Govt to ban one-to-many face matching by police

Authorities will be banned from using facial recognition capabilities operated by the federal government to conduct one-to-many identity matches under re-drafted legislation first proposed more than four years ago.

The change will also allow the private sector to access government facial verification systems for the first time, addressing privacy concerns in the wake of several high-profile data breaches, including at Optus and Medibank.

Attorney-General Mark Dreyfus introduced the Identity Verification Services Bill 2023 to Parliament on Wednesday, paving the way for the greater use of identity verification and reduced retention of identity documents.

The bill effectively replaces the 2019 Identity-Matching Services Bill that was thrown out by the bipartisan Parliamentary Joint Committee on Intelligence and Security in October 2019 over privacy and transparency concerns – the first time it had done so since 2002.

A major sticking point with the bill was the fear that the proposed laws could allow mass surveillance of citizens, with one-to-many matches to be used to identify unknown persons and detect people using fraudulent identities.

Unlike the 2019 bill, the new legislation prohibits one-to-many matching for law enforcement to provide “increased certainty and transparency for Australians about how the services can be used”, Mr Dreyfus said.

“The bill will only authorise the use of one-to-one matching by public and private sector entities with the consent of the relevant individual,” the Attorney-General said while introducing the bill to the House of Representatives on Wednesday.

“One-to-many matching will not be able to be conducted through identity verification services for law enforcement, intelligence gathering or community protection.”

One-to-many matching will now only be available for the purpose of protecting the identity of persons with a legally assumed identity, such as undercover officers and protected witnesses, for which there is “substantial public interest”, Mr Dreyfus said.

The changes come as the government prepares to consult on legislation for an economy-wide expansion of its digital identity system, which will rely on identity matching services like the Face Verification Service (FVS).

The FVS is an automated capability that allows a person’s photo to be matched against an image on their identity documents, much like how the document verification service (DVS) works for biographic information.

While the service has existed since November 2016, access has been limited to government agencies for the purposes of verifying immigration documents related to citizenship and visas, as well as passports.

The service is predominately used to verify photos when a myGovID is created but has also previously been used to identify citizens following the loss of documents in a natural disaster. Last year alone, there were around 2.6 million FVS transactions.

The bill will also allow for one-to-one matching of driver’s licences through the National Driver Licence Facial Recognition Solution (NDLFRS), ensuring “more Australians can create digital IDs”, Mr Dreyfus said.

The NDLFRS is one part of the National Facial Biometric Matching Capability, also known as the Capability, which federal, state and territory leaders agreed to create for law enforcement purposes in October 2017.

Public and private organisations that use the services for a fee must be subject to the Privacy Act or a state or territory privacy law, or agree to be bound by the Australian Privacy Principles. Any data breaches must also be reported.

“This will give the Australian community confidence that the government is protecting their personal information,” Mr Dreyfus said.

Organisations must also gain informed consent when verifying a person’s identity, as well as provide information about how identity information will be used, retained and disposed of, and about a person’s rights.

“These protections will be implemented through participating agreements between the department and requesting agencies or organisations, which can be suspended or terminated if terms are breached,” Mr Dreyfus said.

The Attorney-General’s Department will maintain the identity verification services, including the Face Matching Services Hub and the NDLFRS, having assumed responsibility from the Department of Home Affairs last month.

Home Affairs awarded Fujitsu a $37 million contract to manage the technology behind the services over the next three years in January, replacing two separate deals with NTT worth a combined $93.8 million.

Mr Dreyfus added that the department would be required to use encryption and “do anything else necessary” to maintain the security of identity verification services and information contained in the NDLFRS.
