OAIC Complaints: How to Report a Privacy Breach in Australia (2026 Guide)
What Is the OAIC and Why Does It Matter for Privacy Breaches?
The Office of the Australian Information Commissioner (OAIC) is Australia's independent national regulator responsible for privacy and freedom of information. It oversees compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and it is the primary body to which Australians can lodge complaints when their personal information has been mishandled.
If an organisation or government agency has collected, used, stored, or disclosed your personal information in a way that breaches the Privacy Act, you have the right to complain. Understanding the OAIC complaints process is essential for every Australian consumer, employee, and business owner. Whether you've experienced a data breach, had your medical records improperly shared, or discovered that a company sold your details without consent, the OAIC is your first formal line of recourse.
Who Does the Privacy Act Cover?
The Privacy Act applies to:
- Australian Government agencies — federal departments, statutory agencies, and most government bodies
- Private sector organisations with an annual turnover of more than $3 million
- Smaller organisations that handle health information, trade in personal information, or are otherwise prescribed by law
- Credit reporting bodies and tax file number recipients
Notably, small businesses with a turnover under $3 million are generally exempt unless they fall into one of the categories above. The Privacy Act is being reformed in stages, and further tranches are expected to extend coverage (including narrowing the small business exemption), so check the OAIC's website for the current position before assuming an entity is out of scope.
What Counts as a Privacy Breach?
A privacy breach occurs when an APP entity fails to handle personal information in accordance with the Australian Privacy Principles. Understanding what qualifies is crucial before lodging a complaint.
Common Examples of Privacy Breaches
- An organisation collects your personal data without your knowledge or consent
- A business shares your personal details with a third party you didn't authorise
- A government agency uses your information for a purpose other than why it was collected
- Your employer discloses sensitive health or financial information without permission
- A company fails to secure your data and it is accessed by an unauthorised party
- An entity refuses to give you access to your own personal information
- An organisation does not correct inaccurate personal information upon request
Notifiable Data Breaches (NDB) Scheme
Since February 2018, the Notifiable Data Breaches (NDB) scheme has required entities covered by the Privacy Act to notify both the OAIC and affected individuals of an "eligible data breach": unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to any of the individuals concerned. If you have received an NDB notification from a company, or believe you should have, you can use that as the basis for an OAIC complaint if the organisation failed in its notification obligations or in its underlying duty to secure your information.
Protecting your personal information proactively is equally important. For practical steps you can take right now, see our guide on How to Encrypt Your Internet Traffic: Complete Guide to Online Privacy in 2026.
Before You Lodge an OAIC Complaint: Internal Complaints First
Before the OAIC will formally investigate your complaint, you are generally required to have first raised the issue directly with the organisation concerned. The Privacy Act directs the Commissioner not to investigate a complaint unless the complainant has first complained to the respondent, except where the Commissioner considers that inappropriate in the circumstances.
Steps to Take Before Contacting the OAIC
- Identify the organisation — Confirm the entity that handled your personal information and whether they are covered by the Privacy Act.
- Gather your evidence — Collect emails, letters, screenshots, account statements, or any documents showing how your data was mishandled.
- Submit a formal complaint to the organisation — Write to their privacy officer or complaints team. Most larger organisations have a dedicated privacy contact on their website.
- Allow reasonable time for a response — Give the organisation at least 30 days to respond to your complaint. The OAIC recommends this timeframe as a general benchmark.
- Document everything — Keep records of all correspondence, including dates, names of staff you spoke with, and any responses received.
- Assess the response — If the organisation ignores your complaint, responds unsatisfactorily, or you are not happy with the outcome, you are now ready to approach the OAIC.
Exception: the OAIC can accept a complaint without a prior internal complaint where it considers that inappropriate in the circumstances, for example where there is an imminent risk of serious harm. A lack of any response after 30 days is not an exception so much as the normal trigger: once that period has passed, you can approach the OAIC whether the organisation is a government agency or a private company.
How to Lodge an OAIC Complaint: Step-by-Step
Lodging a complaint with the OAIC is a formal process, but it is free of charge and accessible to all Australians. Here is exactly how to do it.
Step 1: Use the OAIC Online Complaint Form
The OAIC provides an online complaints portal at oaic.gov.au. Navigate to the 'Privacy' section and select 'Make a privacy complaint'. The online form is the fastest and most efficient method. Alternatively, you can submit a written complaint by post or email.
Step 2: Provide Your Personal Details
You will need to supply:
- Your full name and contact information
- Whether you are complaining on your own behalf or on behalf of someone else
- Your preferred contact method for OAIC correspondence
Step 3: Identify the Organisation or Agency
Provide the full name of the organisation, the type of entity (private company, government agency, etc.), and any relevant contact details you have for them.
Step 4: Describe the Privacy Breach in Detail
Clearly explain:
- What personal information was involved
- How you believe it was mishandled
- Which Australian Privacy Principle(s) you believe were breached (if known)
- When the breach occurred or when you became aware of it
- What harm you have suffered or expect to suffer
Step 5: Attach Supporting Evidence
Upload or include copies of your previous correspondence with the organisation, any written responses you received, and any other relevant documentation. The stronger your evidence, the better positioned the OAIC is to act.
Step 6: Indicate Your Desired Outcome
The OAIC will ask what resolution you are seeking. This might include:
- An apology from the organisation
- Deletion or correction of your personal information
- Financial compensation for loss or harm suffered
- A change in the organisation's practices
- A formal investigation or compliance action
Step 7: Submit and Await Acknowledgement
Once submitted, the OAIC will send you an acknowledgement, typically within a few business days. They will then conduct a preliminary assessment to determine whether the complaint is within their jurisdiction and whether it warrants further action.
What Happens After You Lodge a Complaint?
Understanding the OAIC's complaint-handling process helps set realistic expectations about timelines and outcomes. The timelines below are indicative only; the OAIC publishes its service standards and annual complaint-handling statistics on its website, and those figures should be preferred over any general estimate.
The OAIC Complaint Process — Overview
| Stage | What Happens | Approximate Timeline |
|---|---|---|
| Preliminary Assessment | OAIC reviews whether the complaint is in jurisdiction and whether it has merit to proceed | 4–8 weeks |
| Conciliation | OAIC attempts to resolve the complaint informally between you and the organisation | 3–12 months |
| Investigation (if conciliation fails) | The Information Commissioner investigates and may make a formal determination | 6–18 months |
| Determination | Formal decision issued; the organisation may be directed to take specific actions or pay compensation | Variable |
| Federal Court (if determination not complied with) | The OAIC or the complainant can apply to the Federal Court to enforce the determination | Variable |
Conciliation: The Most Common Outcome
The majority of OAIC complaints are resolved through conciliation — a confidential, informal process where an OAIC officer facilitates a discussion between you and the organisation to reach a mutually acceptable resolution. This is faster and less adversarial than a formal investigation. Most complainants find this stage sufficient to achieve their desired outcome.
Formal Investigation and Determination
If conciliation is unsuccessful or the complaint is serious, the Information Commissioner may launch a formal investigation. Following this, they can issue a determination requiring the organisation to:
- Cease the conduct causing the breach
- Apologise to the complainant
- Pay compensation for loss, damage, or injury (including injury to feelings)
- Implement specific changes to their data-handling practices
Time Limits for OAIC Complaints
Timing is critical. The Privacy Act allows the Commissioner to decline to investigate a complaint lodged more than 12 months after you became aware of the act or practice you are complaining about. In practice this works as a 12-month time limit, counted from when you became aware of the breach rather than from when it occurred, although the OAIC has discretion to accept later complaints where there is a good reason for the delay.
This reinforces the importance of acting promptly. If you suspect a breach has occurred, begin documenting your concerns immediately and initiate the internal complaint process without delay.
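The two practical parts of this guide, keeping a dated evidence record of every document and piece of correspondence (the steps under "Before You Lodge an OAIC Complaint") and tracking the 30-day response window and the 12-month lodgement window, can be kept in one small, reproducible file. The script below is an added example, not code from the original page or from the OAIC. The organisation name, dates and document contents are constructed for illustration, and recording a SHA-256 digest of each document is this example's own suggestion so that a copy produced months later can be checked against the original; the 30-day and 12-month figures are taken from the guide's description of the process.

```python
"""Evidence log and deadline tracker for an OAIC privacy complaint.

Added example, not code from the original page. The organisation name,
dates and document contents below are constructed placeholders.
"""
from __future__ import annotations

import calendar
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_WINDOW_DAYS = 30     # benchmark the OAIC suggests giving the organisation
LODGEMENT_WINDOW_MONTHS = 12  # after this the Commissioner may decline to investigate


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the end of the target month."""
    year, month0 = divmod(d.month - 1 + months, 12)
    year += d.year
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class EvidenceItem:
    name: str
    dated: date
    description: str
    sha256: str


@dataclass
class ComplaintFile:
    organisation: str
    aware_on: date                                  # when you became aware of the mishandling
    internal_complaint_sent: date | None = None     # when you wrote to the organisation
    items: list[EvidenceItem] = field(default_factory=list)

    def add(self, name: str, dated: date, description: str, content: bytes) -> EvidenceItem:
        """Record a document with its SHA-256 so later copies can be checked for tampering."""
        item = EvidenceItem(name, dated, description, hashlib.sha256(content).hexdigest())
        self.items.append(item)
        self.items.sort(key=lambda i: (i.dated, i.name))   # keep the log chronological
        return item

    def verify(self, name: str, content: bytes) -> bool:
        """True if `content` matches the digest recorded for `name`."""
        digest = hashlib.sha256(content).hexdigest()
        return any(i.name == name and i.sha256 == digest for i in self.items)

    def response_due(self) -> date | None:
        """End of the 30-day window you gave the organisation, or None if not yet sent."""
        if self.internal_complaint_sent is None:
            return None
        return self.internal_complaint_sent + timedelta(days=RESPONSE_WINDOW_DAYS)

    def lodgement_deadline(self) -> date:
        """12 months from awareness; later complaints may be declined."""
        return add_months(self.aware_on, LODGEMENT_WINDOW_MONTHS)

    def status_on(self, today_iso: str) -> dict:
        """Where the complaint stands on a given day (ISO date string, e.g. '2026-02-19')."""
        today = date.fromisoformat(today_iso)
        due = self.response_due()
        return {
            "response_due": due.isoformat() if due else None,
            "lodge_by": self.lodgement_deadline().isoformat(),
            "ready_for_oaic": due is not None and today >= due,
            "within_window": today <= self.lodgement_deadline(),
        }

    def timeline(self) -> list[str]:
        """Chronological narrative lines, one per evidence item, for the OAIC form."""
        return [f"{i.dated.isoformat()}  {i.name}: {i.description} (sha256 {i.sha256[:12]}...)"
                for i in self.items]


def build_sample_file(aware_iso: str = "2026-01-15", sent_iso: str | None = "2026-01-20") -> ComplaintFile:
    """Constructed sample: a hypothetical 'Example Pty Ltd' and made-up documents."""
    cf = ComplaintFile("Example Pty Ltd", aware_on=date.fromisoformat(aware_iso),
                       internal_complaint_sent=date.fromisoformat(sent_iso) if sent_iso else None)
    cf.add("breach-notice.eml", date(2026, 1, 15),
           "NDB notification received from the organisation", b"Subject: Notice of data breach\n...")
    cf.add("complaint-to-privacy-officer.pdf", date(2026, 1, 20),
           "Internal complaint sent to privacy officer", b"%PDF-1.4 constructed placeholder")
    cf.add("account-screenshot.png", date(2026, 1, 16),
           "Screenshot showing unauthorised access", b"\x89PNG constructed placeholder")
    return cf


if __name__ == "__main__":
    cf = build_sample_file()
    print("\n".join(cf.timeline()))
    print(cf.status_on("2026-02-19"))
```

Run it as-is to see the chronological log and the status for the sample dates; in real use, replace the constructed documents with the actual files (read their bytes from disk) and keep the generated log alongside the copies you attach to the complaint, so you can later show that what you submitted is what you collected.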
Specific Types of Privacy Complaints
Credit Reporting Complaints
If your complaint relates to how a credit reporting body or credit provider has handled your credit information, specific rules under Part IIIA of the Privacy Act apply. The OAIC has a dedicated pathway for credit reporting complaints, and you should mention this when lodging your complaint.
Tax File Number Complaints
Misuse of your Tax File Number (TFN) is handled under the Privacy (Tax File Number) Rule 2015, a legally binding rule issued under the Privacy Act that replaced the earlier TFN Guidelines. If an organisation has collected, used, or disclosed your TFN improperly, the OAIC can investigate.
Health Information Complaints
Health information is classified as sensitive information under the Privacy Act and receives a higher standard of protection. Complaints involving GPs, hospitals, health insurers, or My Health Record are all within the OAIC's remit.
Online Privacy and Digital Tracking
With the rise of digital marketing, concerns about tracking pixels, third-party cookies, and unsolicited data collection are increasingly common. If a website or app operator covered by the Privacy Act has collected or used your data without proper consent, this may constitute a breach. Tools like privacy-focused URL shorteners — such as Lunyb, which prioritises user privacy in link tracking — reflect a broader industry shift towards transparent data handling. For additional context on how shared links can expose your data, read our guide on How to Password Protect a Short Link: Complete Security Guide for 2026.
What If the Organisation Is Not Covered by the OAIC?
If the entity involved is not covered by the federal Privacy Act, you may have other avenues:
| Entity Type | Relevant Regulator or Remedy |
|---|---|
| NSW State Government agency | NSW Privacy Commissioner (IPC NSW) |
| Victorian State Government agency | Office of the Victorian Information Commissioner (OVIC) |
| Queensland State Government agency | Office of the Information Commissioner Queensland |
| Small business (general) | Generally exempt; consider consumer law or state-based remedies |
| Private sector employer (employee records) | The employee records exemption means the Privacy Act often does not apply to a private employer's handling of its own employees' records; the Fair Work Commission or a state body may be relevant depending on the circumstances |
| Financial services organisation | Australian Financial Complaints Authority (AFCA) in addition to OAIC |
Tips for Strengthening Your OAIC Complaint
- Be specific — Vague complaints are harder to act on. Name dates, describe exactly what data was involved, and explain the precise harm caused.
- Reference the relevant APP — If you can identify which Australian Privacy Principle was breached (e.g., APP 3 for collection, APP 6 for use or disclosure, APP 11 for security, APP 12 for access, APP 13 for correction), include that reference.
- Quantify your harm — Whether it is financial loss, emotional distress, reputational damage, or professional consequences, describe it clearly.
- Be concise — Present your case in a clear, chronological narrative. Avoid unnecessary detail that obscures the core issue.
- Follow up — If you have not heard from the OAIC within the expected timeframe, it is appropriate to contact them for an update.
- Seek legal advice if needed — For complex or high-value cases, a privacy lawyer can help you structure your complaint effectively.
Frequently Asked Questions (FAQ)
Can I lodge an OAIC complaint anonymously?
No. To lodge a formal complaint with the OAIC, you must provide your identity. Be aware that the OAIC will generally need to share your complaint, including who you are, with the organisation so that it can respond; what it does not do is publish your details or use them for any purpose other than handling the complaint.
Is there a fee to lodge a complaint with the OAIC?
No. Making a privacy complaint to the OAIC is completely free of charge. The OAIC is a publicly funded independent regulator, and access to its complaints process is a right available to all Australians.
How long does the OAIC take to resolve a complaint?
Timelines vary significantly depending on complexity. Simple matters resolved through conciliation may conclude within three to six months. Formal investigations can take considerably longer — sometimes 12 to 18 months or more. The OAIC publishes annual statistics on complaint handling times in its annual report.
What compensation can I receive from an OAIC complaint?
If the Information Commissioner makes a determination in your favour, they can order the organisation to pay compensation for loss or damage suffered, including injury to feelings and humiliation. There is no statutory cap on compensation amounts, though awards vary based on the severity and circumstances of the breach.
What if I am not satisfied with the OAIC's decision?
If you are dissatisfied with the outcome of an OAIC investigation or determination, you may be able to seek review in the Administrative Review Tribunal (ART), which replaced the Administrative Appeals Tribunal in October 2024, or judicial review in the Federal Court of Australia, depending on the nature of the decision. You should seek legal advice before pursuing this avenue, as it involves more formal legal proceedings.