facebook-pixel

OAIC Complaints: How to Report a Privacy Breach in Australia

L
Lunyb Security Team
··11 min read

If an Australian organisation has mishandled your personal information, you have the right to complain to the Office of the Australian Information Commissioner (OAIC). Whether it's a data breach, unwanted marketing, or refusal to give you access to your own records, the OAIC is the federal regulator that investigates privacy breaches under the Privacy Act 1988. This guide walks you through exactly how to report a privacy breach, what evidence you need, and what happens after you lodge a complaint.

What Is the OAIC and When Can You Complain?

The Office of the Australian Information Commissioner (OAIC) is the independent statutory agency that oversees privacy and freedom of information at the federal level in Australia. It enforces the 13 Australian Privacy Principles (APPs), investigates data breaches under the Notifiable Data Breaches (NDB) scheme, and handles complaints against Australian Government agencies and most private-sector organisations with an annual turnover above $3 million.

You can generally complain to the OAIC if you believe your personal information has been:

  • Collected unfairly, unlawfully, or without proper notice
  • Used or disclosed for a purpose you didn't agree to
  • Stored insecurely and exposed in a data breach
  • Accessed by staff without a legitimate reason
  • Refused when you asked for a copy of your own records
  • Kept inaccurate or out of date and the organisation refuses to correct it

The OAIC does not handle every complaint. State government agencies, small businesses under the turnover threshold, employee records held by your current employer, and media organisations acting journalistically often fall outside its remit. In those cases, state privacy regulators (like the NSW IPC or OVIC in Victoria) may be the correct pathway.

Common Types of Privacy Breaches You Can Report

Understanding what constitutes a reportable breach helps you frame your complaint and gather the right evidence.

1. Notifiable Data Breaches

Under the NDB scheme, any organisation covered by the Privacy Act must notify affected individuals and the OAIC when a data breach is likely to result in serious harm. Examples include leaked customer databases, ransomware attacks exposing health records, or misdirected emails containing Tax File Numbers.

2. Unauthorised Disclosure

This includes a bank employee looking up an ex-partner's account, a hospital sharing your records with a third party without consent, or a telco sending your details to a debt collector for a debt that isn't yours.

3. Direct Marketing Without Consent

Receiving marketing SMS or emails without a working opt-out, or after you've unsubscribed, breaches APP 7. Unsolicited electronic marketing is also covered by the Spam Act, enforced by ACMA.

4. Refusal of Access or Correction Requests

Under APPs 12 and 13, you have a right to access and correct your personal information. Unreasonable delays, excessive fees, or outright refusals can be complained about.

5. Credit Reporting Breaches

Errors on your credit file, incorrect default listings, or credit providers accessing your file without permission fall under Part IIIA of the Privacy Act and are handled by the OAIC.

Step 1: Complain Directly to the Organisation First

The OAIC will almost always require you to complain to the organisation first before it accepts your complaint. This is a mandatory step, and organisations have 30 days to respond.

  1. Find the right contact. Every APP entity must publish a privacy policy naming a Privacy Officer or contact point. Look for it in the website footer.
  2. Put it in writing. Email is best because it creates a timestamped record. State clearly that you are making a formal privacy complaint.
  3. Describe what happened. Include dates, account numbers, staff names if known, and the personal information involved.
  4. State what you want. An apology, deletion of records, compensation, staff training, or a systemic fix. Being specific helps.
  5. Set a deadline. Ask for a substantive response within 30 days, as required under OAIC guidelines.

Keep copies of everything. If the organisation doesn't respond, responds inadequately, or takes longer than 30 days, you can escalate.

Step 2: Lodging Your Complaint With the OAIC

Once the internal process has failed or 30 days have passed, you can lodge a formal complaint with the OAIC.

How to Submit

The OAIC accepts complaints through several channels:

  • Online form: The fastest method, available at oaic.gov.au
  • Email: enquiries@oaic.gov.au with a completed privacy complaint form attached
  • Post: GPO Box 5288, Sydney NSW 2001
  • Phone: 1300 363 992 for guidance, though formal complaints must be in writing

What to Include

A strong complaint contains:

  1. Your full name and contact details
  2. The name of the organisation you're complaining about
  3. A clear chronology of what happened, with dates
  4. The specific Australian Privacy Principle you believe was breached (if you know)
  5. Copies of correspondence with the organisation showing you tried to resolve it directly
  6. Any supporting evidence: screenshots, emails, breach notification letters, medical reports if there's been harm
  7. The outcome you are seeking

Time Limits

You generally have 12 months from when you became aware of the breach to lodge a complaint. The OAIC can extend this in exceptional circumstances, but delays weaken your case.

Step 3: What Happens After You Lodge

The OAIC's process is designed to resolve most complaints through conciliation rather than formal determinations. Here's what typically happens:

  1. Acknowledgement - You'll receive confirmation within a few business days.
  2. Preliminary assessment - An officer reviews whether the complaint falls within jurisdiction and has substance. This can take several weeks.
  3. Referral back if needed - If you haven't complained to the organisation first, the OAIC will usually pause your complaint and ask you to do so.
  4. Conciliation - The OAIC facilitates a resolution between you and the organisation. This might involve an apology, compensation, or changes to practices.
  5. Investigation - If conciliation fails or the breach is serious, the Commissioner may launch a formal investigation.
  6. Determination - In rare cases, the Commissioner issues a legally binding determination, which can include compensation orders and require the organisation to change its practices.

Most complaints resolve within 6 to 12 months, though complex matters can take longer.

OAIC Complaint Outcomes: What You Can Expect

Outcome When It Applies What You Get
Conciliated settlement Both parties agree to a resolution Apology, deletion, compensation (usually $500-$20,000)
Declined complaint No breach found or outside jurisdiction Written explanation; no further action
Formal determination Serious or unresolved breaches Legally binding orders, potential compensation
Civil penalty proceedings Serious or repeated interference with privacy Federal Court penalties up to $50 million per breach
Enforceable undertaking Organisation commits to reforms Public commitment to fix systemic issues

Evidence That Strengthens Your Complaint

The OAIC assesses complaints on the balance of probabilities, so documentary evidence matters. Strong complaints usually include:

  • Data breach notification letters - Keep the original letter or email you received
  • Screenshots with timestamps - Of unauthorised marketing messages, exposed data, or online records
  • Correspondence trail - Your original complaint to the organisation and their responses
  • Financial evidence - Bank statements showing fraud or costs incurred as a result of the breach
  • Medical or psychological reports - If the breach caused emotional distress or health impact
  • Witness statements - From family or colleagues who saw the impact firsthand

When sharing evidence electronically, avoid pasting long, ugly links that expose account IDs or tokens. Tools like Lunyb can help you create tidy, trackable links to hosted documents without leaking metadata in the URL itself. If you're unsure whether Lunyb suits your needs, this honest Lunyb review covers what it does and doesn't do.

What If Your Complaint Is Rejected?

The OAIC can decline complaints for several reasons: no interference with privacy occurred, the complaint is frivolous, more than 12 months have passed, or the matter is being handled by another body. If your complaint is declined, you have options:

  1. Request internal review - Ask the OAIC to reconsider based on new information
  2. Apply to the AAT - The Administrative Appeals Tribunal (now the Administrative Review Tribunal) can review certain OAIC decisions
  3. Federal Court proceedings - For breaches involving credit reporting or tax file numbers, direct court action may be possible
  4. State regulators - If the matter falls under state jurisdiction, refer it to the relevant state privacy commissioner
  5. Industry ombudsman - Telco complaints can go to TIO, banking to AFCA, health to state health complaints commissioners

Preventing Future Privacy Breaches

While regulatory complaints are important, prevention protects you better than post-incident enforcement. Consider these practical steps:

  • Minimise data sharing. Give organisations only the information they legally need. Question requests for driver's licence numbers, dates of birth, or Medicare details.
  • Use encrypted DNS and modern browsers. Firefox, Brave, and Safari now offer built-in tracking protection and encrypted DNS to reduce network-level data leakage.
  • Enable multi-factor authentication. Most breaches involve credential stuffing; MFA blocks the majority of these.
  • Freeze your credit file. Australians can place a credit ban with Equifax, Experian and illion at no cost, preventing new accounts being opened fraudulently after a breach.
  • Use unique aliases. Email aliases (like +tag addresses or services such as SimpleLogin) let you identify which company leaked your address.
  • Audit app permissions quarterly. Revoke access for apps you no longer use.

If you run a business handling shared links or campaign URLs, use a privacy-respecting link management tool and review its data handling practices. Our 2026 buyer's guide to URL shorteners compares vendors on privacy grounds, and this Rebrandly review looks at one of the market leaders in detail.

Real-World Examples of OAIC Action

Recent OAIC determinations show the regulator's growing appetite for enforcement:

  • Medibank (2022 breach) - The OAIC launched civil penalty proceedings in the Federal Court after the health records of 9.7 million customers were exposed. Potential penalties run into the hundreds of millions of dollars.
  • Optus (2022 breach) - Under investigation for the exposure of nearly 10 million customer records, with civil penalty proceedings and regulatory reviews ongoing.
  • 7-Eleven facial recognition case - The Commissioner determined that collecting facial images from customer feedback tablets breached APP 3, requiring the company to destroy the data and cease the practice.
  • Clearview AI - Ordered to stop collecting Australian faces from the web and destroy existing images, showing the OAIC's reach extends to foreign entities operating in Australia.

These cases demonstrate that individual complaints can trigger systemic change, not just personal remedies.

Frequently Asked Questions

How long does an OAIC complaint take?

Most complaints resolve within 6 to 12 months. Simple conciliated matters can conclude in a few months, while investigations leading to formal determinations may take 18 months or longer. Complex cases involving overseas entities or ongoing court proceedings can extend further.

Does it cost anything to complain to the OAIC?

No. Lodging a privacy complaint with the OAIC is free. You don't need a lawyer, though for serious breaches involving significant loss, legal advice can help you present a stronger case and calculate appropriate compensation.

Can I get compensation through the OAIC?

Yes. Compensation is typically negotiated during conciliation or ordered in a formal determination. Amounts commonly range from $500 for minor breaches to over $20,000 for serious incidents involving significant emotional distress, financial loss, or exposure of sensitive information like health or financial records.

What's the difference between an OAIC complaint and a class action?

An OAIC complaint is a free regulatory process focused on individual remedies and systemic reform. A class action is a court proceeding where a law firm represents many affected people, usually seeking larger financial damages. You can often participate in both simultaneously, though outcomes may affect each other. Class actions have followed both the Medibank and Optus breaches.

Can I complain anonymously?

You can raise concerns anonymously, but the OAIC generally cannot investigate a formal complaint without knowing who you are, because it needs to verify the breach affected you and communicate outcomes. However, the OAIC keeps your details confidential from the public and will only share necessary information with the organisation being investigated.

What if the organisation is based overseas?

The Privacy Act applies to overseas organisations that carry on business in Australia and collect personal information about Australians. The OAIC has successfully pursued foreign entities including Facebook and Clearview AI. Cross-border enforcement is slower, but the regulator does have jurisdiction.

Final Thoughts

Reporting a privacy breach to the OAIC is one of the most powerful consumer protections available under Australian law. The process rewards preparation: complain to the organisation first, document everything, understand which Australian Privacy Principle applies, and set realistic expectations about timelines. Even if your individual complaint doesn't yield a large settlement, it contributes to a body of evidence that shapes how the OAIC allocates resources and pursues systemic enforcement. In a landscape where breaches like Medibank and Optus have exposed the personal data of millions, every properly lodged complaint strengthens the accountability framework Australians increasingly rely on.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles