Senate debates

Wednesday, 6 December 2023

Bills

Identity Verification Services Bill 2023, Identity Verification Services (Consequential Amendments) Bill 2023; Second Reading

7:18 pm

Jess Walsh (Victoria, Australian Labor Party)

The question now is that the government amendments on sheet UD100 be agreed to.

Government's circulated amendments—

(1) Clause 2, page 2 (lines 2 to 9), omit subclause (1), substitute:

(1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

(2) Clause 3, page 3 (after line 4), at the end of the clause, add:

Note: The objects in paragraphs 3(a), (b) and (d) are authorised and provided for by Parts 2, 3 and 5. In accordance with the object in paragraph 3(c), Part 4 prohibits the use or disclosure of, or access to, identification information, unless it is in accordance with the objects of this Act or in other limited circumstances.

(3) Clause 4, page 4 (after line 21), after the paragraph beginning "Those requests", insert:

Part 4 of this Act prohibits the use or disclosure of, or access to, identification information, unless it is in accordance with the objects of this Act or in other limited circumstances.

(4) Clause 5, page 8 (lines 9 to 12), omit the definition of IGIS official.

(5) Clause 5, page 9 (lines 9 to 13), omit the definition of Ombudsman official.

(6) Clause 6, page 14 (after line 6), at the end of the clause, add:

Identification information taken to be personal information

(6) Identification information is taken to be personal information for the purposes of the Privacy Act 1988.

(7) Clause 7, page 15 (line 9), omit "consent", substitute "express consent".

(8) Clause 9, page 16 (line 32), omit "consent", substitute "express consent".

(9) Clause 9, page 17 (line 7), omit "consent", substitute "express consent".

(10) Clause 9, page 17 (line 23), at the end of subclause (2), add:

; and (g) the Department to notify each party to the agreement that is relevant to, or impacted by, a data breach of which the Information Commissioner is informed under paragraph (f); and

(h) each party notified under paragraph (g) of a data breach, that is impacted by that breach, to take reasonable steps to notify each individual to whom the identification information relates.

(11) Clause 9, page 17 (line 25), omit "consent", substitute "express consent".

(12) Clause 9, page 18 (after line 9), at the end of the clause, add:

(4) A participation agreement must provide that a party to the agreement is not authorised to use or disclose identification information obtained for the purposes of requesting or providing identity verification services for the purposes of any of the following:

(a) engaging in activities that would allow the party to create a data profile of the person whose identity is being verified (including where it would allow the person's behaviour to be tracked (whether or not online));

(b) offering to supply goods or services;

(c) advertising or promoting goods or services;

(d) enabling another person or entity to offer to supply goods or services;

(e) enabling another person or entity to advertise or promote goods or services;

(f) market research.

(13) Clause 10, page 18 (after line 33), after paragraph (2)(a), insert:

(aa) if the identity verification service is an FVS—to take reasonable steps to destroy each facial image of an individual that is created, for the purposes of the request, by the party requesting the service, as soon as reasonably practicable after the image is no longer required for the purposes of the request, unless the image is:

(i) a Commonwealth record (within the meaning of the Archives Act 1983); or

(ii) required by a law of the Commonwealth, a State or a Territory, or by an order of a court or tribunal, to be retained; and

(14) Page 19 (after line 12), after clause 10, insert:

10A Failure to comply with participation agreements

(1) This section applies if:

(a) a party to a participation agreement is subject to the Privacy Act 1988; and

(b) an act or practice of the party, relating to personal information about an individual, does not comply with a requirement of:

(i) the agreement in relation to a matter covered by section 9 or 10 (other than paragraph 10(1)(b)) of this Act; or

(ii) rules prescribed for the purposes of subsection 44(1A) of this Act.

(2) For the purposes of the Privacy Act 1988, the act or practice is taken to be:

(a) an interference with the privacy of the individual; and

(b) covered by sections 13 and 13G of that Act.

(15) Clause 12, page 19 (line 29), after "agreement", insert ", rules made for the purposes of subsection 44(1A),".

(16) Clause 12, page 19 (after line 30), at the end of the clause, add:

Note: Under subsection 44(1A), the rules may prescribe requirements relating to privacy with which a party to a participation agreement must comply.

(17) Clause 15, page 24 (line 6), omit "12 months", substitute "the period specified by subsection (3)".

(18) Clause 15, page 24 (after line 11), at the end of the clause, add:

(3) For the purposes of subsection (2), the period is:

(a) 12 months; or

(b) if the rules prescribe a longer period of up to 18 months for the purposes of this paragraph—that longer period.

(19) Clause 23, page 30 (line 5), omit "The Department", substitute "In accordance with the object of this Act covered by paragraph 3(a), the Department".

(20) Clause 26, page 31 (line 5), omit "The Department", substitute "In accordance with the object of this Act covered by paragraph 3(b), the Department".

(21) Clause 29, page 35 (before line 4), before the paragraph beginning "Current and former", insert:

An object of this Act is to protect identification information communicated to approved identity verification facilities, and certain other information relating to the use or security of those facilities.

This Act does this by prohibiting the use or disclosure of, or access to, identification information, unless it is in accordance with the objects of this Act or in other limited circumstances.

(22) Clause 29, page 35 (lines 20 and 21), omit "an IGIS official or Ombudsman official", substitute "an official of an integrity agency".

(23) Clause 29, page 35 (line 22), omit "consent", substitute "express consent".

(24) Heading to Division 2, page 36 (lines 1 and 2), omit the heading, substitute:

Division 2 — Prohibition on recording or disclosure of, or access to, information by entrusted persons

(25) Heading to clause 30, page 36 (line 3), omit the heading, substitute:

30 Prohibition on recording or disclosure of, or access to, information by entrusted persons

(26) Clauses 33 and 34, page 39 (lines 1 to 15), omit the clauses, substitute:

33 Information communicated etc. to integrity agencies

(1) An entrusted person may disclose protected information if:

(a) the disclosure is to any of the following persons:

(i) the Inspector-General of Intelligence and Security, or a person covered by subsection 32(1) of the Inspector-General of Intelligence and Security Act 1986;

(ii) the Commonwealth Ombudsman, or another officer (within the meaning of subsection 35(1) of the Ombudsman Act 1976);

(iii) the Information Commissioner, a member of the staff of the Office of the Information Commissioner, or a consultant engaged under the Australian Information Commissioner Act 2010;

(iv) the National Anti-Corruption Commissioner, or another staff member of the NACC (within the meaning of the National Anti-Corruption Commission Act 2022);

(v) the Inspector of the National Anti-Corruption Commission, or a person assisting the Inspector (within the meaning of the National Anti-Corruption Commission Act 2022); and

(b) the disclosure is for the purpose of that person exercising a power, or performing a function or duty.

(2) An entrusted person may make a record of or access protected information for the purpose of disclosing the protected information under subsection (1).

(27) Clause 35, page 39 (line 20), omit "consented", substitute "expressly consented".

(28) Clause 35, page 39 (line 30), omit "consents", substitute "expressly consents".

(29) Clause 36, page 41 (before line 4), before the paragraph beginning "The Secretary may delegate", insert:

An object of this Act is to provide for oversight and scrutiny of the operation and management of the approved identity verification facilities. This Part provides for that oversight and scrutiny, as well as dealing with other miscellaneous matters.

(30) Clause 36, page 41 (lines 10 and 11), omit "the operation and management of".

(31) Clause 36, page 41 (lines 16 to 18), omit "A review of the operation of this Act and the provision of identity verification services must be started within 2 years. A report of the review must be tabled in Parliament.", substitute "An interim review and review of this Act must be conducted, both of which must be started within 2 years of the commencement of section 43 of this Act.".

(32) Clause 40, page 43 (lines 13 to 15), omit paragraph (1)(a), substitute:

(a) assessing the approved identity verification facilities in relation to any act or practice of the Department during the financial year;

(33) Clause 40, page 43 (lines 17 to 22), omit subclauses (2) and (3), substitute:

(2) For the purposes of the Privacy Act 1988, an assessment under subsection (1) of this section is taken to be an assessment under paragraph 33C(1)(a) of that Act.

(34) Heading to clause 43, page 46 (lines 18 and 19), omit the heading, substitute:

43 Interim review, and review of this Act and provision of identity verification services

(35) Clause 43, page 46 (before line 20), before subclause (1), insert:

Interim review

(1A) The Minister must cause an interim review to be started as soon as practicable after 12 months, and before the end of 2 years, of the commencement of this section.

(1B) The interim review must consider the adequacy and operation of:

(a) the privacy protections contained in this Act; and

(b) the security requirements and obligations contained in this Act; and

(c) the penalties for non-compliance with obligations set out in participation agreements, including considering whether civil penalties should apply.

Review of Act and provision of identity verification services

(36) Clause 43, page 46 (before line 23), before subclause (2), insert:

Consultation, preparation and tabling of reports

(2A) The President of the Australian Human Rights Commission, the Human Rights Commissioner appointed under section 8B of the Australian Human Rights Commission Act 1986, and the Information Commissioner, must be consulted in relation to a review under subsection (1A) or (1).

(37) Clause 44, page 47 (after line 4), after subclause (1), insert:

(1A) Without limiting subsection (1), the rules may prescribe requirements relating to privacy with which a party to a participation agreement must comply.

Consultation on draft rules

(1B) Before making or amending any rules under subsection (1), the Minister must:

(a) cause to be published on the Department's website a notice:

(i) setting out the draft rules or amendments; and

(ii) inviting persons to make submissions to the Minister about the draft rules or amendments within the period specified in the notice (which must be at least 28 days after the notice is published); and

(b) if the rules deal with matters that relate to the privacy functions (within the meaning of the Australian Information Commissioner Act 2010)—consult the Information Commissioner; and

(c) consider any submissions received within the specified period.

(1C) The Minister may consider any submissions received after the specified period if the Minister considers it appropriate to do so.

Limitation on rules

(38) Clause 44, page 47 (before line 14), before subclause (3), insert:

Disallowance and sunsetting of rules

Question agreed to.

I will now deal with the amendments circulated by the Australian Greens.

The question is that the amendments on sheet 2157 revised be agreed to.

Australian Greens' circulated amendments—

(1) Clause 5, page 9 (after line 19), after the definition of protected information, insert:

restricted information of an individual means:

(a) health information (within the meaning of the Privacy Act 1988) about the individual; or

(b) information or an opinion about the individual's criminal record; or

(c) information or an opinion about the individual's membership of a professional or trade association; or

(d) information or an opinion about the individual's membership of a trade union; or

(e) other information or opinion that is associated with an individual and is prescribed by the rules; or

(f) information or an opinion about the individual's:

(i) racial or ethnic origin; or

(ii) political opinions; or

(iii) membership of a political association; or

(iv) religious beliefs or affiliations; or

(v) philosophical beliefs; or

(vi) sexual orientation or practices; or

(vii) disability status.

(2) Clause 23, page 30 (after line 11), at the end of the clause, add:

However, the Department must not collect, use or disclose restricted information of an individual in developing, operating and maintaining approved identity verification facilities.

(3) Clause 25, page 30 (line 27), at the end of the clause, add:

; and (c) not collect, use or disclose information that is restricted information of an individual.

(4) Clause 26, page 31 (after line 18), at the end of the clause, add:

However, the Department must not collect, use or disclose identification information that is restricted information of an individual for any of those purposes.

(5) Page 34 (after line 12), at the end of Division 2, add:

28A Collection, use and disclosure of restricted information of individuals

Despite sections 27 and 28, the Department must not collect, use or disclose identification information that is restricted information of an individual.
