Investigation Process

If you find you are subject of an investigation or inquiry into your organisation by the ODPA you may be wondering what to expect.

The process we follow is determined by the Law, and is briefly summarised below: 

1. If we receive a complaint about the way in which you have handled personal data, or if an inquiry is instigated, you will receive formal notice. This may include our initial questions.
2. Following this, and if we haven’t already, we will ask your organisation questions or require you to provide us with certain information. You will be updated on the status and where appropriate, the outcome of the investigation, every three months.
3. Where we have found no grounds for any further action, you will be informed.
4. Where we have decided to make a determination in respect of the investigation, we will provide you with written notice of our proposed determination and the reasons for it.
5. Where we have made a determination that a breach has occurred, you will be informed and have a period of 28 days to make representations before we issue our final determination. We will review any representations made to us carefully.
6. Consideration will be given as to the appropriate sanction. In accordance with our statutory duties, all sanctions must be proportionate and effective. The Law provides for the following:
   • A reprimand
   • A warning
   • An order
   • A fine
7. Should we decide that a reprimand or warning is appropriate, you will be notified.
8. Should we decide that an enforcement order (this includes fines) is appropriate, we will notify you of our proposed enforcement order. You will have a period of 28 days to make representations before we issue our final enforcement order along with your right to appeal that enforcement order.
9. At the conclusion of the investigation or inquiry the Authority may, in accordance with Section 64 of the Law, issue a public statement.