Attendance tracking applications - digital guide

This guide is for third party providers of attendance tracking systems capturing visitor check-in data.

If you're a business, organisation, club or event and you're:

It's designed to help:

  • build a quality, trusted service which meets workplace obligations
  • integrate with the Department of Health (DH) contact tracing team
  • improve the coronavirus (COVID-19) contact tracing process

Before you begin

What is a COVID-19 attendance tracking app?

It's any mobile app or system used to capture location check-in information. When developed, it must meet the obligations of the current Workplace Directions. These directions support DH contact tracers to identify workplace visitors exposed to COVID-19.

We have developed the Victorian Government QR Code Service.

What is the Victorian Government Visitation API?

The Victorian Government Visitation API is vital for contact tracing. When contact tracers are tracking down cases of coronavirus (COVID-19) exposure, the API:

  • allows contact tracers to request check-in data directly from attendance tracking applications
  • helps streamline the information gathering process (when integrated)
  • reduces the time required for contact tracers to identify exposure risks

We've integrated the Victorian Government QR Code Service with this API. We provide it freely to all attendance tracking applications. To use it, you must agree to the API Licence Terms.

The API also helps you meet your Workplace Directions compliance obligations.

Earning and keeping trust

The coronavirus (COVID-19) pandemic has been hard for everyone. It's important that users are comfortable with sharing their information with third parties.

The privacy and security considerations below are a minimum. Exceeding them should be the goal.

Keeping data private

When developing a mobile application for contact tracing, you're dealing with personal information. Meeting or exceeding your users' privacy expectations is good for business.

You are required to meet all relevant federal and state privacy legislation, including the:

For a guide on protecting user privacy, refer to Protect privacy - digital guide.

API Licence Terms of Use

The API Licence Terms of Use require third-party providers of attendance tracking systems to comply with the Victorian Information Privacy Principles (IPPs).

IPP '9.1' limits the circumstances where data can be transferred or stored outside of Victoria. These circumstances include (among others) where:

  • the individual has consented to the transfer outside of Victoria, or
  • you reasonably believe that the recipient of the information is subject to a law, binding scheme or contract which is substantially similar to the IPPs

If you transfer or store data collected for Workplace Direction compliance outside of Victoria, you must satisfy yourself that one of these circumstances applies.

The API Licence Terms of Use also require compliance with the Privacy Act 1988, even if your organisation is not otherwise required to comply with that Act. It is recommended that organisations not otherwise bound by the Privacy Act 1988 consider opting into compliance with that Act. Even if you do not opt-in, you will still be contractually required to comply with the Privacy Act 1988 when handling information collected for Workplace Direction compliance.

Marketing to users

If you collect personal information for one reason, you must not use or disclose it for a different reason. For example, if you collect personal information for contact tracing, it must not be used to send marketing emails.

Find out more about a user's privacy rights.

You should be in a position to give users access to their data if they ask for it. Ensure you have a clear and effective privacy collection notice, terms of use, etc.

Accessing personal information

You should, where possible, take steps to avoid accessing personal information. You should only use or disclose this information for contact tracing unless you have obtained explicit consent for other uses and disclosures.

Keeping data secure

It's important to secure your service when developing a contact tracing app. Find out more in Secure your service - digital guide.

There are other considerations to make when developing a contact tracing app.

Critical security risks

Be sure to address the OWASP Top Ten, a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

Security mitigation strategies

The Essential Eight is a series of baseline mitigation strategies recommended for organisations. Implementing these strategies makes it harder for adversaries to compromise systems.

Reviewed 19 February 2021
