OAIC Complaints: How to Report a Privacy Breach in Australia
If an Australian business, government agency, or organisation has mishandled your personal information, you have the right to complain to the Office of the Australian Information Commissioner (OAIC). This guide walks you through the entire process — from identifying whether a breach has actually occurred, to preparing your evidence, lodging your complaint, and following up until the matter is resolved.
What Is the OAIC and When Can You Complain?
The Office of the Australian Information Commissioner (OAIC) is the independent national regulator responsible for privacy and freedom of information in Australia. It enforces the Privacy Act 1988 and its 13 Australian Privacy Principles (APPs), which govern how organisations collect, store, use, and disclose personal information.
You can complain to the OAIC when you believe an entity covered by the Privacy Act has breached your privacy — for example, by leaking your data, sharing it without consent, refusing to give you access to your own records, or failing to secure it properly.
Who the Privacy Act Covers
- Australian Government agencies
- Private sector organisations with an annual turnover above A$3 million
- All private health service providers (regardless of turnover)
- Credit reporting bodies and credit providers
- Tax File Number (TFN) recipients
- Some small businesses that trade in personal information or contract with government
Who Is Generally Not Covered
- Most small businesses with turnover under A$3 million
- State and territory government agencies (these are covered by state-based privacy regulators)
- Individuals acting in a personal capacity
- Registered political parties and political acts
- Media organisations acting in the course of journalism
What Counts as a Privacy Breach?
A privacy breach occurs when personal information is accessed, disclosed, altered, lost, or destroyed in a way that contravenes the Australian Privacy Principles. Not every mistake is a formal breach — but many everyday incidents qualify.
Common Examples of Reportable Breaches
- Data leaks and cyber incidents — hackers accessing customer databases, ransomware exposing files, or misconfigured cloud storage.
- Unauthorised disclosure — an employee sending your details to the wrong recipient, or sharing information with third parties without consent.
- Excessive collection — an organisation demanding personal data (such as ID documents) that it does not reasonably need.
- Refusal of access or correction — an entity refusing to let you see or correct the personal information it holds about you.
- Direct marketing without opt-out — being spammed after you have unsubscribed or never consented.
- Poor security — records left in a public bin, unencrypted laptops lost in transit, or weak account controls.
Step 1: Complain Directly to the Organisation First
Before the OAIC will investigate, it generally expects you to give the organisation an opportunity to fix the problem. This is a mandatory first step in almost all cases.
How to Lodge an Internal Complaint
- Locate the entity's privacy policy — it must include contact details for its Privacy Officer.
- Write a clear complaint in writing (email is ideal for the paper trail). State what happened, when, what information was involved, and the outcome you want.
- Ask for a written response within 30 days. This is the statutory window the OAIC uses as a benchmark.
- Keep copies of everything — the original complaint, any acknowledgements, and the final response.
If the organisation ignores you, refuses to engage, or gives an unsatisfactory response after 30 days, you can escalate to the OAIC.
Step 2: Prepare Your Evidence
A well-documented complaint is dramatically more likely to lead to a fast, favourable outcome. The OAIC assesses on the balance of probabilities, so evidence matters.
What to Gather Before Lodging
- A timeline of events with specific dates and times
- Copies of relevant emails, letters, screenshots, or SMS messages
- The organisation's privacy policy at the time of the incident
- Copies of your internal complaint and the entity's response
- Evidence of harm — financial loss, distress, identity theft attempts, unwanted contact
- Names and roles of any staff you dealt with
When capturing web-based evidence, save full-page screenshots including the URL and timestamp. If you need to share long or sensitive links in your complaint, tools like Lunyb can help you generate clean, trackable short links so investigators can see exactly when evidence was accessed. Never share evidence via a public paste site.
Step 3: Lodge Your Complaint With the OAIC
Once you have exhausted internal channels (or waited 30 days), you can formally complain to the OAIC. There is no fee.
Lodgement Methods
| Method | Details | Best For |
|---|---|---|
| Online form | Available at oaic.gov.au — the fastest option | Most individuals |
| enquiries@oaic.gov.au with the complaint form attached | Complex complaints with many attachments | |
| Post | GPO Box 5288, Sydney NSW 2001 | Those without reliable internet access |
| Phone | 1300 363 992 (for enquiries and assistance) | Getting guidance before you lodge |
Information Required on the Form
- Your full name and contact details
- The name of the organisation you're complaining about
- A clear description of what happened
- The date of the incident and when you became aware of it
- What you did to resolve it directly with the organisation
- The outcome you are seeking (apology, correction, compensation, systemic change)
- Supporting documents
Step 4: What Happens After You Lodge
The OAIC follows a structured process. Understanding the stages helps you set realistic expectations — investigations can take weeks or many months depending on complexity.
The Investigation Pathway
- Acknowledgement (within days) — the OAIC confirms receipt and assigns a case number.
- Assessment — a case officer decides whether the complaint falls within jurisdiction and has substance.
- Early resolution — many complaints are settled quickly through informal negotiation between you and the organisation, facilitated by the OAIC.
- Conciliation — for tougher cases, the OAIC may run a formal conciliation conference (often by phone).
- Formal investigation — the Commissioner can compel documents, interview staff, and make binding determinations.
- Determination — orders can include declarations, compensation, and requirements to change practices.
Possible Outcomes
- A written apology from the organisation
- Correction or deletion of your personal information
- Financial compensation for economic loss or non-economic damage (such as distress)
- Enforceable undertakings requiring the entity to change its systems
- Civil penalty proceedings for serious or repeated interferences with privacy
Notifiable Data Breaches: A Separate but Related Scheme
The Notifiable Data Breaches (NDB) scheme obliges covered entities to notify both affected individuals and the OAIC when an eligible data breach occurs — one likely to result in serious harm.
What Triggers a Notification
- Unauthorised access, disclosure, or loss of personal information
- The breach is likely to result in serious harm (financial, physical, reputational, emotional)
- The organisation cannot prevent the risk of harm through remedial action
If you receive a data breach notification letter, keep it. It is powerful evidence for any later OAIC complaint about the same incident, and it may trigger your entitlement to remediation such as free credit monitoring.
Protecting Yourself After a Breach
Filing a complaint is important, but you should also act quickly to limit the damage. Australian Cyber Security Centre (ACSC) and IDCARE guidance recommends a layered response.
Immediate Actions
- Change passwords on any affected accounts and enable multi-factor authentication
- Place a temporary credit ban with Equifax, Experian, and illion (free for 21 days, renewable)
- Contact IDCARE (1800 595 160) for free identity recovery support
- Watch your bank and superannuation accounts for unusual activity
- Be cautious of follow-up phishing emails and calls referencing the breach
Long-Term Privacy Hygiene
- Use a reputable password manager with unique passwords for every service
- Turn on encrypted DNS (DNS-over-HTTPS) in your browser or router
- Prefer privacy-respecting browsers and search engines
- Audit which apps and websites hold your data, and delete accounts you no longer use
- When sharing links, use a shortener like Lunyb that doesn't attach invasive third-party tracking to the destination
For more on evaluating link tools before you trust them with your traffic, our 2026 buyer's guide to URL shorteners and our honest review of Lunyb are useful starting points.
When the OAIC Isn't the Right Body
Not every privacy grievance belongs with the federal regulator. Sending your complaint to the wrong agency wastes time and can hurt any deadlines.
| Issue | Correct Body |
|---|---|
| State government agency (e.g. NSW Health) | State privacy regulator (IPC NSW, OVIC in Vic, etc.) |
| Spam SMS or email | Australian Communications and Media Authority (ACMA) |
| Do Not Call Register violations | ACMA |
| Consumer/product complaints | ACCC or state fair trading |
| Telecommunications provider | Telecommunications Industry Ombudsman (TIO), then OAIC |
| Credit reporting disputes | Try the credit body first, then OAIC or AFCA |
| Small business under A$3m turnover | Usually not covered — try fair trading or civil action |
Tips for a Successful OAIC Complaint
- Be concise and factual — case officers handle huge caseloads. Lead with what happened, then evidence, then what you want.
- Cite the APPs where you can — pointing to APP 6 (use and disclosure) or APP 11 (security) shows you've done your homework.
- Quantify harm — even non-financial harm like anxiety, embarrassment, or lost time strengthens compensation claims.
- Be realistic about remedies — the OAIC rarely awards large sums, but even A$3,000–A$20,000 for serious distress is possible in determinations.
- Respond promptly — if a case officer asks for more information, reply within their deadline or the file may be closed.
- Consider representation — for complex or high-value complaints, a privacy lawyer or community legal centre can help.
Frequently Asked Questions
How long do I have to lodge an OAIC complaint?
The OAIC generally expects complaints to be lodged within 12 months of you becoming aware of the issue. Older complaints can still be accepted if you have a good reason for the delay, but timeliness always helps.
Does it cost anything to complain to the OAIC?
No. Lodging a complaint, participating in conciliation, and receiving a determination are all free. You would only incur costs if you chose to hire a lawyer or pursue court proceedings independently.
Can I get compensation for a privacy breach?
Yes. The Commissioner can order compensation for both economic loss (such as fraudulent charges you had to reverse) and non-economic loss (such as distress, humiliation, or anxiety). Amounts vary widely but recent determinations range from a few hundred dollars to tens of thousands per person.
Will my name be shared with the organisation?
In most cases, yes — the OAIC needs to identify you to the entity so it can investigate and respond. If you have safety concerns (for example, in domestic violence contexts), tell the OAIC upfront and they can discuss protective options.
What if the organisation is overseas?
The Privacy Act has extraterritorial reach. If a foreign business collects personal information from Australians (for example, an overseas online retailer), it can still be subject to the Act and the OAIC's jurisdiction. Enforcement is harder in practice, but complaints are still worth lodging.
Final Thoughts
Reporting a privacy breach to the OAIC is one of the most powerful consumer rights Australians have — and it's underused. Even if your individual outcome is modest, complaints drive systemic change: they trigger investigations, feed the OAIC's regulatory priorities, and can lead to civil penalties against repeat offenders. Take the time to complain internally first, document everything thoroughly, and lodge a clear, evidence-backed complaint. The system works best when the people it protects actually use it.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
ePrivacy Regulations Ireland: Latest Updates for 2026
Ireland's ePrivacy rules govern cookies, tracking, and electronic marketing alongside the GDPR. This 2026 guide covers the latest DPC guidance, enforcement trends, and a practical compliance checklist for Irish businesses.
How Canadian Businesses Should Handle Data Privacy in 2026
Canadian businesses face a growing web of privacy obligations under PIPEDA, Quebec's Law 25, provincial laws, and the upcoming CPPA. This practical guide covers everything from data mapping and consent to breach response and cross-border transfers.
GDPR in Ireland: Your Privacy Rights Explained
A complete plain-English guide to your GDPR rights in Ireland, from Subject Access Requests to complaint procedures with the Data Protection Commission. Learn what businesses must do, how to protect your data, and how to enforce your rights.
UK Data Protection Act vs GDPR Explained: Key Differences in 2026
The UK Data Protection Act 2018 and the GDPR share the same DNA but diverge in important ways. This guide explains the key differences, overlaps, and what UK businesses must do to comply in 2026.