Consent obligations for private sector users

This page provides information for business users, gateway service providers and identity service providers. It outlines information on collecting consent when verifying an individual’s identity through the Document Verification Service (DVS), as contained in:

Using a consent statement

You must collect a person’s express consent to verify their identity using the DVS.

You can collect consent through a written statement that seeks a person’s permission for your organisation to collect, use and disclose their personal information to verify their identity. Consent statements protect privacy by allowing a person to control when their personal information is collected, used and disclosed.

Writing a consent statement for the DVS

Seeking express consent

Clause 5.4 of your participation agreement requires you to collect express consent before verifying a person’s identity through the DVS. It requires you to make sure certain information is included in your consent statement:

  • confirmation that the person is authorised to provide their personal information
  • the reason the information is being requested and what it will be used for.  

What express consent is

Express consent is consent that a person gives openly and obviously. They can give it verbally or in writing. You can collect express consent electronically through methods such as a checkbox.

You are not allowed to infer that a person has given their express consent for a DVS check. Because express consent must be unambiguous, requiring individuals to ‘opt out’ of consent is also not permitted.

What informed consent is

A person gives informed consent when they are aware of the consequences of giving or not giving their consent. This means you need to clearly state how your organisation will handle personal information. You should make sure your consent statement is written in plain language and clearly sets out what will happen if a person gives or does not give consent.

Consent statement example

You may want to refer to the following model consent statement when drafting your consent statement. This example is in the DVS Access Policy:

☐ I confirm that I am authorised to provide the personal details presented and I consent to my information being checked with the document issuer or official record holder via third party systems for the purpose of confirming my identity.

To ensure the consent statement reflects your organisation’s specific circumstances, you may want to seek legal advice.

Other necessary information

Clause 5.5 of your participation agreement includes information you must give a person before they can give their express consent. It is up to you to decide how to provide this information. It can be:

  • a link within the consent statement to external documents
  • included in the text of the consent statement itself.

If you choose to link to external documents – such as privacy policies or legislation – you must make sure your consent statement links to them clearly. You must make sure that individuals can review this information before giving their consent. 

Obligation not to use or disclose identification information

  • Clause 5.6 of your participation agreement prohibits you from using identification information collected as part of a DVS check to:
  • create a data profile of the person
  • offer to supply goods and services (or enable another to do so)
  • advertise or promote goods or services (or enable another to do so)
  • conduct market research.

If you do not meet this obligation, you will be in breach of your participation agreement. Your use and access to the DVS may therefore be suspended or terminated.

Using the Collection Notice Template

We have published a Collection Notice Template. You can customise this template to create a notice that will let people know:

  • when you can collect their personal information
  • how you will handle their information after you have collected it.

The Collection Notice Template also has general guidance to help you meet your obligations under the participation agreement.

Your obligations when providing information

The box below helps you understand how to meet each of the requirements under clause 5.5 of your participation agreement.

  1. How you use the DVS: You must inform individuals about how you use the DVS. You may refer to the process of verifying an identity but are not permitted to refer directly to using the DVS. This may require that your consent statement includes reference to using a ‘third-party system’ for the purpose of identity verification.
  2. Your legal obligations: You must inform individuals about your own legal obligations when collecting their personal information. This may include directing a person to the privacy legislation that your organisation applies (such as the Privacy Act 1988 (Cth) or equivalent state, territory or New Zealand legislation).
  3. Rights of individuals: You must inform individuals of their legal rights in relation to their personal information. This may include providing information about their ability to access and correct their information, about destruction of their information or about their right to know what information is being held.
  4. Consequences of declining to consent: You must inform a person about what will happen if they choose to withhold consent, such as not being able to access your organisation’s services.
  5. Complaints mechanisms: You must provide individuals with information about how they can make complaints about the collection, use or disclosure of their personal information.
  6. Information about operation of the DVS: Although you are not permitted to disclose that you use the DVS, you are permitted to direct a person to the IDMatch website for information about the operation of the DVS. You may wish to provide the link to the IDMatch homepage in your consent statement.

More on consent obligations

The OAIC has published resources explaining express, informed and bundled consent at Consent to the handling of personal information.

If you need more information on consent statements, please contact us at ivscompliancereporting@ag.gov.au.

This information should not be taken as legal advice. You should seek legal advice if you do not understand your legal obligations or how the legal requirements for collecting consent apply to you.