Chapter 2 - Key issues


2.1 This chapter outlines key issues raised in evidence to the committee about the Identity Verification Services Bill 2023 (IVS bill) and the Identity Verification Services (Consequential Amendments) Bill 2023 (Consequential Amendments bill) (collectively the bills), including the:

rationale and legislative basis for the identity verification services;

privacy provisions contained in the IVS bill;

consent models most appropriate for the IVS bill; and

timeframe for a review of the IVS bill.

2.2 This chapter also articulates the committee's views and recommendations in relation to the bills.

Rationale and legislative basis for the identity verification services

2.3 Several government and non-government entities outlined the rationale for the identity verification services and explained that the bills would provide the legislative basis for their ongoing operation.[1]

Rationale for the identity verification services

2.4 The Australian Banking Association (ABA) supported the bills as they would provide:

…a secure way for banks to check the identity of those opening and using accounts against passports and drivers licence databases to ensure that they are not criminals impersonating a real customer. This bill enables a material improvement on some of the existing ways that customers can confirm their identity.[2]

2.5 The ABA remarked that Australian identity documents are available to criminals on the dark web and, '[a]s a result, it is critical that industry can confirm not only the legitimacy of an identity document but the identity of the person presenting it'.[3]

2.6 The identification verification services provide the confirmation that industry requires 'to verify the person providing the document is in fact who they say they are'.[4] To that end, the IVS bill would make Australians safer by providing 'the banking industry with a critical weapon in the fight to protect customers from scams, fraud and identity theft'.[5]

2.7 The ABA argued that the identity verification services would 'enable banks to take additional steps to verify the person providing the document is in fact who they say they are'.[6]

2.8 Westpac Banking Group highlighted the importance of the IVS bill in protecting Australians and the financial sector from fraud and money laundering. It explained that scammers:

…use counterfeit IDs to enable certain [bank] accounts to be opened. Those accounts are then used as part of the moving of bad actor moneys across the banking system and outside the banking system. We need to have as many tools as we possibly can to maximise our chance of finding bad actors as quickly as we possibly can and, ultimately, to stop the avenues for them being able to use the banking system. That's why this bill for us is quite critical—it closes the loop; it's the last piece of the jigsaw puzzle from the IDs aspects of muling. There are other aspects of muling that this won't stop…One of the big parts of muling is ID takeover, and this will really help.[7]

2.9 The Australian Transaction Reports and Analysis Centre (AUSTRAC) explained that there are more than 17 000 Australian businesses that must comply with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and associated rules.[8] Those entities must 'implement effective AML/CTF systems and controls to identify and mitigate money laundering and terrorism financing risk'.[9]

2.10 Under the AML/CTF Act, businesses are required 'to conduct customer due diligence ("know your customer"/KYC procedures)'.[10] The DVS is used by many businesses to satisfy that requirement.[11]

2.11 The Attorney-General's Department (AGD) stated that the identification verification services:

…are essential to support fast, secure and private identity verification. The services support Australians to engage with the digital economy and access government services in a way that minimises collection and retention of identity information.

Importantly, the services are used for beneficial purposes: either to support Australians access to products and services that they are seeking or to protect shielded persons who have a legally assumed identity. This provides significant value to the Australian community, including by reducing the risk and impact of identity crime and allowing Australians to access essential services in a streamlined manner.[12]

Legislative basis for the identity verification services

2.12 Some submitters noted that the Document Verification Service (DVS), Facial Verification Service (FVS), and Facial Identification Service (FIS) appear to be currently operating without a legislative basis.[13]

2.13 Professor Edward Santow, Director, Policy and Governance, Human Technology Institute, University of Technology Sydney (HTI), stated that the IVS bill as it is currently drafted would provide the identification verification services with 'some legislative foundation'.[14] He explained that the scheme currently:

…operates really by a series of agreements where the people of Australia are not parties to those agreements. They're agreements either within government or between a government agency and a private sector organisation.[15]

2.14 The Law Council of Australia (Law Council) similarly indicated that the IVS bill would increase transparency of the identity verification services, by creating:

…a legislative framework on operations that are already occurring…allow[ing] individuals to see how this framework works and have parliament consider a legislative framework that balances the interests of individuals with the benefits of the bill.[16]

2.15 The IVS bill would also ensure that identification verification services operate according to existing privacy legislation. Professor Santow suggested that while 'that's a very weak, flimsy protection…it is better than nothing'.[17]

2.16 The HTI agreed that urgent action is needed and opined that the lack of a legislative basis for the identity verification services 'may be a motivating factor in the Australian Government deciding to proceed urgently with the IVS Bill'.[18]

2.17 It noted that one 'unfortunate consequence of that urgency is that there is very limited scope for public consultation on a major reform that affects Australians' right to privacy, among other rights'.[19]

2.18 The Law Council noted that it would be 'vastly preferable to have a legislative foundation in place for an identity verification framework' and that 'the bills appear to be more robust, both in terms of privacy and human rights safeguards, compared to the [Identity-matching Services Bill 2019]'.[20]

2.19 The Digital Transformation Agency (DTA) indicated that there is a strong need to provide a legislative basis for the identity verification services:

The need to legislate for the identity verification services is more important today than ever before. The identity verification services are a foundational capability to the Australian economy that is used every day by governments and industry.[21]

2.20 The AGD explained:

The IVS Bill provides clear legislative authority for the identity verification services and ensures the services operate subject to strong privacy safeguards, oversight and transparency arrangements. The identity verification services are a critical capability provided by the Commonwealth and are used every day by government and industry to verify the personal information on a passport, driver's licence, birth certificate or other government issued credential.[22]

2.21 The AGD pointed out:

…there are extremely good reasons that the services that are being provided now should have appropriate legislative authority that provides parameters within which the services can be used that have been set by the parliament and have on their face strong privacy protections to ensure that there's certainty for entities who are requesting the services and of course for the customer, at the end of the day, whose identity is being verified.

And now that it's before the parliament we think it is highly desirable for that legislative authority to be in place in a timely way.[23]

Privacy provisions

2.22 Evidence to the committee reflected on the privacy provisions contained in the IVS bill. That evidence related to the:

harmonisation of privacy safeguards in the IVS bill, the draft Digital Identity Bill 2023 (Digital ID bill), and the Attorney-General's review into Australian privacy legislation;

modernisation of the Privacy Act 1988 (Privacy Act);

definition of 'personal information' in the IVS bill;

participation agreements; and

powers available to the Australian Information Commissioner (the Information Commissioner).

Harmonisation of privacy safeguards

2.23 Some organisations drew connections between the IVS bill, the Digital ID bill, and the Attorney-General's review into Australian privacy legislation.[24]

2.24 Due to those linkages, the HTI suggested that 'it would be both logical and practical for the schemes to operate harmoniously, and subject to consistent legal standards'.[25] It reiterated its view that the government should 'proceed in a more deliberate way' through increased public consultation and ensuring that these three reform processes operate harmoniously.[26]

2.25 The Law Council pointed out that the Digital ID bill:

…contains a specific division that sets out several additional privacy safeguards that go beyond those in the Privacy Act. These safeguards must be adhered to by accredited Digital ID services under the proposed arrangement. The inclusion of these safeguards in the draft Digital ID Bill indicates that compliance with the Privacy Act in its current form is not regarded as providing adequate protections for the collection and handling of biometric data.[27]

2.26 Digital Rights Watch (DRW) argued that, if there are inconsistencies between the Digital ID bill and the IVS bill, there would be increased risk of 'the creation of loopholes and ineffective governance processes'.[28]

2.27 Ms Lizzie O'Shea, Chair, DRW, reiterated:

There's also a regulatory burden that's been created for government. They're implementing two different privacy regimes, one of which is much more substandard than the other, which is this one. Also, in a context where we're going through pretty significant privacy reforms, it looks likely, if the Attorney's plan is enacted, that we will have considerable reforms made to the Privacy Act, which will again create another change to the scenario in which these schemes are implemented. All of these seem excessively cumbersome, unclear for people who are subjected to these schemes and costly in terms of regulatory burden.[29]

2.28 IIS Partners suggested that the Digital ID bill and the IVS bill 'need to be consistent with each other and potentially enacted in the right sequence'.[30]

2.29 In a similar vein, Professor Lyria Bennett Moses, Director, University of New South Wales Allens Hub for Technology, Law and Innovation (Allens Hub), argued that the bills would not 'achieve their full objectives…until they are considered holistically alongside the digital identity legislation and…the Privacy Act reform'.[31]

2.30 To better promote harmonisation and clarity in relation to those frameworks, the Law Council reiterated 'its calls for a roadmap for the harmonisation of Australia's privacy and data laws, to ensure the development of a national privacy framework that is consistent, clear and accessible'.[32]

2.31 The Office of the Australian Information Commissioner (OAIC) similarly advocated for the harmonisation of privacy laws and called for 'a Commonwealth, state and territory working group [to] be convened to harmonise privacy laws'.[33]

2.32 In regard to the harmonisation of privacy legislation, the AGD stated:

In many ways we agree that it is desirable for consistency between the operation of these services and privacy law…that's why we think it's important for it to be linked to the Privacy Act rather than creating a bespoke regime that could drift out of alignment over time.[34]

2.33 Ms Tara Inverarity, Acting Deputy Secretary, National Security and Criminal Justice Group, AGD, outlined that there is a 'different scope and policy intent' behind the Digital ID bill and the IVS bill:

The Digital ID Bill creates a framework for an economy-wide digital ID system and has privacy protections that have been designed and are fit for purpose in the context of that comprehensive regime. By contrast, the one-to-one matching services regulated by this bill are used for identity verification for a single transaction when a person is seeking to access a service or obtain a product, with the consent of that person. The response that will be provided by the customer match those that are held by the owner of the government issued document. No personal information will be shared back to the requesting entity. On this basis, the department does not accept that identical privacy protections are necessarily required and thinks that the privacy protections for each scheme are appropriate to their context and policy intent.[35]

Modernisation of the Privacy Act

2.34 The DTA pointed out that Australians expect 'greater convenience and efficiency when accessing digital services with a high standard of privacy in order to maintain trust in Government'.[36]

2.35 The Law Council indicated that there are 'serious deficiencies in the current [privacy] regime, which has been in operation for more than 30 years and is in urgent need of modernisation'.[37]

2.36 The Law Council remarked that there is a need for 'the secure and efficient verification of identities…[that is balanced with] adequate privacy safeguards and oversight'.[38] That requirement is particularly pertinent as '[t]here is no opportunity for individuals to opt out of being subject to these schemes'.[39]

2.37 Professor Santow stated:

the privacy protections in the IVS bill are inadequate. Essentially the bill provides that an organisation need only comply with the existing federal, state, territory or New Zealand privacy laws. That position is untenable.[40]

2.38 Professor Santow stated that the bill relies:

…on fundamentally inadequate privacy protections...[and that] it be amended to ensure adequate privacy protections. That could be achieved through any of the following options: firstly, the government could introduce the Privacy Act reforms before proceeding with the IVS bill; secondly, the IVS bill could be amended to include an equivalent to chapter 3 of the digital ID bill, so that the digital ID scheme as a whole would contain consistent and more effective privacy protections; or, thirdly, clause 44 of the IVS bill could be amended to empower the minister to make rules to strengthen the privacy protections of the IVS bill.[41]

2.39 The Australian Human Rights Commission (AHRC) echoed Professor Santow's view regarding the inadequacy of relying on the provisions of the Privacy Act. It suggested that because the Privacy Act has not yet been modernised:

…the privacy protections built into the Verification Services Bills are currently incomplete and not appropriate to safeguard privacy against verification technologies. The Privacy Act reforms must be completed before the Verification Services Bills are enacted.[42]

2.40 The AHRC suggested that the creation of a bespoke privacy framework specifically for the IVS bill would be one option to strengthen the privacy provisions of that bill.[43] It reiterated that its preference is for the Privacy Act to be reformed first, to avoid complicating 'the already highly technical privacy legislative landscape'.[44]

2.41 The HTI suggested that as the Digital ID bill does not rely on the Privacy Act, its privacy provisions are 'superior' to those contained in the IVS bill.[45] It noted that 'Chapter 3 of the Digital ID Bill contains a number of additional provisions that provide stronger privacy safeguards'.[46] The HTI recommended 'that the IVS Bill be amended to include privacy protections that bring the IVS Bill in line with the privacy protections in the Digital ID Bill'.[47]

2.42 Ms O'Shea supported the reform of the Privacy Act before the passage of the IVS bill.[48] She suggested as a second preference that the privacy protections in the Digital ID bill 'be imported into' the IVS bill.[49]

2.43 The Law Council suggested that, if additional safeguards cannot be included in the bill, 'it would be prudent for rules to be developed, pursuant to clause 44, which can lift the compliance expectations on entities within the framework beyond what is currently required'.[50]

2.44 The OAIC recommended that the Information Commissioner should be consulted prior to any rules being developed under clause 44.[51]

2.45 The HTI argued that amending the Privacy Act prior to the passage of the IVS bill would improve privacy protections for Australians and 'provide regulatory certainty for the government and non-government organisations currently participating in the IVS scheme'.[52]

2.46 It suggested that passing the IVS bill before amending the Privacy Act 'would create a significant regulatory burden for the approximately 2700 organisations that already participate in the IVS scheme and those that join it'.[53]

2.47 The ABA argued that the IVS bill should be passed urgently, even before the review of the Privacy Act is completed, as it would 'enable a higher degree of protection for Australians against cybersecurity fraud and scams around their identity documents'.[54]

2.48 The AGD agreed with the ABA, and suggested that waiting for the completion of the Privacy Act review and the passage of the Digital ID bill would risk:

…making the perfect the enemy of the good, in that there is a strong argument for legislative authority to be in place for the identity verification services…You could wait, but the sequencing may never align, and we think there are strong reasons to act now.[55]

2.49 Ms Inverarity disagreed with the Law Council's assessment of the Privacy Act:

…we don't necessarily accept that the Privacy Act isn't a good and strong regime for protecting the privacy of Australians. It is a comprehensive regime. It is in place. It has been in place for a long time. It can be enhanced, obviously, through the reforms the government has indicated it will undertake. But as the government administering the service we are strongly supportive of it operating under a legislative framework as soon as possible.[56]

2.50 Ms Inverarity argued in favour of connecting the privacy safeguards in the IVS bill to the Privacy Act:

Linking the privacy protections in the bill to existing privacy legislation ensures that these protections remain consistent and contemporary as privacy law evolves over time—for example, through the amendments following from the government's response to the Privacy Act review.[57]

Definition of 'personal information'

2.51 Evidence to the committee discussed the importance of protecting personal information and noted that the legal definition of 'personal information' is currently in a state of flux.

2.52 For example, the HTI argued that as:

…the IVS scheme deals with sensitive personal information…there is a need for strong privacy law protections to guard against the misuse or non-consensual use of individuals' personal information, and also to build trust in the IVS scheme.[58]

2.53 The Law Council pointed out 'that the definition of "personal information" in the Privacy Act is currently under review and the Government has agreed, in principle, to amend it'.[59] It submitted that key concepts, such as personal information, should be consistently defined 'across Australia's digital identity, privacy, and identity verification frameworks'.[60] It suggested that 'the fragmented and expedited reform approach that the Government is taking is not conducive to promoting harmonisation and clarity'.[61]

2.54 The OAIC suggested 'that the IVS Bill should be amended to provide that "identification information" as defined in clause 6 of the bill is personal information for the purposes of the Privacy Act'.[62]

2.55 The AGD stated it 'adopted the terminology that we think is appropriate in light of the framework that the bill is creating'.[63]

Participation agreements

2.56 In addition to the concerns relating to the IVS bill's reliance on the Privacy Act, some of the evidence received by the committee critiqued the design of the participation agreements.[64]

2.57 The NSW Council for Civil Liberties (NSWCCL), for example, proposed that privacy protections should be contained in the primary legislation and not 'in subordinate documents or delegated legislation'.[65]

2.58 The Law Council suggested that due to the identity verification services holding 'sensitive personal information…higher standards of compliance should apply to parties, beyond reliance on the existing Privacy Act, which is not fit for purpose in the digital landscape'.[66] It welcomed the inclusion of participation agreements but stated that they 'are limited in scope and unlikely to promote public trust in the scheme'.[67]

2.59 The Law Council welcomed the transparency that would be provided by the publication of participation agreements.[68] Mr Nathan MacDonald, Deputy Director of Policy, of the Law Council, noted that 'having a little bit more oversight around the development of those participation agreements is probably something that this bill could benefit from'.[69]

2.60 Equifax outlined some areas of consideration in relation to the participation agreements. Ms Tehani Legeay, General Manager, Identity, Fraud and Anti-Money Laundering Compliance, Equifax, indicated that her organisation had not been provided with a draft of those agreements, which has led to some uncertainty about compliance costs and whether new business capabilities would be required.[70]

2.61 She noted that there can be significant lead times in the implementation of new measures. For example, the addition of a new field to drivers licence verification took over two years to implement nationally.[71] She expected that it would take longer than 12 months to operationalise new compliance measures in relation to the new participation agreements.[72]

2.62 The ABA stated that the participation agreement model ensures a balance between providing businesses with the tools to verify a person's identity and protecting individual privacy.[73]

2.63 A participant's access to the identification verification services may be suspended or terminated if they breach the participation agreement. Professor Santow suggested that 'there should be much stronger consequences for that noncompliance'.[74]

2.64 DRW similarly argued that the suspension or termination of access to the identification verification services 'is a positive and necessary step, [however] we do not believe it to be a strong enough deterrent from misuse of the identification services'.[75]

2.65 The OAIC recommended greater clarity around 'how any privacy-related requirements contained in the participation agreements are intended to interact with the [Australian Privacy Principles (APP)]'.[76] To that end it suggested:

…the IVS Bill could state that participation agreements are intended to be privacy-enhancing and may therefore impose additional requirements to the APPs, but any such requirements must not be contrary to, or inconsistent with, the APPs.[77]

2.66 The OAIC also recommended that the IVS bill 'clarify that the compliance obligations under it do not alter entities' obligations under the Privacy Act, and in particular the general obligation to notify the OAIC of eligible data breaches'.[78]

2.67 The OAIC suggested that those recommendations could be implemented through amendments to the EM.[79]

2.68 AGD remarked that it has engaged in:

…productive conversations with the [OAIC] about the suggestions that they have made…If there are aspects of the digital ID bill that could sensibly be replicated in this bill then we are certainly not closed to that, but it is not immediately clear to us what those protections necessarily are and how they would sit within the scheme that this bill creates.[80]

Powers available to the Information Commissioner

2.69 DRW recommended that 'the IVS Bill be amended to provide the OAIC with additional powers and resources to manage a more comprehensive redress mechanism for individuals affected by the operation of the IVS scheme'.[81]

2.70 It proposed:

Such a redress mechanism should allow an individual to submit complaints about the handling of their identification information by either the Department, or a party to a participation agreement or the NDLFRS hosting agreement, and include appropriate measures to remedy any harm suffered by the individual.[82]

2.71 The OAIC pointed out that the IVS bill 'does not provide a clear framework for the OAIC to enforce these [privacy] agreements'.[83] It noted that its enforcement powers in relation to a breach of a participation agreement would rely on:

…the ordinary mechanisms of the APPs/Privacy Act. However, a breach of a participation agreement may not necessarily be a breach of the Privacy Act, even where the agreement clearly sets out privacy-related safeguards.[84]

2.72 The OAIC reported that it 'would have no ability to enforce breaches of participation agreements in relation to State and Territory entities'.[85] It also indicated that it would be 'difficult' for it to terminate or suspend an entity's access to the identity verification systems, particularly if those entities 'provide essential services to the community'.[86]

2.73 The OAIC suggested that 'it would be more appropriate to include a provision in the IVS Bill that will make certain (privacy-related) breaches of a participation agreement…an interference with privacy under the Privacy Act'.[87] Doing so would 'clearly enable enforcement (including the ability to deal with complaints) by the OAIC under the Privacy Act in relation to entities with a participation agreement'.[88]

2.74 The OAIC submitted 'that the IVS Bill should clearly set out the OAIC's regulatory role, including clear enforcement mechanisms, to ensure that the Information Commissioner can efficiently and effectively carry out their oversight functions'.[89]

2.75 In relation to the annual assessments by the Information Commissioner, the OAIC submitted that the provisions contained in 'clause 40 are unusual in that they do not activate the OAIC's usual assessment regulatory powers'.[90] It noted that it would have to rely 'on information agreed to be provided by the department when carrying out this specific annual function'.[91]

2.76 The OAIC suggested that the Information Commissioner's 'oversight role and enforcement powers' would be strengthened by allowing entrusted persons to disclose protected information to the OAIC or the Information Commissioner.[92]

2.77 The Law Council noted that clause 40 of the IVS bill 'merely grants the Information Commissioner the function, or power, to conduct an assessment'.[93] It suggested that there should be some consideration given to amending the IVS bill to make the Information Commissioner's annual assessments obligatory.[94]

2.78 It further noted that the annual assessment provisions are currently 'likely [to] be inconsistent with public expectations in relation to the oversight, transparency and accountability for the IVS system'.[95] To bring the annual assessment provisions into line with public expectations, the OAIC suggested 'that clause 40 needs to provide the Information Commissioner with the ability to discharge the assessment function in a manner that is appropriately independent'.[96]

2.79 The OAIC argued that amending the IVS bill to bring the annual assessment provisions into line 'with the OAIC's usual assessment powers as set out in s 33C of the Privacy Act' would assist in providing a greater level of independence.[97] That section of the Privacy Act provides the Information Commissioner with the 'power to require an entity to give information or produce documents relevant to the assessment, without reliance on the agreement of the entity'.[98]

2.80 The AGD submitted that the nature of the OAIC's annual assessments would 'likely change each year, the intended outcome is that the identity verification services will operate in accordance with best practice privacy standards'.[99] The OAIC would maintain its independence by determining 'the scope of the assessments following consultation with the Department'.[100]

Consent provisions

2.81 Evidence to the committee discussed whether the IVS bill should operate on an implied or express consent model.[101]

2.82 DRW suggested that 'the IVS Bill is dependent on the concept of "consent"'.[102] It noted that the EM explains that the IVS bill 'is intended to include express consent or implied consent'.[103]

2.83 It referred to subclause 35(1) of the IVS bill, which 'includes a carve out that permits an entrusted person to make a record of, disclose or access protected information "if the person has consented"'.[104] It expressed concern:

…that such a provision could be subject to misuse where individuals may not be in a position to meaningfully refuse if an entrusted person compels them to provide consent, or where "implied" consent is unreasonably applied.[105]

2.84 To alleviate that concern, DRW suggested that consideration be given to 'the addition of a fair and reasonable test, in line with the proposal contained in the Privacy Act Review'.[106]

2.85 The NSWCCL argued that '[i]t has become abundantly clear…that standard consent and notice requirements are totally inadequate for obtaining meaningful consent of participant citizens. Without offering alternative easy methods of verification there is no consent'.[107]

2.86 The IVS bill would adopt an implied consent model.[108] The HTI suggested that an implied consent model would result 'in individuals having less control and autonomy over the uses of their personal information for the purposes of the IVS Bill'.[109] The Law Council indicated that the EM's reference to implied consent 'is concerning'.[110] Mr MacDonald suggested that the express consent framework referenced in the Digital ID bill 'is something that could easily make its way into [the IVS bill]'.[111]

2.87 The HTI pointed out that the Digital ID Bill adopts an express consent model, which 'requires that accredited entities obtain express consent from individuals in relation to the collection, use, disclosure and subsequent destruction of biometric information and disclosure of restricted attributes'.[112]

2.88 The HTI suggested that amending the IVS bill to require express consent before participating entities collect, use or disclose sensitive information would harmonise the privacy protections contained in the IVS and digital identity schemes.[113]

2.89 The ABA stated that the banking industry would not object to a requirement for customers to give express, rather than implied, consent when their identity information is used by verification services.[114]

2.90 Professor Bennett Moses explained that consent:

…should be expressed, it should be voluntary, it should be informed and it should be unbundled…But I think, in particular for schemes like this, that people should be given another means of accessing services without participating in what is meant to be a voluntary scheme.[115]

2.91 Ms Shohini Sengupta, PhD student, Allens Hub, further explained:

…if people are given the option to get a service based on consent and the other option is to not get the service if they do not consent, then that consent becomes meaningless. So we would advise caution against only using the consent framework as a means for people to obtain services—essential services in particular.[116]

2.92 The Law Council echoed her view:

…informed consent is key to compliance with both domestic and international privacy protections. Australians are…already precluded from opting out of inclusion in the federal databases. In addition, the Explanatory Memorandum [EM] acknowledges that access to crucial Government services often depends on the DVS and FVS. The informed consent requirements in the Bill are likely to be of little value to those who lack reasonable alternative means to access the relevant services.[117]

2.93 The AGD pointed out:

There's nothing in this bill that requires an entity to use the identity verification services. If a customer does not consent to use the identity verification services, it's absolutely open to that entity to undertake other forms of identity verification that might be considered appropriate, perhaps in line with other practices that may have occurred in the past. A person not consenting to the use of the identity verification service does not necessarily mean that they won't be able to access the service.[118]

Review of the legislation

2.94The IVS bill would require a statutory review of the legislation and the identity verification services within two years of its passage.[119] Some submitters recommended that a statutory review of the legislation occur after 12 months of operation.[120]

2.95The HTI suggested that there should be an interim review of the operation of the law 12 months from when the bill becomes operational.[121] That interim review would focus on privacy and assess whether the IVS framework, Privacy Act, and Digital ID bill are aligned in terms of the privacy protections offered to Australians.[122]

2.96The Law Council welcomed the requirement for a review of the legislation, noting that it would 'provide a clearer picture of how the identity verification scheme operates in practice'.[123] It suggested that the review should occur '12 months after commencement. This change will ensure that any unintended consequences can be identified and addressed in a timelier manner'.[124]

2.97Professor Bennett Moses agreed that an interim review as proposed by the HTI would be appropriate and added that it should also assess security matters.[125] In particular, it should examine 'whether, in fact, it has improved things or not and also to see whether it has led to any data breaches of its own'.[126]

2.98The AHRC submitted that a review mechanism should be included in the IVS bill, if it is passed prior to the modernisation of the Privacy Act.[127] That review 'would ensure that 12 months after receiving royal assent, the Verification Services Bill would be reviewed alongside the Privacy Act to ensure that subsequent privacy reforms are adequate to protect individuals' data'.[128] The AHRC proposed that further reviews be conducted every 12 months until the Privacy Act reforms are passed before a final examination 12 months later to determine 'the adequacy of privacy protection for individuals'.[129]

2.99DRW favoured the introduction of 'friction' in the introduction of the IVS bill.[130] That 'friction' would slow down the use of identity verification services:

…to guard against expansion and mission creep, and the documentation of that can assist to allow the public to have a proper assessment of whether legislation is still serving its purposes and the limitation are still working in a way that the parliament intended.[131]

2.100The AGD submitted that a statutory review two years after the passage of the legislation would 'allow sufficient time for the identity verification services to operate which will enable a more meaningful review to be conducted'.[132]

Committee view

2.101The Identity Verification Services Bill 2023 would provide a clear legislative framework for the operation of three approved identity verification facilities, and provide privacy and security for users of them.

2.102The Identity Verification Services (Consequential Amendments) Bill 2023 would amend the Australian Passports Act 2005 to enable the Attorney-General to disclose the personal information of individuals participating in the DVS or FVS.

2.103The committee acknowledges that there is a need to provide a legislative basis for the ongoing operation of the identity verification services which, as the Attorney-General's Department highlighted, provide a critical capability to government and industry.

2.104The committee recognises that there is ongoing work on the Digital Identification Bill 2023 and reform of the Privacy Act. The committee welcomes the government's commitment to modernising the privacy regime and ensuring that new legislation aligns with community expectations in relation to the protection of personal information.

2.105The committee is of the view that it is imperative that the IVS bill strikes an appropriate balance between the provision of identity verification services and the protection of individual privacy.

2.106The committee received evidence from several civil society organisations that suggested that the IVS bill should be amended to provide a rule making power to strengthen privacy safeguards. The AGD stated that the Digital Identification Bill 2023 would serve a different purpose and provide a different regulatory framework and, in the committee's view, the rules do not need to be the same as the privacy safeguards outlined in that bill. The committee notes that stakeholders indicated the importance of consultation on any rules made under the new rule making power. A new rule making power to strengthen privacy safeguards should not be subject to a sunset provision to enable proper consultation to occur.

Recommendation 1

2.107The committee recommends that the IVS bill is amended to provide a rule making power to strengthen privacy safeguards.

2.108Evidence to the committee indicated that the terms 'identification information' and 'personal information' are in a state of flux due to the ongoing review of the Privacy Act. The committee agrees with the recommendation made by the OAIC that 'identification information' under the IVS Bill should be considered 'personal information' for the purposes of the Privacy Act. This will clarify the application of the Privacy Act and will more easily enliven the Information Commissioner's functions and powers.

Recommendation 2

2.109The committee recommends that the IVS bill is amended to provide that 'identification information' as defined in clause 6 is 'personal information' for the purposes of the Privacy Act.

2.110The committee agrees with the OAIC's position that it would be appropriate to include a provision in the IVS bill to make certain that a breach of a participation agreement that relates to a privacy matter by an APP entity constitutes an interference with privacy under the Privacy Act. The inclusion of such a provision would enable the Information Commissioner to carry out their enforcement powers, including the ability to deal with privacy complaints.

Recommendation 3

2.111The committee recommends that the IVS bill is amended to provide that a breach of a participation agreement that relates to a privacy matter by an APP entity constitutes an interference with privacy under the Privacy Act.

2.112The committee supports the OAIC's view that the Explanatory Memorandum could be amended to make it clear that participation agreements are intended to be privacy-enhancing and may therefore impose additional requirements to the APPs, but any such requirements must not be contrary to, or inconsistent with, the APPs. Such an amendment would provide additional clarity in relation to the privacy safeguards included in the IVS scheme.

Recommendation 4

2.113The committee recommends that the Explanatory Memorandum is amended to make clear that participation agreements must be privacy-enhancing and consistent with the APPs.

2.114The committee notes evidence from the OAIC that the Explanatory Memorandum should be amended to make it clear that compliance obligations under the IVS bill would not alter entities' obligations under the Privacy Act. The committee supports such an amendment to the Explanatory Memorandum to further clarify entities' privacy obligations.

Recommendation 5

2.115The committee recommends that the Explanatory Memorandum is amended to clarify that the compliance obligations under the bills do not alter a participating entity's obligations under the Privacy Act.

2.116The OAIC advised the committee that the provisions contained in clause 40 of the IVS bill are 'unusual' as they would not activate that office's usual assessment regulatory powers. The HTI, DRW and Law Council also called for an enhanced oversight function and role of the Information Commissioner. The committee agrees that the Information Commissioner should have the power to compel a party to a participation agreement to provide documents relevant to the OAIC's annual assessment without relying on the party's agreement. Bringing the provisions contained in clause 40 of the IVS bill into line with the OAIC's existing assessment powers would assist in securing the independence of the office and strengthen the annual assessment provision of the IVS bill.

Recommendation 6

2.117The committee recommends that clause 40 of the IVS bill is amended to enliven the OAIC's existing assessment powers in subsection 33C(1) of the Privacy Act in relation to the annual assessment requirements.

2.118The committee agrees with the OAIC's recommendation that the IVS bill should be amended to better align the data breach notification requirements with the Notifiable Data Breach Scheme in Part IIIC of the Privacy Act. In particular, it is critical that a party to a participation agreement that is notified by the department of a data breach takes reasonable steps to notify each individual affected by an eligible data breach. That amendment would assist in building public trust in the IVS scheme.

Recommendation 7

2.119The committee recommends that the IVS bill is amended to ensure that individuals are notified when there is a data breach that is likely to cause them serious harm.

2.120The committee supports the strengthening of the OAIC's oversight role and enforcement powers by allowing entrusted persons to disclose protected information to the OAIC or the Information Commissioner. Strengthening those powers would also increase public trust in the IVS scheme.

Recommendation 8

2.121The committee recommends that the IVS bill is amended to allow entrusted persons (for example, a departmental employee) to disclose protected information to the Information Commissioner or an OAIC staff member, for the purpose of the Commissioner or OAIC exercising a power, or performing a function or duty.

2.122The committee supports the OAIC's and HTI's recommendation that the Information Commissioner be consulted prior to any rules being developed under clause 44 of the IVS bill. That consultation would ensure that any rules developed under that clause are privacy-enhancing.

Recommendation 9

2.123The committee recommends that clause 44 of the IVS bill is amended to require the Information Commissioner to be consulted on the rules, as they relate to privacy, before they are made under clause 44.

2.124The committee acknowledges that many civil society organisations indicated that there should be greater consistency between the Digital Identification Bill 2023 and the Identification Verification Services Bill 2023. The committee notes evidence from the AGD that the privacy safeguards and protection in these two bills reflect their differing purposes, scope and policy intent. While the committee acknowledges the differences between the two bills, the committee considers that requiring express consent in the IVS bill would improve consistency and public confidence in the identity verification services. The Australian Banking Association indicated that it did not have any concerns with the Identification Verification Services Bill 2023 requiring express consent. By requiring express consent, individuals will be able to give meaningful consent when they participate in the IVS scheme. The adoption of an expressed consent model would also more closely align the IVS bill with the draft Digital Identification Bill 2023.

Recommendation 10

2.125The committee recommends that the IVS bill is amended to only include express consent and not implied consent.

2.126The committee acknowledges that the IVS bill contains a provision that would require a statutory review of the legislation to commence within two years of the bill's passage. The committee received compelling arguments in favour of an interim 12–month review into the adequacy of the privacy and security protections related to the operation of the IVS scheme. Conflicting evidence was also received about whether the IVS scheme should include a civil penalties framework in addition to the proposed criminal offences in the IVS bill. The committee considers that there should be an interim review to examine the privacy and security protections related to the IVS scheme and determine whether there is merit in developing a civil penalties framework within the scheme. Conducting an interim 12–month review would assist in ensuring that any shortcomings with the privacy and security provisions are identified in a timely manner.

Recommendation 11

2.127The committee recommends that the IVS bill is amended to provide for an interim review after 12 months. That interim review should focus on the adequacy of the privacy and security protections operating in the IVS scheme and whether there is merit in developing a civil penalties framework within the IVS scheme.

Recommendation 12

2.128Subject to the preceding recommendations, the committee recommends that the Senate pass the bills.

Senator Nita Green

Chair

Footnotes

[1]See, for example: Australian Banking Association (ABA), Submission 5, p. 1; Office of the Australian Information Commissioner (OAIC), Submission 11, p. 2; Mr Daniel Mossop, National Manager, Reform Policy and Mutual Evaluation, Australian Transaction Reports and Analysis Centre (AUSTRAC), Committee Hansard, 30 October 2023, p. 33; Ms Lucelle Veneros, Executive Director, Australian Passport Office, Department of Foreign Affairs and Trade (DFAT), Committee Hansard, 30 October 2023, p. 34.

[2]Mr Christopher Taylor, Chief of Policy, ABA, Committee Hansard, 30 October 2023, p. 1.

[3]Mr Taylor, ABA, Committee Hansard, 30 October 2023, p. 1.

[4]Mr Taylor, ABA, Committee Hansard, 30 October 2023, p. 1.

[5]Mr Taylor, ABA, Committee Hansard, 30 October 2023, p. 1.

[6]Mr Taylor, ABA, Committee Hansard, 30 October 2023, p. 1.

[7]Mr Chris Whittingham, General Manager, Financial Crime and Fraud Prevention, Westpac Banking Group, Committee Hansard, 30 October 2023, p. 6.

[8]AUSTRAC, Submission 16, p. 1.

[9]AUSTRAC, Submission 16, p. 1.

[10]AUSTRAC, Submission 16, p. 2.

[11]AUSTRAC, Submission 16, p. 2.

[12]Ms Tara Inverarity, Acting Deputy Secretary, National Security and Criminal Justice Group, Attorney-General's Department (AGD), Committee Hansard, 30 October 2023, p. 36.

[13]See, for example: Law Council of Australia (Law Council), Submission 12, p. 1; Human Technology Institute, UTS (HTI), Submission 4, p. 6; Digital Rights Watch (DRW), Submission 9, p. 2; Human Rights Law Centre, Submission 10, p. 2; Professor Edward Santow, Director, Policy and Governance, HTI, Committee Hansard, 30 October 2023, p. 8.

[14]Professor Santow, HTI, Committee Hansard, 30 October 2023, p. 10.

[15]Professor Santow, HTI, Committee Hansard, 30 October 2023, p. 10.

[16]Mr Nathan MacDonald, Deputy Director of Policy, Law Council, Committee Hansard, 30 October 2023, p. 22.

[17]Professor Santow, HTI, Committee Hansard, 30 October 2023, pp. 10–11.

[18]HTI, Submission 4, p. 2.

[19]HTI, Submission 4, p. 2.

[20]Law Council, Submission 12, p. 2.

[21]Digital Transformation Agency (DTA), Submission 3.1, p. 2.

[22]AGD, Submission 2, p. 3.

[23]Ms Inverarity, AGD, Committee Hansard, 30 October 2023, p. 37.

[24]See, for example: HTI, Submission 4, p. 2; DRW, Submission 9, p. 2; Law Council, Submission 12, p. 5; IIS Partners, Submission 15, p. 1.

[25]HTI, Submission 4, p. 9.

[26]HTI, Submission 4, p. 2.

[27]Law Council, Submission 12, p. 5.

[28]DRW, Submission 9, p. 2.

[29]Committee Hansard, 30 October 2023, p. 16.

[30]IIS Partners, Submission 15, p. 1.

[31]Committee Hansard, 30 October 2023, p. 9.

[32]Law Council, Submission 12, p. 3. Also see: Ms Olga Ganopolsky, Chair, Privacy Law Committee of the Business Law Section, Law Council, Committee Hansard, 30 October 2023, p. 20.

[33]Ms Angelene Falk, Australian Information Commissioner and Privacy Commissioner, OAIC, Committee Hansard, 30 October 2023, p. 29.

[34]Ms Inverarity, AGD, Committee Hansard, 30 October 2023, p. 37.

[35]Committee Hansard, 30 October 2023, pp. 36–37.

[36]DTA, Submission 3.1, p. 2.

[37]Law Council, Submission 12, p. 5.

[38]Law Council of Australia, Submission 12, p. 1.

[39]Law Council of Australia, Submission 12, pp. 1–2. Also see: Ms Ganopolsky, Law Council, Committee Hansard, 30 October 2023, p. 20.

[40]Professor Santow, HTI, Committee Hansard, 30 October 2023, p. 8. Also see: HTI, Submission 4, p. 7.

[41]Professor Santow, HTI, Committee Hansard, 30 October 2023, p. 8. Also see: HTI, Submission 4, p. 3.

[42]Australian Human Rights Commission (AHRC), Submission 7, p. 2.

[43]AHRC, Submission 7, p. 2.

[44]AHRC, Submission 7, p. 2.

[45]HTI, Submission 4, p. 9.

[46]HTI, Submission 4, p. 9.

[47]HTI, Submission 4, p. 9.

[48]Ms O'Shea, DRW, Committee Hansard, 30 October 2023, p. 15. Also see: DRW, Submission 9, p. 3.

[49]Ms O'Shea, DRW, Committee Hansard, 30 October 2023, p. 15. Also see: DRW, Submission 9, p. 3.

[50]Law Council, Submission 12, p. 5. Also see: Ms Ganopolsky, Law Council, Committee Hansard, 30 October 2023, p. 20.

[51]OAIC, Submission 11, p. 6.

[52]HTI, Submission 4, p. 8.

[53]HTI, Submission 4, p. 8.

[54]Mr Taylor, ABA, Committee Hansard, 30 October 2023, pp. 5–6.

[55]Ms Inverarity, AGD, Committee Hansard, 30 October 2023, p. 37.

[56]Ms Inverarity, AGD, Committee Hansard, 30 October 2023, p. 38.

[57]Ms Inverarity, AGD, Committee Hansard, 30 October 2023, p. 36.

[58]HTI, Submission 4, p. 7.

[59]Law Council, Submission 12, p. 3.

[60]Law Council, Submission 12, p. 3.

[61]Law Council, Submission 12, p. 3.

[62]OAIC, Submission 11, p. 3.

[63]Ms Inverarity, AGD, Committee Hansard, 30 October 2023, p. 40.

[64]See, for example: Law Council of Australia, Submission 12, p. 5; NSW Council for Civil Liberties (NSWCCL), Submission 13, p. 2; Equifax, Submission 17, p. 3.

[65]NSWCCL, Submission 13, p. 2.

[66]Law Council, Submission 12, p. 5.

[67]Law Council, Submission 12, p. 5.

[68]Mr MacDonald, Law Council, Committee Hansard, 30 October 2023, p. 22.

[69]Committee Hansard, 30 October 2023, p. 22.

[70]Committee Hansard, 30 October 2023, p. 2. Also see: Equifax, Submission 17, p. 3.

[71]Ms Tehani Legeay, General Manager, Identity, Fraud and Anti-Money Laundering Compliance, Equifax, Committee Hansard, 30 October 2023, p. 2.

[72]Ms Legeay, Equifax, Committee Hansard, 30 October 2023, pp. 2–3.

[73]Mr Taylor, ABA, Committee Hansard, 30 October 2023, p. 1.

[74]Professor Santow, HTI, Committee Hansard, 30 October 2023, p. 12.

[75]DRW, Submission 9, p. 4.

[76]OAIC, Submission 11, p. 4.

[77]OAIC, Submission 11, p. 4.

[78]OAIC, Submission 11, p. 4.

[79]Ms Falk, OAIC, Committee Hansard, 30 October 2023, pp. 34–35.

[80]Ms Inverarity, AGD, Committee Hansard, 30 October 2023, p. 38.

[81]DRW, Submission 9, p. 5.

[82]DRW, Submission 9, p. 5.

[83]OAIC, Submission 11, p. 3.

[84]OAIC, Submission 11, p. 3.

[85]OAIC, Submission 11, p. 3.

[86]OAIC, Submission 11, p. 3.

[87]OAIC, Submission 11, p. 3.

[88]OAIC, Submission 11, p. 3.

[89]OAIC, Submission 11, p. 2.

[90]OAIC, Submission 11, p. 4.

[91]OAIC, Submission 11, p. 4.

[92]OAIC, Submission 11, p. 5.

[93]Law Council, Submission 12, p. 8.

[94]Law Council, Submission 12, p. 8.

[95]OAIC, Submission 11, p. 4.

[96]OAIC, Submission 11, p. 4.

[97]OAIC, Submission 11, pp. 4–5.

[98]OAIC, Submission 11, p. 5.

[99]AGD, Submission 2, p. 19.

[100]AGD, Submission 2, p. 19.

[101]Mr MacDonald, Law Council, Committee Hansard, 30 October 2023, p. 21.

[102]DRW, Submission 9, p. 5.

[103]DRW, Submission 9, p. 5. Also see: EM, p. 53.

[104]DRW, Submission 9, p. 5.

[105]DRW, Submission 9, p. 5.

[106]DRW, Submission 9, p. 5.

[107]NSWCCL, Submission 13, p. 2.

[108]EM, p. 53.

[109]HTI, Submission 4, p. 9.

[110]Mr MacDonald, Law Council, Committee Hansard, 30 October 2023, p. 21.

[111]Mr MacDonald, Law Council, Committee Hansard, 30 October 2023, p. 21.

[112]HTI, Submission 4, p. 9.

[113]HTI, Submission 4, p. 9.

[114]Mr Taylor, ABA, Committee Hansard, 30 October 2023, p. 4.

[115]Professor Bennett Moses, Allens Hub, Committee Hansard, 30 October 2023, p. 12.

[116]Ms Shohini Sengupta, PhD student, Allens Hub, Committee Hansard, 30 October 2023, p. 12.

[117]Law Council, Submission 12, p. 7.

[118]Ms Inverarity, AGD, Committee Hansard, 30 October 2023, p. 44.

[119]Identity Verification Services Bill 2023, cl. 43.

[120]See, for example: HTI, Submission 4, p. 3; Law Council, Submission 12, p. 8.

[121]Professor Santow, HTI, Committee Hansard, 30 October 2023, p. 13. Also see: HTI, Submission 4, p. 19.

[122]Professor Santow, HTI, Committee Hansard, 30 October 2023, p. 13.

[123]Law Council, Submission 12, p. 8. Also see: Ms Ganopolsky, Law Council, Committee Hansard, 30 October 2023, p. 20.

[124]Law Council, Submission 12, p. 8. Also see: Ms Ganopolsky, Law Council, Committee Hansard, 30 October 2023, p. 20.

[125]Professor Lyria Bennett Moses, Director, University of New South Wales Allens Hub for Technology, Law and Innovation (Allens Hub), Committee Hansard, 30 October 2023, p. 14.

[126]Professor Bennett Moses, Allens Hub, Committee Hansard, 30 October 2023, p. 14.

[127]AHRC, Submission 7, p. 2.

[128]AHRC, Submission 7, p. 2.

[129]AHRC, Submission 7, p. 2.

[130]Ms O'Shea, DRW, Committee Hansard, 30 October 2023, p. 17.

[131]Ms O'Shea, DRW, Committee Hansard, 30 October 2023, p. 17.

[132]AGD, Submission 2, p. 20.