Service Victoria makes it simpler and faster to do various State Government transactions online, protects the security of your personal information, and sets a new standard in best practice for customer service in Victoria.
This privacy and security policy explains how Service Victoria handles your information, both when you engage Service Victoria’s services and when you visit our website.
Protecting your information
Service Victoria’s platform is designed to keep your information safe. We let you choose how your data is shared.
Some people want us to store their information, to save it for next time they visit. Others will choose for us to simply pass the data to the relevant part of government to update their records. (For example, to tell VicRoads you’ve paid your car registration).
Either way, the choice is yours.
This policy explains how we protect your privacy and the information we collect, use and store.
What we do
- Carry out transactions you choose to do
- Verify your identity, if we need to do it
- Give you the choice to save your identity to make future transactions easier
- Display digital licences and permits
- Process payments for your transactions
- Send you information, when you ask us to or where the law says we must
- Respond to queries you make
- Run this site
- Analyse the use of this site so we can make it better and easier to use
- Do market research and surveys, if you agree to do them.
What you agree to
When you use Service Victoria, you agree and consent to:
- This Privacy and security policy
The laws of this policy
We only collect, use, store and give out your personal information as allowed by the:
- Public Records Act 1973
- Health Records Act 2001
- Privacy and Data Protection Act 2014
- Service Victoria Act 2018
Your use of this site
It’s up to you how you use Service Victoria.
- Choose not to use this site
- Transact as a guest (and not store your details with us)
- Store your details with us
- Store your details with us AND choose to transact as a guest
- Delete the details you’ve stored with us.
What information we may get from you
If you use our site as a guest, then we only collect the minimum information we need to:
- Finish your transaction
- Help you if you need it
- Verify your identity
- Improve our website.
If you store your details with us, then we’ll only save and store the personal information you choose to give to us.
Information we collect
We only get information from you with your consent or where the law allows it.
This includes information like:
- Personal, such as your name, your photo, date of birth, where you live and how we can get in touch.
- How you’d like to hear from us, such as email or reminders.
- Identity, such as the details on your identity documents and your photo.
- Payment, such as the details of your credit card.
- Transaction, such as a receipt number, or information we need to do your transaction.
- Live agent and virtual assistant chat data, so we can solve problems for customers and improve services.
How we use and disclose your personal information
Personal information includes your name, your photo, date of birth, where you live and how we can get in touch.
We use this information to:
- Run our site
- Process transactions on your behalf
- Send you updates and information
- Reply to your queries
- Store your details in an account (if you agree) to avoid repeating the same steps next time
- Make it possible for you to store digital versions of licences and permits
- Verify your identity.
We won’t use your personal information for any other reason unless you agree, or we must by law.
We sometimes give your information to third parties to help us do our job. We make sure they keep it safe and secure, through our contracts and commercial agreements, regardless of where they are located.
We may share information we hold with third parties for:
- Crash reporting and troubleshooting
- Fulfilling legal obligations.
Other areas of government
Privacy law sometimes requires us to disclose personal information in special circumstances. These times are rare, but we’ll outline them below just to be clear. These times include:
- For law enforcement or to investigate unlawful activity
- To a Commonwealth security agency
- To lessen or prevent serious threats to health or safety
- To protect public revenue
- When we have to because it’s authorised or required by another law.
If we send information to another part of government, then they’re also bound by the same or similar laws we are.
Information we store
As a general rule, we don’t permanently keep your transaction data. We simply pass it to the relevant government department or agency.
You’ll always know which part of government we are passing your transaction data to because their name and logo will be on our ‘Get started’ page (before you give us any information).
For example, if you buy a fishing licence, we’ll pass the information you’ve given to the Victorian Fisheries Authority so they can update their records and know you’ve paid.
Sometimes, we need to keep our own records. This includes information like:
- Identity, such as how you verified it or what you agreed to store and your photo if you chose to.
- Your name and email, if you create a Service Victoria account.
- Payment, such as what, when and how you paid or stored payment methods.
- Transaction, such as your reference number.
- Live agent and virtual assistant chat data, so we can solve problems for customers and improve our services.
We’ll never share your personal information with other parts of government without your consent unless we're allowed to by law.
We may also store your contact details, if you voluntarily gave them to us, so we can respond to a request for help or give you further information to help resolve an issue.
What we collect if you store your details
If you store your details with us, then we’ll ask you to give us:
- Your name, so we know who you are.
- Your email, so you can login, get security codes and so we can send you things you’ve asked for.
- Your mobile, for security codes and so we can send you things you’ve asked for.
If you want, you can also choose to save and store:
- Your payment method, like your credit card details so you don’t have to enter them every time.
- The fact you've proved who you are so you can get things done faster next time.
- Your transactions, so you have a record of what you’ve done with us.
Service Victoria’s identify verification functions
Verifying your identity
Put simply, this is your proof to the Victorian Government you are who you say you are.
With some transactions, it doesn’t matter who does them, so we
won’t ask for identity information. For example, paying the registration
fee for a car.
However, some transactions must only be done by the person who is applying. For example, applying for a Solar Homes loan and rebate, or applying for a new Working with Children Check.
That’s why we need you to give us more information to prove who you are for some transactions.
Confirming your identity
We’ll check your identity when you do some transactions.
To do this, we’ll ask you to give us details from your identity documents, such as your passport and your driver licence.
We may ask for more than just your documents and may ask to match you to the photo on your ID.
If you can’t give us identity documents online, then we may need to get more information from you another way. We'll let you know if this happens and what to do next.
What we may share to verify your identity
We’ll send your information to these places when we verify your identity:
- Other government agencies, including other state, territory and federal agencies to check the documents and information you provide to us. This includes the Commonwealth Government's Document Verification Service (to check with the agencies who issue your identity documents)
- Organisations we have a contract with to help us validate the documents, photos and information you provide to us.
By verifying your identity, you confirm you’re authorised to share the personal details provided and you’re OK with the info being matched with the document issuer or official record holder.
Information we may store about your identity
When you attempt to verify your identity for a transaction on our platform, we'll keep a record of some of the information you used to support your verification, including:
- the type of identity documents you used
- where they were issued, and
- the last four digits of the document number.
To protect your privacy, we don't keep copies of your actual
You'll be given the option to save a record of the fact your identity has been verified so that you can re-use this for future transactions.
This can make it quicker and easier for you to complete future transactions
and helps protect your privacy because you won’t need to provide your
personal information again for similar transactions on our platform.
Your identity record expires after 10 years and you can apply to renew it.
You may cancel your stored record at any time. You just need to get in touch. We may tell partners whether or not you have an identity record if they need to know that to do your transaction.
We can refuse to verify your identity or suspend or revoke your re-usable stored identity record if we're not satisfied that you're who you say you are. We'll notify you and give you an opportunity to resolve the issue with us. We'll keep a record that your identity has not been verified, or that your stored identity has been suspended or revoked.
We also need to use, share or store some information if the law says we must.
To save a record of your identity at our highest level of identity proof, you must save and store a photo and create an account. This is so we can store your identity and be sure you are who you say you are.
What data we get from all visitors to our site
IP address and cookies
Your IP address is a unique number your device gets when you go online. It’s like your home address in real life, but online.
A cookie is a file left on your device when you visit a website. The cookie stores sign-in information and other things. It helps us give you the best experience when you visit our site.
Your IP address and cookies help us get information about your:
- Device, such as if you use a phone or laptop.
- Location, such as if you’re in Melbourne or Ballarat.
- Behaviour, such as links you chose and how long you were on each page.
- Recaptcha validations, for site security.
You can block cookies, but this will mean some parts of our site won’t work as well.
We use Google to make our digital products better.
Google Analytics is a web analytics service that only collects data about how you use our site and services. It helps us understand:
- what devices and operating systems people use to access our site
- how often people visit our site
- ways you use our products
- how our site is performing.
We use this information to undertake evaluation and reporting and improve our digital products so they are easier and simpler to use.
We also use Hotjar to better understand how people interact with our website. Hotjar is software that helps us learn:
- how long people are on pages
- which pages they're on
- which links they use
- where people get stuck
- what parts of our design need changing.
We only collect anonymous information. We never capture or store your personal information, login info, credit card or identity details.
Other information we may get
We may sometimes collect more information if we think our website is being:
- Tampered or interfered with.
- Intercepted for the information we get and send.
- Compromised for security.
- Treated in a way that breaks any law.
Access and correction
If you think any of your personal information is wrong, you can ask us to fix it. You just need to get in touch. You can request your personal information at any time.
How we protect your information
We use lots of tools and processes to protect your data and keep your personal information secure.
We also train all staff on the need for confidentiality and maintaining privacy and security. Access to your personal information is restricted to only those workers who need it to provide services to you. We log access to accounts to identify and audit any unauthorised access. Improper use is a serious offence.
We store, use and get rid of your personal information in-line with the Victorian Protective Data Security .
There are 12 high-level standards that we must meet to protect public sector data.
We use the Payment Card Industry Data Security Standards (PDF, .
This means we follow best practice to securely store, process and send credit card information.
- Never send passwords to anyone.
- Check for a green padlock icon and ‘https://’ in your browser’s address bar.
- Make sure your device has the latest security updates.
- Keep your internet browser up to date.
- Run anti-malware software on your device.
- Don’t access our site on untrusted networks or devices, such as on public WIFI.
Scams and hoaxes
There are scammers, hoaxers and criminals who want your personal information. These scams can come via email, phone or other means.
Some scams pretend to be a government department or agency and can look very real.
You should never:
- Send anyone your username, password or personal details. We’ll never ask for this.
- Click links in messages that claim to be from Service Victoria (unless you’ve signed up for reminders).
We only send you messages if you consent to them.
Other ways to be safe online
If you’d like to read more, then go to these sites:
- tells you how to avoid cybercrime and report issues.
- Stay Smart helps you protect your personal and financial information online.
- shows you how to see, avoid and report scams.
How to report a security issue
If you think you see a scam, hoax or any security issue on our site, then tell our security team.
How to contact us about this policy
Get in touch if you want to find out more about this policy.
You can make a privacy complaint if you think we’ve breached the law. Complaints should be lodged within 45 days of you becoming aware of the alleged interference with your privacy.
We’ll ask you to:
- Tell us how you believe your privacy has been breached
- Explain the effect the breach has had on you
- Outline what you’d like us to do
- Give us time to respond. (We’ll normally respond within 30 days, and we’ll keep you informed of our progress along the way).
- Remember to retain a copy of your complaint.
We’ll keep your matter private. Only relevant staff who need access to review and respond to your complaint will have access. Our Privacy Officer will coordinate the investigation and will be your primary contact.
There are a number of outcomes:
- We may find there was no evidence to suggest the alleged conduct occurred
- The alleged conduct did occur, but it complied with the law
- The alleged conduct occurred and there was a breach.
You can read about how we handle your complaints in the Service Victoria Complaints Handling Policy.
Updates to this policy
We updated this policy in February 2021.
Read it often as we may update it.
Your continued use of our site means if we update this policy, then you accept and consent to the changes we make.
Extra privacy information for COVID-19 Check-in
Service Victoria offers a check-in service available through mobile app and
This tool helps identify people exposed to COVID-19 and supports the process of finding people who have been in close contact with someone with COVID-19. It also provides a digital means for employers/businesses to comply with their obligations under the Workplace Directions of the Chief Health Officer issued under the Public Health and Wellbeing Act 2008.
Service Victoria’s approach to privacy with respect to this digital visitor registration system is outlined in this supplementary privacy and security policy. This policy is to be read in conjunction with Service Victoria’s Privacy and Security policy.
COVID-19 digital certificates
You can link your COVID-19 digital certificate to the Service Victoria app through the Medicare Express Plus App or myGov.
When you check-in using the Service Victoria app, the app uses the info on your certificate to show your vaccination status.
This makes it easier for you to show proof of your vaccination status when you check-in. We do not collect your vaccination status when you check-in.
You don’t need a Service Victoria account to save and use your COVID-19 digital certificate within the Service Victoria app.
You can also access your COVID-19 digital certificate through existing channels supported by the Australian Government, such as the Medicare Express Plus App, Medicare Online, or through myGov, or My Health Record. You can ask them to send you a paper copy in the mail if you prefer a hard copy.
Our app stores your COVID-19 digital certificate on your device. Other people who have access to this device can view this certificate. We do not keep a copy of your certificate on our system. You can remove your certificate from your device at any time, through the Service Victoria app. To remove your certificate from the app, go to ‘View certificate’ and tap ‘remove’.
When you link your certificate, we collect some data in a secured, encrypted format for fraud detection and control. We will collect your full name, date of birth, date of certificate issue, and a unique number for the installation. We de-identify this info using hashing technology. This protects your info so no-one can see it without decryption. We destroy this record when no longer needed to support this service.
We may share your de-identified info with Services Australia if required to detect or investigate suspected fraud or misuse of COVID-19 digital certificates. To learn more about how Services Australia handles your info, please see their privacy statement.
We also collect anonymous statistical data, such as how you interact with the app, so we can make it easier to use and improve the design. We analyse this data to support the Victorian Government’s response to the COVID-19 pandemic. This doesn’t contain information about you.
Collection, use and disclosure of personal information for contact tracing
When you visit premises that are participating in the digital visitor registration system, you will be able to scan the QR code displayed on your mobile phone.
If you can’t use our app, you may be able to use our web kiosk. You can
ask the premises you visit for access to the web kiosk.
Checking in registers your attendance at the premises and helps the Victorian Government protect the public through COVID-19 contact tracing.
Your visit will be recorded in a visitor log database held by Service Victoria for 28 days. Service Victoria holds this data on behalf of the Victorian Department of Health
The information collected will include:
- Your name
- Your contact phone number
- The location number of the premises
- The date and time you attended the premises
You can check in another person if that person is unable to check in. If someone can check themselves in, they should.
You do not have to create or have an account with Service Victoria to use the QR code.
Under the Workplace Directions (Directions) issued under the Public Health and
Wellbeing Act 2008, most employers/businesses must keep a record of all
workers/visitors at their premises. Most employers/business need to do this
through the Service Victoria digital visitor registration system.
We’ll share your personal information with the Victorian Department of Health and others authorised to do contact tracing in the event that the Chief Health Officer requests it to support contact tracing purposes under the Directions. Contact tracing is the process of identifying people who may have come into contact with someone who has COVID-19 so that they can be advised to take measures to help stop the further spread of COVID-19 (such as getting tested or self-isolating).
If we get asked to share check-in data for purposes other than contact tracing, then our general position is to say ‘no’, except where an individual asks for their own data. This includes requests from law enforcement agencies.
Where possible, the Department of Health will handle any formal legal requests for check-in data, not Service Victoria. The Department of Health’s policy is to oppose this request. If the court says ‘no’ and requires us to share your info, we will need to follow this order.
The Department of Health can keep any information we share for more than 28 days. For more information on how the department handles this information, please refer to their Privacy .
We may also use or disclose your information:
- to ensure the proper functioning, integrity and security of the digital visitor registration service
- if required or authorised by law (e.g. we receive a court order or it is necessary to lessen or prevent a serious threat to public health or safety).
You can access the personal information we hold about you at any time and request to update, correct or amend your personal information. However, once a check-in at a premises is registered using Service Victoria you will not be able to update or amend the details of the visit.
Our app may also record your visit history on your device, for 28 days. This supports you to check where you have been. You can view and remove this data from your device history list through our mobile app. The data is still stored on your device, but is not shown. Contact tracers can still access the official check-in records if needed.
You can choose to save your favourite locations in the app. When you save a favourite location, you don’t need to scan their QR code again. Just tap the location in your favourites list to start your check in. You can remove favourite locations at any time.
Service Victoria can’t access data stored on your device, including any favourite locations or visit history.
We collect anonymous statistical data, such as how you interact with the app, so we can make it easier to use and improve the design. We analyse this data to support the Victorian Government’s response to the COVID-19 pandemic. This doesn’t contain information about you.
The digital visitor registration system has a range of privacy and security safeguards built-in, including the use of encryption, and with personal data stored in Australia on secure servers.
Get in touch if you want to find out more about this policy.