In addition to the general privacy concerns regarding the use, reliability and security of biometric information discussed in the preceding chapter, stakeholders expressed concern regarding technical components of the IMS Bill. These concerns chiefly related to what is collected, how information is used and who has access.
This chapter discusses proposed sections 5 to 15 of the IMS Bill, which define identity information, the identity-matching services, and provide for the development and operation of the interoperability hub and the National Driver Licence Facial Recognition Solution (Driver Recognition Solution).
First, the chapter examines the scope and purpose of identity‑matching information, including the definition of key terms used throughout the IMS Bill. Second, the access points for the identity‑matching services (the ‘interoperability hub’ and the Driver Recognition Solution) will be discussed, with the evidence received on each identity‑matching service presented. The chapter also presents evidence on the proposed access to the services for local governments and non‑government entities.
The Committee’s comment and recommendations for amendment appear at the end of the chapter.
Scope and purpose of identity-matching services
As discussed in Chapter 1, under the IMS Bill, the Department of Home Affairs will be able to collect ‘identification information’ for the purposes of providing identity-matching services. While the term is expressly defined in the IMS Bill, it is proposed that the Minister will also have a rule‑making power to expand the definition of ‘identification information’ where it will assist in an ‘identity or community protection activity’. Further, the Department will be able to collect and disclose that ‘identification information’ through the interoperability hub or the Driver Recognition Solution to users of the service (including government and, in some cases, non‑government entities). The Department may only share identification information for an express range of purposes, including an ‘identity or community protection activity’.
Therefore, the following terms are central to the Bill’s scope and purpose:
‘identification information’—that is, what information may be collected, and
‘identity or community protection activity’—that is, for what purpose can information be collected and shared through the interoperability hub and Driver Recognition Solution.
The following sections of this chapter discuss these key terms in detail as well as who will have access to, and how they will access, biometric information.
Proposed subsection 5(1) of the IMS Bill defines ‘identification information’ as any of a number of attributes about an individual (whether living, dead, real or fictitious). This includes an individual’s name, current or former address, date of birth and gender. An individual’s facial image, and information contained in driver’s licences, other licences, documents provided to people who are not Australian citizens, and travel documents such as passports, are also included in the definition.
The IMS Bill allows for additional items of ‘identification information’ to be prescribed under the rule‑making power contained in proposed section 5(1)(n).
Proposed subsection 5(2) provides that a number of attributes—including racial or ethnic origin, political opinions, religious beliefs or affiliations or sexual orientation or practices—are not identification information about an individual. However, this would not prevent ‘identification information’ from being used to identify a person where an attribute listed in proposed subsection 5(2) could also be inferred from that information. For example, even if an individual’s racial or ethnic origin can reasonably be inferred from his or her name or place of birth, this does not prevent his or her name or place of birth from being ‘identification information’.
Proposed subsection 5(4) provides that, before making rules prescribing additional ‘identification information’, the Minister must consult the Human Rights Commissioner and the Information Commissioner. The Minister must also be satisfied that the information,
can be used to identify an individual,
is reasonably necessary to provide one or more identity-matching services, and
assists one or more ‘identity or community protection activities’.
The term ‘identity or community protection activities’ is discussed in the next section.
Submitters raised concerns with this broad rule making power. The Law Council of Australia was concerned that the rule making power could be used to enhance the scope of the identity‑matching services. Additionally, the Law Council submitted that it is not enough that the Human Rights Commissioner and the Information Commissioner are only consulted. The Law Council considered that the Minister should be required to report to the public on the results of these consultations and provide reasons if rules are made that are contrary to the advice provided by the Commissioners.
In a submission to this Committee’s review, the Department of Home Affairs advised that, as a result of comments made by the Senate Standing Committee for the Scrutiny of Bills, the Minister has agreed to ‘seek to amend’ the IMS Bill to,
require the Minister to have regard to submissions made by the Human Rights Commissioner and the Information Commissioner when making rules to prescribe additional types of identification information or new identity-matching services, and
require the Minister to provide reasons explaining why the rules depart from that advice (if they do).
The Australian Human Rights Commission (AHRC) recommended that the rule making power in subsection 5(1)(n) not be included in the Bill. In making this recommendation, the AHRC noted its particular concerns in relation to the definition of ‘identity or community protection activities’, as discussed below.
Electronic Frontiers Australia (EFA) also recommended that subsection 5(1)(n) be removed because ‘new types of identification information and new types of identity-matching services ought not merely be subject to prescription by the Minister’. EFA went on to explain that it should be up to the legislature to decide, with proper debate, the basis for further inclusion of new and emerging technologies.
In discussing the Minister’s power in subsection 5(1)(n), the Department of Home Affairs noted that this Committee expressed significant concerns about a regulation-making provision in its Advisory Report on the Counter-Terrorism Legislation Amendment (Foreign Fighters) Bill 2014.
However, the Department distinguished the current IMS Bill from the Counter‑Terrorism Legislation Amendment (Foreign Fighters) Bill, pointing out that,
the IMS Bill will not facilitate the collection from individuals of any new type of biometric data that may be prescribed in the rules—that is, it ‘will not provide for the collection of biometric information directly from individuals’,
proposed subsection 5(4) contains a number of additional safeguards that ‘will help to ensure rules are only made in appropriate circumstances and are subject to proper oversight’, and
proposed subsections 30(3) and (4) of the IMS Bill specifically provide for the rules to be subject to disallowance by Parliament and sunsetting arrangements.
Identity or community protection activity
As noted above, before making rules prescribing additional ‘identification information’ under paragraph 5(1)(n), the Minister must be satisfied that the information assists one or more ‘identity or community protection activities’. Further, the Department of Home Affairs will only be able to collect ‘identification information’ through the operation of the interoperability hub or the Driver Recognition Solution for an ‘identity or community protection activity’.
Proposed section 6 defines ‘identity or community protection activity’ as comprising the following activities:
preventing and detecting identity fraud,
law enforcement activities,
national security activities (including ‘gathering intelligence’) within the meaning of the National Security Information (Criminal and Civil Proceedings) Act 2004,
protective security activities,
community safety activities,
road safety activities, and
The Department’s collection of certain biometric information is further restricted to a more limited range of identity or community protection activities. The Explanatory Memorandum notes that the Face Identification Service will not be available for either road safety activities or verifying identity activities. Road safety activities are intended to refer to the ability to detect unlicensed and disqualified drivers, persons with multiple licences obtained fraudulently and the strengthening of the integrity of driver licence issuance processes.
The Explanatory Memorandum states that the verifying identity activities covered in proposed section 6 are intended to capture government or private sector service delivery where it is necessary to establish identity, such as ‘seeking government benefits, requesting a bank account, or where regulatory identity verification requirements exist’.
The AHRC raised three main concerns with the breadth of the definition of ‘identity or community protection activity’. The AHRC’s first concern was with the definition of ‘law enforcement activities’ in proposed subsection 6(3)(a), which includes ‘preventing, detecting, investigating or prosecuting an offence against a law of the Commonwealth, a State or a Territory’. The AHRC submitted that allowing the identity-matching services to be used in this way
appears to contemplate intrusive surveillance of persons (or, indeed, of the community at large) before any crime has been committed, and indeed potentially before there is any reason to believe that a particular crime will be committed.
The Department of Home Affairs, responding to similar concerns expressed in a submission to a separate Queensland inquiry, stated that the IMS Bill ‘does not authorise other agencies to undertake mass surveillance’. The Department noted:
The Australian Privacy Principles will continue to operate to prohibit collection, use or disclosure of personal information that is not authorised by law …
Participating agencies need to have their own legal basis to collect information that they wish to use in a query or receive in response to a query, and to share it in the course of one or more of the identity and community protection activities, before they can use the services.
The Department also considered that use of the face-matching services for such blanket surveillance
would not be feasible in practice, given that the systems supporting the services are not designed to support this type of usage and that agencies would not have the resources, including personnel sufficiently trained in facial recognition, to devote to this kind of usage.
Secondly, the AHRC expressed concern that the range of information that could conceivably assist in ‘gathering intelligence’ is very broad. Thirdly, the AHRC stated that ‘verifying the identity of individuals’ could not justify the use of the identity-matching services alone. The Commission considered that the measures could only be justified ‘by reference to some other aim—that is, if the verification is performed to serve some other legitimate purpose’.
The AHRC recommended that the definition of ‘identity or community protection activity’ be amended so that ‘law enforcement activities’ includes only the prevention of serious offences, and that subsections dealing with ‘road safety activities’ and ‘verifying identity’ be deleted.
Mr Fergus Hanson from the Australian Strategic Policy Institute (ASPI), submitting in his private capacity, similarly stated that these definitions should be more narrowly defined.
Since the IMS Bill was introduced to the Parliament, the passage of the National Security Legislation Amendment (Espionage and Foreign Interference) Act 2018 (EFI Act) has inserted a new definition of national security in section 90.4 of the Criminal Code. This definition is more constrained than that in proposed section 6(4) of the IMS Bill, which defines the term ‘national security’ by reference to the National Security Information (Criminal and Civil Proceedings) Act 2004 (NSI Act).
In the NSI Act, ‘national security’ is defined as ‘Australia’s defence, security, international relations or law enforcement interests’. In the EFI Act, ‘national security’ is defined as:
the defence of the country;
the protection of the country or any part of it, or the people of the country or any part of it, from activities covered by subsection 90.4(2);
the protection of the integrity of the country’s territory and borders from serious threats;
the carrying out of the country’s responsibilities to any other country or an activity covered by subsection (2);
the country’s political, military or economic relations with another country or other countries.
Subsection 90.4(2) includes espionage, sabotage, terrorism, political violence, foreign interference, or activities intended and likely to obstruct, hinder or interfere with the performance by the country’s defence force of its functions or with the carrying out of other activities by or for the country for the purposes of its defence or safety.
The Committee asked the Department of Home Affairs if the IMS Bill could be amended so that the definition of ‘national security’ in section 6(4) refers to section 90.4 of the Criminal Code. The Department stated that the definitions were ‘in substance almost the same’ and offered no objection to the Criminal Code definition being used.
Use of identity-matching services
Proposed section 7(1) of the IMS Bill defines ‘identity-matching service’, which includes each of the separately defined services in proposed sections 8–12 (discussed below). In addition, proposed section 7(1)(f) gives the Minister the power to prescribe a new identity-matching service where that service involves the collection, use and disclosure of identification information; and involves the interoperability hub or the Driver Recognition Solution.
The Minister may only make rules for the purposes of paragraph 7(1)(f) prescribing a service that ‘involves a request, from a local government authority or non-government entity, relating to an individual’ if
(a) the purpose of the service is to verify the individual’s identity; and
(b) the conditions in subsection (3) are met in relation to the local government authority or non-government entity. These conditions are described below.
Submitters raised concerns around the Ministerial power to prescribe additional identity-matching services. For example, the Office of the Information Commissioner (Queensland) echoed concerns in relation to blanket surveillance and, whilst accepting that it would not be the Government’s intention for the identity-matching services to be used in such a way, stated that ‘the broad power in section 7(1)(f) could potentially facilitate such a use.’
Likewise, the AHRC submitted that the rule making power in proposed section 7(1)(f) must be read in conjunction with the rule making power contained in section 5(1)(n), discussed above. Taken together, these powers ‘could give the Minister the power to create new identity-matching services which are far more intrusive on privacy than those explicitly created by the Bill.’
The AHRC’s position was that any new identity-matching service should only be created by amending relevant legislation. The AHRC therefore recommended that the rule making power in proposed section 7(1)(f) not be included in the IMS Bill.
Accessing identity‑matching services
The IMS Bill establishes two access points for the identity‑matching services: an ‘interoperability hub’ and the Driver Recognition Solution. Both are discussed below.
Proposed section 14 of the IMS Bill provides for the Secretary of the Department to develop, operate and maintain a facility (the interoperability hub) for relaying electronic communications between bodies and persons for the purposes of requesting and providing identity-matching services.
The Explanatory Memorandum gives further information on the expected operation of the interoperability hub, stating that it operates via a ‘hub and spoke’ architecture. Participating entities at the ‘spokes’ either provide or request information on a query and response basis. The interoperability hub acts as a router to relay identification information between them. Unlike the Driver Recognition Solution, the hub does not permanently store identification information.
Dr Marcus Smith noted that facial images will remain with the states and territories or, in the case of passport photos, with the Department of Foreign Affairs and Trade. Dr Smith stated that the interoperability hub could ‘be searched as though the images were held in a Commonwealth database’ and that ‘this approach may, for practical purposes, have the same effect as if the data were held by the Commonwealth’.
The Law Council of Australia was concerned that the ‘identity matching services operating through the interoperability hub will use information taken for a particular purpose for other purposes for which the consent of individuals has not been obtained.’ The Law Council gave the example of someone who has consented to providing a photograph for a driver licence ‘but have not consented to their biometric information being extracted from that image and being used for other purposes’. This, according to the Law Council, ‘may have the effect of undermining the notion of informed consent by individuals in relation to their personal information’.
The Law Council of Australia was concerned about the sensitivity of personal information flowing through the interoperability hub and the consequences of potential breaches of the hub. The Council pointed out that any ‘inadvertent release, or breach in the security of biometric information is irrevocable’.
National Driver Licence Facial Recognition Solution
Proposed section 15 of the IMS Bill provides for the Secretary of the Department to develop, operate and maintain the Driver Recognition Solution. This consists of a database of identification information that is also contained in government identification documents issued by or on behalf of an authority of a state or territory, and is supplied by the authority or its agent to the Department by electronic communication for inclusion in the database. In addition, the Secretary can develop, operate and maintain a system for biometric comparison of facial images with facial images that are in the database.
According to the Explanatory Memorandum, the database is first expected to hold driver licences but identification information from other state or territory identification documents, such as fishing, firearm and marine licences and proof of age or identity cards, may also be incorporated into the database.
The Explanatory Memorandum provides further detail on how facial matching will work in the Driver Recognition Solution. Following receipt of a matching request, the facial recognition system will create a biometric template from the facial image that is submitted. This biometric template is compared against the templates stored in the system. Once a matching request has been processed, the probe image and its associated templates are not retained anywhere in the Driver Recognition Solution.
The range of identity-matching services
As noted in Chapter 1, each identity‑matching service is defined in the IMS Bill. The listed identity‑matching services include:
Face Identification Service,
Facial Recognition Analysis Utility Service,
Face Verification Service,
Identity Data Sharing Service, and
One Person One Licence Service.
Submitters raised broad concerns around these services as a whole. The AHRC noted that features of the Face Identification Service are not described in the Bill, that the Bill does not make clear how the Facial Recognition Service operates, that no detail on the Face Verification Service is included in the Bill, and that important features of the One Licence Service are ‘not mandated’ by the Bill.
In light of this, the AHRC recommended that ‘the provisions defining each of the identity‑matching services should be substantially redrafted, so that their functionality is fully defined in the Bill’.
Similarly, the Law Council was of the view that ‘additional technical information about the nature of the identity matching services and the process for ensuring that there are not false matches should be released publicly to allow informed debate about the proposed legislation’.
Likewise, Future Wise and the Australian Privacy Foundation stated that the identity-matching services ‘comprise the tools of big data in the hands of government, with limited oversight only’.
Mr Fergus Hanson stated that ‘for all identity checking, the minimum amount of personal information necessary should be exchanged.’
Stakeholders also made comment on specific identity‑matching services. Each of these is examined in further detail in the following sections.
Face Identification Service
Proposed subsection 8(1) of the IMS Bill provides that a Face Identification Service involves electronically comparing a facial image of an individual, and other identification information (if any) about the individual, with identification information about one or more individuals that is contained in one or more government identification documents of one or more kinds specified in the request.
The comparison must be for the purpose of identifying the individual, or determining whether the individual has multiple identities, in the course of an identity or community protection activity.
The identity or community protection activity for which the Face Identification Service can be used is restricted to preventing or detecting identity fraud, law enforcement, national security, protective security and community safety.
The Explanatory Memorandum explains that the Face Identification Service is a ‘one-to-many’ facial matching service where a facial image and, where known, other biographic information, is submitted for matching against a specific database through the interoperability hub. The facial matching process, consisting of two stages, will first return a small gallery of the highest matching facial images in the database. After the receiving agency has reviewed the gallery and selected a shortlist of possible matches, they will then have access to the biographic details associated with the facial images on their shortlist, for further examination.
According to the Explanatory Memorandum, providing images via the interoperability hub will mean that this service is restricted to one or more of the databases connected to the interoperability hub. That is, it will not be able to be used to compare a facial image against other facial images not contained in government identification documents, for example a database of CCTV images. Details of requests for the Face Identification Service will be subject to audit logging within the interoperability hub, to improve accountability.
Subsections 8(2)(a) to (p) provide that law enforcement, anti-corruption and Australian Government Departments administering the Australian Citizenship Act 2007, the Australian Passports Act 2005, the Foreign Passports (Law Enforcement and Security) Act 2005 and the Migration Act 1958 may request the provision of the Face Identification Service. Importantly, the service would not be available to non‑government entities, and would only be available to those specifically listed in the primary legislation.
Proposed subsection 8(2)(q) provides that ‘an authority prescribed by the rules’ may also request the provision of the Face Identification Service. The Explanatory Memorandum explains that, in relation to ‘an authority prescribed by rules’, the power is ‘solely intended to allow these agencies to continue using the [Face Identification Service] following a machinery of government, name or legislative change, without having to amend the Act’.
Proposed subsection 8(3) provides that before the Minister makes rules prescribing access to the Face Identification Service, the Minister must be satisfied that the authority has one or more of the functions that used to be functions of an authority described in any of the paragraphs in subsections 8(2)(a) to (p).
Submitters raised specific concerns that there are not sufficient controls on the use of the Face Identification Service and that the provisions do not reflect the IGA.
The AHRC referred to the process outlined in the Explanatory Memorandum (quoted above), and argued that the controls are insufficient, stating that:
There is nothing in the Identity Bill that controls what use may be made of the information returned at either of the two stages above. It would be possible for the receiving agency to capture and retain it for their own records — or even to compile their own databases of information they receive for future use in unrelated matters. It is relevant to note here that the Identity Bill places no limits on the number of [Face Identification Service] requests that may be made.
The Law Council submitted that the Face Identification Service as outlined in the Bill is not in line with the IGA. The Law Council noted that the Face Identification Service ‘has been defined in the Bill to reflect the terms of the [IGA]’, however the Bill ‘does not incorporate the limit that the offence must carry a maximum penalty of not less than three years imprisonment.’ Therefore, the Law Council concludes that the Bill ‘appears inconsistent with the provisions and the spirit of the [IGA]’.
The Queensland Office of the Information Commissioner and the Tasmanian Government also noted this requirement appears in the IGA but not the Bill.
In relation to this concern, the Department of Home Affairs stated that whilst the three-year offence threshold is not in the Bill, ‘it will apply in practice to the sharing of data between jurisdictions, through the application of the provisions in the IGA’. The Department further explained that, due to variations in criminal offences across jurisdictions, it is important that there is a degree of flexibility provided to those wanting to access the Face Identification Service. Contradicting the statement that the three-year offence provision will apply in practice, the Department stated that ‘possibly data from other jurisdictions’ could be used ‘for law enforcement purposes where they may have lower penalty for an offence that would meet the ‘penalty threshold’ in other jurisdictions’.
The Committee also received evidence that access to the Face Identification Service should only be available on the issue of a warrant. The AHRC argued that, whilst there may be circumstances in which the use of a service such as the Face Identification Service is warranted, ‘the use of such a measure must be strictly controlled to ensure that it is employed only when demonstrated to be justified’ and that it ‘would be appropriate to introduce a warrant regime regulating access’ to the Face Identification Service.
The Queensland Council for Civil Liberties raised concerns regarding ‘absent consent of the individuals involved’ and the need for greater safeguards in relation to the expanded use of biometric data. They argued that access to biometric data for ‘purposes other than those for which it was collected and emergency situations, should be limited to cases where the person seeking access has obtained a warrant from a judicial officer’.
The Department of Home Affairs argued against the need for a warrant to access the Face Identification Service. The Department noted that the Attorney-General’s Department’s Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers of 2011 sets out the circumstances when it would be appropriate to require agencies to obtain a warrant. These are:
where there is entry to premises without consent,
where it is required to use reasonable force against things or persons in the execution of a warrant,
where there is seizure of items, and
where there is a monitoring regime involving the above matters.
The Department of Home Affairs stated that requiring a warrant to access the Face Identification Service ‘would have a significant impact on the ability of law enforcement or other agencies to use the services in the course of their activities’. The Department also argued that the time involved in preparing, reviewing and granting a warrant application would delay and possibly undermine law enforcement and national security investigations, impede operational activity and divert resources from investigations.
The AHRC, responding to the claim that a warrant might negatively impact on enforcement, stated that
warrant regimes can be designed, and in fact currently are designed and operated, to allow for warrants to be obtained very quickly in emergency situations and outside business hours overnight. That is quite possible and feasible, and in fact occurs. So that's a factor that needs to be taken into account in assessing just how much of an imposition a warrant regime would place on the use of the [Face Identification Service].
Facial Recognition Analysis Utility Service
Proposed section 9 of the IMS Bill defines a Facial Recognition Analysis Utility Service (Facial Recognition Service) as electronically comparing the facial image of an individual (that is included in a request for the provision of the service made by an authority of a State or Territory) to a database in the Driver Recognition Solution.
The comparison must be for the purpose of assessing the accuracy or quality of identification information held by the authority.
The Facial Recognition Service will allow state and territory road agencies, and other state and territory authorities that may contribute facial images to the Driver Recognition Solution, to conduct biometric matching using their own data. It allows a state or territory to use the facial recognition capability in the Driver Recognition Solution against their own replicated data. Use of this service will be limited to State and Territory authorities.
According to the Explanatory Memorandum, the Facial Recognition Service is most likely to be used by ‘road transport authorities to improve the accuracy or quality of its information holdings, for example, to check against the authority’s own records or to detect and replace poor quality photographic images’.
The AHRC stated that the Facial Recognition Service did not cause them significant human rights concerns as it is a ‘significantly more limited service’ than others created by the IMS Bill. However, they still raised the concern that the Bill
does not make clear precisely how the [Facial Recognition Service] would operate. In particular, it is not clear what information would be supplied in a response to a [Facial Recognition Service] request, and whether it might include information about more than one person. Those matters are not addressed in the secondary materials. The Commission submits that those matters should be clarified in the text of the Bill so that a full assessment of any privacy impacts can be made.
Face Verification Service
Proposed subsection 10(1) defines a Face Verification Service as electronically comparing identification information provided by the person or body making the request with identification information that is contained in a government identification document. The request must specify the kind of identification document used in the request and the request must include a facial image. The request must be for the purpose of verifying the identity of the individual.
The IMS Bill provides that the government authorities (Commonwealth, state, territory and local governments) as well as non‑government entities may use the Face Verification Service where certain conditions are met.
The Explanatory Memorandum provides that, under ‘access policies and data sharing agreements’, the private sector will only be provided with a ‘match or no match’ response, without returning images or biographic information about the person.
The Face Verification Service commenced operation in November 2016, enabling the Department of Foreign Affairs and Trade and the Australian Federal Police to access citizenship images held by the then Immigration Department. At the time of the launch it was announced that other types of images such as visa, passport and driver licence photos would be added over time, and that access would subsequently be expanded to other government agencies.
The Committee received submissions from the Department of Human Services and the Digital Transformation Agency supporting the implementation of the Face Verification Service.
The Department of Human Services currently utilises the Document Verification Service to confirm the authenticity of documents. The Document Verification Service informs Departmental decisions that rely on the confirmation of a person’s identity, but it does not identify whether the documents have been obtained fraudulently. Facial verification is currently undertaken manually by the Department through a ‘visual comparison of a physically present individual against the image on their photo identity document.’
The Department stated that face biometric technology
has the potential to replace this manual process and strengthen the accuracy of identity confirmation against photo identity documents, such as passports and drivers licences, and therefore reduce the risk of incorrect matching.
The Department also stated that the Face Verification Service would assist in confirming a person’s identity where no photographic identification was available, such as following a crisis or emergency.
The Digital Transformation Agency submitted that the Face Verification Service would provide efficiencies in providing government services electronically, without an individual needing to present in person to a shopfront.
However, the Law Council of Australia raised a concern that the ‘match or no match’ response limitation, as mentioned above, is not contained within the IMS Bill. Since access policies and data sharing arrangements supporting the implementation of the Bill have not been provided by the Government for review, they submitted that it is unclear what the terms of those policies and agreements will contain.
In addition, the Law Council noted that the provisions of the IMS Bill regarding local government or non-government entities accessing the Face Verification Service do not take into account the caveats on such access set out in the IGA. The IGA states private sector access to the Face Verification Service to match information held by states and territories will be subject to:
(a) the express approval of the relevant minister(s) in each state or territory to use their jurisdiction’s information for this purpose, to be communicated in writing to the Commonwealth at any stage following signature of this Agreement,
(b) the outcomes of a privacy impact assessment covering the types of Organisations to be given access to the service,
(c) compliance with a [Face Verification Service] Commercial Service Access Policy developed by the Coordination Group, including a fee for service arrangement, and
(d) an [Face Verification Service] Commercial Service audit and compliance programme overseen by the Coordination Group.
Mr Fergus Hanson from the Australian Strategic Policy Institute, speaking in his private capacity, raised concerns around the on-selling of data linked to a verified identity. He stated:
…with the [Face Verification Service], there needs to be specific provision that if that tool is being used for digital identity purposes, then companies, and government as well, should not be able to gather data linked to that verified identity…In my view the onselling of data should be expressly banned when it's linked to use of the FVS for digital identity purposes.
Identity Data Sharing Service
Proposed section 11 of the IMS Bill provides that an Identity Data Sharing Service is the disclosure of an individual’s identification information, for the purpose of an identity or community protection activity, by one authority of the Commonwealth or a state or territory to another authority of the Commonwealth or a state or territory. The Face Identification Service, Facial Recognition Service, Face Verification Service and One Licence are not an Identity Data Sharing Service.
The Explanatory Memorandum states that the Identity Data Sharing Service allows for the ‘sharing of identification information from one entity to another in a secure and accountable manner through the interoperability hub’, [and] ‘does not involve any facial biometric or other data matching’ but ‘merely transmits identification information from one participating entity to another’.
The AHRC acknowledged the need for government to share personal information but stated that the Identity Data Sharing Service regime should not be passed in its current form. The AHRC noted that the Identity Data Sharing Service ‘regime as drafted does not specify the circumstances in which disclosures may be made, nor the extent or types of information that may be disclosed’.
Further, the AHRC argued that ‘laws authorising such disclosures should be precise in their terms and ensure that disclosures will only be possible where necessary and proportionate’. Therefore it is their position that the Identity Data Sharing Service should permit ‘disclosures of information only when necessary, and only to the extent necessary, to achieve a legitimate objective’.
One Person One Licence Service
Proposed section 12 of the IMS Bill provides that a One Licence Service is electronically comparing a facial image of an individual, and any other identification information about the individual, that is included in a request for the provision of the service made by an authority of a state or territory.
The service would compare the supplied information with identification information held in one of the state or territory databases held in the Driver Recognition Solution. The request may only be made by an agency that issues government identification documents, and the comparison made by the service may only be made against a database that holds government identification documents of the same kind. The comparison must be made for the purpose of determining whether a person holds multiple identification documents of a particular type in one or more states or territories. The request may be made directly to the Driver Recognition Solution, or via the interoperability hub.
The One Licence Service will allow a state or territory road authority to check if a person has multiple or fraudulent driver licences anywhere in Australia when that person applies for a new licence or renewal of a licence.
The AHRC noted that it did not hold the same concerns about the One Licence Service as the other identity-matching services (such as the Face Identification Service). This is because, like the Facial Recognition Service, the One Licence Service
uses information that has been collected for the purpose of issuing drivers’ licences, and uses that information for the purpose of protecting the integrity of the licensing regime. That means that these services are using personal information for purposes connected to the purposes for which the information was collected.
Local government or non-government entity requests
As noted earlier, the Minister may only prescribe a new identity‑matching service that ‘involves a request, from a local government authority or non-government entity, relating to an individual’ if the conditions in proposed subsection 7(3) are met. These conditions are that:
a verification of the individual’s identity is reasonably necessary for one or more of the functions or activities of the local government authority or non-government entity,
an individual has consented to the disclosure of identification information, and
the local government authority or non-government entity either carries on activities in Australia from premises in Australia or resides in Australia.
In addition, proposed subsection 7(3)(d) provides a condition that either the Privacy Act 1988 applies to the local government authority or non-government entity, or they are bound by a law of a state or territory, or they have entered into a written agreement that meets the requirements set out in subsection 7(4). Proposed subsection 7(4) requires that the written law or agreement
protects personal information in a way comparable to the APPs,
is capable of monitoring, and
has a means for an individual to seek recourse if his or her personal information is dealt with in a way contrary to the law or agreement.
Submitters expressed concerns about how the provisions in proposed subsections 7(3) and 7(4) would operate. The Law Council pointed out that there was no indication as to who would be responsible for the ‘monitoring of compliance with the law or agreement’ and that participating agencies who are not APP entities under the Privacy Act ‘may not be subject to existing audits or independent oversight by external bodies.’
In addition, the Law Council of Australia argued that the requirement for ‘a means for an individual to seek recourse’ does not provide for that means to be the same as, or equivalent to, the options available to individuals under the Privacy Act. Individuals dealing with a non-APP entity may have a different range of dispute resolution options available to those interacting with an APP entity. The Law Council were concerned that this approach would result in complexity, possible confusion and inadvertent erosion of existing rights.
Australian Lawyers for Human Rights (ALHR) agreed with the Law Council’s concerns and argued that the proposed protection in proposed subsection 7(4) ‘provides very little protection in practice, particularly where the agreement relates to biometric data which of itself removes one of the key APP rights – to be anonymous or pseudonymous’.
Proposed subsection 7(5) provides that before making rules for the purposes of paragraph (1)(f), the Minister must consult the Human Rights Commissioner and the Information Commissioner about the proposed rules. Concerns around consultation with the Human Rights Commissioner and the Information Commissioner were discussed above in relation to the rule making power provided for at proposed subsection 5(1)(n).
Currently, the Bill provides that the only service that a local government authority or non‑government entity may request access to is the Face Verification Service.
Submitters raised a number of concerns around consent. These included concerns about how consent is given for the access and provision of identity services, the monitoring of such consent, and the use of secondary consent. Secondary consent refers to where a person has consented to use of their identification information for the provision of an identity document (such as a driver licence or passport), and that is then taken as consent for use for another purpose (such as for identity-matching services).
ALHR suggested that, if a person’s consent is a pre-condition to the provision of a service, consent given in such circumstances cannot be considered as free and fully informed.
The Law Council outlined a similar concern in relation to service provision. After detailing the four elements of consent in the context of the Privacy Act, they concluded that ‘it is unlikely that individuals will have a genuine choice to withhold consent if they wish to obtain the relevant services’. Further, given that there is no obligation imposed on entities to provide alternative ways of accessing relevant services, ‘consent’ given in such a situation will not satisfy the requirements for consent.
The Victorian Government raised concerns around the practicalities of how such consent may be monitored and ‘who would administer the checks and balances in support of this’.
In relation to secondary consent, Civil Liberties Australia argued that a person consenting to a driver’s licence photo or passport may be considered to have consented to the use of that photo for a legitimate purpose in relation to it, such as road safety or border security. However, this consent ‘is not a general permission to the state to do whatever it wants with the data.’
Similarly, the Human Rights Law Centre (HRLC) argued that people who have consented to having their driver licence photo taken are not also ‘providing free, informed and express consent to the Australian Taxation Office to search and obtain their photo when applying for an [Australian Business Number] at indeterminate point in the future’. The HRLC called for ‘informed debate and careful scrutiny’ of the IMS Bill to ensure that ‘it is targeted and fully justified’.
Future Wise and the Australian Privacy Foundation echoed this view, stating that the IMS Bill represents ‘unacceptable scope creep’, where information collected for one purpose is being used for secondary purposes beyond the scope or conditions supporting its original collection.
The Department of Home Affairs stated that the concept of ‘consent’ in the Bill is based on relevant provisions of the APPs in the Privacy Act and comparable state and territory privacy legislation. In relation to consent, the Department stated that the obtaining of consent for use of the Face Verification Service will operate in the same way as it does in the context of the existing Document Verification Service. The Department noted that the Document Verification Service relies on its private sector users meeting the consent and other privacy requirements referred to in the APP Guidelines.
Commenting on the issue of accessing services, the Department stated that private sector users of the Face Verification Service will need to meet their obligations under the Privacy Act and this may mean that a private sector organisation would have to provide ‘alternative options for identity verification using the [Document Verification Service] or other identity verification processes if a customer does not consent to the use of their identification information through the [Face Verification Service]’.
In relation to secondary consent, the Department stated:
The use and disclosure of personal information for secondary purposes without the consent of an individual is clearly contemplated in certain circumstances under the APPs and comparable state and territory privacy legislation.
The Department explained that it does not interact directly with individuals whose information is used in the services as it is merely the ‘facilitator’ of the identity-matching services and the ‘operator’ of the interoperability hub and the Driver Recognition Solution. Therefore the Department considered that it was impracticable for it to ‘collect consent directly from individuals for the secondary use of their information in the identity-matching services’.
The Department stated that it would
rely on APP 6.2(b), which permits use or disclosure where authorised by a Commonwealth, state or territory law – in this case, the Bill. This will enable the Department to lawfully fulfil its role in transmitting information between agencies participating in the identity-matching services.
Responding to how local government authorities or non-government entities might demonstrate compliance with conditions relating to consent, the Department stated that in most cases ‘data‑holding agencies already have legislative permissions to share identification information without the consent of the individual for some or all of the activities for which the identity‑matching services will be available’.
The Department also undertook to ‘make publicly available information on the operation of the identity-matching services so that the community is aware of and can understand how their information is used through these services’.
Notices to individuals
The Law Council submitted that in order to ‘ensure that users or consumers fully appreciate the basis on which they are providing their identification information’ the IMS Bill should be amended to
more accurately refer to a requirement for the relevant local government authority or non-government entity to provide clear notice to individuals of the collection and use of their identifying information.
The Law Council stated that local government authorities or non-government entities should provide information to individuals whose identities are to be verified using identity-matching services. This should include information about the use of the data including:
practices undertaken in relation to the face matching services,
the risks to the individual in the event that their biometric data is compromised,
the absence of any enforceable legal remedy if the information is lost or breached,
the jurisdiction and control over the data hosting and usage mechanisms, and
the full list of identity-matching systems which may be able to use this data once collected.
In relation to notifying individuals of the use of their identification information in the identity-matching services, the Department stated that
notification to individuals will rely to a significant extent on data-holding agencies, including state and territory road agencies, to inform individuals about the intended use of their information in the identity-matching services. The Department will work closely with these agencies to ensure that these notifications are updated as the services come online for different data sources.