Liveness detection tender from Australian Tax Office updated with new info

The Australian Taxation Office has updated its Request for Information (RFI) on a potential biometric liveness detection tool to support onboarding and identity verification for the myID App, which powers the country’s national digital ID.
The update from the ATO, which manages myID within the Australian Government Digital ID System (AGDIS), answers a host of questions regarding the tender, which closes this week, on May 28. The RFI seeks suppliers with identity verification expertise, particularly related to liveness detection and facial image capture, biometric matching and credential validation, as the ATO seeks to replace a contract signed with iProov in 2021.
Regarding specific certification and the requirement for solutions to be tested by “a qualified third-party biometric testing entity experienced in ISO/IEC 30107,” the document says “the solution must have completed PAD testing using any ISO accredited biometric testing laboratory.” Individual labs are not favored.
“Respondents should provide evidence of the testing body’s qualifications, accreditation scope, test methodology, version of the standard used, PAD assurance level assessed, and any limitations or exclusions in the test report.”
The product must come as a SaaS solution, and support peak workloads of 10,000 verifications per hour with 95th percentile responses within one second. But, ATO says, the peak load requirement “should be treated as a combination of projected and observed load,” as applied to enrolments, reverifications and account recovery events.
The ATO can’t rightly say what kind of numbers they’re looking at in the long term.
“Forecasted growth of IP3 verifications” – the next security level ATO is pursuing – “and re-verification events cannot be provided at this stage. Respondents should provide a Software Capacity Plan and strategies for scaling that references peak load,” documenting assumptions, scalable architecture, and capacity headroom, while flagging constraints, scaling triggers, monitoring arrangements, and commercial implications for growth across the contract term.
Australian data processing law does not disqualify foreign providers of liveness detection software, as long as no personal information related to the product leaves Australia.
Regarding retention periods for storing biometric data, a question notes that “the current arrangement included a 14-day biometric retention exemption under TDIF for suspicious or inconclusive images. What are the data retention requirements for the new solution — specifically what happens to images from failed or inconclusive liveness checks?”
The ATO responds that providers should follow privacy-by-design and data minimization principles. “Biometric data should not be retained longer than required for the authorised purpose. This may include for authentication purposes as described in the Digital ID Act.”