What is a privacy breach and when can I make a complaint in Australia?
A privacy breach occurs when an organisation or government agency interferes with your privacy by mishandling your personal information. This can include collecting information without consent, using it for a different purpose than stated, disclosing it to unauthorised parties, failing to secure it, or refusing to let you access or correct it. You can complain to the OAIC if the entity is covered by the Privacy Act 1988.
Which organisations are covered by the Privacy Act 1988 in Australia?
The Privacy Act covers Australian Government agencies, private sector organisations with an annual turnover of more than three million dollars, and some smaller organisations including private health service providers, credit reporting bodies, and tax file number recipients. Some states and territories also have their own privacy laws covering state government agencies.
What are the Australian Privacy Principles and how do they protect me?
The 13 Australian Privacy Principles (APPs) govern how covered organisations collect, use, disclose, and store personal information. Key principles include the requirement to collect information only with consent and for a stated purpose, to keep it secure, to give you access to your own information, and to correct inaccurate information. Breaches of the APPs are investigated by the OAIC.
What is the Notifiable Data Breaches scheme in Australia?
Under the Notifiable Data Breaches (NDB) scheme, organisations covered by the Privacy Act must notify the OAIC and affected individuals when a data breach is likely to result in serious harm. If an organisation fails to notify you of a breach that affects you, you can report this to the OAIC. The NDB scheme has been in operation since February 2018.
Do I need to complain to the organisation first before going to the OAIC in Australia?
Yes. The OAIC generally requires you to complain directly to the organisation first and give them 30 days to respond before lodging a complaint with the OAIC. If the organisation does not respond within 30 days, responds inadequately, or you are not satisfied with their response, you can then lodge a complaint with the OAIC at oaic.gov.au.
How do I lodge a privacy complaint with the OAIC in Australia?
Complete the online privacy complaint form at oaic.gov.au. You will need to provide your contact details, the name of the organisation you are complaining about, a description of what happened, the APP or Privacy Act provision you believe was breached, evidence of your complaint to the organisation, and their response if any. There is no fee to lodge a complaint with the OAIC.
What can the OAIC do about my privacy complaint in Australia?
The OAIC can investigate your complaint, conciliate between you and the organisation, and make a formal determination. Determinations can require the organisation to stop the conduct, take steps to remedy the harm, and pay compensation for non-economic loss such as humiliation and distress. The OAIC can also conduct own motion investigations and apply to the Federal Court for civil penalties.
What is the time limit for lodging a privacy complaint with the OAIC in Australia?
You should lodge your complaint as soon as possible. The OAIC has discretion to decline to investigate complaints where a significant amount of time has passed since the conduct occurred. There is no fixed statutory limitation period for privacy complaints but delay can affect the OAIC's decision to accept your complaint.
Can I get compensation for a privacy breach in Australia?
Yes. If the OAIC makes a determination in your favour it can award compensation for economic and non-economic loss. Non-economic loss includes injury to feelings, humiliation, and distress. The OAIC can also refer serious or systemic privacy breaches to the Federal Court for civil penalty proceedings, though this is a separate process from your individual complaint.
How does uplaw.ai help with privacy breach complaints in Australia?
Tell us what happened — who breached your privacy, what information was involved, and what the organisation did when you complained. We help you prepare your formal complaint to the organisation and your OAIC complaint submission, including identifying which Australian Privacy Principles were likely breached.
Free to start
Privacy breached? Tell uplaw.ai what the organisation did with your information.
No account required. uplaw.ai helps you identify which privacy principles were breached and prepare your OAIC complaint.