Privacy Policy

The Office of the Commonwealth Ombudsman must comply with the  
Australian Privacy Principles contained in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act). This Policy contains a summarised version of information about the Ombudsman’s collection, use, disclosure and storage of personal information, including sensitive information (defined in s 6 of the Privacy Act 1988) and how individuals may access and correct personal information that we hold. It also contains information on how the Ombudsman will respond to an Eligible Data Breach (EDB).  A complete copy of the Privacy Policy is available here. A copy of the Commonwealth Ombudsman’s Supplementary Privacy Policy in relation to reporting abuse in Defence is available here.

What kinds of personal information does the Ombudsman hold?

We collect and hold personal information for the purposes of performing functions of the Ombudsman.  Personal information held by the Office includes but is not limited to; personal contact details such as your name, date of birth, email, postal address, telephone number and details about your complaint.  We may also collect financial information from contractors and service providers, bank account details, employment history details of staff and information in relation to staff of private service providers for example, health care, education and postal operators. We may collect sensitive information such as health information when it is relevant to an investigation for example an assessment of serious abuse in Defence, an investigation in relation to our Private Health Insurance Ombudsman functions or where the Ombudsman is performing his functions under thMigration Act 1958 (Cth)in relation to persons held in immigration detention for than two years.

How the Ombudsman collects personal information

The Ombudsman collects personal information usually directly from you or your authorised representative. We will only collect your sensitive information (defined in s 6 of the Privacy Act 1988) if you agree to us collecting it and it is reasonably necessary for, or directly related to one of our functions or activities;

Example: The Ombudsman Act 1976 allows us to collect information relevant to a complaint about a private health insurance arrangement which may include sensitive information about health, health services, or claims, or 

It is required or authorised by law or an order of a court or tribunal, or

A ‘permitted general situation’ as defined in the Privacy Act 1988 exists.

Example it is necessary to lessen or prevent a serious threat to life, health or safety of a person or the public; we suspect that unlawful activity or serious misconduct relating to the Ombudsman’s functions or activities has happened or may happen and the information is needed to take appropriate action; we believe it is necessary to assist in locating a missing person; we believe it is necessary to defend court action brought against the Ombudsman.

We may also collect personal information provided to us via online forms submitted to our website or when you subscribe to our mailing lists.  We do not collect your personal information when you browse our website.

We have a broad discretion on how we investigate matters, and we may collect personal information from another source including the information we may request from other agencies, individuals or private entities.  Therefore if you make a complaint to us and we decide to investigate the complaint, you should expect that your personal information will be collected in this way.  We may also collect information about a person/s who is associated with your complaint.

You may complain to us anonymously or by adopting a pseudonym. However, if you do so it may be difficult or impossible for us to investigate your complaint.

How the Ombudsman holds and protects personal information 

Strong data management is integral to the operation of the Ombudsman’s Office, accordingly we have developed a range of robust policies and procedures to ensure that personal information we hold is protected against unauthorised access, use, modification or disclosure, or other interferences.  For example we restrict access to personal information within the Office, to only allow access on a ‘need to know’, work-related basis and apply access restrictions such as IT security access controls for electronic files and investigation data bases and secure paper files within locked containers with physical access restrictions. When no longer required to be retained as part of a Commonwealth record, personal information is destroyed in accordance with the Archives Act 1983 (Cth) and the Ombudsman’s Records Authority (for Commonwealth Ombudsman records), or the Territory Records Act 2002 (ACT).

In the unlikely event that personal information is unlawfully disclosed, accessed or lost we have developed robust procedures to respond to a data breach in the form of our Data Breach Response Plan (DBRP).  Our DBRP has been designed in accordance with the requirements of the Privacy Act. This means should a breach occur our staff can promptly activate the necessary steps to mitigate potential impacts and minimise the risk of harm or damage.

How we use and disclose personal information

We may use or disclose your personal information to enable us to decide whether your complaint is within the Ombudsman’s jurisdiction, whether there is a reason not to investigate the complaint, or how best to investigate the complaint. It also helps us decide if another body or person could assist you better in resolving your complaint. In some circumstances the Ombudsman Act 1976 allows us to transfer your complaint, including your personal information, to another agency or body. If we investigate your complaint we will contact the agency you have complained about. In some circumstances we will contact other people, organisations or departments if we consider they have information relevant to the investigation. It will normally be necessary for us to disclose some of your personal information when we do this.

Where we have an obligation to report to the Minister, such as under the Migration Act 1958 (Cth). We may use the details of your complaint to help us in our report to the Minister.

How can I access or correct my personal information held by the Ombudsman

If you wish to access personal information we hold about you, or to correct that personal information, if you are speaking to an Investigation Officer or a member of the Public Contact Team you can ask them to immediately update information such as your address or contact details.  Alternately you can email or Post your request to the ‘Privacy Contact Officer’ GPO Box 442, Canberra ACT 2601. You can also call 1300 363 072 and ask to speak with a Privacy Contact Officer.

How do I complain about the handling of my personal information

We are committed to protecting your personal information however if you are concerned about the Department’s handling of your information you may submit your complaint in writing using our online complaint form.You can also call 1300 363 072 and ask to speak with a Privacy Contact Officer.

Privacy Impact Assessment Register

A Privacy Impact Assessment (PIA) is a systemic assessment of a project that may have privacy implications. The Office of the Commonwealth Ombudsman is required by s 15 of the Privacy (Australian Government Agencies – Governance) APP Code 2017 to publish a version of its PIA Register on its website.