OAIC Complaints: How to Report a Privacy Breach in Australia
If an Australian business, government agency or organisation has mishandled your personal information, you have the right to complain to the Office of the Australian Information Commissioner (OAIC). This guide walks you through exactly how OAIC complaints work, what counts as a privacy breach under the Privacy Act 1988, and the step-by-step process to lodge a complaint that gets results.
What Is the OAIC and What Does It Do?
The Office of the Australian Information Commissioner (OAIC) is the independent federal regulator responsible for enforcing the Privacy Act 1988 and the Australian Privacy Principles (APPs). It investigates complaints, conducts assessments, and can take enforcement action against organisations that mishandle personal information.
The OAIC oversees most Australian Government agencies and private sector organisations with an annual turnover of more than $3 million, along with some smaller businesses such as health service providers, credit reporting bodies, and entities that trade in personal information.
Who the OAIC Can and Cannot Investigate
- Can investigate: Federal government agencies, large businesses, private health providers, credit reporters, tax file number recipients, and contracted service providers.
- Cannot investigate: State or territory government agencies (these have their own privacy regulators), most small businesses under $3 million turnover, and registered political parties in some circumstances.
What Counts as a Privacy Breach Under Australian Law?
A privacy breach occurs when personal information is collected, used, disclosed, stored, or destroyed in a way that breaches the Australian Privacy Principles or other obligations under the Privacy Act. This includes both deliberate misuse and accidental data exposure.
Common examples of privacy breaches include:
- An organisation losing your personal data through a cyber incident or data leak
- A company using your information for marketing without consent
- An employee accessing your records without authorisation
- Refusal to give you access to your own personal information
- Refusal to correct inaccurate personal information held about you
- Disclosure of your information to a third party without lawful basis
- Failure to notify you of an eligible data breach under the Notifiable Data Breaches (NDB) scheme
The 13 Australian Privacy Principles (APPs)
The APPs are the cornerstone of Australian privacy law. They cover open and transparent management of personal information, anonymity, collection limits, use and disclosure rules, data quality, security, access, and correction. A complaint to the OAIC typically alleges a breach of one or more APPs.
Step 1: Complain Directly to the Organisation First
Before the OAIC will investigate, you must usually give the organisation 30 days to respond to your complaint. This is a mandatory first step in almost all cases.
- Identify the right contact. Look for the organisation's Privacy Officer or Privacy Policy on their website. Larger entities are required to publish contact details.
- Put your complaint in writing. Email or letter is preferred so you have a record. Clearly describe what happened, when, and which information was affected.
- State the outcome you want. This might be an apology, deletion of data, correction of records, compensation, or changes to their practices.
- Set a deadline. Tell them you expect a response within 30 days, as required before escalation to the OAIC.
- Keep copies of everything. Save sent emails, postal receipts, and any replies you receive.
If the organisation responds and you're satisfied, the matter ends. If they don't respond within 30 days, refuse to engage, or give you an inadequate response, you can escalate to the OAIC.
Step 2: Lodge a Complaint with the OAIC
You can lodge an OAIC privacy complaint online, by post, by email, or by phone. The online form at oaic.gov.au is the fastest route and lets you upload supporting documents directly.
Information You'll Need to Provide
- Your full name and contact details
- The name of the organisation you're complaining about
- A clear description of what happened, including dates
- What personal information was involved
- The original complaint you sent the organisation and any response
- Evidence such as emails, screenshots, letters, or notification messages
- The outcome or remedy you are seeking
Time Limits for Lodging a Complaint
The OAIC generally expects complaints to be lodged within 12 months of becoming aware of the breach. Older complaints may still be accepted but the Commissioner has discretion to decline matters that are out of time, frivolous, or already adequately dealt with.
Step 3: What Happens After You Lodge
Once received, your complaint goes through several stages. Understanding this process helps you manage expectations on timing and outcomes.
The OAIC Complaints Process Stages
- Acknowledgement: The OAIC confirms receipt, usually within a few business days.
- Preliminary assessment: Staff review whether the complaint falls within jurisdiction and whether you've complained to the organisation first.
- Early resolution: The OAIC may attempt informal conciliation between you and the organisation. Many complaints resolve at this stage.
- Formal investigation: If early resolution fails, the Commissioner can open a formal investigation, request documents, and interview parties.
- Determination: The Commissioner can issue a binding determination, including orders to apologise, change practices, or pay compensation.
Typical Timeframes
| Stage | Typical Duration |
|---|---|
| Acknowledgement | 1–7 business days |
| Preliminary assessment | 4–8 weeks |
| Conciliation / early resolution | 2–6 months |
| Formal investigation | 6–18 months |
| Commissioner's determination | 24 months or more, end to end |
Possible Outcomes of an OAIC Complaint
The OAIC has broad remedial powers under section 52 of the Privacy Act. Outcomes range from a simple apology to substantial compensation orders.
- Apology: A formal written or public apology from the organisation
- Practice changes: Orders requiring the organisation to amend its policies, training, or systems
- Correction or deletion: Orders to fix or remove your personal information
- Compensation: Payments for economic loss, hurt feelings, or humiliation — recent determinations have ranged from a few hundred dollars to tens of thousands
- Civil penalties: For serious or repeated interference with privacy, the Federal Court can impose penalties on the organisation
- Enforceable undertakings: Binding commitments by the organisation to improve practices
The Notifiable Data Breaches Scheme
If you've been told an organisation suffered a data breach involving your information, that notification comes from the Notifiable Data Breaches (NDB) scheme. Under this scheme, organisations covered by the Privacy Act must notify both you and the OAIC about eligible data breaches likely to cause serious harm.
Receiving an NDB notification does not automatically mean you have a complaint, but it does give you grounds to ask questions. You can complain to the OAIC if you believe:
- The organisation failed to notify you when it should have
- The notification was misleading or too late
- The breach itself was caused by inadequate security under APP 11
- The organisation has not taken adequate remediation steps
How to Strengthen Your Complaint
Well-evidenced complaints move faster and are more likely to result in meaningful outcomes. Here's how to build a strong case before lodging.
Evidence Checklist
- A timeline of events with specific dates and times
- Screenshots of websites, apps, or messages showing the breach
- Copies of correspondence with the organisation
- Any notification letters or emails (especially NDB notices)
- Records of harm: financial loss, identity theft attempts, stress, time spent remedying
- Identification of which APPs you believe were breached
Protecting Yourself Going Forward
Even while a complaint is being investigated, you should take steps to limit further harm. Change passwords on affected accounts, enable multi-factor authentication, monitor your credit file through Equifax, Experian or illion, and consider a credit ban if identity fraud is a real risk. For ongoing privacy hygiene, use encrypted DNS resolvers, privacy-respecting browsers, and avoid sharing personal information through untrusted short links. Tools like Lunyb let you share links without exposing tracking parameters, which is a small but useful habit when you're trying to reduce your data footprint after a breach.
OAIC Complaints vs Other Avenues
The OAIC is not your only option. Depending on your situation, other regulators or courts may also be appropriate.
| Avenue | Best For | Cost |
|---|---|---|
| OAIC complaint | Federal Privacy Act breaches | Free |
| State privacy regulator | State government agency breaches (e.g. NSW IPC, OVIC) | Free |
| Australian Financial Complaints Authority | Breaches by banks, insurers, super funds | Free |
| Telecommunications Industry Ombudsman | Telco and ISP privacy issues | Free |
| Federal Court action | Serious cases seeking large damages | Significant legal fees |
| Australian Cyber Security Centre (ACSC) | Reporting cybercrime (not a complaint mechanism) | Free |
Recent Trends in OAIC Enforcement
Following high-profile breaches in recent years, the OAIC has become increasingly active. Penalties under the Privacy Act were significantly increased in 2022 — for serious or repeated breaches, body corporates can now face fines of up to $50 million, three times the benefit obtained, or 30% of adjusted turnover, whichever is greater.
The Commissioner has also been more willing to publish determinations naming organisations, conduct own-motion investigations without waiting for individual complaints, and accept representative (group) complaints where many people are affected by the same incident.
Tips for a Successful OAIC Complaint
- Be specific. Vague complaints take longer to assess. Identify the exact information, dates, and APPs involved.
- Stay factual. Avoid emotional language. Stick to what happened and what evidence supports it.
- Quantify harm. If you've suffered financial loss or distress, document it with receipts, medical evidence, or a written impact statement.
- Engage constructively. If the OAIC offers conciliation, participate in good faith. Many complainants get faster outcomes this way.
- Keep records. Maintain a folder of every communication throughout the process.
Frequently Asked Questions
How much does it cost to lodge an OAIC complaint?
Lodging a privacy complaint with the OAIC is completely free. You don't need a lawyer, though you can engage one if your case is complex or involves significant potential compensation.
How long does an OAIC investigation take?
Simple matters resolved through conciliation may close in 2 to 6 months. Formal investigations leading to a Commissioner's determination can take 12 to 24 months or longer, depending on complexity and the organisation's cooperation.
Can I get compensation through the OAIC?
Yes. The Commissioner can order compensation for economic loss and for non-economic loss such as hurt feelings, humiliation, or psychological distress. Awards typically range from a few hundred dollars for minor breaches to tens of thousands of dollars for serious cases involving sensitive information.
What if the organisation is a small business?
Most businesses with annual turnover under $3 million are exempt from the Privacy Act, so the OAIC generally cannot investigate them. Exceptions include health service providers, credit reporting bodies, and businesses that trade in personal information. If your complaint involves an exempt small business, you may need to consider state fair trading bodies or civil action.
Can I remain anonymous when I complain?
No. The OAIC needs your identity to investigate properly and to share details with the organisation so it can respond. However, your information is handled confidentially, and the OAIC will discuss with you what is shared at each stage.
What if I'm not happy with the OAIC's decision?
You can apply to the Administrative Appeals Tribunal (or its successor body) for review of certain OAIC decisions. For Commissioner's determinations, parties can seek enforcement or review through the Federal Court of Australia.
Further Reading
If you're researching privacy and online tools more broadly, you may find these guides useful:
- Best URL Shorteners Reviewed and Compared: 2026 Buyer's Guide
- Is Lunyb Legit? An Honest Review of the URL Shortener in 2026
- Rebrandly Review 2026: Is It Worth the Price?
Reporting a privacy breach takes effort, but it's one of the most effective ways Australians can hold organisations accountable. The OAIC complaints process exists precisely so individuals don't have to fight large corporations alone. With clear evidence, a specific account of what happened, and patience through the process, complainants regularly secure apologies, practice changes, and meaningful compensation under the Privacy Act.