OAIC Complaints: How to Report a Privacy Breach in Australia
If your personal information has been mishandled by an Australian organisation, you have the right to complain to the Office of the Australian Information Commissioner (OAIC). This guide walks you through the entire OAIC complaints process for a privacy breach — from your first contact with the organisation, to lodging the formal complaint, to what happens once the Commissioner takes over.
What Is the OAIC?
The Office of the Australian Information Commissioner (OAIC) is the independent Commonwealth regulator that oversees privacy and freedom of information in Australia. It enforces the Privacy Act 1988, including the 13 Australian Privacy Principles (APPs) and the Notifiable Data Breaches (NDB) scheme.
The OAIC handles complaints against most Australian Government agencies, all private-sector organisations with an annual turnover above $3 million, health service providers of any size, credit reporting bodies, and certain small businesses that trade in personal information.
What Counts as a Privacy Breach?
A privacy breach — often called an "interference with privacy" under the Act — occurs when an APP entity handles your personal information in a way that breaches the Privacy Act. Common examples include:
- A company collecting information it did not need or told you it would not collect.
- An unauthorised disclosure of your details to a third party.
- A data breach where your information was lost, hacked, or emailed to the wrong recipient.
- Refusal to give you access to, or correct, your own personal information.
- Using your data for direct marketing without a valid opt-out.
- Mishandling of tax file numbers, health records, or credit information.
Before You Complain to the OAIC: Contact the Organisation First
The OAIC almost always requires you to complain directly to the organisation before it will accept your complaint. This is called giving the entity "a reasonable opportunity to respond," and the standard timeframe is 30 days.
Step 1: Identify the Right Contact
Every APP entity must have a clearly accessible privacy policy that names a privacy officer or contact channel. Look for:
- A "Privacy" link in the website footer.
- An email address such as privacy@company.com.au.
- A postal address for the Privacy Officer.
Step 2: Put Your Complaint in Writing
Even if the organisation offers a phone line, always follow up in writing. Include:
- Your full name and preferred contact details.
- A clear description of what happened, with dates.
- Which of the Australian Privacy Principles you believe were breached (if you know).
- The impact on you — financial, emotional, reputational.
- The outcome you want (apology, correction, deletion, compensation, changed practice).
Step 3: Wait 30 Days
If the organisation does not respond within 30 days, or the response is inadequate, you can escalate to the OAIC. Keep every email, letter, and file note — this becomes your evidence pack.
How to Lodge a Privacy Complaint with the OAIC
Once the 30-day window has passed, you can submit a formal complaint. The OAIC accepts complaints in four ways.
Online Form (Recommended)
Visit oaic.gov.au and use the Privacy Complaint Form. This is the fastest route and lets you attach supporting documents (PDFs, screenshots, correspondence). You'll receive an acknowledgement email with a reference number, usually within a few business days.
Post, Email, or Phone
- Post: GPO Box 5288, Sydney NSW 2001.
- Email: enquiries@oaic.gov.au (mark it as a formal complaint).
- Phone: 1300 363 992 — useful for accessibility support or if you need an interpreter.
What to Include in Your Complaint
The OAIC's assessors will move faster if your submission is well-organised. A strong complaint contains:
- Your details — full legal name, address, phone, and email.
- The respondent — the organisation's legal name and ABN if known.
- A chronological narrative — what happened, when, and who was involved.
- The alleged breach — reference specific APPs, the NDB scheme, or credit reporting provisions.
- Evidence — copies of your original complaint to the organisation, their response (or lack thereof), screenshots, and any breach notification you received.
- Harm suffered — describe financial loss, distress, identity theft risk, or lost opportunities.
- Desired resolution — be specific and realistic.
What Happens After You Lodge the Complaint
The OAIC follows a structured, staged process. Understanding each stage helps you set realistic expectations.
Stage 1: Assessment and Acknowledgement
Within 7–14 days you should receive written acknowledgement. An assessor reviews jurisdiction — confirming the respondent is covered by the Privacy Act and that you complained to them first. If jurisdiction is missing, the OAIC may decline or refer you to another regulator (such as a state privacy commissioner or the Australian Financial Complaints Authority).
Stage 2: Early Resolution / Conciliation
The Commissioner strongly prefers to resolve complaints informally. An OAIC officer will contact the organisation, share your concerns, and try to broker a resolution. This may involve an apology, correction of records, deletion of data, staff training commitments, or a monetary payment.
Stage 3: Formal Investigation
If conciliation fails, the Commissioner may open a formal investigation under section 40 of the Privacy Act. Investigators can compel documents, interview witnesses, and produce a determination.
Stage 4: Determination and Remedies
A section 52 determination can order the entity to stop the conduct, redress the loss, and pay compensation. Determinations are enforceable in the Federal Court.
OAIC Complaint Timelines at a Glance
| Stage | Typical Timeframe | Who Acts |
|---|---|---|
| Complain to the organisation | Wait up to 30 days | You & the entity |
| Lodge complaint with OAIC | Same day (online) | You |
| Acknowledgement | 7–14 days | OAIC |
| Early resolution/conciliation | 3–9 months | OAIC + entity |
| Formal investigation | 6–18 months | OAIC |
| Determination | Additional 3–6 months | Commissioner |
The Notifiable Data Breaches Scheme
If you were caught in a large-scale breach — think Optus, Medibank, or Latitude Financial — the organisation is required under the NDB scheme to notify both you and the OAIC when an "eligible data breach" is likely to result in serious harm.
Your Rights When You Receive a Breach Notice
- Request full detail of what personal information was exposed.
- Ask what remediation the organisation is offering (credit monitoring, identity restoration, document replacement).
- Change passwords, enable multi-factor authentication, and place a credit ban with Equifax, Experian, and illion.
- If you're unhappy with the response, complain to the entity, then to the OAIC.
Protecting Yourself After a Breach
Reducing your digital footprint helps limit damage from future incidents. Practical steps include using unique passwords with a manager, enabling passkeys where offered, switching to encrypted DNS resolvers, and being cautious about the links you click in unsolicited SMS or email. Tools such as Lunyb let you shorten and share links without exposing tracking parameters, which is useful when you don't want to leak referrer or campaign data. For a broader look at safe link-handling tools, see our 2026 buyer's guide to URL shorteners.
Remedies the OAIC Can Order
The Privacy Act gives the Commissioner meaningful remedial powers. A determination can require the respondent to:
- Stop the offending conduct.
- Perform a specific act — such as issuing a public apology or amending records.
- Pay compensation for economic loss, including out-of-pocket expenses.
- Pay compensation for non-economic loss such as humiliation, injury to feelings, or aggravated damages. Recent determinations have ranged from $3,000 for minor distress to well over $20,000 for serious breaches.
- Undertake remedial steps like staff training, policy overhauls, or independent audits.
Civil Penalties for Serious Breaches
Following the 2022 amendments, penalties for serious or repeated interferences with privacy rose sharply. Body corporates can face the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover during the breach period. These penalties are pursued by the Commissioner in the Federal Court, not through your individual complaint — but a strong complaint can trigger a broader investigation.
When the OAIC Might Decline Your Complaint
Section 41 of the Privacy Act lets the Commissioner decline to investigate. Common reasons include:
- You did not complain to the organisation first.
- More than 12 months have passed since you became aware of the act.
- The complaint is frivolous, vexatious, misconceived, or lacks substance.
- The respondent is not covered by the Privacy Act (e.g. most small businesses under $3 million turnover, individuals acting personally, or state government agencies).
- Another body (such as an ombudsman) is better placed to handle it.
If your complaint is declined, you can request internal review or, in limited cases, seek review at the Administrative Review Tribunal.
Tips to Strengthen Your OAIC Complaint
1. Document Everything from Day One
Save emails as PDFs, take dated screenshots, and log phone calls in a diary with times and names. Contemporaneous notes carry far more weight than reconstructions.
2. Quantify the Harm
Attach bank statements showing fraudulent charges, invoices for credit monitoring, or medical certificates for stress-related conditions. Compensation flows more readily where loss is documented.
3. Reference the Right APP
Read the Australian Privacy Principles guidelines on the OAIC website. Framing your complaint around APP 6 (use and disclosure) or APP 11 (security) demonstrates you understand the framework.
4. Be Specific About Your Desired Outcome
"Compensation" is vague. "$4,500 for six months of identity monitoring plus $2,000 for distress" is actionable.
5. Cooperate With Conciliation
Most complaints resolve at conciliation. Being reasonable and responsive dramatically shortens the process.
Other Avenues if the OAIC Isn't the Right Fit
| Body | When to Use |
|---|---|
| State/Territory Privacy Commissioners | Breaches by state agencies (NSW IPC, OVIC in Victoria, etc.) |
| Australian Financial Complaints Authority (AFCA) | Privacy breaches by banks, insurers, or superannuation funds |
| Telecommunications Industry Ombudsman (TIO) | Telco privacy issues involving small consumers or businesses |
| ACMA | Spam and unsolicited marketing complaints |
| eSafety Commissioner | Image-based abuse, cyberbullying, doxxing |
| State Police / ACSC ReportCyber | Criminal identity theft or hacking |
Frequently Asked Questions
How much does it cost to complain to the OAIC?
Nothing. Lodging a privacy complaint with the OAIC is free, and you do not need a lawyer. The Commissioner's officers will guide you through the process, and interpreters are available at no cost.
How long do I have to lodge a complaint?
You should generally lodge within 12 months of becoming aware of the breach. The Commissioner may decline older complaints, though there is discretion for exceptional circumstances such as ongoing harm or newly discovered evidence.
Can I complain anonymously?
You can raise concerns anonymously with the OAIC's enquiries line, which may trigger a broader own-motion investigation. However, a formal complaint seeking a personal remedy generally requires you to identify yourself so the organisation can respond and any compensation can be paid to you.
What compensation can I actually expect?
Amounts vary widely. Minor breaches with limited distress often resolve for an apology and a few thousand dollars. Serious breaches involving sensitive health data, financial loss, or identity theft have attracted determinations of $10,000–$25,000 or more per complainant. Class-style representative complaints for major incidents can lead to larger aggregate outcomes.
Does the OAIC handle complaints against small businesses?
Only in limited cases. Businesses with turnover under $3 million are generally exempt unless they provide a health service, trade in personal information, are a contracted service provider to the Commonwealth, or are related to a larger APP entity. If the small business exemption applies, consider raising the matter with Fair Trading in your state or through the courts as a breach of contract or consumer law.
Can I still sue the organisation directly?
Australia does not currently have a general statutory tort of privacy, though a statutory cause of action for serious invasions of privacy is on the legislative horizon. For now, private legal action typically relies on breach of confidence, negligence, contract, or consumer law. The OAIC pathway remains the most accessible route for most Australians.
Final Thoughts
Filing an OAIC complaint is one of the most powerful tools Australians have to hold organisations accountable for mishandling personal information. The process rewards preparation: complain to the organisation first, document meticulously, quantify your harm, and be specific about the remedy you want. Combine that with sensible personal security hygiene — strong passwords, cautious link handling, and minimising the data you share — and you'll be far better positioned the next time a breach hits the headlines.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
Singapore Online Safety Act 2026: Complete Guide for Businesses and Users
Singapore's Online Safety Act 2026 expands regulator powers over harmful content, scams, and deepfakes. This complete guide breaks down who must comply, what content is regulated, penalties, and practical compliance steps for businesses and users.
UK Online Safety Act: What It Means for Your Privacy in 2026
The UK Online Safety Act reshapes how platforms handle your data, messages and identity. This 2026 guide explains what the law actually requires, where it puts your privacy at risk, and the practical steps UK users can take to stay in control online.
UK Data Protection Act vs GDPR Explained: Key Differences in 2026
The UK Data Protection Act 2018 and GDPR work together to protect personal data, but they aren't identical. This guide explains the key differences, overlaps, and compliance steps every UK business needs to know in 2026.
How Canadian Businesses Should Handle Data Privacy in 2026
Canadian businesses face a rapidly evolving privacy landscape shaped by PIPEDA, Quebec Law 25, and pending federal reforms. This comprehensive 2026 guide covers legal obligations, consent, safeguards, breach reporting, and practical steps to build a privacy-first program.