This material is owned and prepared by the Office of the Australian Information Commissioner (OAIC) as the Digital ID privacy regulator under the Digital ID Act 2024. The materials linked below outline the privacy rules and responsibilities all accredited entities need to follow to maintain accreditation.
For support or queries related to the information below please contact the OAIC.
| Date | Version | Description of changes |
|---|---|---|
| Nov 2024 | Version 1 | Initial version |
Prohibition on handling information for enforcement and law enforcement purposes
The Digital ID Act 2024 (the Digital ID Act) prohibits the use and disclosure of information held by an accredited entity in connection with its accredited services (section 33 of the Digital ID Act) for enforcement and law enforcement purposes, unless one of a limited number of exceptions under the Act applies. In contrast, the Privacy Act 1988 (the Privacy Act) and the Australian Privacy Principles (APPs) permit disclosure of personal and sensitive information to an enforcement body when it is reasonably necessary for an ‘enforcement related activity’ (sections 20E and 21G of the Privacy Act and APPs 3, 6, 8 and 9). The Digital ID Act overrides the Privacy Act and the APPs on this point: law enforcement access is prohibited except in the limited circumstances set out below. The prohibition applies despite section 86E of the Crimes Act 1914 and any other law of the Commonwealth, a State or a Territory, whether enacted or made before or after the commencement of the Digital ID Act.
Disclosure of personal information/disclosure to enforcement bodies
Section 54 of the Digital ID Act provides that an accredited entity must not use or disclose personal information of an individual for the purposes of enforcement related activities conducted by or on behalf of an enforcement body* unless one of the following circumstances applies:
*‘Enforcement body’ in the Digital ID Act has the same meaning as in the Privacy Act 1988.
Circumstances where use or disclosure of personal information that is not biometric information is permitted for enforcement purposes**:
- a warrant issued under a law of the Commonwealth, State or Territory; or
- reporting a digital ID fraud or cyber security incident (suspected or actual); or
- with express consent for verifying identity or investigating/prosecuting an offence; or
- complying with the Digital ID Act; or
- proceedings have commenced against a person (for a Commonwealth, State or Territory offence or a breach of a law imposing a penalty or sanction).
**Section 54 of the Digital ID Act 2024. These circumstances also apply in relation to subsection 47(4)(e).
Disclosure of biometric information/disclosure to law enforcement agencies
Section 48 and subsection 49(3) of the Digital ID Act provide that an accredited entity must not disclose biometric information it holds to a law enforcement agency unless the disclosure falls within one of the following circumstances:
Circumstances where disclosure of biometric information to a law enforcement agency is permitted***:
- a warrant issued under a law of the Commonwealth, a State or a Territory; or
- with express consent for verifying identity or investigating/prosecuting an offence.
***Subsection 49(3) of the Digital ID Act.
What is a law enforcement agency?
The Digital ID Act uses two different terms for the bodies these restrictions concern. Subsection 49(3) restricts disclosure of biometric information to a ‘law enforcement agency’, while section 54 restricts use or disclosure of other personal information for the enforcement related activities of an ‘enforcement body’. The two terms are defined by reference to different Acts and do not cover the same set of bodies, so an accredited entity needs to identify which definition the requesting body falls under before deciding what, if anything, it may disclose.
For the purposes of the Digital ID Act, ‘enforcement body’ has the same meaning as in the Privacy Act**** and ‘law enforcement agency’ has the same meaning as in the Australian Crime Commission Act 2002.
‘Law enforcement agency’ means the Australian Federal Police (AFP), a Police Force of a State, or any other authority or person responsible for the enforcement of the laws of the Commonwealth or of the States. This includes entities such as the Australian Taxation Office (ATO), the Australian Securities and Investments Commission (ASIC) and the Australian Border Force. For example, the ATO is a law enforcement agency because it can prosecute certain offences under the Taxation Administration Act 1953 (Cth), and ASIC is a law enforcement agency because it enforces the Australian Securities and Investments Commission Act 2001 (Cth), including in relation to conduct amounting to criminal offences (Australian Crime Commission v AA Pty Ltd [2006] FCAFC 30).
****For a full list of enforcement bodies, refer to the Privacy Act.
Example: ID4U is an accredited entity offering digital ID verification services. Enforcement Body A requests both personal information and biometric information of a user for an investigation into corrupt practices.
ID4U evaluates the request and determines that it could disclose the personal information to Enforcement Body A under section 54(1)(b)(vi) of the Digital ID Act if the individual gives express consent. However, it determines that it cannot disclose any biometric information: under subsection 49(3), biometric information may be disclosed only to a law enforcement agency (a narrower class than enforcement bodies), such as the AFP, and only in the limited circumstances listed above. In this example, Enforcement Body A is not a law enforcement agency within the meaning of the Australian Crime Commission Act 2002.
ID4U seeks the individual's express consent to share their personal information for the purpose of investigating an offence against a law of the State. The individual provides that consent.
ID4U therefore informs Enforcement Body A that it will provide the requested personal information but must decline the request for biometric information, in accordance with the legal restrictions on such disclosures.
Reporting requirements
If a law enforcement agency requests or requires an accredited entity to disclose biometric information, or an enforcement body requests or requires an accredited entity to use or disclose personal information of an individual that is not biometric information, the agency or body must prepare a report for each financial year and give it to the AFP Minister by 30 September after the end of that financial year, or by the end of any further period granted (paragraph 155A(3)(b) of the Digital ID Act). ‘AFP Minister’ means the Minister administering the Australian Federal Police Act 1979 (section 9 of the Digital ID Act). This reporting obligation falls on the requesting agency or body, not on the accredited entity.
The AFP Minister must also prepare a report, as soon as practicable after the end of each financial year, on the reports provided by each agency or body. That report must be tabled in each House of the Parliament within 15 days of the day on which it is completed (section 155B of the Digital ID Act).
Reporting requirements for an agency/body
An agency's or body's report must include:
- the total number of requests or requirements made by the agency/body during the financial year.
- details of the type of information requested or required (but not including personal information of a particular individual or details that would identify a particular individual) during the financial year.
- the total number of requests or requirements that were complied with by an accredited entity during the financial year.
The AFP Minister's report must include:
- the number of requests or requirements made by each agency or body during the financial year.
- details of the type of information requested or required (but not including personal information of a particular individual or details that would identify a particular individual) by each agency or body during the financial year.
- the total number of requests or requirements made by each law enforcement agency or enforcement body that were complied with by an accredited entity during the financial year.