Tell me in thirty seconds: The government has published an exposure draft of legislation for an economy-wide digital identity system. The draft legislation expands the current framework by proposing a roadmap for reciprocal use of digital identity in the private and government sectors, and formalises and strengthens the current accreditation scheme.
The broader economic and productivity benefits of the digital identity system are not likely to be realised until Phases 3 and 4 of the roadmap, which is when government digital identity can be used in private sector services and private sector digital identity can be used in some government services. At this stage, the government has not provided any indication as to when it aims to roll out each phase.
On 20 September 2023, the Federal Government released an exposure draft of the Digital ID Bill 2023 (Exposure Draft) and drafts of the Digital ID Rules 2024 (Digital ID Rules) and Digital ID Accreditation Rules 2024 (Accreditation Rules). The core purpose of the draft legislation is to:
- legislate a voluntary accreditation scheme that builds on learnings from the current accreditation scheme, the Trusted Digital Identity Framework (TDIF); and
- expand the Australian Government Digital ID System (AGDIS) to additional state, territory and private sector services.
If passed, this legislation has the potential to facilitate secure and efficient online interactions between individuals, government and the private sector.
The Government has allowed 3 weeks for consultation on the Exposure Draft and Digital ID Rules so if you want to make a submission, you’ll need to do so by 10 October (you have until 31 October to make submissions on the Digital ID Accreditation Rules). You can do so by answering a survey or uploading a submission here. Following consultation, the government intends to introduce the final bill before the end of this year.
What is a digital identity?
A digital identity is the body of information about an individual that verifies who they are in the digital world. It can constitute standard personal information such as date of birth and email or postal address but may also extend to information such as education qualifications, health information or residency and income status. Digital identity can be used for a wide range of purposes, from identity verification to assessment of qualifications and entitlements. Notably, digital identity is distinct from a digitised identity document, which is simply a digital version of identity documentation, such as a digital driver licence. Whether and how to implement economy-wide digital identity frameworks are matters that many countries globally are currently grappling with. Australia currently has a limited framework for digital identity (see further below), which the government now proposes to expand.
It's also important to note that digital identity is different from document and face-matching verification services, which we discuss in this previous insight, although these services can certainly facilitate an efficient and effective digital identity framework.
Australia's current digital identity framework
- TDIF: the TDIF is an accreditation framework for digital identity services. Currently, the framework is unlegislated and managed by the Department of Finance.
- AGDIS: the AGDIS allows individuals to verify their identity when accessing a range of government services. Currently, the AGDIS is a narrow system delivered by two TDIF-accredited Commonwealth government entities (Services Australia and the ATO).
- Accreditation program for private sector: private sector businesses may also apply to be accredited under the TDIF, though they operate outside the AGDIS once accredited. At this stage, only four private sector entities have been accredited under the TDIF (Australia Post, OCR Labs, Mastercard and eftpos Digital Identity Pty Ltd).
An economy-wide digital identity system
Broadly, the AGDIS relies on 4 types of accredited participants:

| Type of accredited participant | Function | Current AGDIS entities accredited under TDIF |
| --- | --- | --- |
| Identity service provider | helps individuals set up and manage their digital identity | myGovID |
| Attribute service provider | verifies specific attributes, entitlements or characteristics of an individual (e.g. that they have a particular qualification or are of a certain age) | |
| Identity exchange provider | transfers information between relying parties, identity providers and attribute service providers | Services Australia |
| Credential provider | ensures the security of passwords and other forms of authentication | myGovID |
Additionally, relying service providers provide online services to individuals who have verified their identity through the AGDIS. Relying service providers do not need to be accredited.
Under the Exposure Draft, entities may be accredited as identity providers, attribute service providers and identity exchange providers. To accommodate new and emerging technologies, other types of services providers may also be prescribed in the Accreditation Rules.
Importantly, the voluntary accreditation scheme will not be limited to government entities. Rather, it will operate economy-wide, with the latter phases of the rollout designed to allow the use of government digital identity in private sector services (Phase 3), and use of private sector digital identity in some government services (Phase 4).
The Exposure Draft allows for the phased rollout by providing the Minister with the power to phase in the entities that may apply to participate in the AGDIS. However, at this stage, the government has not provided any indication of the timing of the rollout, or of each phase. A summary of the objectives of each phase is below.
| Phase | Objective | Examples |
| --- | --- | --- |
| Phase 1 | Legislate for digital identity, establish the rules and regulator, accreditation of public and private providers | Accreditation of other Commonwealth and state and territory entities, as well as private sector entities such as banks and telcos |
| Phase 2 | Reciprocal use of digital identity and attribute providers in Commonwealth and state and territory services | Use of myGovID or other newly accredited state or territory government identity providers to access services like Medicare or Centrelink, to apply for government documents such as driver licences, police checks and passports, or access entitlements such as public housing |
| Phase 3 | Use of government digital identity and attribute providers in private sector services | Use of myGovID or other newly accredited government identity providers to open a new bank account, sign a telco contract, or enter a real estate lease |
| Phase 4 | Use of private sector digital identity and attribute providers in some government services | Use of digital identity managed by accredited private sector entities (e.g. banks and telcos) to access Medicare, Centrelink or other government services, as well as to access private sector services such as purchasing or leasing real estate, renting vehicles, booking flights, or accessing age-restricted products or services such as alcohol or gambling |
A stronger accreditation system
In addition to expanding the AGDIS, the Exposure Draft strengthens the safeguards and governance of the voluntary accreditation scheme by:
- introducing additional privacy safeguards: accredited entities must adhere to additional privacy safeguards that go beyond those in the Privacy Act 1988 (Cth). These include restrictions on collection, use or disclosure of biometrics and other personal information, a requirement to destroy biometric information immediately upon verification, prohibitions on data profiling to track online behaviour, prohibitions on using or disclosing information for marketing purposes, and prohibitions on retaining certain attributes post-authentication. A breach of any of these additional privacy safeguards will result in a civil penalty of 300 penalty units (currently $93,900). Additionally, the Information Commissioner may also apply the powers and penalty provisions under the Privacy Act;
- implementing civil penalties for breach: beyond the penalties for breach of the privacy safeguards, the Exposure Draft introduces civil penalties for other contraventions, including providing or receiving services within the AGDIS without fulfilling the relevant requirements, breach of data localisation requirements, failure to report incidents relating to cyber security or fraud, and refusal to comply with directions. Generally, the penalty for such contraventions is between 200 and 300 penalty units (currently $62,600 – $93,900);
- establishing an independent digital identity regulator: the Exposure Draft proposes the establishment of a new Digital ID regulator (Regulator), who will be responsible for accreditation, approving participation in the AGDIS and enforcing compliance with the non-privacy safeguards of the legislation. However, the Information Commissioner will remain responsible for enforcing compliance with the additional privacy safeguards discussed above.
The Regulator will also have a range of powers, including the power to request information, give remedial directions, issue enforceable undertakings and suspend or revoke an entity’s accreditation or participation in the AGDIS. Initially, the Australian Competition and Consumer Commission (ACCC) will be appointed as the Regulator. This appointment positions the ACCC as the key regulator for the data economy, particularly when considered in light of the ACCC’s role in relation to the implementation and operation of the Consumer Data Right;
- establishing a Data Standards Chair to develop and review technical standards for the operation of AGDIS and the accreditation scheme; and
- creating new powers for the Minister, including rulemaking, issuing directions to the Regulator in relation to accreditation and participation in the AGDIS, appointing the Data Standards Chair and a discretionary power to establish advisory committees.
The requirements to acquire and maintain accreditation are set out in the Accreditation Rules. The accreditation process is complex and thorough, requiring applicants to conduct assessments on privacy, technical capabilities, cyber security, fraud control, usability and accessibility. Entities must comply with similar requirements to maintain accreditation.
Other features
A few other points about the draft legislation are worth noting:
- (digital identity must be voluntary) subject to limited exceptions, individuals must not be required to create a digital identity as a condition of receiving a service, particularly when accessing government services;
- (individuals must be at least 15) under the Accreditation Rules, an identity service provider must not deal with information or authenticators of individuals under 15. The government has proposed to change this threshold to individuals under 14 to maintain consistency with other schemes, but the proposal is still subject to consultation;
- (cyber and fraud incidents) under the Digital ID Rules, entities will be required to notify the Digital ID Regulator of a cyber or fraud incident within 24 hours of becoming aware of that incident. Further, under the Accreditation Rules, digital identities that are identified or suspected to be involved with a cyber security or fraud incident must be suspended if the relevant individual cannot verify or confirm control over the relevant digital identity;
- (other digital identity systems) under the Digital ID Rules, if an entity proposes to use the system through which it provides its accredited services to provide or receive services within a digital identity system other than AGDIS, it must notify the Regulator 4 weeks before the proposed use;
- (data localisation) under the Digital ID Rules, subject to limited exceptions, accredited entities must not hold, store or handle information generated or collected in relation to the AGDIS outside Australia;
- (interoperability obligation) accredited entities must provide their accredited services to other entities participating in the system. This is intended to provide consumers with greater flexibility, increase data portability, and accommodate technological developments;
- (changes in circumstances) under the Digital ID Rules, entities must notify the Regulator of a proposed or actual change of control, or the proposed engagement of a contractor to provide all or part of the relevant accredited services;
- (public trust and confidence) service providers will be allowed to use a trustmark as evidence of their accreditation. The Digital ID Regulator will also be required to maintain a public Digital ID Accredited Entities Register, which sets out the details of each service provider’s accreditation, including the date and type of accreditation and any conditions on, or variations to, the accreditation; and
- (currently accredited entities) an accompanying Digital ID (Transitional and Consequential Amendments) Bill will set out a mechanism to transition entities that are currently accredited under the TDIF and/or participating in the AGDIS into the new legislated arrangements.
What do we think about these developments?
We think that implementing a secure, trusted digital identity can drive economic development and productivity. A robust economy-wide digital identity has the potential to simplify individuals’ interactions with government and private sector businesses, and streamline authentication and verification processes for businesses and other service providers. The timing of Phases 3 and 4 of the implementation of the AGDIS will be critical to driving uptake of the digital identity in the broader economy and our ability to reap the economic and productivity benefits of being able to transact and verify ourselves using a secure and trusted digital identity.
The government will be guided by four principles in expanding the digital identity framework: secure, convenient, voluntary and inclusive. To this list we would add the following themes that are crucial for an effective digital identity framework: trustworthiness, transparency, consumer choice, privacy, and self-determination (the ability for consumers to choose how they will self-identify).
Critically, similarly to the identity verification services contemplated by the Identity Verification Services Bill 2023, the uptake and use of digital identity should reduce the volume of sensitive identity information that businesses hold about individuals. For instance, under an economy-wide digital identity regime, a business who previously retained copies of identity information as proof that an individual is over 18 would no longer be required to do so. Rather, the business would simply be required to maintain a record that this attribute had been verified for the relevant individual through their digital identity. This reduces the risk of a data security breach for individuals and businesses, and should mitigate the impact of any actual breach. Again, these benefits may not begin to be realised in the broader economy until Phases 3 and 4 are implemented.
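The data minimisation point above is easier to see in code. The following is an added illustration written for this page, not part of the draft legislation, the Accreditation Rules or any AGDIS standard: an attribute provider attests a single claim (here "age_over_18") and the relying party verifies it and keeps only a minimal verification record, never the date of birth or a document copy. The assertion format, the pairwise subject identifier and the HMAC shared secret are all assumptions made for the example; a real deployment would use the provider's public key and the technical standards set by the Data Standards Chair. The replay check on the assertion id also shows the kind of control that limits the re-use risk discussed later in this article.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed example values: an HMAC shared secret stands in for the
# attribute provider's real signing key. Nothing here is the AGDIS wire format.
PROVIDER_ID = "example-attribute-provider"
PROVIDER_KEY = b"constructed-demo-signing-key"


def _canonical(payload: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(subject: str, attribute: str, value: bool, now: int, ttl: int = 300) -> dict:
    """Attribute provider side: attest one claim (e.g. age_over_18) without
    disclosing the underlying data (date of birth, identity document)."""
    payload = {
        "iss": PROVIDER_ID,
        "sub": subject,                # pairwise identifier for this relying party (assumed)
        "attr": attribute,
        "val": value,
        "iat": now,
        "exp": now + ttl,              # short-lived: the assertion is not a reusable token
        "jti": secrets.token_hex(16),  # unique id so one assertion cannot be replayed
    }
    sig = hmac.new(PROVIDER_KEY, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


class RelyingParty:
    """Relying party side: verify the assertion, then retain only the minimal record."""

    def __init__(self) -> None:
        self.seen_jti = set()   # assertion ids already consumed (replay protection)
        self.records = []       # what the business actually keeps on file

    def verify_and_record(self, assertion: dict, expected_attr: str, now: int) -> Optional[dict]:
        payload, sig = assertion["payload"], assertion["sig"]
        expected_sig = hmac.new(PROVIDER_KEY, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected_sig):
            return None   # tampered payload or not signed by the expected provider
        if payload["iss"] != PROVIDER_ID or payload["attr"] != expected_attr:
            return None   # wrong issuer, or an assertion about some other attribute
        if not (payload["iat"] <= now < payload["exp"]):
            return None   # expired or not yet valid
        if payload["jti"] in self.seen_jti:
            return None   # the same assertion presented again: reject the replay
        if payload["val"] is not True:
            return None   # attribute was asserted but not satisfied
        self.seen_jti.add(payload["jti"])
        # The record proves the check happened; it holds no DOB, no document image,
        # and no more than the attribute name, who verified it and when.
        record = {
            "subject": payload["sub"],
            "attribute": payload["attr"],
            "verified_by": payload["iss"],
            "verified_at": payload["iat"],
            "assertion_id": payload["jti"],
        }
        self.records.append(record)
        return record


if __name__ == "__main__":
    t = int(time.time())
    assertion = issue_assertion("rp-pairwise-7f3a", "age_over_18", True, t)
    rp = RelyingParty()
    print(rp.verify_and_record(assertion, "age_over_18", t))   # minimal record
    print(rp.verify_and_record(assertion, "age_over_18", t))   # None: replay rejected
```

The point of the record shape is that a breach of the relying party's database exposes only that an age check was performed, not the data that would let an attacker impersonate the individual elsewhere.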
Of course, there are also risks associated with the concentration of personal data and identity information in a select group of accredited entities. Given the quantity and value of the information held, such entities will be an appealing target for malicious actors. While the Accreditation Rules do require providers to comply with international information security standards or equivalent, such measures are not necessarily foolproof, and cyber attacks may still occur.
The consolidation of identity information may also raise the risk of identity fraud. While digital identity makes it more difficult to establish a fraudulent identity in the first instance, once such an identity has been successfully established, the resulting credential could be reused repeatedly across services without any further verification, so that a single successful fraud is amplified rather than contained.
KWM has extensive experience in advising on digital identity. Please get in touch if you have any questions about the opportunities and challenges presented by the draft legislation or would like assistance with preparing a submission.