Our privacy and security policy
Service Victoria makes it easy for customers to transact with government online at a time and place convenient to them.
This privacy and security policy explains how Service Victoria handles your information when you engage Service Victoria’s services, and use our website and app, in accordance with the Privacy and Data Protection Act 2014 and the Health Records Act 2001.
What we do
Service Victoria collects your information for a range of reasons. Typical methods and reasons for collection include to:
- carry out transactions you choose to do
- verify your identity, if we need to do it
- give you the choice to save your identity to make future transactions easier
- deliver digital licences, cards and permits which you can display in the Service Victoria app
- process payments for your transactions
- personalise your web experience
- send you information if you agree for us to or where the law says we can
- respond to queries you make
- store your details in an account — if you agree —to avoid repeating the same steps next time
- run this site, the Service Victoria app and the Service Victoria platform
- analyse the use of this site and the app so we can make it better and easier to use
- do market research and feedback surveys, if you agree to do them
What types of information do we collect?
We collect information to allow us to perform our functions and activities, and fulfil our responsibilities under:
- Service Victoria Act 2018
- Public Records Act 1973
- Health Records Act 2001
- Privacy and Data Protection Act 2014
- Charter of Human Rights and Responsibilities Act 2014
- and other relevant laws.
Information we collect and handle includes:
- personal information
- health information, and
- sensitive information.
In this policy, any reference to personal information also refers to health information and sensitive information.
Personal information means information or an opinion about a person who can be identified, regardless of whether or not it’s true.
Health information means personal information collected to provide a health service. For example, information or an opinion about someone’s physical, mental or psychological health, including any disability, or a health service they receive.
Sensitive information means personal information about a person’s:
- racial or ethnic origin
- political opinions
- membership of a political association
- religious beliefs or affiliations
- philosophical beliefs
- membership of a professional or trade association
- membership of a trade union
- sexual preferences or practices, or
- criminal record
What information we may collect from you
Wherever possible, we collect information from you directly. There are 2 main ways we collect information from you:
1. During a transaction
We'll collect your personal information when it is necessary to complete a transaction.
We'll always tell you which part of government we’re sharing your transaction data with on our ‘Get started’ page before you give us any information.
For example, if you buy a fishing licence, we’ll pass the information you’ve given to the Victorian Fisheries Authority so they can update their records and know you’ve paid.
We’ll always tell you if it’s compulsory or optional to provide your personal information.
This includes information like:
- personal information, such as your name, date of birth, where you live and how we can get in touch
- your photo if you choose to save your identity with us
- how you’d like to hear from us, such as email or reminders
- details on your identity documents
- payment information, such as credit card details, transaction details, such as a receipt number, or information we need to do your transaction
- live agent and virtual assistant chat data, so we can solve problems for customers and improve services
2. When you use our website or app
IP address and cookies
Your IP address is a unique number your device gets when you go online. It’s like your home address in real life, but online.
A cookie is a file left on your device when you visit a website. The cookie stores sign-in information and other things. It helps us give you the best experience when you visit our site or use our app.
Your IP address and cookies help us get information about your:
- device, such as if you use a phone or laptop
- location, such as if you’re in Melbourne or Ballarat
- behaviour, such as links you chose and how long you were on each page
- Recaptcha validations, for site security
You can block cookies, but then some parts of our site won’t work as well.
We use behavioural analytics to improve our digital products. These vary from improving your experience on our site or app, to making sure we can best support you when you get in touch.
One example is Google Analytics, a service built into many websites you use every day. Google Analytics is a web analytics service that only collects data about how you use our site and services, but not personal information.
Google Analytics helps us understand:
- what devices and operating systems people use to access our site
- how often people visit our site
- ways you use our products
- how our site performs
We use this information to evaluate, reportand improve our digital products so they're easier and simpler to use.
You can opt out of Google Analytics in some cases, like when you're on our site.
Other information we may collect
We may sometimes collect more information if we think our website is being:
- tampered or interfered with
- intercepted for the information we get and send
- compromised for security
- treated in a way that breaks any law
How we use and disclose your personal information
Generally, we use and share your personal information for the purpose it was collected. We’ll tell you how we'll use your personal information and who we may share it with. We won’t use your personal information for any other purpose unless we’re required or permitted to by law, or unless you agree.
Third parties and other parts of government
We sometimes give your information to other government departments and agencies and third parties to help us do our job. We make sure they keep it safe and secure, through our contracts and agreements, regardless of where they’re located.
We’ll never share your personal information with other parts of government without your consent unless we’re required or permitted to by law.
We may share information we hold for:
- processing transactions and providing services
- crash reporting and troubleshooting
- fulfilling legal obligations
Other permitted use and disclosure
Privacy laws sometimes permit or require us to disclose personal information in special circumstances. These times are rare and include to:
- investigate unlawful activity or for law enforcement
- a Commonwealth security agency
- lessen or prevent serious threats to health or safety
- protect public revenue
- When we must because it’s authorised or required by another law
If we send information to another part of government, they’re also bound by the same or similar laws we are.
How we protect your information
We've put in place technology and security policies, rules and measures to protect your personal information.
We also train all staff on the need for confidentiality and maintaining privacy and security. Access to your personal information is restricted to only those workers who need it to provide services to you. We log access to accounts to identify and audit any unauthorised access. Improper use is a serious offence.
We store and use your personal information in-line with the Victorian Protective Data Security Standards and relevant legislation.
We destroy data in line with our Retention and Disposal Authority. It sets out how long we retain certain types of data like account records, and records from customer interactions and when we destroy them.
We use the Payment Card Industry Data Security Standards. This means we follow best practice to securely store, process and send credit card information.
Personal information is stored securely within Australia and always in accordance with the Victorian Government’s information privacy principles.
As a general rule, we don’t permanently keep your transaction data. We simply pass it to the relevant government department or agency. In some cases we are legally authorised to store your transaction data.
If you store your details with us, then we’ll only save and store the personal information you choose to give to us.
Transact as a guest
If you don’t wish to set up a Service Victoria account, you can use many of our services as a guest. If you do use a service as a guest, we only collect the minimum information we need to:
- finish your service
- help you if you need it
- verify your identity
- improve this site, the Service Victoria app and the Service Victoria platform
Our use of unique identifiers complies with Victorian Information Privacy Principles.
A unique identifier will only be assigned when it’s necessary to deliver a service efficiently. It will only be used for the purpose of a transaction you have requested.
When you provide us with a unique identifier created by another agency — for example, a driver licence number — we will only useit for the purpose of a service you've requested.
We take reasonable steps to ensure the information it holds is accurate, complete and up to date. We rely on you to provide personal information that is accurate, complete and up-to-date. You'll always be given the opportunity to review data before submitting.
You can access or change much of the data associated with your profile by logging into your account on the Service Victoria website or via the app.
Access and correction
If you think any of your personal information is wrong, you can ask us to fix it. You just need to get in touch. You can ask for your personal information at any time.
Freedom of Information
Under the Victorian Freedom of Information Act 1982, you have the right to request access to documents held by Victorian public sector agencies. This right of access is subject to limited exceptions and exemptions.
Details for making a request under Freedom of Information can be found on the website of the Office for the Victorian Information Commissioner.
ou can make a privacy complaint if you think we’ve breached the law. You should lodge a complaint within 45 days of becoming aware of the alleged interference with your privacy.
We’ll ask you to:
- tell us how you believe your privacy has been breached
- explain the effect the breach has had on you
- outline what you’d like us to do
- give us time to respond. We’ll normally respond within 30 days, and we’ll keep you informed of our progress.
- remember to retain a copy of your complaint
We’ll keep your matter private. Only relevant staff who need access to review and respond to your complaint will have access. Our Privacy Officer will coordinate the investigation and will be your primary contact.
There are the possible outcomes:
- We may find there was no evidence to suggest the alleged conduct occurred.
- The alleged conduct did occur, but it complied with the law.
- The alleged conduct occurred and there was a breach.
You can read about how we handle your complaints in the Service Victoria Complaints Handling Policy.
Updates to this policy
We updated this policy in September 2023.
Read it often as we update it regularly.
How to contact us about this policy
Get in touch if you want to find out more about this policy.
Your privacy and the digital driver licence
Service Victoria is delivering a digital driver licence pilot. This allows you to link a driver licence to your Service Victoria account.
Adding your digital driver licence
When you add your digital driver licence to the wallet, we'll collect the following information:
- your identity details
- driver licence details — your driver licence number and expiry date
We require this information to verify your identity and to find your hard copy licence in the Department of Transport and Planning database.
To reduce risk, we handle minimal personal information and don’t retain your driver licence details. When you’ve added the digital driver licence to your Service Victoria wallet, the only information we retain on the Service Victoria platform is a linking key.
The path through Service Victoria’s platform from the Department of Transport and Planning to the app is automated.No Service Victoria personnel have access to this information while it passes through the platform.
Your digital driver licence will be secure in the Service Victoria app. It can only be seen by you and whoever you choose to share it with.
Using the QR code function
The Service Victoria app allows you to share information contained in your digital driver licence through a QR code. You can choose how much information you share through the app. You can share your full driver licence if you need to show your permission to drive. But you can also limit what you share if you only need to prove your identity, or your age. We don’t keep records of when you share your details using the QR code.
When you present your digital licence for verification using the QR code function, some of the information in the interaction will be captured and stored in an activity log. The activity log doesn’t contain any information that lets anybody track when, or to whom, you've presented your digital driver licence for checking.
The information in the activity log will only be used to troubleshoot issues with the app.
What happens if my device is lost or stolen?
If your device is lost or stolen, you should immediately change the Authentication Details on your Service Victoria account.
We also recommend that you contact Victoria Police at 131 444 and report the loss or theft to them. If you lose your device, or it is stolen, outside of Victoria, please contact the relevant police authority.
Your privacy and the Service Victoria mobile app
Besides how you choose to interact with Service Victoria services, you retain control of how the app uses features on the device.
When we need to use features like GPS location, Bluetooth or the camera, we’ll tell you why and ask if we can. We’ll only ever request permission for features when certain services need them. Our services only need features for:
- GPS location
We never track your GPS location without your permission. We’ll only ask you to show your GPS location for specific services if we need to check you are actually within Victoria. You can turn this off at any time.
We only ask you to turn on Bluetooth when you need to share data, proof of a licence or other document with an authorised officer, for example when you’re asked to show your fishing licence. This can only happen with your permission. Each time an officer asks you to share you can choose to accept or reject. You can turn this off at any time.
The app needs to access your camera for reading QR Codes or taking photos of your documents during an ID check. If you’re creating a digital identity with us, we’ll also need you to turn on your camera so we can see you move your head this is a ‘liveness test’, done to protect you against identity theft. Only you can switch on your camera and you can switch off access to it any time.
We’ll ask for your consent to send reminders and notifications to your device. If you agree, we’ll collect and use your device information so we can contact your device directly. You can opt out of receiving notifications anytime through the app.
Service Victoria advises against removing manufacturer security restrictions from your device, commonly known as jail breaking on Apple devices or rooting on Android devices. This can undermine the security of your personal information.
Your privacy and identity verification
Using services anonymously
With some services, it doesn’t matter who does them, so we won’t ask for identity information. For example, paying the registration fee for a car.
Verifying your identity
Put simply, this is your proof to the Victorian Government you are who you say you are.
Some transactions must only be done by the person who is applying. For example, applying for a National Police Check, or applying for a new Working with Children Check.
That’s why we need you to give us more information to prove who you are for some services.
To do this, we’ll ask you to give us details from your identity documents, such as your passport and your driver licence.
We may ask for more than just your documents and may ask to match you to the photo on your ID.
If you can’t give us identity documents online, then we may need to get more information from you another way. We'll let you know if this happens and what to do next.
What we may share to verify your identity
We’ll send your information to these places when we verify your identity:
- Other government agencies, including other state, territory and federal agencies to check the documents and information you provide to us. This includes the Commonwealth Government's Document Verification Service, to check with the agencies who issue your identity documents.
- Organisations we have a contract with to help us validate the documents, photos and information you provide to us.
By verifying your identity, you confirm you’re authorised to share the personal details provided and you’re OK with the information being matched with the document issuer or official record holder.
Information we may store about your identity
When you verify your identity on our platform, you can choose to continue as a guest, or to save your identity for next time you use one of our services.
This can make it quicker and easier for you to use future services and helps protect your privacy because you won’t need to provide your personal information again for similar tasks on our platform.
When you choose to save your identity, we'll keep a record of some of the information you used to support your verification, including:
- the type of identity documents you used
- where they were issued, and
- the last three digits of the document number
To protect your privacy in the case of a breach, we don't keep copies of your actual documents.
Your identity record expires after 10 years and you can apply to renew it.
You may cancel your stored record at any time. You just need to get in touch. We will only tell our partners whether you have verified your identity with us if it’s required for a transaction.
We can refuse to verify your identity or suspend or revoke your re-usable stored identity record if we're not satisfied that you're who you say you are. We'll notify you and give you an opportunity to resolve the issue with us. We'll keep a record that your identity hasn’t been verified, or that your stored identity has been suspended or revoked.
We also need to use, share or store some information if the law says we must.
To save a record of your identity at our highest level of identity proof, you must save and store a photo and create an account. This is so we can store your identity and be sure you are who you say you are. We may use this photo on any digital cards you choose to store within the Service Victoria app.