Information Requests, Privacy and Confidentiality



The Ombudsman collects and uses information provided by complainants, agencies and third parties in the course of taking complaints, conducting enquiries and investigations and to improve our service.
The Ombudsman does not otherwise use or disclose personal information unless permitted by law. The Ombudsman will provide a person reasonable access to their personal information and will correct details in order to ensure that records are accurate. 

General principles

  1. VO commonly deals with information that identifies, or is attributable to, a particular individual and is protected by law.
  2. We obtain, keep, use and disclose information for the primary purpose of taking complaints, conducting enquiries and investigations, and making recommendations and reports involving authorities, which include Victorian state government departments, agencies and local councils (and those acting on behalf of these bodies), and protected disclosure entities.
  3. We also use de-identified information to educate others on our role and responsibilities, and to encourage and support state government agencies to improve their administrative practices to better serve the public.
  4. Information can be in the form of documents, voice or video recordings, electronic files or data, case records and file notes.
  5. We must adhere to the confidentiality requirements set out in the:
  • Ombudsman Act 1973
  • Protected Disclosure Act 2012
  • Privacy and Data Protection Act 2014, which protects personal information, including sensitive information
  • the Health Records Act 2001, which protects health information.
  1. Information that we obtain is retained and stored in accordance with the requirements of the Public Records Act 1973, associated standards and our internal records policy.

Collection of information

  1. We obtain information relating to a person directly from that person where possible. However, we may also collect information about a person (and their complaint) from:
  • an authority or protected disclosure entity (for example, by receiving a referral of a complaint, or while conducting an enquiry or investigation)
  • a third party
  • other publicly available sources.
  1. We may  obtain information voluntarily or require the provision of information using our statutory powers under the Ombudsman Act (section 18 Ombudsman Act and section 17 Evidence (Miscellaneous Provisions) Act 1958 as in effect immediately prior to its repeal).
  2. As far as is practical, we will inform a person of how we intend to use their information and to whom their information may be disclosed (for example, in relation to most complaints that we take action on, information is disclosed to the agency involved).

Use and disclosure of information

  1. We must use personal information and health information only for:
  • the primary purpose for which it was collected (in most cases, to deal with complaints or referrals, conduct an enquiry or investigation, make recommendations or report on a matter)
  • a secondary purpose that a person or body may reasonably expect us to perform (for example, to identify systemic issues in public administration. See Schedule 1 to the Privacy and Data Protection Act 2014 for further information on the information privacy principles and what information must not be used or disclosed in certain circumstances).
  1. Commonly, information we obtain is used:
  • to identify records or documents relating to a particular matter, which  means that we may disclose a complainant’s information, and the details of their complaint, to the agency involved in order for the agency to provide us relevant information about its handling of a matter
  • to examine whether the actions taken in or by an agency in relation to a particular matter were contrary to law, unreasonable or otherwise wrong
  • to consult with other complaint handling agencies and integrity bodies to ensure that we do not interfere with, or prejudice, other investigations and or processes
  • to provide a complainant the outcome of our consideration of their complaint.
  • for a purpose specified under sections 16L or 16M of the Ombudsman Act.
  1. When we disclose or transfer information to another person or body, we will take reasonable steps to preserve the privacy of the person to whom the information relates (for example, by only providing information relevant to a matter or de-identifying information prior to its disclosure).
  2. If we become aware of information about a person being in appropriately released, we will take steps to inform the person to whom the information relates of the incident. We will also  take  appropriate action to ensure that such a breach does not occur again.

Access to and correction of personal information

  1. We make information held by the office reasonably accessible to the person to which it relates and will provide such information on request. In some circumstances, we may ask that the request be submitted in writing to assist in identifying relevant information or documents.
  2. We endeavour to maintain accurate records. When an error is identified (either internally or by an external party) we will correct the information promptly.
  3. We take steps to verify the identity of any person who requests access, or a change, to their information before considering the request.
  4. We will not release or provide access to information to any other person or body, unless:
  • we have been authorised to do so by the person to whom the information relates
  • we are permitted or required to do so by law
  • it is appropriate or required in the performance of a function of the office.
  1. Any person can request documents from VO under the Freedom of Information Act 1982. However, the Freedom of Information Act does not apply to documents that relate to a complaint, enquiry, investigation, recommendation or report dealt with or made by VO (section 29A Ombudsman Act). Requests made under the Freedom of Information Act can be addressed to, and are coordinated by, VO’s Freedom of Information Officer.

Complaints about privacy

  1. Complaints about an alleged breach of privacy by VO can be made:
  • to the VO Privacy Officer in the first instance for consideration against our legal obligations, this policy and service standards
  • to the Commissioner for Privacy and Data Protection if the complaint relates to ‘personal information’ and the matter remains unresolved after being raised with VO directly
  • to the Health Services Commissioner if the complaint relates to ‘health information’ (irrespective of whether the complaint has been made to VO).


  1. We must keep personal information obtained by the office confidential (sections 26A and 26B Ombudsman Act), except when it is necessary or appropriate to disclose the information in the performance of our statutory functions.
  2. Generally this means that VO officers are not permitted to use, provide or disclose information obtained by VO except for the purpose of dealing with a complaint or referral, conducting an enquiry or investigation, making a recommendation or reporting on a matter (see section 26A for a complete list of exemptions).
  3. We have the power to issue a ‘confidentiality notice’ (section 26C(1) Ombudsman Act. See our ‘Investigations’ policy).

Roles and responsibilities

Manager, Human Rights Portfolio
This policy (PO_SF_06) is compatible with the human rights protected by the Charter of Human Rights and Responsibilities 2006
Assistant Director, Portfolios & Administrative Improvement
Policy owner
Governance Committee
Policy authorisation
Senior Legal Officer
Privacy Officer
Level 2 570 Bourke Street
Melbourne VIC 3000
(03) 9613 6222 or 1800 806 314 (landline only)

This policy is a guide only and is not legal advice.  Staff should refer to relevant legislation.