Direction under s. 41(1) of the Privacy and Personal Information Act (the PPIP Act)

Interpretation

In this Direction:

“DFAT” means Commonwealth Department of Foreign Affairs and Trade

“DIMIA” means Commonwealth Department of Immigration and Multicultural and Indigenous Affairs

“DVS” means Document Verification Service

“POI” means proof of identity

“PPIP Act” means Privacy and Personal Information Protection Act 1998

”RTA” means NSW Roads and Traffic Authority


Background

The Australian Government is investigating the feasibility of a DVS as one element of a comprehensive package of initiatives under the National Identity Security Strategy announced on 14 April 2005. See:

http://www.ag.gov.au/agd/WWW/MinisterRuddockHome.nsf/Page/Media_Releases_2005_Second_Quarter_14_April_2005_-_National_ID_Security_Initiative_to_protect_Australians_

The DVS will utilise an online computer system to verify the accuracy of details contained on key documents (including NSW drivers’ licences), which are presented by customers as POI when enrolling for services or benefits at an authorised agency.

Information will be sent via a secure communications pathway and will be verified with a yes/no response indicating whether the information provided is identical to the information on the document at the time it was issued.

Information passing through the DVS will not be stored but a log of traffic through the DVS will be maintained for auditing purposes.

A DVS prototype will run through early 2006, to inform decisions about the cost-benefit and technical feasibility of a larger scale service. The prototype will verify the details of a sample of POI documents (including NSW drivers’ licences) presented to DFAT for passport applications and to DIMIA for citizenship applications.

Details to be verified from the NSW drivers’ licences during the prototype are: the licence number, state of issue, first, middle and last name and date of birth (day, month and year). Information sent from the RTA via the DVS will comprise a yes/no response for verification of these details.


Public Interest

The DVS prototype will assist government agencies in introducing more rigorous client identification practices, including background checks on customer identity. Applicants to DIMIA and DFAT currently sign a declaration authorising these Departments to verify the details of POI documents provided as part of their application. The prototype will enable online document verification between Commonwealth and New South Wales government agencies instead of relying on manual checks, allowing DIMIA and DFAT to exchange personal information with the RTA (a NSW government agency), which is not covered by the current applicant declaration authorising verification.

The DVS process should assist measures designed to reduce instances of identity fraud or identity theft. A significant issue related to these types of activities is the production and use of false identity documents.

I am satisfied that the public interest in making this direction outweighs the public interest in requiring the RTA to comply with the relevant Information Protection Principles, referred to in the provisions set out below.


Coverage

This Direction applies only to the accessing of information through the RTA computer system, and the collection, use and disclosure of personal information by the RTA from DFAT and/or DIMIA solely for the purpose of enabling the RTA to assist in the verification of the validity of identity documents produced to DFAT for passport applications and to DIMIA for citizenship applications.


Provisions

1. If the RTA collects personal information from DFAT and/or DIMIA for the purpose of verifying the validity of the data provided by individuals using drivers’ licences as POI, then the RTA need not comply with sections 9,10, and 11 of the PPIP Act.
   
   
2. If the RTA uses personal information it holds relating to drivers’ licences to confirm the correctness, or otherwise, of data, which has been presented to DFAT for passport applications and/or to DIMIA for citizenship applications, the RTA need not comply with section 17 of the PPIP Act.
   
   The personal information used by the RTA for the purposes of this provision will consist of the drivers’ licence number, state of issue, first, middle and last name of an individual, and the date of birth (day, month and year).
   
   
3. If the RTA discloses personal information it holds in the form of a ‘yes’ or ‘no’ response to DFAT and/or to DIMIA in order to verify a licence number, state of issue, first, middle and last name and date of birth (day, month and year), the RTA need not comply with section 18 of the PPIP Act.
   
   
4. The provisions of paragraphs 1,2,3 and 4 of this Direction are not intended to override and do not override any other legal requirement dealing with the collection, use or disclosure of personal information by a relevant agency.
   
   Note: For example, this Direction does not override secrecy or confidentiality provisions in any other relevant Act.
   
   
5. This Direction does not apply to “health information” as defined in section 6 of the Health Records and Information Privacy Act 2002 (the HRIP Act).