Privacy Policy

Identity Verification Services — Document Verification Service

Organisation	THELAWSTORE.COM.AU PTY LTD (ACN 653 541 729)
Policy Type	Privacy Policy — Identity Verification Services (DVS)
Applicable Law	Privacy Act 1988 (Cth); Identity Verification Services Act 2023 (Cth)

IMPORTANT: This Privacy Policy must be read in conjunction with any Collection Notice or Consent Form provided to you at the time your identification information is collected for identity verification purposes. Where there is an inconsistency between this Policy and a Collection Notice, the Collection Notice prevails to the extent of the inconsistency.

Part 1 — About This Policy

1.1 This Privacy Policy (Policy) explains THELAWSTORE.COM.AU PTY LTD (ACN 653 541 729) (we, us, our) collects, holds, uses and discloses your personal information, and in particular your identification information, when providing identity verification services using the Commonwealth Government’s Document Verification Service (DVS) operated by ID Match as part of the identity verification services framework established under the Identity Verification Services Act 2023 (Cth) (IVS Act).

1.2 This Policy is issued in compliance with:

• the Privacy Act 1988 (Cth) (Privacy Act), including the Australian Privacy Principles (APPs);
• the Identity Verification Services Act 2023 (Cth) (IVS Act), including sections 9 and 10 thereof;
• the Identity Verification Services Rules 2024 (IVS Rules);
• our Participation Agreement with the Attorney-General’s Department (AGD) in respect of the DVS; and
• any other applicable Commonwealth, state or territory legislation.

1.3 By providing your identification information for identity verification, you acknowledge that you have read and understood this Policy and the associated Collection Notice provided to you at the time your consent was sought.

Part 2 — Key Definitions

In this Policy:

Term	Meaning
AGD / ID Match	The Attorney-General’s Department of the Commonwealth, which operates the DVS Hub and is the Framework Administrator under the IVS Act.
APP	Australian Privacy Principle, as set out in Schedule 1 to the Privacy Act 1988 (Cth).
Biographic information	Information about a person such as their name, date of birth, address and other information recorded on an identity document.
Collection Notice	The notice provided to you at the time of collection of your identification information, as required by APP 5 and section 9(2)(c) of the IVS Act.
DVS	Document Verification Service — a national online system that verifies the biographic details on your identity document against government records. The DVS is operated by the AGD.
DVS Hub	The technical hub through which DVS requests are transmitted and responses are received, operated by the AGD.
Express consent	Consent that is voluntary, informed, current, specific and unambiguous, given by you in writing or by electronic means, as required by sections 9 and 10 of the IVS Act.
Identification information	Has the meaning given in section 6 of the IVS Act, and includes DVS document information and FVS document information, being personal information recorded on an identity document (e.g. name, date of birth, document number, expiry date).
Identity document	A government-issued document used to verify your identity, such as an Australian passport, driver licence, Medicare card, birth certificate or visa.
IDSP / Identity Service Provider	An identity service provider as defined in the DVS Access Policy — being an entity that provides DVS access to requesting parties via the DVS Gateway.
IVS Act	Identity Verification Services Act 2023 (Cth).
OAIC	Office of the Australian Information Commissioner.
Participation Agreement	An agreement between Thelawstore.com.au Pty Limited and the AGD under section 8 of the IVS Act governing the terms of our access to the DVS.
Personal information	Has the meaning given in the Privacy Act 1988 (Cth) — information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Requesting party	The ID Service Client that requests an identity verification service for the purpose of verifying an individual’s identity.
Sensitive information	A subset of personal information defined in section 6(1) of the Privacy Act, including racial or ethnic origin, health information, biometric information, and biometric templates.
We / us / our	THELAWSTORE.COM.AU PTY LTD (ACN 653 541 729)
You / your	The individual whose identification information is collected for identity verification purposes.

Part 3 — How the Document Verification Service Works

3.1 The DVS is a national online system that allows approved organisations (including us) to verify whether the personal details on your identity document match the records held by the government agency that issued that document. The DVS does not provide us with a copy of your original record — it only returns a match or non-match result.

3.2 A standard DVS transaction works as follows:

1. You present an identity document and provide your express consent for us to verify your identification information through the DVS.
2. We (or our authorised IDSP) transmit your identification information from the document (e.g. name, date of birth, document number) to the DVS Hub operated by the AGD.
3. The DVS Hub forwards the query to the relevant government record holder (e.g. the Department of Foreign Affairs and Trade for passports, the relevant state or territory roads authority for driver licences).
4. The record holder returns a match/non-match response to the DVS Hub.
5. The DVS Hub returns the response to us.
6. We use the response for the purpose for which your consent was given (e.g. customer identity verification, account opening, or compliance with our AML/CTF obligations).

3.3 The AGD’s own handling of your personal information through the DVS Hub is governed by the AGD’s Identity Verification Services Privacy Statement, available at idmatch.gov.au. We are not responsible for the AGD’s personal information handling practices.

Part 4 — What Identification Information We Collect

4.1 For DVS verification purposes, we collect the following categories of identification information from you (as applicable to the type of identity document you present):

Identity Document Type	Information Collected	Issuing Authority
Australian Passport	Full name, date of birth, gender, passport number, expiry date	Dept of Foreign Affairs and Trade (DFAT)
Australian Driver Licence	Full name, date of birth, licence number, state of issue, card number (where applicable)	Relevant state/territory roads authority
Medicare Card	Full name, Medicare card number, reference number, expiry date	Services Australia
Australian Birth Certificate	Full name, date of birth, registration number, state/territory of registration	Relevant state/territory Registry of Births, Deaths & Marriages
Australian Citizenship Certificate	Full name, date of birth, citizenship certificate number, stock number	Dept of Home Affairs
ImmiCard / Visa	Full name, date of birth, document number	Dept of Home Affairs

4.2 We only collect identification information that is reasonably necessary for the purposes for which it is collected. We do not collect additional information beyond what is required for the identity verification transaction.

4.3 We do not collect or retain complete copies of original identity documents (such as scanned images of passports or driver licences) for DVS record-keeping purposes unless another independent legal obligation requires us to do so. We retain records of the relevant fields, the type of document, the steps taken to verify identity, and the outcome of verification.

Part 5 — Why We Collect Your Identification Information

5.1 We collect your identification information for the following primary purposes:

• verifying your identity as required by applicable law or as part of our service delivery obligations;
• complying with our obligations under the AML/CTF Act 2006 (Cth), including our ‘know your customer’ (KYC) customer identification and verification obligations;
• complying with obligations imposed on us under our Participation Agreement with the AGD;
• preventing and detecting fraud and identity theft;
• meeting our regulatory, reporting and compliance obligations.

5.2 We may also use your identification information for the following secondary purposes, where you would reasonably expect us to do so and where permitted by law:

• internal audit and compliance monitoring;
• resolving complaints or enquiries relating to identity verification; and
• assisting law enforcement or integrity agencies where required or authorised by law.

5.3 Prohibited purposes — consistent with section 9(4) of the IVS Act, we are expressly prohibited from using or disclosing your identification information for any of the following purposes:

• creating a data profile of you (including tracking your behaviour, whether online or otherwise);
• direct marketing;
• online behavioural advertising; or
• any other purpose not authorised under the IVS Act or our Participation Agreement.

Part 6 — Your Express Consent

6.1 Under section 9(2)(c) and section 10 of the IVS Act, we must obtain your express consent before collecting, using or disclosing your identification information for the purposes of requesting identity verification services through the DVS.

6.2 Your express consent must be:

• voluntary — you are not compelled to give consent, but see clause 6.4 below regarding consequences of declining;
• informed — you are provided with the information required under section 9(3) of the IVS Act (see clause 6.3 below) before consent is sought;
• current — given at or near the time of collection; and
• specific — given for the specific identity document(s) and verification purpose described.

6.3 Before seeking your consent, we are required to inform you of:

• the identification information we propose to collect from you;
• how that information will be used (i.e. to make a DVS request);
• how any facial image collected will be used, retained and disposed of;
• the consequences if you decline to consent (see clause 6.4);
• the legal obligations we have in relation to the information;
• your rights in relation to the collection of the information; and
• where you can get information about making complaints relating to the collection, use and disclosure of the information.

6.4 Consequences of declining consent — if you choose not to provide your consent or identification information, or if the DVS returns a non-match result:

• we may not be able to process your application, onboard you as a customer, or provide you with the relevant service or product;
• we may be required to carry out alternative identity verification steps (e.g. asking you to attend in person with original documents, or manual document review);
• where applicable, we may be required by law to restrict your access to certain services until your identity is verified.

6.5 You may withdraw your consent at any time by contacting our Privacy Officer using the details in Part 15. Withdrawal of consent will not affect the lawfulness of any use or disclosure based on your consent before its withdrawal, but may mean we are unable to continue to provide the service to you.

Part 7 — How We Use and Disclose Your Identification Information

7.1 Use within DVS transaction

We use your identification information solely to:

• complete the DVS transaction for which you have given consent; and
• record the outcome of the DVS check for our own compliance, audit and regulatory purposes.

7.2 Disclosure to the DVS Hub and document issuers

Your identification information is disclosed to the AGD (via the DVS Hub) and, through the DVS Hub, to the relevant government agency that issued your identity document, for the purpose of verifying whether the information on your document matches that agency’s records. This disclosure is authorised by your express consent and is required by the operation of the DVS under the IVS Act.

7.3 Disclosure to our Identity Service Provider (IDSP)

We access the DVS through our nominated IDSP gateway provider. Your identification information may be transmitted through that provider’s gateway infrastructure. The IDSP is bound by its own participation agreement with the AGD, and handles your information only for the purpose of transmitting DVS requests and responses. We do not authorise the IDSP to use or retain your identification information for any other purpose.

7.4 Other permitted disclosures

We may also disclose your personal information (including identification information) in the following circumstances:

• where required or authorised by law (including under the AML/CTF Act, court order or other legal process);
• to an integrity agency (such as the Commonwealth Ombudsman or the OAIC) for the purpose of that agency exercising a function or power under applicable legislation;
• to lessen or prevent a serious and imminent threat to the life or health of any individual;
• to our professional advisors (legal, financial, audit) who are bound by confidentiality obligations; and
• with your express written consent.

7.5 Prohibited disclosures

We will not use or disclose your identification information for the purpose of data profiling, behavioural tracking, direct marketing, online advertising, or any other purpose prohibited by section 9(4) of the IVS Act.

7.6 Overseas disclosure

We do not disclose your identification information to overseas recipients except as described above (i.e. to New Zealand organisations approved to use the DVS, where applicable under the IVS Act). We take reasonable steps to ensure that any permitted overseas recipient does not breach the APPs in relation to your information, in accordance with APP 8.

Part 8 — Storage, Security and Retention

8.1 We take reasonable steps to protect your identification information from misuse, interference, loss, and from unauthorised access, modification or disclosure, consistent with APP 11.

8.2 Our security measures include:

• encryption of identification information in transit (using TLS or equivalent) and at rest;
• access controls ensuring that only authorised personnel can access identification information;
• audit logging of all DVS requests and access to identification information;
• regular security assessments and penetration testing; and
• staff training on privacy and information security obligations.

8.3 We retain your identification information only for as long as it is required for the purposes for which it was collected, or as required by law. Our retention schedule is as follows:

• DVS transaction records (query fields and outcome): retained in accordance with our AML/CTF record-keeping obligations;
• Identification information used for other purposes: retained for the period applicable to the relevant purpose; and
• Facial images collected for FVS purposes are destroyed once they are no longer required for the verification transaction, unless a specific legal obligation requires retention.

8.4 Upon expiry of the applicable retention period, we will take reasonable steps to destroy or de-identify your identification information, in accordance with APP 11.2.

Part 9 — Facial Images

9.1 In addition to the DVS, our service includes biometric matching of your facial image against identification documents, for the purposes of us providing an Identity Opinion to ID Service Clients.

9.2 We do not collect or store biometric information derived from your facial image.

9.3 We will not retain, use or disclose your facial image for any purpose other than providing the ID Service Client with our Identity Opinion for which your express consent was given.

Part 10 — Your Rights

10.1 Right to access

You have the right to request access to the personal information (including identification information) we hold about you, under APP 12. We will respond to your access request within 30 days. We may charge a reasonable fee for providing access in some circumstances.

10.2 Right to correction

You have the right to request correction of personal information we hold about you that is inaccurate, out of date, incomplete, irrelevant or misleading, under APP 13. Note: we cannot correct the information held by the government agency that issued your identity document — you will need to contact that agency directly for corrections to your official records.

10.3 Right to be informed

You have the right to be informed about what identification information we collect, how we use and disclose it, and your rights — which this Policy provides.

10.4 Right to withdraw consent

You may withdraw your consent to the collection, use or disclosure of your identification information for DVS purposes at any time. See clause 6.5 above.

10.5 Right to make a complaint

You have the right to make a complaint about the way we handle your personal information. See Part 14 below for full details of the complaints process.

10.6 No requirement to identify

Consistent with section 37 of the IVS Act, nothing in the IVS Act requires you to identify yourself. You are not compelled by the IVS Act to present an identity document or to consent to a DVS check, though we may be unable to provide our services if you do not.

Part 11 — Accessing and Correcting Your Identity Document Records

11.1 Where you believe the information on your government-issued identity document is incorrect, you should contact the relevant issuing authority directly, as we have no ability to view or modify records held by those authorities. Key contacts are:

Document	Issuing Authority	Contact
Passport	Dept of Foreign Affairs and Trade	dfat.gov.au/passports
Driver Licence	State/Territory roads authority (e.g. VicRoads, Service NSW)	Relevant state/territory authority website
Medicare Card	Services Australia	servicesaustralia.gov.au
Birth Certificate	State/Territory Registry of BDM	Relevant state/territory BDM registry
Citizenship Certificate	Dept of Home Affairs	homeaffairs.gov.au

Part 12 — Notifiable Data Breaches

12.1 We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If we become aware of an eligible data breach involving your identification information, we will:

1. assess whether the incident constitutes an eligible data breach as soon as practicable and in any event within 30 days of becoming aware;
2. notify the OAIC and affected individuals where required by the NDB scheme;
3. notify the AGD in accordance with our obligations under our Participation Agreement; and
4. take remediation steps to contain the breach and prevent recurrence.

12.2 For further information about the NDB scheme, visit oaic.gov.au.

Part 13 — Oversight and Transparency

13.1 The operation of the identity verification services is subject to a robust regulatory and transparency framework including:

• Annual assessment of the identity verification services by the OAIC under section 40 of the IVS Act;
• Annual reporting on the use and operation of identity verification services, tabled in the Australian Parliament under section 41 of the IVS Act;
• Publication of all participation agreements and relevant policies on the AGD website at ag.gov.au;
• Annual compliance reporting by participants against participation agreements; and
• Review of the IVS Act, including adequacy of privacy protections, under section 43.

13.2 We publish this Privacy Policy, our Privacy Impact Assessment (PIA) (where required), and other relevant privacy materials on our website.

13.3 For information about how the AGD handles your personal information in its operation of the DVS Hub, please refer to the AGD’s Identity Verification Services Privacy Statement, available at idmatch.gov.au.

Part 14 — Complaints About Our Handling of Your Identification Information

This Part contains the complaints information required by section 9(3)(g) of the Identity Verification Services Act 2023 (Cth).

Step 1 — Complain to Us First

If you have a concern or complaint about the way we have collected, used or disclosed your identification information in connection with the DVS, please contact our Privacy Officer in the first instance:

Privacy Officer	Simon Duke, Director
Email	Simon.Duke@galilee.com.au
Post	Simon Duke, Thelawstore.com.au Pty Limited, Level 16, 60 Carrington Street, Sydney NSW 2000
Phone	0415 355 535
Business Hours	Monday to Friday, 9am – 5pm AEST

We will acknowledge your complaint within 5 business days and provide a substantive response within 30 calendar days. If we need more time, we will let you know.

Step 2 — Complain to the DVS Manager (AGD)

For complaints specifically relating to the operation and management of the DVS Hub and the identity verification services (i.e. matters relating to the AGD’s role), you may contact the AGD directly:

DVS Manager	Attorney-General’s Department
Website	ag.gov.au / idmatch.gov.au
Post	Identity and Biometrics Policy Branch, Attorney-General’s Department, 3-5 National Circuit, BARTON ACT 2600
Email	Available via ag.gov.au contact pages

Step 3 — Complain to the OAIC

If you are not satisfied with our response, or if you believe we have interfered with your privacy under the Privacy Act or breached our obligations under our Participation Agreement, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

OAIC	Office of the Australian Information Commissioner
Phone	1300 363 992
Website	oaic.gov.au
Online complaint form	oaic.gov.au/privacy/privacy-complaints
Post	GPO Box 5218, SYDNEY NSW 2001

A breach by us of our obligations in a participation agreement relating to your personal information is taken to be an interference with your privacy under the Privacy Act (IVS Act, section 10A), which means the OAIC can investigate and, in appropriate cases, seek civil penalties for serious and repeated interferences.

Step 4 — Commonwealth Ombudsman

If your complaint relates to a Commonwealth government agency’s handling of your information in connection with the identity verification services, you may also contact the Commonwealth Ombudsman:

Commonwealth Ombudsman	ombudsman.gov.au
Phone	1300 362 072

Part 15 — Our APP Compliance Obligations

For completeness, this Part summarises how we comply with each of the Australian Privacy Principles in the context of our identity verification activities.

APP Principle	How We Comply
APP 1 — Open and transparent management	We maintain this Privacy Policy and make it freely available. We appoint a Privacy Officer and publish relevant privacy documents on our website.
APP 2 — Anonymity and pseudonymity	Not applicable to DVS transactions, which require identity verification by their nature. Where feasible, we allow anonymous interaction for other services.
APP 3 — Collection of solicited personal information	We only collect identification information that is reasonably necessary for identity verification. We collect directly from the individual.
APP 4 — Dealing with unsolicited personal information	If we receive identification information we did not solicit, we assess whether we could have lawfully collected it and destroy or de-identify it if not.
APP 5 — Notification of the collection of personal information	We provide a Collection Notice at the time of collection, as required by APP 5 and section 9(3) of the IVS Act.
APP 6 — Use or disclosure	We use and disclose identification information only for the primary purpose of collection (DVS verification) or secondary purposes permitted by law.
APP 7 — Direct marketing	We do not use identification information for direct marketing. This is also expressly prohibited by section 9(4) of the IVS Act.
APP 8 — Cross-border disclosure	We do not disclose identification information overseas except as permitted by the IVS Act (e.g. to approved NZ DVS users). We comply with APP 8 before overseas disclosure.
APP 9 — Adoption, use or disclosure of government-related identifiers	We do not adopt government-issued identifiers as our own. We use document identifiers only for the purpose of DVS verification.
APP 10 — Quality of personal information	We take reasonable steps to verify the accuracy of identification information we collect. We cannot correct information held by document issuers.
APP 11 — Security of personal information	We implement technical and organisational security measures (see Part 8). We destroy identification information when no longer needed.
APP 12 — Access to personal information	We provide access to personal information we hold on request, subject to the exceptions in APP 12.
APP 13 — Correction of personal information	We correct personal information we hold on request. We notify relevant parties of corrections where appropriate.

Part 16 — Changes to This Policy

16.1 We may update this Policy from time to time to reflect changes in our practices, legal obligations, or the operation of the identity verification services.

16.2 We will publish the updated Policy on our website and, where changes are material, we will take reasonable steps to notify affected individuals.

16.3 The version date of this Policy is set out on the cover page. We recommend you review this Policy periodically.

Part 17 — Contact Our Privacy Officer

For all privacy enquiries, requests for access or correction, or complaints, please contact:

Privacy Officer	Simon Duke, Director
Email	Simon.Duke@galilee.com.au
Post	Simon Duke, Thelawstore.com.au Pty Limited, Level 16, 60 Carrington Street, Sydney NSW 2000
Phone	0415 355 535
Business Hours	Monday to Friday, 9am – 5pm AEST

Schedule A — Collection Notice (DVS)

This Collection Notice is provided to individuals at the time their identification information is collected for DVS verification purposes, as required by APP 5 and section 9(2)(c) and 9(3) of the Identity Verification Services Act 2023 (Cth). It should be incorporated into or accompany any consent form presented to the individual.

COLLECTION NOTICE — IDENTITY VERIFICATION (DOCUMENT VERIFICATION SERVICE)

Thelawstore.com.au Pty Limited (we) is collecting your identification information to verify your identity using the Australian Government’s Document Verification Service (DVS), operated by ID Match (Attorney-General’s Department) under the Identity Verification Services Act 2023 (Cth) (IVS Act).

What information we are collecting

We are collecting the following identification information from your driver’s licence, birth certificate and/or Medicare card:

• Full name
• Date of birth
• Document number / reference number
• Expiry date (if applicable)

Why we are collecting it and how we use it

We are collecting this information to verify your identity for the purpose of enabling our ID Service Client to meet their obligations. Your identification information will be transmitted via the DVS Hub to the government agency that issued your document. That agency will return a match or non-match response. We will not receive a copy of your original government record.

Consequences if you do not consent

If you do not provide consent or if the DVS returns a non-match result, we may be unable to open your account or may ask you to complete identity verification by attending in person with original documents.

Your legal obligations and our legal obligations

We are required to verify your identity under our agreement with our ID Service Client. Our legal obligations do not compel you to provide your consent, but we may be unable to provide services without successful identity verification.

Your rights

You have the right to:

• access the identification information we hold about you;
• request correction of inaccurate information;
• withdraw your consent at any time (by contacting our Privacy Officer); and
• make a complaint about how we handle your information.

Where to get more information or make a complaint

For more information about how we handle your identification information, see our Privacy Policy available at www.live-sign.com.au.

To make a complaint about our handling of your identification information in relation to the DVS, contact our Privacy Officer.

For complaints about the operation and management of the DVS by the AGD, visit idmatch.gov.au or ag.gov.au.

For complaints about our privacy practices that are not resolved to your satisfaction, contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or 1300 363 992.

Schedule B — Express Consent Declaration (DVS)

This form documents the express consent required by sections 9(2)(c) and 10 of the Identity Verification Services Act 2023 (Cth) for the collection, use and disclosure of identification information for DVS purposes. It should be provided to, completed and retained for each individual whose identity is verified via DVS.

Schedule C — Regulatory and Legislative Reference Summary

The following table summarises the key legislative and regulatory sources of the obligations addressed in this Policy.

Instrument	Key Provisions	Where Addressed in Policy
Privacy Act 1988 (Cth)	APPs 1–13; NDB scheme (Part IIIC); OAIC enforcement	Parts 5–15; Schedule A
Identity Verification Services Act 2023 (Cth)	ss 6, 8, 9, 10, 10A, 11, 37, 39–41	Parts 3–14; Schedules A–B
Identity Verification Services Rules 2024	Fees; participation agreement transition; prescribed privacy laws	Parts 3, 8
AML/CTF Act 2006 (Cth)	KYC obligations; record keeping; reporting	Parts 5, 8
AML/CTF Rules 2025	Customer identification procedures; electronic verification safe harbour	Parts 3–4
Intergovernmental Agreement on Identity Matching Services 2017	Roles and responsibilities of jurisdictions; safeguards	Part 3
DVS Access Policy (AGD)	Eligibility criteria; security and privacy obligations for participants	Parts 3, 8
DVS Participation Agreement (AGD)	Organisation-specific obligations including consent, complaints, PIA	Parts 4–15; Schedules A–B

Note: This Policy should be read alongside any Privacy Impact Assessment (PIA) conducted by the organisation in respect of its use of the DVS, as required by the DVS Participation Agreement. The PIA is available on request from the Privacy Officer.