
OAIC Complaints: How to Report a Privacy Breach in Australia

Lunyb Security Team
10 min read

If your personal information has been mishandled by an Australian business or government agency, you have the right to lodge a formal complaint with the Office of the Australian Information Commissioner (OAIC). This guide walks you through every step of the OAIC complaints process — from working out whether the Privacy Act applies to your situation, to preparing evidence, lodging your complaint, and understanding what outcomes you can realistically expect.

What Is the OAIC and When Can You Complain?

The Office of the Australian Information Commissioner (OAIC) is the independent national regulator responsible for enforcing the Privacy Act 1988 (Cth). It handles complaints about how organisations and Australian Government agencies collect, store, use, disclose and secure personal information.

You can lodge an OAIC complaint about a privacy breach if you believe an entity covered by the Privacy Act has interfered with your privacy. Common examples include:

  • A data breach that exposed your name, contact details, identity documents or financial data.
  • An organisation collecting more personal information than necessary, or collecting it covertly.
  • Your information being disclosed to a third party without your consent.
  • An organisation refusing to give you access to, or correct, your personal information.
  • Direct marketing you did not opt in to and cannot opt out of.
  • Mishandling of your tax file number, credit report information or health records.

Not every privacy annoyance is something the OAIC can investigate. The complaint must relate to an entity bound by the Privacy Act — generally most Australian Government agencies, all private sector organisations with annual turnover above A$3 million, plus smaller businesses in specific categories (health services, credit providers, contractors handling Commonwealth data, and businesses that trade in personal information).

Which Entities Are Covered by the Privacy Act?

Before you spend time preparing a complaint, confirm the respondent falls within OAIC jurisdiction. The Privacy Act applies to “APP entities” — organisations and agencies bound by the 13 Australian Privacy Principles (APPs).

Covered Entities

  • Australian Government agencies, including departments.
  • Private companies and not-for-profits with annual turnover above A$3 million.
  • All private health service providers (regardless of turnover).
  • Credit reporting bodies and credit providers.
  • Businesses that buy or sell personal information.
  • Tax file number recipients.
  • Contracted service providers for Commonwealth contracts.

Generally Not Covered

  • State and territory government agencies (these have their own state privacy regulators).
  • Small businesses under A$3 million turnover (unless they fall into a special category).
  • Registered political parties and political acts.
  • Media organisations acting in the course of journalism (with conditions).
  • Employee records held by your current or former employer (a long-standing exemption that is under review).

If your matter sits with a state agency, you may need to contact a state regulator instead — for example, the Information and Privacy Commission NSW, the Office of the Victorian Information Commissioner, or the Queensland Office of the Information Commissioner.

Step 1: Complain to the Organisation First

The OAIC will almost always require you to raise the issue directly with the organisation or agency before it accepts a complaint. This is set out in section 40(1A) of the Privacy Act and is designed to give entities a chance to resolve the matter quickly.

  1. Find the privacy contact. Most APP entities publish a privacy policy with a contact email, postal address or web form for privacy complaints. Look for headings like “Privacy Officer” or “Data Protection Officer”.
  2. Put your complaint in writing. Be clear, factual and chronological. State what happened, when, what information was involved, and what outcome you want.
  3. Set a reasonable deadline. The OAIC considers 30 days a reasonable period for the organisation to respond.
  4. Keep copies. Save every email, letter, reference number and screenshot. You will need them later.

If the organisation does not respond within 30 days, or if you receive a response that does not adequately resolve the issue, you can escalate to the OAIC.

Step 2: Gather Your Evidence

The strength of your OAIC complaint depends almost entirely on the quality of your evidence. Privacy investigations are document-driven, and the Commissioner will assess what can be objectively proven.

Collect the following before you lodge:

  • Copies of the data breach notification (if one was sent to you).
  • Screenshots of any exposed information or the original collection point (such as a sign-up form).
  • Your written complaint to the organisation and any reply you received.
  • A timeline of events with dates and times.
  • Details of any harm suffered — financial loss, identity theft, emotional distress, time spent rectifying the issue.
  • Receipts for any costs you incurred (credit monitoring, replacement documents, legal advice).
  • Identification documents (you will need to verify your identity with the OAIC).

When sharing evidence online or with your legal representative, consider how you transmit links and files. A shortener with privacy-focused logging like Lunyb can be useful for sending one-off links to large evidence bundles without exposing long internal URLs, while keeping a record of click activity for your own files. Bear in mind that a short link is not access control: anyone who obtains the link can open whatever it points to, so protect the evidence bundle itself (a password, an expiry date, or access restricted to named recipients) rather than relying on the link being hard to guess, and treat the click log as one more record for your file.

Step 3: Lodge Your Complaint With the OAIC

You can lodge an OAIC privacy complaint in several ways. The fastest and most reliable is the online form on oaic.gov.au.

How to Lodge

  1. Online: Use the “Lodge a privacy complaint” form on the OAIC website. You will need to create or sign in to an account.
  2. By post: Send a written complaint to the OAIC at GPO Box 5288, Sydney NSW 2001.
  3. By email: Email enquiries@oaic.gov.au with your complaint and supporting documents attached. Ordinary email is not encrypted end to end, so if your supporting documents include identity documents, prefer the online form or ask the OAIC how it wants sensitive attachments sent.
  4. By phone: Call 1300 363 992 for assistance, particularly if you need an interpreter or have accessibility needs.

What to Include in Your Complaint

  • Your full name and contact details.
  • The name of the organisation or agency you are complaining about.
  • A clear description of what happened and how it breached your privacy.
  • Dates of relevant events.
  • Evidence of your earlier complaint to the organisation and their response (or lack of response).
  • The outcome you are seeking — for example, an apology, correction of records, compensation for financial loss, changes to the organisation's practices.

Step 4: What Happens After You Lodge

Once lodged, your complaint goes through a structured assessment and investigation process. Timeframes vary, but straightforward matters are often resolved within a few months while complex investigations can take a year or longer.

Stage                  | What happens                                                                              | Typical timeframe
-----------------------|-------------------------------------------------------------------------------------------|------------------
Acknowledgement        | OAIC confirms receipt and assigns a case officer.                                         | 1–2 weeks
Preliminary assessment | OAIC decides whether the complaint is within jurisdiction and not premature.              | 2–8 weeks
Conciliation           | OAIC facilitates discussion between you and the respondent to seek resolution.            | 1–6 months
Investigation          | If conciliation fails, formal investigation under section 40.                             | 3–12 months
Determination          | The Commissioner makes a determination under section 52 (enforceable through the courts). | Varies

The OAIC strongly favours conciliated outcomes. In practice, most complaints are resolved through negotiation rather than a formal determination.

Possible Outcomes of an OAIC Complaint

Under section 52 of the Privacy Act, the Commissioner can make a range of orders if a complaint is substantiated. Outcomes include:

  • A declaration that the respondent must not repeat or continue the conduct.
  • An order that the respondent take specified steps to remedy the breach (such as updating systems, retraining staff or changing policies).
  • Compensation for loss or damage, including for hurt feelings or humiliation.
  • A written apology.
  • Correction or deletion of personal information.

Compensation amounts in individual OAIC cases have historically ranged from a few hundred dollars for minor distress up to tens of thousands for serious breaches involving financial loss or significant psychological harm. Class-style representative complaints (for example, following large-scale data breaches) can produce much larger total awards.

Notifiable Data Breaches Scheme

The Notifiable Data Breaches (NDB) scheme, introduced in 2018, requires APP entities to notify both the OAIC and affected individuals when an “eligible data breach” occurs. An eligible data breach is one likely to result in serious harm to any of the individuals whose information was involved, where the entity has not been able to prevent that harm through remedial action.

If you receive a data breach notification, it usually contains:

  • A description of the breach.
  • The kinds of information involved.
  • Recommendations on what you should do to protect yourself.
  • Contact details for the entity's privacy team.

Receiving a notification does not automatically mean you should lodge an OAIC complaint, but it is strong evidence if you decide to. Practical steps after a breach include changing passwords, enabling multi-factor authentication, placing a temporary ban on your credit file with Equifax, Experian and illion, and watching for phishing attempts. For ongoing protection, use unique passwords stored in a reputable password manager and prefer encrypted DNS providers and privacy-respecting browsers for everyday browsing.

Common Mistakes to Avoid

Many complaints are delayed or dismissed because of avoidable errors. Watch out for these:

  • Skipping the internal complaint step. The OAIC will usually return your complaint and ask you to raise it with the organisation first.
  • Complaining about a non-APP entity. Always verify the respondent is covered by the Privacy Act.
  • Lodging too late. Generally you should complain within 12 months of becoming aware of the issue. The OAIC can decline complaints that are out of time.
  • Vague allegations. Stick to facts, dates and specific APPs you believe were breached.
  • Overstating losses. Only claim harm you can substantiate. Inflated claims undermine credibility.
  • Public commentary. Avoid publicly defaming the respondent during the process; this can complicate conciliation.

How to Strengthen Your Privacy Going Forward

Lodging an OAIC complaint is reactive. Building good personal information hygiene is the proactive other half. Practical steps include:

  • Audit which organisations hold your personal information and ask them to destroy or de-identify what they no longer need. APP 11.2 obliges entities to do this once the information is no longer required for a permitted purpose; the Privacy Act does not currently give individuals a standalone right to deletion, so frame the request around that obligation.
  • Use disposable or alias email addresses for sign-ups you do not fully trust.
  • Set up credit bans or alerts with each of the three Australian credit reporting bodies.
  • Use a privacy-respecting URL shortener, such as Lunyb, when sharing links — particularly those tied to your name, business or social media — to avoid exposing tracking parameters and internal URLs.
  • Read privacy policies for the entities you deal with most often, and complain promptly when something seems off.

If you're a small business owner shortening links for marketing, choosing the right tool also matters for your customers' privacy. Compare options in our Best URL Shorteners Reviewed and Compared: 2026 Buyer's Guide, our Rebrandly Review 2026, and our honest review of Lunyb to find a service that handles user data responsibly.

When to Get Legal Help

Most OAIC complaints can be handled without a lawyer. The OAIC's processes are designed to be accessible to self-represented individuals. However, you should consider legal advice if:

  • You have suffered significant financial loss (such as identity theft running into thousands of dollars).
  • The breach has caused diagnosable psychological harm.
  • The matter may overlap with defamation, employment or negligence law.
  • You want to join or initiate a representative complaint following a major data breach.
  • The respondent has engaged its own external lawyers.

Community legal centres, the Cyber Civil Rights Initiative Australia partners, and consumer law firms operating on no-win-no-fee arrangements can be cost-effective starting points.

Frequently Asked Questions

How long do I have to lodge an OAIC privacy complaint?

The OAIC generally expects complaints within 12 months of you becoming aware of the issue. Complaints lodged later may still be accepted if there are good reasons for the delay, but timeliness is treated as an important factor in deciding whether to investigate.

Does it cost anything to complain to the OAIC?

No. Lodging a privacy complaint with the OAIC is free. You only incur costs if you choose to engage a lawyer or representative to help prepare or argue your matter.

Can I get compensation through an OAIC complaint?

Yes. The Commissioner can order compensation for financial loss and for non-economic loss such as hurt, humiliation and distress. Awards vary widely; minor matters may attract a few hundred dollars while serious breaches involving identity theft or psychological harm have attracted tens of thousands of dollars.

What if the organisation is overseas?

The Privacy Act has extraterritorial reach where an overseas entity has an Australian link — for example, carrying on business in Australia and collecting or holding personal information here. The OAIC has investigated and made determinations against foreign-based companies, although enforcement can be slower.

Can I lodge an anonymous complaint?

You can raise concerns anonymously with the OAIC, which may inform broader regulatory action, but you cannot pursue a formal individual complaint anonymously. The OAIC needs to verify your identity to investigate, share information with the respondent and arrange any remedy in your favour.
