Managing Identity Documents
Recent data breaches have prompted consideration of the processes public authorities use to collect and manage identity documents received while providing services to Queenslanders.
Queensland government departments will be subject to new requirements for managing personal information, and a new mandatory data breach scheme will be established, with reforms expected to commence on 1 July 2025.
Identity documents, or other card-based credentials like driver licences, contain key attributes (such as name, date of birth, unique identifier) that are the core elements of a person’s documented identity.
Identity documents can be used by individuals throughout their lifetime as evidence to:
- verify identity
- enable access to goods and services
- claim benefits
- protect legal rights and entitlements.
For the appropriate management and disposal of identity documents, public authorities have responsibilities under the:
- Public Records Act 2002 (the PR Act)
- Information Privacy Act 2009 (the IP Act).
Under section 7 of the PR Act, the Chief Executive Officer (CEO) of a Department is responsible for creating, managing and keeping public records about the activities of the business.
Public authorities may also have privacy protection obligations under the IP Act to comply with either the Information Privacy Principles (IPP) or the National Privacy Principles (NPP).
Using disposal authorisations
Queensland State Archives (QSA) has developed five disposal authorisations, located within the Identity Documents activity in the General retention and disposal schedule (GRDS), to help public authorities actively manage identity documents received during business transactions.
Identity documents, like all public records, need to be actively managed by public authorities. Considerations specific to identity documents include reviewing their storage, security, privacy and access controls.
Disposal authorisations set a minimum retention period for any identity documents that a public authority has received or collected as part of a business transaction.
When using disposal authorisations, public authorities must ensure lawful disposal of public records is undertaken in accordance with the direction(s) outlined in the disposal authorisation.
Public authorities make their own decisions about when the minimum retention period for identity documents has been met – taking into account their business, legal and information security needs – to determine when lawful disposal of identity documents will take place.
You may find that multiple, current disposal authorisations apply to identity documents received or collected by your public authority during business transactions. In these instances, you may choose to retain identity documents for the longest applicable minimum retention period as long as any legal obligations under the Public Records Act 2002, the Information Privacy Act 2009 or any other applicable legislation are met.
Disposal Authorisation 2643 and Disposal Authorisation 2644 are designed to be used together by public authorities to manage identity documents that have been collected or received during an identity verification transaction.
Identity verification processes are common transactions between the individual and the government. These processes are necessary to:
- successfully verify the identity of the individual
- protect the legal rights and entitlements of the individual
- ensure the individual’s identity is not fraudulently used by another person.
Under Disposal Authorisation 2643, public authorities may lawfully dispose of any identity documents they receive during identity verification transactions once evidence of the identity verification outcome has been created and is to be retained under Disposal Authorisation 2644.
This approach aligns with the IPP and NPP under the IP Act.
The Office of the Information Commissioner (OIC) provides further guidance, available on the OIC website, on the requirements for evidence of identity and authority under the Right to Information Act 2009 (the RTI Act) and the IP Act.
Disposal Authorisation 2646 is designed to allow public authorities to manage identity documents where there are no legal requirements to be met. This is because there are instances, outside of identity verification processes, where public authorities may collect or receive identity documents during a business transaction and:
- there is no legal requirement for the public authority to retain the identity documents, or
- the identity documents are not required as evidence of the business transaction.
The minimum retention period for this disposal authorisation allows public authorities to choose when business action has been completed and lawful disposal of the identity documents can occur.
The destruction documentation retained in accordance with Disposal Authorisation 1131 can act as evidence, if required, that the identity documents were received and lawfully disposed of by the public authority.
Public authorities may have collected or received identity documents under past or legacy business processes and, sometimes, there is no legal requirement to retain these legacy identity documents.
Disposal Authorisation 2646 and Disposal Authorisation 2647 are designed to be used together by public authorities to manage identity documents that have been collected or received under a legacy business process.
Previously, these legacy identity documents were often managed in accordance with the current disposal authorisation(s) that applied to the related records (e.g. an application file) held by the public authority.
Public authorities may lawfully dispose of any legacy identity documents under Disposal Authorisation 2646 if:
- no exclusions under Disposal Authorisation 2647 apply to the legacy identity documents
- evidence about the legacy identity documents has been created and will be retained by the public authority in accordance with Disposal Authorisation 2647.
When sentencing legacy identity documents, public authorities must ensure that none of the following exclusions under Disposal Authorisation 2647 apply:
- the legacy identity documents must be retained in accordance with a legal requirement
- the legacy identity documents have been filed as part of a permanent value public record.
Additionally, Disposal Authorisation 2647 does not apply to destruction documentation created and retained by public authorities in accordance with Disposal Authorisation 1131.
Public authorities must make their own decision about the management and disposal of legacy identity documents collected or received by the public authority.
Disposal Authorisation 2645 is designed to assist public authorities with managing identity documents that have been collected or received to meet a legal requirement.
Legal requirements for a public authority may relate to contractual obligations or legislative instruments. Multiple legal requirements, with differing retention obligations, may also apply to identity documents held by some public authorities.
The minimum retention period for this disposal authorisation allows public authorities to choose when the legal requirement(s) have been met and lawful disposal of the identity documents can occur.
To limit information security concerns, and to align with the principles of the IP Act, public authorities should consider whether:
- the legal requirement mandates that the identity document must be retained
- the legal requirement cannot be met by any other means (e.g. retaining evidence about the identity document in place of the identity document collected or received by the public authority).
Next steps
The Information Privacy and Other Legislation Amendment Bill 2023 (the IPOLA Bill) was passed in November 2023.
The IPOLA Bill provides critical legal reforms to improve and strengthen:
- government transparency and accountability
- consistency with the Privacy Act 1988 (Cth)
- privacy protections for individuals.
The Bill establishes the Mandatory Data Breach Notification Scheme (the Scheme), which will apply to all Queensland public authorities to strengthen and regulate responses to data breaches.
The Scheme provides greater transparency concerning data security and encourages public authorities to actively manage information assets to reduce the risk of data breaches. It is anticipated that the Scheme will commence on 1 July 2025 for most public authorities.
These legal reforms align with the principles of the current PR Act and the Public Records Act 2023 that will commence on 5 December 2024.
In partnership with the OIC, QSA will develop and present information sessions to provide advice to public authorities on best practice for managing business processes that may refer to identity documents.
More information on the amendments introduced by the IPOLA Bill is available on the OIC website.
More information on the significant changes introduced by the Public Records Act 2023 is available on the QSA website.