PCEHR Act
 
5.2           The Information Commissioner has power under subsection 73(4) of the PCEHR Act to do all things necessary or convenient to investigate an alleged contravention of the PCEHR Act in relation to the PCEHR system, either in connection with health information in a consumer's PCEHR or as a result of a breach of a civil penalty provision. The civil penalty provisions in the PCEHR Act are listed below at clause 7.2. 
                Investigative powers under the Privacy Act
5.3           As a contravention of the PCEHR Act in connection with health information included in a consumer’s PCEHR or a provision of Part 4 or 5 is an interference with privacy for the purposes of the Privacy Act, the Information Commissioner may investigate the act or practice under the Privacy Act.
5.4           Part V of the Privacy Act sets out the investigative powers and processes available when the Information Commissioner conducts an investigation under the Privacy Act into an alleged contravention of the PCEHR Act.
5.5           The range of investigative powers given to the Information Commissioner under Part V of the Privacy Act when conducting investigations include the power to compel disclosure of information, examine witnesses, enter premises to examine documents and, in certain circumstances, to call compulsory conferences. Part V also provides detail on how an investigation should be conducted, including procedural elements.
                Enforcement powers under the PCEHR Act
 
5.6           The Information Commissioner has enforcement powers under the PCEHR Act that include the ability to:       
a)      apply to a Court for an order that a person who is alleged to have contravened a civil penalty provision in the PCEHR Act pay the Commonwealth a pecuniary penalty;
 
b)      accept a written undertaking by a person that the person will take specified action or refrain from taking specified action, in order to comply with the PCEHR Act and to ensure that the person does not or is unlikely to contravene the PCEHR Act in the future;
 
c)      apply to a Court for an order where the Information Commissioner considers that a person has breached an undertaking;
            
d)     apply to a Court for an injunction to require a person to do, or to refrain from doing, specified actions.
5.7           The Information Commissioner's use of each of these enforcement powers is discussed below at clause 7 (civil penalty orders), clause 8 (enforceable undertakings) and clause 9 (injunctions).
                Enforcement powers under the Privacy Act
 
5.8           The Information Commissioner has enforcement powers under the Privacy Act that include the ability to:
a)      make a non-binding determination either dismissing a complaint or finding it substantiated (if the Information Commissioner finds that the complaint is substantiated, the determination may include a declaration that a respondent perform a reasonable act or course of conduct to redress loss to the complainant or a declaration that the complainant is entitled to compensation for loss or damage suffered);
b)      apply to the Federal Court or the Federal Circuit Court for an order to enforce a determination (in certain circumstances);
c)      apply to the Federal Court or the Federal Circuit Court for an injunction to restrain a person from engaging in conduct contravening the Privacy Act, or requiring the person to do any act or thing.
 
5.9           Further enforcement powers under the Privacy Act will commence on 12 March 2014. These will include powers to accept enforceable undertakings and seek civil penalties. From 12 March 2014, the Information Commissioner may also use these new enforcement powers in relation to the PCEHR system.
5.10         The Information Commissioner's use of the determination power is discussed below at clause 10.
6              Enforcement action – general principles
6.1           When investigating an alleged contravention and deciding whether to take enforcement action, the Information Commissioner will act consistently with general principles of good decision making, as explained in the Best Practice Guides published by the Administrative Review Council in 2007. In particular, the Information Commissioner will strive to act fairly, transparently, and in accordance with principles of natural justice (or procedural fairness).
Note: the Administrative Review Council Best Practice Guides are published at www.arc.ag.gov.au/Publications/Reports/Pages/OtherDocuments.aspx
                Policy considerations
6.2           When deciding whether to take enforcement action against a person in relation to the PCEHR system, the Information Commissioner will take the following policy considerations into account:
a)      the object of the PCEHR Act;
b)      the importance of promoting and facilitating privacy compliance by all participants in the PCEHR system;
c)      the range of enforcement mechanisms available to the Information Commissioner under the PCEHR Act and the Privacy Act and what is an appropriate response in the particular circumstances of a case;
d)     whether that action is proportionate to the nature and consequences of the conduct concerned;
e)      any other policy considerations which the Information Commissioner considers relevant in the particular circumstances of the case.
                Discretionary factors
6.3           When determining whether to take enforcement action against a person in relation to the PCEHR system, the Information Commissioner may also take into account the following factors:
a)      the seriousness of the conduct, including:
                                                                 i.            the number of persons affected;
                                                               ii.            the detriment caused by the conduct;
                                                             iii.            whether disadvantaged or vulnerable groups have been particularly affected or targeted;
                                                             iv.            whether the conduct was deliberate or reckless;
                                                               v.            the seniority and level of experience of the person or persons responsible for the conduct;
                                                             vi.            whether urgent action or intervention by the Information Commissioner is required;
b)      the specific and general educational, deterrent or precedential value of the particular enforcement action;
c)      whether the individual or entity which engaged in the conduct has been the subject of prior compliance or enforcement action in relation to the PCEHR system, and the outcome of that action;
d)     the likelihood of the individual or entity contravening the PCEHR Act in the future;
e)      whether the conduct is widespread or increasing, or whether the conduct is likely to continue if no intervention is taken;
f)       whether the conduct is an isolated instance, or whether it indicates systemic issues which may pose ongoing compliance or enforcement issues;
g)      the subsequent action taken by the individual or entity to remedy and address the consequences of the conduct;
h)      whether the individual or entity has co-operated with the Information Commissioner;
i)        whether the conduct is of significant public interest or concern;
j)        whether the conduct was unconscionable;
k)      whether the conduct has affected the security or integrity of the PCEHR system or impacted on healthcare provider or consumer confidence in the PCEHR system;
l)        the time since the conduct occurred;
m)    the cost and time required to achieve an appropriate remedy through enforcement action;
n)      whether pursuing court action (where appropriate) would test or clarify the law;
o)      whether there is adequate evidence available and admissible in a court to prove a contravention. This includes whether the available admissible evidence is likely to:
                                                                 i.            establish any applicable mental element; and
                                                               ii.            be able to prove a contravention on the balance of probabilities;
p)      any other factors which the Information Commissioner considers relevant in the circumstances.
                General investigative principles
6.4           The Information Commissioner will give individual consideration to any alleged contravention and have regard to all relevant circumstances.
6.5           In any litigation, the Information Commissioner will act in accordance with the obligations set out in The Commonwealth's obligation to act as a model litigant, Appendix B to the Legal Services Directions 2005.
                General approach to complaints
6.6           A complaint received by the Information Commissioner relating to the PCEHR system will, unless there is a reason to act under the PCEHR Act, be treated as a complaint made under section 36 of the Privacy Act,and will be investigated under the provisions of Part V of that Act.
 6.7          In investigating a complaint relating to the PCEHR system, the Information Commissioner will attempt by conciliation to effect a settlement of the matter between the complainant and the respondent before deciding to take other enforcement action under the PCEHR Act or the Privacy Act.
                General approach to own motion investigations
6.8           The Information Commissioner will conduct own motion investigations relating to the PCEHR system under Part V of the Privacy Act rather than under the PCEHR Act, unless there is a reason to conduct the investigation under the latter Act.
6.9           Upon completing  an investigation, the Information Commissioner may choose to take enforcement action under the Privacy Act or the PCEHR Act.
                General approach to conducting investigations under section 73 of the PCEHR Act
               
6.10         Where the Information Commissioner decides to conduct an investigation under section 73 of the PCEHR Act (as an alternative to an investigation under Part V of the Privacy Act), the Commissioner will follow a process that, so far as practicable, corresponds with the investigative processes set out in Part V of the Privacy Act.
6.11         Upon completing an investigation under section 73 of the PCEHR Act, the Information Commissioner may take enforcement action under that Act. The Commissioner will consider the suitability of attempting by conciliation to effect a settlement of a matter under paragraph 73(3)(a) of the PCEHR Act before deciding to take other enforcement action.
                Administrative action of the PCEHR System Operator
6.12         Section 73A of the PCEHR Act authorises the Information Commissioner to disclose to the PCEHR System Operator any information or documents that relate to an investigation that the Information Commissioner conducts because of the operation of section 73 of that Act, if the Information Commissioner is satisfied that to do so will enable the PCEHR System Operator to monitor or improve the operation or security of the PCEHR system.
6.13         A disclosure under section 73A of the PCEHR Act may also assist the  PCEHR System Operator in exercising the power to cancel, suspend or vary a person's registration with the PCEHR system in certain circumstances in accordance with the PCEHR Act.
 
Part 3                 Use of enforcement powers under the PCEHR Act
7                      Civil penalties
                Legislative basis for seeking a civil penalty order
7.1           Under section 79 of the PCEHR Act, the Information Commissioner may apply to a Court for an order that a person who is alleged to have contravened a civil penalty provision pay a pecuniary penalty to the Commonwealth. The Information Commissioner must make the application within 6 years of the alleged contravention.
7.2           An overview of the civil penalty provisions in the PCEHR Act is provided below:
a)      sections 59 and 60 – unauthorised collection, use or disclosure, as well as secondary disclosure, of health information in a consumer's PCEHR;
b)      section 74 –a registered healthcare provider organisation providing insufficient information to identify the individual who requests access to a consumer's PCEHR on behalf of the registered healthcare provider organisation;
c)      section 75 – failure of an entity which is, or has at any time been, a registered repository operator or registered portal operator to report either a suspected contravention of the PCEHR Act or an actual or suspected data breach or event compromising the security or integrity of the PCEHR system;
d)     section 76 – failure to notify the PCEHR System Operator, within the required timeframe in writing, of becoming ineligible to be registered as a registered healthcare provider organisation, a registered repository operator, a registered portal operator or a registered contracted service provider;
e)      section 77 – certain system participants holding or taking PCEHR records outside Australia;
f)       section 78 – contravention of the PCEHR Rules by a person who is, or has been, a registered repository operator or a registered portal operator.
7.3           Subsection 79(5) of the PCEHR Act specifies the maximum pecuniary penalty that a Court may impose. The pecuniary penalty imposed on a person who is not a body corporate must not be more than the penalty specified in the relevant civil penalty provision. The pecuniary penalty imposed on a body corporate must not be more than five times the penalty specified in the relevant civil penalty provision.
                General approach to civil penalties
7.4           The Information Commissioner will commence civil penalty proceedings only in appropriate cases, after taking into account:
a)      the particular facts of the matter;
b)      the policy considerations referred to at clause 6.2;
c)      the discretionary factors referred to at clause 6.3;
d)     the Commonwealth's model litigant obligations referred to at clause 6.5.
7.5           The Information Commissioner will be guided by the principle that civil penalty proceedings are more appropriately reserved for serious or repeated contraventions of the provisions of the PCEHR Act or Privacy Act, and not for minor or inadvertent contraventions where the person or entity responsible for the contravention has cooperated with the investigation and taken steps to avoid future contraventions.
8                      Accepting and enforcing undertakings
                Legislative basis for accepting undertakings
8.1           Under section 94 of the PCEHR Act, the Information Commissioner may accept a written undertaking given by a person that the person will:
a)      take specified action in order to comply with the PCEHR Act;
b)      refrain from taking specified action, in order to comply with the PCEHR Act; or
c)      take specified action directed towards ensuring that the person does not contravene the PCEHR Act, or is unlikely to contravene the PCEHR Act, in the future.
8.2           The person may withdraw or vary the undertaking at any time, but only with the written consent of the Information Commissioner.
8.3           The Information Commissioner may cancel the undertaking by written notice.
8.4           The Information Commissioner may publish a copy of the undertaking on the Office of the Australian Information Commissioner website at www.oaic.gov.au.
                Legislative basis for enforcing undertakings
8.5           Under section 95 of the PCEHR Act, if the Information Commissioner considers that a person has breached an undertaking they have given under section 94, the Information Commissioner may apply to a Court for one or more of the following orders:
a)      an order directing the person to comply with the undertaking;
b)      an order directing the person to pay to the Commonwealth an amount equivalent to any financial benefit that the person has obtained directly or indirectly and that is reasonably attributable to thecontravention;
c)      any order that the Court thinks appropriate directing the person to compensate any other person who has suffered loss or damage as a result of the contravention;
d)     any other order that the Court thinks appropriate.
                Requirements for undertakings
8.6           An undertaking must be in writing and must be expressed as an undertaking under section 94.
                Offering an enforceable undertaking
8.7           The individual offering the undertaking must have the authority to negotiate on behalf of, and bind, the respondent person or entity.
                Terms of an undertaking    
8.8           The Information Commissioner will not accept an enforceable undertaking that:
a)      denies responsibility for an alleged contravention of the PCEHR Act or Privacy Act;
b)      seeks to defend the contravention or justify the conduct that gave rise to it;
c)      merely undertakes to comply with the law without explaining how compliance will be achieved;
d)     seeks to impose terms or conditions on the Information Commissioner.
8.9           To be acceptable to the Information Commissioner, the terms of an enforceable undertaking should:
a)      contain a commitment to take action that is a necessary and proportionate response to the contravention of the PCEHR Act or the Privacy Act;
b)      be capable of implementation;
c)      include action which is capable of being measured or tested objectively;
d)     include a compliance monitoring and reporting framework.
                General approach to accepting undertakings
8.10         When deciding whether to accept an undertaking, the Information Commissioner will take into account:
a)      the particular circumstances of the matter;
b)      the policy considerations referred to at clause 6.2;
c)      the discretionary factors referred to at clause 6.3;
d)     whether the respondent acknowledges the Information Commissioner's concerns and the need to address those concerns in a transparent manner;
e)      whether the Information Commissioner believes that the offered undertaking will achieve an effective regulatory outcome, including for those individuals who have been affected by the conduct;
f)       whether the Information Commissioner believes that the respondent has the ability to, and genuinely intends to, comply with the terms of the undertaking.
8.11         The acceptance by the Information Commissioner of an enforceable undertaking in a particular set of circumstances should not be regarded as a binding precedent for future action.
8.12         If there are a number of issues that are the subject of concern, it is open to the Information Commissioner to accept an enforceable undertaking in relation to certain aspects of the matter whilst also pursuing other remedies under the PCEHR Act or the Privacy Act in respect of other aspects of that matter.
                General approach to enforcing undertakings
8.13         The Information Commissioner may seek an order from a Court under section 95 of the PCEHR Act where the Information Commissioner considers that a person has breached an undertaking.
8.14          When deciding whether to seek an order from a Court to enforce an undertaking, the Information Commissioner will take into account:
a)      the particular circumstances of the matter;
b)      the policy considerations referred to at clause 6.2;
c)      the discretionary factors referred to at clause 6.3;
d)     the Commonwealth's model litigant obligations referred to at clause 6.5
9              Injunctions
                Legislative basis for injunctions
9.1           Under section 96 of the PCEHR Act, the Information Commissioner may apply to a Court for an injunction:
a)      requiring a person to do an act or thing, if the refusal or failure to do that act or thing would be a contravention of the PCEHR Act; or
b)      restraining a person from engaging in conduct that constituted, constitutes or would constitute a contravention of the PCEHR Act.
9.2           The Information Commissioner may apply for an injunction under section 98 of the Privacy Act to restrain conduct that is in contravention of that Act. The Commissioner will consider whether to use this alternative power to restrain conduct that is also in contravention of the PCEHR Act.
9.3           If a Court grants an injunction restraining a person from engaging in particular conduct that is in contravention of the PCEHR Act or the Privacy Act, the injunction may also require the person to do any act or thing if the Court thinks it desirable to do so.
                General approach to seeking injunctions
9.4           The Information Commissioner will decide whether to commence proceedings seeking an injunction after taking into account:
a)      the particular facts of the matter;
b)      the policy considerations referred to at clause 6.2;
c)      the discretionary factors referred to at clause 6.3;
d)     the Commonwealth's model litigant obligations referred to at clause 6.5.
9.5           The Information Commissioner will generally only commence proceedings seeking an injunction where the conduct cannot be adequately resolved by voluntary action or other enforcement mechanisms such as enforceable undertakings.
Part 4                 Use of enforcement powers under the Privacy Act
10            Determinations
                Legislative basis for making a determination
10.1         Upon completing the investigation of a complaint made under section 36 of the Privacy Act, the Information Commissioner may, under section 52 of that Act, make a determination that either dismisses the complaint or, if the Information Commissioner has found the complaint to be substantiated, make one or more of the declarations specified in paragraph 52(1)(b) of the Privacy Act. 
                Legislative basis for enforcing determination
10.2         Under section 55A of the Privacy Act, the Information Commissioner may apply to the Federal Court or the Federal Circuit Court for an order to enforce a determination made under section 52 against a person or entity.
                Legislative basis for enforcing determination against an agency
10.3         Under section 62 of the Privacy Act, the Information Commissioner may apply to the Federal Court or the Federal Circuit Court for an order to enforce a determination made under section 52 against an agency.
10.4         The Information Commissioner may only make an application under section 62 if the agency has failed to comply with its obligations under section 58 of the Privacy Act. Section 58 requires an agency that is the respondent to a section 52 determination to refrain from conduct that has been declared to be an interference with privacy, and to perform any act or course of conduct that was declared, in the section 52 determination, to be appropriate to redress any loss or damage suffered by the complainant.
                General approach to making determinations
10.5         The Information Commissioner has a discretion, upon finding that a complaint under section 36 of the Privacy Act is substantiated, to make a determination under section 52 of the Act or to complete the investigation in some other manner permitted by the Act, including by conciliation between the parties.
10.6         The Information Commissioner's policy is to, where appropriate, facilitate conciliation between the parties as a primary dispute resolution model for a privacy complaint. However, in some circumstances, it will be in the interests of both the parties and the broader administration of the Privacy Act for the Information Commissioner to make a determination under section 52 of the Privacy Act.
10.7         Determinations under section 52 of the Privacy Act will not be limited to the most serious matters, and should not necessarily be seen as a punitive measure.
10.8         When deciding whether to make a determination under section 52 of the Privacy Act, the Information Commissioner will take into account the policy considerations referred to at clause 6.2 and the discretionary factors referred to at clause 6.3.
10.9         In addition, the following factors will also be relevant:
a)      whether the parties agree that there has been an interference with privacy, but disagree on the appropriate course of action to resolve the matter, including the payment of compensation, or the amount of compensation to be payable;
b)      whether one or both of the parties has requested that the matter be finalised by way of a determination and the Information Commissioner considers that there would be a benefit in making a determination in the particular circumstance;
c)      whether the parties are unable to resolve the matter through conciliation and the matter cannot otherwise be brought to a close.
                Publishing determinations
10.10       A determination made under section 52 of the Privacy Act will be published on:
a)      the Office of the Australian Information Commissioner website (www.oaic.gov.au); and
b)      the Australasian Legal Information Institute website (www.austlii.edu.au).
10.11       The general practice the Information Commissioner will adopt, unless there is a special reason to the contrary in any matter, is to publish the name of the respondent, but not the name of the complainant or any third party.
                General approach to enforcing determinations
10.12       Where a respondent has failed to comply with the terms of a determination made under section 52 of the Privacy Act, the Information Commissioner will consider whether to commence proceedings in a Court to enforce the determination.
10.13       When deciding whether to commence proceedings to enforce a determination, the Information Commissioner will take into account:
a)      the particular facts of the matter;
b)      the policy considerations referred to at clause 6.2;
c)      the discretionary factors referred to at clauses 6.3 and 10.9;
d)     the Commonwealth's model litigant obligations referred to at clause 6.5.
 
 
Note
1.       All legislative instruments and compilations are registered on the Federal Register of Legislative Instruments kept under the Legislative Instruments Act 2003. See www.comlaw.gov.au.