If you’re an employer with Work Premises in Victoria, you must comply with the current Workplace Directions, which are issued under the Public Health and Wellbeing Act 2008 (Vic).
Who is an employer?
The Workplace Directions define an employer as a person who owns, operates or controls Work Premises. This includes a self-employed person.
What are Work Premises?
Work Premises are premises where work is undertaken. This includes vehicles used for work purposes (e.g., a taxi).
Work Premises do not include an employer’s ordinary place of residence.
Record keeping obligations
Employers must keep a record of all employees and visitors who attend their premises for longer than 15 minutes. The record must include the:
- person’s first name
- person’s phone number
- date and time the person attended the Work Premises
- areas of the Work Premises the person attended
The Department of Health and Human Services (DHHS) needs this information for contact tracing to limit the spread of coronavirus (COVID-19).
Find out more about meeting your obligations under the Privacy Act:
Only collect personal information required by law
You must only collect personal information that is required by the Workplace Directions for contact tracing purposes.
Notify individuals before you collect their personal information
If you’re required to comply with the Privacy Act, you must clearly inform all employees and visitors to your Work Premises:
- what information you are collecting
- that the collection is required by law
- the purposes of collection
- who the information will be disclosed to
- the consequences of failing to provide the information
Even if the Privacy Act doesn’t apply to you, you still have obligations. as defined by the Workplace Directions, you must take reasonable steps to notify visitors and all employees that their personal information:
- is being collected for coronavirus (COVID-19) contact tracing
- may be collected and stored by the Victorian Government for this purpose
You can do this by displaying a prominent notice on your premises and website.
Do not disclose personal information to anyone except DHHS
You must not disclose personal information to anyone except ‘Authorised Officers’ from DHHS, when they request it for contact tracing purposes. ‘Authorised Officers’ are defined under the Public Health and Wellbeing Act 2008 (Vic).
Store personal information securely
- do not write the names, phone numbers or other details of visitors where others may see it. This includes in a book, notepad or computer screen. For example, to prevent others from seeing the information, you could place a sheet of paper over visitor details
- restrict access to the information to only those staff who need to see it
- ensure the information is secure and protected at all times
- record personal information in a separate location or repository to your central booking system. Separating it will ensure you can keep the information secure and easily destroy it once it’s no longer needed
Destroy the information once it’s not needed for contact tracing
You must destroy information collected for contact tracing as soon as reasonably practicable following 28 days after the person visited your premises.
The Victorian Government’s QR Code Service will delete any stored personal information (except your business information) after 28 days. If the information is disclosed to DHHS for contact tracing purposes, DHHS may store the information for a longer period.
Notify affected individuals in the event of a data breach
If the Privacy Act applies to you, you also have obligations under the Notifiable Data Breach scheme. For example, if a data breach occurs, which is likely to result in serious harm to the individuals to whom the information relates, you must notify:
- the affected individuals
- the Australian Information Commissioner
Victorian Government’s QR Code Service
Our QR Code Service was developed to help DHHS contain COVID-19 community outbreaks. The Service strictly protects user information and privacy via a range of privacy and security safeguards. The Service includes a:
- the Business Registration Portal
- a free Service Victoria app
The Service Victoria app stores customer data in a secure repository. Only DHHS can access it in the event of a COVID-19 outbreak.
Learn more about how the app handles personal information:
Be careful when using other services
The Victorian Government’s QR Code Service is the only system we have developed for contact tracing in Victoria. It’s designed to protect the information and privacy of individuals.The Victorian Government does not support or endorse other digital visitation registration apps.
If you decide to use a service other than the Service Victoria app, you should check that the app:
- handles personal information it collects in accordance with the Privacy Act
- stores data in Australia
- deletes the personal information it collects after 28 days as per the Workplace Direction
To check this, read the app’s privacy and legal policies. You can find these in the app’s:
- terms and conditions
If the app does not meet the above requirements, you should use a different service, such as the Victorian Government’s QR Code Service.
Reviewed 06 December 2020