The Office of the Commonwealth Ombudsman (the Office) must comply with the Australian Privacy Principles contained in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act).

The Office’s Privacy Policy (this Policy) contains a summarised version of information about the Ombudsman’s collection, use, disclosure and storage of personal information, including sensitive information (defined in section 6 of the Privacy Act 1988) and how individuals may access and correct personal information that we hold. It also contains information on how the Ombudsman will respond to an Eligible Data Breach (EDB).

A complete copy of the Privacy Policy is available here.  A copy of the Commonwealth Ombudsman’s Supplementary Privacy Policy in relation to reporting abuse in Defence is available here.

What kinds of personal information does the Ombudsman hold?

We collect and hold personal information for the purposes of performing functions of the Ombudsman.  Personal information held by the Office includes personal contact details such as your name, date of birth, email, postal address, telephone number and details about your complaint.  We may also collect financial information from contractors and service providers, bank account details, employment history details of staff and information in relation to staff of private service providers for example, health care, education and postal operators.

We may collect sensitive information such as health information when it is relevant to an investigation - for example an assessment of serious abuse in Defence; an investigation in relation to our Private Health Insurance Ombudsman functions; or where the Ombudsman is performing his functions under thMigration Act 1958 (Cth) in relation to persons held in immigration detention..

How the Ombudsman collects personal information

The Ombudsman collects personal information usually directly from you or your authorised representative. We will only collect your sensitive information (defined in s 6 of the Privacy Act 1988) if you agree to us collecting it and it is reasonably necessary for, or directly related to one of our functions or activities.

For example, the Ombudsman Act 1976 allows us to collect information relevant to a complaint about a private health insurance arrangement which may include sensitive information about health, health services, or claims, or

It is required or authorised by law or an order of a court or tribunal, or

A ‘permitted general situation’ as defined in the Privacy Act 1988 exists.

Other examples of information we may collect is

- Information we believe is necessary to lessen or prevent a serious threat to life, health or safety of a person or the public

- Where we suspect that unlawful activity or serious misconduct relating to the Ombudsman’s functions or activities has happened or may happen and the information is needed to take appropriate action

- If we believe it is necessary to assist in locating a missing person; or

- If we believe it is necessary to defend court action brought against the Ombudsman.

We may also collect personal information provided to us via online forms submitted to our website or when you subscribe to our mailing lists.

We do not collect your personal information when you browse our website.

We have a broad discretion on how we investigate matters, and we may collect personal information from another source including the information we may request from other agencies, individuals or private entities.

Therefore if you make a complaint to us and we decide to investigate the complaint, you should expect that your personal information will be collected from other agencies, individuals or private entities.

We may also collect information about a person/s who is associated with your complaint.

You may complain to us anonymously or by adopting a pseudonym. However, if you do so it may be difficult or impossible for us to investigate your complaint.

How the Ombudsman holds and protects personal information

Strong data management is integral to the operation of the Ombudsman’s Office. We have developed a range of robust policies and procedures to ensure that all personal information we hold is protected against unauthorised access, use, modification, disclosure, or other interferences.

For example, we restrict access to personal information within the Office on a ‘need to know’ work-related basis.  We apply access restrictions such as IT controls for electronic files and investigation data bases.  Paper files containing personal information are contained within locked containers with physical access restrictions.

When no longer required to be retained as part of a Commonwealth record, personal information is destroyed in accordance with the Archives Act 1983 (Cth) and the Ombudsman’s Records Authority  (for Commonwealth Ombudsman records), or the Territory Records Act 2002 (ACT).

In the unlikely event that personal information is unlawfully disclosed, accessed or lost we have developed robust procedures to respond to a data breach in the form of our Data Breach Response Plan (DBRP).  Our DBRP has been designed in accordance with the requirements of the Privacy Act. This means should a breach occur, our staff can promptly activate the necessary steps to minimise the risk of harm or damage.

How we use and disclose personal information

We may use or disclose your personal information to enable us to decide whether your complaint is within the Ombudsman’s jurisdiction, whether there is a reason not to investigate the complaint, or how best to investigate the complaint. This also helps us decide if another body or person could assist you better in resolving your complaint. In some circumstances the Ombudsman Act 1976 allows us to transfer your complaint, including your personal information, to another agency or body.

If we investigate your complaint, we will contact the agency you have complained about. In some circumstances we will contact other people, organisations or departments if we consider they have information relevant to the investigation. It will normally be necessary for us to disclose some of your personal information when we do this.

Where we have an obligation to report to the Minister, such as under the Migration Act 1958 (Cth), we may use the details of your complaint to help us in our report to the Minister.

We might also contact people who have used our services to get information about their experiences and needs. We will use this information to improve our services. Sometimes we engage other companies to contact people to gather this information. You can choose whether or not you provide information – it's voluntary. Any information you choose to provide will be kept secure, remain confidential and will be stored separately from our records about your complaint. We, and the companies we use, must meet privacy requirements about collecting, storing and using the information you give. If you do not wish to be contacted about your experience using our services, you can let us know by completing this form (select ‘provide feedback’ from the drop down menu) or, if you are unable to complete the form, contact us on 1300 362 072.

How can I access or correct my personal information held by the Ombudsman

If you wish to access personal information we hold about you, or to correct that personal information, you can

- ask your current contact in the Office (eg your complaints officer) to update information such as your address or contact details

- email your request to information.access@ombudsman.gov.au

- mail your request to the ‘Privacy Officer’ GPO Box 442, Canberra ACT 2601

- call 1300 362 072 and ask to speak with a Privacy Officer.

How do I complain about the handling of my personal information

We are committed to protecting your personal information. If you are concerned about the Office’s handling of your information, you may submit your complaint in writing using our online complaint form. You can also call 1300 362 072 and ask to speak with a Privacy Officer.

Privacy Impact Assessment Register

A Privacy Impact Assessment (PIA) is a systemic assessment of a project that may have privacy implications. The Office of the Commonwealth Ombudsman is required by s 15 of the Privacy (Australian Government Agencies – Governance) APP Code 2017 to publish a version of its PIA Register on its website.

Date

Title

Other information

19/08/2020

VET Student Loans Industry Code of Practice Privacy Impact Assessment

 

13/02/2020

Collection and storage of staff personal mobile Privacy Impact Assessment

 

6/06/2019

OPCAT Detainee and Staff Surveys Privacy Impact Assessment

 

19/03/2019

Privatehealth.gov.au Privacy Impact Assessment

 

11/07/2018

Power BI Solution Privacy Impact Assessment

Privacy Policy

The Office of the Commonwealth Ombudsman (the Office) must comply with the Australian Privacy Principles contained in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act).

The Office’s Privacy Policy (this Policy) contains a summarised version of information about the Ombudsman’s collection, use, disclosure and storage of personal information, including sensitive information (defined in section 6 of the Privacy Act 1988) and how individuals may access and correct personal information that we hold. It also contains information on how the Ombudsman will respond to an Eligible Data Breach (EDB).

A complete copy of the Privacy Policy is available here.  A copy of the Commonwealth Ombudsman’s Supplementary Privacy Policy in relation to reporting abuse in Defence is available here.

What kinds of personal information does the Ombudsman hold?

We collect and hold personal information for the purposes of performing functions of the Ombudsman.  Personal information held by the Office includes personal contact details such as your name, date of birth, email, postal address, telephone number and details about your complaint.  We may also collect financial information from contractors and service providers, bank account details, employment history details of staff and information in relation to staff of private service providers for example, health care, education and postal operators.

We may collect sensitive information such as health information when it is relevant to an investigation - for example an assessment of serious abuse in Defence; an investigation in relation to our Private Health Insurance Ombudsman functions; or where the Ombudsman is performing his functions under thMigration Act 1958 (Cth) in relation to persons held in immigration detention..

How the Ombudsman collects personal information

The Ombudsman collects personal information usually directly from you or your authorised representative. We will only collect your sensitive information (defined in s 6 of the Privacy Act 1988) if you agree to us collecting it and it is reasonably necessary for, or directly related to one of our functions or activities.

For example, the Ombudsman Act 1976 allows us to collect information relevant to a complaint about a private health insurance arrangement which may include sensitive information about health, health services, or claims, or

It is required or authorised by law or an order of a court or tribunal, or

A ‘permitted general situation’ as defined in the Privacy Act 1988 exists.

Other examples of information we may collect is

- Information we believe is necessary to lessen or prevent a serious threat to life, health or safety of a person or the public

- Where we suspect that unlawful activity or serious misconduct relating to the Ombudsman’s functions or activities has happened or may happen and the information is needed to take appropriate action

- If we believe it is necessary to assist in locating a missing person; or

- If we believe it is necessary to defend court action brought against the Ombudsman.

We may also collect personal information provided to us via online forms submitted to our website or when you subscribe to our mailing lists.

We do not collect your personal information when you browse our website.

We have a broad discretion on how we investigate matters, and we may collect personal information from another source including the information we may request from other agencies, individuals or private entities.

Therefore if you make a complaint to us and we decide to investigate the complaint, you should expect that your personal information will be collected from other agencies, individuals or private entities.

We may also collect information about a person/s who is associated with your complaint.

You may complain to us anonymously or by adopting a pseudonym. However, if you do so it may be difficult or impossible for us to investigate your complaint.

How the Ombudsman holds and protects personal information

Strong data management is integral to the operation of the Ombudsman’s Office. We have developed a range of robust policies and procedures to ensure that all personal information we hold is protected against unauthorised access, use, modification, disclosure, or other interferences.

For example, we restrict access to personal information within the Office on a ‘need to know’ work-related basis.  We apply access restrictions such as IT controls for electronic files and investigation data bases.  Paper files containing personal information are contained within locked containers with physical access restrictions.

When no longer required to be retained as part of a Commonwealth record, personal information is destroyed in accordance with the Archives Act 1983 (Cth) and the Ombudsman’s Records Authority  (for Commonwealth Ombudsman records), or the Territory Records Act 2002 (ACT).

In the unlikely event that personal information is unlawfully disclosed, accessed or lost we have developed robust procedures to respond to a data breach in the form of our Data Breach Response Plan (DBRP).  Our DBRP has been designed in accordance with the requirements of the Privacy Act. This means should a breach occur, our staff can promptly activate the necessary steps to minimise the risk of harm or damage.

How we use and disclose personal information

We may use or disclose your personal information to enable us to decide whether your complaint is within the Ombudsman’s jurisdiction, whether there is a reason not to investigate the complaint, or how best to investigate the complaint. This also helps us decide if another body or person could assist you better in resolving your complaint. In some circumstances the Ombudsman Act 1976 allows us to transfer your complaint, including your personal information, to another agency or body.

If we investigate your complaint, we will contact the agency you have complained about. In some circumstances we will contact other people, organisations or departments if we consider they have information relevant to the investigation. It will normally be necessary for us to disclose some of your personal information when we do this.

Where we have an obligation to report to the Minister, such as under the Migration Act 1958 (Cth), we may use the details of your complaint to help us in our report to the Minister.

We might also contact people who have used our services to get information about their experiences and needs. We will use this information to improve our services. Sometimes we engage other companies to contact people to gather this information. You can choose whether or not you provide information – it's voluntary. Any information you choose to provide will be kept secure, remain confidential and will be stored separately from our records about your complaint. We, and the companies we use, must meet privacy requirements about collecting, storing and using the information you give. If you do not wish to be contacted about your experience using our services, you can let us know by completing this form (select ‘provide feedback’ from the drop down menu) or, if you are unable to complete the form, contact us on 1300 362 072.

How can I access or correct my personal information held by the Ombudsman

If you wish to access personal information we hold about you, or to correct that personal information, you can

- ask your current contact in the Office (eg your complaints officer) to update information such as your address or contact details

- email your request to information.access@ombudsman.gov.au

- mail your request to the ‘Privacy Officer’ GPO Box 442, Canberra ACT 2601

- call 1300 362 072 and ask to speak with a Privacy Officer.

How do I complain about the handling of my personal information

We are committed to protecting your personal information. If you are concerned about the Office’s handling of your information, you may submit your complaint in writing using our online complaint form. You can also call 1300 362 072 and ask to speak with a Privacy Officer.

Privacy Impact Assessment Register

A Privacy Impact Assessment (PIA) is a systemic assessment of a project that may have privacy implications. The Office of the Commonwealth Ombudsman is required by s 15 of the Privacy (Australian Government Agencies – Governance) APP Code 2017 to publish a version of its PIA Register on its website.

Date

Title

Other information

19/08/2020

VET Student Loans Industry Code of Practice Privacy Impact Assessment

 

13/02/2020

Collection and storage of staff personal mobile Privacy Impact Assessment

 

6/06/2019

OPCAT Detainee and Staff Surveys Privacy Impact Assessment

 

19/03/2019

Privatehealth.gov.au Privacy Impact Assessment

 

11/07/2018

Power BI Solution Privacy Impact Assessment