Introduction

1. The misuse of false or stolen identities—commonly referred to as identity crime—poses significant threats, both in terms of national security and crime more generally. Recent estimates suggest that identity theft, a subset of identity crime, is a problem that costs the Australian economy approximately AUD$1 billon per year.¹ In turn, identity security is becoming increasingly central to Australia's national security, law enforcement and economic interests, and those of the global community generally.²

2. Identity security relates to the use and holdings of personal information. Credentials containing personal information are used extensively by individuals in interactions with the government and private sector. In the absence of a uniform national identity document, Australia relies on a range of credentials, issued for primarily operational purposes, which are routinely used by agencies, business and individuals as de–facto proof of identity (POI) documents. The current range of identity–related credentials are of variable quality and accuracy, which exposes individuals, business and government to many risks from not being able to verify that a person is who they claim to be. Within Australia, being able to verify with confidence an individual's identity is balanced against privacy considerations and broader community interests.

3. Over the last decade, the differing standards and inherent risks within Australia's identity security framework has resulted in the Australian Government intensifying its focus on identity security. In 2005, the Australian Government announced the need for a National Identity Security Strategy (NISS) to combat identity crime and the fraudulent use of stolen and assumed identities as a matter of national priority. Subsequently, the Council of Australian Government (COAG) agreed that the preservation and protection of a person's identity is a key concern and a right of all Australians. In 2007, COAG agreed to the development and implementation of the National Identity Security Strategy (NISS) to better protect the identities of Australians.

4. The first public articulation of the NISS was through an Intergovernmental Agreement (IGA) signed by all signatories to COAG in 2007. The NISS represents the current articulation of Australian, state and territory government policy. The NISS IGA contains a collective commitment from all governments to develop and implement the NISS and states that ‘the NISS will provide a framework for intergovernmental cooperation to strengthen Australia's personal identification processes.'³ To support the objective of the NISS, there are six distinct elements represented in Table 1.

Table 1 NISS six elements

Source: COAG, An Agreement to a National Identity Security Strategy, 2007.

5. The six interdependent elements of the NISS have varying requirements from developing standards through to the building of information systems. Certain elements (for example, security standards and an improved ability to verify key documents) rely on other elements (registration and enrolment standards for such key documents). The six elements of the NISS are closely linked, may operate in close conjunction with one another, and are mutually enforcing.

6. The NISS IGA establishes the overarching governance of the NISS including the National Identity Security Coordination Group (NISCG), which incorporates broad representation from Australian, state and territory agencies. The NISCG is also ‘the primary vehicle for developing the details of the NISS'. The NISS IGA establishes an internal review mechanism whereby all parties have agreed to assess the circumstances of, and the necessity for, the agreement to continue from April 2010.

7. The Attorney–General's Department (AGD), through its mandate to ‘coordinate federal criminal justice, security and emergency management activity, for a safer Australia'⁵, and Ministerial direction, is the lead Australian Government agency for identity security issues, including coordinating the development of the NISS.

Audit objectives and scope

8. The objective of the audit was to assess the effectiveness of AGD's arrangements for coordinating the development of the National Identity Security Strategy.

9. ANAO's assessment was based on the following criteria:

• governance arrangements for the NISS;
• progress, to date, of the six NISS elements; and
• AGD's administrative arrangements for developing the NISS.

Overall conclusion

10. Australia has a system of diverse personal identification credentials, issued for primarily operational purposes, which are routinely used by Australian Government agencies, business and individuals as de–facto identity documents. The current patchwork of identity–related credentials are of variable quality and accuracy, which exposes government, business and individuals to a variety of risks from not being able to verify a person is who they claim to be.

11. In 2007, the Australian, state and territory governments, as part of a COAG initiative, agreed through an Intergovernmental Agreement (IGA) to the National Identity Security Strategy (NISS). The NISS, when developed and implemented, was intended to provide a framework for intergovernmental cooperation to strengthen Australia's personal identification processes. The NISS is a body of work dependant on complementary actions by different agencies, the majority of which are located in Australia's states and territories. For the Australian Government, AGD is the lead agency for identity security issues and has lead responsibility for coordinating the development of the NISS. Overall, the ANAO concluded that there has been progress in the development of the NISS and its six elements but it is apparent that there are opportunities for AGD to build on the work achieved to date to strengthen the integrity of Australia's personal identification processes.

12. The department has established some of the foundation elements necessary to develop a whole–of–government initiative, such as: interdepartmental committees; development of the necessary infrastructure for the national Document Verification Service (nDVS); and a consultation process that has involved a diverse range of stakeholders. However, under the current governance arrangements, no agency is in a position to accept accountability for the implementation of the NISS elements. Clear identification of the key parties to the NISS and their roles and responsibilities with regards to implementation of the NISS elements would bring the NISS into line with other more recent IGA's and enhance the accountability for key NISS elements. Given its role in coordinating the development of the NISS, AGD is well placed to lead a process to clarify the governance arrangements for the strategy.

13. Progress in implementing the elements of the NISS by the parties to the IGA, as originally intended, has been limited. A range of activities tied to the six NISS elements has been undertaken which, in many cases, does not align with the original intended outcomes. The one budget funded element of the NISS, the nDVS, has been built and a range of document issuing agencies have been connected to the system, albeit more slowly than expected. However, the system is rarely used and presently, it is making little contribution to the NISS objective of strengthening Australia's personal identification processes. The passage of time and the lessons learned from the NISS related activities indicate that it is appropriate to revisit the rationale for, and appropriateness of, the NISS and its specific elements in a structured way by AGD and the NISCG.

14. The AGD's administrative arrangements to support the NISS include the planning for, and managing of, progress and specific project resourcing. Project management principles have only been applied to one element of the NISS, the nDVS, and in practice key project risks that were identified, have materialised and remediation strategies have taken longer than expected to come into effect. A more robust approach to planning and managing the implementation would have likely assisted in providing greater discipline to progress specific NISS elements, through the articulation of a shared understanding of the intended outcomes and monitoring of progress.

15. The ANAO made three recommendations aimed at improving AGD's co–ordination of this whole–of–government initiative.

Key findings by chapter

Governance (Chapter 2)

16. The governance framework for implementing the NISS was established by the NISS IGA, signed in April 2007. The NISS IGA establishes the National Identity Security Coordination Group (NISCG) that is the key oversight body responsible for reporting to COAG. AGD has also established a Commonwealth Reference Group (CRG) to coordinate Australian Government involvement for identity security related matters. The specific role and consequences of actions of the CRG, however, is unclear as there are no terms of reference or clear mandate.

17. To support the NISCG, AGD has established various working groups that are aligned to the six NISS elements. AGD has also facilitated new working groups to coordinate the development of the whole–of–government responses to emerging risks, such as the 2009 Victorian bushfires. Overall, the framework of the working groups under the NISCG has allowed the convergence of various stakeholders in a structured forum to share experiences and work towards implementing proposals for improved disaster management and recovery operations.

18. The NISS IGA outlines the six elements and includes ‘undertakings to further develop and implement the NISS to give effect to COAG commitments'.⁶ Notwithstanding the text of the NISS IGA, AGD advised ANAO that the department did not consider ‘that the NISS IGA provides a mandate for the implementation of measures'. AGD's approach in relation to NISS has been consistent with this perspective. While implementation of particular standards related to NISS elements will be a matter for each jurisdiction, a consequence of this approach is that no agency is in a position to accept accountability for the implementation of the NISS elements. In the case of AGD, the Australian Government ‘lead agency' considers it has limited leadership authority and no responsibility in relation to the implementation of the initiatives, excluding the nDVS. In these circumstances, there would be benefit in the parties to the NISS articulating their roles and responsibilities as far as implementation of the NISS elements is concerned, with AGD performing a leadership role in this process.

Progress against the six NISS elements (Chapter 3)

19. The ANAO reviewed progress of each NISS element. In the majority of elements, there had been activity but it often did not align with the specific actions set out in the work program attached to the NISS IGA. For example, four of the six NISS elements⁷ were about the development and implementation of standards. However, the ongoing development of all four ‘standards' has been to develop ‘better practice guides' which has resulted in a variance from the original intent of the NISS IGA. Two of these standards (drafted as better practice guides)⁸ have been agreed to pursuant to the NISS, however, the extent of their adoption and implementation has been limited. Thus, while some action has been undertaken in relation to these four elements, they have not been completed as originally intended and the extent of adoption of the amended approaches is uncertain.

20. In relation to the NISS element, biometric interoperability, there have been a range of activities, primarily coordinated outside the formal NISS framework, that complement the intentions of the NISS. The NISS working groups has used these activities as a basis to focus current and future work on legal and policy issues for biometric interoperability.

21. The remaining NISS element (improved ability to verify information) required the development of the nDVS. While the nDVS has been built, implementation of the nDVS is at least 18 months behind the original four year project plan implementation dates. Widespread use relies upon the nDVS being connected to the agencies that issue documents used in establishing one's identity. Further uptake will, in part, be determined by the convenience, speed and reliability of the nDVS, when compared to other means of document verification. Notwithstanding a prototype Document Verification Service funded in 2005–06 and over two years of implementation of the nDVS, the project has presented significant problems for user acceptance and, consequently, it is rarely used. While AGD has had some recent success is getting more agencies connected to the nDVS, this has not translated into increased use. Remedial strategies for the nDVS may include changes to the nDVS, assisting with changes to user's systems and work practices, or considering the future of the nDVS itself. The current, very limited, use of the nDVS indicates that it is unlikely in the immediate future that use of the nDVS will significantly contribute to strengthening Australia's personal identification processes.

AGD's administrative arrangement for implementing the NISS (Chapter 4)

22. AGD relied on the higher level groups, such as the NISCG to establish the work program for the NISS. As a consequence, for the NISS elements other than the nDVS, there was neither planning documentation nor a project methodology for implementation of the elements. As such, AGD did not: develop documented goals or objectives for the various NISS elements; articulate how implementation of the various elements would contribute to the NISS objective; or rank or prioritise the elements under the NISS. For the nDVS, planning documentation was finalised following an external request and, while potential impediments to implementation were identified, the significance was not well understood.

23. While AGD was able to identify and assess various risks to the nDVS, the absence of robust, implemented treatment options has meant that potential risks have materialised and have not been well managed. This has impacted on the ability of the nDVS to achieve the full project objectives. AGD has implemented a series of revised strategies that have had some success in progressing the nDVS. A revised project management framework within AGD provides a framework for policy and program implementation which, if implemented well, would assist AGD to fulfil its role in relation to coordinating the development of the NISS.

24. To date, public reporting of progress regarding the NISS has been limited. Further, irregular and inaccurate management reporting of the nDVS has restricted the information to which the respective governing bodies could undertake thorough and systematic assessments of the relevant issues relating to implementation. In August 2009, a revised nDVS team structure was agreed to by the relevant agencies, supplemented by the establishment of the DVS Advisory Board that reports directly to NISCG. The new structure provides an opportunity for AGD to establish a monitoring and reporting regime that better supports the DVS Advisory Board in making informed decisions.

25. Since 2005, the Australian Government has allocated $30.8 million to AGD towards identity related security measures, including $24.8 million towards the nDVS. There has been an underspend of the available funding across the financial years due to lack of progress and some of the funds allocated for the nDVS have been used for related tasks.

Summary of agency response

26. The Attorney–General's Department (AGD) welcomes the Report of the ANAO's performance audit of the Department's arrangements for the National Identity Security Strategy (the Strategy). AGD accepts the ANAO's recommendations and has commenced work to implement them.

27. Development of the Strategy takes place in a complex, multi–jurisdictional environment; an environment that has evolved since the Council of Australian Governments first agreed to develop the Strategy. Work to develop and implement the Strategy since 2005 has achieved some important outcomes and addressed vulnerabilities to Australia's identity security. The progress that has been achieved to date provides a firm foundation for taking the Strategy forward.

28. The review of the Intergovernmental Agreement that underpins the Strategy (the NISS IGA)—commencing from April 2010—provides an excellent opportunity to address issues identified in the ANAO report. The review of the NISS IGA also provides an opportunity to reshape and refresh the work agenda, ensuring that the Strategy remains relevant to addressing current and future challenges to identity management.

Footnotes

¹ OECD Committee on Consumer Policy, Online Identity Theft, February 2009, p. 37.

² ibid. See also: Securities Industry Research Centre, Identity Fraud in Australia: an Evaluation of its Nature, Cost and Extent, 2003, ANAO Audit Report No. 24 2007-08, DIAC's Management of the Introduction of Biometric Technologies, p. 34, and ANAO Better Practice Guide, Fraud Control in Australian Government Agencies, August 2004, Canberra.

³ COAG, An Agreement to a National Identity Security Strategy, 2007.

⁴ ibid., p. 3.

⁵ Commonwealth of Australia, Portfolio Budget Statements, Attorney Generals Portfolio 2009–10, p. 2.

⁶ COAG, op. cit., p. 3.

⁷ Registration and enrolment standards, security standards for proof of identity documents, standards in the processing and recording of identity data, and authentication standards.

⁸ The Gold Standard e-Authentication Requirements (GSAR) and the Security Standards for Proof of Identity Documents.