OAIC Complaints: How to Report a Privacy Breach in Australia
If your personal information has been mishandled, leaked, or accessed without your consent, you have the right to take action. In Australia, the Office of the Australian Information Commissioner (OAIC) is the federal regulator responsible for investigating privacy breaches and enforcing the Privacy Act 1988. This guide explains exactly how to lodge an OAIC complaint, what to expect during the process, and how to strengthen your digital privacy going forward.
What Is the OAIC and When Can You Complain?
The Office of the Australian Information Commissioner (OAIC) is the independent statutory body that oversees privacy and freedom of information at the Commonwealth level. It handles complaints about how Australian government agencies and businesses with an annual turnover above A$3 million (plus some smaller entities such as health service providers) manage personal information.
You can make a privacy complaint to the OAIC if you believe an organisation covered by the Privacy Act has:
- Collected your personal information unlawfully or without consent
- Used or disclosed your data for a purpose you didn't agree to
- Failed to keep your information secure, leading to a data breach
- Refused to give you access to your own personal information
- Refused to correct inaccurate information about you
- Sent unwanted direct marketing without an opt-out
- Mishandled your tax file number, credit information, or health records
The OAIC's jurisdiction is wide but not unlimited. It generally does not handle complaints against state or territory government agencies, most small businesses under the turnover threshold, or political parties acting in a political capacity. For those, you may need to contact a state privacy commissioner or another regulator.
Step 1: Complain Directly to the Organisation First
Before the OAIC will accept your complaint, you usually must give the organisation a chance to fix the problem. This is a mandatory first step under the Privacy Act, with limited exceptions.
How to Lodge an Internal Complaint
- Find the privacy contact. Look for a Privacy Officer, Data Protection Officer, or a privacy email address in the organisation's privacy policy (usually linked in the website footer).
- Put your complaint in writing. Email is best because it creates a paper trail. Include the date, your contact details, and a clear description of what happened.
- State what you want. Be specific: an apology, deletion of data, correction, compensation, or a change to internal practices.
- Set a deadline. The OAIC expects organisations to respond within 30 days. Politely request a reply within that timeframe.
- Keep copies of everything. Save emails, screenshots, and any breach notification letters you received.
If 30 days pass without a satisfactory response, or the organisation refuses to engage, you can escalate the matter to the OAIC.
Step 2: Gather Your Evidence
A well-documented complaint is far more likely to succeed. Before submitting anything to the OAIC, assemble the following:
- A timeline of events — when the breach occurred, when you discovered it, and every interaction since
- Copies of correspondence with the organisation, including their final response
- Data breach notifications you received under the Notifiable Data Breaches (NDB) scheme
- Screenshots of the offending content, websites, or settings
- Evidence of harm — financial loss, identity theft attempts, emotional distress, or reputational damage
- The organisation's privacy policy (download a PDF copy in case it changes later)
If your data was exposed in a large-scale incident such as the Optus, Medibank, or Latitude Financial breaches, also note any reference numbers from those incident response programs.
Step 3: Lodge Your Complaint With the OAIC
Once you've given the organisation a fair chance to respond, you can formally lodge a complaint with the OAIC. There are three main ways to do this.
Online Form (Recommended)
Visit oaic.gov.au and use the secure online privacy complaint form. It walks you through each section and lets you attach supporting documents up to 20 MB.
By Post or Email
You can download a PDF complaint form, complete it, and send it to:
GPO Box 5288, Sydney NSW 2001
or email: enquiries@oaic.gov.au
By Phone
Call 1300 363 992 if you need help completing the form or have accessibility requirements. The OAIC can arrange interpreters and alternative formats.
What the Complaint Form Asks
| Section | What to Include |
|---|---|
| Your details | Full name, address, phone, email, preferred contact method |
| The respondent | Name of the organisation or agency you're complaining about |
| What happened | Plain-language description of the breach with dates |
| Internal complaint | Proof you contacted the organisation and their response |
| Impact on you | Financial, emotional, or practical consequences |
| Desired outcome | What you want the OAIC to achieve for you |
| Attachments | Evidence files, screenshots, correspondence |
Step 4: What Happens After You Lodge
The OAIC follows a structured process that usually unfolds in four phases.
- Acknowledgement (within 1–2 weeks). You'll receive a reference number and a case officer's contact details.
- Preliminary assessment. The OAIC decides whether your complaint falls within its jurisdiction and has enough substance to proceed. They may ask for more information.
- Conciliation. This is the most common pathway. The OAIC acts as a neutral party between you and the organisation to negotiate a resolution. Most complaints resolve here.
- Investigation and determination. If conciliation fails and the matter is serious, the Information Commissioner can launch a formal investigation and issue a binding determination, including orders for compensation, apologies, or changes to practices.
Timelines vary widely. Simple matters can close in two to three months; complex cases involving multiple parties or systemic issues can take a year or more.
Possible Outcomes of an OAIC Complaint
The OAIC has a broad toolkit for resolving privacy disputes. Outcomes can include:
- A formal apology from the organisation
- Correction or deletion of inaccurate personal information
- Compensation for financial loss or non-economic harm (such as humiliation, anxiety, or stress)
- Staff training requirements or updates to internal procedures
- Public determinations in serious matters, which act as precedent
- Civil penalties of up to A$50 million per serious or repeated interference with privacy (under the 2022 amendments)
Compensation amounts in conciliated outcomes are typically modest — often a few hundred to a few thousand dollars — but determinations in landmark cases have awarded significantly more.
The Notifiable Data Breaches Scheme
The Notifiable Data Breaches (NDB) scheme requires covered entities to notify the OAIC and affected individuals when a data breach is likely to result in serious harm. If you receive an NDB notification:
- Read the letter carefully — it should explain what was exposed and what steps to take
- Change passwords on the affected service and any other accounts using the same password
- Enable multi-factor authentication wherever possible
- Watch for phishing emails and SMS messages referencing the breach
- Place a credit ban with Equifax, Experian, and illion if financial data was exposed
- Keep the notification — you may need it if you later complain or claim damages
Receiving an NDB notification does not bar you from making an OAIC complaint. In fact, it's often strong evidence that a breach occurred.
Protecting Yourself After a Breach
Lodging a complaint is one part of the recovery process. The other is reducing your exposure going forward. Consider these practical measures.
Reduce What You Share
The safest data is data you never handed over. Use disposable email aliases for sign-ups, decline optional fields on forms, and revisit which apps still have access to your accounts. When sharing links on social media or in messages, use a privacy-respecting link manager such as Lunyb instead of platforms that aggressively profile your traffic. Our honest review of Lunyb explains how the platform handles user data.
Harden Your Accounts
- Use a password manager and unique passwords for every site
- Turn on multi-factor authentication, preferably with an authenticator app or hardware key rather than SMS
- Review login activity monthly on critical accounts (bank, email, myGov)
- Switch DNS to an encrypted resolver such as Cloudflare 1.1.1.1 or Quad9 to limit network-level snooping
Monitor for Misuse
Set up free identity monitoring through services like Have I Been Pwned, and check your credit report at least once a year. If you spot suspicious activity, report it immediately to IDCARE (1800 595 160) — Australia's national identity and cyber support service.
Audit Your Link and Sharing Tools
Marketers and small businesses often share links containing tracking parameters that can leak customer data. If you handle any kind of audience data, review your shortening and analytics stack. Our 2026 buyer's guide to URL shorteners compares the privacy posture of major providers, and our Rebrandly review looks at one of the most popular paid options.
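As a concrete illustration of the tracking-parameter problem described above, the following script finds and strips the query parameters that analytics and advertising platforms commonly append to shared links. It is an added example, not code from this article or from any of the products it mentions; the parameter names and prefixes it recognises are an assumed, constructed list that you should extend to match your own stack, and the sample links are constructed.

```python
"""Find and strip common tracking parameters from URLs before sharing them.

Added example; not code from the article or from any product it mentions.
The parameter list below is an assumption: a constructed set of names that
common analytics and ad platforms append to links. Extend it for your stack.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Exact parameter names that typically carry a per-recipient or per-click
# identifier (assumed list; not from the article).
TRACKING_PARAMS = {
    "fbclid", "gclid", "dclid", "msclkid", "mc_eid", "mc_cid",
    "igshid", "yclid", "_hsenc", "_hsmi", "mkt_tok", "vero_id",
}

# Prefixes for parameter families such as utm_source / utm_medium (assumed).
TRACKING_PREFIXES = ("utm_", "pk_", "mtm_")


def is_tracking_param(name: str) -> bool:
    """True if a query-parameter name looks like a tracking identifier."""
    lowered = name.lower()
    return lowered in TRACKING_PARAMS or lowered.startswith(TRACKING_PREFIXES)


def find_tracking_params(url: str) -> list[str]:
    """Return the tracking parameter names present in a URL, in query order."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if is_tracking_param(name)]


def strip_tracking_params(url: str) -> str:
    """Return the URL with tracking parameters removed.

    Scheme, host, path, the remaining query parameters and the fragment are
    kept; the query string is re-encoded, so percent-encoding is normalised.
    """
    parts = urlsplit(url)
    kept = [(name, value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if not is_tracking_param(name)]
    clean_query = urlencode(kept)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       clean_query, parts.fragment))


def audit_links(urls):
    """Map each URL to the tracking parameters it carries (empty = clean)."""
    return {url: find_tracking_params(url) for url in urls}


if __name__ == "__main__":
    # Constructed sample links, as an outgoing campaign link list might look.
    SAMPLE_LINKS = [
        "https://example.com/offer?utm_source=newsletter&utm_campaign=spring"
        "&id=42&fbclid=abc123",
        "https://example.com/docs#section-2",
        "https://example.com/track?mc_eid=0123abcd&page=1",
    ]
    for link, found in audit_links(SAMPLE_LINKS).items():
        print(link)
        print("  tracking params:", found or "none")
        print("  cleaned:", strip_tracking_params(link))
```

Run it over an export of your outgoing links to see which ones carry recipient-level identifiers such as `mc_eid` or `fbclid`; those are the parameters that tie a click back to a named customer, and they are the ones to remove or replace before a link is shared on.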
When the OAIC Isn't the Right Path
Not every privacy concern belongs at the OAIC. Use this quick reference to find the right body.
| Issue | Where to Go |
|---|---|
| NSW, VIC, QLD state agency mishandling data | State privacy commissioner (IPC NSW, OVIC, OIC QLD) |
| Spam emails or SMS | ACMA (Australian Communications and Media Authority) |
| Scams and identity theft | Scamwatch and IDCARE |
| Cybercrime in progress | ReportCyber via the Australian Cyber Security Centre |
| Defamatory or harmful online content | eSafety Commissioner |
| Consumer issues with a service | State fair trading office or the ACCC |
Tips for a Strong Complaint
- Be concise. Case officers read hundreds of complaints. A clear, chronological narrative beats a 20-page rant.
- Stick to facts. Save emotion for the impact section. Elsewhere, dates and quotes speak louder.
- Cite the Australian Privacy Principles (APPs) if you can. For example, mishandled marketing usually engages APP 7, while security failures engage APP 11.
- Be realistic about outcomes. The OAIC cannot punish individual staff or order criminal penalties. It focuses on systemic fixes and proportionate remedies.
- Respond promptly. If your case officer asks for more information, reply within their deadline or your matter may be closed.
Frequently Asked Questions
How long do I have to lodge an OAIC privacy complaint?
You should lodge within 12 months of becoming aware of the privacy breach. The OAIC can decline complaints that are older unless you provide a reasonable explanation for the delay, such as ongoing negotiations with the organisation or new evidence coming to light.
Does it cost anything to complain to the OAIC?
No. Lodging a privacy complaint with the OAIC is free. You don't need a lawyer, although you can engage one if your case is complex or involves significant damages. Community legal centres and Legal Aid offices can also provide free advice on privacy matters.
Can I get compensation through an OAIC complaint?
Yes. The OAIC can facilitate compensation during conciliation, and the Information Commissioner can order compensation in a formal determination. Awards cover both economic loss (such as fraud-related costs) and non-economic harm (such as distress and humiliation). Amounts vary widely depending on the severity of the breach and the impact on you.
What if the organisation is overseas?
The Privacy Act applies to overseas organisations with an "Australian link" — broadly, those that carry on business in Australia and collect or hold information about Australians. The OAIC can investigate global companies such as social media platforms and cloud providers, although enforcement against foreign entities can be slower and more complex.
Will my complaint be public?
Most conciliated complaints are confidential between you, the organisation, and the OAIC. However, formal determinations published by the Information Commissioner are public documents and may be cited in future cases. The OAIC will typically de-identify complainants in published decisions unless there is a strong public interest in naming them.
Final Thoughts
Reporting a privacy breach to the OAIC may feel intimidating, but the process is designed to be accessible to ordinary Australians without legal representation. The key is to act methodically: complain to the organisation first, gather solid evidence, lodge a clear and well-documented complaint, and follow through on the case officer's requests. Combined with strong personal cyber hygiene — unique passwords, multi-factor authentication, encrypted DNS, and careful link-sharing tools — you can both hold organisations to account and meaningfully reduce your future exposure.