This Privacy Statement sets out how the Banking Ombudsman Scheme (BOS) collects, uses, and shares personal information, and how we promote your privacy.
Personal information is information about an identifiable individual (ie you).
Types of personal information BOS collects includes:
your name, address, email address, and telephone numbers;
details of your complaint and interactions with your bank or financial service provider;
information about your interactions with us, such as when you visit our website or when you call us, email, post or meet with us in person;
your feedback provided to us in surveys, comments, and complaints.
Personal information about you will be collected primarily to provide our dispute resolution services, and to communicate with you about BOS and the sector.*
We also use personal information without identifying you to promote awareness of topics and issues, evaluate the effectiveness of our scheme and communications, and for reporting on the scheme to stakeholders and the public.
*All of our communications comply with the Unsolicited Electronic Messages Act 2007, including providing the option to unsubscribe.
BOS is a free and independent dispute resolution service. We look into complaints by customers about their banks or financial service providers. Sometimes we make formal decisions, but often we facilitate agreed outcomes between the customer and the bank before that. We also help in other ways, such as offering information and guidance on banking matters.
Most of our collection, use and disclosure of personal information is done for the purpose of effective complaint investigation and resolution. It might also be used for related purposes, such as:
evaluating the effectiveness of the scheme, or aspects of the scheme
reporting to stakeholders on the operation of the scheme, or
promoting the scheme, including communication with the public, stakeholders and the media via websites and social media.
We take safety very seriously so we will contact Police or other emergency intervention services in circumstances where a person threatens harm to themselves or other people. If a threat is made to a bank or organisation, we will notify them of the threat.
BOS anonymises information used for promotion or any public disclosure, including all public reporting on complaints. We de-identify (remove obvious identifiers like your name) whenever possible for our evaluation practices.
How we promote your privacy
You can interact with us in ways where we will not try to identify you.
We provide you opportunities to control what information you provide to us and who it can be shared with. We rely a lot on your consent in order to provide our services. We will ensure you are aware of how we intend to use and share your information when you give us consent and we will respect your choices.
You can call us and not provide us with identifying information (though the call will be recorded). You can also read information on this website and we only use aggregated (eg totals of everyone who reads it) information.
When you make a complaint with us, you get to tell us in your own words what your complaint is about and provide us with any relevant information or documents. You also must decide about giving us authority to provide and gather relevant information with the bank you are complaining about. You can also indicate to us what information is sensitive or confidential that you would not like us to disclose.
We will make sure you are fully informed when you make a consent decision. This includes:
knowing what we will do with your information before you decide; and
knowing what the consequences are of your decision – how agreeing will help and what will happen if you do not agree.
You can change your decision at any time by contacting us about it.
We actively keep an eye on our processes, systems, and practices to ensure we are meeting our obligations to you. You can find out more about our privacy programme below.
We ensure our systems and processes support us to properly manage your information and promote your privacy.
We ensure our staff are properly trained and have access to support in order to get it right. We have appointed a Privacy Officer to promote privacy within our organisation.
We acknowledge the trust you have placed in us by providing us with information about you. We recognise the need to manage it well in order to demonstrate professionalism in our service.
We obtain independent assurance from time to time about our practices.
We urgently fix any mistakes we make, and we learn from them. We take feedback and complaints seriously.
Where we collect personal information from
We collect information:
directly from you (or your representative) whenever possible;
from parties to a complaint where you authorise it;
from people using our website;
from responses to our communications;
from third parties who can assist by providing information eg the New Zealand Police.
It is gathered in letters, emails, forms, by recording calls and taking notes of conversations, in surveys, by using cookies and web tracking software, and from our social media platforms.
If you wish to make a complaint about your bank or financial provider, you should only send information relevant to the dispute and keep to a minimum information concerning third parties.
BOS will not accept personal information obtained by any person in any way which is unlawful or improper.
We keep records relating to complaints for up to 6 years.
Web complaint form
You can submit details of your complaint through our web form. We receive this as an email, which we will provide to your bank (copied to you where you provide an email address) to begin the resolution process.
Agents or representatives
You are welcome to have an agent or other person to represent or support you during your interactions with us.
We record all inbound and outbound telephone calls. We record calls:
for staff training purposes, to help us improve our service and to ensure the information we provide is consistent and accurate
for reporting on the types and numbers of enquiries we receive
to ensure we have an accurate record of your call, which may be needed to assess your complaint.
Copies are held for up to one year.
We gather information to administer the website and to gain a better understanding of visits. We collect user internet addresses, browser type and internet service provider details and other technical information. We generate statistics about page use, eg what is accessed, what documents are opened, and what tools are used. This assists us to understand what is important to users and help us to improve our website.
We keep the aggregated reports but do not receive or keep identifying information (eg IP address).
Cookies and other session tools may be used for security and performance to improve user experience when accessing our website.
A cookie is a small piece of text stored on a user's computer by a web browser. It is sent by a web server to a web browser and then sent back unchanged by the browser each time it accesses that server and is used for remembering data about the computer user (such as IP address; dates and times of visits, pages accessed, documents opened and links clicked).
You can prevent cookies being used by updating your browser settings.
Third parties we use
We use third party providers to manage our work, enable us to interact with people efficiently, and to gain insights into how we perform. We use IT systems to do this, including our case management system (CMS), website management system, social media platforms, analytics tools, and Microsoft Office products. More detail is available below.
Our IT networks and systems use servers and support within New Zealand and overseas. Our CMS is managed and hosted in New Zealand.
We use the following third-party platforms for the following purposes:
SilverStripe – we use SilverStripe to manage our website. Information you submit through our website is hosted on servers in New Zealand and Australia.
Xima Chronicall phone system– we use this software to record our inbound and outbound calls. Copies of relevant calls are transferred into our CMS files. Call recordings are held online at our officers in Wellington and backed up to servers in Auckland.
Facebook, Instagram – we use our social media platforms to promote our services and interact with members of the public. Interactions with us on social media platforms will remain stored with those platforms and will be subject to the privacy policies of the platform provider.
If you have made a complaint about your bank or financial provider, we will need to disclose identifiable personal information to the parties involved in order to investigate and resolve it. Transparency is important to promote natural justice. If there is sensitive information that you do not want us to disclose to the bank, please let us know.
We will disclose identifiable personal information to trusted service providers to help us with our activities, like running our IT systems, conducting surveys, or providing us with professional advice.
We will not otherwise share identifiable personal information unless you consent or we are required to by law.
We may publish a case note about your complaint if it will help others but we will change information so it does not identify you. All our reporting is done on an aggregate basis to prevent anybody being identified.
We will only disclose information about a complaint to the customer or their authorised representative, and parties to the complaint.
From time to time we are contacted by persons who advise that they represent a complainant and who seek information about the progress of a complaint, for example, Members of Parliament and/or their electorate office staff, legal and financial advisers, friends and family members. We will not discuss any aspect of a complaint with any person other than the complainant unless we have explicit authority from the complainant to do so. We do not regard a person copied into correspondence as being authorised to discuss the complaint or receive information about the progress of the complaint.
We will not disclose personal information to another party if you explicitly deny consent for the disclosure. However, where you deny consent, we may be limited in the assistance we can offer with resolving your complaint.
In order to investigate or resolve a complaint, we may disclose personal information to providers, third party experts/advisors or other agencies, such as external law firms, who are subject to their own professional obligations.
We provide anonymised information in reports to scheme participants and other relevant bodies, such as government agencies or regulators.
Evaluation of services – customer satisfaction
To ensure BOS provides an effective and efficient level of service, we may disclose customer information to market research companies for the purposes of customer satisfaction surveys. The market research company is required to sign a confidentiality agreement before we provide them with access to any information.
BOS does not engage in any direct marketing activities and will not provide customers’ personal information to another body for the purposes of direct marketing.
Before we publish case notes we anonymise all personal information.
We do not provide media with personal information relating to a complaint, unless the information is already publicly available or authorised by the individual. This is either proactively or in response to a request for comment.
Your privacy rights
You have the right to access the personal information we hold about you and to correct it where it is wrong.
We will take reasonable steps to make sure that the personal information collected, used or disclosed is accurate, complete and up-to-date.
We will make the necessary changes to personal information details held where you or your provider notifies us of errors or changes required. We will make the changes as soon as practicable.
If a change is not made, we will ensure you have the opportunity to provide us with what you believe the correction should be and we will attach it to the information you believe needs to be corrected.
It assists us if you make information requests in writing but we will also receive requests over the phone.
We will provide you with the information you ask for as soon as possible, and no later than 20 working days. Some information may be withheld or removed if one or more of the exceptions in the Privacy Act applies - for example, where it is confidential information.
We may provide you with the information you request as a summary, in documents, or by allowing you to view the information at our offices. We will undertake best endeavours to provide you with the information in the format you have requested.
We will provide you a written summary of calls. You can request a copy of a call recording. If a call recording exists, we will provide access to the recording unless we have a lawful reason for withholding this information.
If you have any questions about this Privacy Statement or requests relating to your personal information, please contact us.
How to make a complaint
If you wish to complain about how we have handled your personal information you should complain in writing. If you need help lodging a complaint, you can contact us.
If we receive a complaint from you about how we have handled your personal information we will determine what (if any) action we should take to resolve the complaint.
If we decide that a complaint should be investigated further, the complaint will usually be handled by a senior member of staff who was not involved in the original investigation.
We will tell you promptly that we have received your complaint and then respond to the complaint within a reasonable timeframe.