Guidelines for meeting your contact tracing obligations

If you’re an employer with Work Premises in Victoria, you must comply with the current Workplace Directions, which are issued under the Public Health and Wellbeing Act 2008 (Vic).

  • If you’re an employer with Work Premises in Victoria, you must comply with the current Workplace Directions, which are issued under the Public Health and Wellbeing Act 2008 (Vic).

    The Directions may be updated and replaced at any time. The current directions are available on the Victoria’s Restriction Levels page.

    Who is an employer?

    The Workplace Directions define an employer as a person who owns, operates or controls Work Premises. This includes a self-employed person.

    What are Work Premises?

    Work Premises are premises where work is undertaken. This includes vehicles used for work purposes (e.g., a taxi).

    Work Premises do not include an employer’s ordinary place of residence.

    Record keeping obligations

    Employers must keep a record of all employees and visitors who attend their premises for longer than 15 minutes. The record must include the:

    • person’s first name
    • person’s phone number
    • date and time the person attended the Work Premises
    • areas of the Work Premises the person attended

    The Department of Health and Human Services (DHHS) needs this information for contact tracing to limit the spread of coronavirus (COVID-19).

    Privacy obligations

    Businesses must comply with the Privacy Act 1988 (Cth) (Privacy Act) if their annual turnover is more than $3 million.

    The Privacy Act requires businesses to comply with 13 Australian Privacy Principles (APPs).

    Find out more about meeting your obligations under the Privacy Act:

  • Only collect personal information required by law

    You must only collect personal information that is required by the Workplace Directions for contact tracing purposes.

    Notify individuals before you collect their personal information

    If you’re required to comply with the Privacy Act, you must clearly inform all employees and visitors to your Work Premises:

    • what information you are collecting
    • that the collection is required by law
    • the purposes of collection
    • who the information will be disclosed to
    • the consequences of failing to provide the information

    Even if the Privacy Act doesn’t apply to you, you still have obligations. If you are an employer as defined by the Workplace Directions, you must take reasonable steps to notify visitors and all employees that their personal information:

    • is being collected for coronavirus (COVID-19) contact tracing
    • may be collected and stored by the Victorian Government for this purpose

    You can do this by displaying a prominent notice on your premises and website.

    Do not disclose personal information to anyone except DHHS

    You must not disclose personal information to anyone except ‘Authorised Officers’ from DHHS, when they request it for contact tracing purposes. ‘Authorised Officers’ are defined under the Public Health and Wellbeing Act 2008 (Vic).

    Store personal information securely

    If you are an employer as defined by the Workplace Directions, you must protect any personal information you collect from use or disclosure. To assist with this:

    • do not write the names, phone numbers or other details of visitors where others may see it. This includes in a book, notepad or computer screen. For example, to prevent others from seeing the information, you could place a sheet of paper over visitor details
    • restrict access to the information to only those staff who need to see it
    • ensure the information is secure and protected at all times
    • record personal information in a separate location or repository to your central booking system. Separating it will ensure you can keep the information secure and easily destroy it once it’s no longer needed

    Destroy the information once it’s not needed for contact tracing

    You must destroy information collected for contact tracing as soon as reasonably practicable following 28 days after the person visited your premises.

    The Victorian Government’s QR Code Service will delete any stored personal information (except your business information) after 28 days. If the information is disclosed to DHHS for contact tracing purposes, DHHS may store the information for a longer period.

    Notify affected individuals in the event of a data breach

    If the Privacy Act applies to you, you also have obligations under the Notifiable Data Breach scheme. For example, if a data breach occurs, which is likely to result in serious harm to the individuals to whom the information relates, you must notify:

    • the affected individuals
    • the Australian Information Commissioner
  • Victorian Government’s QR Code Service

    Our QR Code Service was developed to help DHHS contain COVID-19 community outbreaks. The Service strictly protects user information and privacy via a range of privacy and security safeguards. The Service includes a:

    • the Business Registration Portal
    • a free Service Victoria app

    Find out more about the Victorian Government QR Code Service.

    The Service Victoria app stores customer data in a secure repository. Only DHHS can access it in the event of a COVID-19 outbreak.

    Learn more about how the app handles personal information:

    Be careful when using other services

    The Victorian Government’s QR Code Service is the only system we have developed for contact tracing in Victoria. It’s designed to protect the information and privacy of individuals.

    The Victorian Government does not support or endorse other digital visitation registration apps.

    If you decide to use a service other than the Service Victoria app, you should check that the app:

    • handles personal information it collects in accordance with the Privacy Act
    • stores data in Australia
    • deletes the personal information it collects after 28 days as per the Workplace Direction

    To check this, read the app’s privacy and legal policies. You can find these in the app’s:

    • terms of use
    • terms and conditions
    • privacy policy

    If the app does not meet the above requirements, you should use a different service, such as the Victorian Government’s QR Code Service.

  • The Office of the Australian Information Commissioner has developed advice and guidance on privacy in the context of the COVID-19 outbreak, including:

Reviewed 06 December 2020

Coronavirus Victoria

24/7 Coronavirus Hotline

If you suspect you may have COVID-19 call the dedicated hotline – open 24 hours, 7 days.

Please keep Triple Zero (000) for emergencies only.

Was this page helpful?