The government is having a second go at legislation for identity and facial matching services, one that will still enable central identity data pools to exist but place heavier restrictions on usage.
Two bills - the Identity Verification Services Bill 2023 and Identity Verification Services (Consequential Amendments) Bill - were introduced to parliament on Wednesday morning.
They represent a cut-down version of what the previous LNP government tried to pass as the Identity-matching Services Bill 2019.
The bill is still intended to underpin the use of identity services that are already operational, namely:
- the document verification service (DVS), used for basic identity document checks
- the facial verification service (FVS), which matches against passport and driver licence photos
- the Face Identification Service (FIS) run by Home Affairs, which law enforcement can search and see a “small gallery” [pdf] – up to 20 images [pdf] - of potential matches, for a range of purposes
- the long-planned National Driver Licence Facial Recognition Solution (NDLFRS), which is a central store of licence photos from the states and territories.
There are some immediately noticeable absences from the Labor government’s version of the legislation.
Three identity-based mechanisms that the previous government had sought legislative backing for do not appear in the Labor bill.
The previous government had proposed a:
- One Person One Licence Service (OPOLS) to “allow state and territory agencies to detect cases where a person may hold multiple driver or other licences or fraudulent identities across jurisdictions
- Facial Recognition Analysis Utility Service (FRAUS) to “allow state and territory agencies to assess the accuracy and quality of their data holdings”; and
- Identity Data Sharing Service (IDSS) to “allow for the secure sharing of biometric identity information between Commonwealth, state and territory agencies.”
In addition, Labor’s bill, if passed, would place some significant restrictions on the Face Identification Service run by Home Affairs.
One-to-many face matching to be scaled back
The explanatory memorandum [pdf] is clear that the bill would “authorise [one-to-many] matching services through the Face Identification Service only for the purpose of protecting the identity of persons with a legally assumed identity, such as undercover officers and protected witnesses.”
“All other uses of one-to-many matching through the identity verification services will not be authorised, and will therefore be prohibited,” it states.
That likely represents a substantial walk-back in the permitted activities, which currently include [pdf] identity fraud detection and prevention, investigations of “serious offences” by law enforcement, national security, protective security, and community safety reasons.
The FIS Access Policy [pdf] states that the system can currently also be used to find witnesses to alleged crimes, and that while a search is limited to 20 potential matches, more can be provided with some authorisation.
All of this appears to be off the table if Labor’s identity bills pass.
Privacy-focused
In the explanatory memorandum covering the two bills, the government repeatedly highlights what it sees as enhanced privacy protections.
These include that when a private sector organisation tries to use the facial verification service (FVS), that the returned result will be “either a ‘match’ or ‘no match’ response in relation to [the] request”.
It also said that states and territories that contribute driver licence data to the Commonwealth would be “subject to privacy obligations and safeguards” that are enshrined in the bill and in a separate hosting agreement.
The government promised “transparency about the operation of the approved identity verification facilities, including through extensive annual reporting requirements and annual assessments by the Information Commissioner on the operation and management of the facilities”.
Data must be encrypted at rest, and “communications” between parties encrypted as well.
There are also specific rules around how any data breaches are to be reported.
Stronger myGovIDs
The government hopes that by incorporating driver licence data, more citizens will be able to opt in for “stronger” myGovID verification.
“Approximately 80 percent of Australians have a driver licence,” the memorandum states.
“The bill ensures Australians can have their identity verified against their driver licence in order to establish a ‘strong’ MyGovID which is needed to access certain government services, such as those provided by Centrelink and the Australian Tax Office.
“Without the NDLFRS, only persons with an Australian passport, which accounts for approximately 50 percent of the population, would be able to create a ‘strong’ MyGovID and access critical services.”
Joint statement
Announcing the bill, Finance Minister Katy Gallagher and Attorney-General Mark Dreyfus said it was designed “to ensure identity verification services are secure and protect the privacy of Australians.”
“Australians rightly expect greater protections, transparency and control over their personal information when they provide it to trusted organisations,” the pair said.
“The measures in these bills strike the right balance between achieving fast and convenient identity verification and maintaining strong standards of privacy and security.”