The Whistleblowing Service is operated by the Banking Ombudsman Scheme. This policy outlines how we collect, use and, where appropriate, share your personal information. We also outline our commitment to uphold your rights under the Privacy Act 2020.

We acknowledge the trust you place in us by providing sensitive and confidential information. We will respect that trust by managing your information with care, professionalism and diligence.

We take all reasonable steps to ensure personal information remains confidential to the Whistleblowing Service and those you agree can have access to it. 

Our purpose

We provide a free whistleblowing reporting service for people who know about or suspect wrongdoing at a New Zealand bank. We collect information about wrongdoing so we can ensure the bank involved reviews those concerns and, if appropriate, investigates.

As well as forwarding information about wrongdoing to banks, we also use it (without identifying you) to:

  • promote awareness of our service
  • highlight trends within whistleblowing reports
  • bring patterns of serious wrongdoing to the relevant regulator's attention
  • evaluate our effectiveness
  • report to banks on our performance
  • train our staff in handling whistleblowing concerns.

Information we collect

The information we collect can include:

  • your name, address, email address and phone number (if you choose to give these to us)
  • details about the concerns you are reporting to us
  • details about when and how you contact us
  • feedback you may give us
  • any other information that may identify you.

We do not accept information obtained by unlawful or improper means.

Anonymity is your choice

We respect your choice to report concerns anonymously. When you contact us for the first time, we will ask you:

  • whether you want to remain anonymous 
  • whether you want us to pass on any of your personal information to the bank concerned.

You determine what personal information you are willing to give us and with whom we can share it. However, the law can require us in certain circumstances to disclose information you have given us, including your personal information, to authorities such as the police. These circumstances include:

  • when we believe your life, or another's life, is at risk
  • when we must comply with a court order
  • when we become aware of any threat made against a bank's staff, customers or property - in such circumstances we will also notify the bank.

We will try to let you know before we disclose any information.

Contacting us

You can choose to communicate with us without us knowing your contact details. To do this, the email address you supply through our online form is collected and used by our system to generate an anonymous contact link. We do not see or have access to the email address you supply for this purpose. We also do not have access to identifying information such as IP addresses.

You can, of course, disclose your email address and other personal information to us if you wish. We will ask you how you would prefer us to communicate with you about your concerns.

We do not record our phone calls, although we may take notes and ask you to confirm that what we've noted is correct.

We analyse traffic volumes and patterns on our website to improve the site and understand what is important to whistleblowers. We use cookies and similar tools solely for security purposes and to improve the website. You can update your browser settings to turn off cookies. We do not use cookies in our online reporting forms.

We comply with the Unsolicited Electronic Messages Act 2007 by giving you the option to not receive communications from us.

Passing information to a bank

We ask for your authority to forward a report about the wrongdoing you describe to the bank concerned. Without this authority, we can only give you general information about other ways to make your concerns known. You can contact us later if you change your mind and would like us to report your concerns to the bank.

Please tell us if there are any specific aspects of the information you have disclosed that you do not want us to pass on to the bank.

We send the information to the bank’s nominated whistleblowing representative only. You can ask us who the information will be sent to, and we will ask the bank to arrange for another person to receive the report if you reasonably believe that person is involved in the wrongdoing. 

Please be aware that the bank may make assumptions about who has reported the wrongdoing even if you remain anonymous in the report we send.

Individuals you identify

In describing your concerns to us, you may need to include personal information about other individuals or third parties, such as those you suspect are involved in wrongdoing. We will pass on these identifying details to the bank unless you ask us not to.

Individuals you copy into correspondence

We do not consider any person you copy into correspondence with us, such as your lawyer, to be authorised to receive information from us, and we will not disclose information to that person without your consent.

Requesting a copy of your personal information

The Privacy Act 2020 gives you the right to a copy of the personal information we hold about you and to correct any inaccuracies in that information.

We prefer requests for information we hold to be in writing but will accept them over the phone. We will send you the information as soon as possible and within 20 working days at the latest. We may withhold some information if exceptions in the Privacy Act 2020 apply.

We try our best to supply the information in the format you request, although we may provide it in summary form. 

If you request amendments to the information we hold and we agree with them, we will make them as soon as practical. If we don’t, we attach your suggestions to your file. 

Security and retention of information

Our information storage system has a high level of security protection. All information is password-protected and accessible only to those responsible for running the service.

We will usually only keep written records of your information for two years after the bank has advised us of the outcome of their review. If asked, we will return or destroy any information you've given us as soon as possible.

System providers

We use various providers to operate our case management system, website and other tools and products. Our IT systems use servers and support in New Zealand and Australia. We use:

  • SilverStripe to manage our website and online form submissions
  • a case management system managed and hosted in New Zealand 
  • Microsoft Office products for drafting correspondence and reporting
  • Google Analytics to interpret website use (see their privacy policy).


We actively monitor our processes, systems and practices to ensure:

  • we meet our obligations to you
  • your information is properly managed
  • your personal information is kept confidential.

Our board monitors privacy risks and measures our privacy performance.

In the event of a data breach that has caused, or is likely to cause, serious harm to whistleblowers, we notify the individuals concerned, along with the Privacy Commissioner. We investigate any breach thoroughly and take all reasonable steps to reduce any impacts for the individuals concerned.

Making a privacy complaint

If you are unhappy with the way we have dealt with your personal information, you can make a complaint to us, preferably in writing. You can also make a complaint to the Privacy Commissioner.

We acknowledge complaints promptly and consider them as quickly as possible. If we consider a complaint warrants investigation, we will arrange for a senior staff member (who was not involved with your original report or communications) to look into your complaint.