facebook-pixel

OAIC Complaints: How to Report a Privacy Breach in Australia

L
Lunyb Security Team
··9 min read

If an Australian business, government agency, or organisation has mishandled your personal information, you have the right to complain to the Office of the Australian Information Commissioner (OAIC). This guide walks you through the entire process — from identifying whether a breach has actually occurred, to preparing your evidence, lodging your complaint, and following up until the matter is resolved.

What Is the OAIC and When Can You Complain?

The Office of the Australian Information Commissioner (OAIC) is the independent national regulator responsible for privacy and freedom of information in Australia. It enforces the Privacy Act 1988 and its 13 Australian Privacy Principles (APPs), which govern how organisations collect, store, use, and disclose personal information.

You can complain to the OAIC when you believe an entity covered by the Privacy Act has breached your privacy — for example, by leaking your data, sharing it without consent, refusing to give you access to your own records, or failing to secure it properly.

Who the Privacy Act Covers

  • Australian Government agencies
  • Private sector organisations with an annual turnover above A$3 million
  • All private health service providers (regardless of turnover)
  • Credit reporting bodies and credit providers
  • Tax File Number (TFN) recipients
  • Some small businesses that trade in personal information or contract with government

Who Is Generally Not Covered

  • Most small businesses with turnover under A$3 million
  • State and territory government agencies (these are covered by state-based privacy regulators)
  • Individuals acting in a personal capacity
  • Registered political parties and political acts
  • Media organisations acting in the course of journalism

What Counts as a Privacy Breach?

A privacy breach occurs when personal information is accessed, disclosed, altered, lost, or destroyed in a way that contravenes the Australian Privacy Principles. Not every mistake is a formal breach — but many everyday incidents qualify.

Common Examples of Reportable Breaches

  1. Data leaks and cyber incidents — hackers accessing customer databases, ransomware exposing files, or misconfigured cloud storage.
  2. Unauthorised disclosure — an employee sending your details to the wrong recipient, or sharing information with third parties without consent.
  3. Excessive collection — an organisation demanding personal data (such as ID documents) that it does not reasonably need.
  4. Refusal of access or correction — an entity refusing to let you see or correct the personal information it holds about you.
  5. Direct marketing without opt-out — being spammed after you have unsubscribed or never consented.
  6. Poor security — records left in a public bin, unencrypted laptops lost in transit, or weak account controls.

Step 1: Complain Directly to the Organisation First

Before the OAIC will investigate, it generally expects you to give the organisation an opportunity to fix the problem. This is a mandatory first step in almost all cases.

How to Lodge an Internal Complaint

  1. Locate the entity's privacy policy — it must include contact details for its Privacy Officer.
  2. Write a clear complaint in writing (email is ideal for the paper trail). State what happened, when, what information was involved, and the outcome you want.
  3. Ask for a written response within 30 days. This is the statutory window the OAIC uses as a benchmark.
  4. Keep copies of everything — the original complaint, any acknowledgements, and the final response.

If the organisation ignores you, refuses to engage, or gives an unsatisfactory response after 30 days, you can escalate to the OAIC.

Step 2: Prepare Your Evidence

A well-documented complaint is dramatically more likely to lead to a fast, favourable outcome. The OAIC assesses on the balance of probabilities, so evidence matters.

What to Gather Before Lodging

  • A timeline of events with specific dates and times
  • Copies of relevant emails, letters, screenshots, or SMS messages
  • The organisation's privacy policy at the time of the incident
  • Copies of your internal complaint and the entity's response
  • Evidence of harm — financial loss, distress, identity theft attempts, unwanted contact
  • Names and roles of any staff you dealt with

When capturing web-based evidence, save full-page screenshots including the URL and timestamp. If you need to share long or sensitive links in your complaint, tools like Lunyb can help you generate clean, trackable short links so investigators can see exactly when evidence was accessed. Never share evidence via a public paste site.

Step 3: Lodge Your Complaint With the OAIC

Once you have exhausted internal channels (or waited 30 days), you can formally complain to the OAIC. There is no fee.

Lodgement Methods

MethodDetailsBest For
Online formAvailable at oaic.gov.au — the fastest optionMost individuals
Emailenquiries@oaic.gov.au with the complaint form attachedComplex complaints with many attachments
PostGPO Box 5288, Sydney NSW 2001Those without reliable internet access
Phone1300 363 992 (for enquiries and assistance)Getting guidance before you lodge

Information Required on the Form

  1. Your full name and contact details
  2. The name of the organisation you're complaining about
  3. A clear description of what happened
  4. The date of the incident and when you became aware of it
  5. What you did to resolve it directly with the organisation
  6. The outcome you are seeking (apology, correction, compensation, systemic change)
  7. Supporting documents

Step 4: What Happens After You Lodge

The OAIC follows a structured process. Understanding the stages helps you set realistic expectations — investigations can take weeks or many months depending on complexity.

The Investigation Pathway

  1. Acknowledgement (within days) — the OAIC confirms receipt and assigns a case number.
  2. Assessment — a case officer decides whether the complaint falls within jurisdiction and has substance.
  3. Early resolution — many complaints are settled quickly through informal negotiation between you and the organisation, facilitated by the OAIC.
  4. Conciliation — for tougher cases, the OAIC may run a formal conciliation conference (often by phone).
  5. Formal investigation — the Commissioner can compel documents, interview staff, and make binding determinations.
  6. Determination — orders can include declarations, compensation, and requirements to change practices.

Possible Outcomes

  • A written apology from the organisation
  • Correction or deletion of your personal information
  • Financial compensation for economic loss or non-economic damage (such as distress)
  • Enforceable undertakings requiring the entity to change its systems
  • Civil penalty proceedings for serious or repeated interferences with privacy

Notifiable Data Breaches: A Separate but Related Scheme

The Notifiable Data Breaches (NDB) scheme obliges covered entities to notify both affected individuals and the OAIC when an eligible data breach occurs — one likely to result in serious harm.

What Triggers a Notification

  1. Unauthorised access, disclosure, or loss of personal information
  2. The breach is likely to result in serious harm (financial, physical, reputational, emotional)
  3. The organisation cannot prevent the risk of harm through remedial action

If you receive a data breach notification letter, keep it. It is powerful evidence for any later OAIC complaint about the same incident, and it may trigger your entitlement to remediation such as free credit monitoring.

Protecting Yourself After a Breach

Filing a complaint is important, but you should also act quickly to limit the damage. Australian Cyber Security Centre (ACSC) and IDCARE guidance recommends a layered response.

Immediate Actions

  • Change passwords on any affected accounts and enable multi-factor authentication
  • Place a temporary credit ban with Equifax, Experian, and illion (free for 21 days, renewable)
  • Contact IDCARE (1800 595 160) for free identity recovery support
  • Watch your bank and superannuation accounts for unusual activity
  • Be cautious of follow-up phishing emails and calls referencing the breach

Long-Term Privacy Hygiene

  • Use a reputable password manager with unique passwords for every service
  • Turn on encrypted DNS (DNS-over-HTTPS) in your browser or router
  • Prefer privacy-respecting browsers and search engines
  • Audit which apps and websites hold your data, and delete accounts you no longer use
  • When sharing links, use a shortener like Lunyb that doesn't attach invasive third-party tracking to the destination

For more on evaluating link tools before you trust them with your traffic, our 2026 buyer's guide to URL shorteners and our honest review of Lunyb are useful starting points.

When the OAIC Isn't the Right Body

Not every privacy grievance belongs with the federal regulator. Sending your complaint to the wrong agency wastes time and can hurt any deadlines.

IssueCorrect Body
State government agency (e.g. NSW Health)State privacy regulator (IPC NSW, OVIC in Vic, etc.)
Spam SMS or emailAustralian Communications and Media Authority (ACMA)
Do Not Call Register violationsACMA
Consumer/product complaintsACCC or state fair trading
Telecommunications providerTelecommunications Industry Ombudsman (TIO), then OAIC
Credit reporting disputesTry the credit body first, then OAIC or AFCA
Small business under A$3m turnoverUsually not covered — try fair trading or civil action

Tips for a Successful OAIC Complaint

  1. Be concise and factual — case officers handle huge caseloads. Lead with what happened, then evidence, then what you want.
  2. Cite the APPs where you can — pointing to APP 6 (use and disclosure) or APP 11 (security) shows you've done your homework.
  3. Quantify harm — even non-financial harm like anxiety, embarrassment, or lost time strengthens compensation claims.
  4. Be realistic about remedies — the OAIC rarely awards large sums, but even A$3,000–A$20,000 for serious distress is possible in determinations.
  5. Respond promptly — if a case officer asks for more information, reply within their deadline or the file may be closed.
  6. Consider representation — for complex or high-value complaints, a privacy lawyer or community legal centre can help.

Frequently Asked Questions

How long do I have to lodge an OAIC complaint?

The OAIC generally expects complaints to be lodged within 12 months of you becoming aware of the issue. Older complaints can still be accepted if you have a good reason for the delay, but timeliness always helps.

Does it cost anything to complain to the OAIC?

No. Lodging a complaint, participating in conciliation, and receiving a determination are all free. You would only incur costs if you chose to hire a lawyer or pursue court proceedings independently.

Can I get compensation for a privacy breach?

Yes. The Commissioner can order compensation for both economic loss (such as fraudulent charges you had to reverse) and non-economic loss (such as distress, humiliation, or anxiety). Amounts vary widely but recent determinations range from a few hundred dollars to tens of thousands per person.

Will my name be shared with the organisation?

In most cases, yes — the OAIC needs to identify you to the entity so it can investigate and respond. If you have safety concerns (for example, in domestic violence contexts), tell the OAIC upfront and they can discuss protective options.

What if the organisation is overseas?

The Privacy Act has extraterritorial reach. If a foreign business collects personal information from Australians (for example, an overseas online retailer), it can still be subject to the Act and the OAIC's jurisdiction. Enforcement is harder in practice, but complaints are still worth lodging.

Final Thoughts

Reporting a privacy breach to the OAIC is one of the most powerful consumer rights Australians have — and it's underused. Even if your individual outcome is modest, complaints drive systemic change: they trigger investigations, feed the OAIC's regulatory priorities, and can lead to civil penalties against repeat offenders. Take the time to complain internally first, document everything thoroughly, and lodge a clear, evidence-backed complaint. The system works best when the people it protects actually use it.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles