Managing cyber risk digital identity comes back into focus in Australia
18 April 2023
18 April 2023
- the consultation on the 2023-2030 Australian Cyber Security Strategy;
- the recommendations of the final report of a panel of independent experts commissioned to oversee an audit of the Commonwealth's myGov online portal released in January 2023 (myGov Audit Report); and
- the recommendations of the Productivity Commission's 5-year Productivity Inquiry Report published in March 2023 (Productivity Commission Report).
- the Government rapidly progress legislation for a national digital identity system and a regulator with independent oversight to put privacy, human rights and security safeguards in place for Australians to participate in the national system (including as an digital identity services provider) by mid-2023;
- deliver a national framework for the interoperability of credentials across jurisdictions and the economy and require all federal government digital services to use the Australian Government identity exchange by the end of 2023; and
- with user consent, use digital identity 'attribute providers' to make linking to services easier and give users the choice to store extra attributes in myGov by mid-2024.
What you need to do
Digital identity is going to come sooner rather than later with recent momentum pushing the implementation of an expanded national digital identity system.
In the meantime, you can:
A national digital identity system could reliably verify a person's identity against the records of the issuing agency without the need for businesses to collect and store that person's government identifier or a copy of their identity document.
Identity information can be collected by organisations from the largest corporates to the smallest businesses, with varying cyber security capabilities and obligations under privacy laws. Often this collection is driven by know-your-customer requirements or the need to manage other business risks. Individuals are used to providing identity data to enable us to do anything from opening a bank, telecommunications or electricity account to renting a house.
Collecting and storing identity information, particularly sensitive government identifiers, such as passport and drivers licence numbers, can heighten the risk that a cyberattack could cause impacted individuals serious harm through identity fraud – for example using stolen identity credentials to fraudulently borrow money, or access accounts.
The unauthorised disclosure or loss of identity information is more likely trigger obligations to notify the privacy regulator and impacted individuals under the Australian Privacy Act Notifiable Data Breaches scheme. Guidance from Australia's privacy regulator lists theft and financial loss through fraud as examples of "serious harm" that could trigger these obligations.
The widespread adoption of digital identity technology should reduce the need to reproduce, collect, store and secure identity information. This would in turn would reduce the value of the information and data stored by businesses to cyber attackers.
Digital identity adoption can also support compliance with existing principles of data minimisation underpinning key obligations under the Privacy Act 1988 (Cth) (and proposed reforms to the Act) and equivalent legislation in other jurisdictions. For example, the Australian Privacy Principles require organisations only collect personal information that is reasonably necessary for one or more of the organisation's functions or activities, and take reasonable steps to destroy or de-identify personal information when no longer required for the purpose for which it was collected.
From a business perspective, digital identity can make simpler and safer interactions with customers, such as onboarding, know-your-customer, and sign-on processes.
Following recent large-scale data breaches, the development of Australia's national digital identity ecosystem is a key priority for the Australian Government.
Expanding our digital identity ecosystem has been on the radar for some time. An exposure draft of the Trusted Digital Identity Bill 2021 (Cth) was released for consultation in 2021 by the former Coalition Government which proposed to:
The Bill was not introduced to Parliament. You can read more about the Bill here.
In our current cybersecurity climate, there is a renewed push to expand and harmonise digital identity.
The enabling legislation may not be passed exactly as proposed in the exposure draft - there are strong indications that it will be reconsidered with a greater focus on security, privacy, safety and other human rights. The myGov Audit Report recommended the acceleration of the development of Australia's national digital identity ecosystem, whilst prioritising these rights.
The myGov Audit Report recommended, amongst other things, the following actions and timeframes to give effect to this recommendation:
The Federal and state and territory Data and Digital Ministers welcomed this recommendation at a Data and Digital Ministers Meeting convened on 24 February 2023. The Federal Government intends to provide a full response to the recommendations of the myGov Audit Report later in the year.
In the meantime, the Data and Digital Ministers have endorsed in-principle a draft National Strategy for Identity Resilience which will set out principles and government initiatives to make Australian identities difficult to steal and if compromised, easy to restore. The final strategy will also be considered by the Data and Digital Ministers later this year with a view that it will complement the development of the Australian Cyber Security Strategy announced by the Minister for Home Affairs and Minister for Cybersecurity in December 2022.
A digital identity system is unlikely to achieve the high adoption and usage levels required to achieve meaningful long term benefits unless there are high-value use cases across government and private sector services generating the network effects to create demand.
Some national digital identity systems in other jurisdictions have been able to achieve high adoption and usage levels:
The Productivity Commission reported that there has been a recent increase in the uptake of the Australian Government's Trusted Digital Identity System with 8.7 million individuals on the system as at July 2022 which is an increase from 6 million individuals as at December 2021.
However, the myGov Audit Report found that 'despite the potential benefits of digital identities, fewer than 1% of people signing in to myGov use a digital identity'.
The number of individuals on the Australian Government's Digital Identity System does not necessarily translate into habitual usage by individuals to access government services.
The Productivity Commission identified the current limited use cases for digital identity as a key barrier to further uptake. The Australian Government's digital identity is currently only used as a way for individuals to verify their identity for selected government services, such as applying for a tax file number and director identification number, or updating business details on the Australian Business Register.
The Productivity Commission recommended that the Australian Government, working with the Council on Federal Financial Relations, expand the use cases for the Australian Government Trusted Digital Identity System to state and territory government services and private sector services.
Beyond the legislative framework for the expanded Trusted Digital Identity System consulted on by the previous Government, further amendments to existing regulations are required to support high-value use cases and entrench the use of digital identity, such as giving digital identity the same legal status as hard copy identity documents. For example, the NSW Government amended the Births, Deaths and Marriages Registration Regulation 2017 (NSW) in November 2022 to enable a digital birth certificate to be validly issued by the Registrar of the NSW Registry of Births, Deaths and Marriages, giving digital birth certificates the same legal status as a paper-based birth certificate.
Financial services is likely to be one of the sectors to lead the adoption of digital identity given the number of high-value use cases stemming from regulatory requirements to conduct anti-money laundering and know-your-customer identity checks imposed by financial services regulators. The growing use of FinTech applications (e.g. buy now pay later) and cryptocurrencies will also create further use cases for digital identity, as regulators extend identity check requirements to more nascent areas of the sector.
Some financial services entities have already developed digital identity solutions but may be waiting for legislation to provide certainty around liability protection in case of any errors or failures.
A long term measure of the progress of a national digital identity system will be the degree of interoperability of digital identities between the public and private sectors, and across jurisdictions. Will systems communicate with each other, and will credentials be portable or visible between solutions?
There have been some efforts made to ensure interoperability and mutual recognition of digital identities across jurisdictions through high-level principles to support the development of mutually recognised and interoperable digital identity systems. For example, Australia and New Zealand have committed to mutual recognition of digital identity services under the Single Economic Market agenda.
This renewed focus on Australia's national digital identity system is part of a global push to implement digital identities driven by our current cybersecurity climate and the experiences of many jurisdictions during the COVID-19 pandemic rolling out digital vaccination certificates which highlighted the need for access to critical services online.
Some recent key developments include:
Authors: Rebecca Cope, Partner; Andrew Hilton, Expertise Counsel; Kerry Liang, Lawyer.