Carly Kind
Privacy Commissioner
This provides the Australian community with up-to-date advice and guidance about the handling of individual privacy complaints by the Office of the Australian Information Commissioner (OAIC). It provides background, a checklist and templates to assist people considering making an individual privacy complaint to understand the OAIC regulatory approach and reciprocal expectations.
Over the past twelve months, the OAIC has been intentionally shifting to a greater focus on enforcement, acknowledging the considerable deterrent and educative benefits of proportionate regulatory action. Our approach is designed to ensure maximum impact in elevating privacy practices across all sectors. The early results from that shift speak for themselves: the $5.8 million civil penalty imposed on Australian Clinical Labs, the civil penalties proceedings we filed against Optus and Medibank, and the watershed settlement of $50 million we obtained from Meta Platforms are three examples. Other landmark determinations have sought to update the application of the Privacy Act in light of new technologies, such as with respect to facial recognition in the Bunnings and Kmart decisions.
Big aspirations to safeguard privacy rights
This is only the beginning – in 2026 we will continue civil penalties proceedings against Optus and Medibank, and advance Commissioner-initiated investigations into rental tech, connected cars, and tracking pixels. We’ve recently completed our inaugural privacy sweep, with a focus on the in-person collection of personal information in certain sectors, including real estate and licensed venues.
We’ve also got some new enforcement powers to use, including infringement notices for specific breaches of the Privacy Act, and a mandate to develop a Children’s Online Privacy Code to improve protections for children in the digital domain.
Resolving matters through the issuing of determinations will also continue, for both educative and deterrent purposes. We will continue to publish our determinations, unless exceptional circumstances warrant otherwise – we made and published ten determinations in the last financial year, with a further three determinations published in the second half of 2025. We will also continue to issue guidance on the application of the legal framework, including on matters of public interest, in response to significant decisions, and in the context of new technologies and other emerging developments. These activities will promote compliance and provide transparency about our regulatory approach for the Australian community and the regulated sector.
Our focus on enforcement is driven by a few factors: first and foremost by the expectations of the Australian community, who want to see a visible and strong regulator defending their privacy rights. It is also motivated by our understanding of the changing nature of privacy harms; increasingly, and thanks to the boom of the digital age, interferences with individuals’ privacy are largely obscured from their view. Many privacy harms operate in undetectable ways, including the unlawful and unfair collection of personal information by scraping and other methods online. We shouldn’t put the burden onto individual Australians to detect and deter such abuses – rather, to be a modern and effective regulator we need to be proactively scanning for and investigating these kinds of privacy harms.
We also believe that the general deterrence impacts of significant enforcement action can lead to systemic change, and potentially lead to the eradication of harmful market practices. That means we can actually help more people by strategically pursuing matters that enable us to tackle persistent, egregious or systemic harms.
We have big aspirations to advance the rights of Australian consumers and the community in this way. However, shifting our approach to proactive and purpose-led identification of harms and contraventions has flow-on effects for how we administer our other functions and responsibilities. A key area in which we’ll be changing our approach relates to how we handle individual privacy complaints.
A new approach to individual privacy complaints
Going forward, we need to take a robust approach to assessing the validity of individual privacy complaints, and deciding which privacy complaints warrant an investigation in all of the circumstances. We want to speed up the time it takes us to deal with privacy complaints, and ensure that the OAIC’s resources are being applied proportionately to address serious and valid privacy complaints. Our efforts will be increasingly directed to resolving matters in a way that will result in meaningful change. In doing so, we’ll be guided by a number of principles, including:
- The OAIC can be most impactful when we can address privacy complaints in a timely way
- Privacy complaints can be effectively processed only when a complainant has provided all the required information and has followed the necessary processes
- Some individual privacy complaints may highlight problematic acts and practices that are more impactfully dealt with through a means other than just an individual outcome, such as a Commissioner-initiated investigation, through the publication of guidance or engagement with the regulated community, or through OAIC’s policy advocacy
- Where a privacy complaint relates to a notifiable data breach that the OAIC is investigating, individual complaints will usually be put on hold until the investigation and any related court proceedings (such as civil penalty proceedings) are finalised
- Some individual privacy complaints, while they may establish breaches of the Privacy Act, may not warrant investigation in all of the circumstances, particularly when they arise amidst other issues or proceedings, or where they don’t meet a threshold of seriousness that warrants the proportionate investment of our resources.
Not all individual privacy complaints will be taken through to investigation. In exercising our discretion under the Privacy Act, we will take into account a range of considerations including our enforcement-focussed stance and our regulatory priorities.
We want to be clear and up front about this shift, and give some specific advice to those wishing to submit an individual privacy complaint to the OAIC:
What you need to do before you lodge a privacy complaint with the OAIC
- We currently have a significant backlog of individual privacy complaints that we are actively seeking to address. As at February 2026, it is unlikely that we will be able to substantially progress new validly lodged individual privacy complaints for some 6 to 12 months after they are lodged (unless we determine there are exceptional circumstances which may warrant expeditious consideration).
- Before you make a privacy complaint, please familiarise yourself with the requirements for lodging a privacy complaint with an organisation or agency, and if you are unable to resolve your complaint with the organisation or agency, the requirements for lodging a valid complaint with us.
- Generally, you must first complain to the entity that is the subject of your complaint, and give them 30 days to respond and propose a way to resolve your privacy complaint. This reflects the requirements of the Privacy Act.
- If an external dispute resolution scheme (EDR scheme) has been approved to deal with privacy complaints about the entity your complaint is about, generally you should also attempt to complain to the EDR scheme directly before complaining to us. EDR schemes are applicable in the following areas:
  - Banks
  - Financial planners
  - Insurance companies
  - Mortgage brokers
  - Superannuation funds
  - Electricity, gas and water providers in the Australian Capital Territory, New South Wales, South Australia, Queensland, Victoria and Western Australia
  - Telecommunications providers
  - Public transport in Victoria, and
  - Tolling in New South Wales, Queensland and Victoria.

  A list of approved external dispute resolution schemes is available on our website.
- If you are unable to resolve your privacy complaint with the entity or through external dispute resolution, you can make a complaint to us.
What you need to provide when lodging an individual privacy complaint with the OAIC
For your privacy complaint to be dealt with quickly, you will need to provide us with all of the necessary information from the outset:
- your name
- your contact details
- the name of the entity you are complaining about – without a valid entity name, we can’t progress your complaint
  - also include the entity’s ABN, if you know it
- a description of your privacy complaint (what happened and when), including information about the impact of the alleged breach
- a copy of your written complaint, or details of a verbal complaint, made to the entity
- reference numbers or identifiers from when you made your complaint to the organisation or agency
- any action the entity you complained to has taken to fix the problem
- a copy of any relevant document or correspondence, including the entity’s response to your complaint
- a statement of what outcome you’d like to resolve your complaint.
What you need to be aware of when lodging an individual privacy complaint with the OAIC
Under the Privacy Act we have a discretion to decide not to investigate an individual privacy complaint after a consideration of all of the circumstances. We will complete a strategic assessment of your privacy complaint on the basis of the information you have provided and make a decision as to next steps. This may involve seeking further information from you and/or the entity you are complaining about through either early resolution or formal investigation channels or advising you that we will not be investigating your privacy complaint, including our reasons for making this decision.
A clear-eyed look at constraints and outcomes
Finally, it is important for complainants to be clear-eyed about the possible outcomes of their privacy complaint. If the entity you are complaining about has offered you a resolution that we consider reasonable, we will be unlikely to take your privacy complaint through to investigation. If we do investigate your privacy complaint and find it substantiated, although we have the power to make a range of declarations in remediation, we will not always award compensation – this will depend on the circumstances of the matter. The handling of your privacy complaint may be paused in certain circumstances, for example, if your complaint relates to an issue we’re already investigating, or for which we’ve already received a representative complaint. This may mean a considerable delay before we are able to progress your individual privacy complaint.
We appreciate that the Australian community relies on the OAIC to detect and remedy privacy harms across the economy, in a timely and effective manner. We believe a more proactive enforcement focus on systemic harms and market practices will make a real difference, but in order to carve out the time, resources and capability to make such a shift we need to apply more robust thresholds to our individual privacy complaint handling practices. We do so with the clear objective of protecting and defending the privacy rights of the Australian community.