Skip to main content

Response to Recommendations – Document Verification Service – Greater Private Sector Access – Privacy Impact Assessment

  • Privacy Impact Assessment


In early 2014, the Attorney-General’s Department (AGD) commissioned Clayton Utz to undertake independent privacy impact assessments (PIAs) of a proposal to expand private sector access to the Document Verification Service (DVS). Separate PIAs of the proposal were conducted:

  • a Commonwealth PIA under the Privacy Act 1988 (Privacy Act); and
  • a National PIA under state and territory privacy regimes.1

The PIAs were undertaken to inform the decision of Commonwealth, state and territory government Ministers to expand the DVS Commercial Service at the Council of Australian Government’s Law Crime and Community Safety Council (LCCSC) meeting on 4 July 2014. The expanded DVS Commercial Service commenced on 31 March 2015.

The PIAs identify some potential privacy risks associated with expanding private sector access to the DVS, but indicate that these risks are speculative in nature. The Commonwealth PIA made a number of recommendations to address the privacy impacts of expanding DVS access. The National PIA found that these recommendations would be sufficient to manage any privacy impacts under state and territory legislation.

This paper outlines AGD’s response to the recommendations of the PIAs. This response is reflected in the revised DVS Commercial Service Access Policy (Access Policy) and supporting DVS Commercial Service Access Guidelines (Access Guidelines) and should be read in conjunction with those documents.

AGD agrees in-principle with the intent of all the PIAs’ recommendations. In some cases, however, AGD has chosen to implement the intent of these recommendations in different ways to those recommended by the PIAs. This position is informed by the following observations.

Firstly, the obtaining of consent (both express and informed) is a contractual requirement of DVS Users in conducting DVS information matches. In many cases this is over and above DVS Users’ legal requirements under the Privacy Act. The Privacy Act does not require consent for the collection of personal information where this is reasonably necessary for the organisation’s functions or activities.

Secondly, we note that some of the recommendations relate to organisations’ broader privacy obligations as entities subject to the Privacy Act (APP entities). The Privacy Act regulates business with a turnover of more than $3,000,000 per annum by imposing obligations as APP entities, and by empowering the Office of the Australian Information Commissioner (OAIC) as a regulator. As such, responsibility for assessing a DVS User’s privacy compliance rests with the organisation itself and the OAIC, rather than AGD.

Nevertheless, AGD recognises that it is good privacy practice for organisations to implement privacy by design principles, that is, to build effective privacy controls into their policies, projects and systems. To encourage a ‘privacy by design’ approach, AGD has developed controls to ensure that commercial DVS Users comply with the Privacy Act, insofar as it relates to their use of the DVS, through auditing processes, contractual terms and conditions and DVS Access Policy and Access Guidelines.

Finally, expanded private sector access to the DVS brings broader benefits for the Australian community, businesses and governments, including the promotion of privacy. The PIAs themselves indicate that the DVS is less intrusive from a privacy perspective than alternative methods of identity verification as businesses no longer have a need to make copies of identity documents. Moreover, expanded access helps to combat identity crime by allowing more organisations access and use the DVS, mitigating the risks of relying on fraudulent identity documents. ID crime is recognised by all Australian governments as a major invasion of privacy.2

Recommendation 1

Response: Agree

Compliance with the Privacy Act continues to be a contractual requirement for private sector DVS users. Users without automatic coverage under the Act are required to formally opt in through the mechanism provided by s 6EA of the Privacy Act and the Privacy Commissioner. This opt-in mechanism will obligate Users to adhere to the Privacy Act and be regulated by the Privacy Commissioner.

Recommendation 2

Response: Agree

AGD respects the privacy rights of individuals and privacy considerations are at the forefront of the DVS design and operation. The current PIA process satisfies this recommendation.

The PIAs commissioned by AGD have examined the privacy impacts of expanding private sector DVS access under Commonwealth and state and territory privacy regimes respectively. These PIAs were developed in consultation with DVS and other government agencies from all jurisdictions. Two PIAs about the DVS that were previously undertaken in 2007 and 2012 have been published on AGD’s website.

Recommendation 3

Response: Agree

Such reviews will be included as part of the DVS governance arrangements.

Recommendation 4

Response: Agree

All private sector DVS users are required to comply with the Privacy Act 1988 (Cth) including APP 9.2(a) (see response to Recommendation 1). The Access Policy provides that a prospective user must be able to use a government related identifier under APP 9.2 before the may apply to access the DVS Commercial Service.

The Business User terms and conditions require a prospective user to acknowledge APP 9.2 (a)-(c) and must self-assert their compliance with APP 9.2 as part of the application process for DVS access. It is a contractual requirement for Gateway Service Providers to confirm that prospective users, at all times, meet and comply with the DVS Access Criteria.

Recommendation 5

Response: Agree in-part

The new DVS Access Policy contains criteria for granting DVS access based on the language of APP 9.2 and the OAIC’s Australian Privacy Principles Guidelines. The Access Policy is supported by the DVS Access Guidelines to help applicants understand their obligations.

AGD does not consider that the third criterion should be expressly included in the Access Policy. While this criterion appears to be related to the law enforcement exception under APP 9.2(e), it is unlikely that there will be any organisations that will apply for access to the DVS for such a purpose. This does not mean that organisations which meet APP 9.2(e) cannot access or use the DVS. All organisations which meet APP 9.2 may apply to use the DVS.

Recommendation 6

Response: Agree

AGD agrees that use of the DVS should be subject to an appropriate risk-based compliance regime, that any data security or privacy breaches should be reported by the affected entity to the relevant regulatory authorities, and that all users will be subject to internal contractual remedies where appropriate. AGD is currently implementing an enhanced risk management and compliance regime, which includes targeted auditing, enhanced monitoring, and spot-checks of DVS users.

Under contractual terms for DVS access, any privacy or security breaches that involve use of the DVS must be reported to AGD as the DVS Hub Manager. Failure to report such an incident, or to respond appropriately to such an incident, may result in suspension or termination of DVS access. A breach of the DVS terms and conditions of use may result in legal action being taken by the relevant Gateway Service Provider (GSP) or AGD.

Privacy breaches by DVS user organisations that do not involve use of the DVS should be reported to the OAIC or other relevant state and territory privacy regulator. As the DVS Hub Manager, AGD will act promptly on any report of a data security or privacy breach by a DVS user organisation that it receives from the OAIC or other relevant state and territory privacy regulator. This may include considering suspension or termination of DVS access.

In more serious cases, misuse of the DVS may also involve offences under the Commonwealth and/or state and territory criminal laws. Where any criminal conduct involving use of the DVS is suspected, the matter will be referred to the relevant law enforcement agencies.

Recommendation 7

Response: Agree in-principle

AGD agrees that it is important for individuals to able to lodge complaints about potential misuse of the DVS. However, AGD does not agree that it should manage the complaints process.

This recommendation replicates an existing legal requirement imposed on all APP entities, who must take reasonable steps to enable them to deal with inquiries or complaints from individuals (APP 1.2).

As APP entities, AGD, Commonwealth user agencies, Commonwealth issuing agencies, private sector users and GSPs are responsible for maintaining their own complaints processes. Responsibility for enforcing the complaints process for APP entities rests on the privacy regulator, the OAIC.

Most state and territory issuing agencies are bound by similar requirements under their respective state and territory privacy regimes and, where a privacy regime exists, are regulated by their respective privacy regulator.

Additional complaints mechanisms are also available through relevant agency or industry oversight bodies (such as Ombudsmen).

Details of these complaints processes should already be reflected in the privacy policies of DVS User organisations and GSPs, as required by APP 1.

Recommendation 8

Response: Agree

The National Identity Security Coordination Group (NISCG) has developed a robust audit and compliance regime which will regularly review the DVS Commercial Service taking into consideration complaints received.

Recommendation 9

Response: Agree in-principle

AGD agrees that DVS users should be required to gain individuals’ informed consent before any DVS checks of their personal information are undertaken. The requirement to obtain consent (informed and express) is currently included in DVS business user contracts.

The current contractual requirements for informed consent are augmented by the DVS Access Guidelines, which include suggested wording for a consent notification along the lines of that suggested by the PIA.

The Access Guidelines, not the DVS business user contract, are the appropriate place to include such details. This is because of the diversity of DVS Users’ business models and their interactions with individual clients, and AGD’s preference to avoid dictating Users’ business processes.

Additionally, AGD requires any organisations using their own wording to submit it to AGD as the DVS Hub Manager for approval before it may be used.

Recommendation 10

Response: Agree in-principle

AGD agrees that DVS users should notify a person of the consequences of not being able to verify a person’s identity to the satisfaction of the organisation. However, AGD does not agree that this should be a contractual requirement. Instead, AGD will be including the wording suggested in Recommendation 10 in the DVS Access Guidelines.

APP entities are already required to notify an individual of the main consequences (if any) for the individual if all or some of the personal information is not collected by the APP entity (under APP 5.2(e)).

AGD notes that the DVS is just one tool assisting organisations to make a decision on a person’s identity.

Decisions about whether and when it is necessary to verify a person’s identity—and the consequences for the person of not being able to verify their identity—are matters for individual DVS User organisations (and their relevant regulatory agencies). This is separate to any decision to use the DVS.

Recommendation 11

Response: Agree

AGD agrees that it is important for individuals to be able to correct information about them held by government agencies. AGD will include available contact details for DVS issuing agencies on the DVS website (

AGD notes that the primary obligation for making this information available rests with APP entities under:

  • APP 5.2(g), which places an obligation on APP entities to notify an individual that the privacy policy of the APP entity contains information about how the individual may access the personal information about the individual that is held by the entity and seek the correction of such information, and
  • APP 12, which places an obligation on APP entities which hold personal information about an individual, to, on request by the individual, give the individual access to the information, unless certain exceptions apply.

These requirements extend more broadly than the operation of the DVS. Access to and correction of personal information is a matter for individual agencies and the relevant privacy regulators.


  1. Privacy Impact Assessment addressing the privacy impacts of greater private sector access to the DVS and National Privacy Impact Assessment addressing the privacy impacts of greater private sector access to the DVS.
  2. Intergovernmental Agreement to a National Identity Security Strategy (2007).