OAIC Complaints: How to Report a Privacy Breach in Australia
If your personal information has been mishandled by an Australian organisation or government agency, you have the right to complain to the Office of the Australian Information Commissioner (OAIC). The OAIC is the independent regulator responsible for enforcing the Privacy Act 1988 and the Australian Privacy Principles (APPs). This guide walks you through exactly how to lodge an OAIC complaint about a privacy breach, what evidence you need, how long the process takes, and what outcomes you can realistically expect.
What Is the OAIC and When Can You Complain?
The Office of the Australian Information Commissioner is the federal regulator that oversees privacy, freedom of information, and government information policy in Australia. You can lodge an OAIC complaint when you believe an APP entity has interfered with your privacy. APP entities include most Australian Government agencies, private sector organisations with an annual turnover above AUD 3 million, health service providers of any size, and credit reporting bodies.
Common situations that justify an OAIC complaint include:
- An organisation collected your personal information without consent or a lawful basis.
- Your data was disclosed to a third party without authorisation.
- A company refused to give you access to, or correct, your personal information.
- You were the victim of a notifiable data breach and the entity failed to respond appropriately.
- Your tax file number, health information or credit information was misused.
- Direct marketing continued after you opted out.
Who the OAIC Cannot Help With
The OAIC does not generally handle complaints about state or territory government agencies (these are usually managed by state privacy commissioners such as the IPC NSW or OVIC in Victoria), small businesses under the $3 million threshold (with some exceptions), individuals acting in a personal capacity, or media organisations engaged in journalism. If your complaint falls outside the OAIC's remit, the office will usually refer you to the correct body.
Step 1: Complain Directly to the Organisation First
Before the OAIC will investigate your complaint, you must normally have complained to the organisation first and given it a reasonable opportunity to respond, usually 30 days. Under section 40(1A) of the Privacy Act the Commissioner must not investigate a complaint that was not first made to the respondent, unless the Commissioner considers that it was not appropriate for you to complain to the organisation. In practice, treat this step as mandatory.
- Find the privacy officer. Check the organisation's privacy policy (it must be freely available) for the contact details of its privacy officer or complaints team.
- Put your complaint in writing. Email or post a letter that clearly states what happened, when it happened, what APP you believe was breached, and what remedy you want (an apology, deletion of data, compensation, a policy change).
- Keep records. Save copies of all correspondence, including delivery receipts and read receipts.
- Wait for a response. The organisation has 30 days to investigate and respond. If they fail to respond, or their response is inadequate, you can escalate to the OAIC.
Sample Complaint Letter Structure
A strong internal complaint includes: your full name and contact details, a chronological summary of events, the specific personal information involved, the APP(s) you believe were breached, copies of any supporting evidence, and a clear statement of the outcome you are seeking.
Step 2: Lodge Your Complaint With the OAIC
If the organisation does not resolve the issue within 30 days, you can lodge a formal complaint with the OAIC. There are three main ways to do this:
- Online: Use the OAIC Privacy Complaint Form at oaic.gov.au — this is the fastest method.
- Email: Send a completed complaint form to enquiries@oaic.gov.au.
- Post: Mail your complaint to GPO Box 5288, Sydney NSW 2001.
You can also call the OAIC enquiries line on 1300 363 992 if you need help completing the form or require an interpreter.
What Information You Need to Provide
| Category | Details Required |
|---|---|
| Your identity | Full name, postal address, phone number, email |
| Respondent | Name of the organisation or agency, contact details if known |
| The breach | What happened, when, what personal information was involved |
| Prior contact | Evidence you complained to the organisation and their response |
| Harm suffered | Financial loss, emotional distress, identity theft risk |
| Desired outcome | Apology, deletion, compensation, systemic change |
| Supporting documents | Emails, screenshots, contracts, breach notifications |
Step 3: What Happens After You Lodge
Once the OAIC receives your complaint, it goes through a structured assessment and investigation process.
- Acknowledgement (1–2 weeks): The OAIC confirms receipt and assigns a case officer.
- Preliminary assessment: The OAIC decides whether the complaint falls within its jurisdiction and whether you complied with the 30-day internal complaint rule.
- Conciliation: Most complaints are resolved through informal conciliation — the OAIC facilitates a discussion between you and the organisation to reach a mutually acceptable outcome.
- Formal investigation: If conciliation fails, the Commissioner may launch a formal investigation under section 40 of the Privacy Act.
- Determination: If the matter is not resolved, the Commissioner can make a determination under section 52, declaring the conduct an interference with privacy and requiring the organisation to pay compensation, take specific steps or apologise. A determination is not self-executing: if the organisation does not comply, you or the Commissioner can seek an enforcement order from the Federal Court.
How Long Does the Process Take?
Simple complaints resolved through conciliation typically take 3 to 6 months. Complex matters that proceed to formal investigation can take 12 months or longer. The OAIC publishes performance data, including average resolution times, in its annual report.
What Outcomes Can You Get?
The OAIC has broad remedial powers under section 52 of the Privacy Act. Possible outcomes include:
- Declaration that conduct was an interference with privacy — formal recognition of the breach.
- Compensation for economic and non-economic loss, including hurt feelings and humiliation. Awards typically range from a few thousand dollars to tens of thousands, though larger sums are possible in serious cases.
- Orders to stop or change a practice. Under section 52 the Commissioner can declare that the organisation must not repeat or continue the conduct, or must take specific steps to redress it. A court injunction proper is a separate remedy, sought in the Federal Court under section 98.
- Apology — written or public.
- Deletion or correction of personal information.
- Systemic changes such as new policies, staff training or independent audits.
Where many people are affected by the same conduct (for example, customers caught up in the Optus, Medibank or Latitude Financial breaches), one affected person can lodge a representative complaint on behalf of the whole class under section 38 of the Privacy Act, and the OAIC investigates it as a single matter.
Notifiable Data Breaches: Your Rights as a Victim
Under the Notifiable Data Breaches (NDB) scheme, organisations covered by the Privacy Act must notify both the OAIC and affected individuals when an eligible data breach occurs — that is, a breach likely to result in serious harm. If you receive a data breach notification, you should:
- Read the notification carefully to understand what information was compromised.
- Follow any recommended steps (change passwords, monitor accounts, place credit bans).
- Keep the notification as evidence in case you later lodge a complaint.
- Watch for phishing. Criminals exploit breach news to send fake "support" or "compensation" messages with malicious links. The safest habit is not to click links in unsolicited messages at all: type the organisation's address yourself or use its official app, and check any message you receive against the breach notice published on the organisation's own website. Where you do need to follow a shortened link, a trusted URL shortener and link checker such as Lunyb can expand it so you see the real destination before visiting it.
- If you suffer loss or the organisation's response is inadequate, lodge an OAIC complaint.
Recent Major Breaches and OAIC Action
The OAIC has investigated several high-profile Australian breaches in recent years, including Optus (2022), Medibank (2022), Latitude Financial (2023) and HWL Ebsworth (2023). Some of these investigations have progressed to civil penalty proceedings in the Federal Court (Medibank and Optus among them), and the breaches drove significant legislative reform, including the sharp increase in maximum civil penalties legislated in late 2022.
Strengthening Your Complaint: Evidence Tips
The quality of your evidence will determine whether the OAIC and the respondent take your complaint seriously. Strong complaints typically include:
- A clear timeline — dates, times and a chronological narrative.
- Original documents — emails, letters, screenshots of websites, SMS messages.
- Proof of identity verification — if the issue involved a refused access request.
- Evidence of harm — bank statements showing fraud losses, medical evidence of psychological harm, invoices for identity restoration services.
- The organisation's privacy policy at the time of the breach.
- Copies of all communication with the organisation, including their response (or lack thereof).
Costs, Legal Help and Alternatives
Lodging an OAIC complaint is free. You do not need a lawyer, although you may engage one if you wish. Free assistance is available from:
- Community Legal Centres Australia (clcs.org.au)
- Legal Aid in your state or territory
- The Australian Privacy Foundation (advocacy and general information rather than individual casework)
- Financial Rights Legal Centre (for credit reporting and financial privacy issues)
Alternatives to an OAIC Complaint
| Forum | When to Use |
|---|---|
| State privacy commissioner | State or territory government agencies |
| Australian Financial Complaints Authority (AFCA) | Banking, insurance, superannuation privacy issues |
| Telecommunications Industry Ombudsman (TIO) | Telco and internet service provider privacy issues |
| eSafety Commissioner | Image-based abuse, cyberbullying, online harms |
| ACMA | Spam, unsolicited marketing, do-not-call register breaches |
| Federal Court class action | Large-scale breaches with significant losses |
Preventing Future Privacy Breaches
While regulators handle the aftermath, the best protection is reducing your exposure in the first place. Practical steps include using unique passwords with a password manager, enabling multi-factor authentication, limiting the personal information you provide to online services, regularly reviewing app permissions, and being cautious of shortened or suspicious links. For more guidance on safer link sharing and online privacy tools, see our 2026 buyer's guide to URL shorteners and our honest review of Lunyb.
Frequently Asked Questions
How much does it cost to lodge an OAIC complaint?
Nothing. Lodging a privacy complaint with the OAIC is completely free, and you do not need legal representation. The OAIC provides free assistance with completing the complaint form, including interpreter services.
How long do I have to lodge a complaint?
There is no strict time limit, but the OAIC may decline to investigate complaints lodged more than 12 months after you became aware of the breach. It is always best to act promptly while evidence and memories are fresh.
Can I claim compensation through the OAIC?
Yes. The Commissioner can order compensation for both economic loss (such as money stolen due to identity theft) and non-economic loss (such as stress, humiliation and hurt feelings). Awards typically range from a few thousand dollars to tens of thousands, though significant cases can attract higher amounts.
What if I want to remain anonymous?
You can make a general enquiry or tip-off anonymously, but a formal complaint requires you to identify yourself so the OAIC can investigate and the respondent can respond. The OAIC will not disclose your identity publicly without your consent.
Can I appeal an OAIC decision?
Yes. Determinations made by the Commissioner can be reviewed by the Administrative Review Tribunal (ART, which replaced the AAT in 2024). You generally have 28 days from the date of the determination to apply for review.
Final Thoughts
Australia's privacy framework gives individuals real, enforceable rights, but those rights only matter if you exercise them. If an organisation has mishandled your personal information, document everything, complain to the organisation first, and escalate to the OAIC if you do not get a fair outcome. With Privacy Act reform continuing through 2026, the 2024 amendments having already introduced higher tiered penalties and a statutory tort of serious invasion of privacy (in force since June 2025), regulators are taking complaints more seriously than ever.