New legislative framework for Australian identity verification services

The entity seeking to access the 1:1 identity-matching services (the requesting party) must have entered into a written participation agreement with the Department. That agreement would govern the requesting party’s access to the DVS and/or FVS. The participation agreement must meet minimum requirements outlined in the Act (described below).

The Department has indicated that while a model participation agreement is being developed to help guide implementation, the terms appropriate for one class of entities may not be the same for another. For example, the terms appropriate for a major bank may not be appropriate for a small business. We nevertheless expect that the model agreement will be instructive of the Department’s expectations. In particular, we note that the Act contemplates that there may be multiple parties to a participation agreement. Under the existing contractual framework to access the DVS, private sector entities generally enter into separate contractual terms with the Department and gateway service providers. However, the commercial arrangement with gateway service providers is not explicitly dealt with under the Act. It is hoped that the model agreement will provide clarity on whether the Department expects a tripartite participation agreement between a requesting party, the Department and a gateway service provider moving forward, or if these will remain separate contractual documents.

While agreements entered into before the commencement of the Act can be treated as a participation agreement (provided the minimum requirements are adequately dealt with), the Department is required to publish copies of participation agreements online. As such, some entities may decide to uplift and leverage existing agreements. However, caution should be taken, particularly where existing access to the DVS may be governed by master service agreements with gateway service providers that cover a range of services in addition to the DVS, the terms of which may be commercially sensitive.

Core to the identity verification services is the exchange of personal and/or sensitive information. Accordingly, each party to a participation agreement must:

• be subject to the Privacy Act 1988 (Cth) (i.e., an APP entity);⁴
• agree to be subject to the Australian Privacy Principles; or
• otherwise be subject to the privacy laws of a state or territory prescribed by the Rules for the purposes of the Act.

The participation agreement must provide for privacy impact assessments in connection with requesting identity verification services. This may be satisfied by completing a privacy impact assessment specific to the requesting entity, or being within scope of a privacy impact assessment completed for its class of requesting entities.

The participation agreement must provide:

• that the express consent of an individual must be obtained for the collection, use and disclosure of the identification information for the purposes of accessing the DVS or FVS;
• that information regarding specified matters are disclosed to the person providing express consent, including:
  • the consequences of declining consent. For example, if the requesting party is not able to verify a customer’s identification information online if they decline their consent, advising the customer that they will need to attend a branch of the business in person with their identity documentation for manual verification;
  • how the requesting entity uses the identity verification services;
  • how any facial images of the person collected will be used, retained for a purpose other than identity verification (if applicable) and disposed of;
  • a description of the legal obligations the requesting party has in relation to that information;
  • a description of the rights the person has in relation to the collection of the identification information; and
  • a description of how the person can get information about making complaints relating to the collection, use and disclosure of the identification information.

A participation agreement must provide that each party has arrangements in place to deal with complaints from individuals whose identification information is held by them. This is not novel for financial services institutions, who will likely have an internal dispute resolution system in place for compliance with ASIC’s RG 271 on Internal Dispute Resolution.

This requirement is not intended to preclude any separate complaint mechanisms that may be available, such as complaints under the Privacy Act or to an applicable Ombudsman.

A participation agreement must provide that each party must report to the Department on breaches of security that relate to matters dealt with in the agreement. Where a data breach is likely to result in serious harm to an individual whose data is involved in the breach:

• reasonable steps must be taken to notify persons impacted by the data breach; and
• the Department will be required to report the breach to the Information Commissioner.

A participation agreement must provide that a requesting party is required to comply with the access policies for the DVS and/or FVS. 

A participation agreement must provide that requesting parties:

• only use the DVS or FVS for the purposes of verifying the identity of an individual;
• not use or disclose identification information to create a data profile of the person being verified, conduct market research or advertise / offer goods or services;
• not disclose identification information received from the identity verification services unless required by law or permitted by law as specified in the agreement; and
• if accessing the FVS, take reasonable steps to destroy each facial image as soon as reasonably practicable after the image is no longer required (unless required to retain the facial image by law).

Government authorities that make available identification information may also limit the purposes for which that information can be used.

A participation agreement must provide for annual auditing of compliance with the agreement, with each party required to report to the Department annually on their compliance. 

A participation agreement must provide for a right of suspension or termination of the ability to access the identity verification services if the party does not comply with:

• the terms of the participation agreement;
• Rules made by the Minister under the Act to give effect to the Act; or
• the access policies for the DVS or FVS.

Additionally, where a party is an APP entity and breaches an obligation in a participation agreement relating to the personal information of an individual, the breach is taken to be an interference with privacy of the individual for the purposes of the Privacy Act. This enlivens the civil penalty regime under the Privacy Act for serious and repeated interferences with privacy.

In response to criticisms that there was no standalone civil penalty regime within the body of the Act for non-compliance, an amendment was passed requiring the Minister to conduct a review of the Act within 12 – 24 months of commencement. The review is required to consider the adequacy of the privacy protections and security requirements contained in the Act, as well as whether civil penalties for non-compliance should be introduced.

On 3 April 2024, the Department opened submissions on the draft rules (Rules) to be made under the Act. The draft Rules address matters to support the operation of the identity verification services and the Act, including:

• prescribing the specific state and territory privacy laws which apply to participation agreements under the Act. Entities subject to these laws (e.g., state and territory government agencies) will be eligible to become party to a participation agreement.
• Prescribing the fees that government authorities and private sector organisations will pay to connect and use the identity verification services.