
OAIC Complaints: How to Report a Privacy Breach in Australia

Lunyb Security Team
10 min read

If an Australian business, government agency or other organisation has mishandled your personal information, you have the right to complain to the Office of the Australian Information Commissioner (OAIC). This guide explains exactly how to report a privacy breach, what evidence you need, how long it takes, and what outcomes you can realistically expect.

What Is the OAIC and When Can You Complain?

The Office of the Australian Information Commissioner (OAIC) is the independent national regulator responsible for enforcing the Privacy Act 1988 and the Australian Privacy Principles (APPs). It investigates complaints from individuals whose personal information has been mishandled by APP entities — generally Australian Government agencies and private sector organisations with an annual turnover of more than $3 million, plus certain smaller businesses such as health service providers.

You can lodge an OAIC complaint when you believe an organisation has:

  • Collected your personal information unlawfully or unfairly
  • Used or disclosed it for a purpose you did not consent to
  • Failed to keep it secure, resulting in a data breach
  • Refused to give you access to your own information or correct inaccurate records
  • Sent unsolicited marketing without a lawful basis
  • Mishandled your tax file number, credit reporting data or health records

Who the OAIC Cannot Help With

The OAIC does not handle complaints about state or territory government agencies (those go to state privacy regulators such as the IPC in NSW or OVIC in Victoria), small businesses under the $3 million threshold that aren't otherwise covered, employee records held by your current employer, or media organisations acting in the course of journalism. For telecommunications-specific issues, the Telecommunications Industry Ombudsman (TIO) may be more appropriate.

Step 1: Complain Directly to the Organisation First

Before the OAIC will accept your complaint, you generally must give the organisation a chance to fix the problem. This is a mandatory step under section 40(1A) of the Privacy Act, and skipping it is the most common reason complaints are rejected at intake.

  1. Find the privacy contact. Every APP entity must publish a privacy policy with contact details — usually a Privacy Officer or privacy@company email.
  2. Put your complaint in writing. Email is best because it creates a timestamped record. State clearly what happened, when, what personal information was involved, and what outcome you want (an apology, correction, deletion, compensation, or a change in practice).
  3. Give them 30 days to respond. The OAIC expects organisations to have a reasonable opportunity to resolve the matter — 30 days is the standard benchmark.
  4. Keep every reply. Save emails, letters and notes of phone calls. You'll need these as evidence later.

If the organisation refuses to respond, gives an inadequate answer, or 30 days pass with no resolution, you can escalate to the OAIC.

Step 2: Gather Your Evidence

A well-evidenced complaint is investigated faster and is far more likely to lead to a meaningful outcome. The OAIC is an evidence-based regulator — assertions alone are rarely enough.

Collect the following before you lodge:

  • A timeline of events with specific dates (when you provided the data, when the breach occurred, when you first noticed it)
  • Copies of relevant communications — emails, letters, SMS, chat transcripts, social media messages
  • Screenshots of websites, account settings, privacy notices or breach notifications
  • The organisation's privacy policy as it appeared at the time (the Wayback Machine is useful here)
  • Your written complaint to the organisation and their response (or proof of no response)
  • Evidence of harm: financial loss, identity theft, scam messages, emotional distress, lost time, medical records of stress

Documenting Suspicious Links and Phishing Evidence

If your breach involves phishing emails, fraudulent links or scam SMS sent using your leaked details, never click them. Instead, record the full URL as text and take screenshots. If you need to share a long suspicious URL safely with an investigator, a privacy-conscious link tool like Lunyb can help you record and reference URLs without exposing them in cleartext across multiple emails — useful when building a paper trail for the OAIC.
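The advice above (keep the link as text, never click it) can be turned into a small evidence-log helper. The Python script below is an added example and is not part of the original article or of Lunyb's tooling. It defangs the scheme and host of a suspicious URL so it cannot be opened by accident, keeps a SHA-256 fingerprint of the exact original so an investigator can later confirm you are both referring to the same link, and timestamps the entry in UTC. The sample SMS link and its received time are constructed values; the field names in the record are this example's own choice.

```python
"""Record a suspicious URL as non-clickable text evidence (added example)."""
import hashlib
from datetime import datetime, timezone
from urllib.parse import urlsplit


def defang_url(url: str) -> str:
    """Return a non-clickable form of url: hxxp(s) scheme and [.] in the host.

    Only the scheme and host are altered; path, query and fragment are kept
    verbatim so the record still identifies the exact link that was received.
    A string without a scheme is handled by bracketing every dot.
    """
    parts = urlsplit(url)
    if not parts.scheme:
        return url.replace(".", "[.]")
    scheme = parts.scheme.replace("http", "hxxp")  # http -> hxxp, https -> hxxps
    host = parts.netloc.replace(".", "[.]")
    rest = parts.path
    if parts.query:
        rest += "?" + parts.query
    if parts.fragment:
        rest += "#" + parts.fragment
    return f"{scheme}://{host}{rest}"


def refang_url(defanged: str) -> str:
    """Reverse defang_url so an investigator can recover the exact original."""
    return defanged.replace("hxxp", "http").replace("[.]", ".")


def evidence_record(raw_url: str, received_at: datetime, source: str) -> dict:
    """Build one evidence-log entry for a suspicious link.

    The raw URL itself is not stored; only its defanged form and a SHA-256
    fingerprint, which is enough to prove later that two parties hold the
    same link without passing a clickable copy around by email.
    """
    digest = hashlib.sha256(raw_url.encode("utf-8")).hexdigest()
    parts = urlsplit(raw_url)
    return {
        "received_at": received_at.astimezone(timezone.utc).isoformat(),
        "source": source,
        "host": parts.hostname or "",
        "defanged_url": defang_url(raw_url),
        "sha256_of_original": digest,
    }


def format_entry(record: dict) -> str:
    """Render a record as 'key: value' lines suitable for a plain-text log."""
    return "\n".join(f"{key}: {value}" for key, value in record.items())


if __name__ == "__main__":
    # Constructed sample: a phishing-style link received by SMS after a breach.
    sample_link = "https://secure-login.example.net/verify?acct=12345"
    when = datetime(2025, 3, 4, 9, 30, tzinfo=timezone.utc)
    entry = evidence_record(sample_link, when, "SMS from unknown number")
    print(format_entry(entry))
    # Sanity check: the defanged text still round-trips to the original.
    assert refang_url(entry["defanged_url"]) == sample_link
```

Append the printed block to the timeline you are keeping for the OAIC; the fingerprint lets the organisation or investigator verify the link against their own copy without either side re-sending it in clickable form.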

Step 3: Lodge Your Complaint With the OAIC

Once you've given the organisation 30 days and gathered evidence, you can lodge a formal complaint. There are three main ways:

  1. Online form — the Privacy Complaint Form at oaic.gov.au is the fastest method and walks you through every required field.
  2. Post or email — download the PDF form and send it to the OAIC's GPO Box in Sydney, or email enquiries@oaic.gov.au.
  3. Phone — call 1300 363 992 for assistance if you have accessibility needs or difficulty using the form.

What the Form Asks For

You'll need to provide:

  • Your contact details (the OAIC generally won't accept anonymous complaints)
  • The full name of the organisation you're complaining about
  • A description of what happened, in chronological order
  • Which APPs you believe were breached (you don't have to be a lawyer — plain English is fine)
  • Evidence of your prior complaint to the organisation
  • The outcome you're seeking
  • Whether you've complained to any other body about the same issue

Step 4: What Happens After You Lodge

The OAIC's process is structured but can be slow. Here's what to expect at each stage:

Stage | Typical timeframe | What happens
Acknowledgement | 1–2 weeks | You receive a reference number and confirmation of receipt.
Initial assessment | 1–3 months | OAIC checks jurisdiction, whether you complained to the entity first, and whether the matter has substance.
Conciliation | 3–9 months | OAIC facilitates a negotiated resolution between you and the organisation.
Formal investigation | 6–18 months | If conciliation fails and the matter is significant, the Commissioner can investigate and make a determination.
Determination | 12–24+ months total | A binding decision under section 52, potentially including compensation orders.

Conciliation Is the Most Likely Outcome

The vast majority of OAIC complaints are resolved through conciliation rather than formal determination. This is essentially a structured negotiation where the OAIC helps both sides reach an agreed outcome — which may include an apology, deletion of records, a process change, staff training, or financial compensation.

Possible Outcomes and Compensation

Under section 52 of the Privacy Act, the Commissioner can make a determination that the organisation:

  • Has interfered with your privacy and must not repeat the conduct
  • Must take specified steps to redress the harm (such as deleting data or correcting records)
  • Must pay you compensation for economic and non-economic loss, including hurt feelings

Compensation amounts vary widely. Historical determinations have ranged from a few thousand dollars for distress to tens of thousands where significant financial loss or serious emotional harm was proven. The landmark 'EQ' and Great Barrier Reef Marine Park Authority case set important precedents around non-economic loss, while large-scale data breach class actions have begun pushing potential remedies into much higher territory.

Notifiable Data Breaches: A Different Process

If you're an organisation that has suffered a data breach (rather than an individual reporting one against an organisation), you have separate obligations under the Notifiable Data Breaches (NDB) scheme. Eligible breaches must be reported to the OAIC and affected individuals as soon as practicable — and in any case within 30 days of becoming aware.

What Counts as an Eligible Data Breach

An eligible data breach occurs when:

  1. There is unauthorised access to, disclosure of, or loss of personal information held by the entity
  2. The access, disclosure or loss is likely to result in serious harm to one or more individuals
  3. The entity has not been able to prevent that serious harm through remedial action

Serious harm can include identity theft, financial fraud, physical safety threats, reputational damage, or significant psychological harm. Penalties for non-compliance increased dramatically in late 2022, with maximum civil penalties for serious or repeated interferences now reaching $50 million, three times the benefit obtained, or 30% of adjusted turnover — whichever is greater.

Practical Tips for a Strong Complaint

Based on patterns in published OAIC case notes and determinations, complaints tend to succeed when they:

  • Identify specific APPs. Cite which Australian Privacy Principle (APP 1 through 13) you believe was breached and why.
  • Stay factual. Emotional language is understandable but undermines credibility. Stick to what happened, with dates.
  • Quantify harm. Specific losses ($X spent on credit monitoring, Y hours dealing with fraud, medical certificates for stress) are far more persuasive than general claims.
  • Propose a reasonable remedy. Complaints that suggest a proportionate outcome are easier to conciliate than open-ended demands.
  • Respond promptly to OAIC correspondence. Delays on your side slow everything down.

Protecting Yourself After a Breach

While the complaint process runs, take immediate steps to limit further damage:

  1. Change passwords on the affected service and any account that reused the same password
  2. Enable multi-factor authentication everywhere it's offered
  3. Place a credit ban with Equifax, Experian and illion (free for 21 days, extendable)
  4. Watch for phishing — scammers often exploit recent breaches with targeted messages
  5. Use encrypted DNS and a privacy-focused browser to reduce passive tracking
  6. Report identity theft to IDCARE (1800 595 160), Australia's free national identity support service

For more on choosing tools that respect your data, see our guides on privacy-respecting link services and our 2026 buyer's guide to URL shorteners, which evaluates how different providers handle click data and personal information.

When to Get Legal Help

Most OAIC complaints don't require a lawyer, but consider professional advice if:

  • The breach caused substantial financial loss or identifiable harm
  • You're considering joining or starting a representative complaint (class action equivalent)
  • The organisation has refused to engage and you're heading toward a formal determination
  • The matter overlaps with defamation, discrimination or workplace law

Community Legal Centres Australia, Legal Aid in your state, and the Australian Privacy Foundation can point you to affordable or pro bono assistance.

Frequently Asked Questions

How long do I have to lodge an OAIC complaint?

There is no strict statutory deadline, but the Commissioner can decline to investigate complaints made more than 12 months after you became aware of the conduct. Lodge as soon as practical after the organisation's 30-day response window — delays make evidence harder to gather and weaken your case.

Does it cost anything to complain to the OAIC?

No. Lodging a privacy complaint with the OAIC is completely free. You don't need a lawyer, and the OAIC will not charge fees at any stage of the process, including conciliation or formal determination.

Can I complain anonymously?

Generally no — the OAIC needs to contact you to investigate and to facilitate any remedy. However, you can request that your identity not be disclosed to the respondent organisation in certain circumstances, particularly where there is a risk of retaliation. You can also report concerns to the OAIC's tip-off line without lodging a formal complaint.

What if the organisation is overseas?

The Privacy Act applies extraterritorially to organisations that carry on business in Australia and collect or hold personal information here. Major global platforms (Meta, Google, Amazon and similar) fall within OAIC jurisdiction. For smaller foreign entities with no Australian presence, enforcement is more difficult and you may need to complain to a regulator in their home country.

Will I definitely get compensation?

No. Most complaints resolve through conciliation with non-monetary outcomes such as apologies, deletion of data, or process changes. Compensation is awarded where you can demonstrate actual harm — financial loss, identity theft, or significant emotional distress backed by evidence such as medical records. Strong documentation is the single biggest factor in whether compensation is achievable.

Can I take the matter to court instead?

The Privacy Act doesn't currently give individuals a direct right of action in court for a privacy breach — you generally must go through the OAIC first. However, recent reforms have introduced a statutory tort for serious invasions of privacy, which over time will expand court-based options. Representative complaints and class actions under other causes of action (such as breach of confidence or negligence) remain available in parallel.

Final Thoughts

The OAIC complaints process is not fast, but it is one of the most accessible privacy enforcement mechanisms in the world — free, no lawyer required, and capable of delivering meaningful remedies including compensation. The keys to success are simple: complain to the organisation first, document everything, identify the specific privacy principles you believe were breached, and quantify the harm you've suffered. With a well-prepared complaint and reasonable patience, you stand a strong chance of holding Australian organisations accountable for how they handle your personal information.
