Last updated: 27 August 2025

Part 1: Executive Summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the Australian Taxation Office (ATO) in its role as operator of both the myID application (myID) and the Relationship Authorisation Manager (RAM). The OAIC considered the ATO’s compliance with requirements for handling requests by enforcement agencies for personal and biometric information collected by myID and personal information collected by the RAM.

1.2 myID and the RAM form part of the Australian Government’s Digital ID System (AGDIS). The Digital ID system (also known as Digital ID) is a voluntary way for Australians to prove their identity online and access certain Government services.

1.3 The ATO’s myID is an Identity Service Provider that generates, binds[1] and distributes credentials to individuals. The ATO’s RAM is an Attribute Service Provider that allows authorised persons to act on behalf of a business online when linked with their Digital ID. A person’s Digital ID is used to log in to the RAM.

1.4 The objective of this assessment was to determine whether the ATO, as the provider of the accredited myID and the RAM, had effective arrangements to respond to requests for personal and biometric information for enforcement purposes, in accordance with the Digital ID Act 2024 (Cth) (Digital ID Act).

1.5 Specifically in relation to the ATO’s role as the operator of myID and the RAM, this assessment focused on the steps the ATO took to:

  • effectively comply with requirements for handling requests by enforcement agencies for personal and biometric information
  • implement practices, procedures and systems to comply with requests by enforcement agencies for personal and biometric information.

1.6 We found the ATO had robust practices, procedures and systems in place to respond to requests by enforcement bodies for personal information that is not biometric information in line with s 54 of the Digital ID Act. The procedures adequately address the risk of improperly releasing personal information obtained via the use of myID or the RAM.

1.7 While the ATO did not have any processes in place to deal with warrants from law enforcement agencies for biometric information, we considered it was highly unlikely to hold the information required by the warrant. It was not reasonably necessary for the ATO to have a process.

1.8 However, we found that not having a procedure creates a low privacy risk; in the event the ATO received a warrant it would need to search for the biometric information regardless of whether or not it held the information. We, therefore, suggest the ATO should form some high-level procedures to be able to respond to these requests, in the event they receive one.

1.9 The OAIC has made one suggestion and no recommendations.

Part 2: Introduction

Background

2.1 Digital ID is a voluntary way for Australians to prove their identity online[2] and access a range of Government services. The ATO operates both myID[3] and the RAM[4] service, which form part of the AGDIS.

myID

2.2 myID is both an identity provider and a credential provider:

  • as an identity provider, myID creates, maintains, or manages information about an individual’s identity and offers identity-based services
  • as a credential provider, myID generates, binds (process of linking the credential with the digital identity) and distributes credentials to individuals or can bind and manage credentials generated by individuals.

2.3 myID holds the personal information of its users that is not biometric information for the purpose of administering the myID system, including identity verification. This includes:

  • name
  • date of birth
  • address
  • contact details, including email address and phone number
  • details contained in Australian Government issued identity documents.

2.4 In certain limited circumstances, myID may hold biometric information[5] as a part of the ‘liveness checking’ function of myID. When a user seeks to link an identity document with an image (such as a passport) to a myID account, myID takes a series of photos (a ‘liveness stream’) for 2 reasons. The first is to confirm a live person is in front of the device camera during identity verification. The second is to facilitate matching the biometric data from a photo against a passport photograph.

2.5 The ATO has contracted iProov Limited (iProov) as the ‘liveness testing’ vendor to provide the liveness detection service.

2.6 iProov retains images from the liveness check in very limited circumstances: where the image is suspicious or inconclusive. iProov may then hold this image for up to 14 days, which it uses for performance validation and testing purposes.

2.7 An image from the liveness stream is transmitted to the Department of Foreign Affairs and Trade (DFAT) to compare the biometric materials from the user against a passport photograph. DFAT temporarily holds the image to compare against the passport photograph. The ATO advised that at no time does the ATO hold the image data from the passport photograph; DFAT sends the ATO, via myID, an affirmative or negative response about the facial match.

2.8 The liveness checks are conducted in a separate system, which runs parallel to the main myID system and databases (holding all other components used for the functioning of the app). The interaction between the liveness checking and the main myID system is through a connected database utilised for temporary storage only and is not subject to backups.

2.9 The liveness checking and biometric matching are two separate processes occurring from the same stream of photographs. This process only occurs when a user is first setting up a ‘strong identity strength’. While these processes are separate, they are conducted in a single transaction.

RAM

2.10 As an attribute service provider, the RAM is an authorisation service that enables individuals to act on behalf of a business online using their Digital ID when accessing government services. The RAM is the system that manages who can access services on behalf of a business.

2.11 Essentially, to access the RAM on behalf of a business, myID is the app individuals first use to prove their identity (as above). They can then link their myID to their Australian Business Number (ABN) in the RAM. The RAM holds personal information such as the business’ ABN and associated business relationships.

2.12 The only personal information RAM collects is the connection between the individual and the business.

Enforcement access to Digital ID data

2.13 The Digital ID Act prohibits an accredited entity (when providing accredited services) from using or disclosing information for enforcement and law enforcement purposes, unless one of a limited number of exceptions under the Act apply.[6]

2.14 In contrast, the Privacy Act 1988 (Cth) (the Privacy Act), including the Australian Privacy Principles (APPs), permits disclosure of personal and sensitive information to an enforcement body when it is reasonably necessary for an ‘enforcement related activity’.

2.15 The Digital ID Act overrides the Privacy Act to prohibit enforcement access to information collected through Digital ID, with some exceptions. This represents a strengthening of privacy protections, by creating a more stringent test for the release of information and specifying the circumstances when accredited entities can release information.

2.16 The Digital ID Act allows the disclosure of personal information that is not biometric information to enforcement bodies. Enforcement bodies include not only police but a wide range of Commonwealth, state and territory agencies with an enforcement remit, such as the Australian Securities and Investments Commission, the Home Affairs and state and territory anti-corruption commissions (for a full list, see Appendix B).

2.17 The Digital ID Act allows the disclosure of personal information that is biometric information to law enforcement agencies. This includes Commonwealth, state and territory policing bodies (for a full list, see Appendix B).

2.18 In order to comply with these requirements, a reasonable step for accredited entities is to create policies, procedures and systems to ensure they only release personal information in the permitted circumstances.

2.19 The purpose of this assessment is to consider the ATO’s systems, policies and procedures to ensure it can appropriately deal with requests from enforcement and law enforcement agencies for Digital ID data.

Previous digital identity assessments

2.20 The Digital ID Act came into force on 1 December 2024. The OAIC is the privacy regulator of Digital ID and is responsible for ensuring individuals’ privacy is protected by overseeing the privacy safeguards that apply to all accredited entities. This includes conducting assessments of accredited Digital ID entities.[7]

2.21 The OAIC’s previous Digital ID assessments have included:

  • whether Services Australia, in its capacity as the operator of the Identity Exchange for the Digital ID, was handling personal information in accordance with APP 1.2. View the assessment page.
  • whether the ATO and its third-party vendor (iProov) were taking reasonable steps under APP 11.2 to destroy, or de-identify biometric information handled as part of myID. View the assessment page.
  • whether the ATO, as operator of myID, were complying with requirements under APPs 1.3 and 1.4 (regarding a clearly expressed and up to date privacy policy), APP 5 (regarding notification of collection of personal information) and APP 6 (regarding the use or disclosure of personal information). View the assessment page.

Part 3: Observations and Findings

Responding to an enforcement body’s request for personal information that is not biometric information

3.1 The ATO provided detailed Standard Operating Procedures that explained its process for managing a request from enforcement bodies for personal information that is not biometric information from myID and the RAM. It also provided template investigation reports and 2 checklists (1 for the requesting enforcement body, and 1 for the ATO when managing the request).

3.2 The OAIC also conducted fieldwork interviews with the ATO as a part of this assessment. During these interviews, the ATO ran through its process for managing a request from an enforcement body for personal information that is not biometric information. At the time of fieldwork, the process was:

  • Upon requiring personal information for enforcement purposes, the requesting enforcement body must fill out a checklist that ensures that the enforcement body meets the requirements of s 54 of the Digital ID Act.
  • This checklist gives a detailed breakdown of s 54 of the Digital ID Act. It included a tick box section that the enforcement body must fill out to ensure that the information they are requesting is permissible under s 54. This checklist listed 5 specific types of information that can only be requested under s 54; 3 of which the enforcement body can only request if the case has proceeded to court and they require the information as part of a brief of evidence. The enforcement body must also include a statement describing which criteria within s 54 is relevant to them for the ATO to authorise the disclosure.
  • If the enforcement body does not meet the requirements of s 54, the checklist explicitly states that they should not proceed with their request for disclosure.
  • The request is processed through internal ATO teams who coordinate these types of requests. They will only forward the request to the Fraud Investigation team if it meets the requirements of s 54. The Fraud Investigation team handle the request with appropriate security measures, including additional access controls and access disclosure logs.
  • Once the Fraud Investigation team have gathered all information and evidence in relation to the request, they finalise their report and email it back to the coordinating team, including any evidence.
  • The ATO finalises its report and authorises the release of personal information by providing the report and relevant evidence relating to the enforcement activity to the enforcement body.

3.3 Our review of the ATO’s documents and processes showed that any request for release of personal information under s 54 of the Digital ID Act is reviewed against the legislation. We were satisfied that the ATO had adequately implemented practices, procedures and systems to ensure compliance with s 54 of the Digital ID Act.

Finding

The ATO’s procedures adequately addressed all aspects of s 54 of the Digital ID Act and sufficiently addressed the risk of improperly releasing personal information obtained via the use of myID or the RAM.

Responding to a law enforcement body’s request for biometric information

3.4 The ATO does not conduct biometric matching, nor does it retain biometric materials except throughout the process of liveness checking and in instances where the image is suspicious. It advised that it does not have a process or procedure for the release of biometric materials to law enforcement agencies.

Liveness testing and the retention of biometric information

3.5 The ATO has contracted iProov as the ‘liveness testing’ vendor to supply the ATO with the liveness detection services. Liveness testing ensures that myID is reading a true, conscious biometric source.

3.6 The image taken from the liveness stream is temporarily held for the purpose of comparison to the passport photograph, held by DFAT. Once verification has taken place, the ATO retains the affirmative or negative response, and the image data captured from the liveness stream (including the image transmitted to DFAT) is destroyed.

3.7 While the process of liveness testing is separate to the process of biometric matching, the liveness stream does contain a series of images that may contain biometric material.

3.8 iProov may hold biometric information for 14 days in circumstances where the image is suspicious in terms of the liveness checking function.

3.9 The ATO advised that, because it obtained this image for the purposes of liveness checking and the images retained are those that have failed the liveness check, the image often does not contain biometric information (the image may be out of focus, not a complete face or not an image of a face at all). Further, the ATO advised that it rarely holds this information for a full 14 days in any event.

3.10 The ATO provided estimates of the number of images that iProov retains through liveness checks. The OAIC is satisfied that the number of images retained is a very small proportion of liveness checks conducted.

3.11 This demonstrates the low proportion of biometric information retained for 14 days or less. Further, iProov deletes the images as it resolves any issues around the liveness check, and the ATO advises it rarely retains the images for the full 14-day period.

Law enforcement requests for biometric information held in myID

3.12 At the time of assessment, the ATO had not received a request for the release of biometric information from a law enforcement agency.

3.13 The ATO considered it would be highly unlikely a law enforcement agency would provide the ATO a warrant during the maximum 14-day period during which iProov potentially held the relevant individual’s biometric information.

3.14 The circumstances in which this would occur would require the law enforcement agency to issue a warrant for an individual who was one of the very small proportion of people whose biometric data iProov held for any given period, and for the ATO to process this warrant in the maximum of 14 days before the destruction of this information.

3.15 At this point the OAIC is satisfied that it is impractical for the ATO to deal with requests under s 49(3) of the Digital ID Act.

3.16 We find it is reasonable that, at this time, the ATO has not developed any processes or procedures for the release of biometric materials to law enforcement agencies.

3.17 However, the ATO could receive a warrant for biometric information from a law enforcement agency at any time. While it may be unlikely the ATO will hold that biometric information, it will still need a procedure for dealing with these warrants, regardless of whether or not it holds the requested biometric information. Not having a process in place creates a low privacy risk.

3.18 Accordingly, we suggest the ATO addresses this risk by developing a high-level procedure to follow in the event it receives a warrant from a law enforcement agency for biometric information. In the event the number of individuals’ images iProov retains substantially increases, or in the event the ATO receives its first warrant for biometric information, the ATO should develop a more detailed procedure.

Finding

At this time, we find it reasonable the ATO has not developed any processes or procedures for the release of biometric materials to law enforcement agencies. However, this creates a low privacy risk as the ATO could still receive a warrant from law enforcement agencies requesting the release of biometric information, and it would need to deal with that warrant.

Suggestion

To address this privacy risk, the OAIC suggests the ATO develop a basic, high-level procedure in the event they receive a warrant from a law enforcement agency for biometric information. This procedure can mirror those procedures the ATO have in place for requests for personal information that is not biometric information received under s 54 of the Digital ID Act.

Part 4: Suggestions and responses

Suggestion 1

OAIC suggestion

The OAIC suggests the ATO develop a basic, high-level procedure in the event they receive a warrant from a law enforcement agency for biometric information. This procedure can mirror those procedures the ATO have in place for requests for personal information that is not biometric information received under s 54 of the Digital ID Act.

ATO response

The ATO accepts the suggestion from the OAIC and will update its process to include handling requests under s 49 of the Digital ID Act.

Part 5: Description of assessment

Objective and Scope

5.1 The objective of this assessment was to determine whether the ATO, in its role as the operator of both myID and the RAM, has effective arrangements to respond to requests for personal and biometric information for enforcement purposes, in accordance with the Digital ID Act.

5.2 Specifically in relation to the ATO’s role as the operator of myID and the RAM, we assessed this objective against two criteria:

  • has the ATO established effective arrangements under s 54 of the Digital ID Act[8] to respond to requests from enforcement agencies for personal information that is not biometric information?
  • has the ATO established effective arrangements under s 49(3) of the Digital ID Act[9] to respond to requests from law enforcement agencies for biometric information?

5.3 The assessment’s scope did not include:

  • a physical review or testing of the technical controls and capabilities of the ICT systems used by the ATO or contracted service providers to operate or support myID.

Privacy risks

5.4 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance (see Appendix A), the OAIC makes recommendations to the ATO about how to address those risks. Where we find low privacy risks, we make one suggestion.

5.5 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’. Chapter 9 of the OAIC’s Guide to privacy regulatory action provides further detail on this approach.

Conduct of the assessment

5.6 The OAIC conducted a risk-based assessment of the ATO in its role as the operator of myID and the RAM in accordance with ss 49(3) and 54 of the Digital ID Act.

5.7 The assessment involved the following:

  • review of relevant documents provided by the ATO
  • fieldwork, which included virtual interviews of key staff members through videoconferencing platforms in March 2025.

Reporting

5.8 The OAIC generally publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.

Assumptions and Caveats

5.9 The OAIC conducts its assessments as a ‘point in time’ assessment; that is, our observations and opinions are only applicable to the time period in which we undertook the assessment.

5.10 This report is not an endorsement of myID or the RAM by the OAIC, or any other ATO product or service.

Part 6: Appendices

Appendix A – Privacy risk guidance

Privacy risk rating: High risk

Entity action required: Entity must, as a high priority, take steps to address mandatory requirements of Privacy and related legislation. Immediate management attention is required.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects:

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit, privacy safeguard, or not likely to meet significant requirements of a specific obligation, for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies)

Privacy risk rating: Medium risk

Entity action required: Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy and related legislation. Timely management attention is expected.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that may lead to the following effects:

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit privacy safeguard or meets some (but not all) requirements of a specific obligation)
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities
  • Possible ministerial involvement or censure (for agencies)

Privacy risk rating: Low risk

Entity action required: Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy and related legislation. Management attention is suggested.

Likely outcome if risk is not addressed: This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed:

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit privacy safeguard, Part VIIIA)
  • Minimum compliance obligations are being met

Appendix B – Definitions of enforcement body and law enforcement agency

An enforcement body is defined in s 9 of the Act, by reference to the Privacy Act 1988 (Cth).

Term (s 9 of the Act): enforcement body

Reference: has the same meaning as in the Privacy Act 1988

Definition:

(a) the Australian Federal Police; or

(aa) the National Anti-Corruption Commissioner; or

(ab) the Inspector of the National Anti-Corruption Commission; or

(b) the ACC; or

(c) Sport Integrity Australia; or

(ca) the Immigration Department; or

(d) the Australian Prudential Regulation Authority; or

(e) the Australian Securities and Investments Commission; or

(ea) the Office of the Director of Public Prosecutions, or a similar body established under a law of a State or Territory; or

(f) another agency, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction or a prescribed law; or

(g) another agency, to the extent that it is responsible for administering a law relating to the protection of the public revenue; or

(h) a police force or service of a State or a Territory; or

(i) the New South Wales Crime Commission; or

(j) the Independent Commission Against Corruption of New South Wales; or

(k) the Law Enforcement Conduct Commission of New South Wales; or

(ka) the Independent Broad-based Anti-corruption Commission of Victoria; or

(l) the Crime and Corruption Commission of Queensland; or

(la) the Corruption and Crime Commission of Western Australia; or

(lb) the Independent Commission Against Corruption of South Australia; or

(m) another prescribed authority or body that is established under a law of a State or Territory to conduct criminal investigations or inquiries; or

(n) a State or Territory authority, to the extent that it is responsible for administering, or performing a function under, a law that imposes a penalty or sanction or a prescribed law; or

(o) a State or Territory authority, to the extent that it is responsible for administering a law relating to the protection of the public revenue.

The definition of law enforcement agency in the Act is:

Term (s 9 of the Act): law enforcement agency

Reference: has the same meaning as in the Australian Crime Commission Act 2002

Definition:

(a) the Australian Federal Police;

(b) a Police Force of a State; or

(c) any other authority or person responsible for the enforcement of the laws of the Commonwealth or of the States.

Appendix C – Legislative exemptions for use and disclosure

Non-biometric information

Section 54 of the Act provides that an accredited entity must not use or disclose personal information for the purposes of enforcement related activities conducted by, or on behalf of, an enforcement body, unless the personal information is not biometric information and:

  1. at the time the information is used or disclosed, the accredited entity is satisfied that the enforcement body has started proceedings against a person for an offence against a law of the Commonwealth, a State or a Territory;
  2. at the time the information is used or disclosed, the accredited entity is satisfied that the enforcement body has started proceedings against a person in relation to a breach of a law imposing a penalty or sanction;
  3. the disclosure of the information is required or authorised by or under a warrant issued under a law of the Commonwealth, a State or a Territory;
  4. the information is used or disclosed for the purposes of reporting a suspected or actual digital ID fraud incident or suspected or actual cyber security incident;
  5. the information is used or disclosed by the accredited entity for the purposes of complying with this Act;
  6. the information is disclosed with the express consent of the individual to whom the personal information relates, or purports to relate, and the disclosure is for the purpose of verifying the identity of the individual, or investigating or prosecuting an offence against a law of the Commonwealth, a State or a Territory.

Biometric information

Section 49 of the Act provides the general rules for the authorised collection, use and disclosure of biometric information of individuals. Subsection (3) allows for the disclosure of biometric information of an individual to a law enforcement agency in limited circumstances:

49 Authorised collection, use and disclosure of biometric information of individuals – general rules

  1. the disclosure of the information is required or authorised by or under a warrant issued under a law of the Commonwealth, a State or a Territory; or
  2. the information is disclosed with the express consent of the individual to whom the biometric information relates, or purports to relate, and the disclosure is for the purpose of:
    1. verifying the identity of the individual; or
    2. investigating or prosecuting an offence against a law of the Commonwealth, a State or a Territory.

[1] This is a process of linking the credential with the Digital ID

[5] Biometric information refers to unique, measurable biological characteristics of an individual that can be used for identification or verification of identity. This includes features like fingerprints, facial dimensions, iris scans, voice recordings, and even health data like heart rate and fitness metrics. This differs from a photograph as a photograph may not contain the relevant facial characteristics and measurements needed to create a biometric match.

[6] Appendix C

[7] The OAIC’s Digital ID regulatory strategy is available at Digital ID regulatory strategy

[8] Appendix C

[9] Appendix C