Privacy Complaint to OAIC (Australia)

A Privacy Complaint to OAIC in Australia is a legally binding written instrument.

The Privacy Act 1988 (Cth) protects personal information — any information or an opinion about an identified individual, or an individual who is reasonably identifiable. This includes names, addresses, date of birth, financial information, health information, sensitive information (such as racial or ethnic origin, religious beliefs, criminal record, and sexual orientation), and government identifiers such as tax file numbers and Medicare numbers. The 13 Australian Privacy Principles (APPs) in Schedule 1 of the Act set out the rules that APP entities must follow when collecting, using, disclosing, storing, and providing access to personal information.

Common grounds for privacy complaints include: an organisation collecting more personal information than it needs; sharing your personal information with third parties without your consent; using your information for direct marketing when you have not consented; failing to keep your personal information secure (resulting in a data breach); refusing to give you access to your own personal information; refusing to correct inaccurate personal information; disclosing your health information to your employer; or sending your personal information overseas without appropriate safeguards.

Lodging a complaint with the OAIC is free of charge. The OAIC's primary approach is conciliation — it works with both parties to help resolve the complaint without the need for a formal investigation. If conciliation fails or is not appropriate, the Commissioner may investigate the complaint and make a formal determination under s52 of the Act.

The legal framework governing the Privacy Complaint to OAIC (Australia) in Australia draws on several key statutes and regulatory bodies. Under Australian law, the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs) apply to personal data processed under this agreement. The Australian Consumer Law (Schedule 2, Competition and Consumer Act 2010), enforced by the Australian Competition and Consumer Commission (ACCC), protects consumer rights. Section 127 of the Corporations Act 2001 governs corporate execution. The Fair Work Commission (FWC) adjudicates employment disputes under the Fair Work Act 2009. The Federal Court of Australia and state Supreme Courts have jurisdiction for civil matters. Parties executing a Privacy Complaint to OAIC (Australia) in Australia should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Freedom of Information Act 1982 (Cth) sets the foundational requirements.

A privacy complaint to the OAIC is needed when you believe an organisation has mishandled your personal information and has either failed to resolve your complaint directly or is unlikely to do so. There are many situations that may give rise to a valid privacy complaint under the Privacy Act 1988 (Cth).

Data breaches are an increasingly common reason for privacy complaints. If your personal information has been exposed in a cyber attack, a misdirected email, an accidental publication, or an employee's misuse of records, and the organisation failed to notify you or has not adequately responded, you may have grounds to complain. Under the Notifiable Data Breaches scheme (Part IIIC Privacy Act 1988 (Cth)), organisations are required to notify affected individuals and the OAIC of eligible data breaches.

Unauthorised disclosure of health information is a common and serious privacy complaint. If a health service provider, insurer, or government agency has shared your medical records, diagnoses, or treatment information with your employer, family members, insurance companies, or other parties without your consent, this may breach APP 6 (use or disclosure) and APP 3 (collection).

Denial of access to personal information is another basis for complaint. Under APP 12, you have the right to request access to the personal information an organisation holds about you. If an organisation refuses to provide access without a valid reason, or charges an unreasonable fee, you can complain to the OAIC.

Direct marketing complaints arise when an organisation contacts you for marketing purposes in circumstances where you did not consent or where you have previously opted out. APP 7 provides specific protections against unsolicited direct marketing using personal information.

Unwanted use of sensitive information — including racial or ethnic origin, political opinions, religious beliefs, health information, genetic information, sexual orientation, and criminal record — is subject to stricter protections under APP 3 and APP 6. Collecting or disclosing sensitive information without consent is a serious breach.

A valid privacy complaint to the OAIC under s36 of the Privacy Act 1988 (Cth) must contain several key elements to enable the OAIC to assess and investigate the complaint.

The complainant's identity and contact details are required. The complaint must be made in the complainant's own name — anonymous complaints cannot be investigated by the OAIC. You must provide your full name, address, email, and phone number so the OAIC can contact you.

The respondent must be clearly identified. The complaint must identify the organisation or agency against which the complaint is made. Include the full legal name, ABN or ACN (if known), and address. Confirming that the respondent is covered by the Privacy Act 1988 (Cth) — as an APP entity — is important, as small businesses under $3 million turnover are generally exempt.

The Australian Privacy Principle(s) alleged to have been breached must be identified. This helps the OAIC assess whether the conduct complained of falls within the Act. Common breached APPs include APP 6 (unauthorised disclosure), APP 11 (data breach), APP 12 (denial of access), and APP 13 (refusal to correct).

A detailed factual summary of the complaint must be provided. Describe what the organisation did or failed to do, when it occurred, what personal information was involved, and how you became aware of the breach. Include specific dates, names, and reference numbers where possible. The summary should be factual and objective.

Harm suffered should be described. The OAIC considers the seriousness of the complaint and the harm caused to the individual. Relevant harm includes financial loss, reputational damage, emotional distress, loss of employment, relationship damage, and physical safety risks.

Evidence of complaint to the organisation must be provided. You must generally have first complained to the organisation and given it a reasonable opportunity to respond before the OAIC can investigate (s40(1A) Privacy Act 1988 (Cth)). Include the date and method of your complaint and the organisation's response (or failure to respond).

The outcome sought should be stated clearly. This helps the OAIC support conciliation and, if necessary, make a formal determination under s52 of the Act.

Additional compliance elements for a Privacy Complaint to OAIC (Australia) used in Australia include: Under Australian law, the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs) apply to personal data processed under this agreement. The Australian Consumer Law (Schedule 2, Competition and Consumer Act 2010), enforced by the Australian Competition and Consumer Commission (ACCC), protects consumer rights. Section 127 of the Corporations Act 2001 governs corporate execution. The Fair Work Commission (FWC) adjudicates employment disputes under the Fair Work Act 2009. The Federal Court of Australia and state Supreme Courts have jurisdiction for civil matters. Forms-legal.com provides this template as a starting point for Australia-compliant documentation.