Our privacy and security policy
Extra privacy information for COVID-19 digital certificates
Service Victoria makes it simpler and faster to do various State Government transactions online, protects the security of your personal information, and sets a new standard in best practice for customer service in Victoria.
This privacy and security policy explains how Service Victoria handles your information, both when you engage Service Victoria’s services and when you visit our website.
Protecting your information
Service Victoria’s platform is designed to keep your information safe. We let you choose how your data is shared.
Some people want us to store their information, to save it for next time they visit. Others will choose for us to simply pass the data to the relevant part of government to update their records. (For example, to tell VicRoads you’ve paid your car registration).
Either way, the choice is yours.
This policy explains how we protect your privacy and the information we collect, use and store.
What we do
- Carry out transactions you choose to do
- Verify your identity, if we need to do it
- Give you the choice to save your identity to make future transactions easier
- Display digital licences and permits
- Process payments for your transactions
- Send you information, when you ask us to or where the law says we must
- Respond to queries you make
- Run this site
- Analyse the use of this site so we can make it better and easier to use
- Do market research and surveys, if you agree to do them.
What you agree to
When you use Service Victoria, you agree and consent to:
- This Privacy and security policy
The laws of this policy
We only collect, use, store and give out your personal information as allowed by the:
- Public Records Act 1973
- Health Records Act 2001
- Privacy and Data Protection Act 2014
- Service Victoria Act 2018
Your use of this site
It’s up to you how you use Service Victoria.
- Choose not to use this site
- Transact as a guest (and not store your details with us)
- Store your details with us
- Store your details with us AND choose to transact as a guest
- Delete the details you’ve stored with us.
Your use of the mobile app
Besides how you choose to interact with Service Victoria services, you retain control of how the app uses features on the device.
When we need to use features like GPS location, Bluetooth or the camera, we’ll tell you why and ask if we can. We’ll only ever request permission for features when certain services need them. Our services only need features for:
- GPS location
We never track your GPS location without your permission. We’ll only ask you to show your GPS location for specific services if we need to check you are actually within Victoria. You can turn this off at any time.
We only ask you to turn on Bluetooth when you need to share data proof of a licence or other document with an authorised officer, for example when you’re asked to show your fishing licence. This can only happen with your permission. Each time an officer asks you to share you can choose to accept or reject. You can turn this off at any time.
The app needs to access your camera for reading QR Codes or taking photos of your documents during an ID check. If you’re creating a digital identity with us, we’ll also need you to turn on your camera so we can see you move your head this is a ‘liveness test’, done to protect you against identity theft. Only you can switch on your camera and you can switch off access to it any time.
We’ll ask for your consent to send reminders and notifications to your device. If you agree, we’ll collect and use your device information so we can contact your device directly. You can opt out of receiving notifications anytime through the app.
What information we may get from you
If you use our site as a guest, then we only collect the minimum information we need to:
- Finish your transaction
- Help you if you need it
- Verify your identity
- Improve our website.
If you store your details with us, then we’ll only save and store the personal information you choose to give to us.
Information we collect
We only get information from you with your consent or where the law allows it.
This includes information like:
- Personal, such as your name, your photo, date of birth, where you live and how we can get in touch.
- How you’d like to hear from us, such as email or reminders.
- Identity, such as the details on your identity documents and your photo.
- Payment, such as the details of your credit card.
- Transaction, such as a receipt number, or information we need to do your transaction.
- Live agent and virtual assistant chat data, so we can solve problems for customers and improve services.
How we use and disclose your personal information
Personal information includes your name, your photo, date of birth, where you live and how we can get in touch.
We use this information to:
- Run our site
- Process transactions on your behalf
- Send you updates and information
- Reply to your queries
- Store your details in an account (if you agree) to avoid repeating the same steps next time
- Make it possible for you to store digital versions of licences and permits
- Verify your identity.
We won’t use your personal information for any other reason unless you agree, or we must by law.
We sometimes give your information to third parties to help us do our job. We make sure they keep it safe and secure, through our contracts and commercial agreements, regardless of where they are located.
We may share information we hold with third parties for:
- Crash reporting and troubleshooting
- Fulfilling legal obligations.
Other areas of government
Privacy law sometimes requires us to disclose personal information in special circumstances. These times are rare, but we’ll outline them below just to be clear. These times include:
- For law enforcement or to investigate unlawful activity
- To a Commonwealth security agency
- To lessen or prevent serious threats to health or safety
- To protect public revenue
- When we have to because it’s authorised or required by another law.
If we send information to another part of government, then they’re also bound by the same or similar laws we are.
Information we store
As a general rule, we don’t permanently keep your transaction data. We simply pass it to the relevant government department or agency.
You’ll always know which part of government we are passing your transaction data to because their name and logo will be on our ‘Get started’ page (before you give us any information).
For example, if you buy a fishing licence, we’ll pass the information you’ve given to the Victorian Fisheries Authority so they can update their records and know you’ve paid.
Sometimes, we need to keep our own records. This includes information like:
- Identity, such as how you verified it or what you agreed to store and your photo if you chose to.
- Your name and email, if you create a Service Victoria account.
- Payment, such as what, when and how you paid or stored payment methods.
- Transaction, such as your reference number.
- Live agent and virtual assistant chat data, so we can solve problems for customers and improve our services.
We’ll never share your personal information with other parts of government without your consent unless we're allowed to by law.
We may also store your contact details, if you voluntarily gave them to us, so we can respond to a request for help or give you further information to help resolve an issue.
What we collect if you store your details
If you store your details with us, then we’ll ask you to give us:
- Your name, so we know who you are.
- Your email, so you can login, get security codes and so we can send you things you’ve asked for.
- Your mobile, for security codes and so we can send you things you’ve asked for.
If you want, you can also choose to save and store:
- Your payment method, like your credit card details so you don’t have to enter them every time.
- The fact you've proved who you are so you can get things done faster next time.
- Your transactions, so you have a record of what you’ve done with us.
Service Victoria’s identify verification functions
Verifying your identity
Put simply, this is your proof to the Victorian Government you are who you say you are.
With some transactions, it doesn’t matter who does them, so we
won’t ask for identity information. For example, paying the registration
fee for a car.
However, some transactions must only be done by the person who is applying. For example, applying for a Solar Homes loan and rebate, or applying for a new Working with Children Check.
That’s why we need you to give us more information to prove who you are for some transactions.
Confirming your identity
We’ll check your identity when you do some transactions.
To do this, we’ll ask you to give us details from your identity documents, such as your passport and your driver licence.
We may ask for more than just your documents and may ask to match you to the photo on your ID.
If you can’t give us identity documents online, then we may need to get more information from you another way. We'll let you know if this happens and what to do next.
What we may share to verify your identity
We’ll send your information to these places when we verify your identity:
- Other government agencies, including other state, territory and federal agencies to check the documents and information you provide to us. This includes the Commonwealth Government's Document Verification Service (to check with the agencies who issue your identity documents)
- Organisations we have a contract with to help us validate the documents, photos and information you provide to us.
By verifying your identity, you confirm you’re authorised to share the personal details provided and you’re OK with the info being matched with the document issuer or official record holder.
Information we may store about your identity
When you attempt to verify your identity for a transaction on our platform, we'll keep a record of some of the information you used to support your verification, including:
- the type of identity documents you used
- where they were issued, and
- the last four digits of the document number.
To protect your privacy, we don't keep copies of your actual
You'll be given the option to save a record of the fact your identity has been verified so that you can re-use this for future transactions.
This can make it quicker and easier for you to complete future transactions
and helps protect your privacy because you won’t need to provide your
personal information again for similar transactions on our platform.
Your identity record expires after 10 years and you can apply to renew it.
You may cancel your stored record at any time. You just need to get in touch. We may tell partners whether or not you have an identity record if they need to know that to do your transaction.
We can refuse to verify your identity or suspend or revoke your re-usable stored identity record if we're not satisfied that you're who you say you are. We'll notify you and give you an opportunity to resolve the issue with us. We'll keep a record that your identity has not been verified, or that your stored identity has been suspended or revoked.
We also need to use, share or store some information if the law says we must.
To save a record of your identity at our highest level of identity proof, you must save and store a photo and create an account. This is so we can store your identity and be sure you are who you say you are.
What data we get from all visitors to our site
IP address and cookies
Your IP address is a unique number your device gets when you go online. It’s like your home address in real life, but online.
A cookie is a file left on your device when you visit a website. The cookie stores sign-in information and other things. It helps us give you the best experience when you visit our site.
Your IP address and cookies help us get information about your:
- Device, such as if you use a phone or laptop.
- Location, such as if you’re in Melbourne or Ballarat.
- Behaviour, such as links you chose and how long you were on each page.
- Recaptcha validations, for site security.
You can block cookies, but this will mean some parts of our site won’t work as well.
We use Google to make our digital products better.
Google Analytics is a web analytics service that only collects data about how you use our site and services. It helps us understand:
- what devices and operating systems people use to access our site
- how often people visit our site
- ways you use our products
- how our site is performing.
We use this information to undertake evaluation and reporting and improve our digital products so they are easier and simpler to use.
We also use Hotjar to better understand how people interact with our website. Hotjar is software that helps us learn:
- how long people are on pages
- which pages they're on
- which links they use
- where people get stuck
- what parts of our design need changing.
We only collect anonymous information. We never capture or store your personal information, login info, credit card or identity details with this tool.
Other information we may get
We may sometimes collect more information if we think our website is being:
- Tampered or interfered with.
- Intercepted for the information we get and send.
- Compromised for security.
- Treated in a way that breaks any law.
Access and correction
If you think any of your personal information is wrong, you can ask us to fix it. You just need to get in touch. You can request your personal information at any time.
How we protect your information
We use lots of tools and processes to protect your data and keep your personal information secure.
We also train all staff on the need for confidentiality and maintaining privacy and security. Access to your personal information is restricted to only those workers who need it to provide services to you. We log access to accounts to identify and audit any unauthorised access. Improper use is a serious offence.
We store, use and get rid of your personal information in-line with the Victorian Protective Data Security .
There are 12 high-level standards that we must meet to protect public sector data.
We use the Payment Card Industry Data Security Standards (PDF, 202KB).
This means we follow best practice to securely store, process and send credit card information.
- Never send passwords to anyone.
- Check for a green padlock icon and ‘https://’ in your browser’s address bar.
- Make sure your device has the latest security updates.
- Keep your internet browser up to date.
- Run anti-malware software on your device.
- Don’t access our site on untrusted networks or devices, such as on public WIFI.
Scams and hoaxes
There are scammers, hoaxers and criminals who want your personal information. These scams can come via email, phone or other means.
Some scams pretend to be a government department or agency and can look very real.
You should never:
- Send anyone your username, password or personal details. We’ll never ask for this.
- Click links in messages that claim to be from Service Victoria (unless you’ve signed up for reminders).
We only send you messages if you consent to them.
Other ways to be safe online
If you’d like to read more, then go to these sites:
- tells you how to avoid cybercrime and report issues.
- Stay Smart helps you protect your personal and financial information online.
- shows you how to see, avoid and report scams.
How to report a security issue
If you think you see a scam, hoax or any security issue on our site, then tell our security team.
How to contact us about this policy
Get in touch if you want to find out more about this policy.
You can make a privacy complaint if you think we’ve breached the law. Complaints should be lodged within 45 days of you becoming aware of the alleged interference with your privacy.
We’ll ask you to:
- Tell us how you believe your privacy has been breached
- Explain the effect the breach has had on you
- Outline what you’d like us to do
- Give us time to respond. (We’ll normally respond within 30 days, and we’ll keep you informed of our progress along the way).
- Remember to retain a copy of your complaint.
We’ll keep your matter private. Only relevant staff who need access to review and respond to your complaint will have access. Our Privacy Officer will coordinate the investigation and will be your primary contact.
There are a number of outcomes:
- We may find there was no evidence to suggest the alleged conduct occurred
- The alleged conduct did occur, but it complied with the law
- The alleged conduct occurred and there was a breach.
You can read about how we handle your complaints in the Service Victoria Complaints Handling Policy.
Updates to this policy
We updated this policy in March 2022.
Read it often as we may update it.
Your continued use of our site means if we update this policy, then you accept and consent to the changes we make.
Extra privacy information for COVID-19 digital certificates
You can link your COVID-19 digital certificate to the Service Victoria app through the Medicare Express Plus App or myGov.You don’t need a Service Victoria account to save and use your COVID-19 digital certificate within the Service Victoria app.
You can also access your COVID-19 digital certificate through existing channels supported by the Australian Government, such as the Medicare Express Plus App, Medicare Online, or through myGov, or My Health Record. You can ask them to send you a paper copy in the mail if you prefer a hard copy.
Our app stores your COVID-19 digital certificate on your device. Other people who have access to this device can view this certificate. We do not keep a copy of your certificate on our system. You can remove your certificate from your device at any time, through the Service Victoria app. To remove your certificate from the app, go to ‘View certificate’ and tap ‘remove’.
If you link your digital certificate, the app will show a QR code below the digital certificate when you check-in. We use the personal and health info in your digital certificate, including your name and date of birth, to generate the QR code. This helps to show you have a valid COVID-19 digital certificate and to prevent fraud.
This QR code can be scanned using the Service Victoria app to show whether your digital certificate is valid. If you choose to let someone scan your QR code using our app, their device reads the information in the QR code. Our app will only show them whether your certificate is valid and show your first name and first initial of your surname. None of your health info or personally identifiable information will be shared or stored.
Sharing digital certificates with family
Parents and guardians can use the Service Victoria app to add their children’s COVID-19 digital certificates to their device if their children are under 14 and linked to their Medicare account.
You can also add a COVID-19 digital certificate for another family member with their consent if they are unable to download a certificate to their own device.
If you have a child under 14, you can access their immunisation history through your Medicare account and add their COVID-19 digital certificate to the Service Victoria app on your device.
When your child turns 14, they can access their immunisation history through their own Medicare account. This means you will no longer be able to view their digital certificate. There are limited circumstances where you should continue to access your child’s COVID-19 digital certificate once they turn 14, such as if your child is unable to manage their own health affairs (for example, due to a disability or illness). You will need to contact Medicare for further information.
If you shared your child’s digital certificate with your device, it will be removed from your device once they turn 14.
How to protect your shared COVID-19 digital certificate
When you push your digital certificate to the Service Victoria app on another device, people with access to that device can view your personal and health information and share your vaccination status with others. Only the person with access to that device can delete your digital certificate.
Vaccination status can be shared with others using the device to which the COVID-19 digital certificate is downloaded.
Sharing your digital certificate with other devices increases the risk of misuse of your personal and health information. Do not share your certificate with others if you don’t need to.
You do not have to share your COVID-19 digital certificate to another person’s device. You can still show proof of vaccination in other ways such as through your Medicare Express Plus App, Medicare Online, or your Individual Healthcare Identifier service through myGov, or My Health Record. You can also use a print-out of your certificate, and if you don’t have access to technology, you can contact the Australian Immunisation Register on 1800 653 809 and ask them to send you a paper copy in the mail.
If you are aged 14 and over and unable to download your COVID-19 digital certificate to your own device you can consent to sharing a copy of your digital certificate to another person’s device. To do this you will need to log on to your own Medicare account using the other person’s device and share your certificate to that device.
How we use your digital certificate information
When you link your certificate, we collect some data in a secured, encrypted
format for fraud detection and control. We will collect your full name, date
of birth, date of certificate issue, and a unique number for the installation.
We de-identify this info using hashing technology. This protects your info so
no-one can see it without decryption. We destroy this record when no longer
needed to support this service.
We may share your de-identified info with Services Australia if required to detect or investigate suspected fraud or misuse of COVID-19 digital certificates. To learn more about how Services Australia handles your info, please see their privacy statement.
We also collect anonymous statistical data, such as how you interact with the app, so we can make it easier to use and improve the design. We analyse this data to support the Victorian Government’s response to the COVID-19 pandemic. This doesn’t contain information about you.
Get in touch if you want to find out more about this policy.