Anne Stanley (Werriwa, Australian Labor Party) Share this | Hansard source

I rise to make my contribution on the Identity Verification Services Bill 2023 and Identity Verification Services (Consequential Amendments) Bill 2023. Many Australians are familiar with verifying their identities, whether it be with a business or to access government services. Most wouldn't know that these verification processes rely on our national identity verification services provided by the Australian government, such as the Document Verification Service, DVS, and the Face Verification Service, FVS. These are a series of automated services that help businesses and government agencies verify personal identity by matching the information provided by existing government records. Last year alone, the DVS was used 140 million times, and in the 2022-23 financial year the FVS was used 2.6 million times.

The use of these systems includes common interactions we're all familiar with, from identifying our ID with our banks to verifying our identification when creating a myGovID, but these systems are also used in difficult times for Australians, helping government agencies verify people's identities and effectively deliver disaster relief and social security payments. The past few years have highlighted the importance of these systems, with a pandemic, bushfires and floods. Millions of Australians had to navigate various state and federal government services, from the myGov portal to Service NSW, in order to access social security payments and support when they needed it most.

In the background, the verification services underpin and support essential government services. These bills before the House today will ensure these systems have a clear legislative underpinning and are subject to robust privacy safeguards. They will authorise one-to-one matching for DVS, which allows the verification of biographic information, such as a name and date of birth, against government issued IDs. They will also authorise one-to-one matching through FVS, which will allow the matching of photographs with government issued IDs.

One-to-one matching will also be authorised through the National Driver Licence Facial Recognition Solution, which stores drivers licence data from across the country, enabling the use of FVS with license data. The states and territories that participate in the NDLFRS will be subject to the new privacy rules. The use of the NDLFRS to verify the identity of a person will be vital in helping more Australians create a stronger myGovID. A strong myGovID is necessary to access services such as Centrelink and the ATO through myGov. Without the NDLFRS, an Australian passport would be the only ID that could be used. We know more Australians have a drivers licence than a passport, so strengthening the privacy safeguards around the NDLFRS will give Australians that extra security and assurance that their license data is well protected and can be safely used to get the strong myGovID.

These bills will also limit the use of one-to-many matching by authorising its use for specific circumstances. It may only be used when protecting the identity of persons with a legally assumed identity, such as undercover officers or those in witness protection. There is a strong case for one-to-many matching for these individuals. One-to-many matching in these circumstances is necessary to ensure that the person's safety and security is not compromised by the intentional or unintentional exposure of their true identities. All other uses of one-to-many matching will be prohibited.

As we continue to rely on these identity verification services, we must ensure that there are strong privacy safeguards in place. Australians are becoming more and more conscious of their privacy, and they must be able to trust that their information is being used responsibly. This legislation will ensure these services are underpinned by strong privacy requirements. Private and public organisations that use the identity verification services to verify an individual's identity will be subject to the Privacy Act 1988 or a state or territory privacy law or have agreed to comply with the Australian Privacy Principles.

Requesting organisations must be a party to a participation agreement, which will contain minimum security standards and privacy obligations for the parties involved. This will require requesting organisations to provide a privacy impact assessment regarding the use of identity verification services, and organisations will require informed consent from individuals. 'Informed consent' means that an individual has been informed on how the information will be used, how facial images will be used and disposed of, whether those images will be retained or used for other purposes, the rights of an individual in relation to the collection of that information, the consequences of declining to consent, information about how to make a complaint and the legal obligations of the parties seeking that information.

Being a party to a participation agreement will prevent the disclosure of identification information obtained through the verification services and will be subject to extensive compliance requirements. Parties will be subjected to annual auditing to ensure that they are compliant with the agreement, and the outcomes must be reported to the department. Parties that breach their obligation under participation agreements may have their access and use of verification services suspended. Additionally, the department will be required to use encryption when identification information is being transferred to and from their databases.

To ensure that Australians can trust that their data is being protected, this legislation contains a number of measures to increase transparency and accountability in all these services. Participation agreements and relevant documents must be published. There will be mandatory annual assessments of the operation of verification services, and security instances and data breaches must also be reported. In the event of a data breach, the department will be required to inform the Information Commissioner of the breach if it may result in serious harm to an individual, in line with the obligations under the Privacy Act. Within two years of the commencement of this bill, a review of the operations and provisions of verification services must commence.

A division having been called in the House of Representatives—

Sitting suspended from 10 : 42 to 10 : 54

Public and private organisations regularly ask individuals for sensitive identification data to verify their identities, and individuals should be able to do so with confidence that these services are underpinned by strong transparency and accountability measures so that their data is subject to strong privacy safeguards. These bills will ensure that they can trust the Australian government's identification verification services and continue to access vital government and non-government services. I commend the bills to the House.

See this speech in context