OAIC Complaints: How to Report a Privacy Breach in Australia
If an Australian organisation has mishandled your personal information, you have the right to complain to the Office of the Australian Information Commissioner (OAIC). This guide explains exactly how to lodge an OAIC complaint about a privacy breach, what evidence you'll need, how long the process takes, and what outcomes you can realistically expect.
What Is the OAIC and What Does It Do?
The Office of the Australian Information Commissioner (OAIC) is the independent federal regulator responsible for enforcing the Privacy Act 1988 and the Australian Privacy Principles (APPs). It investigates privacy complaints against Australian Government agencies and most private sector organisations with an annual turnover above AU$3 million, along with certain smaller entities such as health service providers and credit reporting bodies.
The OAIC has three core functions when it comes to complaints:
- Conciliation — helping you and the organisation reach a resolution.
- Investigation — examining whether an interference with privacy has occurred.
- Determination and enforcement — issuing binding decisions, requiring compensation, or pursuing civil penalties for serious or repeated breaches.
What Counts as a Privacy Breach Under Australian Law?
A privacy breach occurs when an APP entity mishandles personal information in a way that contravenes the Australian Privacy Principles. This includes data leaks, but also more subtle conduct such as collecting information you didn't consent to share, refusing to give you access to your own records, or using your data for marketing without permission.
Common Examples of Reportable Conduct
- An organisation suffers a cyber incident and your name, address, or identity documents are exposed.
- A staff member accesses your file without a legitimate business reason ("browsing").
- Your details are disclosed to a third party without consent — for example, sent to the wrong email address.
- A company refuses to correct inaccurate information or won't give you access to data it holds about you.
- You receive direct marketing after opting out, or from a list you never consented to.
- Sensitive information (health, biometric, financial) is collected without a clear lawful basis.
The Notifiable Data Breaches (NDB) Scheme
Under the NDB scheme, organisations covered by the Privacy Act must notify both affected individuals and the OAIC when an "eligible data breach" occurs: unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to the people concerned. The notification must identify the organisation, describe what happened and which kinds of information were involved, and recommend steps you should take. If you've received a data breach notification letter from a company like a telco, bank, or retailer, that organisation has already reported the incident to the OAIC, but you can still lodge your own complaint about how the breach was handled or the harm it caused you. Keep the letter: it is evidence of the date and scope of the breach.
Before You Complain: Contact the Organisation First
The OAIC will generally not investigate a complaint until you have first complained to the organisation and given it a reasonable opportunity to respond, usually 30 days. Section 40(1A) of the Privacy Act requires this unless the Commissioner considers it inappropriate for you to approach the organisation directly, so don't skip it without good reason.
How to Make an Effective Initial Complaint
- Find the privacy officer. Every APP entity must have a clear avenue for privacy complaints, usually listed in their privacy policy.
- Put it in writing. Email is ideal because it creates a timestamped record.
- State the facts clearly. Include dates, what happened, which of your information was affected, and how you discovered the breach.
- Identify the APP that was breached if you can (for example, APP 6 — use or disclosure, or APP 11 — security of personal information).
- Specify what you want. An apology, deletion of data, correction, compensation for out-of-pocket expenses, or a change to the organisation's practices.
- Set a deadline. Request a substantive response within 30 days.
If the organisation refuses, gives you an unsatisfactory response, or simply ignores you after 30 days, you can escalate to the OAIC.
How to Lodge an OAIC Complaint: Step-by-Step
Lodging a complaint with the OAIC is free and you don't need a lawyer. The process is designed to be accessible for individuals.
Step 1: Gather Your Evidence
Before you start the form, collect:
- Copies of all correspondence with the organisation (emails, letters, chat logs).
- The organisation's privacy policy at the time of the breach (use the Wayback Machine if it has changed).
- Any data breach notification you received.
- Screenshots, account statements, or other documents showing the breach.
- Evidence of harm — financial loss, identity theft, distress, time spent remediating.
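The Wayback Machine step above is worth doing systematically: you want the version of the privacy policy that was live on the date of the breach, not whatever the site shows today, and a permanent link to it. The following is an added example, not code from the original article or from the OAIC. It queries the public Wayback Machine CDX API (the `/cdx/search/cdx` endpoint with `output=json`, which returns a header row followed by one row per capture) and picks the latest capture on or before the breach date, also flagging whether the policy content changed afterwards. Network access is isolated in `fetch_cdx_rows`; the selection logic runs on a constructed sample response so the rest works offline. Assumptions: no proxy is needed, and the CDX `digest` field is a stable content hash per capture.

```python
"""Locate the archived privacy policy in force on the date of a breach.

Added example, not part of the original article. Uses the Wayback Machine
CDX API (https://web.archive.org/cdx/search/cdx). With output=json the API
returns a JSON list whose first row is a header and whose remaining rows
are captures. The constructed sample at the bottom stands in for a live
response so the selection logic can be exercised offline.
"""
import json
from typing import Optional
from urllib.parse import urlencode
from urllib.request import urlopen

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"


def build_cdx_url(page_url: str, year_from: str, year_to: str) -> str:
    """Query URL for all HTTP-200 captures of page_url within the year window."""
    params = {
        "url": page_url,
        "output": "json",
        "from": year_from,
        "to": year_to,
        "filter": "statuscode:200",          # skip error pages and redirects
        "fl": "timestamp,original,digest",   # only the fields we need
    }
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


def fetch_cdx_rows(query_url: str) -> list:
    """Fetch and parse a live CDX JSON response. Requires network access
    (assumption: direct access, no proxy)."""
    with urlopen(query_url, timeout=30) as resp:
        return json.load(resp)


def parse_rows(rows: list) -> list:
    """Convert [header, row, row, ...] into a list of dicts keyed by header."""
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body]


def replay_url(timestamp: str, original: str) -> str:
    """Permanent link to a capture. The 'id_' flag returns the archived page
    as captured, without the Wayback toolbar injected into the HTML."""
    return f"https://web.archive.org/web/{timestamp}id_/{original}"


def policy_in_force(captures: list, breach_date: str) -> Optional[dict]:
    """Return the latest capture taken on or before breach_date (YYYY-MM-DD).

    CDX timestamps are 14-digit YYYYMMDDhhmmss strings, so comparing them
    as strings against the date prefix orders them correctly. The result
    also records whether the first capture after the breach has a different
    content digest, i.e. whether the policy was changed after the incident.
    """
    cutoff = breach_date.replace("-", "") + "235959"  # include the whole day
    ordered = sorted(captures, key=lambda c: c["timestamp"])
    before = [c for c in ordered if c["timestamp"] <= cutoff]
    after = [c for c in ordered if c["timestamp"] > cutoff]
    if not before:
        return None  # no archived copy predates the breach
    chosen = before[-1]
    changed_after = bool(after) and after[0]["digest"] != chosen["digest"]
    return {
        "timestamp": chosen["timestamp"],
        "url": replay_url(chosen["timestamp"], chosen["original"]),
        "digest": chosen["digest"],
        "changed_after_breach": changed_after,
    }


# Constructed sample CDX response (not real data): header row, then captures.
SAMPLE_CDX = [
    ["timestamp", "original", "digest"],
    ["20240115093012", "https://example.com/privacy", "AAAA1111"],
    ["20240601120000", "https://example.com/privacy", "AAAA1111"],
    ["20240920081500", "https://example.com/privacy", "BBBB2222"],
]

if __name__ == "__main__":
    print(build_cdx_url("example.com/privacy", "2024", "2024"))
    # To run live: rows = fetch_cdx_rows(build_cdx_url(...)) instead of SAMPLE_CDX
    print(policy_in_force(parse_rows(SAMPLE_CDX), "2024-07-10"))
```

Save the replay URL and the capture timestamp with your evidence; a `changed_after_breach` of true is itself worth noting in the complaint, since it shows the organisation altered its stated practices after the incident.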
Step 2: Complete the Online Privacy Complaint Form
The OAIC's online form is available at oaic.gov.au. You can also submit by post, email, or via the National Relay Service. The form asks for:
- Your contact details.
- The name of the organisation you're complaining about.
- A description of what happened and when.
- What steps you've already taken.
- The outcome you're seeking.
Step 3: Acknowledgement and Initial Assessment
The OAIC typically acknowledges receipt within a few business days. A case officer then assesses whether the complaint falls within jurisdiction. Under section 41 of the Privacy Act the Commissioner may decline to investigate if, for example, the matter is frivolous or vexatious, the complaint was made more than 12 months after you became aware of the conduct without good reason, or it is already being handled by another body (such as a state privacy commissioner or the Telecommunications Industry Ombudsman).
Step 4: Conciliation
Most complaints — over 80% historically — are resolved through conciliation. The OAIC contacts the organisation, shares the substance of your complaint, and works with both parties to negotiate an outcome. This is informal, confidential, and usually conducted by phone or email.
Step 5: Formal Investigation (If Needed)
If conciliation fails, the Commissioner can open a formal investigation under section 40 of the Privacy Act. The OAIC can compel documents, interview witnesses, and ultimately issue a binding determination under section 52, which may order the organisation to:
- Stop the conduct.
- Take specific steps to redress loss or damage.
- Pay compensation, including for non-economic loss such as humiliation or distress.
- Issue an apology.
OAIC Complaint Process at a Glance
| Stage | Typical Timeframe | What Happens |
|---|---|---|
| Complaint to organisation | 30 days | You raise the issue directly and give them time to respond. |
| Lodgement with OAIC | Same day (online) | You submit the form with supporting documents. |
| Acknowledgement | 1–10 business days | OAIC confirms receipt and assigns a case officer. |
| Preliminary inquiries | 1–3 months | Jurisdiction check and request for information. |
| Conciliation | 3–9 months | Negotiated resolution between the parties. |
| Investigation & determination | 9–24 months | Formal findings and enforceable orders. |
What Compensation Can You Receive?
The OAIC can award compensation for both economic and non-economic loss. Economic loss covers measurable costs such as replacing identity documents, credit monitoring subscriptions, or lost wages. Non-economic loss covers distress, embarrassment, or anxiety caused by the breach.
In published determinations, non-economic loss awards have historically ranged from around AU$1,000 for minor distress to AU$20,000 or more for serious cases involving sensitive health or financial data. Class actions over large breaches (such as the Medibank and Optus incidents) are court proceedings that run separately from the OAIC process, and any settlement is distributed on its own terms.
Strengthening Your Own Privacy Going Forward
Lodging a complaint addresses past harm, but it's equally important to reduce your exposure to future breaches. A few practical habits make a meaningful difference:
- Minimise the data you share. Don't fill in optional fields. Use a secondary email address for sign-ups and marketing.
- Use unique, strong passwords with a reputable password manager, and enable multi-factor authentication everywhere.
- Audit your accounts annually. Close dormant accounts so old databases don't expose your details when the next breach hits.
- Be cautious with shortened links. Shortened URLs can hide phishing destinations. Use a transparent, privacy-respecting shortener such as Lunyb when you share links yourself, and preview unfamiliar short links before clicking. For a broader comparison of options, see our 2026 buyer's guide to URL shorteners or our honest review of Lunyb.
- Monitor your credit file. All three Australian credit reporting bodies (Equifax, Experian, illion) must place a free ban on your file if you reasonably believe you are a victim of fraud; the initial ban lasts 21 days and can be extended on request. Place the ban with each bureau separately, since they do not share it.
When the OAIC Isn't the Right Body
Not every privacy concern goes to the OAIC. Use this quick reference:
| Issue | Where to Complain |
|---|---|
| State/territory government agency | State privacy commissioner (e.g., IPC NSW, OVIC Victoria) |
| Health records held by a NSW, VIC or ACT public body | State or territory health privacy body (private providers are also covered by the federal Privacy Act, so the OAIC may still apply) |
| Telco or ISP service issue | Telecommunications Industry Ombudsman (TIO) |
| Credit reporting dispute (first instance) | The credit provider, then AFCA |
| Spam emails or SMS | Australian Communications and Media Authority (ACMA) |
| Small business (under $3M turnover, not a health service) | Usually outside the Privacy Act unless the business has opted in or trades in personal information; try state fair trading |
Tips to Maximise Your Chances of a Good Outcome
- Be specific and chronological. A clear timeline helps the case officer understand the breach quickly.
- Quantify the harm. Receipts, bank statements, and medical or counselling notes carry weight.
- Stay professional. Avoid emotional language; let the facts speak.
- Respond promptly to OAIC requests for information. If you do not respond within the period the case officer specifies, the Commissioner can close the complaint.
- Keep records of everything — including phone calls, with date, time and the name of the person you spoke to.
- Consider what you'll accept. Going into conciliation with a realistic figure speeds resolution.
Recent Reforms You Should Know About
Australia's Privacy Act has been under significant reform. The Privacy and Other Legislation Amendment Act 2024 introduced a statutory tort for serious invasions of privacy, a new mid-tier civil penalty for interferences with privacy that fall short of "serious", a low-tier penalty backed by infringement notices for administrative breaches, and expanded powers for the Information Commissioner. The tort commenced in June 2025. It lets an individual sue directly in court where someone intentionally or recklessly intruded on their seclusion or misused their information, they had a reasonable expectation of privacy, the invasion was serious, and the public interest in privacy outweighed any countervailing interest. This is separate from an OAIC complaint and does not depend on the defendant being an APP entity. The dual pathway gives you more leverage but also more strategic choices to weigh up, including cost exposure in court, before deciding which avenue to pursue.
FAQ
How long do I have to lodge an OAIC complaint?
You should generally complain within 12 months of becoming aware of the breach. The Commissioner can decline older complaints unless you have a good reason for the delay, such as ongoing negotiations with the organisation or a recent disclosure that revealed the full extent of the breach.
Does it cost anything to complain to the OAIC?
No. Lodging a complaint is completely free, and you do not need legal representation. The OAIC provides interpreter services and accessibility support at no charge.
Can I stay anonymous when complaining?
You can raise general concerns anonymously, but to receive a remedy — including compensation or correction of records — the OAIC needs to identify you and share details with the respondent organisation. Your contact details are not made public in published determinations unless you consent.
What if the organisation is overseas?
The Privacy Act applies extraterritorially to overseas organisations that carry on business in Australia and collect or hold personal information here. The OAIC has investigated and made determinations against several global companies. Enforcement against entities with no Australian presence can be harder, but it is not impossible.
Will making a complaint hurt my relationship with the organisation?
Adverse treatment in response to a complaint, such as account closure or service refusal, can itself be raised with the OAIC as further conduct and may also engage consumer-protection law. Document any such treatment with dates, as you would the original breach.
What's the difference between an OAIC complaint and a class action?
An OAIC complaint is an administrative process focused on your individual situation, with conciliation and possible compensation. A class action is court-based litigation on behalf of a large group, typically run by a law firm on a no-win-no-fee basis. You can sometimes participate in both, but read class action notices carefully — some require you to opt out if you want to keep your OAIC matter separate.
This article provides general information only and does not constitute legal advice. For advice about your specific situation, consult a qualified Australian privacy lawyer or contact the OAIC directly on 1300 363 992.