What you need to know
- The Australian Government is consulting on draft legislation to help the private and public sectors do business safely online.
- Private sector and state and territory bodies will be able to use the Australian Government's Digital Identity System to verify the identities of people and businesses they deal with online. They may also offer digital identity services as part of that system.
- The draft legislation also establishes a Trusted Digital Identity Framework (TDIF) accreditation scheme for digital identity service providers. Accreditation allows service providers participate in the Australian Government system, or can be used to build trust when providing services using other systems.
- With the growing risk of identity fraud and cyber attack, expansion of access to the Australian Government system and the introduction of TDIF accreditation may make supplying online services simpler, safer and more consistent, and may enhance user trust by delivering minimum standards, transparency, additional privacy and consumer protections and regulatory oversight.
- Public consultation on the exposure draft of the draft Trusted Digital Identity Bill 2021 (Cth) and related legislation closes 27 October 2021, and is available on the Australian Government's Digital Identity website.
What you need to do
- Consider if you might accept the Australian Government Digital Identity System as proof of identity when doing business online.
- Review your liability and risk positions. When using the Australian Government's system, you might not be able to make claims against service providers if things go wrong. Consider managing this exposure in your contracts with end users and business partners outside of the system.
- Consider if TDIF accredited and regulated digital identity verification (whether using the Australian Government system or not) will protect you and your customers from the growing risk of identity fraud and cyber crime.
- Review whether your suppliers should be accredited and regulated under the TDIF.
- If you supply digital identity services, consider if accreditation under the Trusted Digital Identity Framework is right for you – whether to provide services as part of the Australian Government Digital Identity System, or to provide the extra assurance of independent accreditation and oversight for your customers and business partners.
Trusted digital identities
The draft Trusted Digital Identity Bill 2021 (Cth) and related legislative instruments set a legal framework for two separate but related initiatives:
- The Australian Government's Trusted Digital Identity System is currently used as proof of identity to access Australian Government services. The system will be expanded to allow private sector and state and territory bodies to rely on digital identities provided by the system (known as "relying parties").
- The Trusted Digital Identity Framework (TDIF) accreditation scheme will set minimum standards and rules for providers of digital identity services. Accredited service providers can be "onboarded" to deliver digital identity services as part of the Government system (taking on additional responsibilities) or can supply services using a different system. Accreditation will be available to private and public sector bodies.
These initiatives are detailed in consultation drafts of the Trusted Digital Identity Bill 2021 (Cth), the Trusted Digital Identity Framework Accreditation Rules and the Trusted Digital Identity Rules, available on the Australian Government's Digital Identity website. There will also be technical standards for the Government system (not covered by the current consultation).
The legislation adopts the statutory contract model used in Consumer Data Right (CDR) legislation. Each TDIF accredited service provider that is "onboarded" to provide services using the Government system is taken to have a separate statutory contract with each other accredited service provider and each relying party using the system, under which it agrees to comply with its obligations under the legislation. The service provider will have no civil or criminal liability to other onboarded service providers or relying parties provided it has acted in good faith and complied with its legislated obligations.
Relying entities that accept digital identities as proof of identification using the Government system have a limited set of obligations – these include ensuring that users can chose their identity service provider, allowing interoperability within the Government system, and reporting and supporting end users following digital identity fraud or cyber security incidents. The responsibilities of accredited service providers are more extensive (discussed below).
Trust marks will let users know that their identity is being verified using the Government system, or by a TDIF accredited service provider using another system.
Service provider accreditation
There are four types of accreditation:
- Identity service providers – collect, verify and validate attributes that confirm a person's identity (checking driver's licence or passport).
- Attribute service providers – verify specific attributes that relate to a person's authorisation or characteristics (such as holding a licence or qualification).
- Credential service providers – manage passwords and other access restrictions (such as facial recognition), providing assurance that the person accessing the service is the same person whose digital identity was verified by the identity service providers.
- Identity exchange providers – manage the flow and transfer of information between identity service providers, attribute service providers and relying parties.
The accreditation process involves a series of evaluations, requiring an applicant to demonstrate how its digital identity services meet requirements relating to accessibility and usability, privacy protection, security and fraud control, risk management and technology integrity.
Safeguards and protections
Requirements apply whether or not a TDIF accredited service provider is "onboarded" to supply services using the Government system – these include consumer safeguards relating to children, deactivating of digital identities on request and accessible/inclusive services, reporting and record keeping requirements, and additional privacy safeguards.
Some of these additional privacy safeguards include:
- Privacy Act coverage. To be accredited, a service provider must either be covered by the federal Privacy Act 1998 (Cth), or "opt in" to be covered (other than state and territory government entities covered by similar laws).
- Expanded definition of "personal information. Attributes, restricted attributes and biometric information used in digital identity management will be considered "personal information" under the relevant privacy law (to the extent they are not already).
- Additional protections including requirements around active consent (ie actively ticking a tick box) and the collection, disclosure, retention and deletion of a user's attributes and restricted attributes. There are limits on profiling user access to and use of identity services, and on issuing single identifiers that might otherwise be used to link transactions.
- Restrictions around biometric information (such as facial recognition data), including prohibitions on disclosure to law enforcement bodies and relying entities and a prohibition on "one to many" matches that might be used to identify, rather than confirm the identity of, and individual.
Importantly, digital identity information must not be held, stored, handled or transferred outside of Australia (with limited exceptions).
Additional requirements apply if a TDIF accredited entity is "onboarded" to provide services as part of the Government system – for example, use of the Government system must be optional, and there are additional notification and user support obligations following a digital identity fraud incident or cyber security incident.
The draft legislation establishes an independent "oversight authority" for the TDIF and the Government system, to be supported by Australian Public Service staff from an existing Australian Government agency as well as an advisory board and any advisory committees appointed by the Minister.
The functions of the oversight authority range from the development and operation of the Government system, to decisions around onboarding and accreditation, to enforcement functions.
The oversight authority will have powers to revoke or suspend accreditation or approval to onboard to the Government system, issue infringement notices, seek enforceable undertakings and injunctions, and seek civil penalties of up to $330,000. The oversight authority also may also grant exemptions to certain requirements.
The Government is still considering which Australian Government agency will house or support the oversight authority.
Authors: Tim Brookes, Partner; Andrew Hilton, Expertise Senior Associate; and Kate Pantelidis, Graduate.