The Explanatory Memo for the Identity Verification Services Bill 2023 (Cth), ahead of the foreshadowed privacy reforms noted in the preceding post, states
1. Secure and efficient identity verification is critical to minimising the risk of identity fraud and theft, and protecting the privacy of Australians when seeking to access government and industry services and engage with the digital economy. The identity verification services are the only national capability that can be used by industry and government agencies to securely verify the identity of their customers.
2. Identity verification services are a series of automated national services offered by the Commonwealth to allow government agencies and industry to efficiently compare or verify personal information on identity documents against existing government records, such as passports, driver licences and birth certificates.
3. 1:1 matching services (the Document Verification Service and the Face Verification Service) are now used every day by Commonwealth, State and Territory government agencies and industry to securely verify the identity. In 2022, the DVS was used over 140 million times by approximately 2700 government and industry sector organisations, and there were approximately 2.6 million FVS transactions in the 2022-23 financial year.
4. Examples of the current uses of the DVS and FVS include:
• verifying the identity of an individual when establishing a myGovID to access online services, including services provided by the Australian Taxation Office
• financial service providers, such as banks, when seeking to verify the identity of their customers and to meet the 'know your customer' obligation under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
• Government agencies when providing services, disaster relief and welfare payments, and
• Commonwealth, state and territory government agencies verifying identity in order to provide or change credentials.
5. The Identity Verification Services Bill 2023 establishes new primary legislation that provides a legislative framework to support the operation of the identity verification services. The Bill will support the efficient and secure operation of the services without compromising the privacy of the Australian community.
6. The IVS Bill will:
• authorise 1:1 matching of identity through the identity verification services, with consent of the relevant individual, by public and private sector entities. This will be enabled by: o the Document Verification Service which provides 1:1 matching to verify biographic information (such as a name or date of birth), with consent, against government issued identification documents; o the Face Verification Service which provides 1:1 matching to verifiy biometric information (in this case a photograph or facial image of an individual), with consent, against a Commonwealth, state or territory issued identification document (for example, passports and driver licences); and o the National Driver Licence Facial Recognition Solution which enables the FVS to conduct 1:1 matching against State and Territory identification documents such as driver licences.
• authorise 1:many matching services through the Face Identification Service only for the purpose of protecting the identity of persons with a legally assumed identity, such as undercover officers and protected witnesses. The protection of legally assumed identities will also be supported by the use of the FVS. All other uses of 1:many matching through the identity verification services will not be authorised, and will therefore be prohibited.
• authorise the responsible Commonwealth department - in this case the Attorney-General's Department - to develop, operate and maintain the identity verification facilities (the DVS hub, the Face Matching Service Hub and the NDLFRS). These approved identity verification facilities will be used to provide the identity verification services. These facilities will relay electronic communications between persons and bodies for the purposes of requesting and providing identity verification services.
7. Subject to robust privacy safeguards, the Department will be authorised to collect, use and disclose identification information through the approved identity verification facilities for the purpose of providing identity verification services and developing, operating and maintaining the NDLFRS. Offences will apply to certain entrusted persons for the unauthorised recording, disclosing or accessing protected information.
8. The Bill ensures that the operation the identity verification services and requests for the use of those services are subject to privacy protections and safeguards. These include consent and notice requirements, privacy impact assessments, requirements to report security breaches and data breaches, complaints handling, annual compliance reporting and transparency about how information will be collected, used and disclosed. Furthermore, privacy law and/or the Australian Privacy Principles will apply to almost all entities that seek to make a request for identity verification services. These privacy protections and safeguards will be set out in participation agreements.
9. Government authorities that supply identification information that is used for the purpose of identity verification services will also be subject to the privacy protections and safeguards captured in the participation agreement. Breaches of participation agreements can lead to suspension or termination of the agreement, meaning that the entity would no longer be able to request identity verification services.
10. States or territories seeking to contribute to the NDLFRS will be subject to privacy obligations and safeguards, which are required by the Bill and will be set out in the NDLFRS hosting agreement.
11. The Bill requires parties to the agreement to agree to be bound by the Privacy Act or a state or territory equivalent, or agree to be subject to the Australian Privacy Principles. The Bill requires state or territory authorities to inform individuals if their information is stored on the NDLFRS (and provide for a mechanism by which those persons can correct any errors), inform the Department and individuals whose information is stored on the NDLFRS of any data breaches, establish a complaints mechanism, and report annually to the Department on the party's compliance with the agreement. The Bill enables states and territories to limit the use of identity information stored on the NDLFRS, and requires the Department to maintain the security of the NDLFRS. The Department may suspend or terminate access to the NDLFRS in the event of a party's non-compliance with legislative obligations.
12. To protect the privacy of Australians, the Department will be required to maintain the security of electronic communications to and from the approved identity verification facilities, and the information held in the NDLFRS. This information and communications must be encrypted and data breaches reported.
13. There will be transparency about the operation of the approved identity verification facilities, including through extensive annual reporting requirements and annual assessments by the Information Commissioner on the operation and management of the facilities.
14. The Bill reflects and seeks to implement aspects of the Commonwealth's commitments under the Intergovernmental Agreement on Identity Matching Services (Intergovernmental Agreement). The Intergovernmental Agreement provides that jurisdictions would share and match biographic and biometric information, with robust privacy safeguards, through the identity verification services.
15. The Bill will be supported by the Identity Verification Services (Consequential Amendments) Bill which amends the Australian Passports Act 2005 to provide a clear legal basis for the Minister to disclose personal information for the purpose of participating in one of the following services to share or match information relating to the identity of a person: • the DVS or the FVS, or • any other service, specified or of a kind specified in the Minister's determination.
16. The Consequential Amendments Bill will also allow for automated disclosures of personal information to a specified person via the DVS or the FVS. In combination, this comprehensively authorises the operation of the DVS and FVS in relation to Australian travel documents regulated by the Australian Passports Act.
