Completing a compliance statement

Completing a compliance statement

This information guides organisations using the identity verification services (IVS) on how to complete a compliance statement. You must complete a compliance statement each year to continue to use the Document Verification Service (DVS).

Who needs to complete a compliance statement

A compliance statement is a questionnaire that documents your organisation’s compliance with its DVS participation agreement, the Identity Verification Services Rules 2024 and the DVS Access Policy. It ensures that your organisation has implemented the necessary technical, privacy and security safeguards to sufficiently protect individuals’ personal information.

Your organisation must submit a compliance statement each year – even if you haven’t accessed or used the DVS in the 12‑month reporting period. This is outlined in clause 6 of your DVS participation agreement.

The Attorney-General’s Department will request that you complete your compliance statement within a set timeframe. We will then review your compliance statement.

Not completing a compliance statement within the timeframe may result in your access to the DVS being suspended or terminated.

To address the questions in the compliance statement, you will need to complete an annual self-audit. Your compliance statement will document the outcomes of your audit. For more on self-audits, visit Understanding your compliance reporting requirements.

When you will receive your compliance statement

Each reporting period, we will email you a compliance statement template. We may update templates from year to year, so it’s important to use the template we send you for the current reporting period. Do not reuse a compliance statement from a previous year.

How to complete your compliance statement

Your compliance statement template will include instructions on how to complete your statement. Read the instructions and complete the questions as prompted. You must complete:

  • every multiple-choice question
  • extended response questions when applicable.

We will send you the compliance statement template as a fillable PDF so you can complete it electronically. You can print, complete and sign the statement by hand if your organisation prefers. A senior representative of your organisation must sign the compliance statement.

How the compliance statement is structured

The compliance statement contains 2 types of questions.

‘Yes/no’ questions

These questions confirm whether your organisation is meeting your obligations under your participation agreement or following our best practice recommendations. For some questions, we encourage best practice procedures that demonstrate compliance with the DVS business user participation agreement or DVS Access Policy.

If your organisation does not adhere to our recommended best practice, you will be given an opportunity to supply an extended response to explain how you otherwise comply with the requirements of your participation agreement. 

Extended responses

The template will prompt you to complete extended responses based on your answers to the ‘yes/no’ questions. The extended response must give clear and specific details of how you comply (or haven’t complied) with the requirements of your participation agreement. 

What you need to report

You will be asked to report on your compliance with the following aspects and corresponding clauses in your DVS participation agreement depending on your role:

  • Question 1: Personnel training (clause 4.1)
  • Question 2: Privacy information and processes (clause 5.5)
  • Question 3: Express consent statements (clause 5.4)
  • Question 4: Alternative methods of identity verification (clause 12.1)
  • Question 5: Security requirements (clause 10.1)
  • Question 6: Privacy and security breach reporting (clause 10.3)
  • Question 7: Audit and compliance reporting (clause 6)
  • Question 8: Personal information use and retention (clauses 4.7 and 5.6)
  • Question 9: Public statements about the DVS (clause 4.7)
  • Question 10: Privacy Impact Assessment (clause 5.3)
  • Question 11: Overseas personnel (clause 4.7)
  • Question 12: Intermediary service providers (clause 3.6 of the DVS Access Policy)

  • Question 1: ID Service Clients compliance (clause 3.1)
  • Question 2: Personnel training (clause 4.5)
  • Question 3: Privacy information and processes (clause 5.5)
  • Question 4: Express consent statements (clause 5.4)
  • Question 5: Alternative methods of identity verification (clause 12.1)
  • Question 6: Security and technical requirements (clause 10.1)
  • Question 7: Privacy and security breach reporting (clause 10.3)
  • Question 8: Audit and compliance reporting (clause 6)
  • Question 9: Personal information use and retention (clauses 4.12 and 5.6)
  • Question 10: Public statements about the DVS (clause 4.12)
  • Question 11: Privacy Impact Assessment (clause 5.3)
  • Question 12: Overseas personnel (clause 4.12)
  • Question 13: Intermediary service providers (clause 3.6 of the DVS Access Policy)

  • Question 1: Gateway user compliance (clause 3.1)
  • Question 2: Personnel training (clause 4.7)
  • Question 3: Privacy information and processes (clause 5.5)
  • Question 4: Express consent statements (clause 5.4)
  • Question 5: Alternative methods of identity verification (clause 12.1)
  • Question 6: Security and technical requirements (clause 10.1)
  • Question 7: Privacy and security breach reporting (clause 10.3)
  • Question 8: Audit and compliance reporting (clause 6)
  • Question 9: Personal information use and retention (clauses 4.15 and 5.6)
  • Question 10: Public statements about the DVS (clause 4.15)
  • Question 11: Privacy Impact Assessment (clause 5.3)
  • Question 12: Overseas personnel (clause 4.15)
  • Question 13: Intermediary service providers (clause 6.7)

The information in your compliance statement must apply to the reporting period we specify. We will outline the dates for this period when we send your compliance statement template at the beginning of the reporting process.

How to lodge your compliance statement

When we send you the compliance statement template at the start of your reporting period, we will include instructions on how to lodge your completed statement.

What to do if you report non-compliance

All non-compliance must be documented in your compliance statement.

If you report non-compliance, you must send us a management response detailing how and when you will address the non-compliance. You must submit the management response within 14 calendar days of lodging your compliance statement. We can help you work out what steps to take to become compliant.

Visit Audit and compliance remediation process for more on remediating non-compliance.

Contact us

If you need help completing or submitting your compliance statement, please email us at ivscompliancereporting@ag.gov.au.

The information on this page is not and should not be taken as legal advice.