The Senate Legal and Constitutional Affairs Legislation Committee has issued 12 recommendations on how to improve the Identity Verification Services Bill 2023, focusing on privacy safeguards. The Bill creates a legislative framework that underpins the function of the government’s identity verification services, which are used to compare and verify individual information against documents and existing government records.
The Committee provided the following recommendations after reviewing the Bill:
- The Bill is to be amended to provide a rule making power to strengthen privacy safeguards
- The Bill is to be amended to provide that ‘identification information’ as defined in clause 6 is ‘personal information’ for the purposes of the Privacy Act
- The Bill is to be amended to provide that a breach of a participation agreement that relates to a privacy matter by an Australian Privacy Principles (APP) entity constitutes an interference with privacy under the Privacy Act
- The Explanatory Memorandum is to be amended to make clear that participation agreements must be privacy-enhancing and consistent with the APPs
- The Explanatory Memorandum is to be amended to clarify that the compliance obligations under the Bills do not alter a participating entity’s obligations under the Privacy Act
- Clause 40 of the Bill is to be amended to enliven the Office of the Australian Information Commissioner’s (OAIC) existing assessment powers in subsection 33C(1) of the Privacy Act in relation to the annual assessment requirements
- The Bill is to be amended to ensure that individuals are notified when there is a data breach that is likely to cause them serious harm
- The Bill is to be amended to allow entrusted persons (for example, a departmental employee) to disclose protected information to the Information Commissioner or an OAIC staff member, for the purpose of the Commissioner or OAIC exercising a power or performing a function or duty
- Clause 44 of the Bill is to be amended to require the Information Commissioner to be consulted on the rules, as they relate to privacy, before they are made under clause 44
- The Bill is to be amended to only include express consent and not implied consent
- The Bill is to be amended to provide for an interim review after 12 months. That interim review should focus on the adequacy of the privacy and security protections operating in the identification verification services scheme and whether there is merit in developing a civil penalties framework within the scheme
- Subject to the preceding recommendations, the Committee recommends that the Senate pass the bills.
For a full reading of the recommendations, see here.