Key points
- The Digital ID Bill 2023 and the Digital ID (Transitional and Consequential Provisions) Bill 2023 (the DID Bills) will establish in legislation a network of organisations that provide or use Digital ID services in delivering participating government and commercial services.
- The DID Bills will establish the architecture and framework for the network. These aspects are based on the Coalition Government’s Trusted Digital Identity Framework (TDIF), which is the basis for current unlegislated arrangements under which myGovID enables access to government services.
- Under the DID Bills, governance arrangements will be shared among the Minister and four agencies, with additional agencies providing advice, including the Australian Security Intelligence Organisation (ASIO). Some stakeholders consider the proposed governance arrangements too complex, with too many entities in too many portfolios, leading to concerns about delineation and coordination of roles, and the risk that these shortcomings could be exacerbated when Machinery of Government (MoG) changes occur.
- Individuals’ participation in the Digital ID system will be at no financial cost and voluntary. However, fees for participating entities will be prescribed at a later date in rules and there are stakeholder concerns about protections for individuals who choose not to participate.
- The DID Bills will establish protections for citizens and their data, and consequences for entities’ non-compliance with those protections and the governance requirements. However, there are ambiguities and concerns about, for example, the definition of and responses to cyber security and digital ID fraud incidents.
- There are ambiguities and concerns around the interaction of DID Bill provisions with other legislated regimes for identity verification and digital transactions, such as Know Your Customer (KYC), anti-money laundering and counter-terrorism financing (AML-CTF), and security of critical infrastructure (SOCI).
- The Bill provides for phasing-in, the progressive opening of the system to additional entities beyond initial Commonwealth entities. There is considerable stakeholder criticism that the scope and timing of the phases will be at the Minister’s discretion, and particularly that the Minister has indicated that private sector entities will not fully participate until phase four.
Introductory Info
Date introduced: 30 November 2023
House: Senate
Portfolio: Finance
Commencement: On the earlier of proclamation, or 6 months after Royal Assent.
Purpose of the Bills
As expressed in clause 3, the objects of the Digital ID Bill 2023 (the DID Bill) are:
(a) to provide individuals with secure, convenient, voluntary and inclusive ways to verify their identity in online transactions with government and businesses;
(b) to promote privacy and the security of personal information used to verify the identity or attributes of individuals;
(c) to facilitate economic benefits for, and reduce burdens on, the Australian economy by encouraging the use of digital IDs and online services;
(d) to promote trust in digital ID services amongst the Australian community.
Currently the Australian Government Digital Identity System (AGDIS) comprises:
- the unlegislated AGDIS which facilitates the use of government-issued digital IDs (currently myGovIDs) by individuals accessing government services [and]
- an unlegislated Accreditation Scheme for providers of digital ID services in the government and private sectors, based on requirements set out in the Trusted Digital Identity Framework (TDIF).[1]
The DID Bill and the Digital ID (Transitional and Consequential Provisions) Bill 2023 (together, the DID Bills) will legislate to establish:
a network of organisations that provide or use Digital ID services in delivering participating government and commercial services. Participants will include 'accredited entities', who can provide Digital ID services, and 'relying parties', who can offer access to their services using a Digital ID (but generally must also provide a non-Digital ID option for access).
Australian companies, foreign companies registered with ASIC, and Australian government entities can apply for accreditation. Having an accredited ID will be required for use with some government services. Accredited entities will then be permitted to use a 'trustmark', which is intended to provide peace of mind to customers by showing that the Digital ID provider meets the additional privacy and security measures required for accreditation.[2]
The Explanatory Memorandum contends that:
By reducing the sharing and retention of personal information used to verify Australian’s identities, expanding the use of digital IDs will help reduce the impact of data breaches, scams and cybercrime, supporting the 2023-2030 Australia Cyber Security Strategy (2023) and the National Strategy for Identity Resilience (2023).[3]
The Explanatory Memorandum also states that ‘the Bill will provide a range of governance and regulatory mechanisms to administer and promote compliance with the Act’ and will ‘embed strong privacy and consumer safeguards, in addition to the Privacy Act 1988 (Cth) to ensure users are protected’.[4]
Structure of the Bills
The DID Bill comprises ten chapters and each chapter commences with a simplified outline. This Digest’s discussion of key provisions and issues assumes the reader is familiar with the high-level scope of each chapter as summarised below.
- Chapter 1 includes introductory material, including definitions.
- Chapter 2 sets out arrangements for the accreditation of certain kinds of entities as accredited attribute service providers, accredited identity exchange providers, accredited identity service providers or entities that provide, or propose to provide, services of a kind prescribed by Accreditation Rules made by the Minister under Chapter 10. In relation to entities’ accreditation the Minister may direct the Digital ID Regulator on the basis of advice from the Australian Security Intelligence Organisation (ASIO).
- Chapter 3 sets out privacy arrangements, including provisions’ interaction with the Privacy Act 1988.
- Chapter 4 sets out arrangements for entities’ participation in the Australian Government Digital ID System (AGDIS), including the Minister’s role in the ‘phasing-in’ of participation. In relation to entities’ participation the Minister may direct the Digital ID Regulator on the basis of advice from ASIO.
- Chapter 5 establishes the Digital ID Regulator and identifies the Australian Competition and Consumer Commission (ACCC) as the Regulator.
- Chapter 6 establishes the System Administrator and identifies the Chief Executive of Centrelink as the System Administrator.
- Chapter 7 establishes the Digital ID Data Standards Chair whose role is to make Digital ID Data Standards, particularly technical integration requirements for entities to participate in the AGDIS.
- Chapter 8 sets out that the Digital ID Rules made by the Minister under Chapter 10 may set out marks, symbols, logos or designs (called digital ID trustmarks) that may or must be used by accredited entities and participating relying parties. Chapter 8 also requires the Regulator to establish and maintain registers of accredited and participating entities.
- Chapter 9 comprises provisions relating to administration, including compliance and enforcement, directions powers, fees, and review of decisions.
- Chapter 10 comprises provisions relating to other matters, including the establishment of advisory committees, annual reports, delegations, and rule-making powers.
The Digital ID (Transitional and Consequential Provisions) Bill 2023 (TCP Bill) comprises two schedules:
Background to the Digital Identity System
In her Second Reading speech, Minister Gallagher stated that the Digital ID system to be legislated by the DID Bill will provide ‘a secure, convenient and voluntary way to verify who you are online against existing government-held identity documents without having to hand over any physical information’.[5] Although the intended outcome for the individual user is relatively uncomplicated, the frameworks to be established by the DID Bills are complex and must define and provide for a wide range of players and circumstances, including:
- the entities that enable and fulfill online verification of identity;
- protections for personal and sensitive information;
- consequences for entities that, for various reasons, may not conform to requirements, including arrangements for liability and redress; and
- the roles and powers of the Government entities responsible for the governance of the above arrangements.
Australia already has digital systems that are used for identity verification: the National Exchange of Vehicle and Driver Information System (NEVDIS) and the Document Verification Service (DVS). On their own they do not constitute a digital identity system and are not formally part of or dependent on the Digital ID system as such, but the NEVDIS and the DVS can be considered important foundational supports for the Digital ID system proposed by the DID Bills. If the DID Bills are passed, the NEVDIS and the DVS would support the operation of the Digital ID system. If the DID Bills are not passed, the NEVDIS and the DVS will continue to operate.
Digital ID developments since 2014
In 2014, the Financial System Inquiry recommended a national digital identity strategy and improvements in access to, use and protection of data,[6] and initial steps commenced in that year.[7] In 2015 the Digital Identity project commenced with initial funding for a Trusted Digital Identity Framework (TDIF).[8] In 2021 the Coalition Government began using the ‘Australian Government Digital Identity System’ (AGDIS) as the overarching term for initiatives related to Digital Identity.[9]
In 2019 the myGovID app developed by the Australian Tax Office (ATO) and the Digital Transformation Agency was released on Android and iOS mobile platforms[10] as a Digital Identity solution ‘to prove who you are online’ and ‘access participating government online services’.[11]
Under the current non-legislated arrangements, through myGovID Australians can access over 130 Commonwealth, state and territory government services.[12] However, legislation is necessary for the AGDIS to be expanded, to provide access to additional state and territory and private sector services, and greater choice in which accredited Digital ID providers can be used to access services.[13]
To this end, in October 2021 the Coalition Government consulted on an exposure draft of a Trusted Digital Identity Bill 2021 (TDI Bill). As the TDI Bill was not introduced before Parliament was prorogued in April 2022, the TDI Framework currently operates without a legislated basis.[14]
Figure 1 shows a citizen interacting with the current unlegislated digital ID ecosystem to apply for a Unique Student Identifier (USI). Figure 2 shows key aspects of the current unlegislated Digital ID ecosystem under the TDIF.
Although a wide range of Commonwealth services can be accessed through the current unlegislated arrangements, the Explanatory Memorandum for the DID Bills notes that legislation will enable expansion of the system to a wider range of services from state and territory governments and eventually private sector organisations, and will improve privacy and consumer safeguards and governance arrangements.[15]
Figure 1: A citizen interacting with the current unlegislated digital ID ecosystem to apply for a new Unique Student Identifier (USI)
| Step | Type of Participating Entity | Name of Participating Entity | URL (intermediate ‘redirect’ URLs have been omitted) | What happens |
|---|---|---|---|---|
| | | | www.usi.gov.au/students/get-a-usi | Needing a Unique Student Identifier (USI), an individual’s internet search leads them to this URL. |
| 1 | Relying Party | Student Identifiers Registrar — In the future there may be additional private-sector relying parties. | https://portal.usi.gov.au/student | Because the individual already has a myGovID, they choose to create their USI using their Digital Identity, rather than creating an account. This prompts the Relying Party to send an Authentication Request to an Identity Exchange, specifying the required attributes and Identity-Proofing Level (‘identity strength’). At present, only the Government exchange is available - in the future an individual may be offered a choice of multiple exchanges (including private-sector). |
| 2 | Identity Exchange | Services Australia — In the future there may be additional private-sector exchanges. | https://auth.identity.gov.au/choose-identity-provider/selection | The individual selects myGovID. In the future there may be additional private-sector identity options. This prompts the Identity Exchange to send an Authentication Request to the selected Identity Service Provider, myGovID. |
| 3 | Identity Service Provider (ISP) | Commissioner of Taxation as provider of myGovID | https://mygovid.gov.au/AuthSpa.UI/index.html#login | The individual is asked to provide the email address they use with myGovID. This prompts myGovID to send a login request to the myGovID app on the individual’s phone. The individual logs in to myGovID, and this permission prompts myGovID to send a response to the identity exchange, comprising: required attributes; achieved Identity-Proofing Level; and the individual’s unique myGovID user identifier, which ensures pairwise pseudonymity. |
| 4 | Identity Exchange | Services Australia | https://auth.identity.gov.au/consent/return | The Identity Exchange sends to the Relying Party: required attributes; and pairwise identifier. This stage does not require action by and is not visible to the individual, who sees a ‘redirecting’ message. |
| 5 | Relying Party | Student Identifiers Registrar | https://portal.usi.gov.au/student/Usi/Create/PersonalDetails | On receiving the required attribute information, the Relying Party permits the individual to commence the process of obtaining a USI. |
| 6 | | | | The individual completes the application form, with their full name and date of birth provided by digital identity, and is issued with a USI. |
Source: Trusted Digital Identity Framework: release 4.8, Australian Government, 2022, Document 06A Federation Onboarding Guidance, 5-12; Library observation and analysis.
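The exchange's role in steps 1 to 4 of Figure 1, sketched as an added Python example (not TDIF or AGDIS code): the exchange checks the achieved Identity-Proofing Level, releases only the attributes the relying party asked for, and replaces the provider's user identifier with a pairwise identifier. The HMAC-SHA256 derivation, the integer proofing-level scale, and all entity and attribute names are assumptions; the Digest does not say how the identifier is derived.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed secret held only by the (hypothetical) exchange.
EXCHANGE_KEY = b"constructed-demo-key-not-a-real-secret"


@dataclass(frozen=True)
class AuthRequest:
    relying_party: str           # who is asking (hypothetical name)
    required_attributes: tuple   # attribute names the relying party needs
    min_proofing_level: int      # requested level on a constructed integer scale


@dataclass(frozen=True)
class IdpResponse:
    identity_provider: str
    user_identifier: str         # the provider's own identifier for the individual
    achieved_proofing_level: int
    attributes: dict


class ExchangeError(Exception):
    """Raised when the provider's response cannot satisfy the request."""


def pairwise_identifier(relying_party: str, idp: str, user_identifier: str) -> str:
    """Derive a stable identifier that differs for every relying party."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(
        len(p).to_bytes(2, "big") + p
        for p in (f.encode() for f in (relying_party, idp, user_identifier))
    )
    return hmac.new(EXCHANGE_KEY, msg, hashlib.sha256).hexdigest()


def exchange_respond(request: AuthRequest, response: IdpResponse) -> dict:
    """Step 4 of Figure 1: what the exchange passes back to the relying party."""
    if response.achieved_proofing_level < request.min_proofing_level:
        raise ExchangeError("achieved proofing level is below the level requested")
    missing = [a for a in request.required_attributes if a not in response.attributes]
    if missing:
        raise ExchangeError("provider did not supply: " + ", ".join(missing))
    return {
        # Only the requested attributes are released, nothing else the provider sent.
        "attributes": {a: response.attributes[a] for a in request.required_attributes},
        # The provider's own identifier never leaves the exchange.
        "pairwise_identifier": pairwise_identifier(
            request.relying_party, response.identity_provider, response.user_identifier
        ),
    }


# Constructed provider response for one individual (step 3 of Figure 1).
SAMPLE_RESPONSE = IdpResponse(
    identity_provider="example-idp",
    user_identifier="idp-user-0001",
    achieved_proofing_level=3,
    attributes={
        "full_name": "Alex Example",
        "date_of_birth": "1990-01-01",
        "email": "alex@example.invalid",
    },
)


def demo() -> dict:
    """Run the same individual through two hypothetical relying parties."""
    usi = exchange_respond(
        AuthRequest("usi-registrar", ("full_name", "date_of_birth"), 2), SAMPLE_RESPONSE
    )
    other = exchange_respond(AuthRequest("other-agency", ("email",), 1), SAMPLE_RESPONSE)
    return {"usi": usi, "other": other}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, sorted(result["attributes"]), result["pairwise_identifier"][:16])
```

Because each relying party receives a different identifier for the same individual, two relying parties cannot join their records on it; the same relying party sees the same value on every visit.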
Figure 2: Current unlegislated Digital ID ecosystem under TDIF
Sources and further information follow.
Notes on Figure 2
Created by the Library, this is a simplified depiction of functions and information flows in the current unlegislated Digital ID ecosystem. In contrast, Figure 4 below illustrates proposed arrangements under the DID Bill.
Figure 2 is largely derived from Document 06A – Federation Onboarding Guidance from the TDIF documentation. Additional notes on specific elements are:
- Attribute Verification Services: A list of currently available services is available at the IDMatch website. Verification of documents using these services is facilitated by contractors, in addition to specific processes such as biometric verification and liveness checking.[16]
- Commonwealth Identity Service Provider: The only identity service provider in the AGDIS is myGovID.
- Credential Service Provider: The TDIF lists credential service providers and identity service providers as different categories, but all credential service providers currently accredited are also identity service providers, and myGovID is both credential service provider and identity service provider.
- Commonwealth Identity Exchange: Services Australia, among other roles in the AGDIS, operates the identity exchange.[17]
- Attribute Service Providers: An example is the Relationship Authorisation Manager operated by the ATO.
- Government Relying Parties: The current AGDIS allows users to log in to ‘130 services across 40 different government agencies’.[18] This includes federal and state services. Seven services are for personal use (including the myGov portal, ServiceWA, and applications for a new Tax File Number or Unique Student Identifier). The remainder are for business users.[19]
- Private sector Identity Service Providers, Identity Exchanges and Relying Parties: A range of private sector entities are accredited under the TDIF, but most do not appear to be active. ConnectID, an exchange operated by AP+ (formed by a merger of BPAY Group Holding Pty Ltd, eftpos Payments Australia Limited and NPP Australia Limited in 2022), launched in late 2023 with Commonwealth Bank and NAB acting as identity service providers, and a small set of relying parties.[20] Other organisations which are accredited under the TDIF but do not appear to be operational include Mastercard (accredited as both an identity service provider and exchange) and AusPost (whose Digital ID service is operational, but does not support an exchange).
Statement of Compatibility with Human Rights
As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.[22]
Committee consideration
Parliamentary Joint Committee on Human Rights
In its Report 14 of 2023 the Parliamentary Joint Committee on Human Rights (the Human Rights Committee) recorded ‘no comment’ in relation to the TCP Bill.[23]
In relation to the DID Bill the Human Rights Committee observed:
This bill, in seeking to establish an Australian Government Digital ID System, engages and limits the right to privacy, insofar as it would involve the collection, use, disclosure and retention of personal information. However, as individuals cannot be required to create or use a digital ID to access government services, and noting the numerous safeguards in the bill, the committee considers the proposed limitation on the right to privacy may be reasonable, necessary and proportionate. However, the committee notes much will depend on how securely the personal information and data is held within the system and by accredited entities in practice.
With respect to the sharing of personal information for law enforcement purposes, the committee reiterates its previous concerns regarding the sharing of personal information for secondary purposes, as recently set out in Report 12 of 2023 in relation to the Identity Verification Services Bills. The committee further notes that much of the operational detail of the measures are to be set out in delegated legislation. The committee will closely scrutinise any such legislative instruments if made for compatibility with human rights. As such, the committee makes no further comment on this bill at this stage.[24] [emphasis added]
Senate Economics Legislation Committee
The Bill was referred to the Senate Economics Legislation Committee for inquiry and report by 28 February 2024. The Committee reported on 28 February 2024, recommending that the Bills be passed.[25] The Coalition, the Greens and One Nation issued dissenting reports and LNP Senators for Queensland Matt Canavan and Gerard Rennick issued additional comments.
The Coalition Senators’ dissenting report made 3 recommendations. Firstly, that the Bill be amended to remove the phasing-in provisions, allowing for private sector involvement in the AGDIS from commencement. The Coalition recommended that the Bill should not be progressed without simultaneous involvement of the private sector.[26]
The second recommendation was that the Bills only be considered once the proposed reforms of the Privacy Act are introduced to the Parliament, to ensure that privacy, data protections and compliance requirements are consistent and coordinated across various related legislation.[27]
Finally, the Coalition Senators recommended that the Bill be amended to include further guarantees for consumers and businesses to ensure the AGDIS is fully voluntary.[28]
Senators Canavan and Rennick supported the Coalition Senators’ dissenting report and made additional comments questioning whether the proposed Digital ID framework would remain voluntary in the future and raised a lack of consistency between the Bills and the Privacy Act.[29]
Senator David Shoebridge of the Greens also issued a dissenting report, stating that ‘the move towards a digital ID has large potential privacy benefits if done well and clear risks if it is rushed or mishandled’.[30] Acknowledging the argument put forward by some submitters that the reform of the Privacy Act should have preceded the introduction of the DID Bills, Senator Shoebridge commented:
The [Privacy Act] reforms are slow to materialise and in the meantime we have no greater security for our online identities. This is the best argument for proceeding with this Bill now, noting as well that it contains significantly improved privacy protections from those that are currently available under the Privacy Act.[31]
Senator Shoebridge stated that it was necessary to limit third party access to digital identities and in particular to limit law enforcement access. Senator Shoebridge considered:
If Parliament is of the view there must be some provision for law enforcement access, then at a minimum it must be limited to a very narrow subset of law enforcement bodies, require a warrant issued by a superior court of record, that it only be in relation to either an extremely serious offence or an imminent threat to life.[32]
Other concerns raised by Senator Shoebridge included the ‘genuine voluntariness’ of the Digital ID scheme and the need to ensure alternative means of accessing services are ‘reasonably comparable’; the need to ensure the Digital ID system is properly inclusive; concerns about biometrics and bias, which the Senator considered should be addressed before the Bills are enacted; the desirability of a mechanism to facilitate deletion of a Digital ID; and the need to ensure that a ‘meaningful and accessible redress and penalty scheme’ is created.[33]
One Nation Senator Malcolm Roberts also issued a dissenting report, with 10 recommendations, including that the Bill not be passed in its current form.[34] Senator Roberts’ other recommendations included:
- that the Treasury Laws Amendment (Consumer Data Right) Bill 2022 be passed by the Senate prior to resumption of the second reading debate on the Digital ID Bill 2023[35]
- that the Bills should be amended to remove the ability for data to be held outside Australia
- that the Bills should be amended to require law enforcement to have a reasonable suspicion that a crime is being committed by an individual before accessing their digital ID data and
- details of the redress scheme be dealt with in the DID Bill, rather than in delegated legislation.[36]
Senate Standing Committee for the Scrutiny of Bills
The Senate Standing Committee for the Scrutiny of Bills had no comment in relation to the TCP Bill.[37] In relation to the DID Bill, on 7 February 2024 the Committee requested the Minister’s advice on a number of matters that are discussed below in relation to the provisions to which they relate.
Position of major interest groups
Phasing-in
Phasing-in is the progressive opening of the AGDIS to additional entities beyond the initial Commonwealth entities, by means of the Minister determining under clause 60 the entities that may apply to the Digital ID Regulator for approval to participate in the AGDIS. Phasing-in as an administrative process and the specific phasing-in proposed by Minister Gallagher are discussed below under ‘Approval to participate in the AGDIS’.
Although generally supportive of the proposed AGDIS in principle, the private sector has generally been critical of the phasing-in, arguing that the lack of clarity about timing creates risk for continuing investment of private sector providers in digital ID products. Digital service providers, for example, noted that the current sequence of phases will disincentivise the participation of private sector providers, by establishing the public sector as the primary Digital ID provider.[38] Others have argued that the phased approach would produce fragmentation in the Digital ID ecosystem, limit community awareness of the technology,[39] and discourage early and large volume take up.[40]
Arguing that these issues would have detrimental flow-on effects for those providers, consumers, and the overall success of the system, business stakeholders have proposed amendments to the phasing-in set out in the Digital ID Bill consultation process in 2023. Submissions have suggested that public and private sector Digital ID solutions should be released concurrently in Phase 1 of the AGDIS rollout,[41] or that citizens should be allowed to use their Government-issued Digital ID to open bank accounts earlier on in the AGDIS rollout, by moving Phase 3 to a new ‘Phase 1b’.[42]
Governance arrangements
Submissions from the ACT Government, the Australian Banking Association (ABA) and Australian Payments Plus (AP+) considered the proposed governance arrangements too complex, with too many entities in too many portfolios, leading to concerns about delineation and coordination of roles, and the risk that these shortcomings could be exacerbated when Machinery of Government (MoG) changes occur.
The ABA and AP+ expressed concern that the ‘distributed governance’ model of the Consumer Data Right (CDR) scheme was being emulated for Digital ID. The CDR Data Standards Chair submitted that Digital ID and CDR data standards should be made by the same Data Standards Chair, advised by a single data standards body.
In its submission, the ABA recommended that an over-arching governance mechanism be introduced with appropriate Ministerial accountability for oversight and policy co-ordination across the six different government agencies, and that collaborative public-private task forces be established to drive the uptake of Digital ID.
Fees
Under subclause 144(3) fees cannot be charged to an individual for the creation or use of a digital ID. The Digital ID Rules may make provision in relation to the charging of fees by the Digital ID Regulator (paragraph 144(1)(a)) and may also make provision in relation to the charging of fees by accredited entities for services provided in relation to the AGDIS (subclause 148(2)).
No fee information was released with the consultation process in 2023, nor with the introduction of the DID Bills in November 2023, and a law firm has noted that:
The Government will not charge entities for accreditation and participation in the first two phases of expansion (across Commonwealth and state and territory governments). However, the Department of Finance will develop and conduct public consultations on an approach for charging ahead of private sector participation in the AGDIS [in phases 3 and 4].[43]
In that context, stakeholder commentary does not refer to any specific proposals by the Government for fees or charges. However, it generally expresses concerns about the potential financial burden on private and public entities participating in the AGDIS.
In its submission to the exposure draft consultation process in 2023, the ACT Government argued that:
The cost of administering the central (and critical) infrastructure to support AGDIS should be the responsibility of the Commonwealth (as recommended in the recent myGov audit), particularly given the value in ensuring all States and Territories participate in the AGDIS, and all jurisdictions have invested in their own identity systems to date (p. 6).
Similarly, in its submission to the same consultation process, civil rights group Digital Rights Watch recommended that no entity, either public or private, be allowed to charge fees for the provision of Digital ID services (p. 10).
Private sector stakeholders, such as Australian Payments Plus, have expressed similar concerns about the potential financial burden of the accreditation process, which may become a barrier to full participation in the AGDIS for less resourced private sector actors:
The cost of the proposed accreditation process will likely be a disincentive for full private sector participation. The requirement for at least six external assessments (a privacy assessment and privacy impact assessment; protective security assessments including both pen test and ISO 27001 accreditation; fraud, and usability/ accessibility including WCAG accreditation) will make it hard to get a critical mass of participants beyond large well-resourced participants. Further, many large institutions (public and private) are already subject to significant regulation, standards and oversight, and the products of these existing similar regulatory obligations should be leveraged wherever possible to minimise duplication of effort and encourage participation.[44]
In this Digest, the Digital ID Rules and fees are discussed in ‘Key issues and provisions of the DID Bills’. An expanded overview of stakeholders’ views on fees is provided in ‘Key issues and provisions to be addressed in delegated instruments’.
Collection and management of data
Civil rights groups, academic groups and digital payment businesses have expressed contrasting views on the collection and management of personal data, including sensitive and protected attributes, as well as timeframes for the preservation of such data.
Civil rights and independent academic groups have advocated for stronger data protection, stronger data safety safeguards and greater data ownership, as well as limitations on the collection and disclosure of sensitive personal data. IDCARE’s submission to the exposure draft consultation process recommended that: the Bill address deficiencies in the minimum response standards in the event of exposure or misuse for users of Digital ID in the current TDIF; a provision be added so that relying parties are not allowed to impose additional identity-verification; and delegated legislation or rules provide an unambiguous requirement to validate against current sources of identity information in a timely way, to prevent threat exposure and identities being compromised.[45]
To strengthen user control of their own data, IDCARE also proposed that the DID Bill be amended to:
- contain explicit statements of ownership of the Digital Identity, with consumers being allowed to determine when their identity credential has been consumed, and enable a much more citizen-centric means of responding and protecting against threats
- include an erasure right to allow for information to be destroyed, should an individual wish to withdraw their information entirely from any entity or shared provider to which they have previously given consent
- be clearer about deactivation requirements, such as prompt notification of the individual
- set a limit for the 'as soon as practicable' timeframe provision and extension to refer to 'the individual or their representatives or nominees'
- add capacity to freeze Digital ID or flag identity compromise rather than straight erasure/deletion
- provide for the data of deceased people to be erased and
- narrow the threshold at which the Minister can amend rules without consultation.
IDCARE also proposed that funding arrangements for IDCARE should be urgently considered.[46]
Digital Rights Watch expressed its opposition to any repurposing of Digital ID data or infrastructure for surveillance purposes and recommended tighter protections against data profiling to track online behaviour. It recommended that the Digital ID Bill include specific data retention limitations and a clearer requirement for entities to delete or destroy personal information if an individual requests deactivation of their Digital ID.[47]
Conversely, private digital providers have suggested that amendments be made to the provisions dealing with the collection, use and disclosure of restricted personal information, in order to improve or facilitate the provision of services to end users and ensure fairness in the AGDIS. AP+ argued that in order to enable Indigenous Australians to access services where ‘proof of Aboriginality’ is required:
the legislation should not restrict accredited entities offering the ability for individuals to be able to reflect their cultural identity in certain digital representations. There are positive practical use cases for “proof of Aboriginality” as an attribute, including:
- Demonstrating Aboriginal or Torres Strait Islander status for access to concessions such as education, government, banking and health, whilst also helping to reduce fraudulent access to those concessions.
- Proving representation in native title access discussions.
- Voting for elected representatives in indigenous bodies.
- Facilitating employment opportunities for first nations people.[48]
Analytics company BixeLab Pty Ltd similarly argued against a blanket ban on collection of racial or ethnic attributes as contained in subclause 44(1) of the DID Bill, as it would prevent independent assessors from testing the AGDIS for demographic fairness, which might otherwise have been authorised under subclause 49(6) of the DID Bill.[49] It also recommended that timeframes for retention of sensitive personal information be extended to allow for fraud investigation, similarly to suggestions by other cybersecurity and digital communication stakeholders, such as the Communications Alliance Ltd and Optus.[50]
Accessibility, voluntariness and equitable access
Public and private stakeholders have also expressed concerns on the voluntary nature of the AGDIS, as well as on issues of consent, accessibility and equitable access.
In its submission to the draft consultation process in October 2023, the Office of the Victorian Information Commissioner recommended that the Bill include a definition of consent that specifies the five elements of consent (voluntary, informed, specific, current, and the individual must have capacity to consent).
Civil rights and disability advocacy groups have recommended that the DID Bill provide more avenues to access the AGDIS for citizens who have a disability, identify as First Nations or Indigenous, and live in rural areas. Blind Citizens Australia suggested that the DID Bill be amended to include non-photographic biometric options for crosschecking identity, such as voice authentication, and provide people unable or unwilling to sign up for a Digital ID with a genuine choice of platforms to access government services.[51] Reflecting similar concerns, Economic Justice Australia added:
people with disabilities, First Nations people and people in remote Australia have reported significant issues with processes for online identity authentication because the processes required to obtain and re-use already obtained IDs and related passwords do not reflect their access to technology and the devices needed to administer authentication systems. … Safeguards for people for whom the creation and ongoing use of a Digital ID is problematic should be a legislated requirement for Digital ID Relying Parties. …The design standards outlined by Australian Human Rights Commission for disability inclusion should be considered when designing the authentication processes for Digital ID creation and ongoing use. [52]
The UNSW Allens Hub submission expressed reservations on the use of biometric technology and recommended more studies be conducted prior to its introduction in the AGDIS, particularly due to the limitation and potential bias of the technology when used on Indigenous populations.[53]
Guarantees of equal access to services
Some submissions to the Committee inquiry expressed concerns about the extent to which the AGDIS will be voluntary. The UTS Human Technology Institute noted:
Consent is only meaningful when people are not unreasonably disadvantaged if they opt to use traditional methods of proving their identity; in other words, they must retain equal entitlements and access to the same services and products … clause 74 should be amended to include an explicit guarantee of equal access to services for those who opt out of digital ID. [54]
Digital Service Providers Australia New Zealand warned that a voluntary system will ‘create significant cyber security risks for individuals who do not have a Digital ID’.[55]
The Coalition Senators' Dissenting Report recommended that the Bill should be amended to include ‘further guarantees for consumers and businesses to ensure the AGDIS is fully voluntary’ (p. 65).
Financial implications
The Explanatory Memorandum notes that ‘the Commonwealth has spent $781.9 million on the Digital ID Program over the financial years 2016–17 to 2023–24 [and] further expenditure will be required in future’.[56] Following the introduction of the DID Bills on 30 November 2023, the Mid-Year Economic and Fiscal Outlook (MYEFO) statement on 13 December 2023 included $145.5 million over four years from 2023–24 (and $17.0 million per year ongoing) for the Digital ID system. In the details reproduced below, Services Australia is not one of the agencies to share in the funding, despite its proposed key role in the Digital ID system.[57]
The MYEFO statement also noted that ‘the Government will consider future funding for the Digital ID framework ahead of the commencement of enabling legislation’.[58] This appears to anticipate further funding for the Digital ID system in the May Budget including, perhaps, funding for Services Australia.
Digital ID

| Payments ($m) | 2022-23 | 2023-24 | 2024-25 | 2025-26 | 2026-27 |
|---|---|---|---|---|---|
| Australian Competition and Consumer Commission | - | 15.9 | 30.0 | 21.1 | - |
| Attorney-General’s Department | - | 9.3 | 16.7 | 17.2 | 16.2 |
| Australian Taxation Office | - | 5.4 | 6.1 | - | - |
| Office of the Australian Information Commissioner | - | 1.4 | - | - | - |
| Department of the Treasury | - | 0.9 | - | - | - |
| Department of Finance | - | -2.2 | 4.9 | - | - |
| Total – Payments | - | 30.8 | 57.7 | 38.3 | 16.2 |

The Government will provide $145.5 million over four years from 2023–24 (and $17.0 million per year ongoing) to support the next stages of the Digital ID program and related identity security initiatives. Funding includes:
- $67.0 million over three years from 2023–24 to the Australian Competition and Consumer Commission (ACCC) to perform regulatory functions under the Digital ID legislation from 1 July 2024
- $56.0 million over four years from 2023–24 (and $17.0 million per year ongoing) to the Attorney-General’s Department for the continued operation of the Identity Matching Services
- $11.5 million over two years from 2023–24 to the Australian Taxation Office to rebrand myGovID and deliver ICT updates to enable choice of identity service provider when accessing business services
- $4.9 million in 2024–25 to the Department of Finance for communications activities to increase individual and business awareness and understanding of Digital ID
- $3.3 million in 2023–24 to the Attorney-General’s Department to enhance the Credential Protection Register to better respond to future data breaches
- $1.4 million in 2023–24 to the Treasury to support the ACCC to deliver its Digital ID functions and scope options for an enduring data and digital regulator
- $1.4 million in 2023–24 to the Office of the Australian Information Commissioner to prepare for its expanded oversight role under the Digital ID and Identity Verification Services legislation.
The cost of this measure will be partially met from within the existing resourcing of the Department of Finance and the Treasury.[59]
The Explanatory Memorandum anticipates but does not quantify financial savings for the Commonwealth from increased use of Digital ID by people to access government services instead of ‘more costly identity verification such as in-person or phone-based methods’, while noting that ‘these methods will remain available for government services required to maintain alternative channels’. It is suggested that the Bills ‘may also enable reduced identity-related fraud across government services’. In addition, a report prepared for the Department of Finance contends that ‘individual time savings’ could result in an indirect whole-of-economy benefit to the amount of an estimated $3.3 billion annually.[60]
In a funding decision not specifically related to the Digital ID project, the MYEFO statement on 13 December 2023 also included $21.2 million over five years from 2023–24 for the Department of Home Affairs to provide ‘services for victims of identity crime and misuse’.[61]
Key issues and provisions
Overview of architecture of the Digital ID System
In order that the AGDIS can effectively and safely include and support a range of providers and participating entities, the DID Bill establishes the architecture of a complex regulatory framework, while providing that many detailed aspects will be clarified in a range of instruments that will be issued from time to time by the various governance entities.
There are two parallel streams of assurance: accreditation; and approval to participate in the AGDIS. Accreditation is required for participants other than relying parties to participate in the AGDIS, but accredited entities operating outside the AGDIS are also envisaged, with consultation material describing accreditation being open to private sector providers prior to their eligibility to participate in the AGDIS.[62]
The TDIF comprised 13 policy documents which outlined the functional details of the system. In contrast, the DID Bill is based around three ‘core instruments’: Accreditation Rules; Digital ID Rules; and Digital ID Data Standards (subclause 167(1)). In a 2023 consultation process, a draft Digital ID Bill and draft Digital ID Rules and Digital ID Accreditation Rules were published.[63] These draft rules are indicative but not conclusive regarding rules that will be issued under the DID Bill.
In addition, a range of other governance instruments will be issued. Governance instruments and the entities responsible for governance are discussed below.
Governance arrangements
Figure 3 below outlines the proposed governance arrangements for the Digital ID system in diagrammatic form, with a focus on the relationships of the key governance entities.
Main actors
Minister
The Minister will be responsible for determining Digital ID Rules and Accreditation Rules (clause 168). Before making or amending any rules under clause 168 the Minister must consult the Information Commissioner if the rules deal with matters that relate to the Commissioner’s privacy functions (clauses 19 and 169). In some circumstances, the Minister may give directions (clauses 27, 73, 97 and 104) to the Digital ID Data Standards Chair, the Digital ID Regulator and the System Administrator.
The Minister can issue directions to the Digital ID Regulator for reasons of security, including on the basis of security assessments provided to them by the Australian Security Intelligence Organisation (ASIO).
Under subclause 27(1) (in relation to accreditation) and subclause 73(1) (in relation to approval to participate in AGDIS) the Minister may issue directions to the Regulator, for reasons of security within the meaning of the Australian Security Intelligence Organisation Act 1979, including on the basis of an adverse or qualified security assessment in respect of a person, to direct the Regulator to: refuse to accredit/approve an entity; impose conditions on an accreditation/approval; suspend an accreditation/approval; or revoke an accreditation/approval. The involvement of ASIO in the AGDIS is a protective one; the TCP Bill provides for ASIO to provide to the Minister security assessments of an entity’s suitability for accreditation (chapter 2) and participation (chapter 4) in the digital identity system.[64]
Digital ID Data Standards Chair
A Digital ID Data Standards Chair (chapter 7) is to be appointed by the Minister on a full time or part time basis for a period not exceeding three years at a time and in the absence of an appointment the Minister will be the Chair (clauses 9, 105 and 106). The Chair will make standards for the AGDIS and the Accreditation Scheme, for example, technical, data, design or integration requirements (clause 99). Standards may relate to accreditation (clause 15) and participation (clause 62). Under clause 100, before making, amending or revoking Digital ID Data Standards, the Chair must consult the Minister, the Digital ID Regulator, the System Administrator and the Information Commissioner, and must consider any submissions received from the public. The Chair may also prescribe service levels for accredited entities and participating relying parties but must first consult the System Administrator (clause 80).
Digital ID Regulator
Clause 90 establishes that the Digital ID Regulator (chapter 5) will be the Australian Competition and Consumer Commission (ACCC).[65] The Regulator will have responsibility for administering the Accreditation Scheme and for overseeing and maintaining the AGDIS, including approving entities’ participation in the AGDIS. In performing this role, the Regulator must establish and maintain registers of Accredited Entities (clause 120) and entities approved to participate in AGDIS (clause 121). The Regulator may give directions to entities regarding accreditation and participation in the AGDIS (clause 127). The Regulator may take enforcement action against accredited entities and other entities (clause 122). Either at their own initiative or on request, the Regulator will advise the Minister, the System Administrator and the Chair on matters relating to the provisions of the Bill (paragraph 91(d)) and advise the Information Commissioner on privacy matters that relate to the Bill (paragraph 91(e)).
System Administrator
Within the current unlegislated Digital ID system, Services Australia performs multiple roles, being an Identity Exchange, an Attribute Service Provider, a Relying Party, and the Temporary Oversight Authority (TOA).[66]
Replacing the TOA, clause 94 establishes the role of System Administrator and specifies that it will be performed by the Chief Executive, Centrelink, who under section 7 of the Human Services (Centrelink) Act 1997 is also the CEO of Services Australia. As Services Australia will continue most of its current roles in the system as a participant (Identity Exchange, Attribute Service Provider, and Relying Party), the nomination of the Chief Executive, Centrelink may be intended to distinguish the System Administrator role from Services Australia’s continuing roles as a participant in the system.
The responsibilities of the System Administrator (chapter 6) will include: monitoring and managing the availability of the system, including by coordinating system changes and outages; providing assistance to entities participating in the system (government and private entities); and managing digital ID fraud incidents and cyber security incidents involving entities participating in the system (clause 95).
Information Commissioner
In addition to already-established functions under the Privacy Act 1988, the Information Commissioner must be notified of data breaches by accredited entities (clauses 39, 40 and 41) and may take enforcement action against accredited entities and other entities (clause 122). The Information Commissioner must be consulted by the Minister prior to the making of Digital ID and Accreditation Rules if the rules deal with matters that relate to the Commissioner’s privacy functions (including where accredited entities will be authorised to collect, use or disclose restricted attributes or biometric information of individuals (clause 169)). On request by the Regulator, the Information Commissioner must provide advice on matters relating to the operation of the DID legislation (clause 42). Under clause 155 the Information Commissioner’s annual report must include information about the performance of their functions and the exercise of their powers under or in relation to Part 2 of Chapter 3 of the DID Bill.
Other entities
The Bill anticipates the Regulator will also ‘consult with … as required’ the Australian Securities and Investments Commission, the Australian Prudential Regulation Authority, the Australian Financial Complaints Authority, the part of the Australian Signals Directorate known as the Australian Cyber Security Centre and ‘any other body the Digital ID Regulator considers appropriate’ (paragraph 91(c)). The Bill also provides for the establishment of committees, advisory panels and consultative groups. Subclause 150(1) provides for the Minister to establish advisory committees to provide advice about matters arising under the Act. Clause 103 provides for the Digital ID Data Standards Chair to establish committees, advisory panels and consultative groups. Advisory committees set up by the Minister will have terms of reference and other terms, conditions and procedures set out in writing (subclause 150(3)). There is no similar requirement for committees, panels and groups established by the Digital ID Data Standards Chair.
The Senate Standing Committee for the Scrutiny of Bills (Scrutiny Committee) sought advice from the Minister for Finance on a number of aspects of clause 150 of the DID Bill. Firstly, the Scrutiny Committee sought advice on why it is considered necessary and appropriate to leave the matter of establishing an advisory committee under subclause 150(1), and determining matters relating to the operation and members of such committees under subclause 150(3), to written instruments, rather than these matters being included in the Bill. Secondly, why it is considered necessary and appropriate to specify that instruments made under subclauses 150(1) and 150(3) are not legislative instruments (including why it is considered that the instruments are not legislative in character). Finally, whether the Bill could, at a minimum, be amended to provide that these instruments are legislative instruments, to ensure that they are subject to appropriate parliamentary oversight.[67]
The Minister advised that the composition, purpose and terms of Advisory Committees are appropriately left to executive control to ensure committees are able to be established as required (which may be on a short-term basis) with appropriate subject-matter experts and terms of reference. The Minister further advised that instruments establishing committees, their composition, purposes and terms are administrative in character as they do not determine the law or alter the content of the law.[68]
The Scrutiny Committee thanked the Minister for her response, but reiterated its concern that as these committees are established to provide advice about matters arising under the DID Bill, including in relation to the Digital ID Regulator’s powers and functions, their establishment forms a significant part of the overall legislative scheme. It noted that it was open for the Minister to prescribe an instrument as a legislative instrument, even if it does not determine or alter the law. The Scrutiny Committee drew the matter to the attention of the Senate and left it to the Senate as a whole to consider the appropriateness of the provisions.[69]
Figure 3: Proposed governance arrangements
Source: Derived from Library analysis of the DID Bill and Explanatory Memorandum.
Governance: Instruments
The DID Bill establishes the architecture of the Digital ID system, but many aspects of the system’s operation will be settled through a range of instruments, determinations and directions, as outlined in Table 1.
Table 1: Instruments and determinations under the DID Bill

| | Made by | Enabling clause(s) | Disallowable |
|---|---|---|---|
| ‘Core instruments’ | | 167 | |
| Accreditation Rules | Minister | 168 | Yes |
| Digital ID Rules | Minister | 168 | Yes |
| Digital ID Data Standards | Data Standards Chair | 99 | No |
| Determinations | | | |
| Service levels | Data Standards Chair | 80 | No |
| Phasing-in | Minister | 60 | No |
| Directions | | | Not legislative instruments |
| To Digital ID Regulator | Minister | 27, 73 | |
| To System Administrator | Minister | 97 | |
| To Digital ID Data Standards Chair | Minister | 104 | |
| To entities | Regulator | 86, 127, 128, 129 | |
| To entities | System Administrator | 130 | |

Disallowance
The TCP Explanatory Memorandum states that item 10 of the TCP Bill’s Schedule 1 would enable the Minister to make disallowable transitional rules that ‘will be able to address any unforeseen consequences of the principal Bill and minimise the likelihood of any regulatory uncertainty during transition’.[70]
Because the transitional rules under item 10 of the TCP Bill’s Schedule 1 and the Accreditation Rules and Digital ID Rules established by the Minister under clause 168 of the DID Bill may deal with a wide range of matters, it is appropriate that the rules are disallowable, and that clause 169 would require the Minister to consult before making or amending legislative rules.
Other instruments that will relate to technical or specific operational aspects, for example data standards and service levels, are less suited to disallowance. The Explanatory Memorandum explains that subjecting this type of instrument to disallowance could adversely affect certainty in relation to the day-to-day operation of the AGDIS.[71]
‘Core instruments’
Subclause 167(1) provides that the Accreditation Rules, Digital ID Rules and Digital ID Data Standards are ‘core instruments’. This designation appears to be a mechanism to facilitate flexibility in the application, adoption or incorporation from time to time of matter contained in other material. This overrides subsection 14(2) of the Legislation Act 2003, which provides that a legislative instrument or notifiable instrument ‘may not make provision in relation to a matter by applying, adopting or incorporating any matter contained in an instrument or other writing as in force or existing from time to time’, unless the contrary intention appears.
This approach affords flexibility in relation to adaptation and evolution of the system in the context of, for example, technological change, and the Explanatory Memorandum offers some useful examples:
Examples of documents that may be incorporated by reference from time to time include Commonwealth documents relating to protective security and cyber security (such as the Protective Security Policy Framework and the Information Security Manual), international standards (such as those relating to the testing of presentation attack detection processes used in biometric verification), and digital identity standards set by internationally recognised organisations such as the US Department of Commerce’s National Institute of Standards and Technology.
It is intended that, to ensure accredited entities and others are aware when changes in an incorporated document would take effect [and] are given sufficient time to comply with any changes … the Accreditation Rules would specify when those changes would take effect.[72]
The Scrutiny Committee sought advice from the Minister as to whether documents applied, adopted or incorporated by reference under clause 167 will be made freely available to all persons interested in the law and why it is necessary to apply the documents as in force or existing from time to time, rather than when the instrument is first made.[73]
The Minister advised that the Digital ID Bill and legislative rules seek to adopt existing frameworks, standards or policies that are appropriate for digital ID, which change over time as circumstances, risks and threats change. The Minister further advised that the draft Accreditation Rules include a provision [subrule 1.5(2)] stating accredited entities will have 12 months to comply with changes in any incorporated standard or policy unless the incorporated document itself sets out a longer timeframe.[74]
In relation to access to incorporated documents, the Minister advised that there will be two kinds of incorporated documents in the legislative rules, one of which includes standards relating to security, biometric technology operation and biometric technology testing which are not freely and publicly available in full and are unable to be made publicly available due to copyright. The Minister advised summaries and previews of each of these standards are publicly available and the legislative rules will include links to where the public information may be accessed.[75]
The Scrutiny Committee thanked the Minister for her response, but remained concerned that entities will be required to comply with standards that are not fully and freely accessible, particularly as these standards relate to the handling of highly sensitive biometric information. The importance of public access to these documents was also highlighted by the Committee, which noted that the availability of summaries and previews of standards was inadequate to properly comply with the standards in full.[76] In light of these concerns, the Committee requested the Minister’s further advice ‘as to whether free access to documents that will be applied, adopted or incorporated by reference into legislative instruments as a result of clause 167 can be provided via other means such as display in public libraries or departmental offices’.[77]
The Minister’s response advised that the Department of Finance ‘is further investigating the ways in which documents that are incorporated by reference and that are subject to copyright can legally be made available for free viewing by interested parties’.[78] The Committee thanked the Minister for her advice and noted that it would appreciate further advice on the conclusion of the Department’s investigations on this matter in due course. The Committee made no further comment on this matter.[79]
The consultation process about proposed rules is set out in subclauses 169(1) and (2), which require consultation with the Information Commissioner about proposed rules that relate to the Commissioner’s privacy functions, including rules that would authorise accredited entities to collect, use or disclose restricted attributes or biometric information of individuals.
Subclause 169(4) provides that the consultation process does not apply if the Minister is satisfied that there is an imminent threat to AGDIS, or that a hazard has had, or is having, a significant impact on the system (threats and incidents are discussed in more detail below). If rules are made on this basis without consultation:
the Secretary of the Department must review the rules, seek submissions on the rules and complete a report on the rules within 60 days of being made. The Minister is required to table in Parliament a copy of the Secretary’s statement of findings.[80]
However, a failure to consult or otherwise comply with the requirements of clause 169 does not affect the validity or enforceability of rules (subclause 169(9)).
Accreditation Rules
The purpose of the Accreditation Rules is to provide a set of nationally consistent standards that a provider of digital ID services must meet in order to become and remain an accredited entity. Under clause 28, Accreditation Rules made by the Minister will prescribe a range of matters related to the scope and operation of the Accreditation Scheme, including the privacy, security, accessibility and other standards to apply to accredited entities. Subclause 28(2) provides a non-exhaustive list of matters that the Accreditation Rules may address, including: technical, data or design standards relating to the provision of accredited services; mandatory requirements for becoming and remaining an accredited entity (for example relating to privacy, security, fraud control, and incident management and reporting); and requirements or restrictions relating to the generation of digital IDs for children.
While many of the accreditation requirements will be established in the Accreditation Rules, several key requirements are set out in the Bill itself. For example, accredited services must be accessible and inclusive (clause 30).
The Digital ID Accreditation Rules will be applicable to all service providers, including those operating outside the AGDIS, and trustmarks provided for under clause 117 may be available to entities operating parallel Digital ID systems. Private exchange ConnectID is already advertising government accreditation as ensuring the security of their system.[81]
Digital ID Rules
The following discussion notes the wide range of matters the disallowable Digital ID Rules may deal with.
Clause 12 provides that in having regard to whether an entity is a fit and proper person, the Digital ID Regulator must have regard to any matters specified in the Digital ID Rules, which may relate to:
- for accreditation of an entity: whether to accredit (clause 15); suspension of accreditation (clause 25); and revocation of accreditation (clause 26) and
- for approval to participate in the AGDIS: whether to approve (clause 62); conditions on approval (clauses 63 and 64); suspension of approval (clause 71); and revocation of approval (clause 72).
With respect to accreditation and approval to participate, the Digital ID Rules may also address aspects of: requirements for applications (clause 141); the Digital ID Accredited Entities Register (clause 120) and the AGDIS Register (clause 121); statutory contracts between entities participating in the AGDIS (clause 85); record keeping by participating entities and former participating entities (clause 135); compliance assessments (clause 131); dispute resolution procedures (clause 87); the redress framework (clause 88); and reviewable decisions (clause 137).
In relation to technical aspects of the system, the Digital ID Rules may address: holding information outside Australia (clause 77); reportable incidents (clause 78); and interoperability (clause 79). The Digital ID Rules may also address aspects of: Digital ID Data Standards (clause 99); and confidentiality, particularly authorised uses and disclosures of protected information by entrusted persons (clause 152).
In relation to system regulation and administration, the Digital ID Rules may address the powers of the Digital ID Regulator (clause 128) and the System Administrator (clauses 95 and 130) to give directions to protect the integrity or performance of AGDIS. The Digital ID Rules may: make provision in relation to the charging of fees by the Digital ID Regulator (clause 144) and by accredited entities (clause 148); and specify Digital ID trustmarks that may or must be used by accredited entities or participating relying parties, and prescribe conditions or requirements in relation to the use or display of trustmarks (clause 117).
Digital ID Data Standards
Clause 99 provides for the Digital ID Data Standards Chair to make Digital ID Data Standards in writing. The Explanatory Memorandum anticipates that the data standards will be ‘largely in the nature of specifications for technical processes, to ensure for example there are appropriate levels of security protecting the AGDIS and other digital ID systems used by accredited entities’.[82]
Clause 100 ‘imposes mandatory consultation requirements by the Chair before data standards are made to ensure that further expert input is provided’, including submissions from the public and ‘consultation with the Information Commissioner to ensure expert advice is provided on privacy matters and the System Administrator for further expert advice on the effect of technical and design standards on the operation of the AGDIS’. These standards will ‘be made so as to operate at the commencement of the Act, ensuring that the Accreditation Scheme and the AGDIS can properly operate immediately’.[83]
Accreditation
The DID Bill assigns to the Minister and the Digital ID Regulator responsibilities for accrediting entities and approving entities to participate in the Digital ID system (refer to figures 3 and 4).
A law firm has described accreditation as a ‘trust baseline’:
accredited Digital ID service providers will be required to comply with privacy, security, consumer protection, record-keeping, data destruction, and other requirements. Accreditation provides a baseline set of obligations and regulatory oversight that apply to all accredited service providers, whether they provide services in the Australian Government Digital Identity System or in a separate Digital ID system.[84]
Types of entities that may be accredited
The DID Bill continues the architecture of the current unlegislated TDIF by providing for three types of accredited entities: identity exchange provider; identity service provider; and attribute service provider (subclause 14(1)). Future expansion is provided for by an additional category of ‘an entity that provides, or proposes to provide, a service of a kind prescribed by the Accreditation Rules’ (paragraph 14(1)(d)). Entities can apply for accreditation as more than one type of provider.[85]
Subclause 14(2) sets out the types of entities that may apply to be accredited: public sector entities (Commonwealth entities and Commonwealth companies, and state and territory departments and authorities); private sector corporations (a body corporate incorporated by or under a law of the Commonwealth or a state or territory); or a registered foreign company (within the meaning of the Corporations Act 2001).
Accreditation processes
Under clause 15 the Regulator must decide whether to accredit an entity. The DID Bill sets out the processes to be followed by the Regulator when deciding whether or not to accredit an entity. The Regulator must not accredit an entity:
- unless the entity provides, or will provide, some or all of the services described in the definition of that type of provider as set out in clause 9 (subclause 15(3))
- if the Regulator is not satisfied that the entity is able to comply with the provisions of the DID Bill (paragraph 15(4)(b))
- if a direction made by the Minister under subclause 27(1) directing the Regulator to refuse to accredit the entity on the basis of security is in force (paragraph 15(4)(a)) or
- if Accreditation Rules made by the Minister for the purposes of clause 28:
  - require specified criteria to be met and the entity does not meet the criteria (paragraph 15(4)(c)); or
  - require the Regulator to be satisfied of specified matters and the Regulator is not satisfied of those matters (paragraph 15(4)(d)).
The Regulator may also have regard to whether the entity is a fit and proper person (subparagraph 15(5)(b)(i)). Clause 12 provides that, in doing so, the Regulator must have regard to the matters (if any) specified in the Digital ID Rules. The Explanatory Memorandum expects that, on this matter, the Digital ID Rules will ‘align where possible’ with fit and proper person considerations for entities applying for accreditation under the Consumer Data Right (CDR) scheme, for which the ACCC is already the regulator.[86]
The Regulator may also have regard to any other matters it considers relevant (subparagraph 15(5)(b)(ii)). As an example, the Explanatory Memorandum notes that ‘if not already a mandatory consideration in the Digital ID Rules, [the Regulator] could take into account a determination made by a State privacy commissioner dealing with breach by an entity of that State’s privacy law’.[87]
As noted above the Regulator must not accredit an entity if a direction made by the Minister under subclause 27(1) directing the Regulator to refuse to accredit the entity for reasons of security is in force (paragraph 15(4)(a)). Subclause 27(1) sets out that the Minister ‘for reasons of security within the meaning of the Australian Security Intelligence Organisation Act 1979, including on the basis of an adverse or qualified security assessment in respect of a person’ may, in writing, direct the Digital ID regulator to: refuse to accredit an entity; impose conditions on an accreditation; suspend an accreditation; or revoke an accreditation (item 3 of Schedule 2 to the TCP Bill is also relevant). As outlined in subclause 27(3) any such direction ‘remains in force unless it is revoked by the Minister’, with subclause 27(4) noting that a direction to revoke accreditation cannot itself be revoked. Subclause 27(5) sets out that a direction is not a legislative instrument.
Any decisions made for reasons of security (within the meaning of the ASIO Act) in relation to an entity that is not an Australian entity are not reviewable decisions (subclause 137(3), and item 4 of Schedule 2 to the TCP Bill). Clause 9 includes a definition of ‘Australian entity’. The Explanatory Memorandum notes that non-Australian entities will be able to seek judicial review of such decisions.[88]
Item 2 of Schedule 1 to the TCP Bill provides that, immediately after commencement:
- the Commissioner of Taxation will be taken to be an accredited attribute service provider and an accredited identity service provider and
- Services Australia will be taken to be an accredited identity exchange provider
with both entities being subject to the conditions specified in item 2.
The Explanatory Memorandum provides that the Commissioner of Taxation and Services Australia ‘have already been accredited by the Australian Government under the TDIF, as the specified kind of entity and subject to the same conditions’.[89] This ‘avoids those entities needing to re-apply for accreditation to the new Digital ID Regulator when they have already achieved accreditation against substantially the same requirements’.[90]
Other entities may be prescribed in transitional rules made by the Minister under item 10 of Schedule 1 to the TCP Bill to be taken to be accredited entities on commencement.
Accreditation criteria
Under clause 28, Accreditation Rules made by the Minister will prescribe a range of matters related to the scope and operation of the Accreditation Scheme. Subclause 28(2) provides a non-exhaustive list of matters that the Accreditation Rules may address. Draft Accreditation Rules released for consultation in September 2023 also provide a guide to likely accreditation criteria, including: privacy impact assessment; protective security assessment; fraud assessment; usability and accessibility assessment; systems testing; penetration testing; usability testing; Web Content Accessibility Guidelines (WCAG) testing.
The consultation draft of the Digital ID Accreditation Rules includes cyber security controls among the protective security requirements which an entity must comply with. This includes compliance with the Essential Eight standards and additional controls with flexibility between different risk management frameworks, including the internationally accepted ISO 27001 and 27002 framework, the Australian Protective Security Policy Framework, and a possibility for ‘another standard or framework’.[91] In the draft accreditation rules ‘all protective security requirements that have equivalent…controls’ as those in ISO 27001 and the Australian Protective Security Policy Framework have been removed, in favour of compliance with those frameworks.[92]
Notification of accreditation outcomes
Subclause 15(6) requires the Regulator to inform the applicant in writing of its decision and to provide reasons if an accreditation application is refused. The notice of a decision to accredit an entity must set out: the kind of accredited entity that the entity is accredited as; the day the accreditation comes into force; and any conditions imposed by the Regulator on the entity’s accreditation (subclause 15(7)). Details of the accreditation, including any conditions imposed, must be entered in the Digital ID Accredited Entities Register (clause 120).
A decision to refuse to accredit an entity would be a ‘reviewable decision’ (see clauses 137 to 140), except when that refusal results from a direction by the Minister under subclause 27(1) to refuse to accredit the entity for reasons of security (see Table item 1 in the table at subclause 137(1) and subclause 137(3)).
Accreditation conditions
An entity’s accreditation is subject to accreditation conditions (clause 16). The accredited entity must comply with those conditions, and failure to do so may result in suspension or revocation of the entity’s accreditation (clause 16). The Regulator may impose conditions on an entity at the time of accreditation, or later (paragraph 17(2)(a)), either at the Regulator’s initiative or on application by the entity (subclause 17(3)). Under paragraph 17(2)(b) the Regulator must impose conditions if directed to do so by a ministerial direction regarding accreditation under subclause 27(1), related to reasons of security.
Subclause 17(4) comprises a non-exhaustive list of matters to which conditions imposed by the Regulator may relate, including:
- limitations, exclusions or restrictions in relation to the accredited services of the entity;
- the circumstances or manner in which the accredited services of the entity must be provided;
- the kinds of restricted attributes of individuals (if any) that the entity is authorised to collect or disclose;
- the kinds of restricted attributes of individuals (if any) that the entity must not collect;
- the kinds of biometric information (if any) of an individual the entity is authorised to collect, use or disclose;
- the entity’s information technology systems through which the entity’s accredited services are provided, including restrictions on changes to such systems;
- actions that the entity must take before the entity’s accreditation is suspended or revoked.
Subclause 17(5) provides that the Accreditation Rules issued by the Minister may determine that the accreditation of each accredited entity, or each accredited entity included in a specified class, is subject to specified conditions.
Conditions relating to restricted attributes
As defined in clause 11, a restricted attribute includes: health information; information about a criminal record; and an identifier of an individual that has been issued or assigned by the Commonwealth, a state or territory, or a foreign government (including the individual’s tax file number, Medicare number or driver’s licence number). The Explanatory Memorandum observes:
A key objective of the Accreditation Scheme, and use of the AGDIS, is to minimise the collection of restricted attributes by relying parties, ensuring they receive only those that are necessary for the particular relying party service their customer is accessing. Minimising disclosure of restricted attributes in this will help mitigate the increasing risk of data breaches involving identity information.[93]
However, the Bill also recognises that restricted attributes may be essential or incidental components of some transactions. The Bill addresses circumstances where the Regulator imposes a condition on an entity’s accreditation that would authorise the entity to collect or disclose a restricted attribute of an individual (clause 18), or where the Minister proposes to make Accreditation Rules that would impose an accreditation condition authorising an accredited entity to collect or disclose a restricted attribute or collect, use or disclose biometric information (clause 19). Subparagraph 65(2)(f)(iii) sets out that among the issues to which the Digital ID Regulator must have regard prior to imposing a condition on an entity’s approval to participate in the AGDIS, relating to restricted attributes (ie collection or disclosure), is that of the effectiveness of the entity’s fraud control arrangements.
As discussed in relation to privacy provisions, accredited entities may also disclose a restricted attribute of an individual to a relying party if, for example, the individual has given express consent for the disclosure (subclause 46(1)).
Accreditation register
The fact of a revocation of an entity’s accreditation will be publicly available on a Digital ID Accredited Entities Register that the Regulator is required to maintain and make available on its website (clause 120). The Register must also include accreditation conditions imposed by the Regulator (other than conditions for reasons of national security[94]), and details on whether an entity’s accreditation has been suspended or revoked. Information about an accredited entity must remain on the register for 12 months after the entity’s accreditation is revoked. The Digital ID Rules may prescribe other information to be included in the Register.
Approval to participate in the AGDIS
Roles of the Minister and the Digital ID Regulator
To apply for approval to participate in the AGDIS, entities must first be specified in a determination by the Minister under clause 60. Subclause 60(2) allows the Minister to specify entities in any way, including by reference to: whether the entities are relying parties or accredited entities; kinds of relying parties; kinds of accredited entities; or whether the entity belongs to the public or private sector. Under subclause 60(3) the Minister cannot revoke a determination and may only vary a determination to add additional kinds of entities that may apply for approval, or to correct an error, defect or irregularity in a determination.
The requirement that entities must be specified in a determination by the Minister under clause 60 is the mechanism by which ‘phasing-in’ will be given effect. Phasing-in is the progressive expansion of the AGDIS to additional entities beyond the initial Commonwealth entities—in other words, the means by which an economy-wide digital ID system will be established.[95] ‘Phasing-in’ is discussed below and depicted in Figure 4.
Under clause 62 the decision-maker on applications for approval to participate in the AGDIS is the Regulator. Under subclause 73(1) the Minister may issue directions to the Regulator, for reasons of security within the meaning of the ASIO Act, including on the basis of an adverse or qualified security assessment in respect of a person, to direct the Regulator to: refuse to approve an entity; impose conditions on an approval; suspend an approval; or revoke an approval.
Types of entities that may be approved to participate
Paragraphs 61(a) and (b) have the effect that a wide range of Commonwealth entities may apply for approval at the commencement of the legislation. Under paragraph 61(c) other kinds of entities must be specified in a determination by the Minister under clause 60 and must be either: an accredited entity; an entity that has applied for accreditation; an Australian relying party; or a relying party that is a foreign company registered under the Corporations Act to carry on business in Australia.
A relying party is an entity that needs to have verification of a person's identity, or an element of their identity (such as proof of age), in order to provide a service to the person or to enable the person to access a service. For example, a real estate agent would need to verify the identity of a person to whom they are leasing a property, and a licensed bottle shop would need to verify that a person is at least 18 years of age.[96] A relying party will request the necessary verification from an accredited entity and will rely on that information. Relying parties themselves are not accredited because they do not provide services to other entities within the system.
Although they don’t need accreditation, under paragraph 61(b) a relying party still needs to apply to the Regulator to participate in AGDIS. In doing so, under the exposure draft Digital ID Rules a relying party needs to show that it has plans for interoperability testing, fraud management and business continuity, and has conducted a cyber security incident risk assessment.[97] If under clause 62 a relying party is approved to participate, it is a ‘participating relying party’ (clause 9).
A key objective of the AGDIS is to minimise relying parties’ collection of restricted and superfluous attributes by ensuring relying parties receive only those attributes that are necessary for the particular service the individual is seeking to access.[98]
A great example is getting into a bar: at the moment, most people would hand over their driver’s licence which, on top of information about your age and your face, also tells the bouncer your address completely unnecessarily. Digital identification systems like the federal government’s digital ID scheme restrict redundant information. … A digital identity system replaces these [ie requests for unnecessarily information-rich driver’s licences or bank statements] by creating a scheme that allows the government to “vouch” for you to whoever needs it. So, instead of every institution having to ask for various documents (like the dreaded 100 points of identification documents), they could instead just use this system.[99]
Approval criteria
Subclause 62(4) provides that the Regulator must not approve an entity to participate if a ministerial direction under subclause 73(1) is in force directing the Regulator not to approve the entity on security grounds.
Subclause 73(1) sets out that the Minister ‘for reasons of security within the meaning of the Australian Security Intelligence Organisation Act 1979, including on the basis of an adverse or qualified security assessment in respect of a person’ may, in writing, direct the Digital ID regulator to: refuse to approve an entity’s participation in AGDIS; impose conditions on an approval; suspend an approval; or revoke an approval (item 3 of Schedule 2 to the TCP Bill is also relevant). As outlined in subclause 73(3) any such direction ‘remains in force unless it is revoked by the Minister’, with subclause 73(4) noting that a direction to revoke approval cannot itself be revoked. Subclause 73(5) sets out that a direction is not a legislative instrument.
Any decisions made for reasons of security in relation to an entity that is not an Australian entity are not reviewable decisions (subclause 137(3), and item 4 of Schedule 2 to the TCP Bill). Clause 9 includes a definition of ‘Australian entity’. The Explanatory Memorandum notes non-Australian entities will be able to seek judicial review of such decisions.[100]
Subclause 62(1) provides that the Regulator may approve an entity to participate if:
(a) the entity has made an application under section 61; and
(b) unless the entity is a relying party—the entity is an accredited entity; and
(c) the Digital ID Regulator is satisfied that the entity will comply with the Digital ID Data Standards that apply in relation to the entity and that relate to participation in the Australian Government Digital ID System; and
(d) if the Digital ID Regulator makes a requirement under paragraph 131(1)(a) in relation to the entity—the entity has been assessed as being able to comply with this Act; and
(e) the Digital ID Regulator is satisfied that it is appropriate to approve the entity to participate in the system; and
(f) any other requirements prescribed by the Digital ID Rules are met.
Subclause 62(2) comprises a non-exhaustive list of matters that may be relevant to whether approval would be appropriate under paragraph 62(1)(e) (set out above): whether the entity has appropriate procedures for dealing with the identities of shielded persons (as defined in clause 9), such as those in a witness protection program; and whether the entity is a fit and proper person (see clause 12). In having regard to whether an entity is a fit and proper person, the Regulator must have regard to any matters specified in the Digital ID Rules and may have regard to any other matters considered relevant.
Notification of approval outcomes
Subclause 62(5) will require the Regulator to inform the applicant in writing of its decision and to provide reasons if an application is refused. A decision to not approve would be a ‘reviewable decision’ (see clauses 137 to 140), except for decisions to not approve because a ministerial direction about security is in force (see discussion above about subclauses 62(4) and 73(1)).
Under subclause 62(6) the notice of a decision must set out: whether the entity is a participating relying party or an accredited entity and, if the entity is an accredited entity, the kind of accredited entity it is accredited as; any conditions imposed by the Regulator on the entity’s approval; and the day on which the entity must begin to participate.
Approval conditions
An entity’s approval is subject to conditions. The approved entity must comply with those conditions, and failure to comply may result in suspension or revocation of the entity’s approval (clause 63). Subclause 64(4) comprises a non-exhaustive list of matters to which conditions imposed by the Regulator may relate.
Approved entities’ compliance with the Bill is specified as a condition (subclause 64(1)). In addition, the Regulator may impose conditions on an entity at the time of approval, or later (paragraph 64(2)(a)), either at the Regulator’s initiative or on application by the entity (subclause 64(3)). Under paragraph 64(2)(b) the Regulator must impose conditions if directed to do so by a ministerial direction under subclause 73(1), which relates to security.
Subclause 64(5) provides that the Digital ID Rules issued by the Minister may determine that the approval of each entity, or each entity included in a specified class, is subject to specified conditions.
The Bill addresses circumstances where the Regulator is proposing to impose a condition on an entity’s approval for participation that would authorise the entity to collect or disclose a restricted attribute of an individual (subclauses 65(1) and (2)), or where the Minister is proposing to make Digital ID Rules that would impose a condition authorising an approved entity to collect or disclose a restricted attribute (subclauses 65(4) and (5)). If the Regulator imposes a condition authorising the entity to collect or disclose a restricted attribute of an individual, the Regulator must publish on its website a statement of reasons for giving the authorisation (subclause 65(3)).
Approvals register
Clause 121 provides that the Regulator must establish and maintain the ‘AGDIS Register’ of entities that are approved to participate in the AGDIS. The Register must be made publicly available on the Digital ID Regulator’s website.
The Register must include: each service a participating relying party is approved to provide or provide access to; and, if the entity is an accredited entity, the kind of accredited entity it is accredited as. The Register must also include any participation conditions imposed by the Regulator, and information about whether the entity’s approval has been suspended or revoked. Information about an entity will remain on the register for three years after the entity’s approval is revoked. The Digital ID Rules may prescribe other information to be included in the Register.
Varying accreditation or approval to participate
Clauses 24 and 70 will (respectively) allow the Digital ID Regulator to vary an entity’s accreditation or approval to participate in AGDIS where the entity’s name has changed. The Explanatory Memorandum provides the example of a government entity that changes its name in a Machinery of Government (MOG) change.[101] The Digital ID Regulator may also vary conditions on accreditation or an approval to participate.
Suspending accreditation or approval to participate
Clauses 25 and 71 specify when an entity’s accreditation or approval to participate must or may be suspended, and the effects of suspension. Subclauses 25(1) and 71(1) provide that the Regulator must suspend an entity’s accreditation or approval to participate if, for reasons of national security (see clauses 27 and 73), the Minister has given a direction to suspend the entity’s accreditation or approval. The suspension remains in force until revoked by the Minister.
Subclauses 25(2) and 71(2) list grounds on which the Regulator may suspend an entity’s accreditation or approval to participate in the AGDIS. An example is if a body corporate is in receivership or under administration (a Chapter 5 body corporate within the meaning of the Corporations Act). Alternatively, circumstances specified in the Accreditation Rules or Digital ID Rules (as relevant) may apply to the entity, resulting in suspension.
Other possible circumstances are less clear-cut and involve the Regulator’s reasonable belief. The Regulator may reasonably believe the accredited or approved entity has contravened or is contravening the Act, or be satisfied that it is not appropriate for the entity to be an accredited entity or participate in the AGDIS.
In relation to suspension of approval to participate in the AGDIS, the Regulator may reasonably believe there has been a cyber security incident involving the entity and the incident involves a risk to the operation of the AGDIS. In relation to suspension of accreditation, the Regulator may reasonably believe there has been a cyber security incident involving the entity, or that a cyber security incident involving the entity is imminent. Noting that the Bill has changed since the exposure draft in 2023, a law firm has observed:
Previously, accreditation could be suspended for a cyber security incident attempt. However, during consultation, industry commented that entities and government agencies are routinely subject to ‘attempts’, which are successfully prevented. Accordingly, allowing accreditation to be suspended for cyber security incident attempts may overburden regulators and participants, who may be subject to unnecessary notification requirements where there has been no actual breach. The wording has since been amended so that an entity’s accreditation cannot be suspended unless the Regulator is satisfied that the relevant cyber security attempts involve an unacceptable risk to the provision of the entity’s accredited services.[102] [emphasis added]
Cyber security incidents are discussed in more detail in a later section of this Digest.
Subclauses 25(6) and 71(5) provide that an entity may apply for its accreditation or approval to be suspended, in which case the Regulator may (but is not required to) agree to the suspension. The Explanatory Memorandum provides the example of an entity seeking suspension while it is considering whether to end its accreditation or participation.[103]
If the Regulator proposes to suspend an accreditation or approval, subclauses 25(7) and (8) and 71(6) and (7) will require that a ‘show cause’ notice is given to the entity, but subclauses 25(9) and 71(8) provide that this is not required if the suspension is on cyber security grounds. Subclauses 25(1) and 71(9) provide that if the Regulator suspends an accreditation or approval, the Regulator must give a written notice to the entity. Revocation of a suspension must also be by written notice to the entity (subclauses 25(12) and (13) and subclauses 71(11) and (12)).
Subclauses 25(11) and 71(13) provide that, while a suspension is in force:
- an accredited entity is taken not to be accredited and not to hold an approval to participate in the AGDIS and
- an approved entity is taken not to hold the approval.
The Explanatory Memorandum clarifies that the entity will continue to be subject to regulatory powers of the Regulator and may also be subject to compliance action for matters that occurred while the entity was accredited or participating in the AGDIS.[104]
Revoking accreditation or approval to participate
Subclauses 26(1) and 72(1) will provide that the Digital ID Regulator must revoke an entity’s accreditation or approval to participate in the AGDIS (as relevant) if the Minister has given a direction, for reasons of security, to revoke the entity’s accreditation or approval (see clauses 27 and 73). Under subclauses 27(4) and 73(4) the Minister cannot revoke a direction under which an entity’s accreditation or approval is revoked. The Explanatory Memorandum states that ‘nothing prevents the entity from re-applying’ for accreditation or approval.[105]
Subclauses 26(2) and 72(2) list grounds on which the Regulator may revoke an entity’s accreditation or approval to participate in the AGDIS. An example is if a body corporate is in receivership or under administration (a Chapter 5 body corporate within the meaning of the Corporations Act). Alternatively, circumstances specified in the Accreditation Rules or the Digital ID Rules (as relevant) may apply to the entity, resulting in revocation.
Other possible circumstances are less clear-cut and involve the Regulator’s reasonable belief. The Regulator may reasonably believe there has been a cyber security incident involving the entity and the incident is serious. Cyber security incidents are discussed in more detail in a later section of this Digest. The Regulator may reasonably believe the accredited or approved entity has contravened or is contravening the Act, or be satisfied that it is not appropriate for the entity to be an accredited entity or participate in the AGDIS.
Subclauses 26(5) and 72(5) provide that an entity may apply for its accreditation or approval to be revoked, in which case the Regulator must approve the revocation. Under subclauses 26(8) and 72(6) before revoking an entity’s accreditation or approval under subclauses 26(2) or 72(2) the Regulator must have given a show cause notice to the entity. However, this is not necessary if the revocation of accreditation is on cyber security grounds (paragraph 26(2)(b)).
Under subclauses 25(11) and 72(8) the Regulator must give written notice of revocation to the entity.
Under subclause 26(7), if an accredited entity’s accreditation is revoked and it holds an approval to participate in the AGDIS, the Digital ID Regulator must at the same time revoke the entity’s approval to participate.
Revocation of accreditation or approval to participate will be reviewable decisions (clauses 137 to 140), other than when revocation results from a direction by the Minister under subclauses 27(1) or 73(1) to revoke the entity’s accreditation or approval for reasons of security (see Table items 8 and 18 in the table at subclause 137(1) and subclause 137(3)).
On commencement of the Bills
Paragraphs 61(a) and (b) have the effect that, at the commencement of the legislation, a wide range of Commonwealth entities may apply for approval.
Additionally, subitem 4(1) of Schedule 1 to the TCP Bill provides that, immediately after commencement:
- the Commissioner of Taxation will be taken to be approved to participate in the AGDIS as an accredited attribute service provider and an accredited identity service provider and
- Services Australia will be taken to be approved to participate in the AGDIS as an accredited identity exchange provider
with both entities being subject to the conditions specified in subitem 4(1).
The Explanatory Memorandum provides that the Commissioner of Taxation and Services Australia ‘have already been approved to participate in the existing, unlegislated the AGDIS and accredited under the unlegislated TDIF, subject to the same conditions’.[106] This ‘will help ensure these entities can continue providing uninterrupted services to the Australian community upon the commencement of the [DID] Bill’.[107]
Other entities may be prescribed in transitional rules made by the Minister under item 10 of Schedule 1 to the TCP Bill to be taken to be approved to participate in the AGDIS as accredited entities on commencement.
Subitem 4(2) of Schedule 1 to the TCP Bill further provides that, immediately after commencement, the following will be taken to be participating relying entities in the AGDIS:
- the Australian Communications and Media Authority (ACMA)
- the Australian Financial Security Authority
- the Australian Sports Commission
- the Commissioner of Taxation
- the Civil Aviation Safety Authority
- Defence
- IP Australia
- Services Australia and
- the Student Identifiers Registrar.
These entities will be subject to the conditions specified at subitem 4(2) and are approved to provide the services set out in that provision (for example, ACMA is approved to provide the service known as ACMA Assist and the Commissioner of Taxation is approved to provide the online Tax File Number service and the ATO Online Services for Individuals). The Explanatory Memorandum provides that ‘these are Commonwealth entities that have already been approved to participate in the unlegislated AGDIS, as participating relying parties, subject to the same conditions’.[108]
Other entities may be prescribed in transitional rules made by the Minister under item 10 of Schedule 1 to the TCP Bill to be taken to be approved to participate in the AGDIS as relying parties on commencement.
Subsequent phasing-in
As indicated by Figure 4, phasing-in is the progressive opening of the AGDIS to additional entities beyond the initial Commonwealth entities—in other words, the means by which an economy-wide digital ID system will be established, as distinct from a digital ID system largely limited to Commonwealth Government agencies.[109]
The mechanism by which ‘phasing-in’ will be given effect is that, to apply for approval to participate in the AGDIS, entities must first be specified in a determination by the Minister under clause 60 (as discussed above).
Anticipated phases
Without specifying timeframes, Minister Gallagher has foreshadowed the following four phases:
Phase 1: Legislate the DID Bills; establish the rules, the regulator and protections; and expand use across government and the accreditation of public and private providers.
Phase 2: Allow use of state and territory Digital IDs to access Commonwealth services.
Phase 3: Allow use of myGovID in the private sector, for example, to open a new account with an Australian bank, or for identity verification when signing a contract such as a real estate lease.
Phase 4: Allow use of accredited private sector Digital IDs to verify identity when accessing some government services.[110]
Following phase 1, the Minister will determine the timing of each subsequent phase by determining the entities that may apply to the Digital ID Regulator for approval to participate in the system (clause 60). After each such decision by the Minister, each phase will be given effect by the Regulator accrediting entities and approving additional entities to participate in the system.
Subclause 60(2) provides that a determination by the Minister ‘may specify entities in any way’.
Timing of phases
The Explanatory Memorandum states that ‘it is expected that each phase will proceed sequentially as each preceding phase is demonstrated to be sufficiently matured’ but the Government has not foreshadowed the timing of the phases. According to the Explanatory Memorandum, the proposed mechanism (ie the provisions of clause 60) ‘allows the Minister to ensure the new legislated AGDIS is bedded down and operating as necessary to allow expansion by phases’.[111]
This suggests that the timing will be decided by the Minister based on the Minister’s views on the extent to which, after each new phase is added, the system is ‘bedded down’ and ‘operating as necessary’. As these criteria are not technical in nature, it can be assumed or hoped that, in forming a view about the two criteria, the Minister would seek advice from participants in the system and the entities involved in the governance arrangements.
Stakeholders’ views on phasing-in are discussed above in the context of ‘Position of major interest groups’ and ‘Committee consideration’.
Figure 4: Potential phasing-in of approval to participate in the AGDIS under the DID Bill
Sources and further information follow.
Notes on Figure 4
Created by the Library, this diagram is based on analysis of the DID Bill, Your guide to the Digital ID legislation and Digital ID Rules and public comments by Minister Gallagher.[112] The Department of Finance has stated that the details of phasing-in may be adjusted based on stakeholder feedback.[113] Additional notes on specific elements are:
- Attribute Verification Services: Under subclause 78(3), the Regulator may need to be informed of contractors participating in the ecosystem, for example facilitating document verification and liveness checks.
- Commonwealth Identity Service Provider: There are no announced plans for another Commonwealth identity service provider.
- Commonwealth Identity Exchange: Services Australia will continue to operate the exchange.
- Government Relying Parties: Only Commonwealth Government services are included in the TCP Bill, not the state and territory services currently available in the AGDIS.
- Attribute Service Providers: Only the ATO’s Relationship Attribute Manager is taken to be approved in the TCP Bill. There could potentially be other attribute service providers operated by governments or the private sector.
- State and Territory Identity Service Providers: Only identity service providers appear to be envisaged, but these governments may also operate identity exchanges, and it is unclear if they would be incorporated into the AGDIS.
- Private sector Identity Service Providers and Identity Exchanges: Which private sector services intend to operate in the AGDIS is not known. Private sector entities accredited under the TDIF are discussed in the notes for Figure 2.
- Private sector Relying Parties: Examples given by the Explanatory Memorandum include opening a bank account and signing up for an energy provider.[114]
Other governance instruments
Digital ID Standards Chair: Service levels
Clause 80 provides for the Digital ID Standards Chair to determine in writing service levels for the availability and performance of services provided by entities participating in the AGDIS, and to consult with the Regulator before doing so. As explained by the Explanatory Memorandum, service levels will be a legislative instrument but ‘subjecting the service levels to disallowance could lead to inadequate management of day-to-day operation of the AGDIS, particularly should no service levels be in effect’.[115]
Minister: Directions to System Administrator and Digital ID Data Standards Chair
Clause 97 provides that the Minister may give written directions to the System Administrator about the performance of their functions or the exercise of their powers. Any directions must be of a general nature only. As an example, the Explanatory Memorandum observes that ‘the Minister cannot therefore direct the Administrator as to a particular decision involving a participant in the AGDIS’.[116]
Clause 104 provides that the Minister may give written directions to the Digital ID Data Standards Chair about the performance of their functions or the exercise of their powers. Any directions must be of a general nature only.
System Administrator: Directions to entities
Clause 130 enables the System Administrator to give a written direction to entities approved to participate in the AGDIS, or whose approval has been suspended, to protect the integrity or performance of the AGDIS. Subclause 130(2) sets out a non-exhaustive list of matters that may be the subject of a direction including, as examples, the conduct of a fraud assessment or security assessment in relation to a specified matter and the provision of a copy of the report to the System Administrator.
Digital ID Regulator: Directions to entities
Clause 128 enables the Digital ID Regulator to give a written direction to accredited entities, or entities whose accreditation has been suspended, to protect the integrity or performance of the AGDIS. Subclause 128(2) sets out a non-exhaustive list of matters that may be the subject of a direction including, as examples, the conduct of a fraud assessment or security assessment in relation to a specified matter and the provision of a copy of the report to the Regulator.
Under clause 129, if the Regulator reasonably believes that an accredited entity or an entity whose accreditation is suspended has contravened or is contravening a provision of the Act,[117] the Regulator may give the entity a written direction requiring the entity to take specified action directed towards ensuring that the entity does not contravene the provision, or is unlikely to contravene the provision, in the future.
Operation
Transitional arrangements
A law firm has summarised the transitional arrangements:
The Digital ID (Transitional and Consequential Amendments) Bill prioritises making sure that Commonwealth Government bodies currently using and relying on the (unlegislated) AGDIS can continue to operate with minimal disruption. Commonwealth Government bodies and services accredited under the (unlegislated) Trusted Digital Identity Framework (TDIF) are deemed accredited under the new regime, and those approved to participate in the current unlegislated AGDIS are deemed approved under the new regime.
Accreditation and approvals are subject to conditions similar to those that currently apply (for example, limiting accreditation and approvals to specified services, and requiring services to directly connect to Services Australia). This means new or changed services, or changes to how services interconnect, will require review and changes to accreditations and approvals.
The bill does not automatically transfer accreditation or approval for non-Commonwealth entities, recognising that the Accreditation Rules would only be made after the Digital ID Bill commences. But the door has been left open for the Minister to make further transitional rules (including to similarly deem accreditation and approval) in the first 12 months after commencement, allowing the Minister to transfer existing accreditation and approval (potentially subject to conditions).[118] [emphasis added]
Transitional rules
The TCP Explanatory Memorandum states that item 10 of the TCP Bill’s Schedule 1 would enable the Minister to make transitional rules that ‘will be able to address any unforeseen consequences of the principal Bill and minimise the likelihood of any regulatory uncertainty during transition’. The TCP Explanatory Memorandum outlines the need for such transitional rules:
The current unlegislated TDIF is complex, as are the arrangements that the Australian Government has made pursuant to it and the systems that have been developed and the services that are being provided under those arrangements. Additionally, the unlegislated TDIF will continue to operate until the commencement of the principal Bill. Accordingly, new arrangements, systems and services may be made or developed pursuant to the unlegislated TDIF prior to the commencement of the principal Bill.
Given the changing landscape and complexity of the current situation, there is the possibility that the transitional arrangements made by this Bill on commencement might not cover every potential circumstance required to be covered. There may be unintentional and unforeseen consequences that may require additional transitional arrangements being put in place to avoid placing unnecessary additional costs on people and entities.
It is necessary to have the flexibility to deal expeditiously with transitional matters in relation to the AGDIS without the need to amend the principle [sic] Bill. The most practical and appropriate way of dealing with such matters will be through subordinate legislation.[119] [emphasis added]
Transitional rules made within 12 months after commencement may modify the effect of provisions in the DID Bill or the TCP Bill (subitem 10(3)). This is a ‘Henry VIII’ clause, as it permits regulations to be made that modify the operation of primary legislation.[120] The Scrutiny of Bills Committee often raises concerns with these clauses ‘as such clauses impact on the level of parliamentary scrutiny and may subvert the appropriate relationship between the Parliament and the Executive’.[121] Subitem 10(4) specifies various matters that may not be prescribed by rules (eg create an offence or civil penalty, or impose a tax).
The transitional rules will be legislative instruments for the purposes of the Legislation Act 2003, and will be subject to Parliamentary scrutiny and disallowance. The rules will be available on the Federal Register of Legislation.
Multi-party statutory contract
Clause 85 provides for a statutory contract between entities participating in the AGDIS. This is similar to the contractual arrangement between data holders and accredited persons established in the Consumer Data Right (CDR) by section 56FD of the Competition and Consumer Act 2010.
Under clause 85 an accredited entity will be taken to have a separate contract with each other accredited entity, and with each participating relying party. Each accredited entity agrees to:
- provide the entity’s accredited services while participating in the Australian Government Digital ID System in compliance with this Act (other than the service levels determined under section 80), to the extent it relates to verifying the identity of an individual or authenticating a digital ID of, or information about, an individual [paragraph 85(1)(c)]; and
- comply with requirements in relation to intellectual property rights that are prescribed by the Digital ID Rules for the purposes of this paragraph [paragraph 85(1)(d)].
The contract is taken to start on the day that the participation start day[122] for both entities has arrived or passed, and end on the day on which the approval to participate in the system has been revoked for one or both of the entities (clause 85(2)).
The Digital ID Rules may provide that some provisions of this Act (which is defined to include the Digital ID Data Standards and other legislative instruments) are not covered by the contract (clause 85(5)).
Recourse, and protection from liability
A law firm has published its views on the statutory contract arrangements, including protection from liability in certain circumstances (clause 84):
Under the statutory contract, an accredited entity agrees to comply with a limited set of obligations:
- to provide accredited services while participating in AGDIS in compliance with the obligations relating to verifying the identity of an individual or authenticating the Digital ID or information about an individual; and
- to comply with prescribed requirements in relation to intellectual property rights …
This means that the direct recourse that a party to a statutory contract will be able to seek from the other party to the statutory contract is limited, as it will be restricted to these set obligations. It also means that only accredited entities, and not relying parties, have obligations under the statutory contract.
Accredited entities are protected from liability in certain limited circumstances [(clause 84)]. An accredited entity will have no civil or criminal liability if:
it provides or does not provide an accredited service within the AGDIS;
provided that it has both acted in good faith and complied with its legislated obligations (other than the service levels).
The bill has been updated since consultation to also provide a liability shield where a non-compliance occurs, but the non-compliance is not the ground or cause of the relevant action or proceeding. This change should mean that the liability shield will not be lost due to unrelated non-compliances (such as technical or irrelevant ones) … The statutory contract and liability shield leaves participants in the position where demonstrating compliance can mean the difference between absolute immunity and unpredictable liability – without the benefit of normal commercial tools like liability caps, exclusions of consequential or indirect loss, or force majeure regimes.
The Government has recognised this concern and included rule-making powers that will enable the Minister to limit the types of loss recoverable, introduce liability caps, exclude obligations from the statutory contract, or to exclude certain conduct or circumstances as breaches of the statutory contract. While no such modifications were included in the exposure draft Digital ID Rules, participants and potential participants will likely want further clarity.[123] [emphasis added]
The Senate Standing Committee for the Scrutiny of Bills sought advice from the Minister as to why it is considered necessary and appropriate to provide an accredited entity immunity from civil and criminal liability so that affected persons have their right to bring an action to enforce their legal rights limited to situations where lack of good faith is shown.[124]
The Minister for Finance advised that clause 84 is an element of the Bill’s attempt to incentivise accredited entities to participate in the AGDIS. Although the provision grants accredited entities protection from liability, the Minister advised that this is limited in a number of ways, including that the protection ‘does not apply to individuals using their Digital ID to access services within the AGDIS’ and that a limit on liability is common in commercial contractual relationships. The Minister also advised that the Department would work with drafters to ensure that the provision applies only to the parties to the statutory contract as intended.[125]
The Scrutiny Committee thanked the Minister for her response and made no further comment on this issue.[126]
Insurance
In connection with the contractual arrangements, clause 86 enables the Digital ID Regulator to direct an accredited entity participating in the AGDIS to maintain ‘adequate’ insurance against any liabilities arising in connection with the obligations under clause 85. The Bill does not offer any additional explanation of what would constitute ‘adequate’ insurance. The Explanatory Memorandum states:
The requirement to maintain adequate insurance could be satisfied by self-insurance of liability, where an entity is of sufficient size, scale and financial standing to satisfy the Regulator that self-insurance is appropriate. In deciding what insurance is adequate generally, the Regulator is expected to have regard to the practical availability of insurance in the marketplace.[127] [emphasis added]
This aspect (‘adequate’ insurance) gives the Regulator considerable latitude and responsibility, and imposes an obligation to maintain a close familiarity with products available to participants in the insurance market. It also raises the question of whether, in a worst-case scenario, the Regulator could be subject to criticism or even legal action in relation to their judgement about ‘practical availability’ and what is ‘adequate’ or ‘appropriate’, especially in the context of self-insurance, which involves the assessment of an entity’s size, scale and financial position.
Testing
Clause 81 of the DID Bill empowers the System Administrator to authorise an entity to conduct testing on the AGDIS without having to hold an approval to participate. The Explanatory Memorandum suggests that ‘entities may wish to determine their capability or suitability to participate in the AGDIS’.[128]
A private law firm has highlighted that the TCP Bill includes a separate provision for testing:
to allow the Commonwealth to test plans, systems and business processes for future expansion of the AGDIS by:
- transferring accreditation of state or territory government services accredited under the TDIF and participating in the AGDIS; or
- approving state and territory services to participate as "relying parties" in the AGDIS; and
- approving private sector services to participate as "relying parties" in the AGDIS.
This ability for the Commonwealth to test systems and processes is in addition to the AGDIS System Administrator (ie: Services Australia) power under the Digital ID Bill [clause 81] to authorise entities to conduct testing in the AGDIS without holding an approval to participate from the Digital ID regulator, which may be granted for up to three months and can be conditional.[129] [emphasis added]
The TCP Explanatory Memorandum outlines that:
the transitional rules listing entities in item 4 of the table in subitem 4(1) would have the effect of facilitating the transition to the legislated AGDIS a State or Territory government body accredited under the unlegislated TDIF and participating in the unlegislated AGDIS for the purposes of the Commonwealth testing its plans, systems and business processes for the future expansion of the legislated AGDIS. … Item 10 of the table in subitem 4(2) provides for entities to be prescribed in the transitional rules, made by the Minister under item 10(1) of this Bill. … State and territory government bodies or private sector entities may seek approval to participate in the existing unlegislated AGDIS as relying parties. Some of these entities might be given such approval by the Australian Government for the purposes of allowing the Commonwealth to test its plans, systems and business processes for the future expansion of the legislated AGDIS.[130] [emphasis added]
Fees and charging frameworks
Under subclause 144(3), fees cannot be charged to an individual for the creation or use of a Digital ID.
Under paragraph 144(1)(a) the Digital ID Rules may make provision in relation to the charging of fees by the Digital ID Regulator. Clause 145 provides that the Minister must initiate a review of the Regulator’s fees every two years with a report about each review published on the Regulator’s website. There is no requirement to table these reports in Parliament.
The Scrutiny Committee sought advice from the Minister as to whether the Bill could be amended to require reports prepared under clause 145 to be tabled in Parliament to improve parliamentary scrutiny.[131]
The Minister for Finance advised that ‘should the committee express a preference for tabling in Parliament, the minister has no reservations about doing so’.[132]
The Scrutiny Committee thanked the Minister for her response and asked for amendments to clause 145 to be moved to require tabling of reports.[133]
Subclause 148(2) provides that the Digital ID Rules may also make provision in relation to the charging of fees by accredited entities for services provided in relation to the AGDIS. Subclause 148(5) clarifies that clause 148 and any associated Rules do not otherwise affect the ability of an accredited entity to charge fees for its accredited services, either in relation to the AGDIS or otherwise.
Under paragraph 144(1)(b) the Digital ID Rules may also make provision in relation to the charging of fees by ‘other persons to whom application may be made under this Act’.
Federated approach
The DID Bill provides that, initially, only Commonwealth Government providers are accredited and approved to participate in the AGDIS. However, the DID Bill provides for the AGDIS to expand in phases to include state government and private sector identity exchanges, identity service providers and relying parties.
This ‘federated’ approach contrasts with notable overseas digital identity systems, such as those of India and Singapore, in which a single centralised identity service provider can be used by relying parties, including private sector relying parties such as banks.
High rates of adoption have been reported for Singapore (97%) and India (94.8%).[134] However, the centralised approach has been accompanied by concerns. Singpass is reportedly a target for scams, with a single system providing digital identity to all users becoming a ‘treasure trove’ for malicious actors.[135] India’s Aadhaar system has been criticised internationally for being ‘prone to data leaks’ and enabling central surveillance.[136]
The inclusion of alternate providers in a federated system may mitigate these concerns, because having multiple services can reduce the impact of a single host being compromised and can enable greater user control of data. Figure 1 shows the current TDIF system in which the user selects the exchange and identity service provider they want to use. Currently, one option is available at each stage, but it is intended that alternate providers will join.
However, a system based around a choice of alternate providers makes for complexity. If the AGDIS were a service provided by a single government department, similar to the Digital Driver Licence currently available in NSW, much of the DID Bill may not be needed. It would not be necessary to include provisions that aim to ensure that disparate participating entities, covering a range of different organisations, are effectively integrated into an interoperable system with consistent protections for users.
With the inclusion of alternate providers, a key element in the architecture of a federated system must be interoperability, that is, ensuring that relying parties, and the providers they rely upon, are interacting through consistent and interoperable systems. Clause 79 allows for an interoperability provision to be created in the Digital ID Rules, requiring entities operating within the AGDIS to provide services to other entities participating in the system. This, along with the Digital ID Data Standards (clause 99), aims to provide a consistent experience across Digital ID providers while supporting customer choice and data portability.
Voluntariness and equity of access
The DID Bill intends to create a voluntary system. Subclause 74(1) states that a participating relying party must not require an individual to create or use a digital ID to access or receive a service. However, the DID Bill also provides for exceptions (subclauses 74(2) and (3)) and exemptions (subclauses 74(4) to (8)). In addition, there are some ambiguities around arrangements for individuals who choose not to create or use a digital ID, including in relation to vulnerable people.
Exceptions
Under subclause 74(2), if a participating relying party’s service on the AGDIS allows an individual to access another service online, and the individual can access that other service without using a Digital ID, this would not constitute a contravention of subclause 74(1), because the individual can choose whether to use their Digital ID or access the other service in another way.
The protection for the voluntary nature of Digital ID does not extend beyond the prohibition on requiring Digital ID. It is not clear from the Bill whether relying parties will be required to provide equally accessible pathways, and it is open for alternate pathways to have additional fees or barriers to service attached, such as limited accessibility.[137] Alternative pathways may also lack the privacy and security protections Digital ID providers are required to have, potentially exposing individuals who choose not to or cannot use Digital ID to fraud.
At the Committee hearing on 9 February 2023, Senator Shoebridge asked NAB/APP+/ABA whether there was an intention/expectation that the alternative service would be ‘comparable’.[138] Continuing this line of inquiry, Senator Rennick and Senator Canavan queried the practical availability of alternative service when banks, for example, are closing physical branches in regional and suburban centres.[139]
Under paragraph 74(3)(a), subclause 74(1) would not be applicable in a circumstance where the participating relying party is providing a service or access to a service to an individual who is acting on behalf of another entity in a professional or business capacity. In this case the Digital ID to be used appears to be that of the principal authority for sole traders, or as an eligible individual associate or government representative. This is similar to current arrangements for access to ATO and ABRS services.[140]
Under paragraph 74(3)(b), subclause 74(1) would not apply if the participating relying party holds an exemption under subclause 74(4).
Exemptions
Under subclause 74(4), the Regulator may, on application of a participating relying party, grant an exemption from being subject to subclause 74(1) if the Regulator is satisfied that it is appropriate to do so. This option is not available to Commonwealth entities and companies (subclause 74(6)). Relying parties that may be granted exemption from the requirement for voluntary Digital ID are small businesses, services provided solely online, and services provided in exceptional circumstances (subclause 74(5)). The decision by the Regulator to refuse to grant an exemption is a reviewable decision (see clauses 137 to 140).
Representatives or nominees of individuals
Paragraph 28(2)(h) provides that the Accreditation Rules may deal with matters relating to representatives or nominees of individuals in relation to the creation, maintenance or deactivation of digital IDs of individuals.
Draft Digital ID Accreditation Rules released for a consultation process in September 2023 did not address this issue. It could be expected that Accreditation Rules will address the creation and maintenance of digital IDs in circumstances where an individual has established or is subject to powers of attorney, appointments of enduring guardianship, advance health directives or medical consents.
Helpdesk functionality
There is no specific requirement in the DID Bills for a helpdesk functionality to be available to assist individuals to use the Digital ID system. Under subclause 30(1) the Accreditation Rules must provide for requirements relating to ‘the accessibility and useability of the accredited services of accredited entities’ and, under subparagraph 28(2)(a)(vi), may deal with ‘user experience and inclusion’. The Accreditation Rules will be disallowable instruments, so the Parliament will have opportunities to scrutinise and disallow (clause 168).
In the draft Accreditation Rules released for consultation in late 2023 two clauses reproduced below were relevant (rules 4.48 and 5.33). However, the provisions appear to anticipate that:
- the helpdesk functionality will not be required to be provided for general use, but only for a subset of individuals (ie ‘individuals who are unable to use the entity’s DI [Digital ID] data environment independently’)
- the helpdesk functionality may only be required to service particular types of problems (eg ‘during the identity proofing process’) and
- there will be no single helpdesk for individuals to access – individuals will liaise with ‘their’ separate accredited identity service provider (ISP).
4.48 Usability and Accessibility support
(1) An accredited entity with public-facing accredited services must:
(a) provide assisted digital support to individuals who are unable to use the entity’s DI [Digital ID] data environment independently and notify individuals of such support; and
(b) notify individuals of alternative channels (if any) made available by the entity for individuals to obtain the benefit of the entity’s accredited services.
Note 1: For subrule (a), assisted digital support may include for example, a monitored email address, a chat function or a call centre.
Note 2: For subrule (b), alternative channels may include for example, an in-person shopfront.
(2) An accredited entity with public-facing accredited services must take reasonable steps, including having processes and procedures, to:
(a) allow individuals to seek assistance or otherwise resolve disputes or complaints in relation to the entity’s accredited services … [emphasis added]
5.33 User experience requirements …
(7) The ISP must provide support to individuals who need assistance during the identity proofing process, including providing clear instructions on how the individual can update their personal information collected by the ISP as part of the identity proofing process.
Note: Examples of appropriate support included support through a shopfront, a call centre that is contactable by the national relay service and a text-based support such as an online chat window. [emphasis added]
Redress framework
The Explanatory Memorandum acknowledges that, through their participation in the AGDIS, ‘businesses and individuals may suffer loss or damage if they are affected by an incident, including digital ID fraud incidents and cyber security incidents’[141] and anticipates that:
when incidents relating to accredited services occur within the AGDIS [a] redress framework will ensure that individuals and businesses are provided with information, assistance and support by accredited entities.[142] [emphasis added]
The DID Bill does not establish a redress framework, describe how it will operate, or outline its scope. Subclause 88(1) establishes that a redress framework may be provided for in the Digital ID Rules. Subclause 88(2) lists a range of matters that may be dealt with by the redress framework.
The Explanatory Memorandum emphasises that businesses and individuals who believe they have been adversely affected by an incident will be provided with information, assistance and support by accredited entities, not by a Government entity that administers or governs the system.
Privacy and Trust
Digital IDs for children
Paragraph 28(2)(i) provides that the Accreditation Rules may deal with requirements or restrictions relating to the generation of digital IDs for children. The current threshold for obtaining a Tax File Number (TFN) and a Medicare card is 15 years of age. Draft Accreditation Rules released for a consultation process in September 2023 set the minimum age for a Digital ID at 15, but also noted:
it is proposed to change this rule to individuals of 14 years to maintain consistency with other schemes. This is subject to consultation feedback and compliance with the Age Discrimination Act.[143] [emphasis added]
The Explanatory Memorandum for the TCP Bill states that the Accreditation Rules will provide that ‘an accredited entity must not generate a digital ID for a person if the person requesting the digital ID is less than 14 years of age’.[144]
Digital ID trustmarks
Clause 117 provides that the Digital ID Rules may specify digital ID trustmarks that may or must be used by accredited entities and participating relying parties. A trustmark may be a mark, symbol, logo or design. The Digital ID Rules may also specify conditions or requirements for the use and display of a trustmark.
The purpose is to foster public trust and confidence in accredited entities and relying parties that are approved to participate in the system. For that reason, the Bill includes provisions that aim to ensure trustmarks will not be misused or misrepresented.
There will be civil penalties of up to 1,000 penalty units for: the unauthorised use of a digital ID trustmark (subclause 118(2)); the use of a mark, symbol, logo or design ‘closely resembling’ a digital ID trustmark (subclause 118(3)); or, if the Digital ID Rules require display, failure to display a digital ID trustmark (clause 119). The Explanatory Memorandum notes that:
These civil penalty provisions are enforceable by the Digital ID Regulator under the Regulatory Powers Act, which also sets out relevant evidentiary requirements. Consistent with the Guide to Framing Commonwealth Offences, in setting the maximum penalty consideration has been given to ensuring adequate deterrence, that the penalty take into account the cost of pursuing action in court and ensuring that the pecuniary penalty amounts are proportionate to the seriousness of the contravention.
The maximum penalties are intended to be a deterrent. The use of trustmarks gives consumers confidence when verifying their identity that they are dealing with an entity that has chosen to adhere to the strong privacy, consumer and security requirements of the Act and rules.[145]
Restrictions on data profiling
In clause 53 the Bill sets out prohibitions on an accredited entity’s use of data profiling to track online behaviour, which includes using or disclosing information about an individual’s access or attempted access to services provided by the entity, how and when access was sought, the method of access, and the time and date that the individual’s identity was verified. However, paragraph 53(3)(a) provides for an exemption if this use is for purposes relating to the entity’s provision of accredited services (‘including improving the performance or useability of the entity’s information technology systems through which those services are provided’). Several other exemptions are also set out, being for the purpose of the entity complying with the Act, or when the use or disclosure of the information ‘is required or authorised by or under a law of the Commonwealth, a State or a Territory’ (paragraphs 53(3)(b) and (c)).
Access
Law enforcement access to Digital ID data
With respect to privacy safeguards, the Bill (clause 49) sets strict limits around law enforcement agency access to biometric information, providing that an accredited entity can disclose biometric information of an individual to a law enforcement agency (within the meaning of the Australian Crime Commission Act 2002) only if:
(a) the disclosure of the information is required or authorised by or under a warrant issued under a law of the Commonwealth, a State or a Territory; or
(b) the information is disclosed with the express consent of the individual to whom the biometric information relates, or purports to relate, and the disclosure is for the purpose of:
(i) verifying the identity of the individual; or
(ii) investigating or prosecuting an offence against a law of the Commonwealth, a State or a Territory.
(4) Subsection (3) applies despite:
(a) any law of the Commonwealth, a State or a Territory (whether enacted or made before or after this subsection); or
(b) a warrant (other than a warrant of a kind mentioned in paragraph (3)(a)), authorisation or order issued under such a law.
In the Australian Crime Commission Act, law enforcement agency is defined as meaning the Australian Federal Police, a police force of a state, the ACT or the NT or ‘any other authority or person responsible for the enforcement of the laws of the Commonwealth or of the States, [the ACT or the NT]’.
Intelligence agency access
The Bill is silent on intelligence agency access to Digital ID data. However, given that a key role of ASIO is in providing security assessments relating to the Digital ID system, it is possible that ASIO may require access to Digital ID information to do so.
Reportable matters
Fraud
The Bill defines what constitutes a digital ID fraud incident in clause 9, and multiple parts of the Bill address fraud-related matters. Fraud control is an area that Accreditation Rules may deal with (paragraph 28(2)(iii)), and which may include ‘requirements relating to the conduct of, and reporting on … fraud assessments …’. The Accreditation Rules may also prescribe requirements in relation to the reporting of fraud prevention or investigation activities to the Digital ID Regulator (paragraph 49(9)(b)). In relation to biometric information, subclause 52(2) provides that the Accreditation Rules may provide for requirements relating to fraud, among other matters.
The Bill provides exemptions from civil penalties for an accredited entity’s disclosure of a unique identifier to another accredited entity or relying party, if the disclosure is for the purpose of ‘detecting, reporting or investigating’ a digital ID fraud incident (subparagraph 47(4)(c)(i)). In the general rules relating to authorisations for an accredited entity to collect, use or disclose biometric information of an individual, the Bill provides that such information may be retained, used or disclosed by an accredited entity ‘for the purposes of preventing or investigating a digital ID fraud incident’ (paragraph 49(8)(b)).
Paragraph 51(5)(a) sets out conditions on the time frame in which biometric information of an individual retained for the purposes of preventing or investigating a digital ID fraud incident must be destroyed, providing that destruction must take place ‘at the earlier of … immediately after the completion of activities relating to the prevention or investigation of the digital ID fraud incident’, or ‘14 days after the entity collects the information’. Failure to do so attracts a maximum civil penalty of 1,500 penalty units ($469,500).
Subparagraph 54(1)(b)(iv) sets out restrictions relating to the disclosure of certain personal information by an accredited entity to an enforcement body and provides an exemption for the use or disclosure of that information ‘for the purposes of reporting a suspected or actual digital ID fraud incident’. The Bill provides the Digital ID Rules may specify digital ID fraud incidents as a type of reportable incident (paragraph 78(3)(a)). Paragraph 88(2)(b) allows any redress framework set out in the Digital ID Rules to cover digital ID fraud incidents (among other matters).
The Bill provides for the Digital ID Regulator to be able to give a direction in writing to accredited entities and ‘entities whose accreditation as an accredited entity is suspended’, that directs the ‘conduct of a fraud assessment in relation to a specified matter’, and that a copy of the report in relation to the assessment be provided to the Digital ID Regulator (paragraph 128(2)(b)). The maximum civil penalty for an entity failing to comply with a direction is 1,000 penalty units.
Paragraph 130(2)(b) sets out the conditions under which the System Administrator may give a direction to an entity approved to participate in the AGDIS, or an entity whose approval to participate has been suspended, that they ‘conduct a fraud assessment in relation to a specified matter, and provide a copy of the report in relation to the assessment to the System Administrator’. Failure to comply with the direction attracts a maximum civil penalty of 1,000 penalty units.
The Bill also provides for the Digital ID Regulator to direct an entity to undergo a compliance assessment if the Regulator suspects or is satisfied that a digital ID fraud incident has taken place (subparagraph 131(1)(b)(ii)). The Digital ID Regulator must include in its annual report the number of digital ID fraud incidents and the responses to them (subparagraph 154(2)(b)(iii)).
Cybersecurity
The definition of a cyber security incident in clause 9 of the Bill includes attempted incidents as well as successful access to, modification of, interference with, or impairment of systems, services or networks. This is inconsistent with commonly accepted definitions. For example, the definition contained in the Australian Cyber Security Centre’s (ACSC) Information Security Manual (ISM) requires that an unwanted or unexpected event has ‘either compromised business operations or has a significant probability of compromising business operations’.[146] A number of submissions on the consultation drafts questioned the definition used in the Bill, with a number of industry groups suggesting that the definition be narrowed so that it only applies to ‘systems, services or networks’ that, if compromised, ‘have the capacity to pose a risk to the integrity of the digital ID system’[147] or to incidents that impact the ‘availability, integrity, reliability or confidentiality of the AGDIS’.[148]
Paragraphs 25(2)(b) and (c) allow the Digital ID Regulator to suspend accreditation of an entity if the Regulator reasonably believes that a cyber security incident has occurred or is imminent. Suspension in case of an imminent incident has raised concerns among stakeholders.[149] Subclause 25(3) restricts suspension of accreditation where a cyber security event is an attempted intrusion to circumstances where the Digital ID Regulator is satisfied the attempts ‘involve an unacceptable risk to the provision of the entity’s accredited services’. This may help alleviate stakeholder concerns, but the clause still encompasses imminent cyber security events as a basis for suspension of accreditation. Suspension under paragraphs 25(2)(b) or (c) does not require advance written notice (subclause 25(9)).
Paragraph 26(2)(b) allows the Digital ID Regulator to revoke accreditation if a serious cyber security incident has occurred. Subclause 26(10) exempts revocation on this basis from requiring a prior show cause notice. As with digital ID fraud incidents, subparagraph 47(4)(c)(ii) provides for an exemption from civil penalty for an accredited entity’s disclosure of a unique identifier to another accredited entity or relying party, if the disclosure is for the purpose of ‘detecting, reporting or investigating’ a cyber security incident. Along with digital ID fraud incidents, subparagraph 54(1)(b)(iv) provides an exemption for the use or disclosure of personal information by an accredited entity to an enforcement body ‘for the purposes of reporting … a suspected or actual cyber security fraud incident’.
Paragraph 71(2)(b) allows the Digital ID Regulator to suspend an entity’s approval to participate in the AGDIS if the Regulator reasonably believes that a cyber security incident has occurred which ‘involves a risk to the operation of the Australian Government Digital ID System’, again narrowing the applicability beyond the definition of cyber security incident. Subclause 71(8) exempts suspension on this basis from requiring a prior show cause notice. The Digital ID Regulator can revoke approval to participate in the AGDIS if there has been a serious cyber security incident involving an entity (paragraph 72(2)(b)). This does not appear to be exempt from a show cause notice. Along with digital ID fraud incidents, paragraph 78(3)(b) includes cyber security incidents among the kinds of incidents the Digital ID Rules may specify as reportable incidents. Subparagraph 131(1)(b)(i) provides that an entity may be required to undergo a compliance assessment by the Digital ID Regulator if a cyber security incident has occurred or is suspected to occur.
Consequential amendments
Schedule 2 of the TCP Bill details amendments to six Acts.
Administrative Decisions (Judicial Review) Act 1977
Paragraph (d) in Schedule 1 of the Administrative Decisions (Judicial Review) Act 1977 (ADJR Act) excludes decisions made under the ASIO Act (including security assessments) from judicial review under that Act. This exclusion would apply to security assessments conducted in the context of the DID Bill.[150] To ensure that decisions made by the Minister under the DID Bill for reasons of security in relation to non-Australian entities are also exempted from review under the ADJR Act, item 1 of Schedule 2 to the TCP Bill would insert new paragraph (zi) into Schedule 1 of the ADJR Act:
(zi) decisions under the Digital ID Act 2023, in relation to an entity (within the meaning of that Act) that is not an Australian entity (within the meaning of that Act), for reasons of security (within the meaning of the Australian Security Intelligence Organisation Act 1979).
The relevant decisions are those made by the Minister under clauses 27 and 73 to direct the Digital ID Regulator to:
- refuse to accredit an entity or approve it to participate in the AGDIS
- impose conditions on the accreditation of an entity or on an approval to participate in the AGDIS
- suspend the accreditation of an entity or an approval to participate in the AGDIS
- revoke the accreditation of an entity or an approval to participate in the AGDIS.
The Explanatory Memorandum states:
The amendment is designed to mitigate the risk of exposing classified or otherwise sensitive details about Australia’s national security, or jeopardise ongoing security operations, through a review under the ADJR Act. … All entities (including those that are not Australian) will maintain their judicial review rights, with respect to decisions made under the principal Bill, under section 75(v) of the Australian Constitution and section 39B of the Judiciary Act 1903. Judicial review rights of Australian entities will be unaffected by this Bill.[151]
Age Discrimination Act 2004
It is intended that the Accreditation Rules will provide that an accredited entity must not generate a digital ID for a person if the requesting person is less than 14 years of age.[152] This creates a potential conflict with Part 4 of the Age Discrimination Act 2004, which makes it unlawful to discriminate against someone on the ground of age.[153]
Item 2 will specify the Accreditation Rules made for the purposes of paragraph 28(2)(i) in the DID Bill in a new item 11 in the table in Schedule 2 of the Age Discrimination Act. Paragraph 28(2)(i) of the DID Bill provides that the Accreditation Rules may deal with requirements or restrictions relating to the generation of digital IDs for children. Schedule 2 of the Age Discrimination Act comprises a list of provisions for which an exemption is provided by subsection 39(1A) of that Act. The new item 11 will ensure that Part 4 does not make unlawful anything done by a person in direct compliance with age requirements specified by the Accreditation Rules.[154]
Australian Security Intelligence Organisation Act 1979
Part IV of the Australian Security Intelligence Organisation Act 1979 (ASIO Act) relates to security assessments. In general (and subject to some exceptions) Part IV ‘ensures the person affected by the security assessment is to be notified of the advice, and allows for review by the Administrative Appeals Tribunal’.[155]
Section 35 of the ASIO Act sets out definitions of terms used in Part IV. Item 3 of Schedule 2 to the TCP Bill amends the definition of prescribed administrative action to include the exercise of a power under Chapter 2 (Accreditation) and Chapter 4 (Australian Government Digital ID System) of the DID Bill. As discussed above, under these Chapters the Minister will be able to decide to give the Digital ID Regulator a direction in relation to the approval, conditions, suspension or revocation of an entity’s accreditation or approval to participate in the AGDIS, for reasons of security.
The Explanatory Memorandum explains that:
This item will insert a new paragraph (ca) into the definition of ‘prescribed administrative action’ in subsection 35(1) of the ASIO Act. This means the decision of the Minister to issue a direction to the Digital ID Regulator under Chapter 2 (relating to accreditation) or Chapter 4 (relating to participation in the AGDIS) of the principal Act will be a ‘prescribed administrative action’ for the purposes of Part IV of the ASIO Act.[156]
Section 36 of the ASIO Act provides that Part IV (other than specified sections) does not apply in relation to specified security assessments. Item 4 of Schedule 2 to the TCP Bill amends section 36 so that Part IV does not apply in relation to a security assessment in relation to an exercise of a power under Chapter 2 and Chapter 4 of the DID Bill, in respect of an entity that is not Australian.
The Explanatory Memorandum explains:
The underlying intent is to control the security risks associated with foreign nationals who may be affiliated with foreign powers. Disclosing knowledge of this affiliation through the review process in Part IV of the ASIO Act will risk jeopardising ongoing security operations and poses a threat to Australia’s national security. This consequential amendment will be consistent with the Administrative Review Council publication, What decisions should be subject to merits review? (1999), which states that decisions concerning national security may justify exclusion from merits review (paragraph 4.23).[157]
Competition and Consumer Act 2010
Clause 90 of the DID Bill provides that the Digital ID Regulator will be the Australian Competition and Consumer Commission (ACCC). Item 5 of Schedule 2 to the TCP Bill will empower the ACCC to exercise the powers of the Digital ID Regulator. This will be achieved by inserting references to ‘the Digital ID Act 2023’ into subsections 19(1) and 19(7) of the Competition and Consumer Act 2010.
Privacy Act 1988
Subsection 33C(1) of the Privacy Act 1988 sets out matters that may be subject to assessment by the Information Commissioner. Item 5 of Schedule 2 to the TCP Bill will insert a new paragraph (g) into subsection 33C(1) to provide that the Information Commissioner may conduct an assessment of whether accredited entities are complying with: the additional privacy requirements set out in Division 2 of Part 2 of Chapter 3 of the DID Bill, as well as rules made for the purposes of that Division; and the prohibition in APP-equivalent agreements (as defined at clause 34 of the DID Bill) on collecting, holding, using or disclosing personal information in any way that will breach an Australian Privacy Principle.
Taxation Administration Act 1953
Item 7 will insert proposed section 3J at the end of Part IA of the Taxation Administration Act 1953 to confer on the Commissioner of Taxation the functions of ‘providing services, or access to services, within digital ID systems’. Proposed subsection 3J(2) provides that the Commissioner may participate in the AGDIS as one or more kinds of accredited entities.[158]
The Explanatory Memorandum notes the differing bases of the Commissioner’s roles within the digital ID system:
When participating in the AGDIS as an accredited entity, the Commissioner of Taxation will be operating entirely under the principal [DID] Bill, and not under, or for the purposes of, a taxation law. The provision of these services as an accredited entity participating in the AGDIS does not trigger any of the Commissioner’s general powers, duties or obligations under a taxation law … In contrast, when the Commissioner is participating in the AGDIS as a relying party, the Commissioner will be operating under, or for the purposes of, a taxation law. For example, as a relying party, the Commissioner could provide or enable access to services that would facilitate the management of a person’s taxation affairs. Information obtained for this purpose would be information obtained for the purposes of a taxation law and subject to relevant requirements under that law.[159] [emphasis added]