This article was written by Clea Denham, Ben Dennell, Annabel Griffin and Cheng Lim.
The Commonwealth proposes to expand its digital identity system to allow greater participation by States, Territories and the private sector in order to give more government agencies and businesses a simpler and trustworthy way to verify the identity of their customers online.
The Federal Government has released an exposure draft of the highly anticipated Trusted Digital Identity Bill (the Bill). The Bill’s “whole-of-economy” approach will allow the Australian Government Digital Identity System (the DI System) to be accessed by States, Territories and private sector entities.
Broadly, the Bill builds on the existing DI System and its digital identity infrastructure and embeds legislative safeguards to strengthen privacy and consumer protections. In so doing, the Bill seeks to enable the growing digital identity ecosystem. If passed, the Bill has the potential to increase benefits across the entire digital economy and provide new economic opportunities.
In addition to expanding the current DI System, the Bill introduces a new ‘accreditation-only’ scheme for entities that wish to leverage the benefits of accreditation but who choose not to participate in the DI System.
What does this mean for you?
The expansion in use of the DI System is a first step in giving the private sector and States and Territories access to a standardised means of verifying identity digitally. It is supporting digital infrastructure for the further development of the digital economy and other data initiatives, such as the consumer data right.
Any business that currently has a need to verify the identity of customers and users should consider the extent to which use of the DI System could improve their ability to do so. Similarly, participants in the digital economy should consider how they can leverage identity verification through accreditation and participation in the DI System to support their businesses, and the advantages of accreditation (and the associated privacy and cyber security compliance obligations that follow).
What is the DI System?
The Bill relates to the expansion of the DI System, which allows individuals to create a Digital Identity and entities to use that Digital Identity for verification purposes. The DI System is designed so that a Digital Identity only needs to be created once, is voluntary and enables individuals to access various secure services online. The current DI System is already used by Australians to access a suite of Australian Government services.
Through the Bill, the DI System will:
- enable the expansion of the DI System, specifically to enable greater participation by State and Territory governments and the private sector;
- enshrine in law various privacy and consumer protections, so that Australians can have confidence in the DI System and know that their personal information is safe and secure; and
- establish permanent governance arrangements and a strong regulatory regime.
We set out below how the Bill proposes to achieve these outcomes.
Enabling DI System expansion
The Bill provides rules for the expansion, maintenance and regulation of the DI System and introduces two distinct, voluntary schemes. Specifically, the Bill enshrines in law:
- The Trusted Digital Identity Framework (TDIF) accreditation scheme – this is proposed for providers of identity related services and stipulates the requirements for accreditation of entities (including those in other digital identity systems) on matters such as privacy, fraud protection, security, and identity proofing; and
- The trusted digital identity system – this is the current DI System run by the Australian Government, which will be the primary source of digital identity services for Australian Government entities and may now be accessed by other customers. Entities accredited under the TDIF accreditation scheme, and customers for the digital identity services, will be able to (but do not have to) apply to be ‘onboarded’ to the DI System.
The schemes entail different benefits and levels of regulation and, beyond Australian, State and Territory governments, are open to Australian and foreign companies registered with ASIC. Under these schemes, an entity may wish to either:
- be accredited under the TDIF accreditation scheme for the digital identity services they provide; or
- participate in the trusted digital identity system as either an accredited onboarded participant (provides identity services) or a relying party (services that require their customer to verify their identity online).
Importantly, the Bill does not prevent entities participating in, or being accredited under, other digital identity systems or frameworks while being regulated under either scheme.
Separately, the legislation establishes a redress scheme that provides consumer protections in the event of a digital identity fraud or cyber security incident in the DI System. The Bill requires certain entities to contact any individual or business affected by such an incident as soon as practicable after becoming aware of it occurring. The Bill also positively obliges entities to have and maintain written policies to deal with digital identity fraud and cyber security incidents, and requires entities to take reasonable steps to prevent, detect and deal with security risks.
Strengthening privacy and consumer protections
The Bill enshrines in law privacy and user protections, in addition to those which exist under current legislation. The Bill requires any entity under either scheme to meet these protections. It generally requires any entity applying for accreditation to be covered by the federal Privacy Act 1988 (Cth) (the Privacy Act), which includes the Australian Privacy Principles (APPs). However, State and Territory government agencies operating in jurisdictions with local privacy legislation are not required to meet this particular requirement: such State and Territory entities are not required to be covered by the APPs if they are already covered by local laws which require a comparable level of privacy protection.
The Bill also broadens the definition of ‘personal information’ from the Privacy Act to include ‘attributes’, ‘restricted attributes’ and ‘biometric information’ of individuals. The effect of this is to ensure that the requirements from the Privacy Act relating to collecting, using and disclosing personal information extend to these three additional types of information.
Beyond these existing privacy laws, the Bill also imposes additional privacy-related protections and expanded powers for the Information Commissioner. These new protections operate to prohibit entities from data profiling, using single identifiers, disclosing restricted information without express consent, and disclosing biometric information to various organisations, including law enforcement. Because of its sensitivity, the restrictions on biometric information are particularly strict, and the circumstances in which this information can be retained are particularly narrow.
Entities electing to join either scheme will need to consider the impact of these additional protections.
Establishing governance arrangements
The Bill also establishes a permanent and independent Oversight Authority with responsibility for governing the two schemes. The Oversight Authority will be responsible for, among other things, deciding which entities are allowed to be onboarded. The relevant factors include whether:
- the entity will be able to comply with the technical standards that apply to it;
- the entity is a fit and proper person;
- the entity poses any national security concerns; and
- it is appropriate to approve the entity.
The Government is still considering which Government entity will house and support the Oversight Authority.
Notably, the Oversight Authority will not regulate the Bill’s various privacy aspects. Rather, the Bill proposes to grant additional functions and powers to the Information Commissioner for these purposes.
Potential Risks & Key Takeaways
This Bill will underpin Australia’s digital identity ecosystem, which will only evolve as services continue to turn digital in droves. Importantly, the Bill recognises the need for digital infrastructure to be accompanied by legislative safeguards. With this framework, the Bill has the potential to generate opportunities across sectors of the digital economy.
The federal government is seeking submissions on the Bill until October 27. This is certainly a space to watch with the Bill expected to be introduced to Parliament in late 2021.