Commonwealth of Australia Bills Commonwealth of Australia Bills[Index] [Search] [Download] [Related Items] [Help]
This is a Bill, not an Act. For current law, see the Acts databases.
2022-2023
The Parliament of the
Commonwealth of Australia
HOUSE OF REPRESENTATIVES
Presented and read a first time
Identity Verification Services Bill 2023
No. , 2023
(Attorney-General)
A Bill for an Act about dealing with information for
providing identity verification services, and for
related purposes
No. , 2023
Identity Verification Services Bill 2023
i
Contents
Part 1
--
Preliminary
1
Division 1
--
Preliminary
1
1
Short title ........................................................................................... 1
2
Commencement ................................................................................. 2
3
Objects of this Act ............................................................................. 2
4
Simplified outline of this Act ............................................................ 3
Division 2
--
Definitions
5
Subdivision A
--
General definitions
5
5
Definitions ......................................................................................... 5
6
Definitions relating to identification information ............................ 10
Subdivision B
--
Common provisions for definitions of identity
verification services
14
7
Simplified outline of this Subdivision ............................................. 14
8
Definition of
participation agreement
............................................. 15
9
General privacy obligations of parties to participation
agreement ........................................................................................ 16
10
Extra privacy obligations of parties to participation
agreement that request services ....................................................... 18
11
Participation agreement must let parties limit use of
identification information they make available for identity
verification services ......................................................................... 19
12
Requirements relating to compliance with participation
agreement ........................................................................................ 19
13
NDLFRS hosting agreement............................................................ 19
14
Access policies for services ............................................................. 22
Subdivision C
--
Definition of DVS
22
15
Definition of
DVS
............................................................................ 22
Subdivision D
--
Definition of FIS
24
16
Definition of
FIS
............................................................................. 24
17
Requirements for valid request for FIS ............................................ 24
18
Characteristics and purpose of comparison involved in FIS ............ 26
Subdivision E
--
Definition of FVS
27
19
Definition of
FVS
............................................................................ 27
20
Characteristics and purpose of comparison involved in FVS .......... 28
Division 3
--
Miscellaneous
29
21
False and misleading statements in requests for services ................ 29
22
This Act binds Crown ...................................................................... 29
ii
Identity Verification Services Bill 2023
No. , 2023
Part 2
--
Developing, operating and maintaining approved
identity verification facilities
30
23
Simplified outline of this Part .......................................................... 30
24
Department may develop, operate and maintain approved
identity verification facilities ........................................................... 30
25
How facilities are to be developed, operated and maintained .......... 30
Part 3
--
Authorising collection, use and disclosure of
identification information
31
Division 1
--
Simplified outline
31
26
Simplified outline of this Part .......................................................... 31
Division 2
--
Collection, use and disclosure of identification
information by the Department
32
27
Collection of identification information by the Department ............ 32
28
Use and disclosure of identification information by the
Department ...................................................................................... 33
Part 4
--
Protection of information
35
Division 1
--
Simplified outline
35
29
Simplified outline of this Part .......................................................... 35
Division 2
--
When protected information can be recorded,
disclosed or accessed
36
30
Offences by entrusted persons ......................................................... 36
31
Exercising powers, or performing functions or duties, as an
entrusted person ............................................................................... 38
32
Disclosure to lessen or prevent threat to life or health ..................... 38
33
Disclosure to IGIS official ............................................................... 39
34
Disclosure to Ombudsman official .................................................. 39
35
Disclosure etc. with consent ............................................................ 39
Part 5
--
Miscellaneous
41
36
Simplified outline of this Part .......................................................... 41
37
No requirement for individuals to identify themselves .................... 41
38
Delegation of Secretary's powers and functions under this
Act ................................................................................................... 42
39
Publication of agreements and policies............................................ 42
40
Annual assessment by Information Commissioner .......................... 43
41
Annual reporting .............................................................................. 43
42
Fees ................................................................................................. 46
43
Review of operation of this Act and provision of identity
verification services ......................................................................... 46
No. , 2023
Identity Verification Services Bill 2023
iii
44
Rules ................................................................................................ 46
No. , 2023
Identity Verification Services Bill 2023
1
A Bill for an Act about dealing with information for
1
providing identity verification services, and for
2
related purposes
3
The Parliament of Australia enacts:
4
Part
1--Preliminary
5
Division
1--Preliminary
6
1 Short title
7
This Act is the
Identity Verification Services Act 2023.
8
Part 1
Preliminary
Division 1
Preliminary
Section 2
2
Identity Verification Services Bill 2023
No. , 2023
2 Commencement
1
(1) Each provision of this Act specified in column 1 of the table
2
commences, or is taken to have commenced, in accordance with
3
column 2 of the table. Any other statement in column 2 has effect
4
according to its terms.
5
6
Commencement information
Column 1
Column 2
Column 3
Provisions
Commencement
Date/Details
1. The whole of
this Act
The day after this Act receives the Royal
Assent.
Note:
This table relates only to the provisions of this Act as originally
7
enacted. It will not be amended to deal with any later amendments of
8
this Act.
9
(2) Any information in column 3 of the table is not part of this Act.
10
Information may be inserted in this column, or information in it
11
may be edited, in any published version of this Act.
12
3 Objects of this Act
13
The objects of this Act are:
14
(a) to authorise the Department to develop, operate and maintain
15
the 3 approved identity verification facilities (the DVS hub,
16
the Face Matching Service Hub and the NDLFRS); and
17
(b) to authorise the Department (but not other persons or bodies)
18
to collect, use and disclose identification information
19
communicated to an approved identity verification facility, or
20
generated using the NDLFRS, for purposes relating to:
21
(i) verifying the identity of an individual using a DVS or
22
FVS; or
23
(ii) protecting a shielded person or someone else associated
24
with a shielded person using an FVS or FIS; or
25
(iii) the NDLFRS; and
26
(c) to protect identification information communicated to
27
approved identity verification facilities, and certain other
28
information relating to the use or security of those facilities,
29
Preliminary
Part 1
Preliminary
Division 1
Section 4
No. , 2023
Identity Verification Services Bill 2023
3
from unauthorised recording, disclosure or access by certain
1
persons who do work for the Department; and
2
(d) to provide for oversight and scrutiny of the operation and
3
management of the approved identity verification facilities.
4
4 Simplified outline of this Act
5
The Department may develop and operate the 3 approved identity
6
verification facilities. They are:
7
(a) the DVS hub, which relays electronic communications
8
between persons and bodies requesting and providing
9
DVSs (which stands for Document Verification Service,
10
a particular kind of 1:1 matching service); and
11
(b) the Face Matching Service Hub, which relays electronic
12
communications between persons and bodies requesting
13
and providing identity verification services; and
14
(c) the NDLFRS, which includes a database of
15
identification information from State and Territory
16
authorities and may be used to provide identity
17
verification services.
18
There are 2 kinds of identity verification services:
19
(a) 1:1 matching services (FVS (which stands for Face
20
Verification Service) and DVS); and
21
(b) 1:many matching services (Face Identification Service
22
or FIS).
23
A 1:1 matching service matches particular biometric information
24
(such as a photograph) or biographic information (such as a name
25
or date of birth) against a particular record. A 1:many matching
26
service compares a facial image (such as a photograph) against
27
other facial images.
28
The Department may collect identification information through the
29
approved identity verification facilities for any of the following
30
purposes:
31
(a) providing or developing DVSs or FVSs for the purposes
32
of verifying the identity of individuals;
33
Part 1
Preliminary
Division 1
Preliminary
Section 4
4
Identity Verification Services Bill 2023
No. , 2023
(b) providing or developing FVSs or FISs for the purposes
1
of protecting identities of persons (or associates) who
2
have legally assumed identities or are under witness
3
protection;
4
(c) developing, operating or maintaining the NDLFRS.
5
The Department may use or disclose for any of those purposes
6
information so collected.
7
An identity verification service involves a request for an electronic
8
comparison of identification information that relates to an
9
individual to do any of the following:
10
(a)
verify the individual's identity
;
11
(b) protect the identity of the individual if the individual is a
12
shielded person;
13
(c) manage identification information that relates to the
14
individual in the NDLFRS.
15
Those requests can be made only by parties to agreements that
16
contain safeguards for the privacy of individuals whose
17
identification information is used in requesting or providing the
18
services. The identification information used for comparison with
19
that in the request must have been supplied by a government
20
authority that is party to such an agreement.
21
Persons who work for the Department, and contractors whose
22
duties relate to an approved identity verification facility, may
23
commit an offence for unauthorised recording, disclosure of or
24
access to certain information held in, generated using or relating to
25
an approved identity verification facility.
26
Operation and use of the approved identity verification facilities
27
are open to oversight and scrutiny in various ways, including
28
publication of documents, annual assessment by the Information
29
Commissioner and annual reporting.
30
Preliminary
Part 1
Definitions
Division 2
Section 5
No. , 2023
Identity Verification Services Bill 2023
5
Division
2--Definitions
1
Subdivision A
--
General definitions
2
5 Definitions
3
In this Act:
4
1:1 matching service
means DVS or FVS.
5
1:many matching service
means FIS.
6
access policy
has the meaning given by section 14.
7
approved identity verification facility
means:
8
(a) the DVS hub; or
9
(b) the Face Matching Service Hub; or
10
(c) the NDLFRS.
11
data breach
means an occurrence of unauthorised access to,
12
unauthorised disclosure of or loss of identification information.
13
DVS
has the meaning given by section 15.
14
Note:
DVS is short for Document Verification Service, a term used in the
15
intergovernmental agreement.
16
DVS document
means any of the following:
17
(a) a birth certificate issued by or on behalf of an authority of a
18
State or Territory;
19
(b) a death certificate issued by or on behalf of an authority of a
20
State or Territory;
21
(c) a concession card (within the meaning of the
Social Security
22
Act 1991
);
23
(d) a notice given under section 37 of the
Australian Citizenship
24
Act 2007
stating that a person is an Australian citizen at a
25
particular time;
26
(e) a certificate issued by an authority of a State or Territory
27
indi
cating that an individual has changed the individual's
28
name;
29
Part 1
Preliminary
Division 2
Definitions
Section 5
6
Identity Verification Services Bill 2023
No. , 2023
(f)
a driver's licence (however described) issued by or on behalf
1
of an authority of a State or Territory;
2
(g) a document issued by or on behalf of an authority of a State
3
or Territory to assis
t an individual to prove the individual's
4
age or identity;
5
(h) a document issued to an individual, as a person who is not an
6
Australian citizen, by the Department administered by the
7
Minister administering the
Migration Act 1958
to assist the
8
individual t
o prove the individual's identity;
9
(i) a certificate of marriage issued by or on behalf of an
10
authority of a State or Territory whose function it is to
11
register marriages;
12
(j) a document issued by a court setting out a divorce order
13
made under the
Family Law Act 1975
;
14
(k) an Australian travel document (within the meaning of the
15
Australian Passports Act 2005
);
16
(l) a certificate signed by an officer (within the meaning of the
17
Migration Act 1958
) stating that, at a specified time, or
18
during a specified period, a specified person was the holder
19
of a visa that was in effect;
20
(m) an entry in a Roll (within the meaning of the
Commonwealth
21
Electoral Act 1918
) relating to a particular individual;
22
(n) an aviation security identification card issued under
23
regulations made for the purposes of the
Aviation Transport
24
Security Act 2004
;
25
(o) an MSIC issued under regulations made for the purposes of
26
the
Maritime Transport and Offshore Facilities Security Act
27
2003
;
28
(p) a medicare card (within the meaning of subsection 84(1) of
29
the
National Health Act 1953
).
30
DVS hub
means a facility that:
31
(a) is for relaying electronic communications between persons
32
and bodies for the purposes of requesting and providing
33
DVSs; and
34
(b) is developed, operated and maintained by the Department
35
under Part 2.
36
Preliminary
Part 1
Definitions
Division 2
Section 5
No. , 2023
Identity Verification Services Bill 2023
7
DVS information
has the meaning given by section 6.
1
electronic communication
means a communication of information,
2
in the form of data, text or images by means of guided
3
electromagnetic energy, unguided electromagnetic energy or both,
4
carried by a telegraphic, telephonic or other like service within the
5
meaning of section 51(v) of the Constitution.
6
entrusted person
has the meaning given by section 30.
7
Face Matching Service Hub
means a facility that:
8
(a) is for relaying electronic communications between persons
9
and bodies for the purposes of requesting and providing
10
identity verification services; and
11
(b) is developed, operated and maintained by the Department
12
under Part 2.
13
face-matching service information
has the meaning given by
14
section 6.
15
facial image
means a digital still image of an individual's face
16
(whether or not including the shoulders).
17
FIS
has the meaning given by section 16.
18
Note:
FIS is short for Face Identification Service, a term used in the
19
intergovernmental agreement.
20
FVS
has the meaning given by section 19.
21
Note:
FVS is short for Face Verification Service, a term used in the
22
intergovernmental agreement.
23
government authority
means:
24
(a) an authority of the Commonwealth; or
25
(b) an authority of a State or Territory;
26
other than a local government authority.
27
government identification document
means a document or other
28
thing that:
29
(a) contains identification information; and
30
Part 1
Preliminary
Division 2
Definitions
Section 5
8
Identity Verification Services Bill 2023
No. , 2023
(b) can be used to identify an individual or to pass an individual
1
off as someone else (whether living, dead, real or fictitious);
2
and
3
(c) is issued by or on behalf of a government authority.
4
identification information
has the meaning given by section 6.
5
identity verification service
means:
6
(a) a 1:1 matching service; or
7
(b) a 1:many matching service.
8
IGIS official
means:
9
(a) the Inspector-General of Intelligence and Security; or
10
(b) a member of the staff referred to in subsection 32(1) of the
11
Inspector-General of Intelligence and Security Act 1986
.
12
intergovernmental agreement
means the Intergovernmental
13
Agreement on Identity Matching Services made on 5 October 2017
14
by the Commonwealth, the States, the Australian Capital Territory
15
and the Northern Territory.
16
Note:
The intergovernmental agreement must be published on the
17
Departm
ent's website
(see section 39).
18
NDLFRS
means a system that consists of:
19
(a) a database of identification information that:
20
(i) is also either contained in government identification
21
documents issued by or on behalf of an authority of a
22
State or Territory or associated with those documents by
23
the authority; and
24
(ii) is supplied by or on behalf of the authority to the
25
Department by electronic communication for inclusion
26
in the database; and
27
(b) a system for biometric comparison of facial images with
28
facial images that are in the database described in
29
paragraph (a);
30
and is developed, operated and maintained by the Department
31
under Part 2.
32
Note:
NDLFRS is short for National Driver Licence Facial Recognition
33
Solution, a term used in the intergovernmental agreement.
34
Preliminary
Part 1
Definitions
Division 2
Section 5
No. , 2023
Identity Verification Services Bill 2023
9
NDLFRS hosting agreement
has the meaning given by section 13.
1
non-government entity
means a person, or body, other than:
2
(a) the Commonwealth, a State or a Territory; or
3
(b) a government authority.
4
Note:
Local government authorities are non-government entities because
5
they are excluded from the definition of
government authority
.
6
Authorities of New Zealand are non-government entities because they
7
are not covered by the definition of
government authority
.
8
Ombudsman official
means:
9
(a) the Commonwealth Ombudsman; or
10
(b) a Deputy Commonwealth Ombudsman; or
11
(c) a member of the staff referred to in subsection 31(1) of the
12
Ombudsman Act 1976
.
13
participation agreement
has the meaning given by section 8.
14
personal information
has the meaning given by section 6 of the
15
Privacy Act 1988
.
16
privacy impact assessment
has the meaning given by
17
subsection 33D(3) of the
Privacy Act 1988
.
18
protected information
has the meaning given by section 30.
19
rules
means rules made under section 44.
20
Secretary
means the Secretary of the Department.
21
shielded person
means a person to whom one or more of the
22
following paragraphs apply:
23
(a) the person has acquired or used an assumed identity under
24
Part IAC of the
Crimes Act 1914
or a corresponding assumed
25
identity law within the meaning of that Part;
26
(b) an authority for the person to acquire or use an assumed
27
identity has been granted under that Part or such a law;
28
(c) a witness identity protection certificate has been given for the
29
person under Part IACA of the
Crimes Act 1914
;
30
(d) a corresponding witness identity protection certificate has
31
been given for the person under a corresponding witness
32
Part 1
Preliminary
Division 2
Definitions
Section 6
10
Identity Verification Services Bill 2023
No. , 2023
identity protection law within the meaning of Part IACA of
1
the
Crimes Act 1914
;
2
(e) the person is a participant (as defined in the
Witness
3
Protection Act 1994
);
4
(f) the person is or was on a witness protection program
5
conducted by a State or Territory in which a complementary
6
witness protection law (as defined in the
Witness Protection
7
Act 1994
) is in force;
8
(g) the person is involved in administering such a program under
9
such a law and the person has acquired an identity under that
10
law.
11
6 Definitions relating to identification information
12
Definition of
identification information
13
(1)
Identification information
is:
14
(a) face-matching service information; or
15
(b) DVS information.
16
Definition of
face-matching service information
17
(2)
Face-matching service information
that relates to an individual
18
(whether living, dead, real or fictitious) is any of the following,
19
subject to subsections (4) and (5):
20
(a) a name by which the individual is or has been known;
21
(b) a current or former address of the individual;
22
(c) the place or date the individual was born;
23
(d) the age of the individual (whether expressed by reference to a
24
range or not);
25
(e) the current or former sex, gender identity or intersex status of
26
the individual;
27
(f) information about whether the individual is alive or dead;
28
(g) any information that is:
29
(i)
contained in a driver's licence (however described)
30
issued by or on behalf of an authority of a State or
31
Territory in a name of the individual; or
32
Preliminary
Part 1
Definitions
Division 2
Section 6
No. , 2023
Identity Verification Services Bill 2023
11
(ii) otherwise associated with such a licence by such an
1
authority;
2
(h) any information that is:
3
(i) contained in any document (however described) that is
4
issued by or on behalf of an authority of a State or
5
Territory in a name of the individual, contains a
6
photograph purporting to be of the individual and can be
7
used to assist in proving the individual's identity; or
8
(ii) otherwise associated with such a document by the
9
authority;
10
(i) any information that is:
11
(i) contained in a document issued to the individual, as a
12
person who is not an Australian citizen, by the
13
Department administered by the Minister administering
14
the
Migration Act 1958
to assist the individual to prove
15
the individual's identity; or
16
(ii) otherwise associated with such a document by that
17
Department;
18
(j) any information that is:
19
(i) contained in an Australian travel document (within the
20
meaning of the
Australian Passports Act 2005
) issued in
21
a name of the individual; or
22
(ii) otherwise associated with the Australian travel
23
document by the Minister administering the
Australian
24
Passports Act 2005
or the Department administered by
25
that Minister; or
26
(iii) otherwise associated with the Australian travel
27
document by a government authority by which the
28
travel document may be inspected or seized under a law
29
of the Commonwealth or of a State or Territory;
30
(k) any information that is:
31
(i) contained in a foreign travel document (within the
32
meaning of the
Foreign Passports (Law Enforcement
33
and Security) Act 2005
) issued in a name of the
34
individual; or
35
(ii) otherwise associated with the foreign travel document
36
by a government authority by which the travel
37
Part 1
Preliminary
Division 2
Definitions
Section 6
12
Identity Verification Services Bill 2023
No. , 2023
document may be inspected or seized under a law of the
1
Commonwealth or of a State or Territory;
2
(l)
the individual's current or former citizenship;
3
(m) any information that is:
4
(i) contained in a current or past application for Australian
5
citizenship for the individual; or
6
(ii) contained in a document issued by an authority of the
7
Commonwealth to provide evidence that the individual
8
is or was an Australian citizen; or
9
(iii) otherwise associated with an application or document
10
described in subparagraph (i) or (ii) by the Department
11
administered by the Minister administering the
12
Australian Citizenship Act 2007
;
13
(n) information about a visa, or an entry permit under the
14
Migration Act 1958
, that the individual holds or held;
15
(o) any information that is:
16
(i) contained in a current or past application for a visa, or
17
entry permit, for the individual under the
Migration Act
18
1958
; or
19
(ii) contained in a visa, or entry permit, for the individual
20
granted under that Act; or
21
(iii) otherwise associated with an application, visa or entry
22
permit described in subparagraph (i) or (ii) by the
23
Department administered by the Minister administering
24
that Act;
25
(p) a facial image of the individual, a biometric template derived
26
from such an image or a result of biometric comparison
27
involving such an image;
28
(q) information about the outcome of a comparison involved in
29
an FVS requested in relation to the individual.
30
Definition of
DVS information
31
(3)
DVS information
that relates to an individual is either of the
32
following, subject to subsections (4) and (5):
33
(a) information (but not a facial image or biometric information)
34
that either:
35
Preliminary
Part 1
Definitions
Division 2
Section 6
No. , 2023
Identity Verification Services Bill 2023
13
(i) is contained in a document (the
specimen document
)
1
that relates to the individual and purports to be a DVS
2
document of a particular kind; or
3
(ii) is, or is reasonably expected to be, associated, with a
4
DVS document of a particular kind relating to the
5
individual, by a government authority that is responsible
6
for the issue of DVS documents of that kind;
7
and helps indicate whether the specimen document is a DVS
8
document of that kind;
9
(b) information about the outcome of a comparison involved in a
10
DVS relating to the individual.
11
What is not face-matching service information or DVS information
12
(4) The following is neither face-matching service information, nor
13
DVS information, that relates to an individual:
14
(a) information or an opinion that relates to
the individual's:
15
(i) racial or ethnic origin; or
16
(ii) political opinions; or
17
(iii) membership of a political association; or
18
(iv) religious beliefs or affiliations; or
19
(v) philosophical beliefs; or
20
(vi) membership of a professional or trade association; or
21
(vii) membership of a trade union; or
22
(viii) sexual orientation or practices; or
23
(ix) criminal record;
24
(b) health information (within the meaning of the
Privacy Act
25
1988
) that relates to the individual;
26
(c) genetic information that relates to the individual.
27
(5) Subsection (4) does not prevent information described in any of the
28
paragraphs of subsection (2) or (3) from being face-matching
29
service information or DVS information if the information is not
30
primarily of any of the kinds described in subsection (4), even if
31
information of any of those kinds can reasonably be inferred from
32
the information.
33
Example 1: Even
if an individual's racial or ethnic origin can reasonably be
34
inferred from the individual's name or place of birth, this does not
35
Part 1
Preliminary
Division 2
Definitions
Section 7
14
Identity Verification Services Bill 2023
No. , 2023
prevent the individual's name or place of birth from being
1
face-matching service information or DVS information.
2
Example 2: Ev
en if an individual's racial or ethnic origin or religious affiliations
3
can reasonably be inferred from a facial image of the individual, this
4
does not prevent the image from being face-matching service
5
information.
6
Subdivision B
--
Common provisions for definitions of identity
7
verification services
8
7 Simplified outline of this Subdivision
9
Two types of agreement govern the requesting and provision of
10
identity verification services:
11
(a) participation agreements (which are agreements between
12
the Department and other authorities, persons and bodies
13
about the requesting and provision of identity
14
verification services using the approved identity
15
verification facilities); and
16
(b) the NDLFRS hosting agreement (which is an agreement
17
between the Department and authorities of a State or
18
Territory that supply identification information stored
19
and used in the NDLFRS).
20
A request for an identity verification service can be made only by a
21
party to a participation agreement, and only identification
22
information made available by a party to a participation agreement
23
can be used in an identity verification service.
24
The Department may develop, operate and maintain the approved
25
identity verification facilities. The Department is required to
26
maintain the security of electronic communications to and from the
27
facility, including by encrypting the information, and to protect the
28
information from unauthorised interference or unauthorised access.
29
Participation agreements and the NDLFRS hosting agreement
30
contain safeguards for the privacy of individuals whose
31
identification information is used in requesting identity verification
32
services or responding to such requests. The safeguards include
33
Preliminary
Part 1
Definitions
Division 2
Section 8
No. , 2023
Identity Verification Services Bill 2023
15
committing the parties to the agreement to complying with
1
standards set by the
Privacy Act 1988
or similar State or Territory
2
laws (even if those standards would not otherwise apply to a party).
3
Participation agreements also need to provide for a range of other
4
privacy safeguards relating to identity verification services,
5
including:
6
(a) privacy impact assessments of requesting the services;
7
and
8
(b)
obtaining an individual's consent to the collection, use
9
and disclosure of the individual's identification
10
information for the purposes of requesting the services
11
(unless the collection, use and disclosure is by a
12
government authority authorised by another law to do
13
so); and
14
(c) limits on the purposes for which the services may be
15
requested and on what may be done with information
16
received in response to requests; and
17
(d) annual reporting and auditing of compliance with
18
agreements; and
19
(e)
suspension or termination of a party's ability to request
20
services if the party has not complied with the
21
agreement or access policies for the services.
22
8 Definition of
participation agreement
23
(1) A
participation agreement
is a written agreement, between the
24
Department (representing the Commonwealth) and one or more
25
other parties, that:
26
(a) deals with the requesting and provision of identity
27
verification services of one or more kinds using identification
28
information made available by the parties; and
29
(b) meets the requirements in sections 9, 10, 11 and 12.
30
Timing and nature of agreement
31
(2) To avoid doubt:
32
Part 1
Preliminary
Division 2
Definitions
Section 9
16
Identity Verification Services Bill 2023
No. , 2023
(a) an agreement may be a participation agreement whether it
1
was made before, on or after the commencement of this
2
section; and
3
(b) different participation agreements may be made between the
4
Department and different other parties; and
5
(c) paragraph (1)(b) and sections 9, 10, 11 and 12 do not limit
6
the matters a participation agreement may deal with.
7
9 General privacy obligations of parties to participation agreement
8
(1) Each party to a participation agreement must:
9
(a) be subject to the
Privacy Act 1988
; or
10
(b) be subject to a privacy law that:
11
(i) is a law of a State or Territory; and
12
(ii) is prescribed by the rules for the purposes of this
13
subparagraph; or
14
(c) agree in the agreement to comply with the Australian Privacy
15
Principles, with any modifications of subclauses 7.8 and 12.2
16
of those principles (about laws of the Commonwealth)
17
specified in the agreement, as if the party were an APP
18
entity; or
19
(d) be a government authority prescribed by the rules for the
20
purposes of this paragraph; or
21
(e) if the agreement deals only with the requesting of DVSs by,
22
and provision of DVSs to, an authority of New Zealand or a
23
person or body operating in New Zealand
--
be an authority,
24
person or body subject to the
Privacy Act 1993
of New
25
Zealand.
26
Note:
A DVS is the only identity verification service available to a party to
27
an agreement described in paragraph (e).
28
(2) A participation agreement must provide for:
29
(a) privacy impact assessments of requesting identity verification
30
services; and
31
(b) the obtaining of a
n individual's consent to the collection, use
32
and disclosure, for the purposes of requesting identity
33
verification services, of identification information that relates
34
to the individual included in such a request, unless:
35
Preliminary
Part 1
Definitions
Division 2
Section 9
No. , 2023
Identity Verification Services Bill 2023
17
(i) the request is made by or on behalf of a government
1
authority; and
2
(ii) collection, use and disclosure of that information for the
3
purposes of protecting a shielded person, or someone
4
else associated with a shielded person,
are implicit in
5
functions conferred by law on the authority; and
6
(c) the provision, to an individual from whom such consent is
7
being sought, of information about matters described in
8
subsection (3); and
9
(d) each party to have arrangements for dealing with complaints
10
by individuals whose identification information is held by the
11
party; and
12
(e) each party to the agreement (except the Department) to report
13
to the Department on breaches of security that relate to the
14
party and are relevant to a matter dealt with in the agreement;
15
and
16
(f) the Department to inform the Information Commissioner of a
17
breach of security that:
18
(i) is reported to the Department under a provision of the
19
agreement covered by paragraph (e); and
20
(ii) is a data breach that is reasonably likely to result in
21
serious harm to an individual whose identification
22
information is involved in the breach.
23
(3) For the purposes of paragraph (2)(c), the matters are as follows:
24
(a) how the party seeking consent uses identity verification
25
services;
26
(b) how any facial images of the individual collected by the party
27
from the individual for requesting an identity verification
28
service or from a response to a request for an identity
29
verification service will be used and disposed of;
30
(c) whether any such facial images will be retained or used for
31
purposes other than those for which the identity verification
32
service is to be requested;
33
(d) what legal obligations the party seeking to collect the
34
identification information has in relation to that collection;
35
(e) what rights the individual has in relation to the collection of
36
the identification information;
37
Part 1
Preliminary
Division 2
Definitions
Section 10
18
Identity Verification Services Bill 2023
No. , 2023
(f) the consequences of the individual declining to consent;
1
(g) where the individual can get information about making
2
complaints relating to the collection, use and disclosure of
3
the identification information for the purposes of requesting
4
and provision of identity verification services;
5
(h) where the individual can get information about the operation
6
and management of the approved identity verification
7
facilities by the Department in connection with the requesting
8
and provision of identity verification services.
9
10 Extra privacy obligations of parties to participation agreement
10
that request services
11
(1) A participation agreement must require each party to the agreement
12
that proposes to request identity verification services:
13
(a) either:
14
(i) to request a DVS or FVS for the purposes of verifying
15
the identity of an individual; or
16
(ii) to request an FVS or FIS for the purposes of protecting
17
a shielded person or someone else associated with such
18
a person; and
19
(b) to comply with the access policy for each service the party
20
requests; and
21
(c) not to use the outcome of an identity verification service the
22
party requested in relation to an individual as the only
23
evidence of the individual's identity in crimina
l or civil
24
proceedings to which the individual is a party.
25
(2) A participation agreement must provide for each party to the
26
agreement that proposes to request identity verification services:
27
(a) not to disclose identification information received by the
28
party as a result of an identity verification service the party
29
requested, except:
30
(i) as required by law; or
31
(ii) as permitted by law in circumstances specified in, or
32
identified in accordance with, the agreement; and
33
Preliminary
Part 1
Definitions
Division 2
Section 11
No. , 2023
Identity Verification Services Bill 2023
19
(b) if the party is a government authority
--
not to permit an
1
individual who is an officer, member of staff, employee or
2
contractor of the party to:
3
(i) make on behalf of the authority a request for an identity
4
verification service that may result in a facial image
5
being provided in response; or
6
(ii) deal with a facial image provided in response to such a
7
request;
8
unless the individual has been trained in facial recognition
9
and image comparison.
10
Note:
Facial images are not provided in response to requests by or on behalf
11
of non-government entities.
12
11 Participation agreement must let parties limit use of
13
identification information they make available for
14
identity verification services
15
A participation agreement must provide for a party that is a
16
government authority that makes available identification
17
information for an identity verification service (except in a request
18
for the service) to be able to limit the use of that information.
19
12 Requirements relating to compliance with participation
20
agreement
21
A participation agreement must provide for:
22
(a) annual auditing of compliance with the agreement; and
23
(b) each party to the agreement (except the Department) to report
24
annually to the Department on the party's compliance with
25
the agreement; and
26
(c) suspension or termination of the ability of a party to the
27
agreement to request identity verification services if the party
28
does not comply with the agreement or access policies for
29
those services.
30
13 NDLFRS hosting agreement
31
(1) The
NDLFRS hosting agreement
is a written agreement that:
32
Part 1
Preliminary
Division 2
Definitions
Section 13
20
Identity Verification Services Bill 2023
No. , 2023
(a) is between the Department (representing the Commonwealth)
1
and each authority that:
2
(i) is an authority of a State or Territory; and
3
(ii) meets the requirement in subsection (2); and
4
(iii) supplies or proposes to supply identification information
5
to the Department for inclusion in a database in the
6
NDLFRS; and
7
(b) deals with the NDLFRS and the collection, use and
8
disclosure of identification information in a database in the
9
NDLFRS; and
10
(c) meets the requirements in subsections (3), (4) and (5).
11
State and Territory parties must be subject to privacy obligations
12
(2) Each authority of a State or Territory that is party to the agreement
13
must:
14
(a) be subject to a privacy law that:
15
(i) is a law of the State or Territory; and
16
(ii) is prescribed by the rules for the purposes of this
17
subparagraph; or
18
(b) be one of the following to which the
Privacy Act 1988
19
applies (with or without modifications) as if it were an
20
organisation:
21
(i) a State or Territory authority (as defined in that Act);
22
(ii) an instrumentality of a State or Territory; or
23
(c) agree in the agreement to comply with the Australian Privacy
24
Principles, with any modifications of subclauses 7.8 and 12.2
25
of those principles (about laws of the Commonwealth)
26
specified in the agreement, as if the party were an APP
27
entity.
28
Note:
The Department, which is the other party to the agreement, is subject
29
to the
Privacy Act 1988
.
30
Requirements on each State or Territory party
31
(3) The agreement must provide for each party that is an authority of a
32
State or Territory:
33
Preliminary
Part 1
Definitions
Division 2
Section 13
No. , 2023
Identity Verification Services Bill 2023
21
(a) to take reasonable steps to inform each individual whose
1
identification information is, or is to be, included in a
2
database in the NDLFRS of that inclusion; and
3
(b) to provide each individual whose identification information
4
is included in a database in the NDLFRS with means of:
5
(i) finding out what that information is; and
6
(ii) having any errors in that information corrected in the
7
database; and
8
(c) to inform each such individual and the Department of any
9
data breaches that:
10
(i) involve identification information that relates to the
11
individual and the NDLFRS; and
12
(ii) are reasonably likely to result in serious harm to the
13
individual; and
14
(d) to provide means for dealing with complaints by individuals
15
relating to the NDLFRS and identification information that
16
relates to them that is included in a database in the NDLFRS;
17
and
18
(e)
to report annually to the Department on the party's
19
compliance with the agreement.
20
Requirements on the Department
21
(4) The agreement must provide for the Department:
22
(a) to maintain the security of identification information
23
included in a database in the NDLFRS, including by
24
encrypting the information; and
25
(b) to inform the other parties to the agreement of any data
26
breaches involving that information and the NDLFRS; and
27
(c) to inform the Information Commissioner of any data
28
breaches that:
29
(i) involve that information and the NDLFRS; and
30
(ii) are reasonably likely to result in serious harm to an
31
individual to whom that information relates.
32
Note:
For paragraph (4)(a), see also paragraph 25(a).
33
Part 1
Preliminary
Division 2
Definitions
Section 14
22
Identity Verification Services Bill 2023
No. , 2023
Requirement relating to compliance
1
(5) The agreement must provide for suspension or termination of the
2
ability of a party to the agreement to request identity verification
3
services involving the NDLFRS if the party does not comply with
4
the agreement.
5
Timing and nature of agreement
6
(6) To avoid doubt:
7
(a) an agreement may be the NDLFRS hosting agreement
8
whether it was made before, on or after the commencement
9
of this section; and
10
(b) paragraph (1)(c) and subsections (3), (4) and (5) do not limit
11
the matters the agreement may deal with.
12
14 Access policies for services
13
The
access policy
for a service is the conditions that:
14
(a) are to be complied with by parties to participation
15
agreements for the parties to have access (on request by the
16
parties) to services of that kind; and
17
(b) are set out in a document approved by the Coordination
18
Group provided for by the intergovernmental agreement; and
19
(c) include conditions providing for the parties to give the
20
Secretary statements of the legal basis for disclosing and
21
using identification information for the purposes of
22
requesting and providing services of that kind to the parties.
23
Note:
Under section 39, the Secretary must publish documents setting out
24
access policies.
25
Subdivision C
--
Definition of DVS
26
15 Definition of
DVS
27
(1) A service is a
DVS
if:
28
(a) it is, or is sought to be, provided on a request made by or on
29
behalf of an authority, person or body (each the
requesting
30
party
); and
31
Preliminary
Part 1
Definitions
Division 2
Section 15
No. , 2023
Identity Verification Services Bill 2023
23
(b) the requesting party is a party to a participation agreement;
1
and
2
(c) the request includes DVS information, that relates to an
3
individual (other than information described in
4
paragraph 6(3)(b)), and to a specimen document purporting
5
to be a DVS document that:
6
(i) is of a kind specified in the request; and
7
(ii) is issued by a government authority that is or was
8
responsible for the issue of DVS documents of that
9
kind; and
10
(d) the service involves, or is to involve, an electronic
11
comparison of the DVS information described in
12
paragraph (c) and information that:
13
(i) is contained in DVS documents of the kind specified in
14
the request, or is associated with such documents by the
15
government authority (the
issuing authority
) that is
16
responsible for issuing them and is a party to a
17
participation agreement; and
18
(ii) is made available for the comparison by the issuing
19
authority; and
20
(e) the comparison is carried out in accordance with any
21
limitations, provided for under that participation agreement,
22
subject to which the issuing authority made the information
23
available for the comparison; and
24
(f) the purpose of the comparison is to help determine whether
25
the specimen document is a DVS document of the kind
26
identified in the request; and
27
(g) the response to the requesting party about the outcome of the
28
comparison is limited to either:
29
(i) a statement that the information compared matched; or
30
(ii) a statement that the information compared did not
31
match, with or without reasons why the information did
32
not match; and
33
(h) the request and the response to the request are communicated
34
by electronic communications relayed through the DVS hub
35
or the Face Matching Service Hub.
36
Part 1
Preliminary
Division 2
Definitions
Section 16
24
Identity Verification Services Bill 2023
No. , 2023
Note 1:
DVS is short for Document Verification Service, a term used in the
1
intergovernmental agreement.
2
Note 2:
DVS is an example of a 1:1 matching service (see the definition of
1:1
3
matching service
in section 5).
4
(2) The following provisions do not apply in relation to a service
5
requested within 12 months after the commencement of this
6
section:
7
(a) paragraph (1)(b);
8
(b) subparagraph (1)(d)(i), so far as it relates to the issuing
9
authority being a party to a participation agreement;
10
(c) paragraph (1)(e).
11
Subdivision D
--
Definition of FIS
12
16 Definition of
FIS
13
A service is an
FIS
if:
14
(a) it is, or is sought to be, provided on a request; and
15
(b) the requirements in section 17 are met in relation to the
16
request; and
17
(c) the service involves, or is to involve, a comparison that has
18
the characteristics and purpose set out in section 18; and
19
(d) the request and the outcome of the comparison are
20
communicated by electronic communications relayed
21
through the Face Matching Service Hub.
22
Note 1:
FIS is short for Face Identification Service, a term used in the
23
intergovernmental agreement.
24
Note 2:
FIS is the only kind of 1:many matching service that is permitted
25
under this Act.
26
17 Requirements for valid request for FIS
27
Requesting authorities
28
(1) A request for an FIS must be made only:
29
(a) by any of the following officers of a Commonwealth, State or
30
Territory government authority that is a party to a
31
participation agreement:
32
Preliminary
Part 1
Definitions
Division 2
Section 17
No. , 2023
Identity Verification Services Bill 2023
25
(i) a law enforcement officer or intelligence officer (within
1
the meaning of section 15K of the
Crimes Act 1914
);
2
(ii) an officer (however described) of an agency authorised
3
under a corresponding assumed identity law (within the
4
meaning of section 15K of the
Crimes Act 1914
);
5
(iii) an officer (however described) of an approved authority
6
(within the meaning of the
Witness Protection Act 1994
)
7
that is permitted to participate in the National Witness
8
Protection Program under that Act, or a complementary
9
witness protection law declared under section 3AA of
10
that Act; and
11
(b) if the officer is required to make the request for the purpose
12
of protecting the identity of a shielded person or someone
13
else associated with a shielded person.
14
Person making request
15
(2) The person making the request on behalf of the authority must be
16
an officer who is approved as a suitable person to make the request
17
(or requests of that kind) by:
18
(a) the head (however described) of the authority; or
19
(b) a person who:
20
(i) is the holder of a management office or position in the
21
authority; and
22
(ii) is authorised, by notice in writing given to the
23
Department, by that head to approve persons to make
24
requests for FISs on behalf of the authority; and
25
(iii) is senior to the person making the request.
26
Note:
To comply with the participation agreement to which the authority is
27
party, an officer approved to make the request must have been trained
28
in facial recognition and image comparison: see paragraph 10(2)(b).
29
Request stating relevant activity
30
(3) The request must:
31
(a) include a single facial image of an individual (whether or not
32
other face-matching service information that relates to the
33
individual is included); and
34
Part 1
Preliminary
Division 2
Definitions
Section 18
26
Identity Verification Services Bill 2023
No. , 2023
(b) specify the kinds of government identification documents
1
against which the face-matching service information in the
2
request is to be compared, partly by reference to whether the
3
authority by or on behalf of which the documents are issued
4
is:
5
(i) an authority of the Commonwealth; or
6
(ii) an authority of a specified State; or
7
(iii) an authority of a specified Territory.
8
Note:
Making a false or misleading statement in the request may be an
9
offence against section 136.1 of the
Criminal Code
.
10
Endorsement of request
11
(4) The request must be:
12
(a) endorsed by the head (however described) of the authority, or
13
a person who:
14
(i) is the holder of a management office or position in the
15
authority; and
16
(ii) is authorised, by notice in writing given to the
17
Department, by that head to endorse requests for FISs
18
made on behalf of the authority; and
19
(iii) is senior to the person making the request; and
20
(b) made by electronic communication to the Face Matching
21
Service Hub.
22
Note:
The endorsement may be given at the same time as, or after, the
23
request is made by electronic communication to the Face Matching
24
Service Hub.
25
(5) A person must not endorse a request made on behalf of an
26
authority unless the person is satisfied that the request is made for
27
the purposes of:
28
(a) protecting the shielded person, or associate, stated in the
29
request; and
30
(b)
the performance of the authority's functions
.
31
18 Characteristics and purpose of comparison involved in FIS
32
(1) The comparison involved in an FIS is an electronic comparison of:
33
Preliminary
Part 1
Definitions
Division 2
Section 19
No. , 2023
Identity Verification Services Bill 2023
27
(a) a single facial image of an individual, and other
1
face-matching service information (if any) that relates to the
2
individual, that is included in the request for the service; and
3
(b) face-matching service information that:
4
(i) relates to one or more individuals; and
5
(ii) is contained in, or associated with, one or more
6
government identification documents of one or more
7
kinds specified in the request; and
8
(iii) is made available for the comparison by a government
9
authority (the
supplying authority
) that is a party to a
10
participation agreement.
11
(2) The comparison is carried out in accordance with any limitations,
12
provided for under the participation agreement, subject to which
13
the supplying authority made the face-matching service
14
information available for the comparison.
15
(3) The comparison is for the purpose of protecting an individual who
16
is a shielded person, or someone else associated with a shielded
17
person.
18
Subdivision E
--
Definition of FVS
19
19 Definition of
FVS
20
A service is an
FVS
if:
21
(a) it is, or is sought to be, provided on a request, made by or on
22
behalf of a party (the
requesting party
) to a participation
23
agreement that does not deal only with the requesting of
24
DVSs by, and provision of DVSs to, an authority of New
25
Zealand or a person or body operating in New Zealand; and
26
(b) the request includes face-matching service information that
27
relates to the individual; and
28
(c) the service involves, or is to involve, a comparison that has
29
the characteristics and purpose set out in section 20; and
30
(d) if the requesting party is a non-government entity
--
the
31
response to the requesting party about the outcome of the
32
comparison:
33
Part 1
Preliminary
Division 2
Definitions
Section 20
28
Identity Verification Services Bill 2023
No. , 2023
(i) is either that the comparison resulted in a match for the
1
individual or that the comparison did not result in a
2
match for the individual; and
3
(ii) does not contain any other face-matching service
4
information that relates to the individual; and
5
(e) the request and the response are communicated by electronic
6
communications relayed through the Face Matching Service
7
Hub.
8
Note 1:
FVS is short for Face Verification Service, a term used in the
9
intergovernmental agreement.
10
Note 2:
FVS is an example of a 1:1 matching service (see the definition of
1:1
11
matching service
in section 5).
12
20 Characteristics and purpose of comparison involved in FVS
13
(1) The comparison involved in an FVS is an electronic comparison
14
of:
15
(a) face-matching service information that relates to the
16
individual that is included in the request for the service; and
17
(b) face-matching service information that:
18
(i) is contained in, or associated with, a government
19
identification document of a kind specified in the
20
request that was issued to the individual; and
21
(ii) is made available for the comparison by a government
22
authority (the
supplying authority
) that is a party to a
23
participation agreement.
24
(2) The comparison is carried out in accordance with any limitations,
25
provided for under the participation agreement, subject to which
26
the supplying authority made the face-matching service
27
information available for the comparison.
28
(3) The comparison is for the purpose of:
29
(a) verifying the identity of the individual; or
30
(b) protecting an individual who is a shielded person, or
31
someone else associated with a shielded person.
32
Preliminary
Part 1
Miscellaneous
Division 3
Section 21
No. , 2023
Identity Verification Services Bill 2023
29
Division
3--Miscellaneous
1
21 False and misleading statements in requests for services
2
To avoid doubt, a request for an identity verification service is an
3
application for a benefit for the purposes of section 136.1 of the
4
Criminal Code
.
5
Note:
That section creates offences for making false or misleading
6
statements in applications for benefits.
7
22 This Act binds Crown
8
This Act binds the Crown in each of its capacities.
9
Part 2
Developing, operating and maintaining approved identity verification facilities
Section 23
30
Identity Verification Services Bill 2023
No. , 2023
Part
2--Developing, operating and maintaining
1
approved identity verification facilities
2
3
23 Simplified outline of this Part
4
The Department may develop, operate and maintain the 3 approved
5
identity verification facilities (the DVS hub, the Face Matching
6
Service Hub and the NDLFRS).
7
The Department is required to maintain the security of electronic
8
communications to and from the facility, including by encrypting
9
the information, and to protect the information from unauthorised
10
interference or unauthorised access.
11
24 Department may develop, operate and maintain approved
12
identity verification facilities
13
(1) The Department may develop, operate and maintain the approved
14
identity verification facilities.
15
(2) The authorisation by subsection (1) to develop, operate and
16
maintain the DVS hub does not limit the authorisation by that
17
subsection to develop, operate and maintain the Face Matching
18
Service Hub.
19
25 How facilities are to be developed, operated and maintained
20
In developing, operating and maintaining an approved identity
21
verification facility, the Department must:
22
(a) maintain the security of electronic communications to and
23
from the facility, including by encrypting the information;
24
and
25
(b) protect the information from unauthorised interference or
26
unauthorised access.
27
Authorising collection, use and disclosure of identification information
Part 3
Simplified outline
Division 1
Section 26
No. , 2023
Identity Verification Services Bill 2023
31
Part
3--Authorising collection, use and disclosure
1
of identification information
2
Division
1--Simplified outline
3
26 Simplified outline of this Part
4
The Department may collect certain identification information by
5
means of particular approved identity verification facilities for any
6
of the following purposes:
7
(a) providing or developing DVSs or FVSs for the purposes
8
of verifying the identity of individuals;
9
(b) providing or developing FVSs or FISs for the purposes
10
of protecting identities of persons (or associates) who
11
have legally assumed identities or are under witness
12
protection;
13
(c) developing, operating or maintaining the NDLFRS.
14
The Department may use or disclose for any of those purposes:
15
(a) information so collected (regardless of the purpose for
16
which it was collected); and
17
(b) identification information generated by the NDLFRS.
18
Part 3
Authorising collection, use and disclosure of identification information
Division 2
Collection, use and disclosure of identification information by the
Department
Section 27
32
Identity Verification Services Bill 2023
No. , 2023
Division
2--Collection, use and disclosure of identification
1
information by the Department
2
27 Collection of identification information by the Department
3
General
4
(1) The Department may collect identification information (whether or
5
not it is sensitive information as defined in the
Privacy Act 1988
)
6
that relates to an individual from someone other than the
7
individual, if the collection:
8
(a) is for a purpose described in subsection (2); and
9
(b) is covered by subsection (3), (4) or (5).
10
Note:
One effect of this section is that such collection of identification
11
information is authorised for the purposes of provisions of Australian
12
Privacy Principle 3, such as paragraph 3.4(a) (about sensitive
13
information) and subparagraph 3.6(a)(ii) (about personal information).
14
Purpose of collection
15
(2) The purposes for which identification information may be collected
16
under this section (or used or disclosed under section 28) are as
17
follows:
18
(a) providing a DVS and FVS for the purpose of verifying the
19
identity of a person;
20
(b) providing an FVS or FIS for the purpose of protecting a
21
shielded person or someone else associated with such a
22
person;
23
(c) developing identity verification services, or facilities for
24
providing those services, for the purpose mentioned in
25
paragraph (a) or (b) (as applicable);
26
(d) developing, operating or maintaining the NDLFRS.
27
Collection of DVS information via DVS hub
28
(3) This subsection covers collection of DVS information by means of
29
an electronic communication to the DVS hub requesting provision
30
of a DVS or responding to a request for provision of a DVS.
31
Authorising collection, use and disclosure of identification information
Part 3
Collection, use and disclosure of identification information by the Department
Division
2
Section 28
No. , 2023
Identity Verification Services Bill 2023
33
Collection of identification information via Face Matching Service
1
Hub
2
(4) This subsection covers collection of identification information by
3
means of an electronic communication to the Face Matching
4
Service Hub that:
5
(a) requests provision of an identity verification service; or
6
(b) responds to a request for provision of an identity verification
7
service; or
8
(c) supplies the information to a database in the NDLFRS.
9
Collection of identification information via NDLFRS
10
(5) This subsection covers collection of identification information by
11
means of an electronic communication to the NDLFRS that:
12
(a) requests provision of an identity verification service; or
13
(b) supplies the information to a database in the NDLFRS.
14
This section does not authorise disclosure to the Department
15
(6) This section does not, by implication:
16
(a) authorise the disclosure of identification information to the
17
Department; or
18
(b) affect whether another provision of a law of the
19
Commonwealth or of a State or Territory providing for
20
collection of information authorises (by implication)
21
disclosure of that information to the person or body
22
authorised by that provision to collect it.
23
28 Use and disclosure of identification information by the
24
Department
25
(1) The Department may, for any purpose described in
26
subsection 27(2), use or disclose identification information:
27
(a) collected by means of an electronic communication to an
28
approved identity verification facility; or
29
(b) held in, or generated using, the NDLFRS.
30
Note:
One effect of this section is that such use or disclosure of
31
identification information by the Department is authorised for the
32
Part 3
Authorising collection, use and disclosure of identification information
Division 2
Collection, use and disclosure of identification information by the
Department
Section 28
34
Identity Verification Services Bill 2023
No. , 2023
purposes of provisions of Australian Privacy Principle 6, such as
1
paragraph 6.2(b) (use or disclosure of personal information authorised
2
by law).
3
(2) This section does not, by implication:
4
(a) authorise a person or body to collect identification
5
information disclosed by the Department under
6
subsection (1); or
7
(b) affect whether another provision of a law of the
8
Commonwealth or of a State or Territory providing for
9
disclosure of information authorises (by implication)
10
collection of that information by a person or body to which
11
the information is disclosed under that provision.
12
Protection of information
Part 4
Simplified outline
Division 1
Section 29
No. , 2023
Identity Verification Services Bill 2023
35
Part
4--Protection of information
1
Division
1--Simplified outline
2
29 Simplified outline of this Part
3
Current and former entrusted persons may commit an offence if
4
they record, disclose or access certain information connected with
5
an approved identity verification facility.
6
Basically, entrusted persons are the following:
7
(a) persons who work for the Department;
8
(b) contractors (and their officers and employees) engaged
9
to provide services to the Department in connection with
10
an approved identity verification facility.
11
There are exceptions for recording, disclosure or access authorised
12
by a law of the Commonwealth or of a State or Territory. The
13
exceptions include recording, disclosure or access:
14
(a) for the purposes of this Act; or
15
(b) in exercising powers, or performing functions or duties,
16
relating to an approved identity verification facility; or
17
(c) for lessening or preventing a serious and imminent
18
threat to human life or health; or
19
(d) relating to the work of an IGIS official or Ombudsman
20
official; or
21
(e) with the consent of the person to whom the information
22
recorded, disclosed or accessed relates.
23
Part 4
Protection of information
Division 2
When protected information can be recorded, disclosed or accessed
Section 30
36
Identity Verification Services Bill 2023
No. , 2023
Division
2--When protected information can be recorded,
1
disclosed or accessed
2
30 Offences by entrusted persons
3
Offence for recording or disclosing information
4
(1) A person commits an offence if:
5
(a) the person is, or has been, an entrusted person; and
6
(b) the person has
obtained protected information in the person's
7
capacity as an entrusted person; and
8
(c) the person:
9
(i) makes a record of the information; or
10
(ii) discloses the information to another person.
11
Note:
The fault element for the physical elements in paragraphs (a) and (b)
12
is recklessness: see section 5.6 of the
Criminal Code
.
13
Penalty: Imprisonment for 2 years.
14
Offence for accessing information
15
(2) A person commits an offence if:
16
(a) the person is an entrusted person; and
17
(b) the person accesses protected information.
18
Note:
The fault element for the physical elements in paragraph (a) is
19
recklessness: see section 5.6 of the
Criminal Code
.
20
Penalty: Imprisonment for 2 years.
21
Exceptions
22
(3) Each of the following is an exception to the prohibition in
23
subsection (1) or (2):
24
(a) the conduct is authorised by a law of the Commonwealth or
25
of a State or Territory;
26
(b) the conduct is in compliance with a requirement under a law
27
of the Commonwealth or of a State or Territory.
28
Protection of information
Part 4
When protected information can be recorded, disclosed or accessed
Division 2
Section 30
No. , 2023
Identity Verification Services Bill 2023
37
Note 1:
A defendant bears an evidential burden in relation to the matter in
1
subsection (3): see subsection 13.3(3) of the
Criminal Code
.
2
Note 2:
For paragraph (3)(a), see also sections 31 to 35 which authorise
3
conduct.
4
Definitions of
entrusted person
and
protected information
5
(4) In this Act:
6
entrusted person
means:
7
(a) the Secretary; or
8
(b) an APS employee in the Department; or
9
(c) a person who is:
10
(i) an employee of an Agency (within the meaning of the
11
Public Service Act 1999
); or
12
(ii) an officer or employee of a State or Territory; or
13
(iii) an officer or employee of a government authority; or
14
(iv) an officer or employee of the government of a foreign
15
country; or
16
(v) an officer or employee of an authority of a foreign
17
country; or
18
(vi) an officer or employee of a public international
19
organisation (within the meaning of section 70.1 of the
20
Criminal Code
);
21
and whose services are made available to the Department; or
22
(d) a contractor engaged to provide services to the Department in
23
connection with an approved identity verification facility
24
(whether the contractor is engaged directly by the
25
Commonwealth or as a subcontractor); or
26
(e) an officer or employee of such a contractor whose duties
27
relate wholly or partly to an approved identity verification
28
facility.
29
protected information
means any of the following:
30
(a) identification information that was obtained by a person, in
31
the person's capacity as an entrusted person, from:
32
(i) an electronic communication to or from an approved
33
identity verification facility; or
34
Part 4
Protection of information
Division 2
When protected information can be recorded, disclosed or accessed
Section 31
38
Identity Verification Services Bill 2023
No. , 2023
(ii) the NDLFRS;
1
(b) information about either of the following:
2
(i) the making, content or addressing of an electronic
3
communication made to or from an approved identity
4
verification facility;
5
(ii) identification information relating to a particular
6
individual held in, or generated using, the NDLFRS;
7
that was obtained by a person, in the person's capacity as an
8
entrusted person;
9
(c) information that enables access to an approved identity
10
verification facility and was obtained by a person, in the
11
person's capacity as an entrusted person.
12
31 Exercising powers, or performing functions or duties, as an
13
entrusted person
14
An entrusted person may make a record of, disclose or access
15
protected information if the record is made, or the information is
16
disclosed or accessed:
17
(a) for the purposes of this Act; or
18
(b) in the course of exercising powers, or performing functions
19
or duties, relating wholly or partly to an approved identity
20
verification facility.
21
32 Disclosure to lessen or prevent threat to life or health
22
(1) An entrusted person may disclose protected information if:
23
(a) the entrusted person reasonably believes that the disclosure is
24
necessary to lessen or prevent a serious and imminent threat
25
to the life or health of an individual; and
26
(b) the disclosure is for the purpose of lessening or preventing
27
that threat.
28
(2) An entrusted person may make a record of or access protected
29
information for the purpose of disclosing the protected information
30
under subsection (1).
31
Protection of information
Part 4
When protected information can be recorded, disclosed or accessed
Division 2
Section 33
No. , 2023
Identity Verification Services Bill 2023
39
33 Disclosure to IGIS official
1
(1) An entrusted person may disclose protected information to an IGIS
2
official for the purpose of the IGIS official exercising a power, or
3
performing a function or duty, as an IGIS official.
4
(2) An entrusted person may make a record of or access protected
5
information for the purpose of disclosing the protected information
6
under subsection (1).
7
34 Disclosure to Ombudsman official
8
(1) An entrusted person may disclose protected information to an
9
Ombudsman official for the purpose of the Ombudsman official
10
exercising a power, or performing a function or duty, as an
11
Ombudsman official.
12
(2) An entrusted person may make a record of or access protected
13
information for the purpose of disclosing the protected information
14
under subsection (1).
15
35 Disclosure etc. with consent
16
Consent of person to whom protected information relates
17
(1) An entrusted person may make a record of, disclose or access
18
protected information that relates to the affairs of a person if:
19
(a) the person has consented to the recording,
disclosure or
20
access; and
21
(b) the recording, disclosure or access is in accordance with that
22
consent.
23
Consent of jurisdiction responsible for NDLFRS protected
24
information
25
(2) An entrusted person may make a record of, disclose or access
26
protected information that was:
27
(a) held in, or generated using, NDLFRS; and
28
(b) supplied by an authority of a State or Territory;
29
if the authority consents to the recording, disclosure or access.
30
Part 4
Protection of information
Division 2
When protected information can be recorded, disclosed or accessed
Section 35
40
Identity Verification Services Bill 2023
No. , 2023
Note:
The NDLFRS hosting agreement also contains privacy requirements
1
that relate to the authority (see subsection 13(2)).
2
Miscellaneous
Part 5
Section 36
No. , 2023
Identity Verification Services Bill 2023
41
Part
5--Miscellaneous
1
2
36 Simplified outline of this Part
3
The Secretary may delegate
the Secretary's
powers and functions
4
under this Act.
5
The Secretary must publish certain documents relating to identity
6
verification services, including the intergovernmental agreement,
7
participation agreements, the NDLFRS hosting agreement and
8
documents setting out access policies.
9
The Information Commissioner is to assess the operation and
10
management of the approved identity verification facilities
11
annually.
12
Annual reports must be prepared and tabled in Parliament about
13
things done in connection with certain identity verification
14
services.
15
A review of the operation of this Act and the provision of identity
16
verification services must be started within 2 years. A report of the
17
review must be tabled in Parliament.
18
The Minister may make rules for the purposes of this Act,
19
including rules for fees.
20
37 No requirement for individuals to identify themselves
21
(1) To avoid doubt, this Act does not affect whether individuals have
22
the option of not identifying themselves, or of using pseudonyms,
23
when dealing with another person or body.
24
Note:
This Act does not affect the operation of Australian Privacy
25
Principle 2 (about anonymity and pseudonymity).
26
(2) Subsection (1) does not affect the circumstances in which an
27
identity verification service may be requested or provided.
28
Part 5
Miscellaneous
Section 38
42
Identity Verification Services Bill 2023
No. , 2023
38
Delegation of Secretary's powers
and functions under this Act
1
(1) The Secretary may, in writing, delegate all or any of the
2
Secretary's
powers or functions under this Act to an SES employee
3
or acting SES employee in the Department.
4
Note 1:
SES employee
and
acting SES employee
are defined in section 2B of
5
the
Acts
Interpretation Act 1901
.
6
Note 2:
Sections 34AA to 34A of the
Acts Interpretation Act 1901
contain
7
provisions relating to delegations.
8
(2) In performing a delegated function or exercising a delegated
9
power, the delegate must comply with any written directions of the
10
Secretary.
11
39 Publication of agreements and policies
12
(1)
The Secretary must publish on the Department's website a copy of
13
each of the following documents:
14
(a) the intergovernmental agreement;
15
(b) a participation agreement;
16
(c) the NDLFRS hosting agreement;
17
(d) an instrument that causes a person or body to become, or
18
cease to be, a party to a participation agreement or the
19
NDLFRS hosting agreement;
20
(e) a document that is approved by the Coordination Group
21
provided for by the intergovernmental agreement and sets out
22
an access policy for a service;
23
(f) a document varying, terminating or revoking a document
24
described in paragraph (a), (b), (c), (d) or (e).
25
(2) However, the copy need not include part of the document if the
26
Secretary considers that publication of the part:
27
(a) creates a risk to the security of identification information or
28
an approved identity verification facility; or
29
(b) unreasonably discloses personal information that relates to an
30
individual; or
31
(c) if the document is a participation agreement or a document
32
described in paragraph (1)(e)
--creates a risk to Australia's
33
national security (within the meaning of the
National
34
Miscellaneous
Part 5
Section 40
No. , 2023
Identity Verification Services Bill 2023
43
Security Information (Criminal and Civil Proceedings) Act
1
2004
).
2
(3) If the Secretary publishes the copy without part of the document
3
because of subsection (2), the Secretary must publish on the
4
Department's website written reasons for not publishing the part,
5
except so far as publication of the reasons would create a risk
6
described in subsection (2) or unreasonably disclose personal
7
information.
8
40 Annual assessment by Information Commissioner
9
(1) The Information Commissioner has the function of doing both of
10
the following within 6 months of the end of each financial year
11
ending after the commencement of this section:
12
(a) assessing the operation and management of the approved
13
identity verification facilities by the Department in the
14
financial year;
15
(b) giving the Secretary a written report on the assessment.
16
(2) The Secretary must ensure that there is in place an arrangement
17
with the Information Commissioner for providing information to
18
the Information Commissioner for making assessments under
19
subsection (1).
20
(3) To avoid doubt, the arrangement may have been made before, or
21
be made on or after, the commencement of this section.
22
41 Annual reporting
23
(1) The Secretary must give the Minister a report including the
24
following information for each financial year ending after the
25
commencement of this section:
26
(a) statistics relating to all requests in the financial year, by or on
27
behalf of government authorities, for 1:1 matching services,
28
broken down by:
29
(i) requesting authority (identified by name); and
30
(ii) the service requested; and
31
(iii) requests in response to which there was provided either
32
information contained in, or associated with, a
33
Part 5
Miscellaneous
Section 41
44
Identity Verification Services Bill 2023
No. , 2023
government identification document, or an indication of
1
a match being the outcome of the comparison involved
2
in the service; and
3
(iv) requests in response to which there was provided neither
4
information contained in, or associated with, a
5
government identification document nor an indication of
6
a match being the outcome of the comparison involved
7
in the service;
8
(b) statistics relating to all requests in the financial year from
9
non-government entities for 1:1 matching services, including:
10
(i) the total number of those requests; and
11
(ii) the names of the non-government entities that made
12
those requests; and
13
(iii) the number of those requests the response to which was
14
that the requested comparison resulted in a match for an
15
individual; and
16
(iv) the number of those requests the response to which was
17
that the requested comparison did not result in a match
18
for an individual;
19
(c) for 1:many matching services:
20
(i) the number of times that the service was used in the
21
year; and
22
(ii) whether the requests were endorsed as required by
23
section 17 or not;
24
(d) information about the accuracy of each system for biometric
25
comparison of facial images that is operated by:
26
(i) the Department; or
27
(ii) the Department administered by the Minister
28
administering the
Australian Passports Act 2005
;
29
for the purpose of providing identity verification services; or
30
(e) the following material relating to disclosures of identification
31
information that were made in the financial year and were
32
authorised by subsection 32(1) (about disclosures to lessen or
33
prevent threats to life or health):
34
(i) the total number of disclosures;
35
(ii) the number of individuals whose identification
36
information was disclosed;
37
Miscellaneous
Part 5
Section 41
No. , 2023
Identity Verification Services Bill 2023
45
(f) information about security incidents occurring in the
1
financial year in connection with one or more of the
2
approved identity verification facilities;
3
(g) information about actions taken in the financial year in
4
response to security incidents that occurred (in the financial
5
year or earlier) in connection with any of the approved
6
identity verification facilities;
7
(h) information about data breaches connected with the operation
8
of any of the approved identity verification facilities in the
9
financial year;
10
(i) information about actions taken in the financial year in
11
response to data breaches connected with the operation of
12
any of the approved identity verification facilities in the
13
financial year or earlier;
14
(j) information about termination or suspension in the financial
15
year of the ability of a party to a participation agreement or
16
the NDLFRS hosting agreement to request an identity
17
verification service because the party does not or did not
18
comply with the agreement or the access policy for the
19
service;
20
(k) any other information that:
21
(i) relates to the financial year and either an identity
22
verification service or the administration of this Act;
23
and
24
(ii) is required by the Minister.
25
(2) The report must not unreasonably disclose personal information
26
that relates to an individual.
27
Timing of annual report
28
(3) The Secretary must give the Minister the report as soon as
29
practicable after the end of the financial year and in any case
30
within 6 months after the end of the financial year.
31
Part 5
Miscellaneous
Section 42
46
Identity Verification Services Bill 2023
No. , 2023
Tabling of annual report
1
(4) The Minister must, subject to subsection (5), cause a copy of the
2
report to be tabled in each House of the Parliament within 15
3
sitting days of that House after the Minister receives the report.
4
(5) For the purposes of tabling the report, the Minister may make any
5
deletions from the report as the Minister considers necessary to
6
avoid prejudicing an investigation or compromising the operational
7
activities of a Commonwealth, State or Territory government
8
authority referred to in paragraph 17(1)(a).
9
42 Fees
10
(1) The rules may make provision relating to the imposition, collection
11
and recovery of fees for either or both of the following:
12
(a) connections to the approved identity verification facilities, to
13
allow the making of electronic communications to, and the
14
receipt of electronic communications from, those facilities;
15
(b) requests for identity verification services.
16
(2) A fee must not be such as to amount to taxation.
17
43 Review of operation of this Act and provision of identity
18
verification services
19
(1) The Minister must cause a review of the operation of this Act and
20
the provision of identity verification services to be started within 2
21
years of the commencement of this section.
22
(2) The Minister must cause a report of the review to be prepared and
23
given to the Minister.
24
(3) The Minister must cause a copy of the report to be tabled in each
25
House of the Parliament within 15 sitting days of that House after
26
the Minister receives the report.
27
44 Rules
28
(1) The Minister may, by legislative instrument, make rules
29
prescribing matters:
30
Miscellaneous
Part 5
Section 44
No. , 2023
Identity Verification Services Bill 2023
47
(a) required or permitted by this Act to be prescribed by the
1
rules; or
2
(b) necessary or convenient to be prescribed for carrying out or
3
giving effect to this Act.
4
(2) To avoid doubt, the rules may not do the following:
5
(a) create an offence or civil penalty;
6
(b) provide powers of:
7
(i) arrest or detention; or
8
(ii) entry, search or seizure;
9
(c) impose a tax;
10
(d) set an amount to be appropriated from the Consolidated
11
Revenue Fund under an appropriation in this Act;
12
(e) directly amend the text of this Act.
13
(3) Despite subsection 44(1) of the
Legislation Act 2003
, section 42
14
(disallowance) of that Act applies to the rules.
15
(4) Despite subsection 54(1) of the
Legislation Act 2003
, Part 4 of
16
Chapter 3 (sunsetting) of that Act applies to the rules.
17