Privacy Complaint to OAIC (Australia)
PRIVACY COMPLAINT TO THE OFFICE OF THE AUSTRALIAN INFORMATION COMMISSIONER (OAIC)
Made under section 36 of the Privacy Act 1988 (Cth)
COMPLAINANT DETAILS
Name: [Complainant Full Name]
Address: [Complainant Street], [Complainant Suburb] [Complainant State] [Complainant Postcode]
Email: [Complainant Email]
Phone: [Complainant Phone]
RESPONDENT (ORGANISATION OR AGENCY)
Name: [Respondent Name]
Address: [Respondent Address]
ABN/ACN: [Respondent ABN]
Type: [Respondent Type]
NATURE OF THE PRIVACY COMPLAINT
Australian Privacy Principle(s) alleged to have been breached: [APP Breached]
Date or period of incident: [Date of Incident]
Summary of complaint:
[Complaint Summary]
Harm suffered:
[Harm Suffered]
STEPS TAKEN WITH THE ORGANISATION
Have you complained to the organisation directly? [Complained To Organisation]
OUTCOME SOUGHT
[Outcome Sought]
LEGAL BASIS FOR COMPLAINT
This complaint is made under s36 of the Privacy Act 1988 (Cth), which provides that an individual may complain to the Commissioner about an act or practice that may be an interference with the privacy of the individual. An interference with privacy includes any act or practice that breaches the Australian Privacy Principles (APPs) in Schedule 1 to the Act, a registered APP code binding the respondent, a credit reporting provision, a registered CR code, a tax file number rule, or a contracted service provider obligation (s13 Privacy Act 1988 (Cth)).
The respondent's conduct described above constitutes an act or practice that is an interference with my privacy within the meaning of s13 of the Privacy Act 1988 (Cth), specifically a breach of [APP Breached].
DECLARATION
I, [Complainant Full Name], declare that the information contained in this complaint is true and correct to the best of my knowledge and belief, and that I am the individual to whom the personal information the subject of this complaint relates.
Signature:
[Complainant Full Name]
Date: [Complaint Date]
HOW TO LODGE THIS COMPLAINT
This complaint should be lodged with the Office of the Australian Information Commissioner (OAIC): (a) online at www.oaic.gov.au/privacy/privacy-complaints; (b) by email to [email protected]; (c) by post to GPO Box 5218, Sydney NSW 2001; or (d) by fax to (02) 9284 9666. There is no fee for lodging a privacy complaint with the OAIC. Note: The OAIC may attempt conciliation before commencing a formal investigation. The OAIC has the power to make a formal determination under s52 of the Privacy Act 1988 (Cth).
Complainant
________________
Signature
What Is a Privacy Complaint to OAIC (Australia)?
A Privacy Complaint to OAIC in Australia formally puts the other party on notice of a concern or claim and states what is required to resolve it, supporting later action under the Privacy Act 1988 (Cth).
The Privacy Act 1988 (Cth) protects personal information — any information or an opinion about an identified individual, or an individual who is reasonably identifiable. This includes names, addresses, date of birth, financial information, health information, sensitive information (such as racial or ethnic origin, religious beliefs, criminal record, and sexual orientation), and government identifiers such as tax file numbers and Medicare numbers. The 13 Australian Privacy Principles (APPs) in Schedule 1 of the Act set out the rules that APP entities must follow when collecting, using, disclosing, storing, and providing access to personal information.
Common grounds for privacy complaints include: an organisation collecting more personal information than it needs; sharing your personal information with third parties without your consent; using your information for direct marketing when you have not consented; failing to keep your personal information secure (resulting in a data breach); refusing to give you access to your own personal information; refusing to correct inaccurate personal information; disclosing your health information to your employer; or sending your personal information overseas without appropriate safeguards.
Lodging a complaint with the OAIC is free of charge. The OAIC's primary approach is conciliation — it works with both parties to help resolve the complaint without the need for a formal investigation. If conciliation fails or is not appropriate, the Commissioner may investigate the complaint and make a formal determination under s52 of the Act.
The legal framework governing a Privacy Complaint to OAIC in Australia draws on several key statutes and regulatory bodies. Under Australian law, the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs) apply to personal data processed under this agreement. The Australian Consumer Law (Schedule 2, Competition and Consumer Act 2010), enforced by the Australian Competition and Consumer Commission (ACCC), protects consumer rights. Section 127 of the Corporations Act 2001 governs corporate execution. The Fair Work Commission (FWC) adjudicates employment disputes under the Fair Work Act 2009. The Federal Court of Australia and state Supreme Courts have jurisdiction for civil matters. Parties executing a Privacy Complaint to OAIC in Australia should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Privacy Act 1988 (Cth) sets the foundational requirements.
When Do You Need a Privacy Complaint to OAIC (Australia)?
A privacy complaint to the OAIC is needed when you believe an organisation has mishandled your personal information and has either failed to resolve your complaint directly or is unlikely to do so. There are many situations that may give rise to a valid privacy complaint under the Privacy Act 1988 (Cth).
Data breaches are an increasingly common reason for privacy complaints. If your personal information has been exposed in a cyber attack, a misdirected email, an accidental publication, or an employee's misuse of records, and the organisation failed to notify you or has not adequately responded, you may have grounds to complain. Under the Notifiable Data Breaches scheme (Part IIIC Privacy Act 1988 (Cth)), organisations are required to notify affected individuals and the OAIC of eligible data breaches.
Unauthorised disclosure of health information is a common and serious privacy complaint. If a health service provider, insurer, or government agency has shared your medical records, diagnoses, or treatment information with your employer, family members, insurance companies, or other parties without your consent, this may breach APP 6 (use or disclosure) and APP 3 (collection).
Denial of access to personal information is another basis for complaint. Under APP 12, you have the right to request access to the personal information an organisation holds about you. If an organisation refuses to provide access without a valid reason, or charges an unreasonable fee, you can complain to the OAIC.
Direct marketing complaints arise when an organisation contacts you for marketing purposes in circumstances where you did not consent or where you have previously opted out. APP 7 provides specific protections against unsolicited direct marketing using personal information.
Unwanted use of sensitive information — including racial or ethnic origin, political opinions, religious beliefs, health information, genetic information, sexual orientation, and criminal record — is subject to stricter protections under APP 3 and APP 6. Collecting or disclosing sensitive information without consent is a serious breach.
What to Include in Your Privacy Complaint to OAIC (Australia)
A valid privacy complaint to the OAIC under s36 of the Privacy Act 1988 (Cth) must contain several key elements to enable the OAIC to assess and investigate the complaint.
The complainant's identity and contact details are required. The complaint must be made in the complainant's own name — anonymous complaints cannot be investigated by the OAIC. You must provide your full name, address, email, and phone number so the OAIC can contact you.
The respondent must be clearly identified. The complaint must identify the organisation or agency against which the complaint is made. Include the full legal name, ABN or ACN (if known), and address. Confirming that the respondent is covered by the Privacy Act 1988 (Cth) — as an APP entity — is important, as small businesses under $3 million turnover are generally exempt.
The Australian Privacy Principle(s) alleged to have been breached must be identified. This helps the OAIC assess whether the conduct complained of falls within the Act. Common breached APPs include APP 6 (unauthorised disclosure), APP 11 (data breach), APP 12 (denial of access), and APP 13 (refusal to correct).
A detailed factual summary of the complaint must be provided. Describe what the organisation did or failed to do, when it occurred, what personal information was involved, and how you became aware of the breach. Include specific dates, names, and reference numbers where possible. The summary should be factual and objective.
Harm suffered should be described. The OAIC considers the seriousness of the complaint and the harm caused to the individual. Relevant harm includes financial loss, reputational damage, emotional distress, loss of employment, relationship damage, and physical safety risks.
Evidence of complaint to the organisation must be provided. You must generally have first complained to the organisation and given it a reasonable opportunity to respond before the OAIC can investigate (s40(1A) Privacy Act 1988 (Cth)). Include the date and method of your complaint and the organisation's response (or failure to respond).
The outcome sought should be stated clearly. This helps the OAIC support conciliation and, if necessary, make a formal determination under s52 of the Act.
Additional compliance elements for a Privacy Complaint to OAIC used in Australia include the following. Under Australian law, the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs) apply to personal data processed under this agreement. The Australian Consumer Law (Schedule 2, Competition and Consumer Act 2010), enforced by the Australian Competition and Consumer Commission (ACCC), protects consumer rights. Section 127 of the Corporations Act 2001 governs corporate execution. The Fair Work Commission (FWC) adjudicates employment disputes under the Fair Work Act 2009. The Federal Court of Australia and state Supreme Courts have jurisdiction for civil matters. Forms-legal.com provides this template as a starting point for Australia-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Privacy Complaint to OAIC (Australia) (Australia) [Legal document template]. Forms Legal. https://forms-legal.com/australia/government/court-forms/privacy-complaint-oaic-australia
Frequently Asked Questions
The Privacy Act 1988 (Cth) is the primary federal privacy law in Australia. It regulates how organisations and government agencies collect, use, disclose, store, and provide access to personal information. The Act applies to: all Australian Government agencies (including Centrelink, the ATO, Medicare, and the Department of Home Affairs); all private sector organisations with an annual turnover of more than $3 million; all private health service providers (regardless of size); credit reporting bodies and credit providers; contractors and service providers that handle personal information for Commonwealth agencies; political parties; and organisations that trade in personal information. Small businesses with a turnover of $3 million or less are generally exempt, with some exceptions. The 13 Australian Privacy Principles (APPs) in Schedule 1 to the Act set out the specific rules that APP entities must follow in handling personal information. Breaches of the APPs can be investigated by the Office of the Australian Information Commissioner (OAIC).
The 13 Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act 1988 (Cth) cover: APP 1 (open and transparent management of personal information — requirement for a privacy policy); APP 2 (anonymity and pseudonymity — right to use a pseudonym where practicable); APP 3 (collection of solicited personal information — only collect information that is reasonably necessary); APP 4 (dealing with unsolicited personal information — destroy or de-identify unsolicited information); APP 5 (notification of collection — tell individuals what information is collected and why); APP 6 (use or disclosure of personal information — only use or disclose for the purpose for which it was collected, or with consent); APP 7 (direct marketing — right to opt out, no sensitive information for direct marketing without consent); APP 8 (cross-border disclosure — accountability for overseas recipients); APP 9 (government-related identifiers — restrictions on use of identifiers like TFNs and Medicare numbers); APP 10 (quality of personal information — ensure information is accurate, up-to-date, and complete); APP 11 (security of personal information — reasonable steps to protect from misuse, interference, and loss); APP 12 (access to personal information — right to request access); APP 13 (correction of personal information — right to request correction). The most common complaints relate to APPs 3 (unauthorised collection), 6 (unauthorised disclosure), 11 (data breach), 12 (denial of access), and 13 (refusal to correct).
Yes, in most cases. Under s40(1A) of the Privacy Act 1988 (Cth), the Information Commissioner must not investigate a privacy complaint unless the complainant has first complained to the respondent organisation and given it a reasonable opportunity to deal with the complaint. This means you should write to or contact the organisation's privacy officer, describe the privacy breach, and give the organisation an opportunity to resolve the complaint. What constitutes a 'reasonable opportunity' depends on the circumstances, but the OAIC generally expects complainants to have waited at least 30 days after complaining to the organisation before approaching the OAIC. If the organisation has not responded within 30 days, or has refused to resolve the complaint, or the complainant has reasonable grounds to believe the organisation will not deal with the complaint within a reasonable time, the OAIC may accept the complaint directly. Some exceptions apply, for example where it would be unreasonable in all the circumstances to require the complainant to complain to the organisation first (s40(1B)).
The OAIC has a range of powers available if it finds that an organisation has interfered with an individual's privacy under s13 of the Privacy Act 1988 (Cth). Where the complaint proceeds to a formal determination under s52, the Commissioner may order the respondent to: perform any reasonable act or course of conduct to redress the loss or damage suffered (s52(1)(b)(i)); refrain from engaging in specified conduct (s52(1)(b)(ii)); pay compensation for loss or damage, including loss of income, expenses reasonably incurred, and non-economic loss (s52(1)(b)(iii)); and publish a notice setting out the Commissioner's findings (s52(1)(b)(iv)). There is no statutory cap on the amount of compensation that can be awarded for non-economic loss in a formal determination. However, the OAIC's primary approach is conciliation — it will attempt to assist the parties to reach a negotiated resolution before proceeding to a formal determination. In conciliation, outcomes can include apologies, changes to privacy practices, deletion of information, and ex gratia payments. The OAIC can also refer serious breaches to the Federal Court.
The Notifiable Data Breaches (NDB) scheme, established by Part IIIC of the Privacy Act 1988 (Cth), requires APP entities to notify both the OAIC and affected individuals of eligible data breaches. An eligible data breach occurs when: there is unauthorised access to, or disclosure of, personal information held by an entity (or information is lost in circumstances where such access or disclosure is likely); and a reasonable person would conclude that the access or disclosure is likely to result in serious harm to any of the individuals whose information is involved. The NDB scheme applies to all entities covered by the Privacy Act 1988 (Cth). When an eligible data breach occurs, the entity must notify affected individuals 'as soon as practicable' and provide a statement to the OAIC. If you believe your personal information was involved in a data breach and you were not notified, you may complain to the OAIC that the entity failed to comply with Part IIIC of the Act. The Privacy Act 1988 (Cth) was amended in 2022 to increase penalties for serious or repeated breaches of the NDB scheme to $50 million or more.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.