Compliance glossary
Privacy & Data Protection

Office of the Australian Information Commissioner (OAIC)

Also known as: OAIC, Privacy Commissioner, Information Commissioner

Definition

The Office of the Australian Information Commissioner (OAIC) is the federal regulator for privacy and freedom of information. It administers the Privacy Act 1988, receives notifiable data breach statements and privacy complaints, issues guidance on the Australian Privacy Principles, and can investigate and seek civil penalties for serious or repeated privacy breaches.

Why this matters for your practice

The OAIC is the body a practice answers to on privacy. It is where you notify a notifiable data breach, where a patient can take a privacy complaint, and whose guidance defines what "reasonable steps" under the Australian Privacy Principles actually means in practice. When privacy goes wrong, the OAIC is the regulator that investigates, and its enforcement powers now include civil penalties that reach into the tens of millions of dollars for serious or repeated interferences with privacy.

Knowing what the OAIC does, and what it expects, helps a practice respond correctly when something happens rather than guessing.

What the OAIC does

  • Administers the Privacy Act 1988 and the Australian Privacy Principles.
  • Receives notifiable data breach statements under the NDB scheme and can direct entities to notify.
  • Handles privacy complaints from individuals about how their personal information was handled.
  • Issues guidance on privacy obligations, which sets the practical standard.
  • Investigates and enforces, with powers to make determinations, accept enforceable undertakings, and seek civil penalties.

When a practice deals with the OAIC

The two most common touchpoints for a medical practice are:

  • Notifying a data breach. If you suspect a breach, you assess it promptly (the NDB scheme expects the assessment to be completed within 30 days). If it is an eligible data breach, you prepare a statement for the OAIC and notify affected individuals as soon as practicable.
  • Responding to a complaint. A patient who believes their privacy was mishandled complains to your practice first; if that is not resolved, they can take the complaint to the OAIC.

What the OAIC expects

  • That you have taken reasonable steps to secure personal information before a breach occurs (APP 11), and that you can point to those steps.
  • That you assess suspected breaches expeditiously and notify eligible breaches as soon as practicable, rather than waiting for the full picture.
  • That you can show your reasoning in writing, including where you decided a breach was not notifiable and why.

Common mistakes

  • Treating OAIC guidance as optional. It defines the practical compliance standard.
  • Slow or absent breach notification.
  • No documented assessment to show the regulator if a complaint is later made.

Frequently Asked Questions

What is the OAIC?

The Office of the Australian Information Commissioner (OAIC) is the federal privacy and freedom of information regulator. It administers the Privacy Act 1988, receives notifiable data breach statements and privacy complaints, issues guidance, and can investigate and penalise serious privacy breaches.

When do I have to contact the OAIC?

A practice contacts the OAIC mainly to notify an eligible data breach under the Notifiable Data Breaches scheme, and may deal with it when a patient makes a privacy complaint. The OAIC can also investigate privacy issues on its own initiative.

What powers does the OAIC have?

The OAIC can investigate privacy breaches, make determinations, accept enforceable undertakings, direct entities to notify a data breach, and seek civil penalties for serious or repeated interferences with privacy, which can run to tens of millions of dollars for bodies corporate.

Last reviewed
