Did you recently receive an email from the Attorney-General’s Department about signing a Participation Agreement to continue to access the Document Verification Services (DVS)? You weren’t alone if you questioned whether it was a legitimate email. Many of our clients reached out to verify the email’s validity. So we’re here to reassure you: it’s legitimate.
The email was circulated by the Department of the Attorney-General as part of a new legal requirement under the Identity Verification Services Act 2023 (Cth) (IVS Act) and the Identity Verification Service Rules 2024 (Cth).
Here’s what you need to know about these changes: how they impact you, why they’re happening, and what steps you need to take.
What is the DVS?
The Document Verification Service (DVS) is a secure, government-run system that enables businesses to verify identity documents against official records. Many businesses across Australia, such as real estate agents, conveyancers, and legal or financial services, access these DVS back-to-source checks through their Gateway Service Provider, such as Scantek, to verify their client’s identities to reduce the risk of fraud.
This back-to-source check examines whether much of the information on the identity document matches the original record held by the government agency.
The DVS checks documents such as:
- Australian passports
- Driver licences
- Birth, marriage, and change-of-name certificates
- Medicare cards
- Immigration and visa records
Relying on this back-to-source check via DVS means that fraudulent document details can’t be used to complete a VOI, and gives certainty to the business that the ID document is legitimate.
Why is the Participation Agreement required?
The IVS Act 2023 introduces stronger security, privacy, and oversight measures for DVS users. The goal is to ensure that businesses handling sensitive personal data follow strict security protocols and compliance measures, which will ultimately protect consumers.
Some of the key changes include:
- Stronger data security and privacy measures: Businesses must treat personal information as though they are subject to the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
- Annual compliance reporting: Businesses using the DVS must submit an annual compliance statement confirming they meet security and privacy obligations.
- Overseas access restrictions: If a business needs DVS access outside of Australia or New Zealand, it must obtain explicit approval from the Attorney-General’s Department. This was previously a requirement, but we expect it will be more rigorously enforced under these new requirements.
- Formalising obligations: Businesses will now have a direct agreement with the Attorney-General’s Department, outlining their responsibilities when using the DVS.
If you fail to sign the Participation Agreement, your business will lose access to the DVS checks through your GSP from 14 June 2025. The Attorney-General’s Department has explicitly stated that no extensions will be granted.
What do you need to do?
If your business currently uses Scantek’s Digital VOI solution (and thus, indirectly the DVS), here’s what you need to do:
- Check your email inbox (and junk folder).
The Participation Agreement has been sent from IVS Manager Noggin IVS.Manager@ivs.nogginapp.io.
- Follow the instructions in the email.
You’ll need an authorised representative from your business to sign the agreement by 13 June 2025. If you haven’t received the email, reach out to the IVS Agreements team at IVS.agreements@ag.gov.au.
- Review the updated requirements.
The IVS Act introduces new compliance obligations, so it’s essential to understand how they impact your business. These compliance obligations include:
-
- Annual compliance statements: More information around how annual compliance statements will be requested and submitted is still to come from the Attorney General’s Department. Scantek will provide more information as it becomes available. However, our customers can rest assured that we will be happy to assist with any queries that arise completing the Compliance Statement forms (through our Support email channel).
-
- Notification of data breaches: The BU is responsible for notifying the Framework Administrator, OAIC and the individual to whom the Identification Information that was the subject of any breach. Notification to the framework administrator can be conducted in the first instance can be done via IVS.manager@ag.gov.au further action may be required.
-
- Updates to definitions and processes: BU’s should ensure that they keep appropriate records of all privacy training undertaken by staff with access to sensitive data, including a record of staff who have received training in the last 24 months. Privacy policies on how to handle personal identifiable information (PII) should also be documented.
-
- Privacy Impact Assessments: More information to be provided by the Framework Administrator.
We recommend reviewing your current processes to ensure alignment with the Privacy Act and IVS requirements. The Addendum 1 Annual Compliance Statement Template that is attached to the IVS Agreement is a great place to start.
When reviewing your current processes, you may like to consider the following:
- Complaints Requirements
Business Users will be required to establish appropriate arrangements for dealing with complaints by individuals whose Identification Information they hold.
- Consent Statement
There is now an additional legislative requirement that in collecting consent, you must provide the individual with the following information:
-
- How you will use the DVS;
- What legal obligations you have in relation to the collection of the relevant Identification Information;
- What rights the individual has in relation to the collection of the Identification Information;
- The consequences of the individual declining to consent;
- Where the individual can get information about making complaints relating to the collection, use and disclosure of Identification Information for the purposes of requesting and provision of the DVS; and
- Where the individual can get information about the operation and management of the DVS Hub by the Framework Administrator in connection with the request and provision of the DVS.
- Keep an eye out for further communication from Scantek.
We are preparing updated Business User Agreements (BUAs) to align with the IVS requirements, which will be distributed in the coming months. These updated BUAs will directly align with the DVS requirements concerning consent, data security, storage, and audit requirements.
While Scantek’s system currently covers these, the new contracts will address them explicitly.
Why these changes are actually a good thing
While this may feel like just another compliance hoop to jump through, these changes are ultimately good news for businesses and consumers alike.
- Better protection against identity fraud: Stricter security measures make it harder for criminals to manipulate the DVS for fraudulent purposes.
- Greater trust in identity verification: Ensuring businesses handle personal data responsibly builds confidence among clients and regulators.
- Alignment with evolving cyber security standards: The new framework aligns Australia with global best practices for digital identity verification.
At Scantek, we fully support these changes and believe they are essential for strengthening identity verification processes across Australia.
Where should you go for help?
Compliance changes can be overwhelming, but we’re here to help. If you need assistance understanding the new requirements, locating or signing the Participation Agreement or ensuring your business stays compliant, please read the email with attachments sent from IVS Manager via their Noggin platform.
Scantek is also here to assist during this transition if additional guidance is needed. Please email our team at Support@scantek.com.au.
One final piece of advice: Don’t leave it until the last minute. Take these steps as soon as possible to ensure uninterrupted, continued access to the DVS system.