Whole-of-economy Digital ID laws by the end of the year
28 September 2023
A strong Digital ID ecosystem has been recognised by successive governments and industry as essential to Australia’s digital future – making access to government and private sector services simpler and safer, combatting identity-based fraud, and improving Australia’s resilience to cyber threats.
Four principles guide Australia’s Digital ID strategy – Digital ID must be secure, convenient, voluntary and inclusive. These principles inform proposed legislative protections, and will no doubt guide underlying standards over time.
The legislation sets the ground rules for:
The regime will be overseen by a Digital ID Regulator. The draft bill identifies the Australian Competition and Consumer Commission (ACCC) as the regulator but notes that the division of duties between the ACCC as regulator and Services Australia is to be determined. Services Australia is likely to take on some of the more operational aspects, which may include security, integrity and performance. As with the Consumer Data Right, privacy issues (including additional privacy safeguards) will be regulated by the Australian Information Commissioner, and there will be a Data Standards Chair to develop technical standards.
Digital ID is a secure way for organisations to verify an individual's identity online, without needing to collect or store any documents. Instead, a trusted service provider who verifies an individual’s identity confirms they are who they say they are.
While early moves in Digital ID focussed on streamlining interactions with government, Australia’s recent history of high-profile cyber attacks has brought renewed urgency to driving economy-wide Digital ID to help build Australia’s cyber resilience. Digital ID reduces the need for business and government to collect, share and store information that is most valuable to hackers, reduces the risk that stolen identity information can be used for identity fraud, and makes revoking and re-issuing stolen credentials simpler and more effective.
The private sector is also focussed on Digital ID opportunities, with various Digital ID solutions already in the market. Some, like ConnectID, Australia Post’s Digital iD, and Mastercard’s ID, are underpinned by government accreditation.
The Government’s ultimate objective is to build an economy-wide, federated system – over time integrating the Commonwealth, states, territories, and the private sector into a common interoperable system – with government and private sector credentials and systems in Australia and overseas interoperable under common standards.
The Government’s plan to expand Digital ID economy-wide focuses initially on government, before broader economy-wide integration. While the proposed framework is not specific to myGovID, improving myGovID, rolling it out across more Commonwealth services, and making it interoperable with state, territory and private sector services is a key short-term priority.
Expansion will occur over four phases – which will likely overlap.
While the proposed legislation sets a framework for the Government’s vision, we expect it will need to change over time to facilitate these phases. Significant flexibility has been built in through exemptions, conditions and rule-making powers, similar to the approach adopted in the Consumer Data Right legislation – meaning the regime may be more easily tailored to deal with specific issues as they arise.
The Government has not committed to particular “go live” target dates for each phase – as with the Consumer Data Right, we expect the Government will need to carefully balance driving expansion of the regime with allowing the market to organically mature.
Australia's Digital ID model takes a federated approach in which various accredited providers help a relying party provide services to an end user.
Identity Service Provider
Generates and manages an end user's Digital ID, including verifying information relating to the identity of the end user (eg identity documents). Manages authentication, allowing use of the Digital ID by the end user (and no-one else).
Example: myGovID, operated by the Australian Taxation Office (ATO).

Attribute Service Provider
Verifies and manages attributes or characteristics not relating to identity (such as whether the end user holds a qualification or permission).
Example: Relationship Authorisation Manager operated by the ATO manages the fact that an individual is authorised to act on behalf of a business. Similarly, myGov operated by Services Australia manages the government services linked to a myGov account.

Like a switchboard – manages the flow of information between the end user, identity service provider, attribute service provider and relying party.
Example: Services Australia operating the myGov website and app and underlying systems.

Uses the Digital ID system to verify the identity of an end user, usually to provide services to the end user.
Example: A government service accessed using the myGov app.

Sets up a Digital ID with an identity service provider, and accesses services of a relying party.
Example: A person looking to access a government service.

(* roles accredited under the accreditation scheme)
A service provider might be accredited to perform multiple roles.
Although currently the AGDIS and other accredited Digital ID services do not have a lot of service providers to choose from, as more accredited providers participate, strict standards will ensure that services are interoperable and contestable. In the AGDIS, relying parties and end users have a choice of providers under a federated model which requires interoperability (subject to some exceptions).
This is how a Digital ID transaction might look to a user:
Behind the scenes, various participants cooperate to deliver this streamlined and secure user experience.
Australians can already use myGovID to easily and securely access a range of government services. There are also a range of private sector solutions to simplify secure access to other services.
The Government is actively expanding the services that can be accessed using myGovID, and is investigating ways of making myGovID more useful – for example, the Statutory Declarations Amendment Bill 2023 is expected to be passed by the end of the year, allowing Commonwealth statutory declarations to be signed using the AGDIS, with the digital identity service provider acting as a virtual "witness".
Digital ID can be a gateway to more secure, innovative services and collaboration, allowing personal data to flow more freely and securely between organisations.
An important capability of Digital ID lies in what is known as "zero knowledge proofs". At the moment, to confirm a person is over 18 years of age, an organisation might need to collect and store identity documentation such as a driver's licence, which contains a range of information valuable to an attacker. Zero knowledge proof with Digital ID would allow an organisation to rely on confirmation that a person is over 18 without collecting a driver's licence or even a date of birth (and potentially without knowing who the end user is at all).
Other uses might include:
The possibilities go much further, with the potential to simplify and secure a broad range of personal and business transactions. For example, the European Union is progressing an updated framework for a European Digital Identity (eID) to improve cross-border recognition of Digital ID services. The updated framework includes an expanded range of trust tools, including electronic signatures, company seals, time stamps, documents, registered delivery services, certificate services for website authentication, and archiving and attestation (such as medical certificates and professional qualifications). Many of these tools are already available in EU member states, driving broader uptake and use of Digital ID.
In our follow-up piece, we will take a deeper dive into the draft legislation, and explore some important implications for users and providers of digital ID services.
Authors: Tim Brookes, Partner; Rebecca Cope, Partner; Anthony Lloyd, Partner; Clare Doneley, Counsel; Sashini Walpola, Senior Associate; and Andrew Hilton, Expertise Counsel.
This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.
This material is current as at 28 September 2023 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.