Our privacy and security policy

Extra privacy information for COVID-19 Check-in

Service Victoria makes it simpler and faster to do various State Government transactions online, protects the security of your personal information, and sets a new standard in best practice for customer service in Victoria. 

This privacy and security policy explains how Service Victoria handles your information, both when you engage Service Victoria’s services and when you visit our website. 

Protecting your information

Service Victoria’s platform is designed to keep your information safe. We let you choose how your data is shared. 

Some people want us to store their information, to save it for next time they visit. Others will choose for us to simply pass the data to the relevant part of government to update their records. (For example, to tell VicRoads you’ve paid your car registration). 

Either way, the choice is yours. 

This policy explains how we protect your privacy and the information we collect, use and store.

What we do

We: 

  • Carry out transactions you choose to do
  • Verify your identity, if we need to do it
  • Give you the choice to save your identity to make future transactions easier
  • Display digital licences and permits
  • Process payments for your transactions
  • Send you information, when you ask us to or where the law says we must 
  • Respond to queries you make 
  • Run this site 
  • Analyse the use of this site so we can make it better and easier to use  
  • Do market research and surveys, if you agree to do them.

What you agree to

When you use Service Victoria, you agree and consent to:

The laws of this policy

We only collect, use, store and give out your personal information as allowed by the:

  • Public Records Act 1973
  • Health Records Act 2001
  • Privacy and Data Protection Act 2014
  • Service Victoria Act 2018

Your use of this site

It’s up to you how you use Service Victoria.

You can:

  • Choose not to use this site
  • Transact as a guest (and not store your details with us)
  • Store your details with us
  • Store your details with us AND choose to transact as a guest
  • Delete the details you’ve stored with us.

What information we may get from you

If you use our site as a guest, then we only collect the minimum information we need to:

  • Finish your transaction
  • Help you if you need it
  • Verify your identity
  • Improve our website.

If you store your details with us, then we’ll only save and store the personal information you choose to give to us.

Information we collect

We only get information from you with your consent or where the law allows it.

This includes information like:

  • Personal, such as your name, your photo, date of birth, where you live and how we can get in touch.
  • How you’d like to hear from us, such as email or reminders.
  • Identity, such as the details on your identity documents and your photo.
  • Payment, such as the details of your credit card.
  • Transaction, such as a receipt number, or information we need to do your transaction.
  • Live agent and virtual assistant chat data, so we can solve problems for customers and improve services. 

How we use and disclose your personal information

Personal information includes your name, your photo, date of birth, where you live and how we can get in touch.

We use this information to:

  • Run our site
  • Process transactions on your behalf
  • Send you updates and information
  • Reply to your queries
  • Store your details in an account (if you agree) to avoid repeating the same steps next time
  • Make it possible for you to store digital versions of licences and permits
  • Verify your identity.

We won’t use your personal information for any other reason unless you agree, or we must by law.

Third parties

We sometimes give your information to third parties to help us do our job. We make sure they keep it safe and secure, through our contracts and commercial agreements, regardless of where they are located.

We may share information we hold with third parties for:

  • Improvements
  • Crash reporting and troubleshooting
  • Auditing
  • Reporting
  • Researching
  • Fulfilling legal obligations.

Other areas of government

Privacy law sometimes requires us to disclose personal information in special circumstances. These times are rare, but we’ll outline them below just to be clear. These times include:

  • For law enforcement or to investigate unlawful activity
  • To a Commonwealth security agency
  • To lessen or prevent serious threats to health or safety
  • To protect public revenue
  • When we have to because it’s authorised or required by another law.

If we send information to another part of government, then they’re also bound by the same or similar laws we are.

    Information we store

    As a general rule, we don’t permanently keep your transaction data. We simply pass it to the relevant government department or agency.

    You’ll always know which part of government we are passing your transaction data to because their name and logo will be on our ‘Get started’ page (before you give us any information).

    For example, if you buy a fishing licence, we’ll pass the information you’ve given to the Victorian Fisheries Authority so they can update their records and know you’ve paid.

    Sometimes, we need to keep our own records. This includes information like:

    • Identity, such as how you verified it or what you agreed to store and your photo if you chose to.
    • Your name and email, if you create a Service Victoria account.
    • Payment, such as what, when and how you paid or stored payment methods.
    • Transaction, such as your reference number.
    • Live agent and virtual assistant chat data, so we can solve problems for customers and improve our services.

     

    We’ll never share your personal information with other parts of government without your consent unless we're allowed to by law.

    We may also store your contact details, if you voluntarily gave them to us, so we can respond to a request for help or give you further information to help resolve an issue.  

    What we collect if you store your details

    If you store your details with us, then we’ll ask you to give us:

    • Your name, so we know who you are.
    • Your email, so you can login, get security codes and so we can send you things you’ve asked for.
    • Your mobile, for security codes and so we can send you things you’ve asked for.

    If you want, you can also choose to save and store:

    • Your payment method, like your credit card details so you don’t have to enter them every time.
    • The fact you've proved who you are so you can get things done faster next time. 
    • Your transactions, so you have a record of what you’ve done with us.

    Service Victoria’s identify verification functions 

    Verifying your identity 

    Put simply, this is your proof to the Victorian Government you are who you say you are. 

    With some transactions, it doesn’t matter who does them, so we won’t ask for identity information. For example, paying the registration fee for a car.  

    However, some transactions must only be done by the person who is applying. For example, applying for a Solar Homes loan and rebate, or applying for a new Working with Children Check.  

    That’s why we need you to give us more information to prove who you are for some transactions. 

    Confirming your identity 

    We’ll check your identity when you do some transactions.  

    To do this, we’ll ask you to give us details from your identity documents, such as your passport and your driver licence. 

    We may ask for more than just your documents and may ask to match you to the photo on your ID. 

    If you can’t give us identity documents online, then we may need to get more information from you another way. We'll let you know if this happens and what to do next. 

    What we may share to verify your identity 

    We’ll send your information to these places when we verify your identity: 

    • Other government agencies, including other state, territory and federal agencies to check the documents and information you provide to us. This includes the Commonwealth Government's Document Verification Service (to check with the agencies who issue your identity documents) 
    • Organisations we have a contract with to help us validate the documents, photos and information you provide to us. 

    By verifying your identity, you confirm you’re authorised to share the personal details provided and you’re OK with the info being matched with the document issuer or official record holder. 

    Information we may store about your identity 

    When you attempt to verify your identity for a transaction on our platform, we'll keep a record of some of the information you used to support your verification, including:

    • the type of identity documents you used
    • where they were issued, and
    • the last four digits of the document number.

    To protect your privacy, we don't keep copies of your actual documents. 

    You'll be given the option to save a record of the fact your identity has been verified so that you can re-use this for future transactions.   

    This can make it quicker and easier for you to complete future transactions and helps protect your privacy because you won’t need to provide your personal information again for similar transactions on our platform. 

    Your identity record expires after 10 years and you can apply to renew it. 

    You may cancel your stored record at any time. You just need to get in touch. We may tell partners whether or not you have an identity record if they need to know that to do your transaction. 

    We can refuse to verify your identity or suspend or revoke your re-usable stored identity record if we're not satisfied that you're who you say you are. We'll notify you and give you an opportunity to resolve the issue with us. We'll keep a record that your identity has not been verified, or that your stored identity has been suspended or revoked. 

    We also need to use, share or store some information if the law says we must. 

    To save a record of your identity at our highest level of identity proof, you must save and store a photo and create an account. This is so we can store your identity and be sure you are who you say you are.

    What data we get from all visitors to our site

    IP address and cookies

    Your IP address is a unique number your device gets when you go online. It’s like your home address in real life, but online.

    A cookie is a file left on your device when you visit a website. The cookie stores sign-in information and other things. It helps us give you the best experience when you visit our site.

    Your IP address and cookies help us get information about your:

    • Device, such as if you use a phone or laptop.
    • Location, such as if you’re in Melbourne or Ballarat.
    • Behaviour, such as links you chose and how long you were on each page.
    • Recaptcha validations, for site security. 

    You can block cookies, but this will mean some parts of our site won’t work as well.

    Behavioural Analytics

    We use Google Analytics (External link) (External link) (External link) (External link) (External link) (External link) (External link) (External link) (External link) (External link) (External link) (External link) (External link) (External link)to make our digital products better.

    Google Analytics is a web analytics service that only collects data about how you use our site and services. It helps us understand: 

    • what devices and operating systems people use to access our site 
    • how often people visit our site 
    • ways you use our products
    • how our site is performing. 

    We use this information to undertake evaluation and reporting and improve our digital products so they are easier and simpler to use.  

    We also use Hotjar to better understand how people interact with our website. Hotjar is software that helps us learn:

    • how long people are on pages
    • which pages they're on
    • which links they use 
    • where people get stuck 
    • what parts of our design need changing.

    We only collect anonymous information. We never capture or store your personal information, login info, credit card or identity details with this tool.

    Other information we may get

    We may sometimes collect more information if we think our website is being:

    • Tampered or interfered with.
    • Intercepted for the information we get and send.
    • Compromised for security.
    • Treated in a way that breaks any law.

    Access and correction

    If you think any of your personal information is wrong, you can ask us to fix it. You just need to get in touch. You can request your personal information at any time.  

    How we protect your information

    We use lots of tools and processes to protect your data and keep your personal information secure.

    We also train all staff on the need for confidentiality and maintaining privacy and security. Access to your personal information is restricted to only those workers who need it to provide services to you. We log access to accounts to identify and audit any unauthorised access. Improper use is a serious offence. 

    We store, use and get rid of your personal information in-line with the Victorian Protective Data Security Standards.

    There are 12 high-level standards that we must meet to protect public sector data. 

    We use the Payment Card Industry Data Security Standards (PDF, 93KB) (External link) (External link) (External link) (External link) (External link) (External link) (External link) (External link) (External link) (External link) (External link).

    This means we follow best practice to securely store, process and send credit card information.

    Security tips

    • Never send passwords to anyone.
    • Check for a green padlock icon and ‘https://’ in your browser’s address bar.
    • Make sure your device has the latest security updates.
    • Keep your internet browser up to date.
    • Run anti-malware software on your device.
    • Don’t access our site on untrusted networks or devices, such as on public WIFI.

    Scams and hoaxes

    There are scammers, hoaxers and criminals who want your personal information. These scams can come via email, phone or other means.

    Some scams pretend to be a government department or agency and can look very real.

    You should never:

    • Send anyone your username, password or personal details. We’ll never ask for this.
    • Click links in messages that claim to be from Service Victoria (unless you’ve signed up for reminders).

    We only send you messages if you consent to them.

    Other ways to be safe online

    If you’d like to read more, then go to these sites:

    How to report a security issue

    If you think you see a scam, hoax or any security issue on our site, then tell our security team.

    How to contact us about this policy

    Get in touch if you want to find out more about this policy.

    Privacy complaints

    You can make a privacy complaint if you think we’ve breached the law. Complaints should be lodged within 45 days of you becoming aware of the alleged interference with your privacy.

    We’ll ask you to:

    • Tell us how you believe your privacy has been breached
    • Explain the effect the breach has had on you
    • Outline what you’d like us to do
    • Give us time to respond. (We’ll normally respond within 30 days, and we’ll keep you informed of our progress along the way).
    • Remember to retain a copy of your complaint.

    We’ll keep your matter private. Only relevant staff who need access to review and respond to your complaint will have access. Our Privacy Officer will coordinate the investigation and will be your primary contact.

    There are a number of outcomes:

    • We may find there was no evidence to suggest the alleged conduct occurred
    • The alleged conduct did occur, but it complied with the law
    • The alleged conduct occurred and there was a breach.

    If a breach of your privacy did occur, we may offer an apology, review the wording of our website and privacy policy, change our processes, give more training to staff, or offer some kind of other remediation.

    You can read about how we handle your complaints in the Service Victoria Complaints Handling Policy.

    Updates to this policy

    We updated this policy in February 2021.

    Read it often as we may update it.

    Your continued use of our site means if we update this policy, then you accept and consent to the changes we make.

    Extra privacy information for COVID-19 Check-in

    Service Victoria offers a check-in service available through mobile app and web kiosk.

    This tool helps identify people exposed to COVID-19 and supports the process of finding people who have been in close contact with someone with COVID-19. It also provides a digital means for employers/businesses to comply with their obligations under the Workplace Directions of the Chief Health Officer issued under the Public Health and Wellbeing Act 2008.

    Service Victoria’s approach to privacy with respect to this digital visitor registration system is outlined in this supplementary privacy and security policy. This policy is to be read in conjunction with Service Victoria’s Privacy and Security policy.

    COVID-19 digital certificates 

    You can link your COVID-19 digital certificate to the Service Victoria app through the Medicare Express Plus App or myGov.  

    When you check-in using the Service Victoria app, the app uses the info on your certificate to show your vaccination status.  

    This makes it easier for you to show proof of your vaccination status when you check-in. We do not collect your vaccination status when you check-in. 

    You don’t need a Service Victoria account to save and use your COVID-19 digital certificate within the Service Victoria app.  

    You can also access your COVID-19 digital certificate through existing channels supported by the Australian Government, such as the Medicare Express Plus App, Medicare Online, or through myGov, or My Health Record. You can ask them to send you a paper copy in the mail if you prefer a hard copy. 

    Our app stores your COVID-19 digital certificate on your device. Other people who have access to this device can view this certificate. We do not keep a copy of your certificate on our system.  You can remove your certificate from your device at any time, through the Service Victoria app. To remove your certificate from the app, go to ‘View certificate’ and tap ‘remove’. 

    If you link your digital certificate, the app will show a QR code below the digital certificate when you check-in. We use the personal and health info in your digital certificate, including your name and date of birth, to generate the QR code. This helps to show you have a valid COVID-19 digital certificate and to prevent fraud.

    This QR code can be scanned using the Service Victoria app to show whether your digital certificate is valid. If you choose to let someone scan your QR code using our app, their device reads the information in the QR code. Our app will only show them whether your certificate is valid and show your first name and first initial of your surname. None of your health info or personally identifiable information will be shared or stored.

    Sharing digital certificates with family

    Parents and guardians can use the Service Victoria app to add their children’s COVID-19 digital certificates to their device if their children are under 14 and linked to their Medicare account.

    You can also add a COVID-19 digital certificate for another family member with their consent if they are unable to download a certificate to their own device.

    If you have a child under 14, you can access their immunisation history through your Medicare account and add their COVID-19 digital certificate to the Service Victoria app on your device.

    When your child turns 14, they can access their immunisation history through their own Medicare account. This means you will no longer be able to view their digital certificate. There are limited circumstances where you should continue to access your child’s COVID-19 digital certificate once they turn 14, such as if your child is unable to manage their own health affairs (for example, due to a disability or illness). You will need to contact Medicare for further information.

    If you shared your child’s digital certificate with your device, it will be removed from your device once they turn 14.

    How to protect your shared COVID-19 digital certificate

    When you push your digital certificate to the Service Victoria app on another device, people with access to that device can view your personal and health information and share your vaccination status with others. Only the person with access to that device can delete your digital certificate.

    Vaccination status can be shared with others using the device to which the COVID-19 digital certificate is downloaded.

    Sharing your digital certificate with other devices increases the risk of misuse of your personal and health information. Do not share your certificate with others if you don’t need to.

    You do not have to share your COVID-19 digital certificate to another person’s device. You can still show proof of vaccination in other ways such as through your Medicare Express Plus App, Medicare Online, or your Individual Healthcare Identifier service through myGov, or My Health Record. You can also use a print-out of your certificate, and if you don’t have access to technology, you can contact the Australian Immunisation Register on 1800 653 809 and ask them to send you a paper copy in the mail.

    If you are aged 14 and over and unable to download your COVID-19 digital certificate to your own device you can consent to sharing a copy of your digital certificate to another person’s device. To do this you will need to log on to your own Medicare account using the other person’s device and share your certificate to that device.

    How we use your digital certificate information

    When you link your certificate, we collect some data in a secured, encrypted format for fraud detection and control. We will collect your full name, date of birth, date of certificate issue, and a unique number for the installation. We de-identify this info using hashing technology. This protects your info so no-one can see it without decryption. We destroy this record when no longer needed to support this service. 

    We may share your de-identified info with Services Australia if required to detect or investigate suspected fraud or misuse of COVID-19 digital certificates. To learn more about how Services Australia handles your info, please see their privacy statement

    We also collect anonymous statistical data, such as how you interact with the app, so we can make it easier to use and improve the design. We analyse this data to support the Victorian Government’s response to the COVID-19 pandemic. This doesn’t contain information about you. 

    Collection, use and disclosure of personal information for contact tracing

    When you visit premises that are participating in the digital visitor registration system, you will be able to scan the QR code displayed on your mobile phone.

    If you can’t use our app, you may be able to use our web kiosk. You can ask the premises you visit for access to the web kiosk.

    Checking in registers your attendance at the premises and helps the Victorian Government protect the public through COVID-19 contact tracing.

    Your visit will be recorded in a visitor log database held by Service Victoria for 28 days. Service Victoria holds this data on behalf of the Victorian Department of Health

    The information collected will include:

    • Your name
    • Your contact phone number
    • The location number of the premises
    • The date and time you attended the premises

    You can check in another person if that person is unable to check in. If someone can check themselves in, they should.

    You do not have to create or have an account with Service Victoria to use the QR code.

    Under the Workplace Directions (Directions) issued under the Public Health and Wellbeing Act 2008, most employers/businesses must keep a record of all workers/visitors at their premises. Most employers/business need to do this through the Service Victoria digital visitor registration system.

    We’ll share your personal information with the Victorian Department of Health and others authorised to do contact tracing in the event that the Chief Health Officer requests it to support contact tracing purposes under the Directions. Contact tracing is the process of identifying people who may have come into contact with someone who has COVID-19 so that they can be advised to take measures to help stop the further spread of COVID-19 (such as getting tested or self-isolating).

    If we get asked to share check-in data for purposes other than contact tracing, then our general position is to say ‘no’, except where an individual asks for their own data. This includes requests from law enforcement agencies.

    Where possible, the Department of Health will handle any formal legal requests for check-in data, not Service Victoria. The Department of Health’s policy is to oppose this request. If the court says ‘no’ and requires us to share your info, we will need to follow this order.

    The Department of Health can keep any information we share for more than 28 days. For more information on how the department handles this information, please refer to their Privacy Policy (External link) (External link) (External link).

    We may also use or disclose your information:

    • to ensure the proper functioning, integrity and security of the digital visitor registration service
    • if required or authorised by law (e.g. we receive a court order or it is necessary to lessen or prevent a serious threat to public health or safety).

    You can access the personal information we hold about you at any time and request to update, correct or amend your personal information. However, once a check-in at a premises is registered using Service Victoria you will not be able to update or amend the details of the visit.

    Our app records your visit history on your device for 28 days. This supports you to check where you have been. To save you time, the app now checks your check-in history against the high-risk public exposure sites which the Department of Health publishes online. 

    The Department of Health has changed the way they alert you to exposure sites. Only the high-risk, Tier 1 sites are made public. This is because lower-risk sites, or those with comprehensive record keeping and contact tracing measures, aren’t added to the list anymore. Small, private locations aren’t usually added either. 

    If you now use the Service Victoria app to check in and the Department of Health publishes that location as an exposure site at the same time and date you were there, you will receive a notification in the app. This notification pops-up the next time you open the app. 

    This notification will give you information from the Department of Health about the exposure site and what you should do next, including any requirements to get tested. If you later get more specific advice from the Department of Health, make sure to follow that advice.  

    We have designed this feature to protect your privacy. The app won’t send us your name and phone number for this, but it will send to our system a unique location reference and the time and date you checked in. This isn’t accessed by humans, but simply allows the system at our end to alert your app when you have been to one of the high-risk priority public exposure sites published on the Department of Health website. 

    If you don’t want your app to let you know when you have been to one of these high-risk sites, you can remove location history in the app. Contact tracers can still access the official check-in data if needed.  

    You can choose to save your favourite locations in the app. When you save a favourite location, you don’t need to scan their QR code again. Just tap the location in your favourites list to start your check in. You can remove favourite locations at any time. 

    We collect anonymous statistical data, such as how you interact with the app, so we can make it easier to use and improve the design. We analyse this data to support the Victorian Government’s response to the COVID-19 pandemic. This doesn’t contain information about you. 

    The digital visitor registration system has a range of privacy and security safeguards built-in, including the use of encryption, and with personal data stored in Australia on secure servers.

    Get in touch if you want to find out more about this policy.