OAIC Complaints: How to Report a Privacy Breach in Australia
If an organisation has mishandled your personal information, you have the right to take action. The Office of the Australian Information Commissioner (OAIC) is the federal regulator responsible for enforcing the Privacy Act 1988 and the Australian Privacy Principles (APPs). This guide explains exactly how to lodge an OAIC complaint about a privacy breach, what to expect during the investigation, and how to maximise the chance of a positive outcome.
What Is an OAIC Privacy Complaint?
An OAIC privacy complaint is a formal report you make to the Australian Information Commissioner when you believe an entity covered by the Privacy Act 1988 has interfered with your personal information. The OAIC has the power to investigate, conciliate, and in some cases make legally binding determinations against organisations and Australian Government agencies.
Complaints typically involve issues such as unauthorised disclosure of personal data, a refusal to grant access to your own records, inaccurate information being held about you, or a notifiable data breach that affected your details. The OAIC handles thousands of complaints each year, and the process is free for the person making the complaint.
Who Can the OAIC Investigate?
The OAIC's jurisdiction extends to:
- Australian Government agencies and most ministers
- Private sector organisations with an annual turnover of more than $3 million
- All private health service providers, regardless of turnover
- Credit reporting bodies and credit providers
- Tax File Number (TFN) recipients
- Some small businesses that trade in personal information or are contracted service providers to the Commonwealth
State and territory government agencies, as well as most small businesses under the $3 million threshold, generally fall outside OAIC jurisdiction. State-level privacy regulators (such as the NSW IPC or OVIC in Victoria) handle complaints about state agencies.
What Counts as a Privacy Breach?
A privacy breach occurs when personal information is accessed, used, or disclosed in a way that contravenes the Australian Privacy Principles or a registered code. Not every annoyance with how a company handles your data will meet the legal threshold, but the scope is broader than many Australians realise.
Common Examples of Reportable Breaches
- Unauthorised disclosure: A company shares your details with a third party without consent or legal authority.
- Data breach incidents: A cyber attack, lost laptop, or misdirected email exposes your personal information.
- Excessive collection: An organisation demands information it does not need for its stated purpose.
- Refusal of access: A business will not let you see the personal information it holds about you, or refuses to correct inaccurate records.
- Use beyond the original purpose: Data collected for one reason is used for marketing or profiling without your agreement.
- Poor security practices: Storing sensitive data on unsecured platforms, sending login credentials in plain text, or failing to use HTTPS.
- Direct marketing without opt-out: Continued marketing contact after you have asked it to stop.
Step-by-Step: How to Lodge an OAIC Complaint
The OAIC requires you to follow a specific sequence before it will formally investigate. Skipping a step is the most common reason complaints are returned or delayed.
Step 1: Complain to the Organisation First
Before approaching the OAIC, you must give the organisation a chance to respond. Put your complaint in writing to the entity's privacy officer, clearly describing what happened, when it occurred, and what outcome you are seeking. Most large organisations publish a privacy contact in their privacy policy.
The organisation has 30 days to respond. If they do not reply within that period, or if you are unhappy with their response, you can escalate to the OAIC.
Step 2: Gather Your Evidence
A well-documented complaint is significantly more likely to succeed. Collect:
- Copies of correspondence with the organisation (emails, letters, chat transcripts)
- Screenshots of the alleged breach (web pages, app notifications, data breach notices)
- A clear timeline of events with dates
- Any reference numbers or case IDs the organisation provided
- Evidence of harm or distress where applicable (medical certificates, financial losses, identity theft reports)
When sharing screenshots or evidence files publicly or with advisers, consider using a privacy-respecting short link service like Lunyb so you can revoke access after the matter is resolved rather than leaving live URLs floating around.
Step 3: Submit the Online Privacy Complaint Form
The OAIC's preferred channel is its online Privacy Complaint Form, available at oaic.gov.au. You will need to provide:
- Your full name and contact details
- The name of the organisation or agency complained about
- A description of what happened
- The steps you took to resolve the matter directly
- The organisation's response (or lack thereof)
- The outcome you are seeking
If you cannot use the online form, you can post, email, or fax your complaint. Telephone assistance is also available through the OAIC's enquiries line.
Step 4: Cooperate With the Assessment
The OAIC will first assess whether your complaint falls within its jurisdiction and whether you have given the organisation a reasonable opportunity to respond. You may be asked for additional information. Respond promptly to keep the matter moving.
What Happens After You Lodge a Complaint?
The OAIC handles complaints through a graduated process designed to resolve disputes informally wherever possible.
Stage 1: Early Resolution
Many complaints are resolved at this stage. The OAIC contacts the organisation, outlines your concerns, and seeks a quick resolution such as an apology, correction of records, deletion of data, or a procedural change.
Stage 2: Conciliation
If early resolution fails, the matter may move to conciliation, where an OAIC officer mediates a structured discussion between you and the respondent. Conciliation is confidential and can result in financial compensation, written undertakings, or systemic changes.
Stage 3: Investigation and Determination
If conciliation does not succeed, the Commissioner may formally investigate and issue a determination. Determinations can require the respondent to:
- Stop the conduct that caused the breach
- Take specified steps to remedy the breach
- Pay compensation for financial loss and non-economic loss (such as distress)
- Issue a public apology or correction
Determinations are enforceable in the Federal Court of Australia.
OAIC Complaint Outcomes at a Glance
| Outcome | When It Applies | Binding? |
|---|---|---|
| Apology or correction | Early resolution of minor breaches | Voluntary |
| Conciliated agreement | Both parties accept negotiated terms | Contractually binding |
| Compensation payment | Demonstrated financial or emotional harm | Yes, if part of determination |
| Commissioner's determination | Serious or unresolved matters | Yes, enforceable in Federal Court |
| Civil penalties | Serious or repeated interferences with privacy | Yes, court-imposed |
The Notifiable Data Breaches Scheme
The Notifiable Data Breaches (NDB) scheme requires regulated entities to notify both the OAIC and affected individuals when an eligible data breach occurs. An eligible data breach is one likely to result in serious harm to any of the individuals whose information was compromised.
What Should Be in a Breach Notification?
If you receive a data breach notice from an organisation, it should include:
- The identity of the entity
- A description of the breach
- The kinds of information involved
- Recommended steps you should take (such as changing passwords or monitoring credit reports)
If a breach notification is missing, vague, or delayed, you can complain to the OAIC about the inadequate notification itself, not just the underlying breach.
Timeframes and Limitations
While there is no strict statutory deadline, the OAIC may decline to investigate a complaint if more than 12 months have passed since you became aware of the act or practice. Lodge your complaint as soon as practical after the organisation responds (or fails to).
The investigation itself can take anywhere from a few weeks for straightforward matters to more than 12 months for complex cases involving multiple respondents or systemic issues. Keep records throughout and update the OAIC of any new developments.
Tips for a Strong Privacy Complaint
- Be specific. Identify the exact information involved, the date(s), and which Australian Privacy Principle you believe was breached.
- Stay factual. Emotive language is less persuasive than a clear chronology supported by evidence.
- Quantify harm. If you suffered financial loss, identity theft costs, time off work, or psychological distress, document it.
- State your desired outcome. Whether you want deletion of data, compensation, or a public apology, make it clear from the outset.
- Keep your records secure. Use encrypted storage and access-controlled links when sharing sensitive evidence with lawyers or advocates.
When to Seek Legal Advice
For most consumer complaints, the OAIC process works without legal representation. However, you may want to consult a privacy lawyer or community legal centre if:
- The breach caused significant financial loss
- You have been the victim of identity theft or stalking
- The respondent is denying the breach entirely
- You are considering a class action involving many affected individuals
Community legal centres and Legal Aid offices in each state and territory can offer free initial advice on privacy and data protection matters.
Protecting Your Privacy Going Forward
While the OAIC complaint process gives you a remedy after the fact, prevention is always better. Practical steps Australians can take include:
- Use unique, strong passwords with a reputable password manager
- Enable multi-factor authentication on all important accounts
- Limit the personal information you share on social media
- Use encrypted DNS resolvers and privacy-focused browsers
- Review the privacy policies of services before signing up
- Use disposable or branded short links rather than exposing raw tracking URLs in your communications — tools like Lunyb let you control link access, while a broader comparison of options is available in our 2026 buyer's guide
For organisations that handle customer links and analytics at scale, choosing platforms with strong privacy postures matters too. Reviews such as our Rebrandly review compare how different providers handle user data, retention, and tracking.
Frequently Asked Questions
How much does it cost to lodge an OAIC complaint?
Lodging a privacy complaint with the OAIC is free. You do not need a lawyer to make a complaint, and the OAIC's online form, telephone assistance, and conciliation services are provided at no cost to the complainant.
How long does an OAIC investigation take?
Simple matters that resolve at the early resolution stage may conclude within a few weeks. Conciliated outcomes typically take three to six months, while formal investigations leading to a Commissioner's determination can take 12 months or longer, depending on complexity and the cooperation of the respondent.
Can I receive compensation for a privacy breach?
Yes. The OAIC can require respondents to pay compensation for both financial loss (such as expenses incurred dealing with identity theft) and non-economic loss (such as distress, humiliation, or injury to feelings). Amounts vary widely based on the severity of the breach and the harm suffered.
What if the organisation is based overseas?
The Privacy Act can apply to overseas entities that carry on business in Australia and collect or hold personal information of Australians. The OAIC has cooperative arrangements with international privacy regulators and can pursue matters with foreign organisations, although enforcement can be more complex.
Can I complain anonymously?
You can raise concerns anonymously, but the OAIC generally cannot investigate an anonymous complaint because it needs to verify the facts and provide procedural fairness to the respondent. You can, however, request that your identity be kept confidential from the respondent during early stages where possible.
Final Thoughts
The OAIC complaint process is one of the most accessible mechanisms Australians have to hold organisations accountable for mishandling personal information. The keys to success are following the correct sequence — complain to the organisation first, then escalate — documenting everything thoroughly, and being clear about the outcome you want. Whether your complaint ends in an apology, a compensation payment, or a binding determination, exercising your rights helps drive better privacy practices across the Australian economy.