OAIC Complaints: How to Report a Privacy Breach in Australia
If your personal information has been mishandled by an Australian business or government agency, you have the right to complain to the Office of the Australian Information Commissioner (OAIC). Understanding how to lodge an OAIC complaint properly can make the difference between a swift resolution and months of frustration. This guide walks you through the process, evidence you'll need, and what to expect at each stage.
What Is the OAIC and When Should You Complain?
The Office of the Australian Information Commissioner is the independent national regulator responsible for enforcing the Privacy Act 1988 and the Australian Privacy Principles (APPs). It handles complaints about how organisations collect, use, store, disclose and secure personal information.
You should consider lodging an OAIC complaint when an organisation has:
- Collected personal information without your consent or a lawful basis
- Used or disclosed your data for a purpose you didn't agree to
- Failed to keep your information secure, resulting in a data breach
- Refused to give you access to, or correct, your personal information
- Sent unsolicited direct marketing you cannot easily opt out of
- Mishandled your tax file number, credit information or health records
The OAIC's jurisdiction covers most Australian Government agencies, private sector organisations with annual turnover above $3 million, all health service providers, credit reporting bodies and businesses that trade in personal information. Small businesses under the $3 million threshold are generally exempt unless they fall into one of these special categories.
Understanding a Privacy Breach Under Australian Law
A privacy breach occurs when personal information held by an entity is subject to unauthorised access, unauthorised disclosure, or is lost in circumstances where such access or disclosure is likely. Under the Notifiable Data Breaches (NDB) scheme, organisations must notify both the OAIC and affected individuals when a breach is likely to result in serious harm.
Common Types of Privacy Breaches
- Cyber incidents: Hacking, ransomware attacks, phishing that exposes customer databases
- Human error: Emails sent to the wrong recipient, misdirected mail, lost laptops or USB drives
- System misconfiguration: Publicly accessible cloud storage buckets, exposed APIs
- Malicious insider activity: Employees accessing or leaking records without authorisation
- Third-party breaches: A contractor or supplier compromising your data
What Counts as "Serious Harm"?
The OAIC considers factors such as the kind of information involved (health, financial, identity documents), whether it was encrypted, who obtained access, and the likelihood of identity theft, financial loss, physical safety risks or significant emotional distress. Not every breach reaches this threshold, but the affected individual still has the right to complain.
Step 1: Complain Directly to the Organisation First
The OAIC almost always requires you to raise the issue with the organisation before escalating. This step is mandatory in most cases, and the regulator can decline to investigate if you skip it.
Here's how to do it effectively:
- Find their privacy contact: Every APP entity must publish a privacy policy with contact details for privacy enquiries and complaints.
- Put it in writing: Email or letter creates a paper trail. Clearly state that you are making a formal privacy complaint under the Privacy Act.
- Describe the breach: Include dates, what information was affected, how you found out, and the harm caused.
- State what you want: An apology, correction, deletion, compensation, or changes to their practices.
- Give them 30 days: This is the standard response window the OAIC expects.
Step 2: Preparing Your OAIC Complaint
If the organisation doesn't respond within 30 days, or their response is unsatisfactory, you can lodge a complaint with the OAIC. Preparation is everything — a well-documented complaint is investigated faster and taken more seriously.
Evidence Checklist
- Copies of your original complaint to the organisation
- All correspondence you've received in response
- Screenshots of the breach (e.g. a public webpage exposing your details)
- Copies of notification letters if you received one under the NDB scheme
- Records of any financial loss or harm suffered
- A clear timeline of events
- Copies of the organisation's privacy policy at the relevant time
Writing a Strong Complaint
The OAIC's online complaint form asks for specific information. Structure your narrative chronologically, be factual rather than emotional, and link each allegation to a specific Australian Privacy Principle where possible. For example, an unauthorised disclosure would engage APP 6, while a failure to secure data engages APP 11.
Step 3: Lodging the Complaint
You can submit an OAIC complaint through several channels:
| Method | Best For | Response Time |
|---|---|---|
| Online form (oaic.gov.au) | Most complaints — fastest processing | Acknowledged within days |
| When you have many attachments | Acknowledged within a week | |
| Post | Sensitive matters, no digital access | Slower — allow 2+ weeks |
| Phone (1300 363 992) | Initial enquiries and guidance | Immediate for advice; formal complaint still required in writing |
There is no fee to lodge an OAIC complaint. You can complain on your own behalf, or with permission, on behalf of someone else. If your matter involves multiple affected people, group complaints are possible and often encouraged.
Step 4: What Happens After You Lodge
Once received, your complaint moves through several stages. Understanding this process helps set realistic expectations.
Preliminary Assessment
An OAIC officer reviews the complaint to confirm it falls within jurisdiction and that you've attempted resolution with the organisation. They may ask for further information or refer you back if steps are missing.
Conciliation
The OAIC's preferred approach is conciliation — helping both parties reach a mutually acceptable outcome. This can involve apologies, staff training commitments, monetary compensation, deletion of records, or changes to systems and policies. Most complaints resolve at this stage.
Formal Investigation
If conciliation fails or the matter is serious, the Commissioner may open a formal investigation under section 40 of the Privacy Act. This can result in:
- A determination that the entity engaged in an interference with privacy
- Orders to pay compensation for loss or humiliation
- Enforceable undertakings requiring the entity to change its practices
- Civil penalty proceedings in the Federal Court for serious or repeated breaches — with penalties up to $50 million for corporations
Typical Timelines
Straightforward matters resolve in 3–6 months. Complex investigations, especially those involving large data breaches or cross-border data flows, can take 12 months or longer. The OAIC publishes case studies and enforceable undertakings on its website, which can be useful precedents.
Reducing Your Exposure Before a Breach Happens
Prevention is far easier than pursuing a complaint. While the responsibility legally sits with organisations, individuals can meaningfully reduce their attack surface:
- Limit what you share: Only provide personal information that is genuinely required for the transaction.
- Use unique passwords and multi-factor authentication on every account holding sensitive data.
- Adopt encrypted DNS and a privacy-respecting browser to reduce tracking and lower your public data footprint.
- Be cautious with links: Phishing remains a top cause of breaches. Preview shortened links before clicking — services like Lunyb allow you to see where a URL leads before opening it, which is invaluable when checking suspicious messages that claim to come from banks, government or logistics companies.
- Review privacy settings on social platforms and connected apps quarterly.
- Monitor your credit file through Equifax, Experian or illion, and place a ban if you're concerned about identity theft.
If you're the person running a business that handles customer data, understanding tools you use is equally important. Our 2026 buyer's guide to URL shorteners and honest Lunyb review cover privacy-relevant considerations when selecting link management tools that touch customer data.
Special Situations Worth Knowing
Complaints About Government Agencies
Complaints about Commonwealth agencies follow the same OAIC process. State and territory government agencies are usually covered by state-based privacy regulators — for example, the Information and Privacy Commission NSW or the Office of the Victorian Information Commissioner. Check the entity's jurisdiction before lodging.
Health Information
Health records receive extra protection under the Privacy Act, and the OAIC handles complaints against all health service providers regardless of turnover. Complaints can also be made to state health complaints entities such as the Health Care Complaints Commission (NSW).
Credit Reporting
Complaints about credit reporting bodies and credit providers must generally go to the Australian Financial Complaints Authority (AFCA) first, before the OAIC.
Overseas Organisations
The Privacy Act applies to overseas organisations with an Australian link, including websites that collect data from Australians. The OAIC can investigate, though enforcement can be more complex.
What the OAIC Cannot Do
Managing expectations is important. The OAIC cannot:
- Order criminal prosecution — that's a matter for police
- Award damages for pure economic loss unrelated to the privacy interference
- Handle defamation, workplace disputes, or contractual matters
- Force organisations exempt from the Privacy Act (like most small businesses) to comply
- Act as your legal representative
For matters outside its remit, consider a private lawyer, a community legal centre, the state consumer affairs regulator, or the Australian Cyber Security Centre (ACSC) if the incident involves ongoing cybercrime.
Recent Enforcement Trends
Since the reforms following major breaches such as Optus and Medibank, the OAIC has taken a more assertive stance. Penalty maximums have increased significantly, and the regulator has begun using its Federal Court powers more frequently. Businesses are also facing greater scrutiny around retention — keeping personal data longer than necessary is increasingly treated as a compliance failure in its own right.
For individuals, this shift means complaints are being taken more seriously, particularly where systemic issues affect many people. Class-action-style complaints, coordinated through consumer advocates, are becoming more common.
Frequently Asked Questions
How long do I have to lodge an OAIC complaint?
There is no strict statutory limit, but the OAIC generally expects complaints within 12 months of when you became aware of the issue. Delayed complaints can still be accepted if you can explain the reason, but evidence quality deteriorates over time so acting promptly is best.
Can I be compensated for a privacy breach?
Yes. The Commissioner can award compensation for economic loss (out-of-pocket costs, identity restoration expenses) and non-economic loss (humiliation, distress, hurt feelings). Awards typically range from a few hundred dollars to tens of thousands depending on severity, though larger determinations occur in significant cases.
Will my complaint be made public?
Individual complaints are treated confidentially. However, the OAIC publishes de-identified case notes and formal determinations, which may include enough detail to identify the organisation involved. Enforceable undertakings and civil penalty outcomes are always public.
What if the organisation retaliates against me?
Retaliation for lodging a privacy complaint could itself be an interference with privacy and may breach other laws such as consumer protection or workplace legislation. Document any retaliatory behaviour and raise it with the OAIC officer handling your matter immediately.
Do I need a lawyer?
No — the OAIC process is designed to be accessible without legal representation. That said, for complex matters, significant losses, or if you're considering court proceedings after the OAIC process, legal advice is worthwhile. Community legal centres and Legal Aid may assist eligible individuals at no cost.
Final Thoughts
Reporting a privacy breach to the OAIC is a genuine, accessible remedy that Australians should use when their information rights are violated. The key is preparation: complain to the organisation first, gather evidence methodically, articulate the harm clearly, and be patient through what can be a lengthy process. Combined with sensible personal privacy habits — careful link handling, strong authentication, and mindful data sharing — Australians can meaningfully push back against poor data practices and, over time, help lift the industry standard.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
PIPEDA vs GDPR: Canadian Privacy Law Explained (2026 Guide)
PIPEDA and GDPR both protect personal data, but they take very different approaches to consent, rights, and penalties. This guide compares Canada's and Europe's privacy laws and explains what Canadian businesses need to do to stay compliant in 2026.
DPC Ireland: How to File a Privacy Complaint (2026 Guide)
Learn exactly how to file a privacy complaint with Ireland's Data Protection Commission (DPC) in 2026. This step-by-step guide covers evidence gathering, submission, timelines, and what to expect after you file.
Data Protection Act 2018 Ireland: The Complete Guide
Ireland's Data Protection Act 2018 works alongside GDPR to govern how organisations handle personal data. This complete guide covers key provisions, individual rights, business obligations, DPC enforcement, penalties, and a practical compliance checklist for Irish organisations.
Singapore Online Safety Act 2026: Complete Guide for Users and Businesses
Singapore's Online Safety Act has evolved significantly by 2026, with tougher rules on deepfakes, child safety, and scam content. This complete guide explains who the Act applies to, what platforms and businesses must do, and how everyday users are protected.