By ‘personal information’ we mean ‘any information or an opinion (including information or an opinion forming part of a data base) that is recorded in any form, and whether true or not, about an individual whose identity is apparent, or can be reasonably ascertained, from the information or opinion.’
Personal information includes sensitive information, such as age, gender, nationality, political affiliation, race, and religious beliefs, and delicate information, such as financial, banking and credit card details.
This policy also covers health information, which includes information or an opinion about an individual’s physical, mental or psychological health (at any time), disability, health services and genetic information.
Our functions and responsibilities
Taxes, levies and payment schemes (revenue lines)
As Victoria’s major revenue collection agency, we are responsible for administering state taxes and levies and payments made under various assistance schemes, including the First Home Owner Grant and liquor subsidies. These taxes and programs, and the laws under which they are administered, are listed below.
The following taxes are administered under the Taxation Administration Act 1997:
- Duties, including stamp, insurance and motor vehicle duty - Duties Act 2000 (Stamps Act 1958)
- Livestock duty - Part 6, Livestock Disease Control Act 1994
- Land Tax - Land Tax Act 2005 (Land Tax Act 1958)
- Payroll Tax - Payroll Tax Act 2007 (Pay-roll Tax Act 1971)
- Congestion Levy - Congestion Levy Act 2005
- Growth Area Infrastructure Contribution (GAIC) - Part 9B, Planning and Environment Act 1987
- Commercial Passenger Vehicle Service Levy - Part 11, Commercial Passenger Vehicle Industry Act 2017
- Wagering and Betting Tax - Part 6A of Chapter 4, Gambling Regulation Act 2003
- Metropolitan Planning Levy - Part 4, Planning and Environment Act 1987
- Fire Services Property Levy - Part 4, Fire Services Property Levy Act 2012
Payments, grants, rebates and subsidies
- First Home Owner Grant - First Home Owner Grant Act 2000
- Back to Work payments - Back to Work Act 2015
- Victorian liquor subsidies - Liquor Control Reform Act 1998
- Water and sewerage rebates - Water Act 1989
The register of unclaimed money
The Commissioner of State Revenue is also the Victorian Registrar of Unclaimed Money, responsible for the publicly accessible Unclaimed Money Register, a searchable list of unclaimed amounts lodged by Victorian businesses and trusts under the Unclaimed Money Act 2008. The publicly available register provides the minimum amount of information needed for people to find out if we hold any amounts belonging to them so they can lodge a claim.
Our functions as a public sector agency
As a public sector agency, we collect, use and disclose personal and health information provided for employment-related purposes, to engage contractors and suppliers, to prepare briefings, submissions and policy analysis, to manage and report on financial transactions, and to engage with stakeholders and other government agencies together with other similar functions required by government from time to time.
Read more about our information assets.
Information and health privacy principles
We collect personal information for a wide range of purposes and from a wide variety of sources, including:
- Unsolicited calls, emails and letters.
- Potentially identifying details collected through our website and social networking sites, our media channels, subscription services, surveys, feedback and customer experience research.
- Personal financial information included in documents generated for procurements and financial transactions and reports.
- The administration of taxes, grants and payment schemes, which includes calculating payments and liabilities, conducting investigations, providing revenue rulings, recovering debts, and reviewing and litigating disputed matters.
We will generally collect the information directly from you or your authorised representative. If we ask you for your contact details, we will indicate whether a detail is optional or required. If it is optional, we seek your consent to collect and use it.
In some circumstances, such as a tax investigation, we may seek personal information from third parties using our statutory investigative powers to do so. We may also seek information from third parties to establish eligibility for certain assistance and relief programs we administer.
Our website, digital platforms and forms include collection notices. Where a digital platform or online form is used to collect information for a revenue line or scheme we administer, the collection notice explains why personal information is being collected, the law under which it can be requested or is required, the consequences of not providing it, how it may be used, and if and when it might be disclosed. Read more in our Terms and Conditions for online systems.
We also collect personal information from our website, such as via cookies, google analytics or online surveys, in order to obtain general feedback about the use made of the services and information we provide. This assists us in tailoring our services to best meet the community’s needs. Read more in our website collection notice. We also enter into data and information sharing arrangements authorised by law and may use these arrangements, and our investigative powers, to verify or supplement information we have collected. For example, we obtain personal information from VicRoads, municipal councils and the Victorian Electoral Commission to verify identities and addresses.
We also undertake checks with Victoria Police, which may contain sensitive information, for employment-related purposes.
Our collection statements explain that we may obtain personal details from other sources, and also note when we are collecting details under an obligation to report them to another agency.
Where a serious threat to the life, health, safety or wellbeing of an individual or the public is concerned, we may obtain, use and disclose personal information, including sensitive and health details, without your consent.
We tale care to ensure that the personal information we collect about an individual is complete, up to date, and accurate. We conduct data matching activities for the purposes of ascertaining compliance with the Acts we administer, to verify or supplement information provided by a customer and to verify eligibility for certain concessions and exemptions.
Use and disclosure of information
We do not use personal information other than in accordance with the law and for the purpose for which it was collected, or for a purpose you would reasonably expect associated with our revenue collection or revenue protection functions.
We need to provide the contractors engaged by us with access to the data we hold, including personal information. Contractors, like employees, are required to understand and comply with the confidentiality obligations under privacy legislation, revenue laws, and the terms of their engagement.
We are authorised by law to disclose confidential information for the administration of revenue laws, which may include providing personal details to an entity engaged to provide a debt collection service or to provide a valuation of land. We are also authorised to disclose confidential personal information to investigate, for example, improper or criminal conduct or for preparing and conducting litigation.
Revenue laws contain secrecy provisions that protect the confidentiality of information we have obtained, but permit disclosures, without your consent, to specified government agencies (authorised recipients), or for the particular purposes set out in those laws. For example, we may disclose confidential information – including personal details – to other government agencies with law enforcement functions, such as Victoria Police, the Australian Taxation Office, other revenue offices, WorkSafe Victoria and Centrelink, for the enforcement of laws they administer.
We may also use and disclose data for reporting purposes and, under the Victorian Data Sharing Act 2016, for public policy purposes.
We may need to disclose information, without consent, during an event such as an accident, pandemic or natural disaster, in order to prevent a serious or imminent threat to individual or public life, safety, health or welfare.
We are conscious of the importance of protecting the personal information entrusted to us, such as from misuse or loss and from unauthorised access, modification or disclosure.
Information security is managed in accordance to the Victoria Protective Data Security Framework and Standards issued by the Office of the Victorian Information Commissioner (OVIC) under Part 4 of the Privacy and Data Protection Act 2014. Our Risk Management Framework aligns with the Victorian Government Risk Management Framework and the AS/NZS ISO 31000:2009 standard.
We also encourage those who access our online facilities to ensure, for their own protection, that their browser is up-to-date. In the event that we, or you, believe that your personal information has been compromised or requires enhanced protection, we will act to address the identified security risks.
Our records are retained in accordance with the Public Records Act 1973 and the authorities issued under that Act.
When personal information is no longer needed for any purpose, and any mandatory period of retention has expired, it may be de-identified or destroyed.
This policy, which is published on our website and in a hard copy format on request, outlines how we manage and protect the personal and health information in our possession.
It is regularly updated to reflect legislative changes or any new systems, schemes or services that alter the types of information we collect or the way in which it is handled.
Our website, for example, explains how we collect personal information from our website, and the terms and conditions for use of our online services.
Access and correction
The Privacy and Data Protection Act 2014 and the Health Records Act 2001 provide Victorians with a right of access to records of their own personal details. We process requests for access in accordance with the Freedom of Information Act 1982 (FOI Act).
Our collection notices provide details of how to request access to information relating to you that we hold.
To find out how to access or correct your personal records, visit the Freedom of Information (FOI) information on our website. If you want to make an FOI request, send an email explaining the information or records you seek to email@example.com or call (03) 9628 6261. To make a request on behalf of another person, you need to provide us with their written authority for you to represent them.
Transborder data flows
If you are located outside Victoria, and we write to you, this communication is treated as a transborder data flow done with your consent.
We use cloud-hosting services, with service providers certified by the Australian Signals Directorate (ASD) and in accordance with the applicable Victorian Government requirements. If a service is located outside Victoria, we endeavour to ensure that the contracted service provider is cognisant of the obligations and rights provided under Victorian privacy laws.
We are also permitted by law, and without consent, to disclose protected information, including personal information, to agencies in other Australian jurisdictions, such as the Federal Commissioner of Taxation and state and territory revenue offices. Read more about the agencies permitted to receive information from us under these laws.
In each of these instances, we try to ensure, as far as practicable, that the disclosed information has the equivalent level of protection to that offered by the Victorian Privacy and Data Protection Act 2014.
Sensitive personal details, such as age, family relationships, gender and marital status, are sometimes provided voluntarily to us because they are relevant in explaining circumstances that give rise to a tax liability, concession or exemption or a person’s eligibility for a grant.
Sensitive personal or health information may also be included in documentation, such as job applications, references, and evidence of identity and citizenship, required or voluntarily provided for employment-related purposes.
We also hold delicate information, such as bank account details, relating to the financial affairs of employees, taxpayers and grant applicants, details.
Generally, we obtain sensitive, health and delicate information directly from you or your representative. However, there are some circumstances – for example to obtain a referee’s report, conduct an investigation or to confirm residency status – when we are required by law to obtain this information and need to seek or verify it from a third party. The collection notices on our forms and online platforms explain when sensitive information may be collected from or disclosed to a third party without notifying you or obtaining your consent.
A unique identifier is a number or code given to an individual to distinguish them from other individuals. We assign a unique identifier to each customer and employee. These identifiers are needed to carry out our functions as a revenue office and employer.
We also receive other agencies’ unique identifiers, such as driver licence numbers and Centrelink reference numbers, in order to verify, investigate or review a customer’s details. However, we do not adopt identifiers created by other agencies.
Generally, we will not be in a position to administer our functions properly if we are not able to identify the individual to whom the information relates.
However, in some circumstances — for example, if you are making a general enquiry, completing a customer satisfaction questionnaire, or providing a tip-off about suspected non-compliant behaviour — it will not be necessary for you to identify yourself. In these types of circumstances, we will either not require you to identify yourself, or will de-identify the information provided to preserve your anonymity.
We are also mindful of the need to protect the identity of a complainant and other parties involved when we are investigating, referring or responding to a complaint. In these circumstances, we may anonymise individuals and provide additional safeguards on their records to ensure confidentiality is maintained throughout the complaint process.
To make an enquiry or complaint
If, after talking with us, your issue has not been resolved, there are various avenues available to you. More information about the options available to you are on our website. Please direct privacy inquiries or complaints to our Privacy Officer, by telephone on +613 9628 0000, online via our website, or by post to the Privacy Officer, State Revenue Office, GPO Box 1641, Melbourne VIC 3001.
If you have made a complaint to us and are not satisfied with the way we have handled it, you are entitled to refer your complaint to the Office of the Victorian Information Commissioner (OVIC) or the Health Complaints Commissioner.
For concerns relating to the handling of health information, visit the Health Complaints Commissioner’s website or call 1300 582 113.