Chapter 1
Introduction
Referral of the inquiry
1.1 The bill was introduced in the Senate and read a first time on 30 November 2023.
1.2 On 30 November 2023, the Senate referred the provisions of the Digital ID bill 2023 (the Digital ID bill) and the Digital ID (Transitional and Consequential Provisions) Bill 2023 (the Amendment bill) to the Senate Economics Legislation Committee (the committee) for inquiry and report by 28 February 2023.
Purpose of the bills
1.3 The Digital ID bill would establish new primary legislation to legislate and expand the Australian Government Digital ID System (AGDIS), which currently exists in an unlegislated form, and would provide a legislative basis for the accreditation of providers of digital ID services. The Digital ID bill would also establish privacy and consumer protections additional to those in the Privacy Act 1988 and would ensure these protections are implemented through establishing a Digital ID Regulator, a Systems Administrator and a Data Standards Chair.
1.4 The Amendment bill would make transitional arrangements for the transition from the current, unlegislated Trusted Digital Identity Framework (TDIF) to the legislated AGDIS proposed by the Digital ID bill. The Amendment bill would also make consequential amendments to six Acts to ensure the AGDIS is implemented as intended.
Provisions of the Digital ID bill
1.5 The Digital ID bill contains 10 Chapters:
Chapter 1 – Introduction
Chapter 2 – Accreditation
Chapter 3 – Privacy
Chapter 4 – Australian Government Digital ID System
Chapter 5 – Digital ID Regulator
Chapter 6 – System Administrator
Chapter 7 – Digital ID Data Standards
Chapter 8 – Trustmarks and registers
Chapter 9 – Administrative, compliance, and enforcement matters
Chapter 10 – Other matters
Chapter 1 – Preliminary and interpretative matters
1.6 Chapter 1 of the Digital ID bill outlines the objects of the Bill and how these objects are to be achieved. This Chapter would also contain definitions of terms used in the Bill and a simplified outline of the Bill.
1.7 References throughout the Digital ID bill are made to the ‘Accreditation Rules’ and the ‘Digital ID Rules’. These terms are each defined under clause 9 as ‘rules made under section 168 for the purposes of the provisions in which the term occurs.’ The Minister would be empowered under clause 168 to create these rules to prescribe relevant matters.
Chapter 2 – Accreditation of digital ID providers
1.8 Chapter 2 provides for the accreditation of three types of accredited entities:
Accredited attribute service providers, who would provide services verifying a particular attribute of an individual.
Accredited identity service providers, who would provide services to verify an individual’s identity to either create an individual’s digital ID or authenticate an individual against that digital ID.
Accredited identity exchange providers, who would provide services involving the flow of information between entities in a digital ID system.
1.9 Australian public bodies, Australian companies, and foreign businesses registered under the Corporations Act 2001 (the Corporations Act) would be eligible to apply for accreditation.
1.10 The accreditation provisions are intended to ensure providers meet privacy, security and accessibility requirements, and would replace the existing TDIF with legislation. Only trustworthy and reliable private and public entities are intended to be accredited to provide these services, and accreditation would be suspended, revoked or cancelled if these entities do not meet the relevant standards. Civil penalties would apply to entities falsely advertising that they meet the relevant standards.
Obligations on the Digital ID Regulator regarding accreditation
1.11 The Digital ID Regulator, established under Chapter 5, would be responsible for determining accreditation for entities. Chapter 2 sets out various matters that the Digital ID Regulator might or would be required to consider in determining accreditation of entities, as well as the notice requirements in relation to these decisions.
1.12 In deciding whether to accredit an entity, the Digital ID Regulator would be required to have regard to matters, if any, specified in or prescribed by the Accreditation Rules. The Digital ID Regulator may, but would not be required to, have regard to whether an entity is a fit and proper person and, if the Digital ID Regulator chooses to do so, it would be required to have regard to the matters (if any) specified in the Digital ID Rules. The rules may include matters such as privacy, security, fraud control and user experience and inclusion.
1.13 The Digital ID Regulator would be required not to accredit an entity if:
the entity does not provide, or will not provide, some or all of the relevant services that the relevant type of accredited entity is specified to provide;
the Minister has directed that the entity must not be accredited for reasons of national security;
the Digital ID Regulator is not satisfied that the entity would be able to comply with the Act and legislative rules applicable if the entity were accredited; or
the Digital ID Regulator would not be satisfied that the entity would meet requirements or specified matters in the Accreditation Rules.
1.14 The Digital ID Regulator would be required to inform applicants of its reasons if it denied an application for accreditation. A decision to refuse such an application would be a ‘reviewable decision’ under the Act, except for a decision made for security reasons regarding a non-Australian entity. Decisions made for security reasons about non-Australian entities would remain subject to judicial review through the courts. The process for reviewable decisions would be provided for in chapter 9 of the Digital ID bill, outlined below.
Conditions on accreditation
1.15 Details of accreditation, including any conditions on accreditation, would be required to be entered on the Digital ID Accredited Entities Register, which would be established under Chapter 8 of the Digital ID bill.
1.16 The Digital ID Regulator would be required to impose conditions on accreditation if directed to do so by the Minister for reasons of security.
1.17 A non-exhaustive list of matters to which any conditions may relate is set out in subclause 17(4). These include:
any limitations, exclusions or restrictions in relation to an entity’s accredited services;
the circumstances or manner in which an entity would be required to provide an accredited service; and
the kind of restricted attributes or biometric information that may or may not be collected, used or disclosed.
Ministerial directions regarding security and accreditation
1.18 As well as being able to vary accreditation conditions, the Digital ID Regulator would be able to vary, suspend or revoke an entity’s accreditation. The Minister would be able to direct the Digital ID Regulator, who would be required to comply with the direction and accordingly either refuse to accredit an entity, impose accreditation conditions on an entity or suspend or revoke an entity’s accreditation. Such directions may only be made for reasons of ‘security’ within the meaning of the Australian Security Intelligence Organisation Act 1979 (the ASIO Act). The ASIO Act would be amended by the Amendment Bill to ensure ASIO has the requisite functions for these purposes.
1.19 Where the Digital ID Regulator is directed by the Minister to suspend an entity on national security grounds, only the Minister may revoke such a suspension. The power to suspend, revoke and vary accreditation and conditions on accreditation is explored further below in Chapter 4 of the Digital ID bill.
1.20 It is not intended that the bill would limit or exclude an entity’s right to procedural fairness in respect of Ministerial decisions.
Chapter 3 – Privacy safeguards
1.21 For the purposes of digital ID, the Digital ID bill would apply privacy protections mirroring those that currently exist in the Privacy Act. ‘Personal information’ is defined in the Privacy Act by reference to information ‘about an individual’. The Digital ID bill intends to extend the application of the Privacy Act protections regarding use and disclosure of personal information to ‘attributes’. Attributes are defined as any information ‘associated with an individual’ that would otherwise not be covered by the Privacy Act definition of personal information.
1.22 The protections regarding attributes of individuals would apply to the extent that the information is in the possession or control of accredited entities and to the extent of the provision of accredited services, but not other business operations, of an accredited entity.
1.23 Where a department or authority of a state or territory is not covered by the Privacy Act, or a law of a state or territory that is equivalent to the Privacy Act, that entity would not be able to provide accredited services unless they enter into an ‘APP-equivalent agreement’. Such an agreement would require the relevant entity to effectively comply with the Australian Privacy Principles (APPs) in the Privacy Act.
1.24 The Bill states that a contravention of a term of the agreement in relation to an individual’s personal information would be an interference with the privacy of an individual. Accordingly, the Information Commissioner would regulate the accredited entity’s compliance with the terms of the agreement.
1.25 The Information Commissioner would be able to apply for civil penalties under the Digital ID bill in respect of an interference, or serious and repeated interferences, with privacy. However, an accredited entity would not be liable to pay both a Digital ID bill and Privacy Act penalty for the same conduct.
1.26 All accredited entities are intended to be covered by a notifiable data breach scheme and there would be obligations on accredited entities to provide notification of relevant data breaches to the Digital ID Regulator and either the Information Commissioner or other relevant entity.
Restrictions on collection of personal information
1.27 Additional privacy safeguards are contained in part 2, division 2 of the Digital ID bill, and would do the following:
restrict the collection of certain attributes of individuals, such as racial or ethnic origin, political opinions, beliefs, affiliations, or sexual orientation or practices;
require express consent in order to disclose to relying parties certain attributes of individuals, namely current and former names, addresses, date of birth, phone number and email address;
require express consent for an accredited entity, when verifying or authenticating an individual, to disclose a restricted attribute of an individual to a relying party;
prohibit the disclosure of unique identifiers unless an exemption applies, such as detecting, reporting or investigating a fraud or cyber security incident within a digital ID system; and
restrict the collection of biometric information to certain situations in which this information can be collected. For the purpose of an accredited entity issuing a government identity document, an individual’s express consent to the collection is required.
Restrictions on use and disclosure of personal information
1.28 The use of data profiling to track online behaviour would be prohibited under subclause 53(1). The EM states that an accredited entity would be prohibited from conducting data profiling ‘by using personal information within the entity’s possession or control that is of a kind which, when combined, would enable the entity to track the individual’s online behaviour’. This prohibition would apply regardless of whether the individual consents to their data being used for data profiling.
1.29 Exemptions apply where the use or disclosure relates to the provision of the accredited services or to the entity complying with the Bill or Accreditation Rules, or where the use or disclosure would be required or authorised by or under a law of the Commonwealth, a state or a Territory.
1.30 To protect the integrity of the Accreditation Scheme, the prohibition on accessing personal information cannot be lifted by the entity obtaining consent from an individual for data profiling. Subclause 53(1) lists the kinds of information that the prohibition relates to:
information about the services provided by the entity that the individual has accessed, or attempted to access;
information relating to how or when access was obtained or attempted to be obtained by the individual;
information relating to the method of access or attempted access by the individual;
the date and time the individual’s identity was verified.
1.31 Personal information may not be used for prohibited marketing purposes, which are listed and include offering to supply, advertising, or promoting goods or services, enabling another entity to do those things, or undertaking market research. An exemption would apply where an accredited entity has an individual’s express consent for that entity to offer to supply, advertise or promote their accredited services to that individual.
1.32 In addition, one-to-many matching using biometric information would be prohibited under subclause 48(3). However, this does not limit subclause 48(1), which would allow the use or disclosure of biometric information if authorised under clause 49 or 50. For example, it appears that paragraph 49(3)(a) would allow disclosure of biometric information to a law enforcement agency for one-to-many matching where the disclosure is required or authorised by or under a warrant issued under a law of the Commonwealth, state or a territory.
Restrictions on information retention
1.33 Accredited identity exchange providers would be prohibited from retaining ‘core attributes’ of an individual, specifically an individual’s name, address, date of birth, phone number, and email address. These attributes are only able to be used and disclosed for the purposes of an ‘authenticated session’, as defined in the Accreditation Rules.
1.34 Biometric information used for verifying an individual’s identity would be required to be destroyed after the verification or authentication is complete, except if the individual gives express consent to the retention of their biometric information. The accredited entity would be required to destroy this biometric information immediately after the individual withdraws consent.
1.35 An accredited entity could retain biometric information for testing or fraud activities but would be required to destroy this information immediately after the testing or activities are completed, or 14 days after the information is collected, whichever occurs first. Civil penalties apply for breaching restrictions relating to biometric information. The Accreditation Rules may also deal with collection, use, disclosure, storage or destruction of biometric information.
Chapter 4 – Legislating the Australian Government Digital ID System
1.36 Chapter 4 sets out provisions relating to the AGDIS and oversight and maintenance of that system by the Digital ID Regulator.
1.37 Commonwealth government entities that have been accredited under the unlegislated TDIF, such as Services Australia and the Australian Tax Office, as well as relying parties currently participating in the unlegislated AGDIS, would transition to the legislated AGDIS on commencement of the Bills.
Approval and conditions for participating in the Australian Government Digital ID System
1.38 Participation in the AGDIS is intended to occur in phases, proceeding sequentially. The Minister would be empowered to implement the phasing-in of participation in any way. The Bill is intended to support a gradual expansion of the AGDIS by requiring the Minister to specify certain kinds of entities which may apply to participate in the AGDIS.
1.39 The Digital ID Regulator would be required to follow requirements regarding approval of entities for participation in the AGDIS, including that the Digital ID Regulator is satisfied that the entity would comply with applicable Digital ID Data Standards, the entity would comply with the Act and rules, and any requirements in the rules are met. Participation may be subject to conditions contained in the Digital ID bill, the Digital ID Rules, and any conditions imposed by the Digital ID Regulator. Any conditions imposed by the Digital ID Regulator would be required to be published on the AGDIS Register to be maintained by the Digital ID Regulator.
1.40 In order for an accredited entity to collect or disclose restricted attributes of individuals, there must be a condition on the entity’s accreditation which authorises the entity to collect the relevant restricted attributes. If it imposes such a condition, the Digital ID Regulator would be required to publish reasons explaining why the condition is appropriate.
Suspending, revoking, and varying accreditation
1.41 The Digital ID Regulator would be empowered to vary, suspend or revoke entities’ approval to participate in the AGDIS, on its own initiative or on application by an entity. The Digital ID Regulator would be required to give natural justice to entities, other than in some cases involving cyber security incidents. As noted above, the Digital ID Regulator would be required to suspend an entity’s approval if directed to do so by the Minister for reasons of national security.
1.42 Variation of accreditation would only be allowed where an accredited entity’s name is changed, such as where a machinery of government change results in a name change. Accreditation may not otherwise be varied.
1.43 Notice requirements would apply where the Digital ID Regulator proposes changing conditions on an entity’s approval, and the Digital ID Regulator would be required to provide reasons for refusing an application to vary or revoke conditions on approval.
1.44 ‘Show cause’ requirements would apply where the Digital ID Regulator proposes suspension or revocation of accreditation, requiring the Digital ID Regulator to provide notice of and state grounds for the suspension or revocation, and to provide an opportunity for the entity to respond. These requirements do not apply where the grounds involve a cyber security incident or imminent cyber security incident.
1.45 Suspension of accreditation may be for a specified duration or until a specified event or action occurs. During suspension, an entity would be taken not to be accredited but the entity would remain subject to the regulatory powers of the Digital ID Regulator, in addition to any other compliance action. Revocation of an entity’s accreditation may occur even if accreditation were suspended.
1.46 The grounds of suspension and the grounds for revocation in the bill are similar but not identical. The grounds which would allow the Digital ID Regulator to either suspend or revoke accreditation are that:
the Digital ID Regulator reasonably believes:
the accredited entity has contravened or is contravening the Act or rules;
there is an imminent cyber security incident involving the entity; or
that an entity who is a body corporate is being wound up, has had a receiver appointed and acting, is under administration, has executed an ongoing deed of company arrangement, or has entered into an ongoing compromise or arrangement with another person;
the Digital ID Regulator is satisfied that it is not appropriate for the entity to be an accredited entity; or
circumstances specified in the Accreditation Rules apply in relation to the entity.
1.47 The Digital ID Regulator may suspend but not revoke an entity’s accreditation where:
the Digital ID Regulator reasonably believes that there is an imminent cyber security incident involving the entity, or there has been a cyber security incident involving the entity, where:
the incident involved unauthorised access to, modification of, interference with or impairment of a system, service or network; or
an attempt to do so that involves an unacceptable risk to the provision of the entity’s services.
1.48 In contrast, the Digital ID Regulator may revoke an entity’s accreditation if the Digital ID Regulator reasonably believes that there has been a cyber security incident involving the entity and the incident is serious.
1.49 Decisions to suspend or to revoke an entity’s accreditation would be reviewable decisions, except those decisions made for reasons of security in relation to an entity that is not an Australian entity. Decisions made for reasons of national security relating to non-Australian entities would be subject to judicial review in the courts, and decisions of the Minister about directions involving national security would be reviewable decisions under the Act if they do not relate to a non-Australian entity. The review process is outlined below in relation to Chapter 9 of the Digital ID bill.
Voluntariness of Digital ID
1.50 Subclause 74(1) would mean that a relying party that is approved to participate in the AGDIS must not require an individual to create or use a digital ID as a condition of receiving a service from the relying party or accessing a service through the relying party. There would be some exemptions from this.
1.51 The subclause 74(1) requirement would not apply where the service is one that allows an individual to access another service online if the other service does not require digital ID. This exemption would depend on whether an individual can access a given service without a digital ID. Subclause 74(2) of the Digital ID bill provides an example where a customer opening an account at a bank is required to verify their identity. If that bank required a customer to use digital ID to open an account online, the bank would not contravene subclause 74(1) if the customer can alternatively go to the nearest branch in‑person and verify their identity without digital ID.
1.52 The subclause 74(1) requirement also would not apply if the service were obtained or accessed by an individual acting on behalf of another entity in a professional or business capacity, such as a tax agent acting on behalf of a client to lodge taxation information.
1.53 Exemptions from this requirement could be granted under subclause 74(4) by the Digital ID Regulator in response to an application of a participating relying party, if the Digital ID Regulator is satisfied that it is appropriate to do so. Matters that may satisfy the regulator include if the relying party is a small business, or if the relying party provides services only online. A decision not to grant an exemption under subclause 74(4) would be a reviewable decision.
Liability and redress framework
1.54 When participating in the AGDIS, accredited entities would be protected from civil and criminal liability for providing or failing to provide an accredited service to another entity participating in the AGDIS. This protection would be subject to the entity having acted in good faith and in compliance with the Act and Rules, or where non-compliance with the Act and rules is not the cause of the action or the proceeding. The entity seeking protection bears an evidential burden to establish the matters required for protection from liability.
1.55 Participating entities would be required to enter into a statutory contract to provide services. Under the contract, each accredited entity would agree to comply with the Act and the rules, and the contract would be enforceable in court in accordance with the general law of contract regarding breaches by accredited entities, although action cannot be taken against participating relying parties. Dispute resolution procedures would be required to be followed by an entity before that entity sought court action for breach of contract.
1.56 The Digital ID Regulator would be empowered to establish a redress framework for AGDIS-related incidents through the Digital ID Rules. The matters the redress framework may deal with include notifying entities affected by incidents, procedures for dealing with incidents, provision of information, support and assistance, and the development and publication of policies relating to identifying and managing incidents.
Holding information overseas
1.57 The Digital ID Rules are intended to prescribe localisation requirements regarding holding information outside of Australia to cater for a changing security environment.
Reporting requirements
1.58 The Digital ID Rules are also intended to provide reporting requirements and the kind of incidents that would be required to be reported to the Digital ID Regulator, and to authorise disclosure of reportable information to the Minister and other specified bodies, such as law enforcement or government bodies.
Interoperability
1.59 The Minister would be empowered to make Digital ID Rules regarding interoperability obligations, obliging participating relying parties to provide individuals with a choice of service providers for digital ID, and to oblige accredited entities in the AGDIS to provide their accredited services to other entities participating in the AGDIS, subject to interoperability exemptions introduced into the Digital ID Rules by the Minister.
Chapter 5 – Establishing the Digital ID Regulator
1.60 The Australian Competition and Consumer Commission (ACCC) would be empowered as the Digital ID Regulator. The functions of the Digital ID Regulator would include promoting compliance with the Act and rules, providing general guidance on the Digital ID Regulator’s functions and powers, consulting with relevant stakeholders, advising and sharing information with the Minister and other stakeholders, and undertaking enforcement powers regarding AGDIS participants. Clause 92 would empower the ACCC to do anything necessary or convenient for, or in connection with, these functions.
Chapter 6 – Establishing the System Administrator
1.61 The Chief Executive Centrelink, who is the CEO of Services Australia, would be the System Administrator for the AGDIS, with responsibility to manage the system and identify and manage operational risks. Services Australia has performed these functions for the unlegislated AGDIS. Clause 96 would empower the Chief Executive Centrelink to do anything necessary or convenient for, or in connection with, these functions.
1.62 The Minister would be empowered to direct the System Administrator about the performance of its functions or exercise of its powers. These directions would be required to be of a general nature; for example, the Minister could not direct the System Administrator to make a particular decision involving an AGDIS participant.
Chapter 7 – Establishing Digital ID data standards and the Digital ID Data Standards Chair
1.63 The Digital ID Data Standards are expected to deal with technical matters regarding, for example, technological requirements for transmitting data. The Digital ID Data Standards Chair would be responsible for making and reviewing the Digital ID Data Standards in addition to any other functions conferred on the Chair by the Act and rules.
Digital ID Data Standards
1.64 The Digital ID Data Standards are intended to specify technical processes to ensure, for example, that appropriate levels of security protect the AGDIS and other systems used by accredited entities. It is expected that they would be based on nationally and internationally recognised standards and modified or expanded as necessary to be appropriate for the AGDIS.
1.65 The Digital ID Data Standards may apply differently to different entities and in different circumstances. The Accreditation Rules would take precedence over the Digital ID Data Standards where there is inconsistency.
1.66 Current standards for the AGDIS are specified in Chapter 6 of the unlegislated TDIF, and all entities that would participate in the AGDIS from commencement have developed their information systems based on TDIF requirements. Accredited entities operating in other digital ID systems have designed their information systems in accordance with the contemporaneous standards, which are also in the unlegislated TDIF. Both the current standards for the AGDIS and the contemporaneous standards would be adopted in the Digital ID Data Standards on commencement of the Act to ensure continued operation of the AGDIS, to ensure government and commercial certainty, and to avoid security implications by ensuring participants are required to adhere to data standards.
Digital ID Data Standards Chair
1.67 In order to determine the technical, data and design features of a digital ID system, the bill establishes the role of the Data Standards Chair. This role would require expertise in data security, IT systems, digital ID systems and services, and risk management. The establishment of the Digital ID Data Standards Chair is intended to bring expertise on these matters.
1.68 The Digital ID Data Standards Chair would be appointed by the Minister, by written instrument, for a specified period not exceeding three years. The remuneration of the Digital ID Data Standards Chair would be determined by the Remuneration Tribunal.
1.69 The Digital ID Data Standards Chair would be an official of the Department of Finance for the purposes of the Public Governance, Performance and Accountability Act 2013. Information about the Digital ID Data Standards Chair would be included in the Department’s annual report, and staff assisting would be APS employees in either the Department of Finance or another Department, made available by the relevant Secretary.
1.70 The functions and powers of the Digital ID Data Standards Chair are set out in the bill. The powers include establishing committees, advisory panels and consultative groups to provide additional expertise when preparing standards for the AGDIS.
Chapter 8 – Trustmarks and Registers
1.71 Digital ID trustmarks would be a mark, symbol, logo or design that accredited entities and participating relying parties might use or be required to use. Civil penalties would apply to unauthorised use of Digital ID trustmarks, to failure to use digital ID trustmarks where required to under the rules, and to use of similar marks which are likely to induce reasonable people to believe that the entity is an accredited entity or participating relying entity.
1.72 The Digital ID Regulator would be required to establish, maintain, and publish two different registers, the Digital ID Accredited Entities Register and the AGDIS Register.
1.73 The Digital ID Accredited Entities Register would be a register that lists entities which are, or have been, accredited entities and any conditions imposed by the Digital ID Regulator other than conditions imposed for national security reasons. The Digital ID Rules may prescribe matters for inclusion in the register. The Digital ID Regulator would be required to maintain information about accredited entities whose accreditation is revoked for 12 months on the register to ensure public availability of that information.
1.74 The AGDIS Register would be a register similar to the Digital ID Accredited Entities Register, but would list entities which are approved or have held approval to participate in the AGDIS. Additionally, the Digital ID Regulator would be required to maintain information about entities whose accreditation is revoked for three years on this register to reflect the entity’s ongoing obligations regarding record-keeping after revocation.
Chapter 9 – Administration
Civil penalties
1.75 The bill proposes civil penalties for contraventions of various clauses. The introduction of civil penalties in the Digital ID bill was made having regard to the following matters:
Accredited entities handle significant amounts of personal information, and unauthorised collection, use or disclosure may cause serious harm to individuals, such as through identity theft and fraud.
Individuals providing their personal information would reasonably expect accredited entities to handle their information in accordance with specific safeguards and to face appropriate penalties for contraventions.
Civil penalties deter unlawful conduct, and the civil penalties in the bill reflect the seriousness of the contraventions of the additional privacy safeguards and reflect deterrence purposes.
Civil penalties for breaches of privacy safeguards have several advantages over criminal penalties: their purpose is primarily deterrence rather than punishment, as with criminal offences, and the standard of proof is the civil 'balance of probabilities' rather than the criminal 'beyond reasonable doubt'.
Infringement notices would supplement the civil penalty provisions by providing an alternative to civil proceedings for less serious contraventions, or where the contravention is straightforward to establish.
1.76However, the Digital ID bill would introduce a criminal penalty under clause 151, relating to use or disclosure of certain kinds of protected information. This offence is outlined below in discussion of Chapter 10 of the Digital ID bill.
1.77The maximum penalty a court may impose on an individual for a breach of the privacy safeguards is 1500 penalty units, and the maximum penalty for bodies corporate and government bodies is five times this amount (7500 penalty units). At the time of the bill's introduction to Parliament, one penalty unit was set at $313, making the maximum penalty for individuals $469,500 and the maximum penalty for bodies corporate and government bodies $2,347,500 (over $2.3 million).
1.78The maximum penalty has been set having regard to contemporary offences for mishandling government and consumer data. The maximum penalties are intended to promote trust in, and use of, digital IDs and to meet community expectations about the handling of personal information in a digital ID context, including the risk of harm to individuals from mishandling of personal information by accredited entities.
1.79Infringement notices, injunctions and enforceable undertakings are available to the Information Commissioner in relation to the additional privacy safeguards and they are available to the Digital ID Regulator for all other civil penalties.
Directions power of the Digital ID Regulator
1.80The Digital ID Regulator would be empowered to issue written directions which require an entity to do, or refrain from doing, a specified thing, and which provide reasons for the direction. These directions may relate to accreditation and participation, remedial directions to accredited entities or protecting the integrity or performance of the AGDIS. Such directions would not be legislative instruments. Penalty provisions would apply to non-compliance with any such directions.
Directions power of the System Administrator
1.81The System Administrator would be empowered to issue written directions to entities approved to participate in the AGDIS and those whose accreditation has been suspended, if the System Administrator considers it necessary to do so in order to protect the integrity or performance of the AGDIS.
Compliance assessments
1.82The Digital ID Regulator would be empowered to give written notice to an entity to undergo compliance assessments by the Digital ID Regulator or an independent assessor arranged by the entity. Such an assessment may consider whether the entity has complied, is complying, or can comply with the Act or rules, or whether certain incidents have occurred, such as a cyber security incident, a fraud incident, an incident that may materially impact the entity’s risk profile or an incident that may materially impact the operation of the entity’s IT systems.
1.83The Digital ID Rules may prescribe rules relating to compliance assessments, as well as procedural requirements and reporting requirements for assessment results. Entities would be required by the Act to cooperate in the carrying out of an assessment and provide facilities and assistance that are reasonably necessary for the compliance assessment.
Power to obtain information
1.84The Digital ID Regulator would be able to give an entity written notice requiring it to provide the information or documents specified in the notice, with compliance required no earlier than 28 days after the notice is given. The information or documents would have to relate to the entity's compliance with the Act or rules, or to the Digital ID Regulator's functions or powers.
1.85Such a notice may be given to any entity, not only entities participating in the AGDIS. The Digital ID Regulator would therefore be required to inform the entity that a failure to comply with the notice may attract a civil penalty. An entity would not be liable for the civil penalty if it has a reasonable excuse for non-compliance, although the entity would bear the evidential burden in relation to that excuse. This power would not affect legal professional privilege or other privileges, such as the privilege against self-incrimination.
1.86The System Administrator would have similar powers to obtain information. However, the power of the System Administrator would depend on the System Administrator holding reasonable belief that the entity has documents or information relevant to the operation of the AGDIS.
Record keeping
1.87Entities participating in the AGDIS would be required to keep records relating to information obtained through the AGDIS, in the manner prescribed by the Digital ID Rules. The period for which records must be kept would not exceed seven years. The rules are expected to include a requirement to maintain audit logs of transactions and of consent given by individuals.
1.88Personal information may be retained by an accredited entity that is approved to participate in the AGDIS, or whose approval has been suspended or revoked. Such personal information would be required to be destroyed once both conditions are met: the entity is no longer required or authorised to retain the information, and the information does not relate to any current or anticipated legal or dispute resolution proceedings to which the entity is a party.
Review of decisions
1.89Decisions made under the Act could be subject to both internal review and external review by the Administrative Appeals Tribunal (AAT). Applications for review would have to be made in the form and manner approved by the person to whom the application is made, and be accompanied by any information or documents required by that person, the Digital ID Rules or the Accreditation Rules. A decision would not have to be made on an application that does not meet the relevant form and manner requirements.
1.90Clause 137 would set out the types of decisions which are reviewable, and for each of these decisions it would also set out the ‘affected entity’ for the decision. The Digital ID Rules can also specify reviewable decisions.
1.91An affected entity would be able to apply to the decision-maker for internal review of the decision within 28 days of the affected entity learning of the decision. The decision-maker would then have 90 days from receiving the application to affirm, vary or revoke the decision, and would be required to provide reasons for the review decision and to provide notice of the availability to seek review by the AAT. The delegate making the review decision would be required not to have been involved in making the original decision.
1.92Review by the AAT of decisions under the Act would be enabled under clause 140 and the process of review by the AAT is governed by the Administrative Appeals Tribunal Act 1975.
1.93Decisions made for reasons of national security in relation to non-Australian entities would not be reviewable decisions under the Act and would not be reviewable under the Administrative Appeals Tribunal Act 1975 but would instead be subject to judicial review by the courts.
Fees
1.94The Digital ID Regulator would be able to charge fees for applications, including a fee of a nil amount, as prescribed in the Digital ID Rules. However, fees could not be charged to an individual for the creation or use of a digital ID by that individual. The Minister would be required to cause a review of the charging framework to begin within two years of the bill commencing and to be completed within 12 months, with further reviews conducted every two years.
1.95Accredited entities may also charge fees, including a nil amount, for services in the AGDIS but this charging would be required to occur in compliance with the Digital ID Rules. Accredited entities would be able to charge fees to verify the identity of or authenticate information about an individual, or to charge other accredited entities for services provided. A non-exhaustive list of matters that the rules may cover regarding fees is contained in subclause 148(3).
Chapter 10 – Other matters
Advisory committees
1.96The Minister would be able to establish advisory committees to advise about matters arising under the Act. These committees may advise the Minister, the Secretary, the System Administrator and the Digital ID Data Standards Chair, but not the Digital ID Regulator, which would be the Australian Competition and Consumer Commission (ACCC). The ACCC is considered to already have a governance structure that provides for expert advice.
Confidential, protected and sensitive information
1.97The Digital ID bill would make certain uses or disclosures of confidential information a criminal offence. In particular, use or disclosure of personal information about an individual, or of commercially sensitive information where the use or disclosure might substantially prejudice the commercial interests of a person, would be an offence under clause 151. The maximum penalty would be two years' imprisonment, 120 penalty units, or both.
1.98The use or disclosure of protected information would be subject to authorisation under the Act or by consent from the person to whom the information relates. The use or disclosure of such information would be authorised where it would assist in the administration or enforcement of Commonwealth or territory law, or state law where that state law is prescribed in the Digital ID Rules. If the information is already publicly available, or certified in writing by the Minister in accordance with the Digital ID Rules to be in the public interest, the use or disclosure would also be authorised.
1.99A person entrusted with personal or commercially sensitive information would not be required to produce information or documents containing that information to courts, tribunals, authorities, or another person requiring production of documents or answering of questions, except where it is necessary to do so for the purposes of the Act.
Reporting
1.100The Digital ID Regulator would be required to prepare an annual report and provide it to the Minister for presentation by 30 October each year. Additionally, the Information Commissioner would be required to include in their annual report information about the Commissioner’s performance of functions and exercise of powers regarding the additional privacy safeguards.
Review of the Act
1.101The operation of the Act would be reviewed within two years of commencing, with the Minister to table this review within 15 sitting days of having received such a document. The review would consider the operation of the privacy safeguards and whether they would benefit from amendments or additions, and would consider developments in other legislation, such as the Privacy Act.
Delegation
1.102The Minister could delegate functions and powers to the Digital ID Regulator, the Secretary, Senior Executive Staff (SES) or acting SES employees in the Department. The Digital ID Regulator would also be empowered to delegate functions and powers to a member of the ACCC or to an SES or acting SES employee in the ACCC or the Department.
1.103The System Administrator is prevented from delegating functions or powers to certain people. Specifically, these are people who have functions or duties relating to IT systems through which an accredited entity provides its accredited services. Delegation by the System Administrator otherwise applies under the Human Services (Centrelink) Act 1997.
1.104The Digital ID Data Standards Chair could delegate functions or powers other than those for making the standards to an SES or acting SES employee in the Department.
Rules
1.105The requirements governing rules made by the Minister would apply to the Digital ID Rules, the Accreditation Rules and any other rules the Minister makes under the Digital ID bill. The rules would be legislative instruments, subject to parliamentary scrutiny and to disallowance by motion in either House.
1.106Except where rules are made urgently, and therefore without consultation, stakeholders such as technical experts, industry, the privacy regulator and consumer advocates would have the opportunity to comment on proposed rules. A notice setting out the proposed new rules or amendments would have to be published on the Department's website, giving 28 days' notice for people to make a submission, which the Minister would be required to consider. The Minister would have to consult the Information Commissioner before making rules authorising accredited entities to collect or disclose restricted attributes or biometric information of individuals, or to use biometric information of individuals.
1.107Where rules are made urgently without consultation, the Secretary of the Department would be required to review the rules, seek submissions and complete a report within 60 days of the rules being made. The Minister would be required to table a copy of the Secretary's statement of findings in Parliament.
Provisions of the Amendment bill
1.108The Amendment bill contains two schedules. Schedule 1 deals with transitional and application provisions from the unlegislated Trusted Digital Identity Framework for accreditation of digital ID services to the rules under the Digital ID bill. Schedule 2 makes consequential amendments to the following six Acts:
Administrative Decisions (Judicial Review) Act 1977
Age Discrimination Act 2004
Australian Security Intelligence Organisation Act 1979
Competition and Consumer Act 2010
Privacy Act 1988
Taxation Administration Act 1953
Administrative Decisions (Judicial Review) Act 1977
1.109The Amendment bill would insert a new paragraph into Schedule 1 to the Administrative Decisions (Judicial Review) Act 1977 (ADJR Act). Schedule 1 sets out classes of decisions excluded from review under that Act. The new paragraph (zi) would exclude from ADJR Act review certain decisions by the Minister to issue a direction to the Digital ID Regulator: specifically, directions issued for reasons of security which require the Digital ID Regulator to make a decision regarding an entity's accreditation or an entity's participation in the AGDIS. This is intended to mitigate the risk that classified or sensitive details about Australia's security would be exposed through review under the ADJR Act.
Age Discrimination Act 2004
1.110The Accreditation Rules would provide that an accredited entity must not generate a digital ID for a person who is under 14 years of age. The Amendment bill would insert a new item in Schedule 2 to the Age Discrimination Act 2004 (Age Discrimination Act) to ensure that compliance with this requirement in the Accreditation Rules is not unlawful. The Age Discrimination Act does not make anything unlawful if a person does that thing in compliance with a provision of an Act, regulation or other instrument covered by Schedule 2 to the Age Discrimination Act.
Australian Security Intelligence Organisation Act 1979
1.111The Amendment bill would insert a new paragraph (ca) into the definition of 'prescribed administrative action' in subsection 35(1) of the Australian Security Intelligence Organisation Act 1979 (ASIO Act). Under the ASIO Act, a statement in writing furnished by ASIO to the Minister expressing a recommendation, opinion or advice on whether 'prescribed administrative action' would be necessary, desirable or consistent with the requirements of security is a security assessment. Part IV of the ASIO Act enables certain assessments to be reviewed by the AAT and requires the subjects of such assessments to be notified of the advice.
1.112The Amendment bill would also insert a new paragraph (bb) into subsection 36(1) of the ASIO Act, which would provide that Part IV of the ASIO Act does not apply to a security assessment in respect of an entity that is not an Australian entity, in relation to an exercise of power under Chapter 2 or 4 of the Digital ID bill. Such decisions would not be reviewable by the AAT and subjects of advice furnished to the Minister would not be notified of the advice.
Competition and Consumer Act 2010
1.113The Amendment bill would insert a reference to the Digital ID bill into subsections 19(1) and 19(7) of the Competition and Consumer Act 2010. These subsections refer to powers conferred on the Chairperson of the ACCC, and the insertions would bring the Digital ID Regulator's powers within their scope.
1.114Subsection 19(1) enables the Chairperson of the ACCC to direct that the Chairperson's powers be exercised by a Division of the ACCC specified in the direction. Subsection 19(7) clarifies that more than one Division of the ACCC may exercise the powers of the Chairperson at the same time.
Privacy Act 1988
1.115The Amendment bill would insert a new paragraph (g) into subsection 33C(1) of the Privacy Act 1988. This new paragraph would empower the Information Commissioner to conduct compliance assessments of accredited entities. The amendment is intended to ensure the Information Commissioner can investigate complaints relating to contraventions of the privacy requirements set out in the Digital ID bill, or under an APP-equivalent agreement.
Taxation Administration Act 1953
1.116The Amendment bill would insert a new section 3J into the Taxation Administration Act 1953. This amendment would confer on the Commissioner of Taxation the function of providing services, or access to services, within digital ID systems, as well as broad powers to do all things necessary or convenient in connection with the performance of that function.
1.117The Commissioner of Taxation currently provides services in the unlegislated AGDIS for both Commonwealth purposes and to state and territory agencies for the limited purpose of testing viability of services to inform planning and expansion of the AGDIS outside the Commonwealth. The effect of this amendment would be that the Commissioner of Taxation may participate as an accredited entity in the AGDIS.
1.118When the Commissioner of Taxation participates as an accredited entity, the Commissioner will do so under the Digital ID bill and not under taxation law, and would be required to meet the requirements under the Digital ID bill. When participating as a relying party, the Commissioner would be operating under or for the purposes of a taxation law and would be required to meet requirements under that law.
Consultation
1.119Stakeholder consultation by the Department of Finance on the draft digital ID legislation and the draft digital ID accreditation rules commenced on 19 September 2023. Consultation on the draft legislation closed on 10 October 2023, and consultation on the draft accreditation rules closed on 31 October 2023. The Department of Finance received 113 submissions in response to this consultation, of which 88 were agreed to be published.
Commencement
1.120Commencement of the bill would be on a single day to be fixed by Proclamation.
Financial impact
1.121The financial impacts of the Digital ID bill and the Amendment bill are estimated to be $1.5 billion per year. Estimates of the benefits to the Australian economy vary in scale and scope, and are difficult to verify. The whole-of-economy benefits resulting from these bills are estimated at up to $3.3 billion annually from time saved by individuals, based on current digital ID arrangements.
Legislative scrutiny
1.122At the time of tabling, the Joint Committee on Human Rights had not commented on this bill.
1.123In its Scrutiny Digest 4 of 2024, the Senate Standing Committee on the Scrutiny of Bills (the Scrutiny Committee) sought the minister’s advice regarding the following aspects of the digital ID bill:
immunity from civil and criminal liability for accredited entities;
whether reports on reviews of the Digital ID Rules can be tabled in Parliament;
the level of parliamentary oversight of matters included in written instruments;
reversal of the burden of proof for an offence established under the bill; and,
incorporation of external materials, and publication of these materials.
1.124At the time of this report’s publication, the Scrutiny Committee has not published any advice from the Minister’s office regarding these matters.
Immunity from liability
1.125The Scrutiny Committee noted that accredited entities are provided immunity from civil and criminal liability in certain circumstances under clause 84 of the digital ID bill:
where an accredited entity acts in good faith in either providing or not providing the accredited service; or
the accredited entity does not comply with the bill in relation to the accredited service, and the non-compliance is not the ground or reason for the action or other proceeding.
1.126The Scrutiny Committee considered that this immunity 'removes any common law right to bring an action to enforce legal rights … unless it can be demonstrated that a lack of good faith is shown'. However, subclause 84(2) of the bill provides that an entity wishing to rely on the subclause 84(1) immunity bears an evidential burden. Only where the entity seeking immunity discharges that burden would an aggrieved accredited entity then be required to show that the entity seeking immunity did not act in good faith.
1.127The Scrutiny Committee also considered that where an accredited service is not rendered to an individual, that individual could suffer consequences until they were able to prove the accredited entity acted in bad faith. Despite this, the clause 84 immunity would apply only in relation to service provision or non-provision in relation to accredited entities or participating relying parties, rather than individuals using the system to prove their identity.
1.128The Scrutiny Committee considered that the provision of immunity from civil and criminal liability in a bill must be soundly justified, and that the explanatory memorandum provides no explanation for this provision. The Scrutiny Committee has requested the Minister’s advice on the necessity and appropriateness of this immunity.
Reports on reviews of Digital ID Rules
1.129The Scrutiny Committee noted that subclause 145(1) would require the Minister to cause periodic reviews of the fee charging provisions in the Digital ID Rules, and subclause 145(4) requires the Minister to cause a written report to be prepared about each review. The Scrutiny Committee observed that there is no requirement to table the report in each House of the Parliament, noting that this may impact parliamentary scrutiny, and requested the Minister’s advice as to whether the bill can be amended to require tabling of these reports.
1.130While the EM does not explain the absence of a requirement to table the report in Parliament, it does note that subclause 145(4) requires the publication of the reports online.
Matters in delegated legislation
1.131Subclause 150(1) would provide that the Minister may establish advisory committees in writing. The Scrutiny Committee considered that this power is a significant part of the overall legislative scheme. The Scrutiny Committee has requested the Minister’s advice as to why the determination of these matters is done by instrument rather than through primary legislation or legislative instrument, and whether the bill could be amended to subject this power to parliamentary oversight.
Reversal of the evidential burden of proof
1.132Subclause 151(1) of the bill would create an offence regarding the disclosure of protected information in certain circumstances. Subclause 151(3) provides that the offence does not apply where clause 152 authorises the disclosure, with a note to the subclause stating that a defendant bears an evidential burden in relation to this offence-specific defence.
1.133On the basis that a reversal of the burden of proof should be appropriately justified, and considering that the EM does not adequately address this issue, the Scrutiny Committee has requested the Minister's explanation of the proposed reversal of the burden of proof.
Incorporation of external materials
1.134The Scrutiny Committee raised concern regarding subclause 167(2), which provides that the Accreditation Rules, the Digital ID Data Standards and the Digital ID Rules may apply, adopt or incorporate any matter contained in other materials. The Scrutiny Committee considered that the EM does not provide sufficient explanation and requested the minister’s advice regarding whether the documents applied, adopted or incorporated will be made freely publicly available, and why it is necessary to apply the documents as in force or as existing from time to time, rather than when the instrument is first made.
Regulatory impact
1.135The Department of Finance conducted an impact analysis of the Digital ID bill, which is published in the EM.
1.136The impact analysis identified a need for government intervention in the implementation of digital ID as it currently exists, namely:
the absence of legal authority for non-Commonwealth Government agencies to participate in the AGDIS as relying parties, and the absence of a charging framework;
a potential lack of trust in privacy and security safeguards; and
the absence of a permanent oversight body and legislative governance framework.
1.137The impact analysis identified constraints and barriers to government intervention, including that most Australians do not have a strong understanding of digital ID, and that there is a low level of public confidence in digital ID.
1.138Three policy options were explored in the impact analysis, namely maintaining the status quo, leveraging existing legislative frameworks to enhance privacy safeguards, and dedicated legislation (the Digital ID bill) to establish a new regulatory scheme.
Conduct of the inquiry
1.139The committee advertised the inquiry on its website and wrote to relevant stakeholders and interested parties to invite written submissions by 19 January 2024.
1.140The committee received and published 398 submissions of which 19 were accepted as confidential. The committee also received 156 pieces of correspondence from individuals which were accepted as campaign correspondence, representations from over 29,000 individuals as part of a CitizenGO campaign, and over 450 pieces of unique correspondence from individuals which were not accepted as submissions.
1.141The committee also received additional information and answers to questions on notice, which are listed at Appendix 1. The committee held one public hearing for the inquiry at Parliament House on 9 February 2024. The names of witnesses who appeared at the hearing can be found at Appendix 2.
Acknowledgements
1.142The committee thanks all individuals and organisations who assisted with the inquiry, especially those who made written submissions and participated in the public hearing.
Notes on references
1.143In this report, references to the Committee Hansard are to the Proof Hansard and page numbers may vary between Proof and Official Hansard transcripts.
Structure of report
1.144Chapter 1 of this report provides an overview of the bill and the conduct of the inquiry. Chapter 2 of this report sets out stakeholders' views on the bill, drawn from submissions, evidence given at the public hearing on 9 February 2024 and additional material provided, and gives the committee's view on the evidence and its recommendations on the bill.