Identity crime is one of the most common crimes in Australia, costing an estimated $2bn p.a. It is also a key enabler of organised crime and terrorism.
The Document Verification Service (DVS) is an essential part of the government’s efforts to combat identity crime. The DVS is a secure, online system that enables organisations to verify information on identity documents against the records of the document issuing agency. As a key initiative of the National Identity Security Strategy agreed by the Council of Australian Governments (COAG) in April 2007, the DVS is managed by the Attorney-General’s Department (AGD) on behalf of the participating Commonwealth, state and territory document issuing agencies. Use of the DVS is growing significantly, particularly since it was made available to the private sector in 2014. There are now more than 30 government agencies and over 190 businesses using the service (as at August 2015). The DVS was designed to help prevent the use of fake identities – not necessarily cases involving the theft or takeover of a real person’s identity.
The Australian Government is augmenting the DVS with a National Facial Biometric Matching Capability to enable government agencies to better use facial images to detect and prevent this more sophisticated type of identity fraud, while maintaining robust privacy safeguards. This capability will link the facial recognition systems of participating agencies via a network in which images may be shared, on a query and response basis, via a central exchange or interoperability hub (Hub). In doing so the Hub does not store any personal information. This ‘hub and spoke’ based approach offers a range of privacy and other benefits, when compared to alternative models such a centralised biometric database.
The functions of the Hub are being designed to enable agencies to participate in a range of new identity verification and related services (collectively referred to below as ‘the Services’) to complement the DVS:
Consistent with the objectives of the National Identity Security Strategy, AGD is working with states and territories, via the COAG Law Crime and Community Safety Council (LCCSC) and Transport and Infrastructure Council (TIC) respectively, to explore the scope for police and road agencies to participate in the Capability. Arrangements to support state and territory participation are being developed in the form of an intergovernmental agreement which will outline the policy, legislative, funding and governance arrangements to support the Capability; and will be supported by data sharing agreements between participating agencies.
AGD commissioned a preliminary privacy impact assessment (PIA) on the design of the Hub that was undertaken independently by Information Integrity Solutions Pty Ltd (IIS). In its report, IIS makes 16 recommendations on the design and governance of the Hub, all of which AGD has accepted either in whole or in part. Details of AGD’s response to these recommendations are provided below.
IIS recommends that AGD in its role as Hub manager commit to complying with the APPs, whether or not the Hub is legally considered to collect or hold personal information.
AGD is committed to maintaining robust privacy safeguards in the design, implementation and ongoing management of the Hub and its Services.
AGD will implement this recommendation by adopting a ‘Privacy by Design’ approach that seeks to limit any privacy impacts, as far as practicable, and ensure that they are reasonable and proportionate to the objectives of the capability. This approach will reflect a broad view of the concept of privacy, in addition to ensuring compliance with privacy laws. Consistent with this approach, the governance arrangements for the Services will take into account the initial and future scope of information sharing through the Hub. These arrangements will include an IGA between the Commonwealth and states and territories, with oversight by the LCCSC which includes ministers with portfolio responsibility for privacy within each jurisdiction.
No biographic or biometric information can or will be stored in the Hub. However in order to ensure that the Services are operating effectively and are only accessed for legitimate purposes, certain types of transaction data must be collected for audit and control purposes.
AGD will implement this recommendation by ensuring that only the minimum amount of such data required for these purposes will be collected. Example categories of these data include:
These data will only be retained for the minimum period of time needed for efficient and effective operation of the Services and will only be made available to the transacting agencies or relevant oversight bodies.
IIS recommends that AGD ensure the Hub design supports agencies’ ability to make well-informed decisions to release images or biographic data based on a clear understanding of the purpose and authority for the request.
AGD will implement this recommendation by designing the Hub in a way that enables agencies to include details of the purpose and authority to share images as part of information sharing/matching requests. This will be supported by formal interagency data sharing agreements between participating agencies that will outline the purpose and authority for information sharing to be facilitated through the Hub. In entering into these agreements, agencies disclosing information will be free to negotiate the terms and conditions for the release of that information to requesting agencies. Agencies will be required to enter into these agreements before being provided with access to the Services.
AGD will implement this recommendation through arrangements to ensure that access to the Services will only be provided to authorised individuals within participating agencies, and that individual users will be required to re-confirm their need and authorisation to use the Services at regular intervals.
Under the proposed IGA, agencies participating in the Services should provide appropriate training to personnel using the Services, including training on privacy obligations, security awareness and employment and secrecy obligations. Access to Services will be conditional on Agencies establishing procedures for the management and training of nominated users in accordance with the interagency data sharing agreements.
Agencies will be encouraged to ensure that the caches of any online systems connected to the Hub are cleared of images and other personal information at the conclusion of each session. Where it is technically feasible, caches will be cleared automatically by the Hub on a regular basis.
Agencies’ compliance with these and other requirements will be the subject of regular audits, performed by or in consultation with agencies holding facial images, which will be a condition of Agencies’ access to the Services.
AGD will implement this recommendation through arrangements that limit access to the FIS to appropriately authorised and trained users within law enforcement and security agencies or specialist fraud prevention areas within agencies that issue passports, immigration and citizenship documents and driver licences.
AGD acknowledges that the FIS has a greater potential impact on the privacy of individuals. Further, the risk of accidental or unauthorised disclosure of certain protected identity information through this Service needs to be actively managed.
AGD notes the benefits and costs associated with use of the Services will accrue primarily with the Commonwealth, state and territory agencies that use them, rather than AGD. A benefits assessment using the methodology recommended will therefore require close engagement and input from participating agencies to complete.
AGD will implement this recommendation by developing a methodology to assess the costs and benefits of the Services that includes consideration of privacy impacts and oversight costs. Developing a methodology for assessing costs to privacy regulators will add complexity to this process and will require input and agreement from all jurisdictions.
AGD is committed to implementing and operating the Services in a transparent manner to help build and maintain public confidence in the Government’s efforts to combat identity crime.
On 9 September 2015, the Minister for Justice publicly announced the government’s establishment of the capability. The Minister’s announcement indicated the broad scope of the capability and its Services, foreshadowing that an initial FVS would commence operation in mid-2016.
In addition to publishing this PIA and this response, AGD will also make available details of the policies and agreements that support agencies participation in the Services. Further, AGD will require agencies to publish, on an annual basis, information on the outcomes of audits of their participation of the Services, except to the extent that any information published would compromise security of the system.
AGD will implement this recommendation by requiring agencies to publish details of the interagency data sharing agreements that support their participation in the Services. As the manager of the Hub, AGD will maintain a published register of these agreements.
Agencies will be expected publish these agreements, wherever possible, unless they contain information that is not suitable for public release, in which case details of the agreements will be made publicly available to the extent possible.
IIS recommends that AGD’s documents and communications in relation to the NFBMC, including design specifications, undertakings and governance proposals, make clear the limits on the initial scope of the NFBMC so it will be quite clear when a change in the number or type of participating agencies, in the nature of the biometric and/or biographic information transmitted, or the information held in the Hub, would move beyond the initial scope and therefore trigger further privacy assessments.
AGD will implement this recommendation through the proposed IGA which sets out the initial scope of the Services. The IGA also sets out a process by which changes in the nature or scope of the Services may be implemented. The LCCSC is ultimately responsible for making decisions on significant new initiatives (such as the sharing of other types of biometric information or the use of the FVS by the private sector). The LCCSC must consider the impact of the initiative on privacy and the public interest as part of its decision making process.
IIS recommends that the membership of governance bodies with a role in monitoring the operations of the NFBMC or in making decisions about changes in its scope or operations include an independent representative able to present individuals’ perspectives.
AGD acknowledges importance of ensuring that there is a public interest test in key decisions on the operation of the Services and considers that this can be achieved through proposed governance arrangements.
Under the proposed IGA, the officials-level Coordination Group will be responsible to the LCCSC for the operation and governance of the Services. Membership of the Coordination Group includes a representative of the Office of the Australian Information Commissioner who acts as an independent observer or adviser on privacy issues. State and territory representatives will be expected to consult with their respective privacy commissioners and/or ombudsmen in exercising their responsibilities for oversight of the Services.
At the ministerial level, responsibility for oversight of the Services will rest with the LCCSC, a body comprising ministers with portfolio responsibility for privacy and/or human rights. The proposed IGA requires that, in considering any significant new initiatives relating to the Services, the LCCSC must consider the impact of the initiative on privacy and the public interest.
AGD supports the intent of this recommendation and will implement it through an IGA that provides for:
AGD acknowledges that any legislative impediments to cross-jurisdictional cooperation and information sharing between oversight bodies may have an impact on the regulation and oversight of agencies’ use of the Services.
However, the oversight of cross-jurisdictional information sharing is broader than the Services and as such would be more appropriately dealt with outside of the proposed IGA.
AGD supports the intent of this recommendation to minimise the potential for information sharing that unnecessarily impacts on the privacy of individuals. To help manage this risk, AGD will make access to the Services conditional on agencies entering into agreements that:
AGD will develop a standard template for interagency data sharing agreements and will encourage and assist agencies to consolidate the number of agreements involved in the provision of the Services. For example, this could be achieved through the development of consolidated agreements covering all state and territory police and road agencies respectively.
AGD will also retain discretion not to provide access to the Services, or to suspend or terminate access to the Services, on the grounds that an Agency is suspected or found to be in breach of its privacy obligations. This discretion will be exercised in accordance with any procedures developed and maintained by the Coordination Group. For example, this discretion may be exercised upon receipt of a complaint from a privacy regulator or oversight body, or upon a request from an agency from which information is provided.
AGD supports the intent of this recommendation and will implement it through an IGA that provides for a review of the Services after three years. The detailed terms of reference for this review will be determined at that time, informed by this recommendation and the subsequent experience of agencies’ participation in the Services. In broad terms, the review will assess:
AGD will implement this recommendation through an IGA that provides for governance processes that require decisions on significant changes or new initiatives relating to the Services to be informed by consideration of benefits and costs, including privacy impacts and the broader public interest. Where possible, this will be informed by wide consultation with a range of non-government stakeholders.