What is the Privacy Act 1988 (Cth) and who does it apply to?

The Privacy Act 1988 (Cth) is the primary federal privacy law in Australia. It regulates how organisations and government agencies collect, use, disclose, store, and provide access to personal information. The Act applies to: all Australian Government agencies (including Centrelink, the ATO, Medicare, and the Department of Home Affairs); all private sector organisations with an annual turnover of more than $3 million; all private health service providers (regardless of size); credit reporting bodies and credit providers; contractors and service providers that handle personal information for Commonwealth agencies; political parties; and organisations that trade in personal information. Small businesses with a turnover of $3 million or less are generally exempt, with some exceptions. The 13 Australian Privacy Principles (APPs) in Schedule 1 to the Act set out the specific rules that APP entities must follow in handling personal information. Breaches of the APPs can be investigated by the Office of the Australian Information Commissioner (OAIC).

What are the 13 Australian Privacy Principles (APPs) and which one applies to my situation?

The 13 Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act 1988 (Cth) cover: APP 1 (open and transparent management of personal information — requirement for a privacy policy); APP 2 (anonymity and pseudonymity — right to use a pseudonym where practicable); APP 3 (collection of solicited personal information — only collect information that is reasonably necessary); APP 4 (dealing with unsolicited personal information — destroy or de-identify unsolicited information); APP 5 (notification of collection — tell individuals what information is collected and why); APP 6 (use or disclosure of personal information — only use or disclose for the purpose for which it was collected, or with consent); APP 7 (direct marketing — right to opt out, no sensitive information for direct marketing without consent); APP 8 (cross-border disclosure — accountability for overseas recipients); APP 9 (government-related identifiers — restrictions on use of identifiers like TFNs and Medicare numbers); APP 10 (quality of personal information — ensure information is accurate, up-to-date, and complete); APP 11 (security of personal information — reasonable steps to protect from misuse, interference, and loss); APP 12 (access to personal information — right to request access); APP 13 (correction of personal information — right to request correction). The most common complaints relate to APPs 3 (unauthorised collection), 6 (unauthorised disclosure), 11 (data breach), 12 (denial of access), and 13 (refusal to correct).

Do I need to complain to the organisation before I can go to the OAIC?

Yes, in most cases. Under s40(1A) of the Privacy Act 1988 (Cth), the Information Commissioner must not investigate a privacy complaint unless the complainant has first complained to the respondent organisation and given it a reasonable opportunity to deal with the complaint. This means you should write to or contact the organisation's privacy officer, describe the privacy breach, and give the organisation an opportunity to resolve the complaint. What constitutes a 'reasonable opportunity' depends on the circumstances, but the OAIC generally expects complainants to have waited at least 30 days after complaining to the organisation before approaching the OAIC. If the organisation has not responded within 30 days, or has refused to resolve the complaint, or the complainant has reasonable grounds to believe the organisation will not deal with the complaint within a reasonable time, the OAIC may accept the complaint directly. Some exceptions apply, for example where it would be unreasonable in all the circumstances to require the complainant to complain to the organisation first (s40(1B)).

What remedies can the OAIC order in a successful privacy complaint?

The OAIC has a range of powers available if it finds that an organisation has interfered with an individual's privacy under s13 of the Privacy Act 1988 (Cth). Where the complaint proceeds to a formal determination under s52, the Commissioner may order the respondent to: perform any reasonable act or course of conduct to redress the loss or damage suffered (s52(1)(b)(i)); refrain from engaging in specified conduct (s52(1)(b)(ii)); pay compensation for loss or damage, including loss of income, expenses reasonably incurred, and non-economic loss (s52(1)(b)(iii)); and publish a notice setting out the Commissioner's findings (s52(1)(b)(iv)). There is no statutory cap on the amount of compensation that can be awarded for non-economic loss in a formal determination. However, the OAIC's primary approach is conciliation — it will attempt to assist the parties to reach a negotiated resolution before proceeding to a formal determination. In conciliation, outcomes can include apologies, changes to privacy practices, deletion of information, and ex gratia payments. The OAIC can also refer serious breaches to the Federal Court.

What is a 'notifiable data breach' and do I have a right to be informed?

The Notifiable Data Breaches (NDB) scheme, established by Part IIIC of the Privacy Act 1988 (Cth), requires APP entities to notify both the OAIC and affected individuals of eligible data breaches. An eligible data breach occurs when: there is unauthorised access to, or disclosure of, personal information held by an entity (or information is lost in circumstances where such access or disclosure is likely); and a reasonable person would conclude that the access or disclosure is likely to result in serious harm to any of the individuals whose information is involved. The NDB scheme applies to all entities covered by the Privacy Act 1988 (Cth). When an eligible data breach occurs, the entity must notify affected individuals 'as soon as practicable' and provide a statement to the OAIC. If you believe your personal information was involved in a data breach and you were not notified, you may complain to the OAIC that the entity failed to comply with Part IIIC of the Act. The Privacy Act 1988 (Cth) was amended in 2022 to increase penalties for serious or repeated breaches of the NDB scheme to $50 million or more.

Privacy Complaint to OAIC (Australia) — Australia

Lodge a formal privacy complaint with the Office of the Australian Information Commissioner (OAIC) under section 36 of the Privacy Act 1988 (Cth). Covers all 13 Australian Privacy Principles (APPs) including unauthorised collection, use, and disclosure of personal information, data breaches, denial of access or correction, direct marketing, cross-border data transfers, and failure to maintain data security. Suitable for complaints against Commonwealth agencies, large private sector organisations, health service providers, credit reporting bodies, and other APP entities.

What Is a Privacy Complaint to OAIC (Australia)?

A privacy complaint to the Office of the Australian Information Commissioner (OAIC) is a formal legal complaint lodged under s36 of the Privacy Act 1988 (Cth) when an individual believes that an Australian Government agency, private sector organisation, or other APP entity has interfered with their privacy by breaching the Australian Privacy Principles (APPs). The OAIC is the independent regulatory body responsible for administering the Privacy Act 1988 (Cth) and investigating privacy complaints at the Commonwealth level.

The Privacy Act 1988 (Cth) protects personal information — any information or an opinion about an identified individual, or an individual who is reasonably identifiable. This includes names, addresses, date of birth, financial information, health information, sensitive information (such as racial or ethnic origin, religious beliefs, criminal record, and sexual orientation), and government identifiers such as tax file numbers and Medicare numbers. The 13 Australian Privacy Principles (APPs) in Schedule 1 of the Act set out the rules that APP entities must follow when collecting, using, disclosing, storing, and providing access to personal information.

Common grounds for privacy complaints include: an organisation collecting more personal information than it needs; sharing your personal information with third parties without your consent; using your information for direct marketing when you have not consented; failing to keep your personal information secure (resulting in a data breach); refusing to give you access to your own personal information; refusing to correct inaccurate personal information; disclosing your health information to your employer; or sending your personal information overseas without appropriate safeguards.

Lodging a complaint with the OAIC is free of charge. The OAIC's primary approach is conciliation — it works with both parties to help resolve the complaint without the need for a formal investigation. If conciliation fails or is not appropriate, the Commissioner may investigate the complaint and make a formal determination under s52 of the Act.

When Do You Need a Privacy Complaint to OAIC (Australia)?

A privacy complaint to the OAIC is needed when you believe an organisation has mishandled your personal information and has either failed to resolve your complaint directly or is unlikely to do so. There are many situations that may give rise to a valid privacy complaint under the Privacy Act 1988 (Cth).

Data breaches are an increasingly common reason for privacy complaints. If your personal information has been exposed in a cyber attack, a misdirected email, an accidental publication, or an employee's misuse of records, and the organisation failed to notify you or has not adequately responded, you may have grounds to complain. Under the Notifiable Data Breaches scheme (Part IIIC Privacy Act 1988 (Cth)), organisations are required to notify affected individuals and the OAIC of eligible data breaches.

Unauthorised disclosure of health information is a common and serious privacy complaint. If a health service provider, insurer, or government agency has shared your medical records, diagnoses, or treatment information with your employer, family members, insurance companies, or other parties without your consent, this may breach APP 6 (use or disclosure) and APP 3 (collection).

Denial of access to personal information is another basis for complaint. Under APP 12, you have the right to request access to the personal information an organisation holds about you. If an organisation refuses to provide access without a valid reason, or charges an unreasonable fee, you can complain to the OAIC.

Direct marketing complaints arise when an organisation contacts you for marketing purposes in circumstances where you did not consent or where you have previously opted out. APP 7 provides specific protections against unsolicited direct marketing using personal information.

Unwanted use of sensitive information — including racial or ethnic origin, political opinions, religious beliefs, health information, genetic information, sexual orientation, and criminal record — is subject to stricter protections under APP 3 and APP 6. Collecting or disclosing sensitive information without consent is a serious breach.

What to Include in Your Privacy Complaint to OAIC (Australia)

A valid privacy complaint to the OAIC under s36 of the Privacy Act 1988 (Cth) must contain several key elements to enable the OAIC to assess and investigate the complaint.

The complainant's identity and contact details are required. The complaint must be made in the complainant's own name — anonymous complaints cannot be investigated by the OAIC. You must provide your full name, address, email, and phone number so the OAIC can contact you.

The respondent must be clearly identified. The complaint must identify the organisation or agency against which the complaint is made. Include the full legal name, ABN or ACN (if known), and address. Confirming that the respondent is covered by the Privacy Act 1988 (Cth) — as an APP entity — is important, as small businesses under $3 million turnover are generally exempt.

The Australian Privacy Principle(s) alleged to have been breached must be identified. This helps the OAIC assess whether the conduct complained of falls within the Act. Common breached APPs include APP 6 (unauthorised disclosure), APP 11 (data breach), APP 12 (denial of access), and APP 13 (refusal to correct).

A detailed factual summary of the complaint must be provided. Describe what the organisation did or failed to do, when it occurred, what personal information was involved, and how you became aware of the breach. Include specific dates, names, and reference numbers where possible. The summary should be factual and objective.

Harm suffered should be described. The OAIC considers the seriousness of the complaint and the harm caused to the individual. Relevant harm includes financial loss, reputational damage, emotional distress, loss of employment, relationship damage, and physical safety risks.

Evidence of complaint to the organisation must be provided. You must generally have first complained to the organisation and given it a reasonable opportunity to respond before the OAIC can investigate (s40(1A) Privacy Act 1988 (Cth)). Include the date and method of your complaint and the organisation's response (or failure to respond).

The outcome sought should be stated clearly. This helps the OAIC facilitate conciliation and, if necessary, make a formal determination under s52 of the Act.

What Is a Privacy Complaint to OAIC (Australia)?

When Do You Need a Privacy Complaint to OAIC (Australia)?

What to Include in Your Privacy Complaint to OAIC (Australia)

Frequently Asked Questions

Related Documents

Freedom of Information Request (Australia)

Statutory Declaration (Australia)

Cease and Desist Letter (Australia)

Letter of Demand (Australia)