OAIC Complaints: How to Report a Privacy Breach in Australia
If your personal information has been mishandled by an Australian business, government agency or other organisation, you have the right to make a formal complaint to the Office of the Australian Information Commissioner (OAIC). The OAIC is the national regulator responsible for enforcing the Privacy Act 1988 and the Australian Privacy Principles (APPs). This guide explains exactly how to report a privacy breach, what evidence you need, how long it takes and what outcomes you can realistically expect.
What Is the OAIC and What Does It Do?
The Office of the Australian Information Commissioner (OAIC) is the independent federal agency that regulates privacy, freedom of information and government information policy in Australia. It investigates complaints about how organisations handle personal information, oversees the Notifiable Data Breaches (NDB) scheme, and can issue determinations, enforceable undertakings and civil penalty proceedings against entities that breach privacy law.
The OAIC has jurisdiction over:
- Australian Government agencies
- Private sector organisations with an annual turnover of more than $3 million
- All health service providers (regardless of turnover)
- Credit reporting bodies and credit providers
- Tax File Number recipients
- Some small businesses that trade in personal information or are contracted service providers under a Commonwealth contract
What Counts as a Privacy Breach?
A privacy breach occurs when an APP entity mishandles personal information in a way that contravenes the Australian Privacy Principles or other obligations under the Privacy Act. Personal information includes anything that can identify you — your name, address, phone number, email, financial details, health records, IP address in some cases, and even photographs.
Common Examples of Privacy Breaches
- Unauthorised disclosure: An organisation sends your medical records to the wrong recipient.
- Data breach: A company is hacked and your login credentials, address or payment details are leaked.
- Excessive collection: A retailer demands your date of birth and driver licence to process a return.
- Refusal of access: You ask for a copy of your personal information and the organisation refuses or ignores you.
- Refusal to correct: You request a correction to inaccurate data and the entity won't update it.
- Direct marketing without consent: You receive unsolicited marketing after opting out.
- Improper use of TFN or government identifiers: Using your Tax File Number for an unauthorised purpose.
Step-by-Step: How to Lodge an OAIC Complaint
The OAIC process generally requires you to complain to the organisation before escalating to the Commissioner. Follow these steps in order to maximise your chance of a successful outcome.
Step 1: Complain Directly to the Organisation First
Under section 40 of the Privacy Act, the OAIC will usually decline to investigate unless you have first given the entity a reasonable opportunity to respond. Submit a written complaint to the organisation's privacy officer or designated complaints channel. Most APP entities are required to publish a privacy policy that includes complaint contact details.
In your initial complaint, clearly:
- State that you are making a privacy complaint under the Privacy Act 1988.
- Describe what happened, including dates, people involved and the personal information affected.
- Explain what outcome you want — an apology, correction, deletion, compensation, or a change to a practice.
- Set a reasonable deadline for response (30 days is standard).
Step 2: Wait 30 Days for a Response
The OAIC expects organisations to respond within 30 calendar days. If you receive no response, or the response is unsatisfactory, you can escalate to the OAIC. Keep every email, letter and reference number — you will need these as evidence.
Step 3: Lodge Your Complaint with the OAIC
You can lodge an OAIC complaint in four ways:
- Online form: The fastest method. Visit oaic.gov.au and use the Privacy Complaint Form.
- Post: GPO Box 5288, Sydney NSW 2001.
- Email: enquiries@oaic.gov.au (suitable for general queries; complaints should use the form).
- Phone: 1300 363 992 for assistance, especially if you need accessibility support.
There is no cost to lodge a complaint with the OAIC.
Step 4: Provide Supporting Evidence
Strong complaints are backed by documentation. Include:
- A copy of your original complaint to the organisation
- The organisation's response (or proof of no response)
- Screenshots, emails or letters demonstrating the breach
- Any data breach notification you received under the NDB scheme
- Evidence of harm (financial loss, distress, identity theft attempts)
Step 5: Engage with the OAIC's Conciliation Process
Most complaints are resolved through conciliation rather than formal investigation. An OAIC officer will contact both parties and attempt to negotiate an outcome — commonly an apology, a corrective action, a policy change or, in some cases, financial compensation for non-economic loss such as distress.
What Outcomes Can You Expect?
The OAIC has a range of resolution and enforcement options. The outcome depends on the severity of the breach, the entity's cooperation and the harm caused.
| Outcome | When It Applies | Typical Value/Impact |
|---|---|---|
| Written apology | Minor or inadvertent breaches | No monetary value |
| Correction or deletion of data | Inaccurate or excessive data held | Restores accuracy |
| Staff training / policy change | Systemic issues | Prevents recurrence |
| Compensation for non-economic loss | Genuine distress, humiliation | $1,000 – $20,000+ in serious cases |
| Compensation for economic loss | Financial harm (e.g. fraud) | Actual losses |
| Determination under s 52 | Conciliation fails | Legally enforceable |
| Civil penalty (serious/repeated breach) | Egregious conduct | Up to $50 million per breach for companies |
The Notifiable Data Breaches (NDB) Scheme
Since February 2018, APP entities must notify both affected individuals and the OAIC when an "eligible data breach" occurs — that is, a breach likely to result in serious harm. If you received a data breach notification email or letter, you can use it as evidence in your complaint.
If you suspect a breach was not reported when it should have been, you can also report this to the OAIC. The Commissioner can investigate failures to notify and impose civil penalties.
Reducing Your Exposure After a Breach
If your data has been exposed, take immediate protective steps: change affected passwords, enable multi-factor authentication, place a credit ban with Equifax, Experian and illion, and watch for phishing emails. When sharing sensitive links with support staff or legal advisors, consider using a trusted link management tool like Lunyb to create short, trackable URLs that don't expose underlying parameters or session tokens in plain text.
Timelines: How Long Does an OAIC Complaint Take?
Timelines vary widely depending on complexity and the OAIC's backlog. Based on recent OAIC annual reports, expect:
- Initial acknowledgement: 1–2 weeks
- Preliminary assessment: 1–3 months
- Conciliation: 3–9 months
- Formal investigation and determination: 12–24 months or longer
Complex matters — such as those involving large data breaches, multiple parties or novel legal issues — can take significantly longer.
When the OAIC May Decline to Investigate
Under section 41 of the Privacy Act, the Commissioner may decide not to investigate, or to stop investigating, where:
- The complaint was not first made to the entity
- More than 12 months have passed since you became aware of the act or practice
- The complaint is frivolous, vexatious or lacks substance
- The matter is being or has been dealt with by another body (e.g. a court)
- An adequate remedy is otherwise available
If your complaint is declined, you can request internal review or, in limited circumstances, seek judicial review in the Federal Court.
Tips to Strengthen Your Complaint
- Be specific and chronological. List dates, times and parties involved in order.
- Reference the APPs. Cite specific principles — e.g. APP 6 (use and disclosure), APP 11 (security), APP 12 (access).
- Quantify the harm. Describe financial impact, emotional distress, lost time, and any flow-on effects like identity theft attempts.
- Be reasonable in remedies sought. Outlandish demands can stall conciliation.
- Keep originals. Never send originals of important documents — always submit copies.
- Stay professional. Even if you're frustrated, calm, factual writing carries more weight.
Other Avenues if the OAIC Isn't the Right Fit
Not every privacy issue belongs at the OAIC. Consider these alternatives:
- State or territory privacy regulators: For state government agencies (e.g. IPC NSW, OVIC in Victoria).
- Australian Communications and Media Authority (ACMA): For spam and telemarketing breaches.
- Australian Cyber Security Centre (ACSC): To report cybercrime via ReportCyber.
- Australian Financial Complaints Authority (AFCA): For financial services privacy issues.
- Telecommunications Industry Ombudsman (TIO): For telco-related privacy complaints.
- Police: If you suspect identity theft or fraud.
Protecting Your Privacy Going Forward
Prevention is always cheaper than a complaint. Regularly audit which businesses hold your personal data, request deletion under APP 11 where appropriate, use unique passwords with a manager, and treat every "verify your account" email with suspicion. For organisations handling customer data, building privacy-by-design into systems — including how you share links, track marketing campaigns and store analytics — is the most reliable defence. Tools that minimise data exposure, such as privacy-respecting URL shorteners and trackers like Lunyb, help reduce the surface area for future breaches.
Frequently Asked Questions
How much does it cost to lodge an OAIC complaint?
Nothing. Lodging a privacy complaint with the OAIC is completely free, and you do not need a lawyer. The OAIC's processes are designed to be accessible to ordinary members of the public.
Can I claim compensation through the OAIC?
Yes. The OAIC can facilitate compensation for both economic loss (e.g. money stolen due to a breach) and non-economic loss (distress, humiliation, anxiety). Awards for non-economic loss in serious cases have ranged from a few thousand dollars to over $20,000 per complainant, and class-style representative complaints can result in much larger total payouts.
What if the organisation is overseas?
The Privacy Act has extraterritorial reach. If an overseas organisation carries on business in Australia and collects personal information from Australians, the OAIC can still accept a complaint. However, enforcement against foreign entities can be more difficult in practice.
Do I have to complain to the company first?
Yes, in almost all cases. The OAIC will generally not investigate unless you have first complained to the entity and either received an unsatisfactory response or had no response within 30 days. The only exceptions are where it would be unreasonable to expect you to do so — for example, where you fear retaliation or the entity no longer exists.
Is there a time limit for making a complaint?
The OAIC may decline to investigate if more than 12 months have passed since you became aware of the act or practice you're complaining about. Lodge as soon as practical after the breach to preserve your rights. If you discovered the breach late — for example, through a delayed NDB notification — the clock typically starts from when you became aware, not when the breach occurred.