1 Document Verification Service (DVS) Participation Agreement
2 Privacy Impact assessment
3 Annual Compliance statement
4 Overseas access
5 General
6 Face Verification Service (FVS)
7 Impacts to greenID or Cloudcheck service

Document Verification Service (DVS) Participation Agreement

The agreement submission date is the 30th April with commitment to execute agreements by 14th June. We have identified gaps and need to make changes. Given time constraints and competing priorities, what is the expectation around timing for compliance?

All terms of the participation agreement are in force from the execution of the agreement. Compliance with the agreement will be required from the date in which the agreement is executed.
The department’s priority is to ensure that users of the DVS are able to use the service in compliance with the participation agreement, the IVS Rules and the DVS Access Policy. The Framework Administrator acknowledges the challenge that users are experiencing in implementing the changes required under the new DVS Participation Agreements. Where non-compliance with the participation agreement is identified, the Framework Administrator will always in the first instance work with the user to support their efforts to remediate non-compliance. It is only when the Framework Administrator considers that these efforts are not seriously being undertaken that the Framework Administrator will explore its options for suspension or termination as set out in the DVS Participation Agreements

What is the Document Verification Service Business User Participation Agreement?

The Participation Agreement replaces your existing Business User Terms and Conditions with the DVS.

I didn’t get the Participation Agreement what do I do?

You will need to email the IVS Manager at IVS.Agreements@ag.gov.au to request the Agreement is sent to you.

I don't have my Participation Agreement number, can I still submit the agreement?

YES. Send your signed agreement to IVS.Manager@ag.gov.au for approval.

Where can I get a comparison of the old DVS Terms and Conditions and the new Participation Agreement?

Attachment B provided by the DVS provides an overview of the major difference between the two agreements.

Where do I submit my agreement?

You should submit your signed agreement via the DVS Noggin platform Noggin Public Forms

I am having problem uploading the agreement onto Noggin, what do I need to do?

Send your signed agreement to the IVS manager at IVS.Agreements@ag.gov.au

Does the new DVS Participation Agreement replace my existing DVS agreements?

YES. The new DVS Business User Participation Agreement replaces the existing DVS Business User Terms and Conditions.

What is the deadline for business users to sign the DVS Participation Agreement and what happens if the agreement is not signed by the deadline?

The Identity Verification Services Act 2023 (Cth) requires all users of the DVS to sign the Participation Agreement by 14 June 2025.
If you do not submit your signed agreement by 30 April 2025, DVS can not guarantee your agreement will be reviewed and approved by the cut of date.
Failure to sign and return the Participation Agreement in adequate time for the DVS to review and approve your application will result in connection to the DVS being automatically removed on 14 June 2025. There is no extension to this date.

Do I need to physically sign the DVS Participation Agreement?

NO. To streamline the process and eliminate the need for physical signatures, the DVS Business User Participation Agreement can be digitally signed and witnessed. Once the agreement is signed, it must be uploaded via DVS’s Noggin platform.

Does Clause 3.4 of the Business User Participation Agreement mean that business users need to sign an additional contract with Austroads and Registries of Births, Deaths and Marriages?

NO. Clause 3.4 refers to a separate Participation Agreement that will be signed between the Attorney-General’s Department, Austroads and Registries of Births, Deaths and Marriages. Business users will not be required to sign an additional contract with these organisations.

For multi entity companies, e.g. multiple ABNs as part of a Group of companies, are there restrictions on how to manage information received from IVS? E.g. where there is shared infrastructure, business processes etc.

In order for this information to be shared through shared infrastructure, the signatory will be required to authorise the members of its corporate’s group to act as their agent for the purposes of the participation agreement.

Privacy Impact assessment

What are the obligations around conducting Privacy Impact Assessments (PIA)?
The IVS Act requires that a participation agreement must provide for privacy impact assessments (PIA) of requesting identity verification services.

The Department, as the Framework Administrator, is in the process of preparing a PIA for the DVS. The Department intends for the DVS PIA to cover the standard use of the DVS, with standard user types including GSPs, IDSPs or business users. Once the PIA is finalised, the Department will publish the PIA on the IDMatch website and notify all DVS users.

In accordance with the DVS user’s privacy obligations, and paragraph 5.3 of the standard participation agreement, users are to ensure their use of the DVS is consistent with the findings and recommendations of any PIA applicable to their use of the DVS. The agreements also require users to commission their own independent PIA for their use of the DVS if it is inconsistent with the findings and recommendations of the department’s PIA.

Will all business users be expected to have a PIA?
YES, as per above, all business users will need to be covered by either the Framework Administrator’s general PIA, or have their own PIA.

When will the new PIA be available? How will it be communicated?
The PIA will be sent to all registered DVS business users and can be found here or on the IDMatch Website.

What happens if we have already signed the participation agreement and we subsequently identify that our use of the DVS is not consistent with the findings or recommendations of the updated PIA when it is published? How long do I have to address this?
Clause 5.3(d) of the DVS business user participation agreement provides that once users identify that their usage of the DVS is not consistent with the PIA, then they must promptly notify the Department, commission an independent PIA, and share the findings with DVS.

The agreement does not specify a timeframe that any subsequent PIA needs to be commissioned by. However, it is recommended that users seek their own legal advice to ensure they meet their obligations under the agreement, and ensure any subsequent PIAs are conducted as soon as practicable.

Has GBG undertaken it’s own Privacy Impact Assessment (PIA) as required under the new Participation Agreement.

The Participation Agreement requires a PIA to be undertaken where use of the DVS is inconsistent with the recommendations and findings of the PIA undertaken by the Framework Administrator (ie the DVS). GBG considers our use of the DVS is consistent with the recommendations and findings of the DVS PIA and therefore do not consider we need to undertake an additional PIA.

Annual Compliance statement

Do I need to submit a Compliance Statement with my Participation Agreement?

NO. Business users do not need to complete a compliance statement with your Participation Agreement. The compliance statement process is being finalised and will be announced after the 14 June 2025.

What is the submission process for the annual compliance statement as per Addendum 1? Where does a business submit the compliance statement?

Businesses are not required to complete a compliance statement prior to 14 June 2025. Annual compliance statements will be due on a date that will be advised by the Department. DVS will provide further communication regarding the annual compliance statement process once the details have been finalised.

Are compliance statements required after 12 months usage or a set date during the year?

Clause 6.3 of the DVS business user participation agreement provides that the compliance statement should cover the 12 months preceding its submission date, or for a shorter duration if the DVS has been utilised for a shorter period. The Department will provide further guidance after the DVS business user participation agreements have been executed or closer to when compliance statements are due.

In relation to requirements 3.1 d) and 6.1 set out in the DVS Business User Agreement, is there a specified period of time that a DVS user is required to hold records of DVS Information Match Results for auditing purposes?

The user must maintain evidence of their compliance in line with their compliance statement. This evidence should be maintained in line with the most recently submitted compliance statement. The audit program will cover the period of the previous financial year.

Overseas access

Can you confirm what is meant by overseas access?

Individuals or entities having access to Information Match Data from outside of Australia or New Zealand.

Is there a specified form or method through which a DVS user must notify the Framework Administrator of any proposed use or access to the DVS by Overseas Personnel? Is the notice required to include the details of individual overseas personnel, and is there a requirement to update this notice before additional overseas personnel can use the DVS?

Any requests for overseas personnel or access must be sent to IVS.Manager@ag.gov.au. Our Audit and Compliance team will review your request and will contact you if any further information is required before processing it.

To complete the question with respect overseas access. We use DVS via our website, the website collects the information to be checked and we send this via the greenID API to be checked against the DVS data source. We may also use the greenID Admin portal to submit a request for a DVS check. Are we saying in both cases the end user has to be based in Australia?

Please notify the IVS.Manger.ag.gov.au. We may require further clarification of your overseas access. The person whose identity your wish to verfiy does not need to be based in Australia (they are not considered as a User of the DVS under the Act or the Participation Agreement).

General

Are there any changes to the requirements for obtaining customer consent under the new DVS Participation Agreement? Where can I find the consent statement?

YES. Where previously express consent was a requirement under the Privacy Act, it is now a requirement under the Identity Verification Services Act 2023 (Cth). Guidelines for obtaining express consent can be found in the DVS Access Policy, Part 2, Section 2.50. including the below sample consent statement:

☐ I confirm that I am authorised to provide the personal details presented and I consent to my information being checked with the document issuer or official record holder via third party systems for the purpose of confirming my identity.

NOTE: the new IVS Act 2023 consent requirement is not materially different to the existing Privacy Act requirement, but you should review your current process and consent statement to ensure you remain compliant.

Can you please provide more detail around the express consent requirements? What level of detail would be sufficient, particularly as it relates to informing customers of the legal rights related to collection of Identification Information

Regarding the requirement of Clause 5.5(b) it would be suffecient to note if you are subject to
i. the Australian Privacy Act;
ii. the New Zealand Privacy Act; or
iii. the privacy law of an Australian State or Territory which is prescribed in the IVS Rules for the purposes of section 9(1)(b) of the IVS Act; or
iv. If you are not subject to the Privacy Laws specified above, that you comply with the Australian Privacy Principles as if you are an APP entity

Will the new Participation Agreements mean the DVS users are no longer required to sign a Commonwealth Electoral Roll Declaration?

Commonwealth Electoral Roll Declaration will still be required as per the current process.

If a business such as a credit provider has been audited for DVS compliance, then can it be assumed that the credit provider has met all participation agreement obligations (contingent to closing audit findings if any)?

NO. All previous audits were conducted assessing compliance against the previous DVS term and conditions. The User may need to make changes in order to comply with the requirements of the new participation agreement.

Can we use our existing complaints processes which deal with privacy complaints to comply with clause 7?

YES. These process should facilitate complaints specifically on the use of the DVS and the user must be informed of the complaints process before seeking the consent of the individual

Could you please clarify what would be considered a breach in security or privacy relating to the use of DVS.

Any incident where unauthorized access, disclosure, or modification of sensitive data or systems occurs in relation to your use of the DVS

When was the first email notification be sent to all the business users?

The first email notification was sent to business users on 20 January 2025 from IVS Manager. This email advised business users that a separate email will be sent from Attorney-General’s Department Noggin platform, with instructions on how to sign and submit the DVS Business User Participation Agreement.

Face Verification Service (FVS)

What is the Face Verification Service?

The FVS is a government service that compares a person's photo to the image on their government-issued ID, such as their passport or driver licence.

The FVS is currently only available to government agencies, however the IVS Act (2023) has provision to make this available to commercial entities, similar to the DVS.

Based on updates received from the IVS Manager, it is expected that the FVS will become commercially available in the second half of 2025. GBG are currently working to ensure that we make the FVS service available to our customers as soon as possible once it is available commercially.

GBG customers wishing to use the FVS will need to sign a separate FVS participation agreement, details will be provided when they are available.

Impacts to greenID or Cloudcheck service

How does the new Participation Agreement impact my identity service?

If you do not sign and return the Participation Agreement to DVS in adequate time for the DVS to review and approve your agreement by 13 June 2025, your access to DVS will cease on 14 June 2025 and DVS transactions will not be processed.

Can GBG submit the new Participation Agreement for me?

NO. You will need to use the link provided by the IVS Manager to sign and upload your Participation Agreement, Gateway Service Provider’s such as GBG cannot do this on your behalf.

Can GBG provide advice on the changes to the Participation Agreement?

NO. GBG cannot provide specific advice on the changes to the Participation Agreement. As each business is unique, the impacts and necessary adaptations required to implement the new terms are best evaluated by your legal and compliance teams.

If a private entity only uses greenID service for verifying individuals identities die the purpose of obtaining a copy of their credit report, is the agreement still required to use greenID service?

NO. Only business users who require access to government data for identity verifications need to sign the Participation Agreement.