Business Insight

Whole-of-economy Digital ID laws by the end of the year


    Watch the webinar: Our panel of legal and risk experts took a deep dive into Digital ID. A recording of the webinar is available here.

    What you need to know

    • The Australian Government is consulting on draft legislation and rules to deliver the regulatory framework for "whole-of-economy" Digital ID. We explain the "what, why and how" below. In our follow-up article we will take a deeper dive into the legislation and its implications.
    • The legislation lays the groundwork to expand the Australian Government Digital ID System (AGDIS) with more state, territory and private sector participation. The AGDIS is currently limited to the myGovID Digital ID, used to access government services.
    • The AGDIS will enable individuals to interact with business and governments and enable identity verification and potentially attribute (such as age) and credential (such as licence or skills) verification, and potentially to authenticate parties when entering into agreements online. By the end of the year, we should be able to sign Commonwealth statutory declarations using Digital ID.
    • It also legislates an accreditation scheme for Digital ID service providers – an evolution of the current Trusted Digital Identity Framework accreditation. Accreditation is mandatory to supply services in the AGDIS, but may be obtained voluntarily, including for other Digital ID systems which are not part of the AGDIS.
    • The Government will expand the AGDIS in phases, with an initial focus on maturing digital identity within government, followed by integration of state and territory Digital IDs, culminating in economy-wide Digital ID – enabling use of government Digital IDs for private sector services (such as opening a bank account and age verification), and private sector Digital IDs for government services.
    • Digital ID is an essential part of Australia’s National Strategy for Identity Resilience and will be a key pillar of the upcoming 2023-2030 Cybersecurity Strategy to build Australia's resilience to cyber threats and identity fraud at an ecosystem level.
    • The consultation period is deliberately tight, aiming to introduce legislation by the end of the year and to integrate state and territory systems next year. Consultation on the Digital ID Bill and Rules closes Tuesday, 10 October, and consultation on the Accreditation Rules closes Tuesday, 31 October.

    What you need to do

    • Engage in the consultation – With a short consultation period and an ambitious legislative agenda, to have the most impact, prioritise your key issues with a particular focus on the use cases that matter for you and your customers.
    • Have a long-term engagement plan – Similar to the Consumer Data Right, Digital ID will involve an ongoing dialogue with the Australian Government, with important matters dealt with under further amendments, rule-making powers or data standards. Implementing the Consumer Data Right while engaging on regulatory expansion and development was a significant challenge for participants – we expect similar challenges as Digital ID evolves and grows.
    • Factor Digital ID into your future state – Expanding Digital ID across public and private sectors has been bipartisan policy of successive governments. Understand how you can participate now and in the future, and how Digital ID can benefit your organisation – including by participating in the AGDIS or leveraging private sector solutions.
    • Continue to manage identity data risks – A phased expansion means the AGDIS will not immediately be ready for the private sector. In the meantime, continue to look at data collection, handling and retention practices through a cyber-risk lens, and engage with regulators and law-makers on mandatory data collection. Consider if private sector Digital ID solutions can help manage risks.

    Australia’s vision for a “whole-of-economy" Digital ID

    A strong Digital ID ecosystem has been recognised by successive governments and industry as essential to Australia’s digital future – making access to government and private sector services simpler and safer, combatting identity-based fraud, and improving Australia’s resilience to cyber threats.

    The Commonwealth Government is currently consulting on a draft Digital ID Bill and Rules and Accreditation Rules that set the framework to develop a "whole-of-economy" Digital ID ecosystem.

    Four principles guide Australia’s Digital ID strategy – Digital ID must be secure, convenient, voluntary and inclusive. These principles inform proposed legislative protections, and will no doubt guide underlying standards over time.

    The legislation sets the ground rules for:

    • an accreditation scheme – a voluntary scheme to accredit providers of Digital ID services. To become accredited, Digital ID service providers will need to demonstrate compliance with a range of privacy, security and other requirements, and can be liable for compliance failures. The accreditation framework is an evolution of the currently operating but unlegislated Trusted Digital Identity Framework – mandatory to participate in the AGDIS, but voluntary for other Digital ID systems. Participants accredited in the current scheme will transition into the new regime (Services Australia and the Australian Taxation Office as part of the AGDIS, as well as private sector participants Australia Post, OCR Labs, Mastercard, and eftpos Digital Identity).
    • an expanded Australian Government Digital Identity System (AGDIS) – Australians will recognise the AGDIS as the myGovID used in the myGov app to access government services, with over 10.5 million users accessing 130 services from 40 government agencies. The draft legislation is intended to expand the AGDIS by enabling greater participation by state and territory government bodies and the private sector.

    The regime will be overseen by a Digital ID Regulator. The draft bill identifies the Australian Competition and Consumer Commission (ACCC) as the regulator, but notes that the division of duties between the ACCC as regulator and Services Australia is still to be determined. Services Australia is likely to take on some of the more operational aspects – which may include the security, integrity and performance of the system. As with the Consumer Data Right, privacy issues (including additional privacy safeguards) will be regulated by the Australian Information Commissioner, and there will be a Data Standards Chair to develop technical standards.

    What is Digital ID, and why does it matter?

    Digital ID is a secure way for organisations to verify an individual's identity online, without needing to collect or store any documents. Instead, a trusted service provider who verifies an individual’s identity confirms they are who they say they are.

    While early moves in Digital ID focussed on streamlining interactions with government, Australia’s recent history of high profile cyber attacks has brought renewed urgency to driving economy-wide Digital ID to help build Australia’s cyber resilience. Digital ID reduces the need for business and government to collect, share and store information that is most valuable to hackers, reduces the risk that stolen identity information can be used for identity fraud, and makes revoking and re-issuing stolen credentials simpler and more effective.

    The private sector is also focussed on Digital ID opportunities, with various Digital ID solutions already in the market. Some, like ConnectID, Australia Post’s Digital iD, and Mastercard’s ID are underpinned by government accreditation.

    The Government’s ultimate objective is to build an economy-wide, federated system – over time integrating the Commonwealth, states, territories, and the private sector into a common interoperable system – with government and private sector credentials and systems in Australia and overseas interoperable under common standards.

    The plan to expand – in four phases

    The Government’s plan to expand Digital ID economy-wide focuses initially on government, before a broader economy-wide integration. While the framework proposed is not specific to myGovID, improving myGovID, rolling it out across more Commonwealth services, and making it interoperable with state and territory and private sector services is a key short-term priority.

    Expansion will occur over four phases – which will likely overlap.

    • Phase 1 lays the legislative groundwork for Digital ID, and expands the government services accessible using Digital ID. The Government is also aiming to accredit more public and private service providers within the scheme.
    • Phase 2 integrates state and territory systems, allowing state and territory Digital IDs to be used to access Commonwealth services.
    • Phase 3 allows myGovID to be used in the private sector – for example, myGovID could be used to verify identity to open a new bank account, sign up for an electricity or telco service, or sign a lease.
    • Phase 4 will allow approved private sector Digital IDs to be used to verify users accessing some government services.

    While the proposed legislation sets a framework for the Government’s vision, we expect it will need to change over time to facilitate these phases. Significant flexibility has been built in through exemptions, conditions and rule-making powers, similar to the approach adopted in the Consumer Data Right legislation – meaning the regime may be more easily tailored to deal with specific issues as they arise.

    The Government has not committed to particular “go live” target dates for each phase – as with the Consumer Data Right, we expect the Government will need to carefully balance driving expansion of the regime with allowing the market to organically mature.

    But, how does it all work?

    Australia's Digital ID model takes a federated approach in which various accredited providers help a relying party provide services to an end user.

    Role: Identity Service Provider
    Description: Generates and manages an end user's Digital ID, including verifying information relating to the identity of the end user (eg identity documents). Manages authentication, allowing use of the Digital ID by the end user (and no-one else).
    AGDIS example: myGovID, operated by the Australian Taxation Office (ATO).

    Role: Attribute Service Provider
    Description: Verifies and manages attributes or characteristics not relating to identity (such as whether the end user holds a qualification or permission).
    AGDIS example: Relationship Authorisation Manager, operated by the ATO, manages the fact that an individual is authorised to act on behalf of a business. Similarly, myGov, operated by Services Australia, manages the government services linked to a myGov account.

    Role: Identity Exchange*
    Description: Like a switchboard – manages the flow of information between the end user, identity service provider, attribute service provider and relying party.
    AGDIS example: Services Australia, operating the myGov website and app and underlying systems.

    Role: Relying party
    Description: Uses the Digital ID system to verify the identity of an end user, usually to provide services to the end user.
    AGDIS example: A government service accessed using the myGov app.

    Role: End User
    Description: Sets up a Digital ID with an identity service provider, and accesses services of a relying party.
    AGDIS example: A person looking to access a government service.

    (* roles accredited under the accreditation scheme)

    A service provider might be accredited to perform multiple roles.

    Although currently the AGDIS and other accredited Digital ID services do not have a lot of service providers to choose from, as more accredited providers participate, strict standards will ensure that services are interoperable and contestable. In the AGDIS, relying parties and end users have a choice of providers under a federated model which requires interoperability (subject to some exceptions).

    This is how a Digital ID transaction might look to a user:

    [Diagram: Digital ID transaction process flow]

    Behind the scenes, various participants cooperate to deliver this streamlined and secure user experience.

    [Diagram: setting up a Digital ID and the exchange process in Australia]

    • To set up their Digital ID, the end user will verify their identity with an identity service provider. To achieve this, the identity service provider might collect and verify identity documents or attributes (like a driver's licence number, or potentially biometric information), and may use an identity verification service, such as the Australian Government’s Document Verification Service or Face Verification Service (which are not accredited service providers or part of the AGDIS). Identity document information will not be collected or transferred in subsequent steps.
    • End user wants to use a relying party’s service – for example by accessing a relying party’s website or app.
    • Relying party needs to verify that the end user is who they say they are, and that they are 18+ (additional information, known as an attribute).
    • End user is redirected to the identity exchange, and selects their preferred identity service provider.
    • Identity exchange sends an authentication request to the identity service provider, who authenticates the user (eg by logging into an account, perhaps using facial recognition or thumbprint to unlock an app).
    • Some attributes might be confirmed by the identity service provider (potentially using an identity verification service outside the AGDIS). For other attributes, the identity exchange might request confirmation from an accredited attribute service provider.
    • Identity exchange confirms the end user's consent to sharing the fact that they are 18+, and then provides confirmation of identity and any consented attributes to the relying party.
    • End user obtains service from the relying party.

    How might we use Digital ID in the future?

    Australians can already use myGovID to easily and securely access a range of government services. There are also a range of private sector solutions to simplify secure access to other services.

    The Government is actively expanding the services that can be accessed using myGovID, and is investigating ways of making myGovID more useful – for example, the Statutory Declarations Amendment Bill 2023 is expected to be passed by the end of the year, allowing Commonwealth statutory declarations to be signed using the AGDIS, with the digital identity service provider acting as a virtual "witness".

    Digital ID can be a gateway to more secure, innovative services and collaboration, allowing personal data to flow more freely and securely between organisations.

    An important capability of Digital ID lies in what is known as "zero knowledge proofs" – at the moment, to confirm a person is over 18 years of age, an organisation might need to collect and store identity documentation such as a driver's licence – which contains a range of information valuable to an attacker. Zero knowledge proof with Digital ID would allow an organisation to rely on confirmation that a person is over 18 without collecting a driver's licence or even a date of birth (and potentially without knowing who the end user is at all).
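    The transaction steps listed above and the over-18 check just described, modelled as an added illustration (constructed for this article, not code from the AGDIS, myGovID or any accredited provider): an identity exchange brokers between a relying party, an identity service provider and an attribute service provider, and the relying party receives only an authentication assertion plus the consented yes/no attribute, never the identity documents or date of birth the provider holds. It models the data-minimisation outcome rather than a cryptographic zero-knowledge proof, and all class names, user records, passcodes and the "example-idp" label are assumptions.

```python
# Constructed simulation of the federated Digital ID flow; names and records are illustrative.
from datetime import date
import secrets

class IdentityServiceProvider:
    """Verifies identity documents at set-up (step 1) and keeps them; releases only assertions."""
    def __init__(self):
        self._accounts = {}  # user_id -> {"passcode", "documents", "dob"}: never leaves the IdP

    def enrol(self, user_id, passcode, documents, dob):
        self._accounts[user_id] = {"passcode": passcode, "documents": documents, "dob": dob}

    def authenticate(self, user_id, passcode):
        acct = self._accounts.get(user_id)
        if acct is None or not secrets.compare_digest(acct["passcode"], passcode):
            return None
        return {"subject": user_id, "authenticated": True}  # no documents, no DOB in the assertion

    def confirm_attribute(self, user_id, attribute, today):
        """Answer a yes/no question derived from verified data without disclosing the data."""
        if attribute != "over_18":
            return None  # not an attribute this provider can confirm; exchange asks the ASP
        dob = self._accounts[user_id]["dob"]
        had_birthday = (today.month, today.day) >= (dob.month, dob.day)
        return today.year - dob.year - (0 if had_birthday else 1) >= 18

class AttributeServiceProvider:
    """Confirms non-identity attributes such as a licence or qualification."""
    def __init__(self, records):
        self._records = records  # user_id -> set of attributes held

    def confirm_attribute(self, user_id, attribute):
        return attribute in self._records.get(user_id, set())

class IdentityExchange:
    """Switchboard brokering between relying party, providers and end user (steps 4 to 7)."""
    def __init__(self, idps, asp):
        self.idps, self.asp = idps, asp

    def transact(self, requested_attributes, user, today):
        idp = self.idps[user["chosen_idp"]]                      # step 4: user picks their IdP
        auth = idp.authenticate(user["id"], user["passcode"])    # step 5: IdP authenticates
        if auth is None:
            return {"status": "authentication_failed"}
        confirmed = {}
        for attr in requested_attributes:                        # step 6: confirm attributes
            result = idp.confirm_attribute(user["id"], attr, today)
            if result is None:
                result = self.asp.confirm_attribute(user["id"], attr)
            if attr not in user["consents"]:                     # step 7: consent gate
                return {"status": "consent_withheld", "attribute": attr}
            confirmed[attr] = result
        return {"status": "ok", "subject": auth["subject"], "attributes": confirmed}

# Constructed sample ecosystem: one IdP, one ASP, two enrolled users (all values made up).
IDP = IdentityServiceProvider()
IDP.enrol("alice", "pass-1234", {"licence_no": "DL-0001-EXAMPLE"}, date(2004, 5, 1))
IDP.enrol("bob", "pass-5678", {"passport_no": "P-0002-EXAMPLE"}, date(2006, 1, 15))
ASP = AttributeServiceProvider({"alice": {"forklift_licence"}})
EXCHANGE = IdentityExchange({"example-idp": IDP}, ASP)

def relying_party_request(user_id, passcode, consents, attributes=("over_18",), today=date(2023, 9, 28)):
    """Relying party asks the exchange for identity plus attributes (steps 2, 3 and 8)."""
    user = {"id": user_id, "passcode": passcode, "chosen_idp": "example-idp", "consents": set(consents)}
    return EXCHANGE.transact(list(attributes), user, today)
```

The response the relying party receives carries the subject identifier and a boolean per attribute only; the documents and date of birth stay with the identity service provider.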

    Other uses might include:

    • Consumer Data Right: Authenticating customers and managing consents to sharing data has been a key stumbling block for broader uptake of Australia’s Consumer Data Right – and in particular banks and others have raised concerns about managing security and fraud risks of new functions under action initiation laws currently before the Senate. By integrating Digital ID into Consumer Data Right processes, we may see a safer, frictionless customer experience that will drive uptake and innovation.
    • Know-your-customer checks and verification of identity: We may see simplified processes for verifying identity, particularly with broader access to the Commonwealth Document Verification Service and Facial Verification Service proposed in the Identity Verification Services Bill 2023 (currently being considered by a Senate Committee, accepting submissions until 2 October 2023). Identity verification services are not part of the AGDIS, but are used by identity service providers to verify an individual's identity when setting up a Digital ID. Proposed reforms will allow more people to use (and more identity service providers to offer) face recognition to create the "strong" Digital IDs required to access more sensitive services, like creating a tax file number.
    • Payments: Simple and secure authentication could massively simplify payments. Card issuers are looking to reduce collection of credit card numbers, expiry dates and CCV codes throughout the economy, and to make this information less useful when compromised. A trusted national Digital ID will go a long way to making this an economy-wide reality.
    • Age verification: Endeavour Group is working with accredited services ConnectID and OCR Labs to deliver online age verification for alcohol delivery. While the eSafety Commissioner's Roadmap for Age Verification recognised that the market was not sufficiently mature to mandate age verification technology for access to age-restricted online content, it recommended that future age assurance technologies be subject to accreditation and oversight equivalent to Digital ID accreditation.
    • Credentials and qualifications: Nationally interoperable Digital ID might make it easier for employers to find and vet the staff they need and reduce the risk of fraudulent qualifications. The Business Council of Australia has recently called for digital tracking of formal qualifications and micro-credentials, other training and recognition of prior learning.

    The possibilities go much further, with the potential to simplify and secure a broad range of personal and business transactions. For example, the European Union is progressing an updated framework for a European Digital Identity (eID) to improve cross-border recognition of Digital ID services. The updated framework includes an expanded range of trust tools, including electronic signatures, company seals, time stamps, documents, registered delivery services, certificate services for website authentication, and archiving and attestation (such as medical certificates and professional qualifications). Many of these tools are already available in EU member states, driving broader uptake and use of Digital ID.

    Want to know more?

    In our follow-up piece, we will take a deeper dive into the draft legislation, and explore some important implications for users and providers of digital ID services.

    You can also catch up on our past publications:

    Authors: Tim Brookes, Partner; Rebecca Cope, Partner; Anthony Lloyd, Partner; Clare Doneley, Counsel; Sashini Walpola, Senior Associate; and Andrew Hilton, Expertise Counsel.

    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com

    This material is current as at 28 September 2023 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.


