
OAIC Complaints: How to Report a Privacy Breach in Australia

Lunyb Security Team
9 min read

If an Australian organisation has mishandled your personal information, you have the right to lodge a formal complaint with the Office of the Australian Information Commissioner (OAIC). The OAIC is the national regulator that enforces the Privacy Act 1988 and the Australian Privacy Principles (APPs), and it provides a free, accessible pathway for individuals to seek redress when their privacy has been breached.

This guide explains exactly how to report a privacy breach to the OAIC, what evidence you need, how long the process takes, and what outcomes you can realistically expect in 2026.

What Is the OAIC and What Does It Regulate?

The OAIC is an independent Australian Government agency that promotes and upholds privacy and information access rights. It investigates complaints under the Privacy Act 1988, oversees the Notifiable Data Breaches (NDB) scheme, and enforces compliance among APP entities — generally Australian Government agencies and private sector organisations with an annual turnover above $3 million, plus health service providers and certain other entities regardless of size.

The OAIC's main functions include:

  • Investigating individual privacy complaints against APP entities
  • Conducting own-motion investigations into systemic breaches
  • Receiving mandatory data breach notifications under the NDB scheme
  • Issuing determinations, enforceable undertakings, and civil penalty applications
  • Providing guidance to organisations and individuals on privacy rights

What Counts as a Privacy Breach Under Australian Law?

A privacy breach occurs when an APP entity mishandles your personal information in a way that contravenes the Australian Privacy Principles. Personal information includes anything that can reasonably identify you — your name, address, phone number, email, date of birth, financial details, health records, and increasingly, digital identifiers like IP addresses and device IDs.

Common Types of Privacy Breaches

  • Unauthorised disclosure — your information was shared with a third party without consent
  • Data breaches — hacking, lost devices, or misdirected emails exposing your data
  • Excessive collection — an organisation collected more information than it needed
  • Refusal to provide access — being denied access to your own personal information
  • Refusal to correct — an organisation refusing to fix inaccurate records
  • Direct marketing without consent — receiving unwanted marketing you can't opt out of
  • Cross-border disclosure — your data sent overseas without proper safeguards

Step-by-Step: How to Lodge an OAIC Complaint

Lodging a complaint with the OAIC is free and can be done online, by post, or by email. The process is designed to be accessible without legal representation, although complex cases sometimes benefit from professional advice.

Step 1: Complain Directly to the Organisation First

Before the OAIC will accept your complaint, you must usually give the organisation a chance to respond. Send a written complaint (email is fine) clearly stating:

  1. What happened and when
  2. What personal information was involved
  3. Why you believe it breaches the Privacy Act
  4. The outcome you want (apology, correction, deletion, compensation)

The organisation has 30 days to respond. If it doesn't respond, responds inadequately, or refuses to fix the issue, you can escalate to the OAIC.

Step 2: Gather Your Evidence

Strong complaints are backed by documentation. Collect:

  • Copies of all correspondence with the organisation
  • Screenshots of breaches (e.g., your data appearing publicly)
  • Data breach notification emails you've received
  • Records of dates, times, and people you spoke with
  • Evidence of harm or loss (financial statements, medical records, etc.)

Step 3: Submit Your Complaint to the OAIC

The fastest method is the online complaint form at oaic.gov.au. You'll need to provide:

  • Your contact details
  • The name of the organisation you're complaining about
  • A description of what happened
  • The steps you've already taken
  • Supporting documents (uploaded as attachments)

Complaints can also be lodged by post to GPO Box 5288, Sydney NSW 2001, or by emailing enquiries@oaic.gov.au.

Step 4: Conciliation and Investigation

The OAIC typically attempts conciliation first — a structured negotiation between you and the organisation. Most complaints resolve at this stage. If conciliation fails or the matter is serious, the Commissioner may formally investigate and issue a binding determination.

OAIC Complaint Timelines: What to Expect

Timelines vary based on complexity, but the OAIC publishes service standards. The table below outlines typical stages and durations in 2026.

Stage                   | Typical Duration         | What Happens
------------------------|--------------------------|------------------------------------------------
Initial acknowledgement | Within 10 business days  | OAIC confirms receipt and assigns a case number
Preliminary assessment  | 1–3 months               | OAIC checks jurisdiction and merit
Conciliation            | 3–6 months               | Structured negotiation between parties
Formal investigation    | 6–12+ months             | Evidence gathering, submissions, draft findings
Determination           | 12–18+ months total      | Binding decision issued by the Commissioner

Notifiable Data Breaches: When Organisations Must Tell You

Since 2018, the Notifiable Data Breaches scheme requires APP entities to notify both the OAIC and affected individuals when a data breach is likely to result in serious harm. If you receive a data breach notification, it's strong evidence supporting any complaint you later lodge.

What an NDB Notification Must Include

  • The identity and contact details of the organisation
  • A description of the breach
  • The kinds of information involved
  • Recommendations on steps you should take

If you suspect an organisation has suffered a breach but hasn't notified you, you can report this directly to the OAIC, which may launch an own-motion investigation. Reducing your exposure online — for example, by using a privacy-respecting link service like Lunyb instead of trackers that harvest click data — is also a sensible preventive measure.

Possible Outcomes of an OAIC Complaint

The OAIC has a range of remedies it can pursue, depending on the severity and nature of the breach. Outcomes can include:

  • Apology — a formal acknowledgement of wrongdoing
  • Correction or deletion — fixing or removing your data
  • Staff training and policy changes — systemic improvements
  • Compensation — typically $1,000–$20,000 for non-economic loss; higher for aggravated cases
  • Enforceable undertakings — legally binding commitments by the organisation
  • Civil penalties — for serious or repeated interferences with privacy, penalties can reach $50 million or more for bodies corporate under the 2022 amendments

OAIC vs Other Complaint Pathways

The OAIC isn't always the right venue. Some matters are handled better by other regulators or tribunals.

Issue                                           | Best Regulator           | Why
------------------------------------------------|--------------------------|-----------------------------------------------------------
Federal agency or large business privacy breach | OAIC                     | Direct Privacy Act jurisdiction
Spam or unsolicited marketing texts             | ACMA                     | Enforces the Spam Act
Telco-specific data issues                      | TIO, then OAIC           | Telecommunications Industry Ombudsman handles disputes first
Credit reporting errors                         | OAIC or AFCA             | Both have jurisdiction over Part IIIA matters
State government agency (NSW, Vic, etc.)        | State privacy regulator  | OAIC only covers federal agencies
Workplace employee records                      | Fair Work or state body  | Employee records exemption applies

Tips for Strengthening Your Complaint

Well-prepared complaints are taken more seriously and resolve faster. Apply these practical tips:

  1. Be specific — cite the relevant Australian Privacy Principle (e.g., APP 6 for use and disclosure)
  2. Quantify the harm — describe stress, financial loss, time spent, or reputational damage
  3. Stay factual — emotive language weakens otherwise strong complaints
  4. Keep a timeline — chronological clarity helps investigators
  5. Propose a remedy — tell the OAIC what would resolve the matter for you
  6. Respond promptly — the OAIC may close inactive matters

Protecting Your Privacy Going Forward

Lodging a complaint addresses past harm, but ongoing privacy hygiene reduces future risk. Review what data you share with each service, opt out of marketing lists, request access to your personal information annually, and use tools that minimise data exposure. For example, when sharing links online, consider how much information the shortener collects — services like Lunyb emphasise minimal tracking compared to legacy alternatives. You can read more about the URL shortener landscape in our 2026 buyer's guide or our honest review of Lunyb.

Recent Reforms to Watch in 2026

The Privacy Act Review continues to reshape Australian privacy law. Key changes that affect how the OAIC handles complaints include:

  • Expanded definition of personal information to clearly include technical identifiers
  • A statutory tort for serious invasions of privacy (limited form enacted)
  • Increased penalties — up to $50 million, three times the benefit obtained, or 30% of adjusted turnover
  • Stronger requirements for direct marketing transparency
  • Children's online privacy code under development

These reforms generally strengthen your position as a complainant and increase the consequences for non-compliant organisations.

Frequently Asked Questions

How much does it cost to lodge an OAIC complaint?

Nothing. Lodging a complaint with the OAIC is free, and you don't need a lawyer. The OAIC provides assistance to people with accessibility needs, language barriers, or other support requirements at no charge.

How long do I have to make a complaint?

You should complain within 12 months of becoming aware of the breach. The OAIC can decline complaints that are made too late unless there are exceptional circumstances. Acting promptly also preserves evidence and increases the likelihood of a useful remedy.

Can I get compensation through an OAIC complaint?

Yes. The Commissioner can order compensation for both economic loss (such as money lost to identity theft) and non-economic loss (such as distress and humiliation). Awards typically range from $1,000 to $20,000 for individual complaints, with significantly higher amounts in cases involving aggravating factors or large-scale breaches.

What if the organisation is based overseas?

The Privacy Act has extraterritorial reach. If an overseas organisation has an Australian link — such as offering goods or services to Australians, or collecting personal information from individuals in Australia — the OAIC can usually investigate. Enforcement against offshore entities is harder in practice, but the OAIC cooperates with international counterparts.

Will my identity stay confidential during the complaint?

The OAIC must share enough information with the organisation to allow them to respond, which usually means revealing your identity. However, the OAIC will not publish your personal details, and any public determinations are typically de-identified. If you have safety concerns, raise them with the OAIC at the outset and they will consider protective measures.

Can I appeal an OAIC decision?

Yes. Determinations can be reviewed by the Administrative Review Tribunal (ART, formerly the AAT). You generally have 28 days to lodge an application for review. Decisions not to investigate can also be challenged in some circumstances.

Final Thoughts

The OAIC complaints process is one of the most accessible privacy enforcement mechanisms in the world. By following the right steps — complaining to the organisation first, gathering solid evidence, and lodging a clear, specific complaint — Australians can hold APP entities accountable without lawyers or court fees. With reforms in 2024 and 2025 substantially increasing penalties and expanding the OAIC's powers, organisations are taking privacy compliance more seriously than ever, which works in your favour as a complainant.

If you believe your privacy has been breached, don't wait. Document what happened, contact the organisation, and if you don't get a satisfactory response within 30 days, escalate to the OAIC.
