OAIC Complaints: How to Report a Privacy Breach in Australia
If your personal information has been mishandled by an Australian business or government agency, you have the right to take action. The Office of the Australian Information Commissioner (OAIC) is the national regulator that investigates privacy breaches under the Privacy Act 1988. This guide explains how to prepare, lodge and follow up on an OAIC complaint, what evidence you need, and what outcomes you can realistically expect.
What Is an OAIC Privacy Complaint?
An OAIC privacy complaint is a formal request asking the Information Commissioner to investigate an organisation that may have interfered with your privacy under the Privacy Act 1988 (Cth). It applies to most Australian Government agencies and to private sector organisations with an annual turnover of more than $3 million, plus some smaller entities such as health providers, credit reporting bodies and businesses that trade in personal information.
A "privacy breach" in this context is broader than a data breach. It includes any conduct that breaches one of the 13 Australian Privacy Principles (APPs), such as collecting personal information you didn't need to provide, refusing to give you access to your own data, sending unsolicited direct marketing, or failing to keep your information secure.
When the OAIC Can Help
The OAIC can typically investigate complaints involving:
- Unauthorised disclosure of your personal information to a third party
- Failure to secure your data, resulting in a leak or hack
- Refusal to provide access to or correct your personal information
- Misuse of your tax file number (TFN)
- Inaccurate credit reporting information
- Unwanted direct marketing where you cannot opt out
- Mishandling of health information by a provider
When the OAIC Cannot Help
Some matters fall outside the OAIC's jurisdiction. These include complaints about state or territory government agencies (which usually have their own privacy regulators), most small businesses with turnover under $3 million, employee records held by a private sector employer that relate directly to your current or former employment, and acts done in the course of journalism by media organisations that have committed to published privacy standards. In those cases the OAIC will redirect you to the correct body.
Step 1: Complain Directly to the Organisation First
Before the OAIC will accept your complaint, you generally need to give the organisation a chance to fix the problem. The Privacy Act requires this unless the Commissioner considers it inappropriate in your circumstances, so treat it as a mandatory first step.
- Find the privacy contact. Look for a "Privacy Officer", "Privacy Contact" or complaints email on the organisation's privacy policy page.
- Put your complaint in writing. Email is best because it creates a timestamped record. Clearly describe what happened, when, and what outcome you want (an apology, deletion of data, compensation, a process change).
- Set a reasonable deadline. The OAIC considers 30 days a reasonable response window. Mention this in your email.
- Keep every reply. Save emails, letters, reference numbers and screenshots in a single folder.
If the organisation responds with a fix that satisfies you, the matter is resolved. If they ignore you, refuse to engage, or offer an inadequate response after 30 days, you can escalate to the OAIC.
Step 2: Gather Your Evidence
A well-evidenced complaint is investigated faster and taken more seriously. Before you lodge, assemble a clear timeline and supporting documents.
Core Evidence Checklist
- Your full name, contact details and any account or customer reference numbers
- The full legal name of the organisation you are complaining about
- Dates, times and a chronological summary of what happened
- Copies of the original complaint you sent to the organisation
- The organisation's reply (or proof you received no reply)
- Screenshots of breach notifications, suspicious emails or exposed data
- Any financial loss, identity theft reports, or emotional impact you've experienced
Redact sensitive details you do not need to share, but keep originals for your own records. If you found your data exposed on a public link or a leaked database, capture the URL and a screenshot showing the date.
Step 3: Lodge Your Complaint With the OAIC
Once the organisation has had its chance to respond, you can lodge a formal complaint with the OAIC. There are several ways to do this.
Online Privacy Complaint Form
The fastest method is the OAIC's online complaint form at oaic.gov.au. The form walks you through the required information section by section and lets you upload attachments. You will receive an automatic acknowledgement with a reference number.
Other Lodgement Channels
| Channel | Best For | Typical Acknowledgement |
|---|---|---|
| Online form | Most individuals | Instant email receipt |
| Email (enquiries@oaic.gov.au) | Complex matters with many attachments | 1–3 business days |
| Post (GPO Box 5288, Sydney NSW 2001) | People without reliable internet | 1–2 weeks |
| Phone (1300 363 992) | Initial enquiry or assistance | Same call |
| National Relay Service | Hearing or speech impairment | Varies |
What to Include in the Complaint
Your written complaint should answer five questions clearly:
- Who are you complaining about?
- What did they do (or fail to do)?
- When did it happen?
- How has it affected you?
- What outcome are you seeking?
Keep the tone factual. Investigators read hundreds of complaints, and a calm, structured submission is far more persuasive than an emotional one.
Step 4: What Happens After You Lodge
After the OAIC receives your complaint, it usually moves through several stages. Timeframes vary based on complexity and current caseload.
Initial Assessment
An OAIC officer reviews the complaint to confirm it falls within jurisdiction and that you've given the organisation a chance to respond. They may contact you for more information. If the complaint is outside jurisdiction, they will redirect you, for example to the Telecommunications Industry Ombudsman, a state privacy commissioner, or the Australian Communications and Media Authority.
Conciliation
The OAIC's preferred outcome is conciliation — a negotiated resolution between you and the organisation. The officer will contact the organisation, share your complaint, and try to broker an agreement. Common outcomes include a written apology, deletion or correction of data, a process change, staff retraining or, occasionally, financial compensation for stress or loss.
Formal Investigation
If conciliation fails or the matter is serious, the Commissioner can open a formal investigation under section 40 of the Privacy Act. The Commissioner has power to compel documents, examine witnesses and make a binding determination under section 52. Determinations can order an organisation to stop the conduct, take corrective steps, or pay compensation.
Typical Timelines
| Stage | Typical Duration |
|---|---|
| Acknowledgement | Within 10 business days |
| Initial assessment | 4–8 weeks |
| Conciliation | 3–6 months |
| Formal investigation | 6–18 months |
| Determination (if needed) | 12–24 months total |
Notifiable Data Breaches: A Different Process
If you've been told your data was caught up in a major hack — such as those affecting telcos, retailers or health insurers — the organisation is required to report it under the Notifiable Data Breaches (NDB) scheme. You can still complain to the OAIC if you believe the organisation:
- Failed to notify you within a reasonable timeframe
- Did not adequately secure your data in the first place
- Has not given you enough information to protect yourself
- Refuses to delete the data now that it's been exposed
While you wait, take protective steps: place a credit ban with Equifax, Experian and illion (an initial ban lasts 21 days and can be extended on request); turn on multi-factor authentication on your email, banking and government accounts; and be alert for phishing that references the breach, since attackers use leaked details to make lures convincing. If identity documents were exposed, contact IDCARE, the national identity and cyber support service, for help replacing them. Reduce future exposure by giving each service only the personal information it genuinely needs.
Possible Outcomes and Remedies
The OAIC cannot impose a fine itself, and any penalty a court orders is paid to the Commonwealth rather than to you, but a complaint can secure meaningful outcomes:
- Apology — Written or public.
- Correction or deletion — The organisation amends or removes the personal information.
- Process changes — Updated privacy policies, staff training, new security controls.
- Compensation — For financial loss, time spent fixing the issue, and non-economic loss such as humiliation or anxiety. Awards typically range from a few hundred to tens of thousands of dollars.
- Civil penalties — For serious or repeated interferences with privacy, the Commissioner can seek penalties in the Federal Court. For a company the maximum is currently the greater of $50 million, three times the value of any benefit obtained from the conduct, or 30% of adjusted turnover for the relevant period.
If You're Not Happy With the Outcome
If your complaint is dismissed or you disagree with how it was handled, you have options:
- Internal review — Ask the OAIC to reconsider the decision in writing.
- Commonwealth Ombudsman — Complain about the OAIC's process, not the underlying privacy issue.
- Administrative Review Tribunal — Apply for review of a formal determination.
- Federal Court — Some determinations can be enforced or challenged in court.
For sector-specific issues you may also have parallel rights: the Australian Financial Complaints Authority for banks and insurers, the Telecommunications Industry Ombudsman for telcos, or your state health complaints commissioner for health providers.
Practical Tips to Strengthen Your Complaint
- Be specific. Quote which Australian Privacy Principle you believe was breached (for example APP 6 — Use or Disclosure, or APP 11 — Security).
- Stick to facts. Avoid speculation about motive; focus on what was done.
- Quantify the impact. If you spent 12 hours changing passwords or paid for credit monitoring, say so.
- Stay responsive. Reply quickly when the OAIC asks for more information; delays can cause closure.
- Keep records of everything. A single PDF timeline is invaluable months later.
Reducing the Risk of Future Breaches
Lodging a complaint is reactive. Equally important is reducing the data you expose in the first place. Consider:
- Using a password manager and unique passwords for every site
- Enabling multi-factor authentication everywhere it's offered
- Switching to an encrypted DNS resolver on your home router
- Using a privacy-respecting browser with tracker blocking enabled
- Limiting the personal information you give to loyalty programs and online forms
Frequently Asked Questions
How long do I have to lodge an OAIC complaint?
There is no strict statutory deadline, but the Commissioner can decline complaints made more than 12 months after you became aware of the breach. Lodge as soon as practical after the organisation responds (or fails to respond) to your direct complaint.
Does it cost anything to complain to the OAIC?
No. Lodging a privacy complaint with the OAIC is free. You don't need a lawyer, although you can engage one if the matter is complex or involves significant compensation.
Can I complain anonymously?
You can raise a confidential concern with the OAIC, but a formal complaint generally requires the organisation to know who you are so they can investigate and respond. The OAIC will, however, keep your details confidential from the public.
What if the organisation is overseas?
The Privacy Act has extraterritorial reach. If an overseas business carries on business in Australia and collects information from Australians, the OAIC may still have jurisdiction. Outcomes can be harder to enforce, but the Commissioner regularly investigates global platforms.
Will my complaint stop the organisation from contacting me?
Not automatically. If you also want to stop marketing or other contact, make that request directly to the organisation in writing and reference the Spam Act 2003 and the Do Not Call Register where relevant.
Final Thoughts
Australia's privacy framework gives you real, enforceable rights — but they only work if you use them. By complaining directly first, gathering solid evidence, and presenting a clear, factual case to the OAIC, you maximise your chance of a meaningful outcome. Even when individual remedies are modest, your complaint contributes to regulatory action that protects every Australian's personal information.