The federal government is rushing to “retrofit” a legislative framework onto its existing use of identity verification services and has been urged to wait until Privacy Act reforms are completed instead.
Attorney-General Mark Dreyfus last month introduced the Identity Verification Services Bill 2023 (IVS Bill) and the accompanying Identity Verification Services (Consequential Amendments) Bill to Parliament.
It represents another attempt at the previous Coalition government’s highly controversial Identity-Matching Services Bill from 2019, which was eventually shelved following recommendations from the Parliamentary Joint Committee on Intelligence and Security.
The bills lay down a legislative framework for the government and industry’s use of identity verification services, with an aim of ensuring they are “secure and protect the privacy of Australians”, Dreyfus said.
These services encompass three elements: the verification of documents, the verification of faces, and the identification of faces. This is done through the use of government-held documents and biometrics from the likes of passports and driver licences.
The Labor government made a number of changes to the Coalition’s efforts, including to severely restrict the use of controversial one-to-many identity matches to only for helping to identify “shielded people”, such as undercover police officers or witnesses under assumed names.
The bills were sent to the Senate Legal and Constitutional Affairs Legislation Committee for inquiry in mid-September, with submissions due by the start of October and the final report to be tabled on 9 November.
The Committee held its first public hearing as part of the inquiry in Brisbane on Monday, with witnesses including the Law Council of Australia, Digital Rights Watch and the Australian Human Rights Commission.
Witnesses at the hearing were largely supportive of the introduction of the legislative regime for identity-matching services and the changes made from the previous effort but were highly critical of the short timeframe given to the inquiry and the fact the government has been using these services for several years without any legislative basis.
While previous plans for these bills were ditched in 2019, the Commonwealth has continued to use the range of identity verification services at its disposal.
The Document Verification Service was used more than 140 million times by about 2,700 government and industry sector organisations last year alone, while there were 2.6 million Facial Verification Service transactions in 2022-23.
In its submission, the Attorney-General’s Department said these services are a “critical capability” that is used every day by the government and the private sector.
Digital Rights Watch chair Lizzie O’Shea told the Committee it is unclear under what legislative basis the government has been doing these checks.
“I think there’s a real question about the legality of the scheme, and the haste is about protecting the government from liability,” O’Shea said.
The government is now “retrofitting a legislative foundation to an existing set of practices”, Digital Rights Watch said in its submission.
“We note that the IVS Bill seeks to instate a legislative framework for processes that are already in practice,” the submission said.
“It is entirely inappropriate for these practices to have been occurring for so long, without a legislative authority to do so.”
The Law Council of Australia also criticised the use of these services without any laws underpinning it, and said it largely supports the introduction of the legislation.
“Pleasingly, the bills appear to be more robust, both in terms of privacy and human rights safeguards, compared to the 2019 bill,” the organisation said.
“It is vastly preferable to have a legislative foundation in place for an identity verification framework which has already been in use for several years.”
Much of the privacy protections included in the bills are based on the Privacy Act, which the government is currently in the process of significantly reforming.
Several witnesses at the public hearing called on the government to pause its identity verification services until these reforms are completed.
“The privacy protections built into the Verification Services Bills are currently incomplete and not appropriate to safeguard privacy against verification technologies,” the Human Rights Commission submission said.
“The Privacy Act reforms must be completed before the Verification Services Bills are enacted.”
Interested parties were given only 12 business days to make a submission to the inquiry into the identity services bill, and its report will be delivered less than two weeks after these public hearings.
“This inquiry does not reasonably enable the Committee to carefully scrutinise whether the bills strike the correct balance,” the Law Council of Australia told the Committee.
Digital Rights Watch also criticised the “extremely short amount of time” given to the inquiry, which “does not allow for genuine input from, or engagement with, civil society and community concerns”.
