Michaelia Cash (WA, Liberal Party, Shadow Minister for Employment and Workplace Relations) Share this | Link to this | Hansard source

I rise to speak on the Identity Verification Services Bill 2023 and the Identity Verification Services (Consequential Amendments) Bill 2023. This legislation came forward in strange circumstances and was rushed into this place without warning.

No-one knew it was coming, and certainly a major stakeholder in this area, that I had spoken to some time ago, was not aware that this legislation was coming; it was a shock to them. And it left many questions unanswered. But what it does do is deal with something very fundamental: the Document Verification Service that underpins the operation of many of our anti-money-laundering and counterterrorism-financing laws, and it also deals with like services.

As we made clear in the other place, we have no fundamental objection to putting those services onto a statutory footing. Let's go through, though, what those services are.

The Document Verification Service has been in operation since at least 2009 and open to the private sector since 2014. It is used by the Commonwealth, by state and territory government agencies and by the private sector to confirm that the details on a person's identity document, such as a driver's licence or passport, match the original record held by the government. The Face Verification Service allows a person's face to be biometrically matched to their driver's licence or passport photo. The Face Verification Service is currently in use and only used by Commonwealth agencies—for example, to set up a myGov account. The Face Identification Service will be a service which enhances law enforcement—in particular, in relation to undercover police—and will crossmatch photos biometrically against driver's licence photos to find potential matches. The Face Identification Service will be used solely to protect lawfully assumed identities. The driver's licence photos are provided by states and territories through a database called the National Driver Licence Facial Recognition Solution.

As I have already indicated, the coalition has never had an in-principle concern with putting these services on a legislative basis. The coalition is now in a position where we, on this side, can support the legislation, because of the very significant concessions that have been made by the government.

In that regard, I want to particularly call out the work of Senator Scarr. Senator Scarr led the coalition efforts in the inquiry into this bill, and his excoriating additional comments make clear that, as it was presented to the parliament, there were very significant shortfalls in the bill that the Attorney-General of Australia wanted us to agree to. Senator Scarr called for the bill to be rewritten to address his significant concerns.

I am pleased that the government has taken up Senator Scarr's work and has seen it as a wake-up call to indeed remedy the deficiencies that were in the bill that were initially presented to the parliament. In fact, in the wake of Senator Scarr's work, the Attorney-General's office reached out to engage with us on the passage of this bill. The approach was certainly late, but it was welcome. The Attorney-General and I have since exchanged letters about the basis upon which this bill should proceed. The Attorney-General has agreed to implement, as Senator Scarr had set out in his dissenting report, every one of the 11 substantive recommendations in the committee report. The Attorney-General has also agreed to the further changes that the coalition, both Senator Scarr and I, have requested.

The many changes that have been agreed, and the supporting work around the edges, have improved this legislation. The legislation is now in a position where the coalition can support it.

David Shoebridge (NSW, Australian Greens) Share this | Link to this | Hansard source

The Identity Verification Services Bill 2023 and the Identity Verification Services (Consequential Amendments) Bill 2023 were rushed through by the government, for reasons that they have still not come clean about. The conclusion that pretty much every stakeholder has drawn is that the current identity verification services procedure is unlawful, and, in the absence of any statutory underpinning, is open to legal challenge.

Unless that's is resolved rapidly by the government, they face, potentially, significant civil damages claims—potentially aggravated by the fact that they continue to operate a service knowing full well that it is unlawful, and in breach of, amongst other matters, the privacy laws. It would be useful, in terms of a frank exchange with the government if they would tell us, and also tell the Australian public. That kind of frankness should be expected from the government, particularly for service that's used some 120-odd million times a year and which involves the intimate personal details of pretty much every adult Australian. But we don't have that degree of transparency and clarity from the government, and I think that that's unfortunate, to say the least.

I commend the various stakeholders who engaged with the Senate inquiry into the Identity Verification Services Bill 2023 and who spent countless hours pointing out the deficiencies in the government's initial draft—the huge privacy gaps in the initial draft and the deeply problematic nature of its drafting. There were things as obvious as allowing implied consent when, on any valid privacy principle, if you're talking about sharing your biometric or other personal data, clearly, express consent is needed. There were things like ensuring clarity of drafting. There were very real and significant concerns about the bill, as drafted by the Attorney-General, and initially introduced into the parliament. That's why there were some 12 recommendations by the Legal and Constitutional Affairs Legislation Committee, ranging from ensuring that breaches of participation agreements can be dealt with properly through to ensuring that something as obvious as participation agreements be privacy-enhancing and consistent with Australia's privacy principles; ensuring that an entity's legal obligations under privacy laws can't be watered down by agreements entered into under the scheme; ensuring that there are rule-making powers to actually enhance the privacy elements in the bill; and ensuring that there be an interim review—an urgent interim review—within 12 months of operation.

When dealing with such important issues as the private details of millions and millions of Australian citizens—details which are essential for obtaining financial services or for accessing the many essential services we now require through online activity, it's remarkable that the bill, as initially drafted, failed to deal with all of that. We had the benefit of incredibly detailed submissions from entities such as UNSW's Allen's Hub for Technology; Digital Rights Watch—and I particularly want to highlight the clarity of the evidence from Ms Lizzie O'Shea; the Law Council of Australia; the Australian Human Rights Commission; and the Human Technology Institute at UTS. It would also be wrong not to give a shout-out to Professor Ed Santow for the help he gave to the committee in his evidence.

The government having received not just the majority report but the excellent dissenting report from Senator Paul Scarr—which, I have to say, grappled with the complex evidentiary and legal issues and set out a roadmap for reform of the bill—and evidence from critical stakeholders, thankfully we now see a raft of amendments from the government that make this bill passable. It's far from perfect but probably, on balance, it's passable.

But that's not what the sector wants. It may be what the financial sector, the Australian Banking Association and the Attorney want, but it's not what the engaged stakeholders in the privacy space want. What they want is consistency in privacy laws. What they want is a set of privacy laws that will stand the test of time. One of the most extraordinary things about this little legislative venture from the Attorney-General was that, whilst the Identity Verification Services Bill 2023 was working through one track with very inadequate privacy protections in it—no doubt they would have been cutting-edge in 1983 but they don't cut the mustard in 2023—the draft Digital ID Bill 2023, which had substantially higher privacy protections, was going through under another minister. There was a draft digital ID bill out on public exhibition with substantially higher privacy protections. They were much closer to what you'd expect in 2023 in the draft Digital ID Bill, which was out on consultation at the same time as the government was trying to force through the Identity Verification Services Bill. The stakeholders said to do them together—do them once and make them coherent. For that reason, we have a second reading amendment that aims to do just that—to defer this bill until we can have a coherent set of privacy reforms and do the two bills together as core business in the first half of next year. If that doesn't succeed, then we will with some reluctance support the bill, but only because of the very significant amendments that have been drafted.

I raise one significant issue that we would normally address in committee but that, given the guillotine motion that's been moved today, there won't be an opportunity for—that is, the Greens amendments to prohibit the identity verification system from collecting or disseminating protected information. Protected information is information about an individual's health, criminal record, membership of a professional or trade association, membership of a trade union, racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, or disability status. For the Greens, this is a critical amendment. Information of this nature should never find its way into a federal database about us. We'll be moving amendments to expressly prohibit this information being captured or disseminated through the identity verification services process, and we would expect wholehearted cross-party support for those amendments.

We understand that the government won't support them, because they say that there's a policy in place, that they don't collect this stuff about us now, and that this bill isn't really about limiting what information we can use; it's just about making it happen. That bells the cat for us. That raises concerns for us. There should be clear legal constraints preventing critical information, which we've outlined in our amendments, ever being collected under this system, held by the government and distributed under this system.

We would urge members in this chamber to have close regard to those amendments and think, 'Do I want the next government to be collecting this information about us?' Do you want to have the protections just founded under policy which can be changed from Attorney-General to Attorney-General? Why not make it clear in black and white that this is information the government should not be collecting about us, should not be storing about us and should not be disseminating about us. I note the time, and I know other senators have contributions, so I'll conclude my observations there. I move a second reading amendment:

Omit all words after "that", substitute "further consideration of this bill be postponed until the Government's comprehensive privacy reforms are available to ensure the best possible privacy protections are in place for personal information".

Paul Scarr (Queensland, Liberal Party) Share this | Link to this | Hansard source

I will speak very briefly on the Identity Verification Services Bill 2023 because I know other senators want to speak, and there's not much time to speak. I will make three points.

The first point is in relation to timing of the process. The Law Council of Australia said:

It is troubling that such a short reporting period has been imposed on this inquiry, providing a little over two weeks for stakeholders to make submissions about a proposed legislative framework for identity verification services …

… … …

The Law Council is concerned that the timeframe for this inquiry does not reasonably enable the Committee to carefully scrutinise whether the Bills strike the correct balance.

It is very disturbing when the Law Council of Australia makes that comment with respect to a process.

The second point I will make is again a quote from the Law Council of Australia. I think the government needs to reflect on this as it takes forward its review of the Privacy Act and also of the Digital ID Bill. The Law Council said:

As a general comment, the fragmented approach to privacy and data reform that is illustrated by these bills is not conducive to promoting harmonisation and clarity across Australia's digital identity, privacy and identity verification frameworks. The Law Council reiterates its call for a roadmap of the harmonisation of Australia's privacy and data laws to ensure the development of a national privacy framework that is consistent, clear and accessible.

The government would do well to heed those words. My colleague Senator Shoebridge, who makes an outstanding contribution on the Legal and Constitutional Affairs committees on which I serve with him, raised the issue of consent. Can I just say that expressed consent is one thing, but it also can't be Hobson's choice. It's got to be a real choice for people with respect to these matters.

The last point is to thank the members of the Attorney-General's Department for their work in relation to the bill. There were a lot of amendments that had to be made in a short period of time, and it was a pleasure to engage with them through the committee process, so thank you very much. I acknowledge Senator Anita Green for her chairing of the Legal and Constitutional Affairs Legislation Committee. We have robust debate, but she always chairs it very well. Lastly, I would like to acknowledge the input from Ms Shohini Sengupta, of the University of New South Wales Allens Hub for Technology, Law and Innovation, and also Ms Olga Ganopolsky, the chair of the Privacy Law Committee of the Business Law Section of the Law Council of Australia.

Malcolm Roberts (Queensland, Pauline Hanson's One Nation Party) Share this | Link to this | Hansard source

One Nation strongly opposes the Identity Verification Services Bill 2023. Here's why. The Albanese government's great mate, Blackrock boss Larry Fink, and predatory billionaires at the World Economic Forum are fond of the phrase 'you will own nothing and be happy'. What they really mean is that they will own everything and you will comply. Why would people voluntarily enslave themselves, give up their homes, cars and household goods and lose the right to travel freely, I hear you ask. The answer is that people will not be given a choice. They will be coerced—forced into it. That's the purpose of this government's triad of tyranny. First is the Identity Verification Services Bill 2023, which will normalise and allow the use of biometric data to locate and track citizens. Second is the Digital ID Bill 2023, which will force every Australian into having a digital ID. Third is the Misinformation and Disinformation Bill 2023, which will ensure media and social media only carry government sanctioned opinions; the government will be exempted and can be free to spread misinformation and disinformation.

Biometric data is your face turned into a data file based on your physical characteristics. It allows for faster and more accurate identification. They will capture your face. The national drivers licence database is being upgraded to become the repository of your master identification record, which is already used to establish your identity with a paper check. Now it will have a facial scan.

Australians do not need to consent in a meaningful manner. The bill currently uses the word 'consent' without definition. Consent can be implied. Here's an example. If a person sees a video of themselves on a self-service check-out at the supermarket and uses the check-out anyway, it's considered implied consent. The government has accepted that implied consent is no consent at all and has upgraded the reference to 'consent' in their amendment on sheet UD100 to 'explicit consent'. That isn't good enough either. Explicit consent can be provided as blanket consent. An example would be MasterCard changing their terms and conditions to allow for facial recognition whenever their card is used. Once the card owner gets the email saying, 'We have updated our terms and conditions. Click here to approve,' and people click without reading it, one of those new terms could be permission for facial recognition. Did you give consent? No.

Banks currently record the image of anyone using their ATMs and then use that in the case of a fraudulent transaction. Banks will update their terms and conditions to give themselves the right to run your biometric verification on each occasion before allowing access to your account. Refusing the new permission gives your bank or card company the right to refuse service. It's that simple. It's blackmail. This is why the government suggesting a digital ID or biometric data check will be voluntary is a complete lie. It's compulsory, because not agreeing means you lose your bank account or payment card or service—just as those voluntary COVID injections were compulsory if you wanted to keep your job and your house and feed your family.

I foreshadow an amendment in the committee stage on sheet 2327 to change the definition of 'explicit' to 'active', meaning on each occasion your face is to be scanned they must ask permission before they scan it and make sure they get your permission each time. That's active consent. This should be supported, because the government already says Australians will have to consent to their biometric data being used—unless, of course, that was misinformation.

This bill does not offer a direct link between the authentication action at a check-out, office, airport et cetera and the master file. A government hub receives a request and pulls the master file, meaning only the government has access to the master file. This seems to look acceptable, yet it means there's a master file with 17 million records containing name, address, telephone, date of birth, drivers licence number, passport number and a biometric identification file all sitting in the same database. That's all the information necessary to steal someone's ID and impersonate them online—a hacker's paradise.

Robodebt proved that our bureaucrats are incapable of even a simple one-to-one database match, and now they're being trusted to pull this off. It's impossible without a high level of compulsion and without completely ignoring victims of software or data-matching errors. If the look-up fails, then your purchase, travel, document, signing or whatever other use fails. If the purchase was for petrol, your family could be stranded late at night. We might as well start the royal commission now.

Downstream from the big government database are what I call intermediaries or entities with participating agreements. There are 20 of these so far. Their role is to take a request for authentication from a bank or card processor, solicitor, real estate agent, airline—anyone needing you to prove you are who you say you are—and submit that to the national drivers licence database hub to run past the master database. In the original bill there were no effective checks and balances on those businesses. The government's amendment of its own bill has added a few checks and balances to ensure that intermediaries must delete data received as part of the verification process. Thank you, Minister Gallagher. That, taken together with my amendment to make the level of consent clear, takes some of the potential abuse out of the bill. A clear privacy statement would have helped. The government have promised they will do that later. There are trust issues around that promise.

Questions remain around the New South Wales government's comment that this bill will allow them to verify that every person detected driving a car past a surveillance camera has a drivers licence.

The only way this can be achieved is if every driver is scanned every time they pass a detection camera and their image is compared to the national database. Does this mean those cameras going up around Australia are just the right height to scan the driver's face and that the cameras will be used to scan and verify your identity each time you pass one? Yes, it does. Before they work out who you are and whether you have a licence, they have to scan and verify your biometrics. It's the only explanation for the New South Wales government's comment.

For those listening to this with incredulity, I remind you that this is exactly the system now in place in London, with Lord Mayor Khan's ULEZ, Ultra Low Emission Zone, and in Birmingham, Manchester and other cities in Britain. It's really the World Economic Forum's 15-minute cities happening right now. Residents are locked into their zone and can only leave a certain number of times a year. This is happening in Britain. That depends on the make and model of the car you drive. If you drive a car they don't like, you can't move. Rich people who can afford electric cars can, of course, come and go as they please. Everyday citizens are locked in or, when they leave, the cameras detect them leaving and fine them on the spot. It's a fine of 180 pounds a week for leaving over seven days. That's in Britain now. Already it has raised hundreds of millions of pounds because people will pay for freedom. Look it up. Don't just trust me: look it up. There are fines for not registering with the system and fines for breaching the 15-minute limits. It's a virtual fence. It's like an electric dog collar. It's the foundation for a social credit system to completely control people's lives. So don't tell me this is a conspiracy theory. It's real and it's happening now in our mother country.

Cash is necessary to ensure these measures are ameliorated as much as possible, which is why the globalist wing of the Liberal Party tried to ban cash in the last parliament, which One Nation defeated. It should be obvious that predatory, parasitic billionaires and some of their lackeys in the Labor and Liberal Party are getting their ducks in a row because they want to be ready for the full implementation of their globalist masters' control agenda, exactly as they promised. It's not like they're hiding any of this. When they tell us what they're going to do, listen.

Remember this government's triad of tyranny. Already entered into parliament is the Identity Verification Services Bill 2023 to normalise and allow the use of biometric data to locate and track citizens. Here it is. There's the Digital ID Bill 2023 to force every Australian into having a digital ID. There's the misinformation and disinformation bill 2023, which will ensure media and social media only carry government sanctioned opinions, and the government is exempted. I implore the Senate to vote against this bill and to reject this bill. This is the first of three bills necessary to turn Australia into the world's first World Economic Forum digital prison.

Matthew Canavan (Queensland, Liberal National Party) Share this | Link to this | Hansard source

Senator Roberts has rightly outlined the serious concerns with privacy in the Identity Verification Services Bill 2023 that were similarly outlined to the Senate committee on this bill. Digital rights campaigners are aghast at the government, which is proceeding with this massive expansion of a surveillance state without introducing related reforms to the Privacy Act that would protect people's data when it's centralised with a government that will be unaccountable now because of these changes.

Nothing demonstrates more why we should oppose this bill tonight than that the government has allotted the sum total of 30 minutes for debate. One of the most significant pieces of legislation to come before our parliament this year, massively expanding the amount of power and surveillance the state has over Australian citizens and individuals, has been given the sum total of 30 minutes for debate. I will not get to make the normal 15-minute contribution here because I rose with just one minute left on the clock. The government is trying to gag any opposition to this bill because it cannot defend why it needs to collect so much data on law-abiding Australian citizens in this country.

Jess Walsh (Victoria, Australian Labor Party) Share this | Link to this | Hansard source

Senators, in accordance with the resolution agreed to earlier today, the time for consideration of the Identity Verification Services Bill 2023 and a related bill has expired. After I have put the question before the chair, I will then put the questions on the remaining stages of the bills. The question is that the second reading amendment on sheet 2158, moved by Senator Shoebridge, be agreed to.

Question negatived.

David Shoebridge (NSW, Australian Greens) Share this | Link to this | Hansard source

by leave—We don't want a division on this, but we want our position recorded.

Malcolm Roberts (Queensland, Pauline Hanson's One Nation Party) Share this | Link to this | Hansard source

by leave—Could I have my name recorded as supporting the Greens' amendment on sheet 2158 please.

Jess Walsh (Victoria, Australian Labor Party) Share this | Link to this | Hansard source

The question now is that these bills be now read a second time.

Question agreed to.

Bills read a second time.

I will now deal with the Committee of the Whole amendments, starting with the amendments circulated by the government. I understand the minister has documents to table.

Katy Gallagher (ACT, Australian Labor Party, Minister for the Public Service) Share this | Link to this | Hansard source

I table a supplementary explanatory memorandum relating to the government amendments to the bill.

Jess Walsh (Victoria, Australian Labor Party) Share this | Link to this | Hansard source

I will first deal with the Committee of the Whole amendments to the Identity Verification Services (Consequential Amendments) Bill 2023 on sheet UD100. The Australian Greens have circulated amendments to government amendments (31) and (35). The question is that the Australian Greens amendments on sheet 2326 to government amendments (31) and (35) be agreed to.

Australian Greens' circulated amendments—

(1) Amendment (31), omit the amendment, substitute:

"(31) Clause 36, page 41 (lines 16 to 18), omit "A review of the operation of this Act and the provision of identity verification services must be started within 2 years. A report of the review must be tabled in Parliament.", substitute "An interim review and review of this Act must be conducted."."

(2) Amendment (35), subclause 43(1A), omit "as soon as practicable after 12 months, and before the end of 2 years,", substitute "within 12 months".

(3) Amendment (35), after paragraph 43(1B)(a), insert:

(aa) any other law of the Commonwealth that regulates privacy, facial recognition or biometric data, to the extent that the other law is relevant to this operation of this Act; and

Question negatived.

Pauline Hanson's One Nation have circulated amendments to government amendments (8) and (27).

The question is that the Pauline Hanson's One Nation amendments on sheet 2327 to government amendments (8) and (27) be agreed to.

(1) Amendment (8), omit the amendment, substitute:

"(8) Clause 9, page 16 (line 32), omit "consent to", substitute "active express consent to each instance of"."

(2) Amendment (27), omit the amendment, substitute:

"(27) Clause 35, page 39 (line 20), omit "consented to", substitute "actively and expressly consented to each instance of"."

Jess Walsh (Victoria, Australian Labor Party) Share this | Link to this | Hansard source

The question now is that the government amendments on sheet UD100 be agreed to.

Government's circulated amendments—

(1) Clause 2, page 2 (lines 2 to 9), omit subclause (1), substitute:

(1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

(2) Clause 3, page 3 (after line 4), at the end of the clause, add:

Note: The objects in paragraphs 3(a), (b) and (d) are authorised and provided for by Parts 2, 3 and 5. In accordance with the object in paragraph 3(c), Part 4 prohibits the use or disclosure of, or access to, identification information, unless it is in accordance with the objects of this Act or in other limited circumstances.

(3) Clause 4, page 4 (after line 21), after the paragraph beginning "Those requests", insert:

Part 4 of this Act prohibits the use or disclosure of, or access to, identification information, unless it is in accordance with the objects of this Act or in other limited circumstances.

(4) Clause 5, page 8 (lines 9 to 12), omit the definition of IGIS official.

(5) Clause 5, page 9 (lines 9 to 13), omit the definition of Ombudsman official.

(6) Clause 6, page 14 (after line 6), at the end of the clause, add:

Identification information taken to be personal information

(6) Identification information is taken to be personal information for the purposes of the Privacy Act 1988.

(7) Clause 7, page 15 (line 9), omit "consent", substitute "express consent".

(8) Clause 9, page 16 (line 32), omit "consent", substitute "express consent".

(9) Clause 9, page 17 (line 7), omit "consent", substitute "express consent".

(10) Clause 9, page 17 (line 23), at the end of subclause (2), add:

; and (g) the Department to notify each party to the agreement that is relevant to, or impacted by, a data breach of which the Information Commissioner is informed under paragraph (f); and

(h) each party notified under paragraph (g) of a data breach, that is impacted by that breach, to take reasonable steps to notify each individual to whom the identification information relates.

(11) Clause 9, page 17 (line 25), omit "consent", substitute "express consent".

(12) Clause 9, page 18 (after line 9), at the end of the clause, add:

(4) A participation agreement must provide that a party to the agreement is not authorised to use or disclose identification information obtained for the purposes of requesting or providing identity verification services for the purposes of any of the following:

(a) engaging in activities that would allow the party to create a data profile of the person whose identity is being verified (including where it would allow the person's behaviour to be tracked (whether or not online));

(b) offering to supply goods or services;

(c) advertising or promoting goods or services;

(d) enabling another person or entity to offer to supply goods or services;

(e) enabling another person or entity to advertise or promote goods or services;

(f) market research.

(13) Clause 10, page 18 (after line 33), after paragraph (2)(a), insert:

(aa) if the identity verification service is an FVS—to take reasonable steps to destroy each facial image of an individual that is created, for the purposes of the request, by the party requesting the service, as soon as reasonably practicable after the image is no longer required for the purposes of the request, unless the image is:

(i) a Commonwealth record (within the meaning of the Archives Act 1983); or

(ii) required by a law of the Commonwealth, a State or a Territory, or by an order of a court or tribunal, to be retained; and

(14) Page 19 (after line 12), after clause 10, insert:

10A Failure to comply with participation agreements

(1) This section applies if:

(a) a party to a participation agreement is subject to the Privacy Act 1988; and

(b) an act or practice of the party, relating to personal information about an individual, does not comply with a requirement of:

(i) the agreement in relation to a matter covered by section 9 or 10 (other than paragraph 10(1)(b)) of this Act; or

(ii) rules prescribed for the purposes of subsection 44(1A) of this Act.

(2) For the purposes of the Privacy Act 1988, the act or practice is taken to be:

(a) an interference with the privacy of the individual; and

(b) covered by sections 13 and 13G of that Act.

(15) Clause 12, page 19 (line 29), after "agreement", insert ", rules made for the purposes of subsection 44(1A),".

(16) Clause 12, page 19 (after line 30), at the end of the clause, add:

Note: Under subsection 44(1A), the rules may prescribe requirements relating to privacy with which a party to a participation agreement must comply.

(17) Clause 15, page 24 (line 6), omit "12 months", substitute "the period specified by subsection (3)".

(18) Clause 15, page 24 (after line 11), at the end of the clause, add:

(3) For the purposes of subsection (2), the period is:

(a) 12 months; or

(b) if the rules prescribe a longer period of up to 18 months for the purposes of this paragraph—that longer period.

(19) Clause 23, page 30 (line 5), omit "The Department", substitute "In accordance with the object of this Act covered by paragraph 3(a), the Department".

(20) Clause 26, page 31 (line 5), omit "The Department", substitute "In accordance with the object of this Act covered by paragraph 3(b), the Department".

(21) Clause 29, page 35 (before line 4), before the paragraph beginning "Current and former", insert:

An object of this Act is to protect identification information communicated to approved identity verification facilities, and certain other information relating to the use or security of those facilities.

This Act does this by prohibiting the use or disclosure of, or access to, identification information, unless it is in accordance with the objects of this Act or in other limited circumstances.

(22) Clause 29, page 35 (lines 20 and 21), omit "an IGIS official or Ombudsman official", substitute "an official of an integrity agency".

(23) Clause 29, page 35 (line 22), omit "consent", substitute "express consent".

(24) Heading to Division 2, page 36 (lines 1 and 2), omit the heading, substitute:

Division 2 — Prohibition on recording or disclosure of, or access to, information by entrusted persons

(25) Heading to clause 30, page 36 (line 3), omit the heading, substitute:

30 Prohibition on recording or disclosure of, or access to, information by entrusted persons

(26) Clauses 33 and 34, page 39 (lines 1 to 15), omit the clauses, substitute:

33 Information communicated etc. to integrity agencies

(1) An entrusted person may disclose protected information if:

(a) the disclosure is to any of the following persons:

(i) the Inspector-General of Intelligence and Security, or a person covered by subsection 32(1) of the Inspector-General of Intelligence and Security Act 1986;

(ii) the Commonwealth Ombudsman, or another officer (within the meaning of subsection 35(1) of the Ombudsman Act 1976);

(iii) the Information Commissioner, a member of the staff of the Office of the Information Commissioner, or a consultant engaged under the Australian Information Commissioner Act 2010;

(iv) the National Anti-Corruption Commissioner, or another staff member of the NACC (within the meaning of the National Anti-Corruption Commission Act 2022);

(v) the Inspector of the National Anti-Corruption Commission, or a person assisting the Inspector (within the meaning of the National Anti-Corruption Commission Act 2022); and

(b) the disclosure is for the purpose of that person exercising a power, or performing a function or duty.

(2) An entrusted person may make a record of or access protected information for the purpose of disclosing the protected information under subsection (1).

(27) Clause 35, page 39 (line 20), omit "consented", substitute "expressly consented".

(28) Clause 35, page 39 (line 30), omit "consents", substitute "expressly consents".

(29) Clause 36, page 41 (before line 4), before the paragraph beginning "The Secretary may delegate", insert:

An object of this Act is to provide for oversight and scrutiny of the operation and management of the approved identity verification facilities. This Part provides for that oversight and scrutiny, as well as dealing with other miscellaneous matters.

(30) Clause 36, page 41 (lines 10 and 11), omit "the operation and management of".

(31) Clause 36, page 41 (lines 16 to 18), omit "A review of the operation of this Act and the provision of identity verification services must be started within 2 years. A report of the review must be tabled in Parliament.", substitute "An interim review and review of this Act must be conducted, both of which must be started within 2 years of the commencement of section 43 of this Act.".

(32) Clause 40, page 43 (lines 13 to 15), omit paragraph (1)(a), substitute:

(a) assessing the approved identity verification facilities in relation to any act or practice of the Department during the financial year;

(33) Clause 40, page 43 (lines 17 to 22), omit subclauses (2) and (3), substitute:

(2) For the purposes of the Privacy Act 1988, an assessment under subsection (1) of this section is taken to be an assessment under paragraph 33C(1)(a) of that Act.

(34) Heading to clause 43, page 46 (lines 18 and 19), omit the heading, substitute:

43 Interim review, and review of this Act and provision of identity verification services

(35) Clause 43, page 46 (before line 20), before subclause (1), insert:

Interim review

(1A) The Minister must cause an interim review to be started as soon as practicable after 12 months, and before the end of 2 years,of the commencement of this section.

(1B) The interim review must consider the adequacy and operation of:

(a) the privacy protections contained in this Act; and

(b) the security requirements and obligations contained in this Act; and

(c) the penalties for non-compliance with obligations set out in participation agreements, including considering whether civil penalties should apply.

Review of Act and provision of identity verification services

(36) Clause 43, page 46 (before line 23), before subclause (2), insert:

Consultation, preparation and tabling of reports

(2A) The President of the Australian Human Rights Commission, the Human Rights Commissioner appointed under section 8B of the Australian Human Rights Commission Act 1986, and the Information Commissioner, must be consulted in relation to a review under subsection (1A) or (1).

(37) Clause 44, page 47 (after line 4), after subclause (1), insert:

(1A) Without limiting subsection (1), the rules may prescribe requirements relating to privacy with which a party to a participation agreement must comply.

Consultation on draft rules

(1B) Before making or amending any rules under subsection (1), the Minister must:

(a) cause to be published on the Department's website a notice:

(i) setting out the draft rules or amendments; and

(ii) inviting persons to make submissions to the Minister about the draft rules or amendments within the period specified in the notice (which must be at least 28 days after the notice is published); and

(b) if the rules deal with matters that relate to the privacy functions (within the meaning of the Australian Information Commissioner Act 2010)—consult the Information Commissioner; and

(c) consider any submissions received within the specified period.

(1C) The Minister may consider any submissions received after the specified period if the Minister considers it appropriate to do so.

Limitation on rules

(38) Clause 44, page 47 (before line 14), before subclause (3), insert:

Disallowance and sunsetting of rules

Question agreed to.

I will now deal with the amendments circulated by the Australian Greens.

The question is that the amendments on sheet 2157 revised be agreed to.

Australian Greens' circulated amendments—

(1) Clause 5, page 9 (after line 19), after the definition of protected information, insert:

restricted information of an individual means:

(a) health information (within the meaning of the Privacy Act 1988) about the individual; or

(b) information or an opinion about the individual's criminal record; or

(c) information or an opinion about the individual's membership of a professional or trade association; or

(d) information or an opinion about the individual's membership of a trade union; or

(e) other information or opinion that is associated with an individual and is prescribed by the rules; or

(f) information or an opinion about the individual's:

(i) racial or ethnic origin; or

(ii) political opinions; or

(iii) membership of a political association; or

(iv) religious beliefs or affiliations; or

(v) philosophical beliefs; or

(vi) sexual orientation or practices; or

(vii) disability status.

(2) Clause 23, page 30 (after line 11), at the end of the clause, add:

However, the Department must not collect, use or disclose restricted information of an individual in developing, operating and maintaining approved identity verification facilities.

(3) Clause 25, page 30 (line 27), at the end of the clause, add:

; and (c) not collect, use or disclose information that is restricted information of an individual.

(4) Clause 26, page 31 (after line 18), at the end of the clause, add:

However, the Department must not collect, use or disclose identification information that is restricted information of an individual for any of those purposes.

(5) Page 34 (after line 12), at the end of Division 2, add:

28A Collection, use and disclosure of restricted information of individuals

Despite sections 27 and 28, the Department must not collect, use or disclose identification information that is restricted information of an individual.

Jess Walsh (Victoria, Australian Labor Party) Share this | Link to this | Hansard source

I will now deal with the government amendment to the Identity Verification Services (Consequential Amendments) Bill 2023. The question is that the amendment on sheet UD102 be agreed to.

Government's circulated amendment—

(1) Clause 2, page 2 (table item 1), after "commencement of", insert "section 24 of".

Question agreed to.