# How to File an OAIC Complaint About a Privacy Breach (Step by Step)
Someone mishandled your personal information. Maybe a medical practice emailed your records to the wrong person. Maybe a company disclosed your data without consent. Maybe you found out your information was part of a breach and the organisation hasn't told you what happened.
You want to do something about it. Here's exactly how.
## Before You Complain to the OAIC
This is the step most people skip, and it will get your complaint bounced.
You must complain to the organisation first. The OAIC generally will not investigate a complaint unless you've first raised it directly with the organisation that you believe breached your privacy, and either:
- They haven't responded within **30 days**, or
- They responded but you're not satisfied with their response
This isn't optional. Section 40(1A) of the Privacy Act 1988 requires that a complainant must have first complained to the respondent, unless the Commissioner considers it was not appropriate to do so.
### How to Complain to the Organisation
Write to them. Email is fine. Include:
1. What happened. Be factual and specific. "On [date], [organisation] emailed my medical records to [wrong person / disclosed my information to / failed to protect my data by...]."
2. What information was involved. Health records, financial details, contact information, etc.
3. What you want them to do. Apology, explanation, steps taken to prevent recurrence, compensation, or a combination.
4. A reasonable timeframe. State you expect a response within 30 days, and will escalate to the OAIC if unresolved.
Keep a copy of everything. You'll need it.
If 30 days pass without a substantive response, you've met the threshold -- proceed to the OAIC. If they respond with a form letter or "we take privacy seriously" non-answer, you can also proceed. Include their response with your complaint.
## Filing Your OAIC Complaint
### Step 1: Confirm the Organisation Is Covered
The Privacy Act applies to:
- Australian Government agencies
- Private sector organisations with an annual turnover of more than $3 million
- All private health service providers (regardless of turnover)
- Some small businesses that trade in personal information, are related to a larger organisation, or have opted in
Health service providers are covered regardless of size. A solo GP operating as a sole trader with $200,000 in revenue is still subject to the Privacy Act. This is a specific carve-out -- the small business exemption does not apply to health services.
If you're unsure whether an organisation is covered, the OAIC's website has guidance on this.
### Step 2: Gather Your Documentation
Before you start the complaint form, assemble:
- **Your complaint to the organisation** and **their response** (if any)
- **Evidence of the breach** -- screenshots, data breach notifications, correspondence showing disclosure
- **Timeline** -- when it occurred, when you became aware, when you complained, when they responded
- **Impact** -- emotional distress, financial loss, time spent, risk of future harm
### Step 3: Submit the Complaint
Go to oaic.gov.au and navigate to the privacy complaint page. The OAIC accepts complaints through:
- **Online form** (recommended). Available on the OAIC website. It walks you through the required information step by step.
- **Email** to enquiries@oaic.gov.au
- **Post** to Office of the Australian Information Commissioner, GPO Box 5218, Sydney NSW 2001
- **Phone** for initial enquiries: 1300 363 992
The online form is the most efficient path. It ensures you provide the information the OAIC needs to assess your complaint without back-and-forth.
### Step 4: What to Include in the Complaint
The form asks for:
1. Your details. Name, contact info. Generally the organisation will be told who complained.
2. The respondent organisation. Name, address, reference numbers.
3. What happened. A factual description: what occurred, when, and what information was involved. Save the editorialising.
4. Which APP was breached. You don't have to identify this -- the OAIC will assess -- but it helps. Common ones: APP 6 (unauthorised use/disclosure), APP 11 (failure to protect), APP 12 (failure to provide access).
5. Evidence you complained first and their response (or lack thereof).
6. Desired outcome. Be specific: apology, policy changes, access to information, compensation.
## What Happens After You File
### Assessment
The OAIC will assess whether your complaint is within jurisdiction and whether it warrants investigation. Not every complaint proceeds to a full investigation. The OAIC may:
- **Decline the complaint** if it's outside jurisdiction, frivolous, or if the OAIC considers the organisation has already dealt with it adequately.
- **Refer the complaint** to an alternative dispute resolution process.
- **Commence an investigation** if the matter is serious or raises systemic issues.
You'll be notified of the outcome of the assessment.
### Conciliation
If the complaint proceeds, the OAIC typically attempts conciliation first. This is an informal process where the OAIC facilitates a resolution between you and the organisation. Many complaints are resolved at this stage.
Conciliated outcomes can include:
- An apology
- A commitment to change practices or policies
- Compensation for loss or damage
- Access to personal information
- Correction of personal information
### Investigation
If conciliation fails or the matter is sufficiently serious, the OAIC may conduct a formal investigation. This involves gathering evidence from both parties, potentially interviewing witnesses, and analysing the organisation's privacy practices.
### Determination
At the end of an investigation, the Commissioner can make a determination that includes:
- A declaration that the organisation breached the Privacy Act
- An order to compensate the complainant for loss or damage
- An order to take specified steps (e.g., implement security measures, change policies)
- An order to publish a notice about the breach
Determinations are enforceable through the Federal Court or Federal Circuit and Family Court.
## Timelines
This is where expectations need to be managed.
The OAIC's published service standards indicate that most complaints are assessed within 60 days of receipt. However, complex matters take longer.
From lodgement to resolution, typical timelines are:
- **Simple complaints resolved at conciliation:** 3-6 months
- **Complaints requiring investigation:** 6-12 months
- **Complex or systemic investigations:** 12 months or longer
The OAIC has publicly acknowledged that its complaint handling timelines have been affected by high volumes, particularly following major data breaches that generate large numbers of individual complaints.
If your complaint involves a clear, documented breach with straightforward evidence, it's likely to be resolved faster. If it involves complex factual questions or systemic issues, prepare for a longer process.
## What You Can't Get
A few things the OAIC process does not provide:
- **Punitive damages.** Compensation is for actual loss or damage suffered, not punishment. If you want the organisation to face financial penalties, that's a separate enforcement action that the OAIC initiates at its discretion.
- **Criminal prosecution.** Privacy breaches under the Privacy Act are civil matters. There are separate criminal offences for some specific conduct (e.g., re-identification of de-identified data), but the OAIC complaint process is civil.
- **Guaranteed investigation.** The OAIC exercises discretion in which complaints to investigate. Lodging a complaint does not guarantee it will proceed to investigation.
## Protecting Yourself Going Forward
Filing a complaint is reactive. The breach already happened. If it involved insecure transmission -- a practice emailing your records without encryption -- ask what they've changed. If the answer doesn't include end-to-end encryption, the same breach can happen again. Flag systemic issues in your OAIC complaint -- the OAIC is more likely to investigate matters that reveal systemic failures.
## Key Contacts
Verify current details at oaic.gov.au, as contact information may change.
- **OAIC enquiries line:** 1300 363 992
- **OAIC website:** [oaic.gov.au](https://www.oaic.gov.au)
- **Online complaint form:** Available via the OAIC website under "Privacy" > "Make a privacy complaint"
- **OAIC postal address:** GPO Box 5218, Sydney NSW 2001
---
ObsidianVault helps organisations avoid being the subject of these complaints. Zero-knowledge encrypted file transfer, built for compliance with Australian privacy law. Learn more at obsidianvault.vip