Australian digital identity gains traction – a new national strategy, and legislation on its way
07 August 2023
07 August 2023
Australia's Trusted Digital Identity System is currently used to access Commonwealth Government services.
The Government has come under increasing pressure to advance digital identity, including to expand Commonwealth systems to States and Territories and private sector participation.
Federal Finance Minister Katy Gallagher has outlined her objectives to:
The consultation will likely be led by the Attorney-General's Department – last week, the Australian Parliament's Administrative Arrangements Order was amended to allocate identity and biometrics to the matters dealt with by the Attorney-General's Department.
In 2021, the former Coalition Government consulted on legislation to expand the Australian Government's Trusted Digital Identity System to allow participation by private sector as well as State and Territory bodies, and to establish a voluntary national accreditation scheme for digital identity service providers. That Bill was not introduced to Parliament. You can read more in our update: A trusted digital identity framework for Australia.
Australia's recent experience of high-profile cyber incidents involving theft of identity information has brought renewed calls for a cohesive national approach to digital identity, which we discussed in our update: Managing cyber risk digital identity comes back into focus in Australia.
We expect revised legislation will focus on security, privacy and safety, and better align with Australia's new National Strategy for Resilient Identity, discussed below.
Former NSW Minister for Customer Service and Digital Government, Victor Dominello has called for "fit-for-purpose" digital identity, that minimises personal information risks, and gives individuals more control over what information they share, and for how long – an argument he will continue to prosecute in his new role on the Board of the Tech Council of Australia, leading a new working group focused on digital identity and credentials.
Interoperability and portability of credentials has become a key requirement, likely to be achieved through government mandated standards.
This challenge of allowing a high level of trust in credentials using wallets or systems issued or managed by different governments is not unique to Australia; it is also at the core of the revamped European Digital Identity (eID).
We expect Australia will watch global developments closely. Representatives of the Council and Parliament of the European Union have reached political agreement on key elements of an updated framework for a European Digital Identity (eID), which includes an expanded range of trust services, including electronic ledgers, e-signatures and seal creation devices, and the issuing of electronic attestations (such as medical certificates or professional qualifications).
Australia will likely want to ensure its arrangements strike the right balance between accelerating the rollout and uptake of digital identity, while ensuring robust security and recovery arrangements are in place.
An Australian Government consultation on a new framework that will allow people to use their digital identity to sign Commonwealth statutory declarations (for example, using the myGov mobile app) closed at the end of July. If enacted, this would be an end-to-end electronic process, with a Trusted Digital Identity Framework service provider acting as a "witness" for the signature.
Consistent with the National Strategy for Identity Resilience discussed below, traditional paper-based execution will be retained as an option for those who cannot or do not want to use digital identity.
This consultation demonstrates the complexity in making digital identity ubiquitous. Various other uses of digital identity may require technology investment and changes to the law, and we might need to address road blocks (for example, the current need for a human witness to a statutory declaration) on a use case by use case basis.
Identity resilience promises more secure, robust and trustworthy systems to prove we are who we say we are – it makes identity information harder to steal, harder to abuse, and easier to recover if compromised.
The National Strategy for Identity Resilience looks to overcome "silos" that have emerged because different identity documents are administered by different agencies and governments.
The Strategy is more than Commonwealth policy: it sets out ten Shared Principles for Resilient Identities – supported by Australia's Data and Digital Ministers – which will drive digital identity policy and decision making across governments and agencies.
Rather than trying to replace different Commonwealth, State and Territory systems with a single homogenous system, the Strategy looks to build technical and legal interoperability and portability – creating policy, processes and systems that will allow various agencies to issue digital "wallets" that can hold credentials from other agencies – all driven by consistent standards and requirements.
Australian governments have committed to short-, medium- and long- term initiatives giving effect to the principles. These initiatives appear to be deliberately cautious and achievable rather than aspirational, and they recognise the complexity inherent in building a cohesive national approach. Short-term initiatives are designed for immediate impact, while longer-term initiatives recognise the not insubstantial challenges of an integrated and interoperable national approach.
|Seamless Commonwealth, State and Territory digital ID systems will support identity resilience||Governments will work together to achieve interoperability between digital identity systems and credentials.||Credentials issued by one government must be usable in the "digital wallet" issued by another government – for example, current work by the NSW and Commonwealth governments to share Medicare and driver's licence credentials in their respective apps.|
|Identity needs to be inclusive||Governments must support access of all of Australia's diverse communities, including people from culturally and linguistically diverse communities, people with disability, and people who choose not to use digital services or credentials. Where practical, Australian governments are committed to providing digital and non-digital options.||Digital identity won't be mandatory, and therefore won't be universal – businesses and agencies will need to plan for this.|
This may mean continuing to maintain parallel systems, processes, data stores and support staff.
|Individuals, industry and government have a role to play||Industry and governments can promote best practice for deterring and responding to identity misuse, including actively coordinating efforts to improve education, secure cyber practices, and support services.||We can expect stronger stakeholder engagement and consultation with industry to drive this "active coordination".|
|All jurisdictions will work towards consistent high national standards||Assured security and trust, regardless of who issues the credentials.|
Stronger, nationally consistent standards for physical and digital credentials, together with security measures to make them resilient.
|This is more than standardisation. We expect a focus on capability uplift with an emphasis on sharing best practices across agencies, particularly in relation to security and trust measures.|
|Biometric establishment and verification of identity with consent can improve resilience||Passwords and biographic information (date of birth, licence number) are no longer adequate.||Governments will be reliant on the biometric techniques widely available in mobile phone handsets (eg facial recognition, thumbprints).|
Over time, we may see new forms of biometric verification emerge, and it is important that digital identity systems remain flexible.
|All jurisdictions will allow an individual to update their information conveniently across agencies||The ability to easily update credentials if the individual wishes to do so. We are at greater risk of identity fraud if records held by multiple government agencies or jurisdictions are not consistent.||The principle emphasises that the option to update details is the user's choice.|
There is no suggestion of a single "one stop shop" interface – rather that credentials maintained in multiple systems can be updated through any one of those systems.
|Less data collection and retention||Australian governments will support the private and public sectors to collect and retain less identity information. This needs to be balanced against existing legitimate law enforcement and regulatory needs.||This is an important commitment for agencies, regulators and industry. Now is the time to review data retention obligations, and push for a cyber-risk-informed alternatives and compromises (whether or not driven by digital identity considerations).|
|Clear data-sharing arrangements||Allowing government bodies to collect and share data to better protect victims impacted by cyber incidents and data breaches.||Learning from recent experience of major data breaches, institutions need to share information to prevent fraudulent use of identity following a data breach. |
Information sharing will also be required to support the Strategy's vision of harmonious sharing, updating and management of credentials.
|Consistent revocation and re-issuance||Once identity information is compromised, credentials like passports and driver's licences need to be cancelled and re-issued, with different agencies and governments following different processes.|
Governments will work towards streamlining these processes.
|Rapid cancelation and re-issuing of credentials (if necessary) is an important step in reducing not only the financial harm that may flow from a data breach, but also the trauma and stress experienced by individuals.|
|Clear accountability and liability||Liability for the cost of remediating credentials needs to be clear, along with appropriate enforcement actions.|
Solutions should minimise harm to individuals.
|Expect organisations targeted by cyber attacks to foot the bill for replacing passports, etc.|
The Strategy emphasises that protecting individuals is a key priority. While the initiatives and principles proposed will also help the organisations targeted by cyber criminals, it is clear that the targets of cyber attacks will be held responsible for security failures.
|Short-term initiatives (Up to 12 months to implement)||Update of the National Identity Proofing Guidelines to align with the Trusted Digital Identity Framework, providing consistent processes across digital and non-digital credentials.|
|Centre of Excellence on responding to identity data breaches – a point of expertise to support incident response at Commonwealth level, and working with State and Territory bodies to minimise harm.|
|Identity resilience education and awareness – amplify and coordinate existing education and awareness (eg by ACCC and ID Support NSW).|
|Medium-term initiatives (1-3 years to implement)||Credential protection register – improve the current register of compromised identity credentials, for example to give individuals greater control.|
|Mobile phone trust scores – allowing telecommunications providers to assign trust scores to mobile phone numbers based on risk factors such as recent SIM card swaps, tenure of phone plan and virtual private numbers. The trust score will help to prevent use of mobile phones to facilitate fraud.|
|Long-term initiatives (3-5 years to implement)||Reissuing Digital Credentials through Digital wallets –addressing technical and legislative differences and barriers across jurisdictions to help reduce fraud, improve customer experience and reduce duplication of effort.|
|No wrong doors for identity remediation – individuals should be able to engage with only one government organisation to fully and quickly recover their identity.|
|Strong, consistent commencement of identity records – birth certificates or immigration records are not always linked to change of identity processes (such as change of name) in other jurisdictions. This initiative will explore updating identity records for life events.|
Author: Rebecca Cope, Partner; Andrew Hilton, Expertise Counsel; Kerry Liang, Lawyer; Zoe Huang, Graduate; Rebecca Lim, Expertise Paralegal.
This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.
The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.
The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com