DVA Privacy Policy

Last updated:

Back to top

About our privacy policy

This privacy policy explains how the Department of Veterans’ Affairs (the department) manages the personal information it collects, in particular:

  • what kinds of personal information we collect and store
  • how we collect personal information and where it is stored
  • the reasons why we need to collect personal information
  • how we use and disclose personal information
  • our contact details and how to seek access to your information, or ask for a correction
  • how to lodge a complaint if you think your personal information has been mishandled, and how we will manage your complaint
  • if we are likely to disclose your information outside Australia.

We update this privacy policy when our practices in handling personal information change. Updates are published on this website.

Our role

We deliver government programs for war veterans, serving and former serving members of the ADF, Australian Federal Police and their families.

We offer support and services under legislation, including:

A full listing of the legislation we administer is set out in the Administrative Arrangements Orders

We are authorised under our portfolio legislation and the Privacy Act 1988 (Cth) (the Privacy Act) to collect, use and disclose a range of personal information. For more information about our functions and the services we provide, see the Who we are page on this website.

Back to top

Our privacy obligations

The department is bound by the provisions of the Privacy Act and the Australian Privacy Principles (APPs) which regulate the collection, storage, use, disclosure and disposal of personal information by Commonwealth agencies. The specific legal obligations of the department when collecting and handling personal information are detailed in the Privacy Act and, in particular, in the APPs found in Schedule 1 to that Act.

What is personal information?

The Privacy Act defines ‘personal information’ as:

Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not.

Examples of ‘personal information’ include name, address, phone number and gender.

Sensitive information’ is a subset of personal information which includes:

  1. information or an opinion about an individual’s
    • racial or ethnic origin
    • political opinions
    • membership of a political association
    • religious beliefs or affiliations
    • philosophical beliefs
    • membership of a professional or trade association
    • membership of a trade union
    • sexual orientation or practices
    • criminal record.
  2. health information about an individual
  3. genetic information about an individual that is not otherwise health information
  4. biometric information that is to be used for the purpose of automated biometric verification or biometric identification
  5. biometric templates.

Sensitive information attracts additional protections under the Privacy Act.

Back to top

Remaining anonymous or using a pseudonym

You have the right to request to remain anonymous or use a pseudonym when interacting with us. It may not always be possible or practical for this to occur—for example, when we assess your eligibility for a program or service, or when we are authorised or required to deal with you as an identified individual. If you request to remain anonymous or use a pseudonym when dealing with us, we will advise you if this is not possible for practical reasons, for example, we cannot release your personal information to you, if we are not satisfied of your identity.

Back to top

Collection of your personal information

We only collect personal information for purposes reasonably necessary for, or directly related to our functions or activities, pursuant to the Administrative Arrangements Orders and our portfolio legislation, or otherwise authorised by the Privacy Act.

Personal information (including sensitive information) will only be used or disclosed for the purpose for which it was collected unless the law requires or permits use or disclosure for another purpose or permission is given by the individual to use or disclose the information for another purpose. 

Some of our programs and services and claims processes have specific terms and conditions or terms of use and collection notices that detail how and why personal information is collected, used and disclosed.  Examples of this include MyService. These collection notices for specific claims and programs can be found at Privacy Collection Notice Register.   

How we collect your information

Our usual practice is to collect personal information directly from you or your authorised representative, including through application forms, online submissions (such as through MyService), over the telephone and through other official forms. This is ‘active data’ that we collect directly from you. In certain circumstances, where permitted by Australian law, we may also obtain personal information about you from third parties.

Online Services

The department collects personal information through its online services, including MyService. MyService is the department’s secure, online claims portal. The MyService terms of use and its Collection Notice set out how the department collects, holds, uses and discloses personal information in relation to MyService.

Passive Data Collection

The department also collects certain data from users automatically, as users navigate from page to page on our website. This is called ‘passive data’ collection and is done through the use of cookies, web beacons and other mechanisms. When you visit our website, our server logs the following information about you:

  • the type of browser and operating system you are using
  • your top level domain name, such as .com, .gov, .au
  • the address of the referring site, such as the previous site that you visited
  • your server's IP address, a number which is unique to the machine through which you are connected to the internet—usually one of your service provider's machines
  • the date and time of your visit
  • the address of the pages accessed and the documents downloaded or searches done.

This information is used only for statistical analysis and systems administration purposes. No attempt is made to identify users or their browsing activities, except in the unlikely event of an investigation by a law enforcement agency. While every effort is made to secure information transmitted to this site over the internet, there is a possibility that this information could be accessed by a third party while in transit.

The department’s website uses Google Analytics, which is a web analytics service provided by Google Inc. Google Analytics uses ‘cookies’ to help analyse how users use this site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers either in Australia or overseas. By using this website, you consent to Google processing data about you in the manner and for the purposes set out above. Please refer to Google's Privacy Policy

We also use the Adobe Experience Platform (Adobe) to collect data about your interactions with MyService, including:

  • pages you visit
  • how you interact with MyService pages and services
  • how you reach MyService pages or services you visit
  • your country and state
  • your device and browser.

We analyse this data to better understand how MyService is used and to continuously improve MyService (including its design, uptake and use) and DVA programs and services.  

While the information that we collect through Adobe is capable of being linked to a MyService user, we will not use this information to identify you as an individual, and we have set up Adobe to operate on MyService without collecting information that directly identifies you. This means the following information won’t be collected through Adobe:

  • name or sign in details
  • your email address
  • your IP address.

The user interaction data that we collect through Adobe is stored securely in Australia.  For more information about how Adobe works on MyService, please see MyService terms of use

We use a variety of software options for online forms including the Drupal content management system on our main web site dva.gov.au. This arrangement complies with Australian Government Web Guide Requirements. Submissions are stored in this Drupal system including the form data and the IP address of the submitter. Data is retained in this system until the business area wants it deleted.

What we collect

We collect and hold a broad range of personal information relating to:

  • individuals participating in our programs and services
  • dependants, families, authorised representatives and others who are connected with individuals participating in our programs and services
  • policy development, research and evaluation
  • Royal Commissions that we are involved with
  • correspondence from members of the public or organisations
  • complaint handling processes
  • requests under the Freedom of Information Act 1982 (Cth) (FOI Act) and the Privacy Act
  • performing employment and personnel functions in relation to our staff and contractors
  • contract management and commercial matters
  • preventing, detecting, investigating or dealing with misconduct and fraud, cyber-attacks, or other unlawful activity relating to the Commonwealth
  • policy advice and support to our Ministers
  • other matters relating to the performance of our legislative and administrative functions.

The personal information we collect will vary significantly depending on what we require to perform our functions and activities. Some of the common types of information we collect are:

  • personal details such as name, date of birth, occupation, marital status, residential details, contact details, government identifiers, and date of death
  • information about a person’s circumstances and background such as employment history, military service history, marital status, financial affairs and remuneration
  • information about dependants, family members and authorised representatives
  • tax file numbers (TFNs), when required for certain payments. Learn more about how we collect and handle TFNs on the Your tax file number page.

Personal information we collect from individuals participating in our programs and initiatives often includes sensitive information, such as:

  • racial or ethnic origin
  • health information (including medical history and any disability or injury you may have)
  • criminal activities you may have been involved in
  • biometrics (including photographs and voice or video recordings of you).

Generally, we will only collect sensitive personal information (such as health or criminal history information) if you have consented and it is reasonably necessary for, or directly related to, one or more of our functions or activities. Sometimes we may collect sensitive personal information without your consent, such as when it is required or authorised by law, or court or tribunal order.

Social media channels

The department uses social media to communicate with the public about our work: Facebook™, X™, LinkedIn™, YouTube™, Instagram™ and Flickr™. When you communicate with us using these services, we may collect your personal information but we only use it to help us to communicate with you. These social media platforms will also handle your personal information for their own purposes. These platforms have their own privacy policies and they may handle your personal information off-shore. You can access the privacy policies on each of the companies on their websites: Facebook™, Instagram™, X™, LinkedIn™, YouTube™ and Flickr™.

Back to top

How we use and disclose personal information

DVA generally uses and discloses personal information only for the primary purpose for which it is collected. In certain circumstances, we may use personal information for another purpose but only where this would be authorised by the Privacy Act. This may include where you have consented to this secondary purpose or where the secondary purpose is required or authorised by law. Some examples of where we might use personal information for a secondary purpose include:

  • where we have been compelled by a Court or Tribunal to produce certain information
  • where we have collected information for use in a particular program and we use the information to make service improvements to that program.

To deliver payments and services

We use personal information for delivering payments or services under our portfolio legislation. For example, we may use your personal information to:

  • communicate with you about a payment or service that we administer
  • verify your identity and eligibility for payments and services
  • ensure correct payments are made to you
  • verify data provided in relation to claims and reviews
  • investigate fraud, including internal fraud
  • manage complaints and feedback
  • conduct continuous improvement activities to improve the delivery of our payments and services
  • evaluate and report on programs and services and establish new or improved services and programs
  • administer and provide online services, including MyService.

The payments and services we deliver are outlined on our Homepage under Key Services. Some of our key services include:

  • mental health support services
  • Veteran Cards
  • commemorative programs and war graves
  • healthcare, rehabilitation and care assistance payments and services
  • housing assistance, loan subsidies and compensation payments and services.

For employment related purposes

We use personal information to manage our workforce. The Public Service Regulations 2023 provides that an agency head may use or disclose personal information in their possession or control where the use or disclosure is necessary or relevant to the performance or exercise of the agency head’s employer powers.

For the engagement of external service providers

The department uses consultants, contractors and outsourced service providers to undertake certain activities and functions. This requires us to collect personal information as required to meet our procurement, commercial and financial business obligations.

Consultants, contractors and outsourced service providers who have access to personal information collected by the department, or who collect personal information on behalf of the department, have obligations to ensure they handle personal information in accordance with the Privacy Act.

To improve our payments and services

We may share personal information to conduct statistical analysis and market research to improve service delivery. We may engage external companies to conduct this research on our behalf. These companies are bound by confidentiality and privacy laws.

Where we use personal information for market research, we will seek your consent. You do not have to participate if you do not want to. Your decision whether to participate won’t affect your eligibility for any payment or service we deliver.

Email lists, subscriptions and newsletters

DVA collects information that you provide to us when signing up to mailing lists, registering for events, subscribing to newsletters, or when submitting feedback on our website.

The department uses MailChimp to provide services to individuals, including its electronic newsletters. In distributing newsletters, MailChimp will collect personal information from you, including email addresses you have provided to DVA for the purpose of receiving electronic newsletters, and all information relating to those email addresses.

For more information on the information MailChimp will collect, please refer to the MailChimp’s Privacy Policy and the MailChimp terms of use.

Back to top

Usual disclosure arrangements

When we collect personal information about you, we are required by the Privacy Act to take reasonable steps to notify you of certain matters if it is reasonable to do so. These matters include the purposes for which we collect the information, whether the collection is required or authorised by law, and any person or body to whom we usually disclose the information. Outlined below are our usual disclosure arrangements with other government agencies:

  • Services Australia which holds most DVA data and hosts DVA ICT infrastructure and services such as MyService.  Where you link DVA cards to myGov, DVA shares Card details with Services Australia to ensure card information is up to date and valid for display in myGov and the myGov App
  • Services Australia to verify Centrelink payments that may impact entitlements under our legislation
  • Services Australia to verify Medicare entitlement and claims made that may impact entitlements under our legislation, and to process payments for treatment services
  • Department of Health for income testing in relation to aged care services, provision of programs like MyMedicare and the RPBS
  • Department of Defence in relation to your military service, veteran entitlements, military rehabilitation and compensation
  • ComSuper in relation to veterans’ superannuation funds and benefits
  • Australian Digital Health Agency for the purposes of the My Health Records Act 2012 (Cth)
  • Commonwealth agencies in relation to the recruitment of staff and contractors.

Disclosure to overseas recipients

It is uncommon for the department to disclose personal information to overseas recipients.

However, from time to time, we provide personal information to overseas recipients as part of our work. One of our functions is providing and maintaining official Australian memorials and war graves. Sometimes we may share personal information overseas as part of our role in commemorating and maintaining offshore war graves and memorial sites.

There are other circumstances where we may need to share personal information with an overseas recipient, for instance, in the provision of payments and services to veterans overseas.

We will only disclose personal information overseas when we have taken reasonable steps to ensure that the recipient does not breach the APPs in relation to that information. Or, if we are not able to take those steps, we:

  1. reasonably believe that the overseas recipient is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way the APPs protect the information, and you can access mechanisms to enforce that protection – or
  2. we obtain your consent to the disclosure after we expressly inform you that if you consent to the disclosure and the overseas recipient handles the personal information in breach of the APPs we will not be accountable under the Privacy Act and that you will not be able to seek redress under the Privacy Act.
Back to top

Storage of personal information

The department stores personal information in a variety of formats including on computer and paper based media. We implement measures to safeguard our IT systems against unauthorised access, and ensure that paper based files are physically secured. When no longer required, we destroy or archive personal information in a secure manner, where permissible under the Archives Act 1983 (Cth) (Archives Act). We may contact you about whether information we have collected should be retained.

Data security

The department takes reasonable steps to ensure the personal information it handles is protected from misuse, interference, loss, unauthorised access, and illegal modification and disclosure.

Some of the steps we take, includes implementing the principles of the Protective Security Policy Framework, for example:

  • implementing strategies to mitigate cyber security incidents
  • assessing and addressing security vulnerabilities as they arise
  • taking steps to secure ICT systems at all stages of their lifecycle
  • taking steps to secure internet gateways.

Quality of personal information

The Privacy Act requires us to take reasonable steps to ensure that the personal information we hold is safe and secure. We are also required to take reasonable steps to ensure that the personal information that we collect is accurate, up-to-date, and complete. Sometimes, this may include us contacting you to check whether our records remain accurate.

This may include us contacting you from time to time by telephone or email to ensure your personal information is accurate and up-to-date.

Back to top

Access and correct your personal information

You have a right to request access to personal information we hold about you under the Privacy Act and under the FOI Act

You also have a right to request corrections to any personal information that we hold about you if you think the information is inaccurate, out-of-date, incomplete, irrelevant or misleading. If you ask, we must give you access to your personal information, and take reasonable steps to correct it if we consider it is incorrect, unless there is a law that allows or requires us not to. We can decline access to, or correction of, personal information under circumstances set out in the Privacy Act

Although the information of a deceased individual is not regulated by the Privacy Act, the department will continue to respect the wishes of family members when using or disclosing such information, particularly where information of the deceased is of a sensitive nature.

You can access and correct most of your details online using MyService, if you have registered for MyService use.

To make a request for access or correction of your personal information, please contact:

EMAIL
information.access [at] dva.gov.au (information[dot]access[at]dva[dot]gov[dot]au)

POST
Information Access Unit
Department of Veterans’ Affairs
GPO Box 9998
Brisbane QLD 4001

Requests for personal information relating to counselling sessions held through the Open Arms Veterans and Families Counselling Service should be directed in the first instance to:

POST
Open Arms Counselling Service
GPO Box 9998
BRISBANE QLD 4001
PHONE 1800 011 046

Back to top

How we handle data breaches

Agencies and organisations regulated by the Privacy Act are required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach.

Examples of a serious data breach may include the following incidents:

  • a device containing customers’ personal information is lost or stolen
  • a database containing personal information is hacked
  • personal information is mistakenly provided to the wrong person.

If a data breach occurs, such as if personal information that we hold is subject to unauthorised access, use or disclosure, we will respond in line with the Office of the Australian Information Commissioner’s Data breach preparation and response: A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth). We will aim to provide timely advice to you to ensure you are able to manage any loss—financial or otherwise—that could result from the breach.

Our notification to you will be sent as soon as practicable and will contain:

  • a description of the data breach
  • the kinds of information concerned
  • recommendations about the steps you should take in response to the data breach.
Back to top

Complaints and reviews

If you believe that the department has breached the Privacy Act or mishandled your personal information, you can make a complaint to the department or to OAIC. In the first instance, we recommend reporting your privacy complaint to the department using the contact details in the Contact us section of our website.

Please submit your concern or complaint in writing so that we can fully understand the matter. We will respond to your complaint or request promptly if you provide your contact details. We take all complaints seriously and are committed to a quick and fair resolution.

You can also use the below contact details to make an enquiry about our compliance with the Privacy Act or to ask a question about this Policy.

Back to top

Contact us

POST
Privacy Officer
Department of Veterans’ Affairs
GPO Box 9998
BRISBANE QLD 4001

EMAIL
privacy.enquiries [at] dva.gov.au (privacy[dot]enquiries[at]dva[dot]gov[dot]au)

PHONE
1800 VETERAN (1800 838 372)

Back to top
Was this page useful?
Please tell us why you selected 'Yes'?
Please tell us why you selected 'No'?