I’ve received a letter from an agency informing me of a breach and my right to complain to the Privacy Commissioner. What should I do now?
An agency needs to notify the Office of the Privacy Commissioner if there has been a data breach that has caused or is likely to cause serious harm to people. Read about what serious harm means. They also need to notify the people affected, unless an exception applies, and inform them of their right to complain to our Office.
We will assess privacy breaches that are notified to our Office regardless of whether people complain to us. We don’t directly contact affected individuals about our compliance actions.
If you are concerned that your privacy has been breached, our complaints process requires that you first try to resolve the issue directly with the agency before we investigate individual complaints.
This means that if you’re not satisfied with the steps the agency has taken or the letter you have received, you will need to contact the agency and explain what you want them to do to resolve your concerns before you complain to us. If you complain to our Office, we will advise you to tell the agency what you want them to do to resolve your complaint and give them a reasonable opportunity to respond.
Read more information about making a complaint to us.
Read these related AskUs articles:
- Can I complain straight to the Privacy Commissioner first?
- Do I get updates from you if I'm part of a privacy or data breach?
Updated November 2025