
OAIC Complaints: How to Report a Privacy Breach in Australia (2026 Guide)

Lunyb Security Team
10 min read

If your personal information has been mishandled, leaked, or misused by an Australian organisation, you have the right to complain to the Office of the Australian Information Commissioner (OAIC). The OAIC is the independent regulator responsible for enforcing the Privacy Act 1988 and the Australian Privacy Principles (APPs). This guide walks you through exactly how to report a privacy breach, what happens after you lodge a complaint, and how to maximise your chances of a successful outcome.

What Is the OAIC and What Does It Do?

The Office of the Australian Information Commissioner (OAIC) is Australia's national privacy and freedom of information regulator. It investigates privacy complaints, oversees mandatory data breach notifications, and enforces compliance with the Privacy Act 1988.

The OAIC has the authority to:

  • Investigate complaints from individuals about privacy breaches
  • Conduct own-motion investigations into systemic issues
  • Issue determinations requiring organisations to pay compensation or change practices
  • Apply to the Federal Court for civil penalties of up to AUD $50 million for serious or repeated interferences with privacy
  • Receive and assess Notifiable Data Breach (NDB) notifications

What Counts as a Privacy Breach Under Australian Law?

A privacy breach occurs when an organisation covered by the Privacy Act mishandles your personal information in a way that contravenes the Australian Privacy Principles. Personal information includes any information that can identify you — your name, address, phone number, email, financial details, health data, biometric data, or even your IP address in some contexts.

Common Examples of Reportable Privacy Breaches

  • Unauthorised disclosure: An organisation shares your information with a third party without consent
  • Data security failures: A hack or leak exposes your details (think Optus, Medibank, or Latitude Financial breaches)
  • Collection without consent: A company gathers sensitive information you never agreed to provide
  • Refusal to provide access: An organisation won't give you a copy of the personal information they hold about you
  • Refusal to correct: They won't fix inaccurate data even after you request it
  • Direct marketing without opt-out: You can't unsubscribe from marketing communications
  • Misuse of government identifiers: Your tax file number or Medicare number is used inappropriately

Who Can Lodge an OAIC Complaint?

Any individual whose personal information has been mishandled by a covered entity can lodge a complaint. You don't need to be an Australian citizen or resident — what matters is whether the organisation falls under the Privacy Act's jurisdiction.

Which Organisations Are Covered?

Covered | Generally Not Covered
Australian Government agencies | State and territory government agencies (with exceptions)
Private sector organisations with annual turnover over $3 million | Most small businesses under $3 million turnover
All health service providers (regardless of size) | Registered political parties
Credit reporting bodies and credit providers | Media organisations (in journalism context)
Businesses that trade in personal information | Employee records (in many cases)
TFN recipients and contracted service providers | Individuals acting in a personal capacity

Note: The 2024–2026 Privacy Act reforms are progressively narrowing the small business exemption, so more organisations are becoming subject to OAIC oversight each year.

Step 1: Complain Directly to the Organisation First

Before the OAIC will accept your complaint, you generally need to give the organisation a chance to fix the problem. This is mandatory under section 40(1A) of the Privacy Act in most cases.

How to Lodge an Internal Complaint

  1. Find their privacy contact. Look for a Privacy Officer or Data Protection Officer on the company's website or in their privacy policy.
  2. Put it in writing. Email is best because it creates a timestamped record. Clearly state what happened, what APP you believe was breached, and what outcome you want.
  3. Be specific. Include dates, account numbers, names of staff you spoke with, and copies of any relevant communications.
  4. Wait 30 days. The organisation has a reasonable time — typically 30 days — to respond. If they ignore you or their response is unsatisfactory, you can escalate to the OAIC.

Step 2: Lodge Your Complaint with the OAIC

If the organisation fails to respond within 30 days or their resolution is inadequate, you can lodge a formal complaint with the OAIC. There's no fee, and you can do it yourself without a lawyer.

How to Submit Your OAIC Complaint

  1. Visit oaic.gov.au and navigate to the "Privacy complaints" section.
  2. Choose your submission method:
    • Online complaint form (fastest)
    • Post to GPO Box 5288, Sydney NSW 2001
    • Email to enquiries@oaic.gov.au
    • Phone 1300 363 992 for assistance
  3. Provide the required details:
    • Your full name and contact information
    • The respondent organisation's name and contact details
    • A description of what happened, in chronological order
    • Which APPs you believe were breached
    • What you've already done to resolve the issue
    • The outcome you're seeking (apology, correction, compensation, change in practices)
  4. Attach supporting evidence (more on this below).
  5. Submit and wait for acknowledgement — usually within 10 business days.

What Evidence Should You Include?

Strong evidence is the difference between a successful complaint and a dismissed one. The OAIC operates on the balance of probabilities, so the more documentation you have, the better.

  • Correspondence: All emails, letters, and chat transcripts with the organisation
  • Screenshots: Web pages showing the breach (e.g., your data exposed publicly)
  • Notification letters: If the organisation informed you of a data breach under the NDB scheme
  • Account records: Statements, invoices, or membership details proving your relationship with the organisation
  • Witness statements: If applicable
  • Evidence of harm: Bank statements showing fraudulent transactions, medical records for stress-related issues, or quotes for credit monitoring services
  • Internal complaint trail: Proof you complained to the organisation first and how they responded

Step 3: What Happens After You Lodge

The OAIC's complaint handling process is designed to be conciliatory rather than adversarial. Most complaints are resolved through negotiation rather than formal determinations.

The OAIC Process Timeline

Stage | Typical Timeframe | What Happens
Acknowledgement | 1–2 weeks | OAIC confirms receipt and assigns a case officer
Preliminary assessment | 4–8 weeks | OAIC decides whether to investigate
Investigation | 3–12 months | Evidence gathered from both sides
Conciliation | Ongoing during investigation | Mediated discussion to reach a resolution
Determination (if needed) | 12–18 months total | Formal binding decision by the Commissioner

Possible Outcomes

  • Conciliated settlement: Apology, data correction, account closure, or financial compensation
  • Compensation: Awards typically range from $1,000 to $20,000 for non-economic loss; higher for serious cases involving financial loss
  • Systemic changes: The organisation must update policies, retrain staff, or audit its systems
  • Dismissal: The complaint may be declined if it lacks merit or falls outside OAIC jurisdiction
  • Escalation: Serious cases may lead to civil penalty proceedings in the Federal Court

The Notifiable Data Breach (NDB) Scheme

Since February 2018, organisations covered by the Privacy Act must notify both the OAIC and affected individuals when an "eligible data breach" occurs — one likely to result in serious harm. If you receive an NDB notification, that letter itself is powerful evidence for any subsequent complaint.

Following the major Australian breaches of recent years, penalties for failing to comply with the NDB scheme have increased dramatically. The maximum penalty for serious or repeated interferences with privacy now stands at the greater of AUD $50 million, three times the benefit obtained, or 30% of adjusted turnover.

How Businesses Can Reduce Privacy Breach Risk

If you run a business and want to avoid being on the receiving end of an OAIC complaint, prevention is far cheaper than remediation. Australian regulators have made it clear that "reasonable steps" under APP 11 now means modern, layered security — not just a password and hope.

Practical Steps to Stay Compliant

  • Conduct an annual Privacy Impact Assessment (PIA)
  • Maintain an up-to-date data inventory and retention schedule
  • Use encryption for data at rest and in transit
  • Implement multi-factor authentication on all privileged accounts
  • Train staff on phishing, social engineering, and data handling
  • Use secure tools for sharing links and documents — for example, when sharing campaign or internal URLs publicly, services like Lunyb let you create short links with optional password protection so sensitive destinations aren't exposed by accident. See our guide on how to password protect a short link for details.
  • Generate secure QR codes rather than open redirects for printed materials
  • Have an incident response plan ready before you need it

Comparing Privacy Frameworks Across Jurisdictions

If your organisation operates internationally, understanding how Australia's regime compares helps you build a unified compliance program.

Jurisdiction | Regulator | Maximum Penalty | Mandatory Breach Notification
Australia | OAIC | AUD $50M / 30% turnover | Yes (NDB Scheme)
EU/UK | EDPB / ICO | €20M / 4% turnover | Yes (within 72 hours)
Canada | OPC | CAD $25M (under Bill C-27) | Yes (PIPEDA)
USA (California) | CPPA | USD $7,500 per intentional violation | Yes (CCPA/CPRA)

For Canadian readers, our deep dive on Bill C-27 covers the parallel reforms happening across the Pacific. UK businesses can also review our URL shortener compliance guide for region-specific tooling advice.

Common Mistakes to Avoid When Filing

  1. Skipping the internal complaint: The OAIC will usually return your complaint if you haven't given the organisation a chance to respond.
  2. Waiting too long: Complaints lodged more than 12 months after you became aware of the breach may be declined.
  3. Vague descriptions: "They mishandled my data" isn't enough — explain exactly what happened, when, and how you found out.
  4. Demanding unrealistic compensation: Six-figure demands without supporting evidence reduce credibility.
  5. Filing against the wrong entity: Make sure you've identified the correct legal entity, not just a brand name.
  6. Ignoring jurisdictional limits: The OAIC can't help with state government agencies (other than ACT and Norfolk Island) — those go to state-based commissioners.

Frequently Asked Questions

How long do I have to lodge an OAIC complaint?

You should lodge your complaint within 12 months of becoming aware of the privacy breach. The Information Commissioner has discretion to accept late complaints in exceptional circumstances, but you'll need to explain the delay. The earlier you act, the stronger your case.

Does it cost anything to complain to the OAIC?

No. Lodging a privacy complaint with the OAIC is completely free. You don't need a lawyer, although you can engage one if your case is complex or involves significant financial loss. Community legal centres also offer free advice for privacy matters.

Can I get compensation through an OAIC complaint?

Yes. The Commissioner can award compensation for both financial loss (such as fraudulent transactions resulting from a breach) and non-economic loss (such as humiliation, anxiety, or damage to reputation). Awards for non-economic loss typically range from $1,000 to $20,000, though larger amounts are possible in serious cases like the Medibank or Optus breaches.

What if my small business is exempt — do I have any recourse?

If the organisation is genuinely exempt under the small business exception (turnover under $3 million and not in a regulated sector), the OAIC may not be able to investigate. However, you may still have remedies under Australian Consumer Law, the Privacy Act's APP-equivalent provisions for health providers, or state-based privacy legislation. The Privacy Act reforms progressively rolling out through 2025–2026 are also narrowing this exemption substantially.

Will my identity be kept confidential?

Generally, no — the OAIC will share your complaint with the respondent organisation so they can respond. However, if you have safety concerns or special circumstances, you can request that certain details be withheld. Anonymous complaints are accepted but harder to investigate effectively.

What if I disagree with the OAIC's decision?

If the Commissioner makes a formal determination you disagree with, you can apply to the Administrative Review Tribunal (ART) for review within 28 days. If your complaint was simply declined, you may be able to lodge proceedings directly in the Federal Court or Federal Circuit and Family Court for breach of the Privacy Act.

Final Thoughts

Lodging an OAIC complaint is more accessible than most Australians realise. With clear evidence, a properly documented internal complaint trail, and realistic expectations, individuals regularly secure apologies, corrections, and meaningful compensation. As Australia's privacy regime continues to strengthen — with higher penalties, narrower exemptions, and tougher enforcement — both individuals and businesses need to take the Privacy Act seriously.

Whether you're a consumer pursuing a remedy or a business trying to stay compliant, the principle is the same: treat personal information with the care it deserves, and document everything.
