If you use identity verification services (IVS), this information will help you meet your compliance reporting requirements.
To protect the privacy of individuals when verifying their identity, safeguards were introduced under the Identity Verification Services Act 2023 (Cth) (IVS Act). These include compliance reporting requirements.
As an IVS user, your organisation has a participation agreement that sets out what you need to do to meet your compliance reporting requirements each year. Not meeting these requirements may result in your IVS access being suspended or terminated.
The Attorney-General’s Department has established a compliance reporting process to help you meet your obligations when engaging with the IVS, including the handling of personal and sensitive information.
We require all IVS users to:
All users with a participation agreement must submit a compliance statement, even if they have not accessed or used the IVS in the 12‑month reporting period.
We will contact your organisation each year to start the compliance reporting process. Reporting will cover the previous 12‑month period, so you should keep records of how you use the IVS.
We will send you a compliance statement template 10 weeks before you need to submit your statement. This will give you sufficient time to complete a self-audit of your IVS use and complete your compliance statement.
Your compliance statement template will include instructions on how to complete and submit your statement. It will also specify the due date.
You must complete and return your compliance statement by the deadline to meet the requirements of your participation agreement.
You do not need to start your self-audit or your compliance statement before we advise that your compliance reporting is due for the year.
Your organisation must complete a self-audit of its IVS usage each year as part of your participation agreement. You can conduct the audit internally or use an independent auditor. If your organisation chooses to use an independent auditor, this will be at your own expense.
We have developed the compliance statement template to help you complete your self-audit by reflecting on the requirements in your participation agreement.
Your self-audit should:
If your organisation identifies any non-compliance with its participation agreement, you must disclose all non-compliance in your compliance statement.
Once you have completed your self-audit, you do not need to send us an audit report. Instead, you must ensure that your self-audit is finalised and your compliance statement is completed and submitted before the deadline.
You must retain all records relating to the self-audit in line with clause 6.5 of your participation agreement.
You must take steps to address any non-compliance discovered during your self-audit process. We can help you work out what action to take.
We will email you a compliance statement template at the beginning of each year’s compliance reporting process. Compliance statements guide and record the process and outcomes of your self-audit. Under your participation agreement, compliance statements are the only documentation you need to submit to us.
Your organisation must complete one compliance statement for each participation agreement that it holds. If you need to submit multiple compliance statements, we will provide you with each of the templates with a due date.
Your organisation will need to complete a compliance statement even if it has not accessed or used the IVS during the 12-month compliance reporting period.
We may update the compliance statement template between reporting periods, so it is important that your organisation does not reuse a template from a previous year. Compliance statement templates differ between the types of IVS users, so please only use the template we send you.
The compliance statement is made up of ‘yes/no’ and extended response questions. You must ensure that your compliance statement is completed in full.