Question – Facial Recognition Data Collection Additional Questions
Questions by Meg Webb MLC on 28 Nov 2019 answered for the Govt by Michael Ferguson MP, Minister for Infrastructure & Transport on 17 Mar 2020
Question 1. What legislative authority does the Register rely upon for secondary collection of facial data for the purposes of the 2017 Intergovernmental Agreement on Identity Matching Services not relating to the functions of the Registrar under section 6 of the Vehicle and Traffic Act?
Question 2. In the notice of the Vehicle and Traffic (Driver Licensing and Vehicle Registration) Amendment (Identity Matching Services) Regulations 2017, it was stated that the regulations would :
“amend the Vehicle and Traffic (Driver Licensing and Vehicle Registration) Regulations 2010 to allow the Registrar of Motor Vehicles to divulge information in accordance with the Intergovernmental Agreement on Identity Matching Services”
a) Noting the regulations may only be issued within the jurisdiction of the Act (common law/section 45 VTA) what legislative authority does the Registrar rely upon for the issuing of regulations for each and every purpose set out in clause 1.2 of the Intergovernmental Agreement on Identity Matching Services?
b) If the above stated regulations related only to the divulging of information, under what authority has the Registrar been collecting facial records for purpose of the Intergovernmental Agreement on Identity Matching Services?
ANSWER Questions 1 & 2: Driver licences are the most common form of identification used in Australia and are, therefore, a target used by criminals, including organised crime, to assume someone’s identity or create a false one. New identities are also created to obtain a new driver licence to avoid licence suspension. The new service will be a tool to assist the Registrar of Motor Vehicles (Registrar) and Tasmania Police to detect duplicate and false identities, thereby maintaining the integrity of driver licences and limiting opportunities for identity fraud and other identity-based crime.
The collection of facial images for driver licences has been in place for nearly 30 years. The Vehicle and Traffic (Driver Licensing and Vehicle Registration) Regulations 2010 (the Licensing Regulations), in particular regulations 20, 25, 29 and 138, is the current legislated authority for the collection of these images. The requirement to divulge images for the purposes of Identity Matching Services has not resulted in the collection of any additional information or images. The Registrar already held this information for the purposes of driver licensing.
In regards to the questions you have raised the following information is provided.
The data provided in accordance with the 2017 Intergovernmental Agreement on Identity Matching Services (the Agreement) is already held in the registers maintained by the Registrar. No additional data is collected for the purposes of the Agreement. These registers, and the Registrar’s powers to release information from them, have been created under the authority of s41 of the Vehicle and Traffic Act 1999 (the Act).
The data transferred into the segregated National Driver Licence Facial Recognition Solution (NDLFRS) database is a subset of the register of driver licences. The driver licence register is required to be kept under regulation 124 of the Licensing Regulations.
The Registrar maintains and owns the data in NDLFRS, and no other jurisdiction or agency is able to amend or delete or add data into this segregated database. The National Exchange of Vehicle and Driver Information System (NEVDIS) also contains a subset of the driver licence register except for images and has done so for a number of years.
Question 3. Under clause 2 of the Intergovernmental Agreement, Tasmania agreed that:
“the design and operation of the Identity Matching Services adopt robust privacy safeguards, informed by independently conducted privacy impact assessments, developed in consultation with federal and state privacy commissioners (or equivalents), to balance privacy impacts against the broader benefits to the community from sharing and matching identity information”
a) What specific privacy assessment was undertaken in respect of this undertaking prior to the collection of data of the Face Verification Service?
b) When was this privacy assessment undertaken?
c) On what basis was an exemption for the completion of a regulatory impact statement granted that means no RIS was conducted on the amendments to the Vehicle and Traffic (Driver Licensing and Vehicle Registration) Regulations 2010?
d) How does the secondary collection of data to the Face Verification Service database comply with Privacy Information Principle 1, under Schedule 1 of the Personal Information Protection Act?
ANSWER: The Registrar is empowered to divulge protected information from the driver licence register in accordance with regulation 125 of the Licensing Regulations.
Additionally, divulging information for the purposes of Identity Matching Services under the Agreement is also consistent with Personal Information Protection Principles set out in the Personal Information Protection Act 2004 (PIP Act). These Principles allow for the disclosure of personal information for a purpose other than the purpose for which it was collected if the disclosure is reasonably necessary for law enforcement purposes.
A comprehensive set of safeguards were developed in consultation with federal and state privacy commissioners including the Tasmanian Ombudsman.
Question 4. The Legislative Council was informed at the briefing on 28 November 2019 that a regulatory impact statement was not prepared for the Subordinate Legislation Committee under section 5 of the Subordinate Legislation Act?
a) Were the burdens on community and individual privacy considered in determining not to issue a regulatory impact statement?
b) Did the Registrar or Department explicitly advise the Minister no part of the regulations would impose any significant burden, cost of disadvantage on any sector of the public?
c) Did the Registrar or Department make an assessment as to whether or not the regulation was “within the regulation-making power conferred by, or in accord with the general objects of, the Act pursuant to which it is made”?
ANSWER: In accordance with the Subordinate Legislation Act 1992, an assessment of this amendment was undertaken and received endorsement from the Department of Treasury and Finance in November 2017 and final determination was given in December 2017 that a Regulatory Impact Statement was not required as the regulation did not impose a significant burden, cost or disadvantage on any sector of the public.
The then Minister for Infrastructure provided a certificate of compliance that the guidelines were followed in accordance s4 of the Subordinate Legislation Act 1992.
This was provided to the Subordinate Legislation Committee in January 2018.
