OAIC Complaints: How to Report a Privacy Breach in Australia
If your personal information has been mishandled by an Australian organisation or government agency, you have the right to make a complaint to the Office of the Australian Information Commissioner (OAIC). The OAIC is the national regulator responsible for enforcing the Privacy Act 1988 and protecting Australians from misuse of their personal data. This guide walks you through everything you need to know about lodging an OAIC complaint about a privacy breach in 2026 — from eligibility and timelines to what happens after you submit.
What Is the OAIC and What Does It Do?
The Office of the Australian Information Commissioner (OAIC) is the independent Commonwealth regulator that oversees privacy, freedom of information, and government information policy in Australia. Established under the Australian Information Commissioner Act 2010, the OAIC investigates privacy complaints, conducts assessments of regulated entities, and can apply to the Federal Court for civil penalties where an entity commits a serious interference with privacy under the Australian Privacy Principles (APPs). Since December 2024 it can also issue infringement notices for certain lower-level contraventions.
The OAIC handles complaints involving:
- Australian Government agencies (including Services Australia, the ATO, and Medicare)
- Private sector organisations with an annual turnover of more than A$3 million
- Health service providers of any size
- Credit reporting bodies and credit providers
- Tax File Number (TFN) recipients
- Organisations that trade in personal information
What Counts as a Privacy Breach Under Australian Law?
A privacy breach occurs when an entity covered by the Privacy Act mishandles your personal information in a way that contravenes one of the 13 Australian Privacy Principles. Personal information includes any data that can identify you — such as your name, address, date of birth, financial records, health information, or even your IP address in some contexts.
Common Examples of Reportable Privacy Breaches
- Unauthorised disclosure: A company shares your details with a third party without your consent.
- Data breaches: Hackers access a database containing your personal information.
- Excessive collection: An organisation demands more information than is reasonably necessary.
- Failure to secure data: Records left unencrypted, emailed in plain text, or stored on insecure servers.
- Refusal of access: A business refuses to give you a copy of the personal information it holds about you.
- Refusal to correct: The entity won't update inaccurate information you've identified.
- Direct marketing misuse: You receive marketing communications after opting out.
Before You Lodge an OAIC Complaint: Required Steps
The OAIC will generally not investigate your complaint unless you have first attempted to resolve the issue directly with the organisation involved. Section 40(1A) of the Privacy Act requires this step, unless the Commissioner decides it was not appropriate for you to complain to the organisation first (for example, where doing so could expose you to harm).
Step 1: Complain Directly to the Organisation
Contact the entity in writing — email is acceptable and creates a useful paper trail. Clearly state:
- What happened and when
- Which personal information was affected
- How you believe the Privacy Act or APPs were breached
- What outcome you want (e.g., deletion of data, an apology, compensation)
Step 2: Wait 30 Days for a Response
The organisation has a reasonable time — generally 30 calendar days — to respond. If they fail to reply, give an inadequate response, or refuse to address your concerns, you can escalate to the OAIC.
Step 3: Gather Your Evidence
Before lodging your complaint, collect:
- Copies of all correspondence with the organisation
- Screenshots of the breach (e.g., emails sent to wrong recipients)
- Dates and times of relevant events
- Any data breach notification you received
- Records of financial or emotional harm caused
How to Lodge an OAIC Privacy Complaint: Step-by-Step
The OAIC offers several ways to submit a complaint. The online form is fastest and recommended for most users.
Step 1: Access the Online Complaint Form
Visit oaic.gov.au and navigate to "Privacy complaints." The online portal walks you through each section. You'll need approximately 30–45 minutes to complete it.
Step 2: Provide Your Details
You'll need to supply your full name, contact information, and preferred communication method. The OAIC generally does not accept anonymous complaints because they need to contact you for clarification and to share the respondent's reply.
Step 3: Identify the Respondent
Name the organisation or agency you're complaining about. Include the trading name, ABN if known, and the specific department or staff member involved.
Step 4: Describe the Breach
In plain language, explain what happened. Be chronological, factual, and concise. Reference specific Australian Privacy Principles if you can — for example, "This appears to breach APP 6 (use or disclosure of personal information)."
Step 5: Upload Supporting Documents
Attach your evidence, including the original complaint to the organisation and their response (or lack of one).
Step 6: State the Outcome You Seek
Possible remedies include a formal apology, correction or deletion of data, changes to the organisation's practices, or compensation for financial loss or non-economic harm such as distress.
Alternative Lodgement Methods
| Method | Details | Best For |
|---|---|---|
| Online form | oaic.gov.au privacy complaint portal | Most complainants |
| Email | enquiries@oaic.gov.au | Those with large file attachments |
| Post | GPO Box 5288, Sydney NSW 2001 | Hard-copy evidence or no internet |
| Phone | 1300 363 992 | Initial enquiries and accessibility needs |
| National Relay Service | 133 677 then 1300 363 992 | Deaf or hearing-impaired users |
What Happens After You Lodge a Complaint?
The OAIC follows a structured process governed by Part V of the Privacy Act. Here's what to expect.
1. Acknowledgement (Within 14 Days)
You'll receive written acknowledgement with a reference number. Quote this number in all future correspondence.
2. Preliminary Assessment
An OAIC officer reviews your complaint to confirm it falls within jurisdiction and meets the formal requirements. They may ask for additional information.
3. Conciliation
The OAIC heavily favours conciliation — a negotiated settlement between you and the organisation. The Commissioner has the power under section 40A to require participation. Most complaints (over 80%) are resolved at this stage.
4. Investigation
If conciliation fails, the Commissioner may formally investigate under section 40. The Commissioner can compel the production of information and documents (section 44) and require witnesses to attend and give evidence (section 45).
5. Determination
The Commissioner issues a written determination under section 52. This can include declarations that the conduct was unlawful, orders to take corrective action, and awards of compensation for financial loss, expenses, or non-economic harm.
Timeframes and Limitations
The OAIC aims to finalise most complaints within 12 months, although complex matters can take longer. Importantly, you generally must lodge your complaint within 12 months of becoming aware of the breach. Complaints lodged after this period may be declined unless you can show exceptional circumstances.
Notifiable Data Breaches Scheme
Since February 2018, Australia has operated the Notifiable Data Breaches (NDB) scheme. Organisations covered by the Privacy Act must notify both the OAIC and affected individuals when an "eligible data breach" is likely to result in serious harm. If you've received an NDB notification, that letter is strong evidence to attach to your complaint.
If you're concerned about minimising your digital footprint while online — particularly when sharing links that might expose tracking data — using privacy-respecting tools matters. Services like Lunyb offer URL shortening without invasive analytics, which is one small but practical step toward reducing the personal data trail you leave online. For a deeper look, see our honest review of Lunyb.
Possible Outcomes and Remedies
| Remedy | Description | Typical Range |
|---|---|---|
| Apology | Formal written acknowledgement | Standard |
| Corrective action | Update or delete records, change practices | Standard |
| Non-economic loss compensation | For distress, humiliation, anxiety | A$1,000 – A$20,000+ |
| Economic loss compensation | Reimbursement of out-of-pocket expenses | Actual loss |
| Aggravated damages | For particularly egregious conduct | Variable |
| Civil penalty (paid to the Commonwealth; imposed by the Federal Court on the OAIC's application) | For serious interferences with privacy | For a body corporate, the greater of A$50 million, three times the benefit obtained, or 30% of adjusted turnover; lower-tier penalties and infringement notices added in December 2024 |
When the OAIC May Decline Your Complaint
Under section 41 of the Privacy Act, the Commissioner can decline to investigate if:
- You haven't first complained to the respondent
- More than 12 months have passed since you became aware of the breach
- The complaint is frivolous, vexatious, or lacking in substance
- Another body (such as a state privacy commissioner) is better placed to handle it
- The matter has already been adequately dealt with
- An adequate remedy is available elsewhere (such as a tribunal)
Pros and Cons of Using the OAIC Process
Pros
- Free for complainants
- No need for legal representation
- Binding determinations enforceable in the Federal Court
- Can result in compensation for distress alone
- Confidential and informal process
Cons
- Can be slow — backlogs sometimes exceed 12 months
- Conciliation can favour repeat-player organisations
- Compensation amounts historically modest
- Limited jurisdiction (small businesses under A$3 million often excluded)
- Limited review rights: a formal determination can be taken to the Administrative Review Tribunal (ART, which replaced the AAT in October 2024) for merits review, but a decision to decline or not investigate a complaint can generally only be challenged by judicial review in the Federal Court
Tips for a Strong OAIC Complaint
- Be specific. Vague allegations rarely succeed. Name dates, people, and documents.
- Quantify harm. If you've suffered financial loss, anxiety, or reputational damage, document it — including any medical or counselling records.
- Cite the APPs. Referencing specific Australian Privacy Principles signals you understand the framework.
- Stay professional. Avoid emotive language; let the facts carry the weight.
- Engage in good faith. Participate genuinely in conciliation — refusing reasonable offers can affect your final outcome.
- Keep records. Maintain a complete file of all communications throughout the process.
State and Territory Alternatives
If your complaint involves a state or territory government agency, the OAIC may not have jurisdiction. Instead, contact the relevant body:
- NSW: Information and Privacy Commission NSW
- Victoria: Office of the Victorian Information Commissioner
- Queensland: Office of the Information Commissioner Queensland
- WA: Historically no dedicated privacy commissioner, with the WA Ombudsman handling some matters; the Privacy and Responsible Information Sharing Act 2024 establishes a privacy framework for the WA public sector that commences in stages, so check which parts are in force
- SA: Privacy Committee of South Australia
- Tasmania: Tasmanian Ombudsman
- ACT: The OAIC handles complaints under the ACT's Information Privacy Act 2014 by arrangement with the ACT Government; complaints about health records go to the ACT Human Rights Commission
- NT: NT Information Commissioner
Frequently Asked Questions
How long does an OAIC complaint take to resolve?
Most complaints are resolved within 6 to 12 months. Straightforward matters that settle at conciliation can close in a few months, while complex investigations leading to a formal determination may take 18 months or longer.
Can I get compensation through an OAIC complaint?
Yes. The Commissioner can order compensation for both economic loss (such as out-of-pocket expenses) and non-economic loss (such as distress, anxiety, or humiliation). Recent determinations have awarded amounts ranging from A$1,000 to over A$20,000 for individuals, with class-action style representative complaints producing larger collective awards.
Do I need a lawyer to lodge an OAIC complaint?
No. The process is designed to be accessible without legal representation. However, for complex matters — especially those involving significant financial loss or potential class-action issues — legal advice can be valuable. Community legal centres often provide free assistance.
What if the OAIC dismisses my complaint?
You can ask the OAIC to reconsider if you have new information. A decision not to investigate is not subject to merits review in a tribunal; it can generally only be challenged by judicial review in the Federal Court, and strict time limits apply, so seek advice promptly. A formal determination under section 52 can be reviewed on its merits by the Administrative Review Tribunal (ART), which replaced the Administrative Appeals Tribunal (AAT) in October 2024. You may also have separate rights under common law, contract, or consumer protection laws, and, since June 2025, under the statutory tort for serious invasions of privacy.
Is my complaint confidential?
Yes. OAIC complaint handling is confidential. The respondent will know who you are (they need to respond to the allegations), but the OAIC does not publish complainant names in determinations unless you consent. Determinations themselves are public to help guide future compliance.
Final Thoughts
Lodging an OAIC complaint is a powerful, and free, way to hold organisations accountable for mishandling your personal information. While the process can be slow and outcomes vary, it remains the primary mechanism Australians have to enforce their privacy rights under federal law. Document everything, follow the mandatory pre-complaint steps, and present your case clearly. With reforms to the Privacy Act continuing through 2026, including stronger penalties, a statutory tort for serious invasions of privacy that commenced in June 2025, and a proposed direct right of action for breaches of the APPs, the regulatory landscape is shifting in favour of individuals. Knowing how to use the existing OAIC process puts you in a strong position to defend your privacy today.