Skip to main content Go to home page

Privacy Strategy

The State Revenue Office (SRO) is committed to ensuring it manages personal and health information in accordance with applicable legal requirements and best practice. In February 2024 the Executive endorsed the new SRO Privacy Strategy, aligning it with the SRO Strategic Plan for 2024–2027. 

"The State Revenue Office — its employees, contractors and agents — respects the privacy of all individuals whose information is entrusted to it, and is committed to protecting and managing personal and health information fairly and lawfully, applying the following strategic approach:

  • Fair and efficient revenue administration — applying Victoria’s privacy legislation (including the Information Privacy Principles) and minimising identified privacy risks throughout the information life-cycle in all aspects of revenue administration.
  • People excellence — ensuring that understanding of, and accountability for, meeting privacy obligations exists throughout the State Revenue Office.
  • Excellent customer experience — securing personal information, providing simplified processes for individuals to access their personal information, and delivering timely and effective responses to privacy incidents.
  • Modern technology — integrating privacy requirements into the design and implementation of the State Revenue Office’s products, systems and services.
  • Maximised compliance — handling personal information in ways that contribute to building community confidence in a tax system that is fair, efficient, secure and widely complied with."

Privacy Policy

The State Revenue Office's privacy policy sets out the practices we have adopted to manage personal and health information in accordance with the Victorian privacy laws — specifically, the Privacy and Data Protection Act 2014 and the Health Records Act 2001.

By ‘personal information’ we mean ‘any information or an opinion (including information or an opinion forming part of a data base) that is recorded in any form, and whether true or not, about an individual whose identity is apparent, or can be reasonably ascertained, from the information or opinion.’

Personal information includes sensitive information, such as age, gender, nationality, political affiliation, race, and religious beliefs, and delicate information, such as financial, banking and credit card details.

This policy also covers health information, which includes information or an opinion about an individual’s physical, mental or psychological health (at any time), disability, health services and genetic information.

Our functions and responsibilities

Taxes, levies and payment schemes (revenue lines)

As Victoria’s major revenue collection agency, we are responsible for administering state taxes and levies and payments made under various assistance schemes.

When required, the State Revenue Office also administers emergency tax relief and assistance programs provided by the Victorian Government. Examples include responses to the 2019-20 bushfires and the 2020 coronavirus pandemic.

The register of unclaimed money

The Commissioner of State Revenue is also the Victorian Registrar of Unclaimed Money, responsible for the publicly accessible Unclaimed Money Register, a searchable list of unclaimed amounts lodged by Victorian businesses and trusts under the Unclaimed Money Act 2008. The register discloses the minimum amount of information needed for people to find out if we hold any amounts belonging to them so they can lodge a claim.

Our functions as a public sector agency

As a public sector agency, we collect, use and disclose personal and health information provided for employment-related purposes, to engage contractors and suppliers, to prepare briefings, submissions and policy analysis for government, to manage and report on financial transactions, and to engage with stakeholders and other government agencies. We undertake other similar functions required by government from time to time.

Read more about our information assets.

Information and health privacy principles

We take care to protect the personal information entrusted to us for the duration of the information lifecycle, from the point it is collected or generated until the time it is permanently archived, de-identified or destroyed.


We collect personal information for a wide range of purposes involved in the administration of taxes, grants and levies and to carry out our functions as a public sector agency.

Personal information is collected through the SRO's online portals, forms, calls, emails and letters; through our website and social networking sites, our media channels, subscription services, surveys, feedback and customer experience research; and in documents generated or submitted to the SRO.

We will generally collect personal information directly from you or your authorised representative. If we ask you for your contact details, we will indicate whether a detail is optional or required. If it is optional, we seek your consent to collect and use it.

We record inbound telephone calls routed by our call management system as well as outbound telephone calls from this system. We use call recordings as part of quality assurance, primarily for coaching and training purposes. You can ask for a call not to be recorded.

In some circumstances, such as a tax investigation, we may seek personal information from third parties using our statutory investigative powers to do so. We may also seek information from third parties to establish eligibility for certain assistance and relief programs we administer.

Our website, digital platforms and forms include collection notices. Where a digital platform or online form is used to collect information for a revenue law or scheme we administer, the collection notice explains why personal information is being collected, the law under which it can be requested or is required, the consequences of not providing it, how it may be used, and if and when it might be disclosed. Read more in our Terms and Conditions for online systems.

We collect personal information from our website, such as via cookies, google analytics or online surveys, in order to obtain general feedback about the use made of the services and information we provide. This assists us in tailoring our services to best meet the community’s needs. Read more in our website collection notice. We enter into data and information sharing arrangements authorised by law and may use these arrangements, and our investigative powers, to verify or supplement information we have collected. For example, we obtain personal information from VicRoads, municipal councils and the Victorian Electoral Commission to verify identities and addresses.

We undertake checks with Victoria Police, which may contain sensitive information, for employment-related purposes.

Our collection statements explain that we may obtain personal details from other sources, and also note when we are collecting details under an obligation to report them to another agency.

Where a serious threat to the life, health, safety or wellbeing of an individual or the public is concerned, we may obtain, use and disclose personal information, including sensitive and health details, without your consent.

Data quality

The State Revenue Office takes care to ensure that the personal information it collects about an individual is complete, up to date, and accurate. It conducts data matching activities for the purposes of ascertaining compliance with the Acts it administers, to verify or supplement information provided by a customer and to verify eligibility for certain concessions and exemptions.

Use and disclosure of information

We do not use personal information other than in accordance with the law and for the purpose for which it was collected, or for a purpose you would reasonably expect associated with our revenue collection or revenue protection functions.

We need to provide the contractors engaged by us with access to the data we hold, including personal information. Contractors, like employees, are required to understand and comply with the confidentiality obligations under privacy legislation, revenue laws, and the terms of their engagement.

We are authorised by law to disclose protected and confidential information for the administration of taxation or revenue laws, which may include providing personal details to an entity or service provider engaged to undertake functions such as a debt collection or valuation of land. We are also authorised to disclose confidential personal information to investigate, for example, improper or criminal conduct or for preparing and conducting litigation.

Revenue laws contain secrecy provisions that protect the confidentiality of information we have obtained, but permit disclosures, without your consent, to specified government agencies (authorised recipients), or for the particular purposes set out in those laws. For example, we may disclose confidential information – including personal details – to other government agencies with law enforcement functions, such as Victoria Police, the Australian Taxation Office, other revenue offices, WorkSafe Victoria and Centrelink, for the enforcement of laws they administer.

We may also use and disclose data for reporting purposes and, under the Victorian Data Sharing Act 2016, for public policy purposes.

We may need to disclose information, without consent, during an event such as an accident, pandemic or natural disaster, in order to prevent a serious or imminent threat to individual or public life, safety, health or welfare.

Review a list of agencies permitted to receive information under legislation administered by the Commissioner of State Revenue and the Registrar of Unclaimed Money.

Data security

We seek to protect the personal information we hold from misuse or loss, and from unauthorised access, modification or disclosure.

Information security is managed in accordance with the Victoria Protective Data Security Framework and Standards issued by the Office of the Victorian Information Commissioner (OVIC) under Part 4 of the Privacy and Data Protection Act 2014. Our Risk Management Framework aligns with the Victorian Government Risk Management Framework and the AS/NZS ISO 31000:2009 standard.

We also encourage those who access our online facilities to ensure, for their own protection, that their browser is up-to-date. In the event that we, or you, believe that your personal information has been compromised or requires enhanced protection, we will act to address the identified security risks.

Data retention

Our records are retained in accordance with the Public Records Act 1973 and the authorities issued under that Act.

When personal information is no longer needed for any purpose, and any mandatory period of retention has expired, it may be de-identified or destroyed.


This policy, which is published on our website and in a hard copy format on request, outlines how we manage and protect the personal and health information we collect and hold.

It is regularly updated to reflect legislative changes or any new systems, schemes or services that alter the types of information we collect or the way in which it is handled.

Our website, for example, explains how we collect personal information from our website, and the terms and conditions for use of our online services.

Access and correction

The Privacy and Data Protection Act 2014 and the Health Records Act 2001 provide Victorians with a right of access to records of their own personal details. We ordinarily process requests for access to records in accordance with the Freedom of Information Act 1982 (FOI Act).

Our collection notices provide details of how to request access to information relating to you that we hold.

To find out how to access or correct your personal records, visit the Freedom of Information (FOI) information on our website. If you want to make an FOI request, send an email explaining the information or records you seek to or call 13 21 61. To make a request on behalf of another person, you need to provide us with their written authority for you to represent them.

Transborder data flows

If you are located outside Victoria, and we write to you, this communication is treated as a transborder data flow done with your consent.

We use cloud-hosting services, with service providers certified by the Australian Signals Directorate (ASD) and in accordance with the applicable Victorian Government requirements. If a service is located outside Victoria, we endeavour to ensure that the contracted service provider is cognisant of the obligations and rights provided under Victorian privacy laws.

We are also permitted by law, and without consent, to disclose protected information, including personal information, to agencies in other Australian jurisdictions, such as the Federal Commissioner of Taxation and state and territory revenue offices. Read more about the agencies permitted to receive information from us under these laws.

In each of these instances, we try to ensure, as far as practicable, that the disclosed information has the equivalent level of protection to that offered by the Victorian Privacy and Data Protection Act 2014.

Sensitive information

Sensitive personal details, such as age, family relationships, gender and marital status, are sometimes provided voluntarily to us because they are relevant in explaining circumstances that give rise to a tax liability, concession or exemption or a person’s eligibility for a grant.

Sensitive personal or health information may also be included in documentation, such as job applications, references, and evidence of identity and citizenship, required or voluntarily provided for employment-related purposes.

We also hold delicate information, such as bank account details, relating to the financial affairs of employees, taxpayers and grant applicants, details.

Generally, we obtain sensitive, health and delicate information directly from you or your representative. However, there are some circumstances – for example to obtain a referee’s report, conduct an investigation or to confirm residency status – when we are required by law to obtain this information and need to seek or verify it from a third party. The collection notices on our forms and online platforms explain when sensitive information may be collected from or disclosed to a third party without notifying you or obtaining your consent.

Unique identifiers

A unique identifier is a number or code given to an individual to distinguish them from other individuals. We assign a unique identifier to each customer and employee. These identifiers are needed to carry out our functions as a revenue office and employer.

We also receive other agencies’ unique identifiers, such as driver licence numbers and Centrelink reference numbers, in order to verify, investigate or review a customer’s details. However, we do not adopt identifiers created by other agencies.


Generally, we will not be in a position to administer our functions properly if we are not able to identify the individual to whom the information relates.

However, in some circumstances — for example, if you are making a general enquiry, completing a customer satisfaction questionnaire, or providing a tip-off about suspected non-compliant behaviour — it will not be necessary for you to identify yourself. In these types of circumstances, we will either not require you to identify yourself, or will de-identify the information provided to preserve your anonymity.

We are also mindful of the need to protect the identity of a complainant and other parties involved when we are investigating, referring or responding to a complaint. In these circumstances, we may anonymise individuals and provide additional safeguards on their records to ensure confidentiality is maintained throughout the complaint process.

To make an enquiry or complaint

We welcome your questions and feedback on our services. We also encourage you to contact us when there is a misunderstanding or disagreement regarding personal information handling, as they can often be resolved by us promptly.

If, after talking with us, your issue has not been resolved, there are various avenues available to you. More information about the options available to you are on our website. Please direct privacy inquiries or complaints to our Privacy Officer, by telephone on 13 21 61, online via our website, or by post to the Privacy Officer, State Revenue Office, GPO Box 1641, Melbourne VIC 3001.

If you have made a complaint to us and are not satisfied with the way we have handled it, you are entitled to refer your complaint to the Office of the Victorian Information Commissioner (OVIC) or the Health Complaints Commissioner.

OVIC’s role is to try and resolve privacy complaints through a conciliation process. To contact OVIC, visit their website, email, or telephone 1300 006 842.

For concerns relating to the handling of health information, visit the Health Complaints Commissioner’s website or call 1300 582 113.

Privacy and your rights

Last modified: 1 May 2024
Back to top