
OAIC Complaints: How to Report a Privacy Breach in Australia

Lunyb Security Team
9 min read

If an Australian business or government agency has mishandled your personal information, you have the right to complain to the Office of the Australian Information Commissioner (OAIC). The OAIC is the national regulator responsible for enforcing the Privacy Act 1988 and the Australian Privacy Principles (APPs). This guide explains exactly how to report a privacy breach, what evidence you need, how long the process takes, and what outcomes you can realistically expect.

What Is the OAIC and What Does It Regulate?

The Office of the Australian Information Commissioner (OAIC) is the independent statutory authority that oversees privacy, freedom of information, and government information policy in Australia. It investigates complaints about how organisations handle personal information under the Privacy Act 1988.

The OAIC has jurisdiction over:

  • Australian Government agencies (including most departments and statutory bodies)
  • Private sector organisations with an annual turnover of more than $3 million
  • All private health service providers, regardless of turnover
  • Credit reporting bodies and credit providers
  • Tax File Number (TFN) recipients
  • Some small businesses that trade in personal information or contract with the Commonwealth

If your complaint involves a state or territory government agency, a small business not covered above, or an employer's handling of employee records, the OAIC may not have jurisdiction — and you may need to contact a state privacy commissioner instead (for example, the IPC in NSW or OVIC in Victoria).

What Counts as a Privacy Breach?

A privacy breach occurs when an entity covered by the Privacy Act mishandles your personal information in a way that contravenes the Australian Privacy Principles. Personal information includes any information or opinion that could reasonably identify you, even if it isn't your name — things like your address, phone number, IP address, health data, or biometric identifiers.

Common Examples of Reportable Breaches

  • Unauthorised disclosure: Your data was leaked to a third party without consent.
  • Data breach incidents: A hack, ransomware attack, or accidental email exposed your details.
  • Collection without consent: An organisation gathered sensitive information you didn't agree to provide.
  • Failure to provide access: A business refused your request to view the personal data it holds about you.
  • Refusal to correct inaccurate data: The organisation won't fix wrong information after you've asked.
  • Direct marketing without opt-out: You can't unsubscribe, or marketing continues despite your request to stop.
  • Misuse of TFN, government identifiers, or credit information: These have stricter rules under the Act.

Before You Complain: Contact the Organisation First

The OAIC will almost always require you to raise your concern directly with the organisation before lodging a formal complaint. This is a mandatory first step under section 40(1A) of the Privacy Act — except in cases where it would be unreasonable to expect you to do so (such as where contact information isn't available).

How to Contact the Organisation

  1. Find their privacy officer. Most APP-covered entities must publish a privacy policy listing a contact point for privacy complaints.
  2. Put the complaint in writing. Email is ideal because it creates a timestamped record. Clearly state that you are making a "privacy complaint" under the Privacy Act.
  3. Be specific. Identify which APPs you believe were breached, what happened, and the outcome you want (an apology, deletion, correction, compensation, or policy change).
  4. Set a deadline. The OAIC generally expects organisations to be given 30 days to respond.
  5. Keep records. Save copies of every email, letter, screenshot, and reference number.

If the organisation refuses, ignores you, or gives an inadequate response after 30 days, you can escalate to the OAIC.

How to Lodge an OAIC Complaint: Step-by-Step

Lodging an OAIC complaint is free and can be done entirely online. Here's the process in order.

Step 1: Gather Your Evidence

Before opening the form, collect:

  • Your full name, postal address, email and phone number
  • The full legal name of the organisation (check ABN Lookup if unsure)
  • Dates and a chronological timeline of what happened
  • Copies of your initial complaint to the organisation and their reply
  • Screenshots, emails, notification letters, or any evidence of the breach
  • The specific outcome you are seeking

Step 2: Submit the Online Complaint Form

Go to oaic.gov.au and select "Privacy complaint." The online form takes around 20–30 minutes. You can also lodge by post or email using the downloadable PDF form, or call the enquiries line on 1300 363 992 if you need assistance.

Step 3: Acknowledgement

You will receive written acknowledgement, typically within a few business days. The OAIC will assign a case officer and may ask follow-up questions.

Step 4: Preliminary Assessment

The OAIC reviews whether the complaint falls within its jurisdiction and whether you have given the respondent a reasonable opportunity to resolve the matter. They may decline to investigate if the complaint is frivolous, vexatious, lacking in substance, or already being handled by another body.

Step 5: Conciliation

The OAIC strongly favours conciliation — a structured negotiation between you and the organisation, facilitated by a case officer. Most matters resolve at this stage, often via apology, correction, deletion, compensation, or commitments to change practices.

Step 6: Formal Investigation and Determination

If conciliation fails, the Commissioner may launch a formal investigation under section 40 of the Privacy Act and ultimately issue a determination under section 52. Determinations can require the entity to stop conduct, take remedial action, and pay compensation for loss (including hurt feelings and humiliation).

OAIC Complaint Process at a Glance

Stage                      | Typical Timeframe      | What Happens
---------------------------|------------------------|-------------------------------------------------------------------
Complaint to organisation  | 30 days                | You raise the issue directly and wait for a response.
Lodging with OAIC          | Same day (online)      | You submit the form and supporting documents.
Acknowledgement            | 1–10 business days     | OAIC confirms receipt and allocates a case officer.
Preliminary inquiries      | 1–3 months             | OAIC checks jurisdiction and reviews the file.
Conciliation               | 3–9 months             | OAIC mediates a resolution between the parties.
Formal investigation       | 9–18+ months           | Reserved for serious or unresolved matters; ends in a determination.

Notifiable Data Breaches: A Separate but Related Scheme

Australia's Notifiable Data Breaches (NDB) scheme requires organisations covered by the Privacy Act to notify both the OAIC and affected individuals when an "eligible data breach" occurs — that is, a breach likely to result in serious harm.

If you have received a data breach notification from a company (for example, after a large incident involving health, telco or retail providers), you do not need to wait for them to act. You can:

  1. Follow the protective steps in the notification (reset passwords, monitor credit, replace identity documents).
  2. Complain to the organisation if their response is inadequate.
  3. Lodge an OAIC complaint if you believe your personal information was mishandled.
  4. Apply to IDCARE (idcare.org) for free identity recovery support.

Reducing your digital footprint can also limit your exposure to future breaches. Using disposable email addresses for sign-ups, enabling multi-factor authentication, and choosing link-management tools that don't resell click data — such as Lunyb — are practical steps to take. For a broader review of privacy-aware link tools, see our Best URL Shorteners Reviewed and Compared: 2026 Buyer's Guide.

What Outcomes Can You Realistically Expect?

The OAIC has a range of remedies available, but expectations should be realistic. The regulator is not a court, and conciliated outcomes are usually modest.

Common Conciliated Outcomes

  • A written apology
  • Correction or deletion of personal information
  • Staff training or revised internal procedures
  • Ex gratia payments — historically in the range of a few hundred to a few thousand dollars for non-economic loss

Determinations and Civil Penalties

For serious or systemic breaches, the Commissioner can issue binding determinations, accept enforceable undertakings, or seek civil penalties through the Federal Court. Following 2022 reforms, penalties for serious or repeated interferences with privacy can reach the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover during the breach period for body corporates.

Pros and Cons of Lodging an OAIC Complaint

Pros

  • Free to lodge — no legal fees required
  • No need for legal representation
  • Conciliation is informal and confidential
  • Can result in compensation for hurt feelings, not just financial loss
  • Helps regulators identify systemic problems

Cons

  • Can take many months — sometimes over a year
  • Outcomes are often modest compared to court action
  • OAIC has broad discretion to decline complaints
  • Limited transparency during investigation
  • Conciliated settlements are usually confidential, limiting public accountability

Tips for a Stronger Complaint

  1. Reference specific Australian Privacy Principles. For example, cite APP 6 (use and disclosure) or APP 11 (security of personal information). This shows the OAIC you have done your research.
  2. Quantify the harm. Note stress, anxiety, time spent dealing with the breach, and any financial loss. Keep a diary.
  3. Stay factual and concise. Avoid emotive language; let the evidence speak.
  4. Propose a specific remedy. Tell the OAIC exactly what you want — apology, deletion, compensation of a specific amount, or systemic change.
  5. Respond promptly. Delays in returning information to your case officer are a common reason complaints stall or are closed.

Protecting Your Privacy Going Forward

Filing a complaint addresses past harm, but reducing future risk is just as important. A few practical habits go a long way:

  • Use a password manager with unique passwords per service
  • Enable multi-factor authentication wherever available
  • Switch to encrypted DNS and a privacy-respecting browser
  • Minimise the personal data you share when signing up for services
  • Audit your data brokers and request deletion under APP 12 and APP 13
  • Choose privacy-respecting tools for everyday tasks — for example, when sharing links, services like Lunyb avoid tracking-heavy redirects compared with some alternatives reviewed in our Rebrandly Review 2026

FAQ: OAIC Complaints and Privacy Breaches

How long do I have to lodge an OAIC complaint?

You should lodge as soon as possible, but generally within 12 months of becoming aware of the breach. The Commissioner may decline complaints lodged after this period unless there is a reasonable explanation for the delay.

Can I sue an organisation directly for a privacy breach in Australia?

There is currently no general statutory cause of action for serious invasions of privacy in Australia, although reform proposals are ongoing. In most cases, the OAIC complaints process is the primary avenue. You may also have claims in tort (e.g. breach of confidence, negligence) or under consumer law depending on the circumstances — speak to a lawyer.

Will lodging a complaint cost me anything?

No. Lodging a complaint with the OAIC is free, and you do not need legal representation. The OAIC also cannot award costs against you.

What if the OAIC decides not to investigate?

You can request internal review or, in some cases, seek review by the Administrative Review Tribunal (ART). You may also approach other bodies such as the Australian Financial Complaints Authority (AFCA) for financial services matters, or a state privacy commissioner if jurisdiction was the issue.

Can I claim compensation for stress and anxiety?

Yes. The OAIC can recommend or determine compensation for non-economic loss, including hurt feelings, humiliation and embarrassment. Amounts vary widely depending on the severity of the breach and the impact on you.

This article is general information only and does not constitute legal advice. If your matter is serious or complex, consult a qualified Australian privacy lawyer.
