Privacy & Data · Australia

How to Make a Privacy Complaint to the OAIC

If an Australian company shares your personal data without consent, ignores your requests to be removed from their database, or suffers a data breach that exposes your information, you don't need to fund a class action to get a real response. The Privacy Act 1988 and its 13 Australian Privacy Principles (APPs) give you a free, formal complaint pathway through the Office of the Australian Information Commissioner (OAIC).

Who this applies to

The OAIC's jurisdiction generally covers organisations with an annual turnover above $3 million, plus certain entities regardless of size — private health service providers, credit reporting bodies, and most government agencies. Many small businesses under that threshold fall outside the Privacy Act entirely, which is a real gap worth knowing about upfront.

You have to try the company first

The law requires you to complain in writing directly to the organisation first, giving them a reasonable opportunity to respond — generally 30 days. Only if they ignore you or their response is unsatisfactory does the door open to the OAIC.

Framing your complaint

Write a clear timeline of events. Identify which specific APP was breached — for example, APP 6 (use or disclosure of personal information) or APP 11 (security of personal information). Attach your original complaint to the company and their response, or evidence that 30 days passed with no reply.

What the OAIC can actually do

The OAIC generally tries conciliation first — many complaints resolve with an apology, a correction, or compensation. If that fails, the Commissioner can formally investigate and issue a binding determination requiring the organisation to change its practices and pay compensation for financial or emotional harm. These determinations are enforceable in the Federal Court.