Greens Senators' Dissenting Report
1.1The move towards a digital ID has large potential privacy benefits if done well and clear risks if it is rushed or mishandled.
1.2Done well, a government Digital ID will protect people’s online identity by preventing countless private and public entities from holding vulnerable data sets of their personal information, details of drivers licences, addresses and personal particulars. It does this by allowing these entities to confirm a person’s identity by accessing the digital identity service.
1.3Done badly, a government Digital ID can exclude people who do not have digital literacy, or access, from accessing essential services or even being a fully functioning member of society. It can also erode trust in digital security by being an easy pathway for security agencies to gain access to critical personal information that would otherwise be protected from their reach.
1.4This Bill represents a unique opportunity to rebuild trust in the Government’s digital capability. It is clear from the many hundreds of individual submissions that have expressed serious concerns about the privacy implications of Digital ID, that the Government has not yet earned this trust.
1.5There was a strong argument from many organisations that the Privacy Act overhaul should have been completed before this reform was brought forward. These submissions are right. A coherent best practice privacy scheme should underpin all of this and build trust in the community that the Government cares about protecting them.
1.6The reforms are slow to materialise and in the meantime we have no greater security for our online identities. This is the best argument for proceeding with this Bill now, noting as well that it contains significantly improved privacy protections from those that are currently available under the Privacy Act.
1.7A core factor identified in submissions is the need to limit third party access to people’s digital identities and in particular to limit law enforcement access. The Department, and many stakeholders, correctly identify that the scheme does not create a “honeypot” of data. Rather the Bill seeks to create what is essentially a linking service. This will allow data that is already contained in state and territory databases (such as drivers’ licences) and federal databases (such as the ATO) to be accessed under strict controls to determine a person’s identity. It does not create a new data set or any federal data “honeypot.”
1.8Getting this message out is significantly undermined by a model which says law enforcement can, and should, have access to the scheme. Put simply, if law enforcement wants access to any of the data that is linked through the proposed new Digital ID scheme, they can already access this information by court issued warrants addressed to the existing data sets. Permitting law enforcement access to the Digital ID scheme creates the impression that there is a large and useful data set that police and security agencies will want to access. This is not true, and retaining this in the Bill will inevitably erode public confidence in the scheme. It is bad messaging and bad policy.
1.9If Parliament is of the view there must be some provision for law enforcement access, then at a minimum it must be limited to a very narrow subset of law enforcement bodies, require a warrant issued by a superior court of record, that it only be in relation to either an extremely serious offence or an imminent threat to life.
1.10Genuine voluntariness of the scheme is also a core issue identified by many of the institutional stakeholders and also the hundreds of private submissions. For the scheme to work it needs to have a strong social licence and for this to occur this fundamental issue of accessible alternatives must be addressed. Clause 74 should be updated to reflect that alternatives to digital ID that are available are reasonably comparable.
1.11Amending clause 74 is particularly important for ensuring marginalised communities are not further disadvantaged if they can’t access a Digital ID. We agree with the recommendation from Economic Justice Australia that “safeguards for people for whom the creation and ongoing use of a Digital ID is problematic should be a legislated requirement for Digital ID Relying Parties”.
1.12Ensuring the system is properly inclusive is obviously key and there need to be real improvements to guarantee this. We also agree with Economic Justice Australia that the “design standards outlined by Australian Human Rights Commission for disability inclusion should be considered when designing the authentication processes for Digital ID creation and ongoing use”. One key way of making the system more inclusive is incorporating proof of age cards as recommended by Blind Citizens Australia.
1.13Concerns about biometrics and bias are also very real and should be addressed before the bill is made law. The Human Technology Institute submitted that there needs to be more research specifically into this aspect to allow the bills to be updated to reflect issues with facial recognition technology particularly on First Nations people.
1.14The primacy of biometric technology needs to be questioned before it is adopted wholesale into the digital identity system. Further, specific studies must be commissioned before its adoption into the digital identity system to interrogate bias, accuracy, and the impact on vulnerable categories of people.
1.15Ensuring we do not move into a world where digital identities replicate existing bias and prejudice in the non-digital world should be a critical threshold issue for the whole Parliament.
1.16Likewise the limits on the use of data for profiling in the bill are positive but the exemption that allows profiling in specified circumstances is ripe for commercial exploitation. These exemptions must at least be narrowed and subject to ongoing parliamentary review.
1.17The ability to have your digital ID deleted seems an obvious and sensible process to include in the bill and we agree with Digital Rights Watch this should be included. This accords with the Tech Council recommendations that we need to “better align record keeping, incident reporting and data storage requirements with the Government’s broader privacy and cyber security agenda”.
1.18Finally, creating a meaningful and accessible redress and penalty scheme is also important for public confidence. We agree with Digital Rights Watch on the need to get this right.
1.19The bill currently provides that a redress scheme may be created by regulation. Surely the experience of millions of Australians who have had their privacy breached through hacks and leaks with Optus, Medibank, the NDIS and countless others has told us just leaving open the possibility of a future remedy is far from adequate.
1.20The Greens are keen to work with the engaged stakeholders and the government to get this Bill right and to take a big step forward in protecting our digital identities. We are grateful to all the stakeholders who engaged with the committee, who raised every committee members’ digital literacy and who sought to drive the Parliament towards a far better position with this Bill.
1.21It’s now our job to turn those good submissions into good law.
Senator David Shoebridge
Senator for New South Wales
An inquiry into the bills of Digital ID Bill 2023 & Digital ID (Transitional and Consequential Provisions) Bill 2023.
Senate
House of Representatives
Get informed
Bills
Committees
Get involved
Visit Parliament
Website features
Parliamentary Departments