Identity Verification Services Assessment Report – Privacy Obligations

Part 1: Executive summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the Attorney-General’s Department (the Department) as administrator of the identity verification facilities.

1.2 In accordance with the Identity Verification Services Act 2023 (the Act), the identity verification services consist of 3 approved identity verification facilities. These facilities allow a requesting party to verify a person's identity against a government-issued identity document (such as a driver's licence or passport). The 3 approved identity verification facilities are administered by the Department.

1.3 This assessment focused on the Department’s management of the Face Verification Service (FVS), which is one of the 3 approved identity verification facilities. We assessed whether the Department was managing the FVS in accordance with the privacy requirements of the Act and the Privacy Act 1988, with specific focus on the Department’s privacy capability, participation agreements and the completion of privacy impact assessments.

1.4 We found that the Department is managing the FVS in accordance with privacy requirements, with 2 limited exceptions. These were that some information governance documents did not contain up-to-date information about aspects of the IVS, and that the Department’s agreements with participants did not clearly include 2 requirements of the Act.

1.5 To address these exceptions, which each presented a medium privacy risk, we recommend:

• Recommendation 1: The Department should continue to regularly review and update its privacy practices, procedures and systems, initially focusing on:
  • achieving 100% privacy training completion rate within the branch responsible for the identity verification services
  • updating the Privacy Statement – Identity Verification Services
  • updating the Document Verification Service Commercial Service Suspension and Termination Policy
  • updating the Document Verification Service Compliance Plan.
• Recommendation 2: Before any further FVS participation agreements are entered into, the Department should amend the participation agreement template to include the requirement in section 10(2)(aa) and to align relevant clauses with section 11 of the Identity Verification Services Act 2023 (Cth). The Department should also amend any other participation agreements that were made prior to this recommendation.

1.6 We also made 3 suggestions aimed at enhancing the Department’s practices in relation to privacy impact assessments conducted for the FVS.

Part 2: The identity verification services

2.1 Identity verification is the process of proving that an individual’s identity is genuine. To help facilitate identity verification the Australian Government provides identity verification services that allow the comparison and verification of personal information on identity documentation against government records (for example passports and birth certificates).

2.2 The Identity Verification Services Act 2023 (the Act) provides a legislative basis for the Commonwealth Government providing the identity verification services.[1] The Act aims to support the secure and efficient operation of identity verification services, subject to privacy obligations and oversight arrangements such as publication of documents, annual assessments by the Information Commissioner and annual reporting.

The identity verification facilities

2.3 Under the Act the identity verification facilities are administered by the Attorney-General’s Department (the Department), providing for:

• 1:1 matching to verify biographic information (such as name or date of birth) and/or biometric information (such as a photo or facial image); and
• 1:many matching of both biographic and biometric information only for the purpose of protecting the identity of persons with a legally assumed identity (such as undercover law enforcement officers) or under witness protection.

2.4 All other uses of 1:many matching through the identity verification services are not authorised by the Act, and are therefore prohibited, as per Part 1, Division 2, Subdivision D of the Act.

2.5 The 3 approved identity verification facilities developed and operated in accordance with the Act are summarised in Table 1 below.

Source: OAIC analysis

2.6 As the Framework Administrator, the Department is responsible for operating and maintaining the approved identity verification facilities. This includes the technical design of the facilities, maintaining the infrastructure of facilities, providing secretariat support to governance forums, reviewing compliance statements by participants and suspending or terminating participants from using the facilities.

The Face Verification Service

2.7 The Face Verification Service (FVS) allows for 1:1 matching to compare biographic and biometric information against information held in a government-issued identity document to verify the person’s identity.

2.8 The FVS is offered through the Face Matching Service Hub, which has a ‘hub and spoke’ technical architecture. The Hub acts as a router for requests between the organisation seeking to verify the identity (the requesting party) and the government agency that issued the identity document (the data holding agency), as shown in Figure 1 below. The Department advised the OAIC that due to the design of the Face Matching Service Hub, only metadata about the transaction is retained by the Department.

Figure 1: How the Face Matching Service Hub works

Source: OAIC analysis

2.9 There was a total of 4451 organisations (known as customers) using the identity verification services offered by the Department as at 30 June 2024 (200 public sector customers and 4251 private sector customers). Only one customer used the FVS: the Australian Taxation Office (ATO), for the purposes of the myGovID app. The only data holding agency for FVS requests was the Department of Foreign Affairs and Trade (DFAT) in relation to passports. All remaining customers used the Document Verification Service.[3]

i The 68 FVS requests made by DFAT were for testing purposes only.
Source: Attorney-General’s Department

2.10 In the future, the Department anticipates that the FVS will be expanded to include both public and private sector requesting parties, and with additional data holding agencies.

Part 3: Summary of findings

The Department’s internal privacy capability

3.1 In accordance with Australian Privacy Principle (APP) 1.2, an APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems that ensure it complies with the APPs and a registered APP code that binds the entity. The Department is subject to the Privacy (Australian Government Agencies – Governance) APP Code 2017 (the Code). The Code sets out specific requirements and key practical steps that government agencies must take to move towards a best practice approach to privacy governance.

3.2 To ensure the Department has taken a best practice approach to implementing the privacy elements of the Act, the OAIC assessed whether the Department was complying with the key elements of the Code. Overall, as shown in Table 3 below, the Department is complying with the Code.

Source: OAIC analysis

3.3 We found 3 documents that are important to the identity verification services, which require updating:

• Privacy Statement – Identity Verification Services
• Document Verification Service Commercial Service Suspension and Termination Policy
• Document Verification Service Compliance Plan.

3.4 While Document Verification Service Commercial Service Suspension and Termination Policy and Document Verification Service Compliance Plan are not specifically focused on privacy, they have important implications for privacy. These documents outline how the Department will monitor compliance with obligations of participants involved in the identity verification services (including privacy requirements), as well as how and when they take action in response to non-compliance (including non-compliance with privacy requirements).

3.5 Specifically, these 3 documents did not:

• reflect the commencement of the Act
• incorporate the services enabled by the Face Matching Service Hub (the FVS and Face Identification Service), in addition to the DVS
• reflect their applicability to the public sector, in addition to the private sector.

3.6 We consider this a medium privacy risk, as these omissions mean the Department’s compliance program for the FVS is not comprehensive and up to date. Updating these documents will enable the Department to better monitor privacy and other obligations, and where appropriate, act on any non-compliance.

Privacy safeguards in participation agreements

3.7 Participation agreements are written agreements between the Department and one or more parties (usually the requesting party and the data holding agency) that deal with requesting and providing identity verification services. Participation agreements must comply with the requirements of the Act, including requirements in relation to privacy.

3.8 Furthermore:

• only a requesting party that is a party to a participation agreement can request an identity verification service through an identity verification facility. They can only request the identity verification services covered by the participation agreement and can only request them from a data holding agency that is a party to the agreement
• the data holding agency that is a party to that agreement can only use the identification verification facility to provide the identity verification services covered by that agreement to a requesting party that is a party to an agreement.

3.9 At 30 June 2024 only one participation agreement was in place in relation to the FVS, between the Department, the ATO (the requesting party) and DFAT (the data holding agency). In practice, this allows a person using the myGovID app to electronically verify their identity by comparing their facial image and personal information against their Australian passport held by the DFAT ( Figure 2 below).

Figure 2: Example of FVS process

Source: OAIC analysis

3.10 The OAIC reviewed the participation agreement to determine if it complied with the privacy obligations outlined in sections 9-12 of the Act. The OAIC found that the participation agreement did not clearly include the terms required by:

• s 10(2)(aa) – regarding destruction by the requesting party of any facial image for the purpose of the request as soon as practicable after it is no longer required for the request,[7] and
• s 11 – allowing a government authority that makes available identification information for an identity verification service (except in a request for the service) to be able to limit the use of that information.

3.11 We consider this finding constitutes a medium privacy risk. During the assessment, the OAIC advised the Department that the participation agreement did not clearly include the above requirements. The Department committed to updating the participation agreement to resolve these issues as a matter of priority.

Privacy impact assessments for the Face Verification Service

3.12 A privacy impact assessment (PIA) is a systematic assessment of a project that identifies the impact the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating the impact. The Act requires that a participation agreement must provide for PIAs of requesting identity verification services. [8]

3.13 The participation agreement between the ATO, the Department and DFAT requires that before entering into a Participant Access Arrangement, [9] each requesting party must conduct a PIA for the use of services enabled by the Participant Access Arrangement. The PIA is conducted on behalf, and for the benefit, of each of the parties to the participation agreement. The participation agreement also requires the requesting party to publish the PIA report [10] and provide a copy of the PIA report to the Department (as the Framework Administrator) promptly after it is completed.

3.14 This assessment found that the requirement to conduct a PIA was satisfied by the ATO conducting PIAs in September 2018 and August 2021, in its role as a FVS requesting party in relation to the myGovID app.

3.15 Additionally, the OAIC observed, as matters of good privacy practice, that DFAT conducted a PIA in April 2023 in relation to its role as a FVS data holding agency for both biographic and biometric information, and the Department conducted a PIA in August 2015 in relation to the design of the Face Matching Service Hub (previously known as the National Facial Biometric Matching Capability). [11] Given the long duration since the Department completed its PIA for the Face Matching Service Hub, and the recent commencement of the Act, as part of this assessment process it has committed to updating this and other PIAs.

3.16 In updating its PIA, the OAIC suggests the Department could consider conducting a joint PIA (as permitted by clause 14 of the APP Code) [12] across the agencies involved in the FVS so that personal information flows can be mapped from end-to-end (from request to response). The OAIC’s Guide to undertaking privacy impact assessments explains:

To map information flows effectively, you will need to communicate with other staff and project stakeholders. If you try to map information flows in isolation, you run the risk of overlooking valuable information about how the project will work and how personal information will be handled. This could cause problems later on that may be difficult or expensive to remedy .[13]

3.17 Additionally, where there is an increased privacy risk to the FVS process (for example, when a data holding agency participates in the FVS for the first time), the Department could encourage participants to complete a PIA or joint PIA. The OAIC notes that this would support compliance with s 12 of the Code, applicable to Australian Government Agencies, which requires that a PIA be conducted for all high privacy risk projects. This includes projects that involve new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals.

3.18 A key component of PIAs is that they address privacy risks and make recommendations to address those risks where appropriate. Once recommendations are made there is benefit in seeking independent review of their implementation. While the Department is not responsible for endorsing the content of PIAs conducted on behalf of participants, the Department has implemented a good privacy practice whereby the requesting party is required to provide details of their PIA, including any relevant recommendations and responses, as part of their Participant Access Arrangement (which must be completed before access to the FVS is granted).

3.19 As discussed in paragraph 3.4 above, the Department has a Document Verification Service Compliance Plan to avoid breaches of legal and regulatory obligations and to ensure that all DVS parties meet the privacy and security requirements. One element of this plan is that all participants are required to submit annual compliance statements to the Department. To provide ongoing assurance that privacy risks have been addressed and minimised, the Department could require FVS requesting parties to report against outstanding PIA recommendations in their annual agency compliance statements.

3.20 Another key element to this plan is deterring compliance breaches through proactive monitoring and auditing, including audits by an independent external auditor.[14] The Department could also consider whether the external audit’s scope should include reviewing each requesting party’s progress against outstanding recommendations from their PIA report.

Part 4: Recommendations and responses

4.1Please see Appendix B for the Department’s full response.

4.2 Attorney-General’s Department response: Accepted. The Department will continue to regularly review and update its privacy practices, procedures and systems.

4.3 The Department further advised:

• At November 2024, the responsible branch (Identity and Biometrics Policy Branch) achieved the 100% privacy training completion rate.
• The Department expects an updated Privacy Statement to be published on the Department’s IDMatch website in February 2025.
• The Department intends to update the Suspension and Termination Policy to include the Face Verification Service by June 2025 or prior to private sector participation, whichever is earlier.
• The Department intends to finalise a Compliance Plan for the Face Verification Service by June 2025.

4.4 Attorney-General’s Department response: Accepted. The Department has amended the participation agreement to more clearly reflect these provisions. The amended participation agreement has been agreed to by the Australian Taxation Office (ATO) and the Department of Foreign Affairs and Trade (DFAT), as the only participants to the Face Matching Services.

4.5 The updated Face Matching Service participation agreement template will be used for any future participants to the Face Matching Service.

4.6 Attorney-General’s Department response: Accepted. The Department is revising the existing privacy impact assessment (PIA) for the Face Verification Service following the commencement of the IVS Act. The Department agrees it is important to take a holistic approach when undertaking a PIA and will consider whether a joint PIA is feasible when implementing this suggestion.

4.7 The Department expects a revised FVS PIA to be completed by mid-2025.

4.8 Attorney-General’s Department response: Accepted. The IVS Act requires participants requesting identity verification services to have a PIA in place. In addition to this requirement, the Department will encourage all other participants, beyond those requesting a service, to have a PIA in place for their involvement with the Face Verification Service.

4.9 Attorney-General’s Department response: Accepted. The Department will undertake work to incorporate reporting on implementing PIA recommendations into the Identity and Biometrics Policy Branch’s audit and compliance program for the Face Verification Service.

4.10 The Department expects this work to be completed by June 2025.

Part 5: Description of assessment

Role of the Australian Information Commissioner

5.1 Section 40(1) of the Act provides for annual assessments by the Information Commissioner on the operation and management of the identity verification facilities by the Department.

5.2 Specifically, the Information Commissioner has the function of:

• assessing the approved identity verification facilities in relation to any act or practice of the Department during the financial year; and
• providing the Secretary of the Department with a written report on that assessment.

5.3 The Information Commissioner is required to perform both aspects of this assurance function within 6 months of the end of each financial year ending after the commencement of s 40(1) (being 14 June 2024). For the purposes of the Privacy Act 1988 (Privacy Act), an assessment under s 40(1) of the Act is taken to be an assessment under paragraph 33C(1)(a) of the Privacy Act.[15]

5.4 The OAIC provided this report to the Secretary of the Department on 12 November 2024.

Objective, scope and methodology of the assessment

5.5 The objective of this assessment was to assess whether the Department was managing identity verification services, in particular the FVS and personal information held on this approved identity verification facility, in accordance with the requirements of the Act and the Privacy Act. This objective included determining whether the Department had established effective governance arrangements to manage FVS customers and by extension personal information handled by the FVS.

5.6 We assessed the FVS because we have not previously assessed this service, and the other identity verification services under the Act did not yet have participation agreements in place.

5.7 The scope of the assessment focused on the Department’s compliance with the Act, APP 1.2, and the Privacy (Australian Government Agencies – Governance) APP Code 2017 (the APP Code), to the extent that these requirements relate to the Department’s management of privacy impact assessments (PIAs) and participation agreements with customers.

5.8 We used 2 criteria to determine whether the Department was meeting the objective:

• do the Department’s participation agreements with the Department of Foreign Affairs and Trade (DFAT) and the ATO include the privacy safeguards required by the Act?
• has the Department taken reasonable steps to ensure completion of, and address the privacy risks identified by, PIAs in relation to the DFAT and the ATO?

5.9 We limited the assessment scope to the Department, because under the Act, the OAIC has the function of assessing the approved identity verification facilities in relation to any act or practice of the Department. We therefore did not assess the privacy practices of the ATO or DFAT.

Privacy risks

5.10 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance (see Appendix A), the OAIC makes recommendations about how to address those risks. These recommendations are set out in Part 4 of this report.

5.11 The OAIC assessments are conducted as a ‘point in time’ assessment; that is, our observations and opinions are only applicable to the time period in which the assessment was undertaken.

5.12 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’. Chapter 9: Privacy assessments | OAIC provides further detail on this approach.

Reporting

5.13 The OAIC publishes final assessment reports in full, or in an abridged version, on our website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.

Part 6: Appendices

Appendix A – Privacy risk guidance