OAIC Complaints: How to Report a Privacy Breach in Australia
If an Australian business, agency or organisation has mishandled your personal information, you have the right to complain to the Office of the Australian Information Commissioner (OAIC). Whether your data was leaked in a breach, shared without consent, or you were denied access to your own records, the OAIC is the national regulator empowered to investigate and resolve these disputes under the Privacy Act 1988.
This guide walks you through, step by step, how to lodge an OAIC privacy complaint, what to expect during the process, and how to strengthen your case with the right documentation.
What Is the OAIC and What Does It Do?
The Office of the Australian Information Commissioner (OAIC) is Australia's independent federal privacy and freedom of information regulator. It enforces the Privacy Act 1988, the 13 Australian Privacy Principles (APPs), the Notifiable Data Breaches (NDB) scheme, and various credit reporting and health information rules.
The OAIC has three main functions relevant to a privacy complaint:
- Investigating complaints from individuals about mishandling of personal information.
- Regulating organisations that fall under the Privacy Act (most businesses with annual turnover above AUD 3 million, all federal agencies, health service providers of any size, and credit reporting bodies).
- Enforcing the Notifiable Data Breaches scheme, which requires eligible entities to report serious breaches to affected individuals and the OAIC.
The OAIC does not handle every kind of privacy issue. State and territory government agencies (other than those of the ACT, which the OAIC does cover), small businesses with annual turnover under AUD 3 million (with some exceptions, covered in the FAQ below), and employee records held by private-sector employers are generally outside its remit.
What Counts as a Privacy Breach Under Australian Law?
A privacy breach occurs when an entity covered by the Privacy Act mishandles your personal information in a way that breaches the Australian Privacy Principles. This includes unauthorised access, disclosure, loss, or misuse of information that can identify you.
Common Types of Privacy Breaches
- Data breaches and hacks — cyber attacks that expose customer databases (like the high-profile Optus and Medibank incidents).
- Unauthorised disclosure — a staff member emails your details to the wrong recipient, or shares information without consent.
- Collection without consent — an organisation collects sensitive information (health, genetic, biometric) without your consent and without another ground the APPs allow.
- Refusal of access or correction — the entity refuses to let you see or correct your own personal information.
- Use for a secondary purpose — your information collected for one reason is used for another (e.g., marketing) without permission.
- Poor data security — failure to protect records with reasonable safeguards, resulting in loss or exposure.
- Excessive retention — keeping your data long after there is any legitimate reason to.
The Notifiable Data Breaches Scheme
Under the NDB scheme, if an eligible data breach is likely to result in serious harm, the organisation must notify you and the OAIC as soon as practicable. If you receive such a notification, it is strong evidence that supports a complaint, especially if you have suffered financial loss, identity theft, emotional distress, or reputational damage as a result.
Before You Complain: Contact the Organisation First
The OAIC will generally not investigate your complaint until you have complained to the organisation and given it a chance to respond. The Privacy Act makes this a required first step; the Commissioner can waive it only where complaining to the organisation first would be inappropriate, and you should not count on that.
Step-by-Step: Making an Internal Complaint
- Identify the right contact. Australian Government agencies must appoint a Privacy Officer; most private-sector organisations are not required to, but APP 1 requires every covered entity's privacy policy to explain how to complain about a breach of the APPs and how the complaint will be handled. Start with the contact that policy names.
- Put it in writing. Email is ideal because it creates a timestamped record. Clearly state you are making a formal privacy complaint under the Privacy Act 1988.
- Describe the breach factually. Include dates, what happened, what information was affected, and how you found out.
- State what you want. A written apology? Deletion of your data? Compensation? Corrective action? Be specific.
- Give them 30 days. The OAIC expects organisations to have a reasonable opportunity — usually 30 days — to respond before escalation.
- Keep every reply. Save emails, letters, screenshots and case reference numbers.
If the organisation does not respond within 30 days, or if their response is inadequate, you can then escalate to the OAIC.
How to Lodge an OAIC Privacy Complaint
Lodging a complaint with the OAIC is free. You do not need a lawyer, and the process is designed to be accessible to individuals with no legal background.
What You'll Need Before You Start
- Your full name, contact details, and preferred method of correspondence.
- The name of the organisation or agency you're complaining about.
- A clear timeline of events, from when the breach occurred to your most recent contact with the organisation.
- Copies of your written complaint to the organisation and their response (or evidence they didn't respond).
- Any supporting documents — breach notification letters, screenshots, emails, transaction records.
- A description of how you have been affected (financial loss, distress, identity theft risk).
- The outcome you are seeking.
Lodging Options
- Online form — the OAIC's website hosts an online privacy complaint form, which is the fastest route.
- Email — you can email a completed complaint form or a written complaint to the OAIC.
- Post — mail your complaint to the OAIC's national office in Sydney.
- Phone assistance — the OAIC Enquiries Line can help if you have accessibility needs or need translation support.
What Happens After You Lodge a Complaint
Once received, your complaint enters a structured assessment and resolution process. Understanding each stage helps you set realistic expectations — investigations can take several months, sometimes longer for complex matters.
Stage 1: Assessment
The OAIC first checks whether your complaint falls within its jurisdiction and whether you gave the organisation a chance to respond. If not, they may refer you elsewhere or ask you to complete the internal complaint step first.
Stage 2: Conciliation
Most complaints are resolved through conciliation — a facilitated negotiation between you and the organisation. The OAIC acts as a neutral intermediary. Outcomes can include apologies, staff training commitments, policy changes, deletion of data, or financial compensation for actual loss and non-economic harm (such as distress).
Stage 3: Formal Investigation
If conciliation fails, or if the matter is serious enough, the Commissioner may open a formal investigation. This can result in a legally binding determination requiring the organisation to take specific actions and pay compensation. Determinations are published and can be enforced through the Federal Court.
Stage 4: Systemic Action
Where a breach reveals wider problems, the OAIC can launch a Commissioner-initiated investigation, seek civil penalties (which can reach tens of millions of dollars for serious or repeated interferences with privacy), or accept enforceable undertakings from the organisation.
Complaint Outcomes and Timelines at a Glance
| Stage | Typical Duration | Possible Outcome |
|---|---|---|
| Internal complaint to organisation | Up to 30 days | Apology, remedy, or unsatisfactory response |
| OAIC assessment | 2–8 weeks | Accepted, declined, or referred elsewhere |
| Conciliation | 2–6 months | Negotiated resolution, compensation |
| Formal investigation | 6–18+ months | Binding determination, orders, compensation |
| Civil penalty proceedings | 12+ months | Court-ordered fines against organisation |
Evidence That Strengthens Your Complaint
The quality of your evidence significantly influences the outcome. Strong complaints are supported by contemporaneous documentation — records made at or near the time of the events.
Documentation Checklist
- Breach notification letter if you received one under the NDB scheme.
- Copies of correspondence with the organisation (emails, letters, chat logs).
- Screenshots of exposed data, misleading privacy notices, or the organisation's public statements.
- Bank statements or invoices showing financial loss, such as fraudulent transactions or the cost of identity monitoring services.
- Medical or counselling records if you experienced psychological distress requiring treatment.
- Third-party reports — for example, an IDCARE case report, an ACSC ReportCyber reference, or police reports for identity crime.
- A written personal statement describing how the breach has affected you day to day.
Protecting Yourself After a Breach
While your complaint works its way through the OAIC, take practical steps to limit further harm. A regulator can order remedies, but only you can lock down your accounts.
Immediate Actions
- Change passwords on any account linked to the exposed email address. Use a password manager to generate unique, long passphrases.
- Enable multi-factor authentication everywhere it is offered, preferring authenticator apps over SMS where possible.
- Place a credit ban with Equifax, Experian and illion. In Australia this is free and can be renewed. It stops new credit being opened in your name.
- Contact IDCARE, the national identity and cyber support service, for tailored recovery advice.
- Monitor accounts daily for a few weeks, and be alert to phishing that references the leaked details.
Reducing Your Data Footprint Going Forward
Every service you sign up to is another potential breach exposure. Sharing less data in the first place is the most reliable long-term defence. When you share links — for signup pages, appointment forms, or personal profiles — consider using a shortener that respects privacy, has clear data-handling policies, and avoids aggressive tracking. Services like Lunyb focus on privacy-first URL shortening, which can help minimise the trail of tracking data left across the web. For a broader comparison of options, see our 2026 buyer's guide to URL shorteners.
When the OAIC Isn't the Right Path
Not every privacy concern belongs with the OAIC. Sending your complaint to the wrong body can waste months. The table below outlines common alternatives.
| Issue | Right Body |
|---|---|
| NSW, VIC, QLD state government agencies | State privacy regulator (e.g., IPC NSW, OVIC, OIC Qld) |
| Telecommunications provider dispute | Telecommunications Industry Ombudsman (TIO) |
| Bank or insurer dispute | Australian Financial Complaints Authority (AFCA) |
| Spam, telemarketing, Do Not Call issues | ACMA |
| Employee records within your employment | Fair Work Ombudsman or state tribunal |
| Identity crime already occurring | ReportCyber (ACSC) and local police |
Recent Reforms and What They Mean for You
Australia's Privacy Act has been undergoing significant reform following major breaches at Optus, Medibank and other entities. Key changes strengthening consumer rights include:
- Higher penalties — maximum civil penalties for serious or repeated interferences with privacy now reach the greater of AUD 50 million, three times the benefit obtained from the conduct, or 30% of adjusted turnover for the relevant period.
- Statutory tort for serious invasions of privacy — allowing individuals to sue directly in court for egregious invasions.
- Enhanced OAIC powers — including infringement notices and expanded information-gathering.
- Automated decision-making transparency — organisations must disclose when significant decisions about you are made by automated systems.
These reforms are being rolled out in stages, so the exact remedies available at the time you complain may differ from those in effect a year earlier. The OAIC website publishes current guidance.
Frequently Asked Questions
How much does it cost to lodge an OAIC privacy complaint?
Nothing. The OAIC complaint process is free, and you do not need legal representation. If your matter proceeds to conciliation or determination, you can still self-represent, though some complainants choose to engage a lawyer for complex claims involving significant financial loss.
How long do I have to make a complaint after a privacy breach?
There is no strict statutory deadline, but the OAIC may decline to investigate complaints made more than 12 months after you became aware of the issue, unless there is good reason for the delay. Lodge as soon as reasonably possible, ideally within a few months of the organisation's final response to your internal complaint.
Can I get compensation through the OAIC?
Yes. Compensation can be awarded for financial loss (fraud, credit repair, monitoring costs) and non-economic loss (distress, humiliation, injury to feelings). Amounts vary widely — smaller conciliated outcomes may be a few hundred to a few thousand dollars, while formal determinations for serious breaches have awarded tens of thousands per individual.
Will my complaint be public?
Conciliated outcomes are generally confidential. If the Commissioner issues a formal determination, it is published on the OAIC website, but complainants are normally identified only by a pseudonym or initials; your name is published only where that is in the public interest and you consent.
What if the organisation is based overseas?
The Privacy Act has extraterritorial reach. If a foreign organisation carries on business in Australia and collects or holds personal information here, they are covered. The OAIC can and does investigate multinational companies, though enforcement across borders can be more complex and time-consuming.
Can I complain about a small business?
Usually only if the business falls within an exception — such as health service providers, businesses trading in personal information, credit reporting bodies, or those contracted to Commonwealth agencies. Otherwise, small businesses with turnover under $3 million are exempt, though this exemption is under active review.
Final Thoughts
Lodging an OAIC complaint is one of the most powerful tools Australians have to hold organisations accountable for mishandling personal information. The process rewards preparation: complain to the organisation first, keep meticulous records, be specific about the harm you have suffered, and clearly state the outcome you want. Meanwhile, minimise the amount of data you share online in the first place — the strongest privacy protection is data that was never collected. For related privacy-conscious tooling, our honest review of Lunyb covers what to look for in trustworthy web services.