Insight,

Digital Economy,

Federal Government seeks to legislate document and face-matching verification services

15 September 2023

Our People
KWM Kinetic
Owl Advisory
AU | EN
Current site :    AU   |   EN
Australia
EN |
China
JP | ZH | EN |
China Hong Kong SAR
ZH | EN |
Japan
JP | ZH | EN |
Singapore
ZH | EN |
United States
EN |
Global
ZH | EN |

Tell me in thirty seconds: The Government has introduced Bills to Parliament that would formalise the Government’s ability to provide three kinds of identity verification: a document verification service, an identity verification service and a driver licence facial verification service. These services are already used as a key enabler for digital identity service providers, but new legislation will provide new clarity and enhanced protections for users of identity services.

On 13 September 2023, the Federal Government introduced the Identity Verification Services Bill 2023 to Parliament. The Bills are a scaled-down version of a failed 2019 proposal, and substantially limit the ability to conduct 1:many matching services (which would allow a photo to be searched across databases for a match, rather than a 1:1 matching service, which would allow a requesting party to verify whether a photo matches a particular government record, such as a passport).

The core purpose of the Bill is to authorise the Attorney-General’s Department to develop and operate three identity verification facilities:

  • a document verification service (the DVS hub), which allows a requesting party to verify with government whether the biographic information (such as name or date of birth) on an individual’s identity document matches the original record;
  • an identity verification service (the Face Matching Service Hub), which involves:

(a)        a 1:1 matching service, which allows a requesting party to verify with government an individual’s biometric information (such as a photograph or facial image) against a specific Commonwealth, state or territory issued identification document (such as passports and driver licences); and

(b)        a 1:many matching service, which is strictly limited to verification of ‘shielded persons’: generally, people with a legally assumed identity (such as undercover officers and protected witnesses). This service allows a requesting authority to verify a shielded person’s identity against multiple other facial images. It is designed to help government identify whether a shielded person’s identity could be compromised (i.e. if there is a ‘match’ with an existing record); and

  • a system that can compare facial images against a database of State and Territory identification documents, such as driver licences, to verify identity (the National Driver Licence Facial Recognition Solution or NDLFRS), on a 1:1 basis.

Individuals need to give their informed consent before their identity can be verified.

A new legislative framework for existing services

Importantly, the government already provides these services today but in a more limited form (you can read about ‘IDMatch’ here). States and Territories also already provide driver licence images to the national database under an intergovernmental agreement that was signed by COAG in 2017 and a series of bilateral participation agreements.

The new Bill formalises the government’s legislative right to develop and operate these services, including to non-government bodies. The government says IDMatch is useful for matters such as establishing a myGovID, for banks to verify the identity of customers and to meet their ‘know your customer’ obligations, and for government agencies to provide crisis support services.

Other features

A few other points about the draft legislation are worth noting:

  • (requesting party) not just anyone can request that an identity be verified. An authority, person or body (the “requesting party”) must first enter into a participation agreement with the Department. Participation agreements will have extensive compliance requirements (including limitations on what identification information can be used for) and are subject to annual auditing;
  • (privacy protections) the government has been quick to emphasise the privacy protections that will apply, which include:
    • a requirement that requesting parties be subject to a privacy law or agree to be bound by privacy obligations;
    • informed consent from the individual and disclosure of information regarding matters such as how facial images will be retained, used and disposed of;
    • limits on the purposes for which the services can be requested and what may be done with the information received in response to those requests;
    • mandatory notification of data breaches to individuals, the Department and the Information Commissioner;
    • mandatory privacy impact assessments for requesting parties; and
    • obligations on the Department to maintain the security of electronic communications to and from the approved identity verification facilities and the information held in the NDLFRS (including encryption);
  • (inferring other information about a person) the Bill also says that face-matching and document verification is not permitted to verify an individual’s racial or ethnic origin, political memberships, religion, membership of trade unions or professional associations, sexual orientation, criminal record, health information or genetic information. However, the fact that that information could be reasonably inferred from other legitimate information (such as name or place of birth) does not prevent face-matching or document verification. It will be important for the government to closely monitor how this works in practice if the Bill is passed;
  • (other safeguards) there are various other mechanisms designed to ensure the effectiveness of the identity verification services, including annual reporting, annual assessments by the Information Commissioner, complaint mechanisms, and a statutory review of the Bill after 2 years; and
  • (Consequential Amendments Bill) the Government has also introduced the Identity Verification Services (Consequential Amendments) Bill 2023, which simply amends the Australian Passports Act so document and face verification services can operate as intended in relation to Australian travel documents.

Addressing past criticism

The Bill appears to have addressed some of the privacy and transparency related criticisms that led to the failure of the Identity-matching Services Bill 2019 to pass Parliament. There were widespread concerns that the 2019 Bill would permit mass surveillance of citizens via 1:many matching services. As we have described above, any 1:many verification has been considerably limited in the latest iteration of the Bill, which should allay many concerns.

What’s our view on all this?

We are hopeful that, if the identity verification services contemplated by the Bill are implemented securely and effectively, we could see a decrease in the retention by the public and private sector of identity documents. Indeed, existing IDMatch verification services are already in heavy use: the EM says that in 2022 “the DVS was used over 140 million times by approximately 2700 government and industry sector organisations, and there were approximately 2.6 million FVS transactions in the 2022-23 financial year.” The services contemplated by the Bill would have great potential to replace much existing identity verification activity that takes place across the public and private sectors in less controlled environments. Of course, any enthusiasm must be counterbalanced by the need to protect against risk of errors.  The government already requires annual reporting on the accuracy of facial recognition systems operated by the Department. Clearly, the government (quite rightly) recognises that facial recognition systems are imperfect. As the Human Rights Law Centre wrote in response to the 2019 Bill, “Any use of facial recognition technology must account for the accuracy and reliability of the results that it produces. Misidentification may have serious consequences, which must be accounted for when deciding any official uses for facial recognition technology, and the reliance placed on facial identification or verification results” (consequences which are acute for particular minority ethnicities). [1]

It will also be important not to underplay security risks that may arise from the concentration of valuable identity information. The identity verification services contemplated by the Bill will involve the flow of a great deal of personal information to and from the government (i.e. as the requesting party sends a facial image or document to government, and government responds confirming whether it is a match). The encryption and other security measures of these data flows will be critical for the success of the services, as they will be an attractive target for malicious actors, given the rich nature of the information involved.

It will also be critical that personal information entered into the system is used solely for narrowly defined identity verification purposes (which appears to be the government’s intention). In other words, it is important that the regime does not inadvertently permit uses of biometric information for other purposes not intended or outside the scope of the relevant individual’s consent. This is something that privacy interest groups will no doubt wish to keep a close eye on, in order to guard against the risk of scope creep of the relevant systems.

How is this different to digital identity?

As a final note, the identity verification services contemplated by the Bill are different to the Trusted Digital Identity Framework (TDIF), which is an accreditation framework for digital identity services. The verification services already are a key enabler for persons providing digital identity services under TDIF, and this will continue under the new legislative framework. Notably, we are expecting to see more legislation introduced to Parliament regarding digital identity soon so there will potentially be two new legislative regimes debated, passed and implemented in parallel.

KWM has extensive experience in advising on digital identity. We would be happy to discuss these developments with you further if you are interested.

Update as at 7 December 2023:

Today, the Identity Verification Services Bill 2023 and the Identity Verification Services (Consequential Amendments) Bill 2023 passed the Senate. The Bills had already passed the House of Representatives and so will become law the day after they receive Royal Assent.

https://static1.squarespace.com/static/580025f66b8f5b2dabbe4291/t/5b0cebb66d2a73781c59100f/1527574029901/Human+Rights+Law+Centre+Submission+to+PJCIS+-+Identity-Matching+Services.pdf
Categories

Reference

MEET THE AUTHORS

SHOW MORESHOW LESS
LATEST THINKING
Insight
Reform Reflections: Understanding the Shift in Australia’s Industrial Landscape
The incumbent Australian Labor Party (ALP) has been re-elected to a second consecutive term in office. While all races are yet to be formally declared, the ALP is set to have more seats than at any point since its establishment, and will likely face a materially less fractured Senate, no longer having to rely on patching together support from a diverse group of independents in order to pass legislation.

12 May 2025

Insight
Wipeout! Merchant the latest decision in wave of anti-avoidance cases
On 14 May 2024 the Federal Court of Australia in Merchant v Commissioner of Taxation [2024] FCA 498 held that the general anti-avoidance rule and dividend stripping provisions contained in Part IVA of the Income Tax Assessment Act 1936 (Cth) (ITAA36) applied to deny tax benefits obtained by the taxpayer arising from steps it took in connection with a share sale to a third party.

12 May 2025

Insight
The great election wash up - and what we’re watching next…
As the post-election dust settles, the KWM team has pulled together a succinct assessment of the Government’s key policy positions, legislative priorities and issues to watch for in the next term of Parliament.

09 May 2025

EXPLORE LATEST THINKING
OUR PEOPLE
LOCATIONS
MEDIA CENTRE
CAREERS
ABOUT US
Explore Our Expertise
Explore insights
Explore Our Insights

Advertising and Targeting Cookies