The DVS and consent

The DVS is a consent based service. Use of the DVS requires express consent to be gathered from the owner of the identity document prior to verification by the DVS for the following reason:

Consent is a requirement of use for the DVS and allows issuing organisations to meet their privacy requirements to the document owner. All issuing organisations have either legislation or administrative guidelines that govern how they can disclose information (including penalties for non-compliance). For most Australian Government agencies and businesses with annual turnover of over $3 million, this will be the Privacy Act 1988 (Cth) (Privacy Act). Most states and territories have equivalent laws applying to state and territory government agencies.

Elements of consent

Consent is relevant to the operation of some Australian Privacy Principles in the Privacy Act, namely those dealing with the collection, use and disclosure of personal information. Consent provides a basis to authorise the handling of personal information in a particular way.

Consent has four key elements including that:

  • the individual is adequately informed before giving consent
  • the individual gives consent voluntarily
  • the consent is current and specific
  • the individual has the capacity to understand and communicate their consent.

Consent under the Privacy Act includes either implied or express consent. Implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and the APP entity. Express consent is given explicitly, either orally or in writing. This could include a handwritten signature, an oral statement, or use of an electronic medium or voice to signify agreement.

Before handling an individual’s personal information (when using the DVS to check personal identity documents) an organisation should as far as practicable implement procedures and systems to obtain and record consent. This resolves doubt about whether consent was given.

Capacity to consent

Issues that could affect an individual’s capacity to consent include:

  • age
  • physical or mental disability
  • temporary incapacity, for example when someone is suffering from severe distress or a mental health condition
  • limited understanding of English

Capacity to consent should be considered on a case by case basis and, where possible, support provided to enable an individual to have capacity to consent for themselves (provision of an interpreter or alternate communication methods). Other options for consent may be from a guardian or someone nominated in writing by the individual involved.

Children and young people

The Privacy Act does not specify an age after which individuals can make their own privacy decisions. The Australian Privacy Principle Guidelines state that “As a general principle, an individual under the age of 18 has capacity to consent when they have sufficient understanding and maturity to understand what is being proposed. In some circumstances it may be appropriate for a parent or guardian to consent on behalf of a young person, for example, if the child is young or lacks the maturity or understanding to do so themselves.”

If it is not practicable or reasonable for an organisation or agency to assess the capacity of individuals under the age of 18 on a case by case basis, they may presume that an individual aged 15 or over has capacity to consent, unless there is something to suggest otherwise. An individual aged under 15 is presumed not to have capacity to consent and would require parent or guardian consent.

Generally, state privacy regulation adopts the same approach to children and young people as the Privacy Act. Individuals under the age of 18 are given the same rights and protections as adults, and there are no specific protections or additional provisions relating to children or young people. More information on state based regulation and how it applies to children and young people can be found on the Australian Law Reform Commission website.

DVS consent requirements

Each organisation will have its own administrative and/or legislative requirements around privacy and consent and there are multiple ways to meet the DVS consent requirements. Best practice industry examples include a checkbox on the screen where the document information is entered, paired with a consent statement such as:

I confirm that I am authorised to provide the personal details presented and I consent to my information being checked with the document issuer or official record holder via third party systems for the purpose of confirming my identity.