Australia to open digital ID system to private sector with consultation on new legislation
Legislation will enter Parliament later this year that will allow non-government entities to provide digital identification services to Australians.
The Digital Transformation Agency (DTA) has been working on Australia’s digital identity system for a number of years, going live with myGovID — developed by the Australian Taxation Office — and accrediting an equivalent identity service from Australia Post in 2019.
myGovID and the Australia Post Digital ID are essentially just forms of digital identification that then allow the user to access certain online services, such as the government’s online portal myGov.
The digital identity system is touted by the government as a simple, safe, and secure way to verify identity online, as well as one allowing for better interaction with government services. But it also believes digital ID can “enable innovative digital sectors of the economy to flourish”.
While the DTA has developed the Trusted Digital Identity Framework (TDIF), which sets out the operating model for digital identity, it is a set of rules that only Australian government entities can follow — it can’t be applied to states and territories, or to the private sector. This is why legislation is required.
“It is important to note, today we’re using myGovID, but into the future, you’ll be able to use a choice of identity provider, there’ll be additional providers … it could be a bank, it could be a state and territory identity provider,” DTA CDO Peter Alexander said during Senate Estimates in October. “So individuals and businesses dealing with the Australian government and national services will be able to make a choice.”
Rather than taking up researchers' recommendation that the Australian government abandon its existing digital identity system and start again from scratch, made after they highlighted further security flaws in the two already-accredited systems (including an easily implemented code-proxying attack against myGovID), the government has opened a second round of consultation, this time on the development of legislation.
The government highlights eight “key” elements it wishes to discuss with interested parties: the structure of the legislation; the scope and interoperability of the system; governance; privacy and other consumer safeguards; trustmarks; liability and redress options; penalties and enforcement; and the administration of the scheme.
The purpose of the legislation, the government states [PDF], is to allow for independent oversight of the system, by formalising the powers and governance arrangements of the oversight authority; enable expansion of the system to state and territory governments and the private sector; provide privacy protections, consumer safeguards, and security requirements to build trust in the system; provide for a legally enforceable set of rules that set the standards for participating in the Digital Identity system, including the TDIF rules; and allow for entities to be TDIF accredited for their activities whether they are on the system or not.
The legislation is expected to consist of primary legislation containing the privacy and consumer safeguards, supported by rules and policies, including accreditation standards. The government believes the legislation will leverage existing laws, not duplicate them.
The legislation, it said, will have a “clearly defined scope”.
It said the legislation will not limit a person to having one digital identity with one provider, nor will it be intended to regulate all digital identities and digital identity systems. It said entities decide whether they will use the system or provide services on the system.
The legislation will also require entities generating, transmitting, managing, using, and reusing digital identities to provide a “seamless user experience with the digital identity system”.
Rules will be enforced by the oversight authority and the Information Commissioner. The oversight authority will be given powers to suspend or revoke accreditation and access to the system, and to issue directions for remedial action to address a breach.
On privacy and consumer safeguards, the legislation aims to “protect personal information” and “ensure accessibility” for all.
It will prohibit the creation of a single identifier used across the system and all government services, and make the system voluntary, giving users the right to create and use a digital identity and to deregister or stop using one at any time.
It will require individuals to expressly consent before their attributes are shared with a relying party.
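Two of the requirements above, no single system-wide identifier and express consent before attributes reach a relying party, map onto a well-known identity-provider design: derive a different pseudonymous identifier for each relying party and gate attribute release on per-relying-party consent. The following is an added illustration of that design, not code from the consultation paper, the DTA, or any accredited provider; the identity provider class, the sample user, the relying-party names and the secret are all constructed for the example.

```python
"""Pairwise identifiers and consent-gated attribute release (illustrative)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample data (not from the consultation paper): one user enrolled
# with an identity provider, later queried by two relying parties.
ENROLLED_USERS = {
    "user-0001": {
        "given_name": "Alex",
        "family_name": "Citizen",
        "date_of_birth": "1990-04-02",
        "email": "alex@example.invalid",
    },
}


@dataclass
class IdentityProvider:
    """Assumed identity-provider model: hands each relying party a distinct
    identifier instead of one system-wide identifier, and releases attributes
    only after express consent recorded for that relying party."""

    pairing_secret: bytes                          # held only by the IdP
    users: dict
    consents: dict = field(default_factory=dict)   # (user, rp) -> set of attrs

    def pairwise_id(self, user_id: str, relying_party: str) -> str:
        """HMAC-SHA256 over (relying_party, user_id) under an IdP-held secret.

        The same user always gets the same value at a given relying party, so
        the relying party can recognise a returning user, but two relying
        parties receive unrelated values and cannot join their records on it
        without the IdP's secret. A separator byte keeps the two fields from
        being re-split ambiguously."""
        msg = relying_party.encode() + b"\x00" + user_id.encode()
        return hmac.new(self.pairing_secret, msg, hashlib.sha256).hexdigest()

    def record_consent(self, user_id: str, relying_party: str, attrs) -> None:
        """Express consent is per relying party; nothing is shared by default."""
        self.consents.setdefault((user_id, relying_party), set()).update(attrs)

    def release(self, user_id: str, relying_party: str, requested) -> dict:
        """Return only attributes the user consented to share with this relying
        party, keyed by the pairwise identifier rather than the internal id.
        A request that exceeds the recorded consent is refused outright."""
        allowed = self.consents.get((user_id, relying_party), set())
        denied = set(requested) - allowed
        if denied:
            raise PermissionError(
                f"no consent for {sorted(denied)} at {relying_party}")
        profile = self.users[user_id]
        return {"sub": self.pairwise_id(user_id, relying_party),
                **{attr: profile[attr] for attr in requested}}


def demo() -> bool:
    """Show that two relying parties cannot correlate the same user."""
    idp = IdentityProvider(pairing_secret=b"constructed-demo-secret",
                           users=ENROLLED_USERS)
    idp.record_consent("user-0001", "tax.example",
                       {"given_name", "family_name", "date_of_birth"})
    tax_view = idp.release("user-0001", "tax.example",
                           ["given_name", "date_of_birth"])
    licensing_sub = idp.pairwise_id("user-0001", "licensing.example")
    print("tax.example sees:", tax_view)
    print("licensing.example would see sub:", licensing_sub)
    return tax_view["sub"] != licensing_sub


if __name__ == "__main__":
    demo()
```

The pairing secret is the linchpin: whoever holds it can recompute every relying party's identifier for a user, which is why a real deployment keeps it inside the identity provider (ideally in an HSM) and never shares it with relying parties or the oversight body.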
The DTA has previously flagged biometric testing for the digital ID. The legislation is expected to limit the system to one-to-one biometric matching only (verifying a person against their own enrolled record, not searching a database of many people) and to prohibit anyone other than those involved in proofing or authentication from collecting or using biometric information.
It will also aim to prevent biometric information being sent to third parties not required to perform proofing or authentication of a person, and require biometric information to be deleted once it has been used for its intended purpose.
However, the legislation will contain a caveat to allow users to consent to their biometric information being accessed for fraud or security investigations.
The government also hopes to prevent “data profiling”.
“Prohibit the collection, use, and disclosure of information about a user’s behaviour on the system except to verify their identity, assist them to receive a digital service, allow them to view their own behaviour (for example, a dashboard), or support identity fraud management,” the government writes.
It will also require metadata and activity logs to be kept for a minimum of seven years to maintain the system’s integrity and to allow for fraud or criminal investigations.
With talk around the digital ID’s use in verifying an individual is of age before accessing online services such as pornography, the legislation will set a minimum age of 15 years for the use of a digital identity.
Meanwhile, a liability and redress framework will aim to ensure accredited participants are not liable for loss or damage suffered “provided they were acting in good faith, and complied with the legislative rules and requirements relating to the system”.
It will also establish a redress mechanism for users affected by a cybersecurity incident, identity theft, inappropriate disclosure of information, or system failure.
Submissions to the consultation close 15 July 2021.
Elsewhere in Canberra, the government has funded an additional 51 projects, totalling AU$27 million, in the latest round of the Regional Connectivity Program (RCP).
The funding contributes to co-funding from the applicant, and from other levels of government, as well as industry and other organisations. The first tranche of the RCP funded, in theory, 81 projects.
“The federal government’s total contribution of AU$117.4 million (GST inclusive) towards round 1 RCP projects will deliver total new investment of more than AU$232 million (GST inclusive) together with co-contributions from the funding recipients, state and territory governments and other third parties, including local governments, regional businesses, and community development organisations,” a statement from Minister for Communications, Urban Infrastructure, Cities and the Arts Paul Fletcher and Minister for Regional Health, Regional Communications and Local Government Mark Coulton said.