
OAIC Complaints: How to Report a Privacy Breach in Australia

Lunyb Security Team
10 min read

If an Australian business, agency or organisation has mishandled your personal information, you have the right to take action. The Office of the Australian Information Commissioner (OAIC) is the federal regulator responsible for upholding the Privacy Act 1988 and investigating complaints about privacy breaches. This guide explains exactly how to report a privacy breach to the OAIC, what evidence you need, how long the process takes, and what outcomes you can realistically expect.

What Is an OAIC Privacy Complaint?

An OAIC privacy complaint is a formal report made to the Office of the Australian Information Commissioner alleging that an entity covered by the Privacy Act 1988 has interfered with your privacy in the way it handled your personal information. This includes mishandling, unauthorised disclosure, inaccurate records, refusal of access or correction, or any other failure to comply with the Australian Privacy Principles (APPs).

The OAIC has the legal authority to investigate, conciliate, make determinations and, in serious or repeated cases, seek civil penalties through the Federal Court. Complaints are a key mechanism that gives individuals real leverage against organisations that fail to protect their data.

Who Can the OAIC Investigate?

The OAIC's jurisdiction covers:

  • Australian Government agencies (including most departments and statutory bodies).
  • Private sector organisations with an annual turnover above AUD $3 million.
  • All health service providers, regardless of size.
  • Credit reporting bodies and credit providers.
  • Tax File Number (TFN) recipients.
  • Businesses that trade in personal information or are contracted service providers to the Commonwealth.

Small businesses with turnover under $3 million are generally exempt unless they fall into one of the categories above. State and territory government agencies are usually handled by state-based privacy regulators instead.

What Counts as a Privacy Breach?

A privacy breach occurs when personal information is accessed, used, disclosed, lost or modified without authorisation or in a way that contravenes the Australian Privacy Principles. Not every annoying data practice is a breach — but many are.

Common Examples of Reportable Breaches

  • Data leaks and cyber incidents: A company is hacked and your name, address, ID documents or financial data are exposed.
  • Unauthorised disclosure: A staff member shares your medical records with someone who shouldn't see them.
  • Misdirected information: Your bank statement is posted or emailed to the wrong person.
  • Refusal of access or correction: An organisation won't let you see or fix incorrect personal information it holds about you.
  • Excessive collection: A business collects far more personal information than it needs for a stated purpose.
  • Direct marketing without consent: You're targeted with marketing despite never opting in, or after opting out.
  • Misuse of TFN or credit information: Your tax file number or credit history is handled improperly.

The Notifiable Data Breaches (NDB) Scheme

Since 2018, organisations covered by the Privacy Act must notify both the OAIC and affected individuals about "eligible data breaches" likely to result in serious harm. If you've received a data breach notification letter or email, the organisation has already self-reported — but you can still lodge your own complaint if you believe the response was inadequate or you suffered loss.

Step 1: Complain to the Organisation First

Before the OAIC will accept your complaint, you generally must give the organisation a chance to fix the problem. This is a mandatory step under section 40(1A) of the Privacy Act, with limited exceptions.

  1. Identify the right contact: Most organisations have a privacy officer or a dedicated privacy email (often listed in their privacy policy).
  2. Put your complaint in writing: Email or letter is best because it creates a clear paper trail.
  3. Be specific: Describe what happened, when, what information was involved, and what you want resolved (apology, deletion, compensation, system change).
  4. Set a reasonable deadline: The OAIC typically expects organisations to be given 30 days to respond.
  5. Keep copies: Save every email, reference number and response.

If the organisation refuses to respond, doesn't respond within 30 days, or gives an unsatisfactory answer, you're free to escalate to the OAIC.

Step 2: Prepare Your Evidence

Strong complaints are built on clear documentation. Before submitting, gather everything that supports your version of events.

Evidence Checklist

  • A clear timeline of what happened, with dates.
  • Copies of the data breach notification (if one was issued).
  • All correspondence with the organisation (emails, letters, chat transcripts).
  • Screenshots of websites, accounts, or messages showing the breach.
  • Evidence of any harm: scam attempts, identity theft alerts, financial loss, distress impact statements, medical reports if relevant.
  • Police report numbers if identity crime is involved (report to IDCARE and your local police).
  • Bank or credit bureau records showing fraudulent activity tied to the breach.

Step 3: Lodge Your Complaint With the OAIC

Once you've given the organisation a chance to respond and gathered your evidence, you can formally lodge a complaint. The OAIC offers several channels.

Ways to Submit

  • Online form (most complainants): Submit via the OAIC website's privacy complaint portal; this is the fastest and recommended route.
  • Email (complex cases with attachments): Send a completed complaint form to enquiries@oaic.gov.au with your supporting documents attached.
  • Post (those without digital access): GPO Box 5288, Sydney NSW 2001.
  • Phone (initial enquiries only): 1300 363 992. Staff can guide you through the process, but the complaint itself must be in writing.
  • National Relay Service / Translating and Interpreting Service (accessibility needs): Available for people with hearing or speech needs and for non-English speakers.

What to Include in the Complaint Form

  1. Your full name and contact details.
  2. The name of the organisation or agency you're complaining about.
  3. A clear description of what happened, in chronological order.
  4. The Australian Privacy Principle(s) you believe were breached, if you know.
  5. Evidence of the harm or distress caused.
  6. Confirmation that you have already complained to the organisation, with copies attached.
  7. The outcome you're seeking (apology, correction, compensation, systemic change).

Step 4: What Happens After You Lodge

After you submit, the OAIC follows a structured process. Understanding each stage helps you set realistic expectations.

The OAIC Complaint Process

  1. Acknowledgement: You'll receive confirmation that your complaint has been received, usually within a few business days.
  2. Preliminary assessment: The OAIC checks jurisdiction, whether you've complained to the organisation first, and whether the complaint is within time limits.
  3. Early resolution: Many matters are resolved informally at this stage, with the OAIC contacting the organisation to seek a remedy.
  4. Conciliation: If informal resolution fails, the Commissioner can require the parties to attend conciliation — a confidential negotiation process.
  5. Investigation: For serious or systemic matters, the Commissioner can launch a formal investigation, demand documents and interview witnesses.
  6. Determination: The Commissioner can make a binding determination, including declarations about compensation, apologies, or required conduct changes.
  7. Enforcement: Where determinations are ignored or breaches are serious, civil penalty proceedings can be commenced in the Federal Court.

How Long Does It Take?

Timelines vary widely. Simple matters resolved at early resolution can close in a few weeks. Conciliated cases typically take 3–9 months. Formal investigations and determinations can take 12–24 months or more, especially for complex cyber incidents involving many affected individuals.

Possible Outcomes and Remedies

The OAIC cannot send anyone to prison or impose criminal punishment, but it can deliver meaningful remedies.

What You Might Receive

  • A formal apology from the organisation.
  • Correction or deletion of inaccurate personal information.
  • Access to information that was previously refused.
  • Compensation for economic loss (out-of-pocket costs, identity restoration expenses).
  • Compensation for non-economic loss (humiliation, anxiety, distress) — typically ranging from a few hundred to tens of thousands of dollars in determined cases.
  • Commitments to change policies, train staff, or implement new security controls.
  • Public reporting, which can damage the organisation's reputation and deter future breaches.

Pros and Cons of Lodging an OAIC Complaint

Pros:

  • Free to lodge — no filing fees.
  • No legal representation required.
  • Can result in real compensation and systemic change.
  • Backed by federal investigative powers.
  • Confidential conciliation process.

Cons:

  • Can be slow, especially for complex matters.
  • You must complain to the organisation first.
  • Compensation amounts are often modest.
  • Not all small businesses are within jurisdiction.
  • Determinations can sometimes be appealed, extending the process.

Reducing Your Exposure Before the Next Breach

Filing a complaint helps after the fact, but minimising the personal information you expose to organisations is the best long-term defence. A few practical habits make a major difference:

  • Use unique, long passwords stored in a reputable password manager.
  • Enable multi-factor authentication on every account that supports it — preferably with an authenticator app or hardware key rather than SMS.
  • Use email aliases or secondary addresses when signing up for services you don't fully trust.
  • Be cautious with shortened links from unknown sources, because a short URL hides its real destination until you click it; expand or preview a link before opening it. Shorteners like Lunyb let you create branded, trackable links with privacy-respecting analytics when you want to share content without leaking unnecessary metadata. You can read our review of Lunyb or compare options in our 2026 URL shortener buyer's guide.
  • Regularly check Have I Been Pwned to see whether your email has appeared in known data leaks.
  • Place a free credit ban with the major Australian credit bureaus (Equifax, Experian, illion) if you suspect ID theft.
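As an added example that is not part of the original article, the block below shows how a Have I Been Pwned check can be automated without ever sending the secret to the service. The bullet above refers to looking up your email address, which on HIBP requires an API key; the related Pwned Passwords range endpoint is freely usable and relies on k-anonymity: the client sends only the first five hex characters of the SHA-1 of the password and matches the remaining 35 characters locally against the returned list. The code is my own, not HIBP's client. The leaked-password corpus and the offline "server" are constructed for the example, and the live fetch function (which calls the public endpoint at https://api.pwnedpasswords.com/range/<prefix>) only runs if you call it yourself with network access.

```python
import hashlib
import urllib.request
from typing import Callable

# Constructed stand-in for HIBP's leaked-password corpus. This is example data
# invented for this block, not anything returned by the real service.
# Values are breach counts.
CONSTRUCTED_LEAKED = {
    "password123": 123456,
    "letmein": 7890,
    "Tr0ub4dor&3": 12,
}


def sha1_hex(password: str) -> str:
    """SHA-1 of the password as 40 upper-case hex characters, the form HIBP uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated) into {suffix: count}."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # tolerate a malformed line rather than crash on it
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times `password` appears in the corpus, or 0 if never seen.
    Only the 5-char prefix leaves this function; the suffix match is local."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- offline server stand-in (constructed for this example) -----------------
REQUESTS_SEEN: list[str] = []  # what the "server" received, to show what leaks


def constructed_range_server(prefix: str) -> str:
    """Behaves like the range endpoint over CONSTRUCTED_LEAKED: returns every
    SUFFIX:COUNT whose SHA-1 starts with `prefix`, plus one count-0 padding
    line of the kind HIBP adds when the client sends 'Add-Padding: true'."""
    REQUESTS_SEEN.append(prefix)
    lines = []
    for pw, count in CONSTRUCTED_LEAKED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix.upper()):
            lines.append(f"{digest[5:]}:{count}")
    lines.append("0" * 35 + ":0")  # decoy padding entry, never a real match
    return "\r\n".join(lines)


# --- live fetch (needs network; not exercised offline) ----------------------
def live_range_fetch(prefix: str) -> str:
    """Query the public HIBP range endpoint. 'Add-Padding: true' asks HIBP to pad
    the response so its size does not reveal how many hashes share the prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "oaic-guide-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple"):
        n = pwned_count(pw, constructed_range_server)
        print(f"{pw!r}: seen {n} times; server received only {REQUESTS_SEEN[-1]}")
```

To check against the real corpus, pass `live_range_fetch` instead of `constructed_range_server`; the local matching logic is unchanged, which is the point of the design: the service learns a 5-character prefix shared by hundreds of hashes, never the password or its full hash.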

When to Get Additional Help

For serious incidents, the OAIC is not your only resource. Consider also contacting:

  • IDCARE — Australia's national identity and cyber support service, free for individuals.
  • ScamWatch — if the breach has led to scam contact.
  • Australian Cyber Security Centre (ACSC) — for ongoing cyber threats.
  • State-based privacy regulators — if a state government agency is involved.
  • Community legal centres or a privacy lawyer — for complex compensation claims or large-scale breaches.

Frequently Asked Questions

How long do I have to lodge an OAIC complaint?

There is no strict statutory deadline, but the OAIC generally expects complaints to be lodged within 12 months of you becoming aware of the breach. Older matters can still be accepted if you can explain the delay, but evidence often becomes harder to obtain over time.

Does it cost money to complain to the OAIC?

No. Lodging a privacy complaint with the OAIC is completely free. You do not need a lawyer, and there are no filing fees. The only costs you might incur are optional, such as obtaining medical reports to evidence distress or paying for legal advice on a complex matter.

Can I get compensation for a privacy breach in Australia?

Yes. The Information Commissioner can make a determination requiring an organisation to pay compensation for both economic loss (such as identity restoration costs) and non-economic loss (such as anxiety, humiliation or distress). Awards in determinations have historically ranged from a few hundred dollars to tens of thousands, with the largest awards reserved for serious or sensitive breaches.

What if the organisation isn't covered by the Privacy Act?

If the entity is a small business under the $3 million threshold and doesn't fall into a covered category (health, credit, TFN, etc.), the OAIC may not have jurisdiction. In that case, consider state privacy regulators, the Australian Competition and Consumer Commission (ACCC) for misleading conduct, or seek legal advice about common-law claims like breach of confidence.

Can I stay anonymous when complaining?

You can make an anonymous enquiry or general tip-off to the OAIC, and the regulator may use that information when deciding whether to open an own-motion investigation. However, to receive a personal remedy such as compensation or an apology, you generally need to identify yourself so the OAIC can investigate your specific circumstances and communicate outcomes to you.

Final Thoughts

An OAIC complaint is one of the most powerful tools Australians have when a business or agency mishandles their personal information. The process is free, accessible, and supported by federal investigative powers — but it works best when you do your homework: complain to the organisation first, gather solid evidence, and clearly articulate the harm you've suffered. Combined with smart everyday privacy habits, knowing how to use the OAIC complaints process turns you from a passive victim into an active participant in Australia's privacy framework.
