OAIC Complaints: How to Report a Privacy Breach in Australia
If an Australian business, government agency, or health provider has mishandled your personal information, you have the right to complain to the Office of the Australian Information Commissioner (OAIC). The OAIC is the national regulator that enforces the Privacy Act 1988 and the Australian Privacy Principles (APPs). Knowing exactly how to lodge a complaint, what evidence to gather, and what outcomes to expect can turn a frustrating breach into a real resolution.
This guide walks you through the entire OAIC complaints process step by step, explains what qualifies as a privacy breach, and shows you how to protect yourself while you wait for a determination.
What Is the OAIC and What Does It Do?
The Office of the Australian Information Commissioner (OAIC) is the independent Commonwealth authority responsible for privacy regulation, freedom of information oversight, and government information policy in Australia. It investigates complaints, conducts assessments, issues determinations, and can seek civil penalties against organisations that seriously or repeatedly interfere with privacy.
The OAIC's jurisdiction covers:
- Australian Government agencies (including the ATO, Services Australia, and Home Affairs).
- Private sector organisations with an annual turnover of more than $3 million.
- All health service providers, regardless of size.
- Businesses that trade in personal information, credit providers, and TFN recipients.
- Certain small businesses that opt in or handle sensitive data.
If your complaint involves a state or territory government agency, a small business under the threshold, or an employee record dispute, the OAIC may not be the right regulator — you may need to approach a state privacy commissioner (such as the IPC in NSW) or Fair Work.
What Counts as a Privacy Breach Under Australian Law?
A privacy breach occurs when an entity covered by the Privacy Act mishandles your personal information in a way that contravenes the Australian Privacy Principles. Personal information includes anything that could reasonably identify you — name, address, phone number, email, IP address, health records, financial data, and biometric identifiers.
Common Examples of Reportable Breaches
- Unauthorised disclosure: Your data was emailed to the wrong person or leaked in a data breach.
- Excessive collection: A business demanded ID or sensitive information it didn't need.
- Refusal to provide access: You asked for a copy of your personal information and were denied without valid reason.
- Refusal to correct data: You asked for inaccurate records to be fixed and were ignored.
- Misuse of personal information: Your details were used for direct marketing without consent.
- Failure to secure data: Poor cybersecurity led to a Notifiable Data Breach (NDB).
- Overseas disclosure: Data was sent offshore without appropriate safeguards.
The Notifiable Data Breaches (NDB) Scheme
Under the NDB scheme, organisations must notify affected individuals and the OAIC when a data breach is likely to result in serious harm. If you received a data breach notification letter or email, that is often the trigger point for lodging your own complaint — especially if you believe the entity did not respond quickly or transparently.
Step 1: Complain Directly to the Organisation First
The OAIC will almost always ask whether you have raised the issue with the organisation before escalating. This is a mandatory step in most cases, and it often resolves the problem faster than a formal investigation.
- Find their Privacy Officer: APP 1 requires every covered entity to publish a privacy policy that names a contact for complaints.
- Put your complaint in writing: Email is best because it creates a timestamped record.
- Be specific: State what happened, when, which APP you believe was breached, and what outcome you want (an apology, correction, deletion, compensation).
- Give them 30 days to respond: This is the standard window the OAIC expects before it will accept a complaint.
- Keep every reply: Save emails, letters, screenshots, and reference numbers.
If the organisation ignores you, refuses to acknowledge the breach, or offers a response you consider inadequate, you can then escalate to the OAIC.
Step 2: Lodge Your Complaint with the OAIC
OAIC complaints are free to lodge and can be submitted online, by post, or by phone. The online form at oaic.gov.au is the fastest option and lets you upload supporting documents.
Information You'll Need to Provide
- Your full name and contact details.
- The name of the organisation or agency you're complaining about.
- A clear description of what happened, including dates.
- Copies of your original complaint to the organisation and their response.
- Any evidence: emails, screenshots, letters, data breach notifications.
- The outcome you're seeking.
Time Limits
You generally have 12 months from when you became aware of the breach to lodge a complaint. The OAIC can refuse complaints that are older, frivolous, or already dealt with by another body, so don't delay.
Step 3: What Happens After You Lodge
The OAIC handles thousands of complaints each year, so the process is structured to filter and resolve matters efficiently. Here is what typically follows.
Preliminary Assessment
An OAIC officer reviews your complaint to confirm it falls within their jurisdiction and that you have complained to the organisation first. This stage can take a few weeks.
Conciliation
Most complaints are resolved through conciliation — a facilitated discussion between you and the organisation. The OAIC may propose remedies such as:
- A written apology.
- Correction or deletion of your data.
- Changes to the organisation's practices or staff training.
- Compensation for financial loss, wasted expenses, or non-economic harm (hurt feelings, embarrassment).
Formal Investigation and Determination
If conciliation fails and the matter is serious, the Commissioner can open a formal investigation under section 40 of the Privacy Act. This can end in a binding determination requiring the organisation to take action or pay compensation. Determinations are enforceable in the Federal Court.
Civil Penalties for Serious Breaches
Following the 2022 amendments, penalties for serious or repeated privacy interferences can reach the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover — a significant lever the OAIC now wields against major breaches.
OAIC Complaints Timeline at a Glance
| Stage | Who Acts | Typical Duration |
|---|---|---|
| Complain to organisation | You | Up to 30 days for response |
| Lodge complaint with OAIC | You | Same day (online) |
| Preliminary assessment | OAIC | 4–8 weeks |
| Conciliation | OAIC + parties | 3–9 months |
| Formal investigation | OAIC | 6–18 months |
| Determination | Commissioner | Variable |
Evidence That Strengthens Your Complaint
Strong evidence dramatically increases the chance that the OAIC accepts and progresses your complaint. Aim to include:
- Chronology: A dated timeline of every relevant event.
- Original communications: The emails, SMS, or letters that show the breach happened.
- Screenshots: Of websites, error messages, exposed data, or breach notifications.
- Financial records: If you're seeking compensation for actual loss (fraud, identity theft costs).
- Medical or counselling records: If you're claiming non-economic harm.
- The organisation's privacy policy: Highlight the clauses they breached.
Protecting Yourself While You Wait
An OAIC investigation can take months. In the meantime, you should take practical steps to reduce ongoing harm — especially if your data was exposed in a breach.
Immediate Actions
- Change passwords on affected accounts and enable multi-factor authentication.
- Place a credit ban with Equifax, Experian, and illion (free for 21 days, extendable).
- Monitor your accounts for suspicious activity and report anything unusual to IDCARE (1800 595 160).
- If your driver licence, passport, or Medicare number was leaked, apply for replacements.
Reducing Your Digital Footprint Going Forward
Prevention is stronger than remediation. Consider:
- Using unique email aliases for each service you sign up to.
- Switching to a privacy-respecting DNS resolver and browser.
- Avoiding the reuse of personal details on low-trust websites.
- Sharing links through privacy-focused tools rather than trackers. For instance, Lunyb is a URL shortener that lets you share links without the aggressive analytics fingerprinting some competitors use — useful if you're wary of how third parties handle click data. You can read more in our honest Lunyb review or compare options in our 2026 URL shortener buyer's guide.
Common Reasons OAIC Complaints Fail
Not every complaint results in a favourable outcome. Understanding common pitfalls can help you avoid them.
- Skipping the internal complaint: The OAIC will almost always close your matter and redirect you.
- Wrong jurisdiction: Complaints about state agencies, small businesses, or employee records are often outside OAIC scope.
- Insufficient evidence: Vague allegations without documents rarely progress.
- Delay: Complaints made more than 12 months after you became aware may be refused.
- No identifiable harm: Where there is no realistic loss or interference with privacy, the Commissioner may decline to investigate.
Alternative and Complementary Avenues
The OAIC is not your only option. Depending on the situation, you may also:
| Body | When to Use |
|---|---|
| State/Territory Privacy Commissioner | State government agencies (e.g., NSW IPC, OVIC in Victoria). |
| Australian Financial Complaints Authority (AFCA) | Banks, insurers, and financial firms. |
| Telecommunications Industry Ombudsman (TIO) | Phone and internet providers. |
| Australian Communications and Media Authority (ACMA) | Spam, unsolicited marketing, Do Not Call breaches. |
| eSafety Commissioner | Image-based abuse, cyberbullying, adult cyber abuse. |
| Federal Court | Enforcement of OAIC determinations. |
Tips to Maximise Your Chance of a Good Outcome
- Be factual, not emotional: Regulators respond to evidence, not anger.
- Cite the specific APP: Reference the exact principle you believe was breached (e.g., APP 6 — use and disclosure).
- Quantify harm: If you can show dollar amounts or documented distress, do so.
- Be reasonable about remedy: Realistic requests (apology, correction, modest compensation) settle faster than large damages claims.
- Respond promptly: The OAIC may close files if you don't reply to their requests within set deadlines.
Frequently Asked Questions
How much does it cost to lodge an OAIC complaint?
Nothing. Lodging a complaint with the OAIC is completely free, and you do not need a lawyer. The Commissioner's office is designed to be accessible to ordinary consumers.
How much compensation can I get for a privacy breach in Australia?
Compensation is assessed case by case. In practice, awards for non-economic harm (hurt feelings, humiliation) have historically ranged from $3,000 to $20,000, with higher amounts in serious cases. If you can prove actual financial loss — such as fraud costs, identity restoration fees, or medical expenses — those amounts can be added on top.
Can I complain anonymously to the OAIC?
You can raise a concern anonymously, but the OAIC cannot investigate a formal complaint or award you compensation without knowing who you are. For enquiries about systemic issues, an anonymous tip may still prompt an own-motion investigation.
What if the organisation is based overseas?
The Privacy Act has extraterritorial reach. If a foreign organisation carries on business in Australia and collects personal information here, it is bound by the APPs. The OAIC can investigate, though enforcement against non-cooperative overseas entities is more difficult in practice.
Do I need a lawyer to make an OAIC complaint?
No. The process is designed to be self-service, and the OAIC's conciliators actively help unrepresented complainants. You may want legal advice if the breach caused significant financial loss, if you're pursuing Federal Court enforcement, or if the organisation is legally represented and the matter is complex.
Final Thoughts
Reporting a privacy breach to the OAIC is one of the most effective tools Australians have to hold organisations accountable for how they handle personal information. The process rewards preparation: complain to the organisation first, gather solid evidence, be specific about the APP you believe was breached, and be realistic about the remedy you're seeking. Combined with practical self-protection — strong passwords, credit bans, careful online sharing — an OAIC complaint can genuinely change how a business treats your data, and sometimes deliver meaningful compensation as well.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
Data Protection Act 2018 Ireland: Complete Guide
A complete plain-language guide to Ireland's Data Protection Act 2018: how it works alongside the GDPR, the powers of the DPC, individual rights, penalties, and practical compliance steps. Essential reading for any Irish business handling personal data.
ePrivacy Regulations Ireland: Latest Updates for 2026
Ireland's ePrivacy rules are being enforced more aggressively than ever in 2026. This guide breaks down the latest DPC updates on cookies, direct marketing, and consent — plus a practical compliance checklist for Irish businesses.
GDPR in Ireland: Your Privacy Rights Explained (2026 Guide)
Ireland is home to Europe's most influential data regulator. This guide explains your GDPR rights, how to make a Subject Access Request, and what to do if an organisation ignores you — plus practical steps for protecting your privacy every day.
PIPEDA vs GDPR: Canadian Privacy Law Explained (2026 Guide)
PIPEDA and GDPR both protect personal data, but they take very different approaches to consent, breach reporting, and penalties. This guide compares Canada's PIPEDA with the EU's GDPR and explains what Canadian businesses need to do to stay compliant with both.