OAIC Complaints: How to Report a Privacy Breach in Australia
If an Australian business, government agency or online service has mishandled your personal information, you have the right to complain to the Office of the Australian Information Commissioner (OAIC). Lodging an OAIC complaint is free, doesn't require a lawyer, and can lead to real outcomes — from a formal apology to compensation and enforceable undertakings against the organisation.
This guide walks you through exactly how to report a privacy breach under Australian law, what evidence to gather, how long the process takes, and what to expect once the OAIC begins its investigation.
What Is the OAIC and What Does It Do?
The Office of the Australian Information Commissioner (OAIC) is the independent national regulator responsible for enforcing the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs). It investigates complaints, monitors data breaches, and takes enforcement action against organisations that mishandle personal information.
The OAIC has jurisdiction over:
- Australian Government agencies (with limited exceptions)
- Private sector organisations with annual turnover of more than $3 million
- Small businesses that trade in personal information, provide health services, or are contracted service providers to the Commonwealth
- Credit reporting bodies and credit providers
- Tax File Number (TFN) recipients
If your complaint is against a state or territory government agency, a small business not covered above, or an employer handling employee records, the OAIC generally cannot help — but there are alternative regulators, which we'll cover later.
What Counts as a Privacy Breach Under the Privacy Act?
A privacy breach occurs when an entity covered by the Privacy Act mishandles personal information in a way that contravenes one or more of the Australian Privacy Principles. Personal information includes anything that can identify you — name, address, phone number, email, IP address, health data, financial records, biometrics, or even opinions about you.
Common examples of reportable breaches
- An organisation collects personal information you didn't consent to (APP 3)
- Your data is used for direct marketing without a lawful basis (APP 7)
- A company refuses to give you access to your own records (APP 12)
- An organisation won't correct inaccurate information about you (APP 13)
- Your details are disclosed to a third party without permission (APP 6)
- Personal data is sent overseas without adequate protection (APP 8)
- A data breach — such as a hack, lost laptop, or emailed spreadsheet — exposes your information
- An entity fails to secure your information with reasonable safeguards (APP 11)
Since 2018, the Notifiable Data Breaches (NDB) scheme has required covered entities to notify both the OAIC and affected individuals of any "eligible data breach" likely to result in serious harm.
Step 1: Complain to the Organisation First
Before the OAIC will accept your complaint, you must give the organisation a chance to respond. This is a mandatory step — the OAIC will typically bounce your complaint back if you skip it.
- Identify the right contact. Most organisations have a Privacy Officer or a privacy contact listed in their privacy policy.
- Put your complaint in writing. Email is fine, but keep a copy. Clearly state what happened, when, and what outcome you want (e.g. deletion of data, an apology, compensation).
- Give them 30 days to respond. This is the timeframe the OAIC expects before escalation.
- Keep all correspondence. Save emails, screenshots, letters and any reference numbers.
If the organisation ignores you, refuses to fix the issue, or gives an inadequate response after 30 days, you're ready to escalate.
Step 2: Gather Your Evidence
A well-documented complaint moves faster and is more likely to succeed. Before you file, collect:
- Copies of your original complaint to the organisation and their response (or proof they didn't reply)
- A clear timeline of events with dates
- Screenshots of relevant web pages, forms, emails or notifications
- Any breach notification letters you received
- Evidence of harm — financial loss, emotional distress, identity theft, unwanted contact
- Copies of the organisation's privacy policy at the time of the breach (use the Wayback Machine if it's been updated)
If you shared or received links related to the incident — for instance, phishing URLs or suspicious short links — preserve them safely. Tools like Lunyb allow you to inspect and archive links securely without visiting the destination directly, which is useful when documenting suspected scams or breach-related communications.
Step 3: Lodge Your OAIC Complaint
You can lodge a privacy complaint with the OAIC in three ways:
- Online form: The fastest option — available at oaic.gov.au under "Privacy complaints"
- Email or post: Download the Privacy Complaint Form (PDF), fill it in, and send it to enquiries@oaic.gov.au or GPO Box 5218, Sydney NSW 2001
- Phone: Call 1300 363 992 if you need help lodging or have accessibility requirements
What to include in your complaint
- Your full name and contact details
- The name of the organisation you're complaining about
- A description of what happened and when
- Which APPs you believe were breached (helpful but not mandatory)
- What steps you've already taken with the organisation
- Copies of supporting evidence
- The outcome you're seeking
There is no fee to lodge a complaint, and you don't need legal representation.
Step 4: What Happens After You Lodge
The OAIC follows a fairly standard process, though timelines can vary depending on complexity and case load.
The OAIC investigation process
| Stage | What Happens | Typical Timeframe |
|---|---|---|
| 1. Acknowledgment | OAIC confirms receipt and assigns a case officer | 1–4 weeks |
| 2. Preliminary assessment | OAIC checks jurisdiction and whether the complaint can proceed | 4–8 weeks |
| 3. Conciliation | OAIC attempts to resolve the dispute between you and the organisation | 2–6 months |
| 4. Formal investigation | If conciliation fails, the Commissioner may formally investigate | 6–18 months |
| 5. Determination | The Commissioner issues a binding decision with remedies | Variable |
Most complaints are resolved through conciliation — a facilitated negotiation rather than a court-style hearing. Only a small proportion escalate to a formal determination.
Possible Outcomes of an OAIC Complaint
If your complaint succeeds, the OAIC can direct the organisation to take a range of actions. These include:
- A formal apology in writing
- Correcting or deleting your personal information
- Changes to internal privacy practices, policies or staff training
- Compensation for financial loss and non-economic loss (such as stress or humiliation)
- Enforceable undertakings — legally binding promises to fix systemic issues
- Civil penalties for serious or repeated interference with privacy (up to $50 million or more for corporations under recent reforms)
Compensation amounts in Australian privacy determinations typically range from a few hundred dollars for minor breaches to tens of thousands for serious cases involving identity theft, medical information or significant emotional harm.
When the OAIC Can't Help
The OAIC will decline complaints in several circumstances. Knowing these upfront saves time.
- Out of jurisdiction: State agencies, small businesses under $3 million turnover (with exceptions), or overseas entities with no Australian link
- Too old: Complaints lodged more than 12 months after you became aware of the issue may be refused
- Frivolous or vexatious: Complaints without merit or made in bad faith
- Already being dealt with: If another regulator, court, or ombudsman is handling it
- Employee records: Handling of current or former employee records by private employers is generally exempt
Alternative regulators
| Issue | Where to Go |
|---|---|
| NSW state agency | Information and Privacy Commission NSW (IPC) |
| Victorian state agency | Office of the Victorian Information Commissioner (OVIC) |
| Queensland state agency | Office of the Information Commissioner Queensland |
| Telecommunications | Telecommunications Industry Ombudsman (TIO) |
| Banks and insurers | Australian Financial Complaints Authority (AFCA) |
| Spam and scams | ACMA and Scamwatch (ACCC) |
| Health information (state) | Relevant state Health Complaints Commissioner |
Tips for a Stronger OAIC Complaint
Case officers handle hundreds of complaints. Making yours clear, factual and well-evidenced dramatically improves your chances.
- Stick to facts, not emotion. Describe what happened chronologically without editorialising.
- Name the APP if you can. Referencing "APP 6 — Use or disclosure" signals you've done your homework.
- Quantify harm. If you lost money, spent hours dealing with fraud, or suffered anxiety, say so specifically.
- Be realistic about remedies. Ask for what would genuinely fix the issue — deletion, correction, an apology — not just the largest possible payout.
- Respond promptly. If the case officer asks for more information, replying quickly keeps momentum.
- Consider conciliation seriously. Even if it feels unsatisfying, a negotiated outcome is usually faster than years of investigation.
Protecting Yourself After a Breach
While the OAIC investigates, take steps to limit further damage:
- Change passwords on any accounts linked to the breached data, and enable multi-factor authentication
- Place a temporary ban on your credit file through Equifax, illion and Experian
- Monitor bank and credit card statements closely for unauthorised transactions
- Report identity theft to IDCARE (1800 595 160), Australia's national identity and cyber support service
- Be cautious of follow-up phishing — scammers often target breach victims with fake "support" emails and SMS links
- Use link-inspection tools before clicking suspicious URLs; services such as Lunyb let you preview and analyse shortened links safely rather than clicking blindly
If you're researching secure link-management options for your organisation as part of post-breach hygiene, our 2026 URL shortener buyer's guide compares privacy features across the major providers, and our honest Lunyb review covers what to look for in a trustworthy shortener.
Recent Reforms You Should Know About
The Privacy Act has been significantly strengthened following the wave of major Australian data breaches in recent years (Optus, Medibank, Latitude, and others). Key changes affecting complaints include:
- Higher penalties: Maximum civil penalties for serious or repeated privacy interferences now reach the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover
- Expanded OAIC powers: The Commissioner can now issue infringement notices, conduct public inquiries, and share information with other regulators more freely
- Statutory tort of serious invasion of privacy: Passed in 2024, giving individuals a direct right to sue for serious privacy invasions in some circumstances
- Children's Online Privacy Code: Being developed to provide stronger protections for minors online
- Automated decision-making transparency: New requirements on organisations to disclose when significant decisions are made using automation
These reforms make it more worthwhile than ever to formally report privacy breaches — organisations now face real consequences.
Frequently Asked Questions
How long do I have to lodge an OAIC complaint?
You should lodge within 12 months of becoming aware of the breach. The OAIC has discretion to accept older complaints where there's a good reason for the delay, but timely lodgement is strongly encouraged.
Does it cost anything to complain to the OAIC?
No. Lodging a privacy complaint with the OAIC is completely free. You don't need a lawyer, and there are no filing fees, hearing costs or charges at any stage of the process.
Can I get compensation through an OAIC complaint?
Yes. The Commissioner can award compensation for both financial loss and non-economic loss such as distress, humiliation or anxiety. Amounts vary widely — from a few hundred dollars for minor breaches to tens of thousands for serious cases involving sensitive information or identity theft.
Can I complain anonymously?
You can raise concerns anonymously, and the OAIC uses this intelligence to monitor systemic issues. However, to have a complaint formally investigated and resolved on your behalf, the OAIC generally needs to know your identity so it can communicate with you and the organisation involved.
What if the organisation is based overseas?
The Privacy Act can apply to overseas organisations that carry on business in Australia and collect or hold personal information here. The OAIC may still investigate — for example, it has taken action against global platforms — but enforcement can be more complex. Include as much information as possible about the organisation's Australian activities in your complaint.
Final Thoughts
The OAIC complaints process exists to hold organisations accountable when they mishandle your personal information — and with recent reforms delivering serious penalties, it has more teeth than ever. Follow the steps in order: complain to the organisation first, gather solid evidence, lodge a clear and factual complaint, and engage constructively with conciliation. Whether your goal is an apology, deletion of data, or compensation, a well-prepared complaint is your most powerful tool for enforcing your privacy rights under Australian law.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
UK Online Safety Act: What It Means for Your Privacy in 2026
The UK Online Safety Act reshapes how platforms handle age verification, encryption and content moderation — with real consequences for your privacy. This guide explains the law in plain English and gives British users practical steps to protect their data.
PIPEDA vs GDPR: Canadian Privacy Law Explained (2026 Guide)
PIPEDA and GDPR both protect personal data, but they take very different approaches to consent, individual rights, and enforcement. This guide breaks down the key differences and explains what Canadian businesses need to know to stay compliant in 2026.
Singapore Online Safety Act 2026: Complete Guide for Businesses and Users
The Singapore Online Safety Act 2026 consolidates the country's online content rules into a single framework covering platforms, search engines, and even URL shorteners. This complete guide explains who it applies to, what obligations businesses face, and how users can protect their rights.
Data Protection Act 2018 Ireland: Complete Guide
A complete guide to Ireland's Data Protection Act 2018: how it interacts with the GDPR, the rights it protects, DPC enforcement powers, penalties, and the practical compliance steps every Irish organisation needs to take.