
In late 2023, the Federal Parliament of Australia passed legislation introducing a new statutory framework for the Commonwealth’s identity verification services.

The Identity Verification Services Act 2023 (Cth) (the Act) provides a legislative basis to operate three identity verification facilities. Through these facilities, government and private sector entities can verify the personal information of a person against Federal or state government records, such as the electoral roll, passport or drivers licence records.

The Commonwealth’s 1:1 identity verification services are already in heavy use, with the Document Verification Service (DVS) used over 140 million times in 2022. In particular, the DVS is promoted by AUSTRAC, Australia’s Anti Money Laundering/Counter Terrorism Financing regulator, as a means for financial service providers to verify individual customer and beneficial owner information, for the purposes of complying with ‘know your customer’ identity verification requirements under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).1

Access to the DVS is largely governed by contractual terms with the Attorney-General’s Department (the Department) and service agreements with gateway service providers (i.e., the intermediary technology service providers through which private sector entities access the DVS). The Act introduces a new legislative overlay with a particular focus on privacy safeguards that existing and new business users will need to consider in the coming months.

Private sector access to identity verification services

The Act provides that non-government entities can access two 1:1 identity-matching services,2 namely:

  1. The DVS, through which the entity can verify the biographic information of a person contained in any identity document against government records. For example, this would allow a person’s date of birth to be verified against the Commonwealth electoral roll or state drivers licence records. This service is already live, with current access governed under contractual business user terms and conditions.
  2. The Face Verification Service (FVS), through which the entity can verify the biometric information of a person against the image on the person’s government-issued identification document. For example, this would allow a person’s image to be verified against their passport photo. While the existing FVS is only accessible by Commonwealth agencies, the Department has indicated that private sector organisations will have access to the FVS in future. Such access would be subject to compliance with the new requirements under the Act.3

New requirements

Key requirements of the new statutory framework include the following:

The entity seeking to access the 1:1 identity-matching services (the requesting party) must have entered into a written participation agreement with the Department. That agreement would govern the requesting party’s access to the DVS and/or FVS. The participation agreement must meet minimum requirements outlined in the Act (described below).

The Department has indicated that while a model participation agreement is being developed to help guide implementation, the terms appropriate for one class of entities may not be the same for another. For example, the terms appropriate for a major bank may not be appropriate for a small business. We nevertheless expect that the model agreement will be instructive of the Department’s expectations. In particular, we note that the Act contemplates that there may be multiple parties to a participation agreement. Under the existing contractual framework to access the DVS, private sector entities generally enter into separate contractual terms with the Department and gateway service providers. However, the commercial arrangement with gateway service providers is not explicitly dealt with under the Act. It is hoped that the model agreement will provide clarity on whether the Department expects a tripartite participation agreement between a requesting party, the Department and a gateway service provider moving forward, or if these will remain separate contractual documents.

While agreements entered into before the commencement of the Act can be treated as a participation agreement (provided the minimum requirements are adequately dealt with), the Department is required to publish copies of participation agreements online. As such, some entities may decide to uplift and leverage existing agreements. However, caution should be taken, particularly where existing access to the DVS may be governed by master service agreements with gateway service providers that cover a range of services in addition to the DVS, the terms of which may be commercially sensitive.

Core to the identity verification services is the exchange of personal and/or sensitive information. Accordingly, each party to a participation agreement must:

  • be subject to the Privacy Act 1988 (Cth) (i.e., an APP entity);4
  • agree to be subject to the Australian Privacy Principles; or
  • otherwise be subject to the privacy laws of a state or territory prescribed by the Rules for the purposes of the Act.

The participation agreement must provide for privacy impact assessments in connection with requesting identity verification services. This may be satisfied by completing a privacy impact assessment specific to the requesting entity, or being within scope of a privacy impact assessment completed for its class of requesting entities.

The participation agreement must provide:

  • that the express consent of an individual must be obtained for the collection, use and disclosure of the identification information for the purposes of accessing the DVS or FVS;
  • that information regarding specified matters is disclosed to the person providing express consent, including:
    • the consequences of declining consent. For example, if the requesting party cannot verify a customer’s identification information online where the customer declines consent, advising the customer that they will need to attend a branch of the business in person with their identity documentation for manual verification;
    • how the requesting entity uses the identity verification services;
    • how any facial images of the person collected will be used, retained for a purpose other than identity verification (if applicable) and disposed of;
    • a description of the legal obligations the requesting party has in relation to that information;
    • a description of the rights the person has in relation to the collection of the identification information; and
    • a description of how the person can get information about making complaints relating to the collection, use and disclosure of the identification information.

A participation agreement must provide that each party has arrangements in place to deal with complaints from individuals whose identification information is held by them. This is not novel for financial services institutions, which will likely have an internal dispute resolution system in place for compliance with ASIC’s RG 271 on Internal Dispute Resolution.

This requirement is not intended to preclude any separate complaint mechanisms that may be available, such as complaints under the Privacy Act or to an applicable Ombudsman.

A participation agreement must provide that each party must report to the Department on breaches of security that relate to matters dealt with in the agreement. Where a data breach is likely to result in serious harm to an individual whose data is involved in the breach:

  • reasonable steps must be taken to notify persons impacted by the data breach; and
  • the Department will be required to report the breach to the Information Commissioner.

A participation agreement must provide that a requesting party is required to comply with the access policies for the DVS and/or FVS. 

A participation agreement must provide that requesting parties:

  • only use the DVS or FVS for the purposes of verifying the identity of an individual;
  • not use or disclose identification information to create a data profile of the person being verified, conduct market research or advertise / offer goods or services;
  • not disclose identification information received from the identity verification services unless required by law or permitted by law as specified in the agreement; and
  • if accessing the FVS, take reasonable steps to destroy each facial image as soon as reasonably practicable after the image is no longer required (unless required to retain the facial image by law).

Government authorities that make available identification information may also limit the purposes for which that information can be used.

A participation agreement must provide for annual auditing of compliance with the agreement, with each party required to report to the Department annually on their compliance. 

A participation agreement must provide for a right of suspension or termination of the ability to access the identity verification services if the party does not comply with:

  • the terms of the participation agreement;
  • Rules made by the Minister under the Act to give effect to the Act; or
  • the access policies for the DVS or FVS.

Additionally, where a party is an APP entity and breaches an obligation in a participation agreement relating to the personal information of an individual, the breach is taken to be an interference with privacy of the individual for the purposes of the Privacy Act. This enlivens the civil penalty regime under the Privacy Act for serious and repeated interferences with privacy.

In response to criticisms that there was no standalone civil penalty regime within the body of the Act for non-compliance, an amendment was passed requiring the Minister to conduct a review of the Act within 12 – 24 months of commencement. The review is required to consider the adequacy of the privacy protections and security requirements contained in the Act, as well as whether civil penalties for non-compliance should be introduced.

On 3 April 2024, the Department opened submissions on the draft rules (Rules) to be made under the Act. The draft Rules address matters to support the operation of the identity verification services and the Act, including:

  • prescribing the specific state and territory privacy laws which apply to participation agreements under the Act. Entities subject to these laws (e.g., state and territory government agencies) will be eligible to become party to a participation agreement; and
  • prescribing the fees that government authorities and private sector organisations will pay to connect and use the identity verification services.

In response to industry concerns regarding the lead time required to negotiate and implement participation agreements, there is a staggered approach to the commencement of the obligations within the Act.

The operative provisions relevant to private sector entities accessing the DVS / FVS are due to commence on the same date as the commencement of the Rules, which is set for 14 June 2024 (the commencement date).

From the commencement date, there is a 12-month grace period before the requirement to be a party to a participation agreement takes effect (participation agreement date). The grace period for the participation agreement date may be extended to up to 18 months if prescribed by the Minister under the Rules. This extension of the grace period is not currently contemplated in the draft Rules open for consultation.

  2. The Act also authorises 1:many matching services for the limited purpose of protecting the identity of persons with a legally assumed identity, such as undercover police officers and protected witnesses. We have not canvassed this use case in this article.
  4. Entities domiciled in New Zealand may also access the DVS, provided that they are subject to the Privacy Act 1993 of New Zealand.

Key contacts

Alice Molan, Partner, Melbourne

Charlotte Henry, Partner, Sydney

Ayman Shash, Solicitor, Melbourne
