Privacy and security

Identity Verification Services keep your data private and secure

The privacy and security information on this page relates to the Identity Verification Services. For information about website privacy, please visit the Attorney-General's Department website privacy page.

Protecting privacy

'Privacy by design' is a guiding principle of the Identity Verification Services. We work to proactively embed privacy into the design, network infrastructure and operation of the services.

We’ve implemented best practice security and access arrangements to protect data from cyber-attacks and data breaches. These systems are subject to independent penetration and vulnerability tests.

We have conducted numerous privacy impact assessments (PIAs) to ensure our systems comply with Australian privacy principles and will continue to do so into the future.

This means that the Identity Verification Services protect your personal information every step of the way.

To find out more about how the Identity Verification Services protect your privacy, see our privacy statement.

Consent

The Identity Verification Services verifies your identity with your consent. If you choose not to give consent, you may need to complete an alternate method for verifying your identity that may not be as fast or secure.

We may also disclose your personal information without your consent to law enforcement or security agencies under certain circumstances required or authorised by law.

While it is important for individuals to have control over their personal information, it would be impractical to allow persons to opt-out of having their personal information shared in this way. To do so would effectively provide criminals with the ability to ‘opt-out’ of their information being made available to law enforcement agencies that are investigating criminal offences, or allow people using fraudulent identity documents to avoid detection.

Protecting information

In most cases, the government agency that originally issued your identity information will continue to hold it. The agency will also have their own system to ensure the safety of your data.

The Identity Verification Services use encryption and authorisation procedures approved by the Australian Signals Directorate to ensure data protection, security and confidentiality.

Our services are assessed and accredited in accordance with the Australian Cyber Security Centre’s Information Security Manual, and the Protective Security Policy Framework.

In the unlikely event of a data breach to the National Driver Licence Facial Recognition Solution (NDLFRS), the relevant state or territory agency will be responsible for notifying you. If your personal information is revealed accidentally, you will be notified of the steps you should take in response.

There are also strict penalties for exposing personal information without a lawful authority. Staff with access to your personal information may be liable to criminal charges or workplace disciplinary sanctions.

Information storage

The Identity Verification Services use what we call ‘hubs’ which are technical systems that act as ‘routers’ to securely transmit matching requests between the organisation using the service and the agency which holds the information on your identity document. The hubs design protects data and does not allow for the viewing or modification of any information. Only agencies that issue identity documents are able to correct data inaccuracies.

The hubs do not retain your personal information or conduct any matching. Personal information is not kept or transmitted by hubs to verify or identify individuals. As a general rule, transaction data is not retained permanently. The hubs keep transaction data for the minimum period required under the law and for auditing purposes.

In the case of driver licences, the Document Verification Service hub checks your information with the National Exchange of Vehicle and Driver Information System (NEVDIS). Austroads Ltd operates the NEVDIS on behalf of driver licencing authorities.

The Document Verification Service hub does not transmit facial images.

Over time, driver licencing authorities will provide facial images from driver licences to the National Driver License Facial Recognition Solution (hosted on behalf of the states and territories by the Attorney-General's Department). This includes a facial image template for biometric matching.

Access to information

Approved organisations in Australia and New Zealand can use the Document Verification Service while only approved Australian organisations can access the Face Verification Service (FVS). Use of the services must be reasonable, necessary and proportionate to a user’s functions or activities.

The Document Verification Service is currently used by more than 2,600 government and private sector organisations.

The Face Verification Service is only used by Australian Government agencies.

In the future, local government, state and territory governments and private sector organisations will use the Face Verification Service subject to Participation Agreements that outline strong privacy, security and oversight requirements for them to access the services, including provision of the expressed consent from individuals.

For more details on the conditions of access to the Face Verification Service, see our access policies - privacy statement.

Removing information

While individuals are not able to ‘opt-out’ of our services, a comprehensive set of protection measures are in place to protect your privacy.

One of the main reasons for establishing the Identity Verification Services is to prevent the use of stolen identities. If an ‘opt-out’ option was allowed, it could create a loophole for criminals to avoid detection.

The Identity Verification Services systems are based on best practice security and access frameworks. The Identity Verification Services use encryption and authorisation procedures approved by the Australian Signals Directorate.

For more information, read our privacy statement.

Facial images verification

With the exception of the protection of people with assumed identities (for example people in witness protection), the Identity Verification Services only verifies identity based on consent. If consent is not provided, a person may need to provide an alternate method (that may not be as fast or secure) for verifying their identity.

Personal information may be disclosed without consent to law enforcement or security agencies under certain circumstances, where this is required or authorised by law.

For more information, read our privacy statement.