Hundreds of millions of identity checks under the federal government’s ID verification service may have been illegally conducted, with the Albanese government rushing through legislation to underpin the service.
Identity verification services are used by government departments and businesses – such as credit card providers and power companies – to combat fraud and identity theft.
Legislation to allow the identity verification service was abandoned by the former Morrison government in 2019 after the parliamentary joint committee on intelligence and security recommended it be redrafted over concerns there were insufficient privacy safeguards for the proposal.
However, the service began operating and, four years on, the Albanese government has pushed through new legislation in the House of Representatives. It is now under review in the Senate.
Part of the rush, according to witnesses at the Senate inquiry on Monday, was that verification services linking up the state and territory ID systems to businesses carrying out ID checks appeared to have been operating without a legislative framework. This would make them illegal.
The Greens senator David Shoebridge asked the Digital Rights Watch chair, Lizzie O’Shea, if the speed at which the legislation was being pushed through parliament was to shield the government from unlawful practice of the service.
“I think there’s a real question about the legality of the scheme, and the haste is about protecting the government from liability,” O’Shea said.
In 2022 alone, the Document Verification Service was used more than 140m times by 2,700 public and private sector organisations. In the last financial year there were about 2.6m transactions of the Facial Verification Service by government agencies.
The Human Rights Law Centre senior lawyers Kieran Pender and David Mejia-Canales said in a submission to the inquiry that there was no evident federal legislative basis for either system.
“It is extraordinary that the Australian government is, it seems, presently using identity-verification services on a mass scale without a lawful basis. And it is all the more extraordinary that the Australian government would seek to rush through such important legislation, with minimal opportunity for parliamentary scrutiny, in these circumstances.”
When Shoebridge asked the attorney general’s department first assistant secretary, Tara Inverarity, whether the system had been operating to date unlawfully, she said she could not comment on legal advice, but said it was “highly desirable” for a legislative framework to be in place.
“We think there are extremely good reasons why the services that are being provided now should have appropriate legislative authority that provides parameters within which the services can be used that have been set by the parliament.”
Shoebridge said the legislation appeared to be rushed, not to protect privacy and data, but to protect the government from litigation.
after newsletter promotion
A spokesperson for the attorney general said the legislation provided clear legislative authority and privacy safeguards to the services.
Multiple submissions to the inquiry raised concerns that privacy issues were not adequately addressed in the bill, and questioned why it was being introduced and passed before the reform of the Privacy Act – which will not reach parliament until next year at the earliest.
“We have concerns about proceeding with the current bills [before the Privacy Act reforms]. We would say the better position would be to have all of those reforms dealt with at the one time so that we can have a harmonised position [on privacy],” the Australian Human Rights Commissioner, Lorraine Finlay, told the committee on Monday.
The former Morrison government’s proposed legislation would have allowed for one-to-one facial identification matching between driver’s licences and other photo IDs. It would also allow law enforcement to do one-to-many searches which would search the entire collection of IDs for a specific person, where that person might be unknown to police.
Under the new legislation, the one-to-many search has been limited just to law enforcement authorities that need to search for people either undercover or in witness protection, to ensure that their previous identity records can be scrubbed.
The Law Council of Australia said in its submission that it welcomed the restrictions but it remained concerned about law enforcement using other facial recognition services such as Clearview AI which would not be regulated by the proposed bill and lack their own legislative framework.
The committee is due to report back to parliament by 9 November.