Direction relating to the document verification service - NSW Registry of Births, Deaths and Marriages

Under this Direction the Registry may deal with personal information in ways which allow it to participate in the Commonwealth Government Initiative, the Document Verification Service. This Direction was renewed on 9 July 2009 and was valid for six months.

Direction under s. 41(1) of the Privacy and Personal Information Act (the PPIP Act)

This is a Direction under s. 41(1) of the Privacy and Personal Information Protection Act 1998.  It should be read in conjunction with that Act. 

Interpretation

In this Direction:

“DFAT” means Commonwealth Department of Foreign Affairs and Trade

“DIAC” means Commonwealth Department of Immigration and Citizenship formerly the Department of Immigration and Multicultural Affairs (DIMA)

“DVS” means Document Verification Service

“NISS” means National Identity Security Strategy

“POI” means proof of identity

“PPIP Act” means Privacy and Personal Information Protection Act 1998

“RTA” means NSW Roads and Traffic Authority

Background

The Australian Government sees the establishment of a National Document Verification Service (DVS) as a key component in its efforts to enhance procedures for verifying the integrity of key identity documents. It is intended that the DVS be accessible to all Australian, State and Territory government document issuing agencies to strengthen and enhance existing proof of identity (POI) processes and systems.

The DVS is one element of a comprehensive package of initiatives under the National Identity Security Strategy (NISS) announced on 14 April 2005.  The Council of Australian Government endorsed the NISS at its meeting in April 2007 see: http://www.coag.gov.au/meetings/130407/docs/coag130407.pdf

The DVS will utilise an online computer system to verify the accuracy of details contained in key documents (including NSW drivers’ licences), which are presented by customers as POI when seeking to obtain services or benefits from an authorised agency.

Information will be sent via a secure communications pathway and will be verified with a yes/no response indicating whether the information provided is identical to data recorded in the register in the relevant document issuing agencies.

Information passing through the DVS will not be stored but a log of traffic through the DVS will be maintained for auditing purposes.

A DVS prototype is expected to run through early 2008, to inform decisions about the cost-benefit and technical feasibility of a larger scale service.  The prototype will verify the details of a sample of POI documents (including NSW drivers’ licences) presented to the Department of Foreign Affairs and Trade (DFAT) for passport applications and to the Department of Immigration and Citizenship (DIAC) for citizenship applications.

Details to be verified from the NSW drivers’ licences during the prototype are: the licence number, state of issue, first, middle and last name and date of birth (day, month and year).  Information sent from the RTA via the DVS will comprise a yes/no response for verification of these details.

Public Interest

The DVS prototype will assist government agencies in introducing more rigorous client identification practices, including background checks on customer identity.  Applicants to DIAC and DFAT currently sign a declaration authorising these Departments to verify the details of POI documents provided as part of their application.  The prototype will enable online document verification between Commonwealth and New South Wales government agencies instead of relying on manual checks.  It will allow DIAC and DFAT to exchange personal information with the RTA (a NSW government agency).  This is not permitted by the RTA’s current applicant declaration.

The DVS process should assist measures designed to reduce instances of identity fraud or identity theft.  A significant issue related to these types of activities is the production and use of false identity documents.

I am satisfied that the public interest in making this direction outweighs the public interest in requiring the RTA to comply with the relevant Information Protection Principles, referred to in the provisions set out below.

Coverage

This Direction applies only to the accessing of information through the RTA computer system.  The Direction also only applies to the collection of personal information by the RTA (from DFAT and/or DIAC) and the RTA’s use and disclosure of personal information, when that collection, use and disclosure are solely for the purpose of enabling the RTA to assist in the verification of the validity of identity documents, which have been produced to DFAT for passport applications and to DIAC for citizenship applications.

Provisions

(1).  If the RTA collects personal information from DFAT and/or DIAC for the purpose of verifying the validity of the data provided by individuals using drivers’ licences as POI, then the RTA need not comply with sections 9, 10, and 11 of the PPIP Act.

(2).  If the RTA uses personal information it holds relating to drivers’ licences to confirm the correctness, or otherwise, of data, which has been presented to DFAT for passport applications and/or to DIAC for citizenship applications, the RTA need not comply with section 17 of the PPIP Act.

The personal information used by the RTA for the purposes of this provision will consist of the drivers’ licence number, state of issue, first, middle and last name of an individual, and the date of birth (day, month and year).

(3).  If the RTA discloses personal information it holds in the form of a ‘yes’ or ‘no’ response to DFAT and/or to DIAC in order to verify a licence number, state of issue, first, middle and last name and date of birth (day, month and year), the RTA need not comply with section 18 of the PPIP Act.

(4).  The provisions of paragraphs 1, 2, 3 and 4 of this Direction are not intended to override and do not override any other legal requirement dealing with the collection, use or disclosure of personal information by a relevant agency.

Note:  For example, this Direction does not override secrecy or confidentiality provisions in any other relevant Act.

(5).  This Direction does not apply to “health information” as defined in section 6 of the Health Records and Information Privacy Act 2002 (the HRIP Act).

Duration

This Direction will operate from 1 July 2007 until the end of the project.  This Direction replaces the Direction made on 4 July 2006.

Signed by me on this 19th of June 2007.

John Dickie
Acting Privacy Commissioner