Legal development

Australian digital identity gains traction – a new national strategy, and legislation on its way

Insight Hero Image

    What you need to know

    • The Australian Government expects to consult on new digital identity legislation in September 2023, hoping to introduce legislation by the end of the year and to link Commonwealth and State and Territory digital identity systems by mid-2024 (before extending the system to the private sector).  The consultation will likely be led by the Attorney-General's Department.
    • The private sector is gearing up to engage, with former NSW Minister Victor Dominello heading a new dedicated working group for the Tech Council of Australia.
    • Australia's recently released National Strategy for Identity Resilience will shape the reforms – recognising digital identity as a key part of a cyber-resilient ecosystem. We explore the principles and initiatives expected to guide digital identity in Australia below including a Centre of Excellence, new phone "trust scores", and longer term ecosystem shifts.
    • Government is looking at the practical ways digital identity can transform business and government.  By the end of the year, we should be able to electronically sign Australian statutory declarations, while new European Digital Identity (eID) plans cover new services, including electronic ledgers, e-signatures and seal creation devices, and electronic attestations (such as medical certificates or professional qualifications).

    What you need to do

    • Prepare for imminent consultation –  with an ambitious agenda, and the benefit of consultations made under the previous government, we expect a short, sharp consultation. To have an effective voice it is important to understand now what uses of digital identity matter to you and your customers, and be prepared to prioritise key issues.
    • Consider your future state – laws will shift to accommodate identity resilience, and more and better use of digital identity – but will your use cases be covered?  Factor digital identity into your technology strategy.
    • Assess your capabilities – getting the most out of digital identity developments may require accreditation. We can help you understand what this may mean for your business. 
    • Government bodies need to get across the National Strategy for Identity Resilience – it includes a useful checklist of things to consider when developing policy, services and digital customer interactions. When the goal is national cohesion, it is more important than ever to understand what other agencies and governments are doing.
    • Risk-analyse your data collection and retention and review data retention through a cyber-risk lens.

    The rubber is hitting the road for digital identity

    Australia's Trusted Digital Identity System is currently used to access Commonwealth Government services.

    The Government has come under increasing pressure to advance digital identity, including to expand Commonwealth systems to States and Territories and private sector participation. 

    Federal Finance Minister Katy Gallagher has outlined her objectives to:

    1. consult on an exposure draft digital identity legislation in September this year;
    2. introduce revised legislation to Parliament by the end of 2023; and
    3. complete the first phase of linkages with State and Territories to ensure systems are interoperable by this time next year, before bringing the private sector on board.

    The consultation will likely be led by the Attorney-General's Department – last week, the Australian Parliament's Administrative Arrangements Order was amended to allocate identity and biometrics to the matters dealt with by the Attorney-General's Department.

    In 2021, the former Coalition Government consulted on legislation to expand the Australian Government's Trusted Digital Identity System to allow participation by private sector as well as State and Territory bodies, and to establish a voluntary national accreditation scheme for digital identity service providers. That Bill was not introduced to Parliament. You can read more in our update: A trusted digital identity framework for Australia.

    Australia's recent experience of high-profile cyber incidents involving theft of identity information has brought renewed calls for a cohesive national approach to digital identity, which we discussed in our update: Managing cyber risk digital identity comes back into focus in Australia

    We expect revised legislation will focus on security, privacy and safety, and better align with Australia's new National Strategy for Resilient Identity, discussed below.

    Former NSW Minister for Customer Service and Digital Government, Victor Dominello has called for "fit-for-purpose" digital identity, that minimises personal information risks, and gives individuals more control over what information they share, and for how long – an argument he will continue to prosecute in his new role on the Board of the Tech Council of Australia, leading a new working group focused on digital identity and credentials.

    Interoperability and portability of credentials has become  a key requirement, likely to be achieved through government mandated standards.

    This challenge of allowing a high level of trust in credentials using wallets or systems issued or managed by different governments is not unique to Australia; it is also at the core of the revamped European Digital Identity (eID).

    More than identity?  European Digital Identity (eID)

    We expect Australia will watch global developments closely. Representatives of the Council and Parliament of the European Union have reached political agreement on key elements of an updated framework for a European Digital Identity (eID), which includes an expanded range of trust services, including electronic ledgers, e-signatures and seal creation devices, and the issuing of electronic attestations (such as medical certificates or professional qualifications). 

    Australia will likely want to ensure its arrangements strike the right balance between accelerating the rollout and uptake of digital identity, while ensuring robust security and recovery arrangements are in place.

    Digital identity for electronic signatures

    An Australian Government consultation on a new framework that will allow people to use their digital identity to sign Commonwealth statutory declarations (for example, using the myGov mobile app) closed at the end of July. If enacted, this would be an end-to-end electronic process, with a Trusted Digital Identity Framework service provider acting as a "witness" for the signature. 

    Consistent with the National Strategy for Identity Resilience discussed below, traditional paper-based execution will be retained as an option for those who cannot or do not want to use digital identity. 

    This consultation demonstrates the complexity in making digital identity ubiquitous. Various other uses of digital identity may require technology investment and changes to the law, and we might need to address road blocks (for example, the current need for a human witness to a statutory declaration) on a use case by use case basis.

    National Strategy for Identity Resilience

    In our previous update, we discussed Australia's Digital and Data Ministers' endorsement of a National Strategy for Identity Resilience – that Strategy has now been published

    What is identity resilience?

    Identity resilience promises more secure, robust and trustworthy systems to prove we are who we say we are – it makes identity information harder to steal, harder to abuse, and easier to recover if compromised. 

    The National Strategy for Identity Resilience looks to overcome "silos" that have emerged because different identity documents are administered by different agencies and governments. 

    The Strategy is more than Commonwealth policy: it sets out ten Shared Principles for Resilient Identities – supported by Australia's Data and Digital Ministers – which will drive digital identity policy and decision making across governments and agencies. 

    Rather than trying to replace different Commonwealth, State and Territory systems with a single homogenous system, the Strategy looks to build technical and legal interoperability and portability – creating policy, processes and systems that will allow various agencies to issue digital "wallets" that can hold credentials from other agencies – all driven by consistent standards and requirements.

    Australian governments have committed to short-, medium- and long- term initiatives giving effect to the principles. These initiatives appear to be deliberately cautious and achievable rather than aspirational, and they recognise the complexity inherent in building a cohesive national approach. Short-term initiatives are designed for immediate impact, while longer-term initiatives recognise the not insubstantial challenges of an integrated and interoperable national approach. 

    Shared Principles for Resilient Identities

    Shared Principle  Summary Implication 
    Seamless Commonwealth, State and Territory digital ID systems will support identity resilienceGovernments will work together to achieve interoperability between digital identity systems and credentials.Credentials issued by one government must be usable in the "digital wallet" issued by another government – for example, current work by the NSW and Commonwealth governments to share Medicare and driver's licence credentials in their respective apps.
    Identity needs to be inclusiveGovernments must support access of all of Australia's diverse communities, including people from culturally and linguistically diverse communities, people with disability, and people who choose not to use digital services or credentials. Where practical, Australian governments are committed to providing digital and non-digital options.Digital identity won't be mandatory, and therefore won't be universal – businesses and agencies will need to plan for this.
    This may mean continuing to maintain parallel systems, processes, data stores and support staff.
    Individuals, industry and government have a role to playIndustry and governments can promote best practice for deterring and responding to identity misuse, including actively coordinating efforts to improve education, secure cyber practices, and support services. We can expect stronger stakeholder engagement and consultation with industry to drive this "active coordination".
    All jurisdictions will work towards consistent high national standardsAssured security and trust, regardless of who issues the credentials.
    Stronger, nationally consistent standards for physical and digital credentials, together with security measures to make them resilient.
    This is more than standardisation. We expect a focus on capability uplift with an emphasis on sharing best practices across agencies, particularly in relation to security and trust measures.
    Biometric establishment and verification of identity with consent can improve resiliencePasswords and biographic information (date of birth, licence number) are no longer adequate.Governments will be reliant on the biometric techniques widely available in mobile phone handsets (eg facial recognition, thumbprints).
    Over time, we may see new forms of biometric verification emerge, and it is important that digital identity systems remain flexible.
    All jurisdictions will allow an individual to update their information conveniently across agencies The ability to easily update credentials if the individual wishes to do so. We are at greater risk of identity fraud if records held by multiple government agencies or jurisdictions are not consistent.The principle emphasises that the option to update details is the user's choice.
    There is no suggestion of a single "one stop shop" interface – rather that credentials maintained in multiple systems can be updated through any one of those systems.
    Less data collection and retentionAustralian governments will support the private and public sectors to collect and retain less identity information. This needs to be balanced against existing legitimate law enforcement and regulatory needs.This is an important commitment for agencies, regulators and industry. Now is the time to review data retention obligations, and push for a cyber-risk-informed alternatives and compromises (whether or not driven by digital identity considerations).
    Clear data-sharing arrangements Allowing government bodies to collect and share data to better protect victims impacted by cyber incidents and data breaches. Learning from recent experience of major data breaches, institutions need to share information to prevent fraudulent use of identity following a data breach. 
    Information sharing will also be required to support the Strategy's vision of harmonious sharing, updating and management of credentials.
     
    Consistent revocation and re-issuance Once identity information is compromised, credentials like passports and driver's licences need to be cancelled and re-issued, with different agencies and governments following different processes.
    Governments will work towards streamlining these processes.
     
    Rapid cancelation and re-issuing of credentials (if necessary) is an important step in reducing not only the financial harm that may flow from a data breach, but also the trauma and stress experienced by individuals.
    Clear accountability and liability Liability for the cost of remediating credentials needs to be clear, along with appropriate enforcement actions.
    Solutions should minimise harm to individuals.
    Expect organisations targeted by cyber attacks to foot the bill for replacing passports, etc.
    The Strategy emphasises that protecting individuals is a key priority. While the initiatives and principles proposed will also help the organisations targeted by cyber criminals, it is clear that the targets of cyber attacks will be held responsible for security failures.

    Initiatives – Building on existing work and being future ready

    Short-term initiatives (Up to 12 months to implement)Update of the National Identity Proofing Guidelines to align with the Trusted Digital Identity Framework, providing consistent processes across digital and non-digital credentials.
    Centre of Excellence on responding to identity data breaches – a point of expertise to support incident response at Commonwealth level, and working with State and Territory bodies to minimise harm.
    Identity resilience education and awareness – amplify and coordinate existing education and awareness (eg by ACCC and ID Support NSW).
    Medium-term initiatives (1-3 years to implement)Credential protection register – improve the current register of compromised identity credentials, for example to give individuals greater control.
    Mobile phone trust scores – allowing telecommunications providers to assign trust scores to mobile phone numbers based on risk factors such as recent SIM card swaps, tenure of phone plan and virtual private numbers. The trust score will help to prevent use of mobile phones to facilitate fraud.
    Long-term initiatives (3-5 years to implement)Reissuing Digital Credentials through Digital wallets –addressing technical and legislative differences and barriers across jurisdictions to help reduce fraud, improve customer experience and reduce duplication of effort.
    No wrong doors for identity remediation – individuals should be able to engage with only one government organisation to fully and quickly recover their identity.
    Strong, consistent commencement of identity records – birth certificates or immigration records are not always linked to change of identity processes (such as change of name) in other jurisdictions. This initiative will explore updating identity records for life events.

     

    Author: Rebecca Cope, Partner; Andrew Hilton, Expertise Counsel; Kerry Liang, Lawyer; Zoe Huang, Graduate; Rebecca Lim, Expertise Paralegal. 

    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.

    image

    Stay ahead with our business insights, updates and podcasts

    Sign-up to select your areas of interest

    Sign-up