OAIC Complaints: How to Report a Privacy Breach in Australia
If an Australian business, agency, or organisation has mishandled your personal information, you have the right to do something about it. The Office of the Australian Information Commissioner (OAIC) is the federal regulator responsible for protecting your privacy under the Privacy Act 1988. This guide explains exactly how to report a privacy breach to the OAIC, what happens after you lodge a complaint, and how to maximise your chances of a meaningful outcome.
What Is the OAIC and What Does It Do?
The Office of the Australian Information Commissioner (OAIC) is the independent statutory agency that regulates privacy and freedom of information at the Commonwealth level in Australia. It enforces the Australian Privacy Principles (APPs), investigates complaints, runs the Notifiable Data Breaches (NDB) scheme, and can issue determinations, fines, and enforceable undertakings against organisations that fail to protect personal information.
You can lodge a complaint with the OAIC if you believe an APP entity — generally Australian Government agencies and private sector organisations with an annual turnover above AU$3 million, plus some smaller entities like health service providers and credit reporting bodies — has interfered with your privacy.
What Counts as a Privacy Breach?
A privacy breach occurs when an organisation collects, uses, discloses, stores, or secures your personal information in a way that breaches the Australian Privacy Principles or another binding privacy obligation. It is not limited to cyberattacks or data leaks — many complaints stem from everyday mishandling of information.
Common Examples of Reportable Breaches
- An organisation losing a laptop, USB, or paper file containing your details.
- An employee accessing your records without a legitimate work reason ("browsing").
- A company sending your information to the wrong email address or postal address.
- A hacker accessing a customer database containing your data.
- An organisation refusing to give you access to, or correct, your own personal information.
- Marketing emails or SMS being sent after you have opted out.
- Collection of information that is excessive, unsolicited, or not reasonably necessary.
- Use or disclosure of your personal information for a secondary purpose without consent.
What Personal Information Is Protected?
The Privacy Act protects "personal information" — any information or opinion about an identified individual, or one who is reasonably identifiable. This includes:
- Name, address, phone number, and email
- Date of birth and government identifiers (e.g. tax file number, Medicare number)
- Bank account and credit information
- Health and medical records (treated as "sensitive information" with stronger protections)
- Biometric data, racial or ethnic origin, religious beliefs, sexual orientation
- Location data, IP addresses, and online identifiers in many contexts
Step 1: Complain to the Organisation First
In most cases, before the OAIC will accept your complaint, you must first give the organisation an opportunity to respond. This requirement is set out in section 40(1A) of the Privacy Act.
How to Lodge an Internal Complaint
- Find the privacy officer or privacy contact. Every APP entity must have a published privacy policy that includes contact details. Check the website footer or search "[company name] privacy policy".
- Write to them in clear, factual terms. State what happened, when, what information was involved, and what outcome you want — for example, an apology, deletion of data, correction of records, or compensation.
- Keep your communication in writing. Email is best because it creates a timestamped record.
- Give them a reasonable time to respond. The OAIC considers 30 days reasonable in most cases.
If the organisation does not respond within 30 days, refuses to engage, or gives a response you are unhappy with, you can then escalate to the OAIC.
Step 2: Gather Your Evidence
A well-evidenced complaint moves faster and is more likely to result in action. Before lodging with the OAIC, collect everything that supports your version of events.
Evidence Checklist
- Copies of the original complaint you sent to the organisation
- The organisation's response (or proof they did not respond)
- Screenshots of relevant emails, web pages, account settings, or notifications
- Data breach notification letters or emails you received
- Any phishing emails, scam calls, or identity theft attempts that followed the breach
- A written timeline of events with dates
- Notes of any phone calls (date, time, person spoken to, summary)
- Evidence of harm — financial loss, distress, time spent on remediation
Tip: when sharing long URLs as evidence (for example, links to a public breach notification or news article), a tidy shortened link is easier to include in forms and PDFs. A trusted shortener like Lunyb can keep your evidence pack readable without losing the original destination. Because a shortened link is a redirect that a case officer may not follow, also record the full original URL (and a dated screenshot of the page) alongside it.
Step 3: Lodge Your Complaint with the OAIC
Once you have given the organisation a chance to respond and gathered your evidence, you can formally complain to the OAIC. Complaints are free and you do not need a lawyer.
How to Lodge
- Online form: The fastest method is the privacy complaint form on oaic.gov.au.
- Post or email: You can download a PDF form and send it by post to GPO Box 5288, Sydney NSW 2001, or email it to enquiries@oaic.gov.au.
- Phone: Call the OAIC enquiries line on 1300 363 992 if you need help completing the form. The Translating and Interpreting Service (TIS) is available on 131 450.
- Auslan or accessibility support: The National Relay Service can be used for callers who are deaf or have hearing or speech impairments.
What to Include in Your Complaint
- Your full name and contact details (anonymous complaints are not generally investigated, though you can request the OAIC not share your identity in some cases)
- The name of the organisation or agency complained about
- A clear description of what happened and when
- The personal information involved
- Which Australian Privacy Principles you believe were breached (you don't need to identify them precisely — describe the conduct)
- What you have done to resolve it directly with the organisation
- The outcome you are seeking
- Supporting documents
What Happens After You Lodge?
Once received, the OAIC will assess your complaint. The process generally moves through several stages, though not every complaint goes through every step.
The OAIC Complaint Process
| Stage | What Happens | Typical Timeframe |
|---|---|---|
| Acknowledgement | OAIC confirms receipt and assigns a case officer. | 1–4 weeks |
| Preliminary assessment | OAIC checks jurisdiction and whether you've complained to the entity first. | 4–8 weeks |
| Conciliation | OAIC contacts the organisation and tries to facilitate a resolution. | 2–6 months |
| Investigation | If conciliation fails, the Commissioner can formally investigate and make a determination. | 6–18 months |
| Determination | Binding decision with remedies — apology, change of practice, or compensation. | End of process |
Possible Outcomes
- Apology: A written or public apology from the organisation
- Corrective action: Deletion, correction, or improved handling of your information
- Systemic changes: The organisation must update policies, staff training, or security controls
- Compensation: Payment for financial loss and/or non-economic loss (e.g. distress, humiliation)
- Enforceable undertakings or civil penalties: In serious or repeated cases, the Commissioner can accept an enforceable undertaking or apply to the Federal Court for civil penalties, which under the strengthened post-2022 penalty regime can reach AU$50 million or more for bodies corporate
The Notifiable Data Breaches (NDB) Scheme
The Notifiable Data Breaches scheme requires APP entities to notify both affected individuals and the OAIC when an "eligible data breach" occurs — that is, a breach likely to result in serious harm.
What This Means for You
If your data was caught in a major incident, the organisation should send you a notification explaining what happened, what data was affected, and steps you can take. If you receive such a notification, keep it — it is powerful evidence if you decide to complain.
If you suspect a breach occurred and you were not notified, that itself may be a separate breach of the NDB scheme that you can raise with the OAIC.
Time Limits and Limitations
The OAIC generally expects complaints to be lodged within 12 months of you becoming aware of the conduct. Late complaints may still be accepted in exceptional circumstances, but acting promptly preserves evidence and improves outcomes.
The OAIC may also decline to investigate where:
- The complaint is trivial, vexatious, or made in bad faith
- The conduct is being handled by another regulator (e.g. ACMA for spam, AFCA for financial services)
- You did not give the organisation a chance to respond first
- An adequate remedy has already been provided
Protecting Yourself After a Breach
Lodging a complaint is only part of the response. If your personal information has been exposed, take immediate practical steps to limit harm.
Immediate Actions
- Change passwords on the affected account and anywhere you reused them. Use a password manager and enable multi-factor authentication.
- Place a credit ban with Equifax, Experian, and illion if financial data was exposed. Bans are free and last at least 21 days, renewable indefinitely.
- Apply for IDCARE support — Australia's national identity and cyber support service offers free case management.
- Replace compromised documents. Driver's licences, Medicare cards, and passports can be reissued; some states will waive fees if you can prove a breach.
- Watch for scams. Breach victims are heavily targeted by phishing emails, SMS, and phone calls referencing the breach.
- Tighten your browsing privacy. Use encrypted DNS (DoH or DoT), a privacy-focused browser, and review which apps have access to your accounts.
If you regularly share links — for work, research, or social media — also consider how much metadata those links leak. Using a reputable link management tool like Lunyb lets you control, expire, or replace shortened URLs without exposing underlying tracking parameters. For a broader comparison of options, see our 2026 buyer's guide to URL shorteners.
When to Get Legal Help
Most OAIC complaints can be handled without a lawyer. However, you may want professional advice if:
- You suffered significant financial loss or identity theft
- The breach affects your employment, immigration status, or health
- You want to join or start a representative (class) action — major breaches often trigger these in the Federal Court
- The organisation is threatening legal action against you
Community legal centres, Legal Aid in each state, and law school clinics often offer free initial advice on privacy matters.
How to Strengthen Your Complaint
Case officers handle hundreds of complaints. Clear, organised, and factual submissions stand out and tend to progress faster.
Best-Practice Tips
- Be specific. Replace "they messed up my data" with "on 14 March 2026 they emailed my home address to another customer".
- Stay factual. Avoid emotional language; let the facts demonstrate the seriousness.
- Quantify harm. Note dollar amounts, hours spent, medical impacts, or specific scams received.
- Reference the APPs where you can. For example, APP 6 (use and disclosure) or APP 11 (security of personal information).
- Propose a remedy. Tell the OAIC what would resolve the matter for you.
- Keep going. Respond promptly to OAIC requests for further information.
Frequently Asked Questions
How much does it cost to lodge an OAIC privacy complaint?
Lodging a complaint with the OAIC is completely free. There are no application fees, and you do not need to hire a lawyer. The OAIC also offers free interpreter services and accessibility support to help you lodge.
Can I get compensation for a privacy breach?
Yes. The Australian Information Commissioner can order an organisation to pay compensation for both economic loss (such as the cost of replacing identity documents) and non-economic loss (such as distress, anxiety, and humiliation). Awards in determinations typically range from a few thousand dollars to tens of thousands, depending on the severity and impact.
How long does an OAIC complaint take?
Simple matters resolved through conciliation can take 3–6 months. Complaints that proceed to formal investigation and a Commissioner's determination can take 12–24 months or longer, especially for complex or large-scale incidents. Acknowledgement typically arrives within a few weeks of lodging.
What if the organisation is overseas?
The Privacy Act has extraterritorial reach. If an overseas organisation carries on business in Australia and collects Australian personal information, it is generally subject to the APPs and you can complain to the OAIC. Cross-border enforcement is harder in practice, but the OAIC cooperates with overseas regulators through international arrangements and forums such as the Global Privacy Assembly.
Can I stay anonymous when lodging a complaint?
The OAIC generally requires your identity to investigate, because they need to verify the conduct relates to your information and contact you for updates. However, you can ask the OAIC to keep your identity confidential from the organisation in certain situations, particularly where you fear retaliation. Discuss this with the case officer when you lodge.
Final Thoughts
Reporting a privacy breach to the OAIC is one of the strongest consumer rights Australians have. The process rewards complainants who act early, complain to the organisation first, gather evidence, and present their case clearly. Even where the OAIC does not order compensation, complaints often drive real changes in how organisations handle personal information — protecting not just you, but everyone whose data they hold.
If you suspect your privacy has been breached, don't wait. Document what you know, escalate internally, and lodge with the OAIC if you are not satisfied. Privacy law in Australia only works when people use it.