OAIC Complaints: How to Report a Privacy Breach in Australia
If an Australian business, government agency, or organisation has mishandled your personal information, you have the right to lodge a formal complaint with the Office of the Australian Information Commissioner (OAIC). This guide walks you through exactly how the OAIC complaints process works, what counts as a privacy breach, how to gather evidence, and what outcomes you can realistically expect.
What Is the OAIC and Why It Matters
The Office of the Australian Information Commissioner (OAIC) is the independent national regulator responsible for enforcing the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). It investigates complaints, takes enforcement action against organisations that mishandle personal data, and oversees the Notifiable Data Breaches (NDB) scheme.
The OAIC has jurisdiction over:
- Australian Government agencies
- Private sector organisations with an annual turnover of more than AUD $3 million
- Health service providers of any size
- Credit reporting bodies and credit providers
- Tax File Number (TFN) recipients
- Some small businesses that trade in personal information or are contracted service providers to the Commonwealth
If your complaint falls outside this jurisdiction (for example, a state government agency or a very small business), the OAIC will usually redirect you to the appropriate state or territory privacy regulator.
What Counts as a Privacy Breach Under Australian Law
A privacy breach (the Privacy Act calls it an "interference with privacy") occurs when an organisation that handles your personal information acts in a way that breaches one or more of the 13 Australian Privacy Principles, the credit reporting rules, or the TFN rules. Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not it is true and whether or not it is recorded in a material form. That includes your name, address, phone number, email, financial details, health records, and biometric data, and it can also include data such as an IP address or device identifier where it can be linked back to you.
Common Examples of Reportable Breaches
- Unauthorised disclosure (APP 6): An organisation uses or shares your details for a purpose you would not reasonably expect, or with a third party, without consent or another lawful basis.
- Data leaks and cyber incidents (APP 11): A hack, ransomware attack, credential-stuffing campaign, or misconfigured database exposes customer records. APP 11 requires the organisation to take reasonable steps to protect the information it holds, so the question is not only whether a breach happened but whether the organisation's controls were reasonable for the sensitivity and volume of the data.
- Refusal to provide access (APP 12): A company refuses to give you a copy of the personal information it holds about you, or fails to respond to your request within a reasonable period.
- Refusal to correct inaccurate data (APP 13): The organisation will not fix incorrect, out-of-date, incomplete, or misleading personal information after you request it.
- Excessive collection (APP 3): An entity collects information that is not reasonably necessary for its functions or activities, or collects sensitive information without consent.
- Direct marketing without consent (APP 7): You receive marketing communications you did not opt in to, or you cannot find a simple way to opt out.
- Mishandling of TFNs, health records, or credit data: Specific protections apply to these categories, including the Privacy (Tax File Number) Rule 2015 for TFNs and Part IIIA of the Privacy Act for credit reporting.
Step 1: Complain Directly to the Organisation First
The OAIC expects you to have complained to the organisation first and to have given it a reasonable opportunity to respond. Under section 40(1A) of the Privacy Act the Commissioner must not investigate a complaint unless you have already complained to the respondent, except where the Commissioner considers it inappropriate to require that step (for example, where the organisation has no working contact point). In practice this means your OAIC complaint should include a copy of what you sent the organisation and how it replied.
How to Lodge an Internal Privacy Complaint
- Locate the organisation's privacy policy on its website. It must list a contact point for privacy concerns.
- Write to the privacy officer or designated contact. Email is preferred because it creates a written record.
- State clearly that this is a formal privacy complaint under the Privacy Act 1988.
- Describe what happened, when it occurred, and which Australian Privacy Principle you believe was breached.
- Specify the outcome you want, such as deletion of data, an apology, correction of records, or compensation.
- Give the organisation a reasonable period to respond. The OAIC suggests 30 days as a standard timeframe.
Keep copies of all correspondence. If the organisation does not respond within 30 days, refuses to investigate, or provides an unsatisfactory response, you can then escalate to the OAIC.
Step 2: Lodging a Formal Complaint with the OAIC
Once you have given the organisation a chance to respond, you can submit your OAIC complaint. The process is free, and you do not need a lawyer.
How to Lodge the Complaint
- Visit the OAIC website at oaic.gov.au and navigate to "Make a privacy complaint".
- Use the online form (preferred). Alternatively, download the PDF form or write a letter.
- Provide your contact details and the full name of the organisation you are complaining about.
- Describe the breach in chronological order, attaching supporting documents.
- Attach evidence of your prior contact with the organisation.
- State the resolution you are seeking, whether that is an apology, data deletion, correction, or compensation.
- Submit and retain the reference number the OAIC provides.
Required Information Checklist
| Item | Required? | Notes |
|---|---|---|
| Your full name and contact details | Yes | Anonymous complaints generally cannot proceed |
| Name of the respondent organisation | Yes | Legal trading name preferred |
| Date of the alleged breach | Yes | Must be within 12 months, or explain delay |
| Description of what happened | Yes | Chronological, factual account |
| Copies of correspondence with the organisation | Yes | Emails, letters, screenshots |
| Evidence of harm or loss | Recommended | Medical bills, financial loss records, distress evidence |
| Desired outcome | Yes | Be specific and realistic |
Step 3: What Happens After You Submit
The OAIC follows a structured assessment and conciliation process. Most complaints are resolved without formal determination.
The OAIC's Process Stages
- Initial assessment (4 to 8 weeks): The OAIC reviews whether it has jurisdiction and whether the complaint meets threshold requirements.
- Early resolution: Many matters are resolved by the OAIC contacting the organisation and facilitating a quick fix.
- Conciliation: If early resolution fails, the OAIC may run a structured conciliation between you and the organisation.
- Investigation: If conciliation is not appropriate or fails, the Commissioner can formally investigate your complaint under section 40(1). Serious or systemic matters may also prompt a Commissioner-initiated investigation under section 40(2), which runs independently of any individual complaint.
- Determination: The Commissioner can issue a determination under section 52 requiring the organisation to take action, including paying compensation. A determination is not self-executing: if the organisation does not comply, either you or the Commissioner can apply to the Federal Court to enforce it under section 55A.
The total timeline varies considerably. Straightforward matters may resolve in 2 to 4 months. Complex investigations can take 12 months or longer.
Possible Outcomes and Remedies
The OAIC has broad remedial powers. Outcomes you can realistically pursue include:
- Apology: Written acknowledgement and apology from the organisation.
- Correction or deletion of records: The organisation must fix or destroy inaccurate or unnecessary data.
- Changes to practices: Updated policies, staff training, or new technical safeguards.
- Compensation: Monetary compensation for economic loss and non-economic loss such as humiliation, anxiety, or distress. Awards typically range from a few hundred dollars to tens of thousands, depending on severity.
- Civil penalties: For serious interferences with privacy, the Commissioner can apply to the Federal Court for a civil penalty. Since the 2022 reforms the maximum for a body corporate is the greater of AUD $50 million, three times the value of any benefit obtained from the conduct, or 30% of the company's adjusted turnover for the relevant period. Penalties are paid to the Commonwealth, not to you; compensation for your own loss comes through a determination or a negotiated settlement.
The Notifiable Data Breaches (NDB) Scheme
Separately from individual complaints, organisations covered by the Privacy Act must notify the OAIC and affected individuals about "eligible data breaches": unauthorised access to, unauthorised disclosure of, or loss of personal information that a reasonable person would conclude is likely to result in serious harm, where remedial action has not removed that risk. An organisation that suspects such a breach has 30 days to assess it, and must notify as soon as practicable once it forms the view that the breach is eligible. If you receive a data breach notification, you do not automatically have to lodge a complaint, but you should:
- Read the notification carefully to understand what was exposed.
- Change passwords for the affected service and for any other service where you used the same or a similar password. Start with your primary email account, because it can be used to reset every other password.
- Enable multi-factor authentication wherever available, preferring an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM swapping.
- Monitor bank statements and credit reports. You are entitled to a free copy of your credit report from each of the three credit reporting bodies (Equifax, Experian, and illion) every three months.
- Consider placing a ban on your credit file if identity documents or financial data were exposed. Under section 20K of the Privacy Act a credit reporting body must impose an initial ban period of 21 days on request, and you can ask for it to be extended; you need to request the ban with each credit reporting body separately.
- Lodge an OAIC complaint if you believe the organisation handled the breach poorly or failed to protect your data adequately.
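The second step above, rotating every account that shares a password with the breached service, is where most people lose track. The script below is an added example written for this guide, not something from the OAIC or the page's original material. It reads a password-manager CSV export (the columns `name,url,username,password` are an assumed generic format; the sample rows are constructed and contain no real credentials), groups accounts by a hash of their password so plaintext never appears in the report, and lists exactly which accounts to rotate after a breach at a given host, matching the host and any of its subdomains.

```python
"""Find which accounts share a password with a breached service.

Added example for this guide. Assumed input: a password-manager CSV export
with the generic columns name,url,username,password. The export below is
constructed sample data, not real credentials.
"""
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample export (assumed column layout; no real accounts).
SAMPLE_EXPORT = """name,url,username,password
Example Shop,https://shop.example.com/login,alice@example.net,Winter2024!
Example Bank,https://bank.example.org,alice,Winter2024!
Forum,https://forum.example.net,alice_f,correct-horse-battery-staple
Email,https://mail.example.net,alice@example.net,Winter2024!
Streaming,https://tv.example.com,alice,Tr0ub4dor&3
"""


def _fingerprint(password: str) -> str:
    # Group by a truncated SHA-256 so the report never carries plaintext.
    # This is only for comparing rows inside one export, not for storage.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def _host(url: str) -> str:
    # Lower-cased hostname, or "" for entries with no usable URL.
    return (urlparse(url).hostname or "").lower()


def _matches_host(entry_host: str, breached_host: str) -> bool:
    # Exact host or any subdomain of the breached host.
    breached_host = breached_host.lower()
    return entry_host == breached_host or entry_host.endswith("." + breached_host)


def load_entries(csv_text: str) -> list[dict]:
    """Parse the export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reused_passwords(entries: list[dict]) -> dict[str, list[str]]:
    """Map password fingerprint -> account names sharing it (groups of 2+ only)."""
    groups: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        groups[_fingerprint(e["password"])].append(e["name"])
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}


def rotation_list(entries: list[dict], breached_host: str) -> list[str]:
    """Accounts to rotate after a breach at breached_host.

    Returns the breached service itself plus every account whose password
    matches one used at that service, sorted and de-duplicated.
    """
    breached_fps = {
        _fingerprint(e["password"])
        for e in entries
        if _matches_host(_host(e["url"]), breached_host)
    }
    return sorted({e["name"] for e in entries if _fingerprint(e["password"]) in breached_fps})


if __name__ == "__main__":
    rows = load_entries(SAMPLE_EXPORT)
    for fp, names in reused_passwords(rows).items():
        print(f"password {fp} reused by: {', '.join(names)}")
    print("rotate after breach at shop.example.com:", rotation_list(rows, "shop.example.com"))
```

Run it against a real export only on a machine you trust, and delete the export file afterwards: an unencrypted CSV of every credential you own is a more valuable target than most of the services it lists.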
Strengthening Your Personal Privacy Going Forward
While regulators play an important role after the fact, prevention is always better than a complaint. Consider these practical steps to reduce your exposure:
- Minimise data sharing: Only provide the information genuinely required for a transaction.
- Use unique passwords and a password manager for every account.
- Enable encrypted DNS (DNS over HTTPS) in your browser or operating system so that on-path observers, such as whoever runs the public Wi-Fi you are using, cannot read which domains you look up. It does not stop the websites you visit from tracking you; use tracking protection for that.
- Use privacy-respecting browsers such as Firefox or Brave with tracking protection enabled.
- Review app permissions regularly on your phone and revoke unnecessary access.
- Be cautious with shortened links: a short URL hides its destination, so preview it before clicking (hover over it, or use the shortener's preview option where one exists). When sharing links yourself, use a trusted shortener with analytics and link-disabling features such as Lunyb, which lets you deactivate a link if it is leaked or misused. You can read more in our honest review of Lunyb.
- Audit your accounts annually and delete services you no longer use, requesting data erasure where possible.
Common Mistakes That Weaken Privacy Complaints
Many complaints stumble for avoidable reasons. Avoid these traps:
- Skipping the internal complaint step. The OAIC will likely refuse or defer your matter.
- Delaying too long. Complaints lodged more than 12 months after you became aware of the breach may be rejected.
- Failing to keep evidence. Screenshots, emails, and timestamps are essential.
- Asking for unrealistic remedies. Compensation must be tied to actual harm or distress.
- Going to the wrong regulator. Spam and telemarketing complaints belong with ACMA, scam reports with Scamwatch, and identity theft support with IDCARE; the OAIC handles the mishandling of your personal information.
- Emotional rather than factual language. Stick to the facts and the relevant APP breached.
When to Seek Legal Advice
Most privacy complaints can be handled without a lawyer. However, you should consider legal advice if:
- You have suffered significant financial loss or identity theft.
- The matter involves sensitive health, sexuality, or criminal record information.
- You are part of a class affected by a large-scale data breach (representative complaints are possible under section 38 of the Privacy Act).
- The OAIC declines your complaint and you are considering judicial review or other action.
Community legal centres, Legal Aid commissions in each state, and consumer law clinics often provide free initial advice on privacy matters.
Related Reading on Privacy and Online Tools
If you are evaluating online services that handle your data, our editorial team regularly reviews privacy-related tools:
- Best URL Shorteners Reviewed and Compared: 2026 Buyer's Guide
- Rebrandly Review 2026: Is It Worth the Price?
- Is Lunyb Legit? An Honest Review of the URL Shortener in 2026
Frequently Asked Questions
How long do I have to lodge an OAIC complaint?
You should lodge your complaint within 12 months of becoming aware of the privacy breach. The OAIC can accept later complaints if you provide a reasonable explanation for the delay, but late complaints face a higher risk of refusal under section 41 of the Privacy Act.
Does it cost anything to make an OAIC complaint?
No. The OAIC complaints process is completely free, and you do not need a lawyer. You can submit your complaint online, by post, or by email. If your matter proceeds to the Federal Court, costs may arise at that later stage, but the OAIC's investigation and conciliation services carry no fee.
Can I get compensation through the OAIC?
Yes. The Commissioner can make a determination requiring the organisation to pay compensation for economic loss (such as money stolen) and non-economic loss (such as distress, humiliation, or anxiety). Awards generally range from a few hundred dollars to tens of thousands of dollars, with serious cases attracting higher amounts. Most matters resolved through conciliation also involve negotiated settlements.
What if the organisation is a small business not covered by the Privacy Act?
Small businesses with turnover under AUD $3 million are generally exempt unless they handle health information, trade in personal data, or contract to the Commonwealth. If your matter is outside OAIC jurisdiction, you may be able to pursue it through a state privacy regulator, the Australian Competition and Consumer Commission for misleading conduct, or general civil action for breach of confidence.
What is the difference between an OAIC complaint and a Notifiable Data Breach report?
A Notifiable Data Breach report is something the organisation must file with the OAIC when an eligible data breach occurs. A complaint is something you file as an individual whose privacy you believe has been interfered with. The two are linked but separate: you can lodge a complaint even if an organisation has already self-reported the breach, especially if you believe the response was inadequate.
Final Thoughts
Reporting a privacy breach to the OAIC is one of the most effective ways individual Australians can hold organisations accountable for how they handle personal information. The process rewards preparation: gather evidence, complain to the organisation first, articulate the specific APPs you believe were breached, and request realistic remedies. Combined with strong personal privacy habits and tools that give you control over your own digital footprint, you can significantly reduce both the likelihood and impact of future breaches.