OAIC Complaints: How to Report a Privacy Breach in Australia
If your personal information has been mishandled by an Australian business or government agency, you have a legal right to complain. The Office of the Australian Information Commissioner (OAIC) is the national regulator responsible for investigating privacy breaches under the Privacy Act 1988. This guide explains exactly how to report a privacy breach to the OAIC, what evidence you need, how long the process takes, and what remedies you can realistically expect.
What Is an OAIC Complaint?
An OAIC complaint is a formal report lodged with the Office of the Australian Information Commissioner alleging that an organisation covered by the Privacy Act 1988 has interfered with your privacy. This includes mishandling personal information, failing to secure data, disclosing information without consent, or refusing to give you access to your own records.
The OAIC has statutory powers to investigate, conciliate disputes, and in serious cases, make determinations that require organisations to apologise, change their practices, or pay compensation. Since the Notifiable Data Breaches (NDB) scheme commenced in 2018, the OAIC also receives mandatory notifications from organisations when eligible data breaches occur.
Who Can the OAIC Investigate?
Not every organisation falls under OAIC jurisdiction. Generally, the OAIC can handle complaints about:
- Australian Government agencies (federal departments and most statutory bodies)
- Private sector organisations with an annual turnover of more than $3 million
- All health service providers, regardless of size
- Businesses that trade in personal information or provide services under a Commonwealth contract
- Credit reporting bodies and credit providers
- Tax File Number (TFN) recipients
State and territory government agencies are generally covered by their own state-based privacy regulators, not the OAIC. Small businesses under the $3 million threshold are often exempt unless they fall into a special category.
What Counts as a Privacy Breach?
A privacy breach occurs when an entity covered by the Privacy Act breaches one of the 13 Australian Privacy Principles (APPs) or a related code. Common examples include:
- Unauthorised disclosure — sharing your personal data with a third party without consent or legal authority.
- Data security failures — leaving personal information exposed through weak systems, unencrypted databases, or lost devices.
- Collection without consent — gathering sensitive information (health, biometric, financial) without a lawful basis.
- Refusal of access or correction — denying your APP 12 or APP 13 rights to see or fix your records.
- Direct marketing misuse — using your data for marketing when you have opted out.
- Overseas disclosure — sending personal information offshore without adequate safeguards under APP 8.
The 2022 Optus and Medibank incidents are the most high-profile recent examples, but the OAIC receives thousands of individual complaints each year covering issues as small as a single misdirected email.
Before You Complain: Contact the Organisation First
The OAIC will almost always ask whether you have already raised the issue with the organisation involved. This is a mandatory first step in most cases. The regulator wants entities to have a genuine opportunity to fix the problem before it gets involved.
How to Lodge an Internal Complaint
- Find the Privacy Officer. Every APP entity must publish a privacy policy naming a contact point. Check the organisation's website footer or "Privacy" page.
- Put it in writing. Email is ideal because it creates a timestamp. Clearly state that you are making a privacy complaint.
- Describe the breach factually. Include dates, what information was involved, and how you found out.
- State what you want. Ask for a specific remedy — an apology, deletion of data, a policy change, or compensation.
- Give them 30 days to respond. This is the response period the OAIC generally expects organisations to meet.
Keep copies of everything. If the organisation ignores you, gives an inadequate response, or refuses to act, you can then escalate to the OAIC.
How to Lodge an OAIC Complaint: Step by Step
Lodging a complaint with the OAIC is free, and you do not need a lawyer. The process is designed to be accessible to ordinary consumers.
Step 1: Gather Your Evidence
Before you start the form, collect:
- A written timeline of events
- Copies of your internal complaint and the organisation's response (or proof you contacted them)
- Screenshots, emails, letters, or documents that show the breach
- Any evidence of harm — financial loss, distress, identity theft, or reputational damage
Step 2: Submit the Complaint Form
Go to oaic.gov.au and use the online privacy complaint form. You can also lodge by post, email (enquiries@oaic.gov.au), or over the phone on 1300 363 992 if you need assistance. The form asks for:
- Your contact details
- The name of the respondent organisation
- A description of what happened
- What steps you have already taken
- The outcome you want
Step 3: Acknowledgement and Assessment
The OAIC will acknowledge your complaint, usually within a few working days. An officer then assesses whether the complaint falls within jurisdiction and whether there is a reasonable basis to proceed. Under section 41 of the Privacy Act, the Commissioner can decline complaints that are frivolous, out of time, or where you have not first contacted the entity.
Step 4: Conciliation
Most complaints are resolved through conciliation rather than formal investigation. The OAIC acts as a neutral facilitator between you and the organisation to negotiate a settlement. Common outcomes include an apology, correction of records, a change in business practice, staff training, or a compensation payment.
Step 5: Formal Investigation and Determination
If conciliation fails and the matter is serious, the Commissioner may open a formal investigation and issue a determination under section 52. This is legally binding and can order compensation for economic and non-economic loss, including hurt feelings. Determinations are published on the OAIC website.
Timeframes: How Long Does It Take?
Complaint handling is not fast. Here is a realistic view of the timeline:
| Stage | Typical Duration | Notes |
|---|---|---|
| Acknowledgement | 1–2 weeks | Automated or brief written confirmation |
| Initial assessment | 1–3 months | Jurisdiction and prima facie review |
| Conciliation | 3–9 months | Depends on complexity and cooperation |
| Formal investigation | 6–18+ months | Only for unresolved or serious matters |
| Determination | 12–24+ months total | Rare — most cases settle |
You must lodge within 12 months of becoming aware of the breach, or the OAIC may decline to investigate under section 41(1)(c).
The Notifiable Data Breaches (NDB) Scheme
Separately from individual complaints, the NDB scheme requires organisations to notify the OAIC and affected individuals when an "eligible data breach" occurs — that is, unauthorised access, disclosure, or loss of personal information that is likely to result in serious harm.
What You Should Do if You Receive a Breach Notification
- Read the notification carefully. Note exactly which categories of your data were affected.
- Change compromised credentials. Update the affected password, change it on every other account where the same password was reused, and enable two-factor authentication on those accounts.
- Place a credit ban. Contact Equifax, illion, and Experian to freeze new credit applications for at least 21 days (extendable).
- Watch for phishing. Breach victims are targeted for months afterward with tailored scam emails and calls.
- Keep the notification letter. It is evidence if you later lodge an OAIC complaint or class action claim.
Reducing Your Exposure Going Forward
While regulation matters, personal risk mitigation is equally important. Every extra service that holds your data is another potential breach vector. Consider these habits:
- Use a password manager and unique passwords for every account.
- Enable multi-factor authentication, ideally with an authenticator app rather than SMS.
- Give the minimum data required — a fake date of birth on a loyalty form is not fraud.
- Use a secondary email address for signups you do not fully trust.
- When sharing links (for marketing, referrals, or documents), route them through a privacy-conscious shortener such as Lunyb, which lets you track engagement without exposing raw destination URLs or tolerating aggressive third-party trackers.
- Review privacy policies before signing up — look specifically for overseas disclosure clauses.
For a wider comparison of link tools and their privacy trade-offs, see our 2026 URL shorteners buyer's guide.
Possible Outcomes of an OAIC Complaint
The OAIC does not impose criminal penalties directly on individuals within an organisation, but it has significant civil powers. Typical remedies from conciliation or determination include:
- Apology — written acknowledgement of the breach
- Corrective action — deletion, correction, or destruction of your data
- Systemic change — new policies, staff training, external audits
- Compensation — payments typically range from a few hundred dollars to $20,000+ for non-economic loss, and can be higher where economic loss is proven
- Civil penalties — for serious or repeated interferences with privacy, the OAIC can seek civil penalties in the Federal Court. Since December 2022, maximum penalties for corporations are the greater of $50 million, three times the benefit gained, or 30% of adjusted turnover during the breach period.
If You Are Not Satisfied With the Outcome
If your complaint is closed and you disagree with the decision, you have several options:
- Request internal review — ask the OAIC to reconsider under its internal review process.
- Apply to the Administrative Review Tribunal (ART) — the ART replaced the AAT in 2024 and can review certain OAIC decisions.
- Consider a representative action — for large-scale breaches (like Optus or Medibank), class actions in the Federal Court may run in parallel.
- Complain to the Commonwealth Ombudsman — if you believe the OAIC handled your complaint unfairly as an administrative matter.
Common Mistakes to Avoid
- Skipping the internal complaint. The OAIC will almost always send you back to do this first.
- Waiting too long. The 12-month limit is strict.
- Overstating loss without evidence. Compensation requires documented harm — save receipts, medical letters, and correspondence.
- Complaining about the wrong entity. State agencies, small businesses, and individuals acting in a personal capacity are usually outside OAIC jurisdiction.
- Being emotional rather than factual. A calm chronological narrative is far more persuasive than an angry letter.
Frequently Asked Questions
Is there a fee to lodge an OAIC complaint?
No. Lodging a privacy complaint with the OAIC is completely free, and you do not need to hire a lawyer. The process is designed to be accessible to individuals without legal representation, although you can bring a representative or advocate if you wish.
Can I complain about a small business that leaked my data?
Generally no — businesses with annual turnover under $3 million are exempt from the Privacy Act unless they fall into a special category (health service providers, credit reporting, TFN recipients, businesses trading in personal information, or Commonwealth contractors). If the small business is not covered, you may still have recourse through Australian Consumer Law or a civil claim for breach of confidence.
How much compensation can I get for a privacy breach?
Compensation varies significantly. OAIC determinations for individual complaints commonly award between $3,000 and $20,000 for non-economic loss (distress, humiliation, anxiety), with additional amounts for provable economic loss like identity theft costs. Class action settlements for major breaches can result in different per-person outcomes depending on the settlement structure.
What is the difference between the OAIC and a state privacy commissioner?
The OAIC regulates federal agencies and private sector entities under the Commonwealth Privacy Act. State and territory public sector agencies (like state hospitals, schools, and police) are usually regulated by state-based commissioners such as the NSW IPC, OVIC in Victoria, or the OIC in Queensland. If in doubt, lodge with the OAIC — they will refer you to the correct regulator if necessary.
Do I have to prove the organisation intended to breach my privacy?
No. The Privacy Act is a strict liability regime for most APP breaches. You do not need to prove intent or negligence — only that the organisation's conduct interfered with your privacy. However, the seriousness of the breach, including whether it was deliberate or reckless, will influence remedies and any civil penalty proceedings.