Chapter 2Views on the bill

Introduction

2.1This chapter examines stakeholder views on the provisions of the Digital ID Bill 2023 and the Digital ID (Transitional and Consequential) Bill 2023. It provides an account of what stakeholders considered to be the key issues relating to the bills and concludes with the committee’s views and recommendations.

2.2This examination is informed by the bills’ explanatory material, submissions received by the inquiry, and evidence provided at a public hearing held on 9 February 2024 at Parliament House.

Broad views on the bills

2.3Most organisations who made submissions to the inquiry supported the intent behind the bills and their passage.[1] Submitters brought a variety of perspectives when considering the benefits of this legislation, and reasons to support the bills.

2.4Organisations were generally supportive of the intent of the bills, and several submitters identified suggestions to refine or improve the intended functioning of the digital ID system.

2.5There was a contrast between this broad support for the bills from organisations with the concerns raised by the many individuals who wrote to the committee, either individually or through organised campaigns.

2.6Most individuals who made submissions to the inquiry opposed the bills either fully or in part. Key concerns raised included concerns about privacy, surveillance and data security, radiofrequency radiation, voluntariness of digital ID and social exclusion of those who chose not to obtain a digital ID, the drafting of and consultation process regarding the bills, ideas of authoritarian misuse of digital ID, and the influence of international entities in causing the implementation of digital ID. Many of these concerns are explored in more detail later in this chapter.

2.7Organisational submitters highlighted that the benefits of this legislation include enhancing privacy and control of personal data by individuals, mitigating the risks that fraud, scams and cyber security incidents pose to individuals, uplifting Australia’s digital economic capabilities, and helping to reduce transaction costs for individuals and businesses.

2.8The Department of Finance echoed these benefits, and stated that the legislative reforms are intended to:

… make using a Digital ID safer, drive consistency across the economy through the Accreditation Scheme and enable people to use a Digital ID if they choose with confidence their personal information is safe and secure when they use an accredited provider.[2]

2.9The Office of the Australian Information Commissioner also considered that digital ID, subject to oversight and safeguard mechanisms, could deliver various benefits:

When accompanied by strong statutory safeguards and robust regulatory oversight, digital identity systems have the potential to improve privacy protections by minimising the collection and use of personal information by businesses and government agencies, and giving individuals greater security and control over their identification documents and credentials.[3]

Privacy and security benefits

2.10Several submitters identified that recent high profile data breaches have increased the demand and the need for more secure methods of identity verification.[4] While some submitters were concerned that digital ID would increase the insecurity of personal information,[5] submitters generally were supportive of the capability of digital ID to make the use and storage of personal information more private and secure.[6]

2.11BixeLab and CyberCX identified privacy and security benefits that would be provided under the AGDIS. They wrote that the bills sought to provide better data protection by creating a system that would allow individuals more control over the use and disclosure of their personal information online.[7]

2.12Westpac and the Commonwealth Bank supported a digital ID system as an increasingly important means of protecting Australians’ personal information from bad actors.[8]

2.13Despite expressing reservations about some aspects of the legislation, Digital Rights Watch acknowledged the ‘potential benefits associated with the establishment of a digital identity system’, and stated:

A well-functioning, robustly safeguarded and carefully implemented government-led digital identity system has the potential to minimise the risks associated with billions of people being compelled to repeatedly hand over their identity documents.[9]

2.14The Australian Competition and Consumer Commission supported the privacy standards that would be set by the legislation and stated the bills ‘will establish an economy-wide accreditation scheme which will set a benchmark for privacy and information security for entities involved in digital identity services …’[10]

Economic benefits

2.15Multiple submitters recognised economic benefits that would arise from a legislated digital ID system and saw digital ID occupying an important role in an increasingly digital economy. These submitters argued that bolstering trust in the identity of individuals and reducing the financial and time costs of identity verification would have positive economic impacts.[11]

2.16Several submitters indicated that the bills would reduce the costs of identifying individuals, benefitting both individuals and businesses operating online.[12] Financial Advice Association Australia and the Australian Retail Credit Association each highlighted the importance of trust in identity verification systems and supported the introduction of the legislation on economic bases.[13]

2.17The Australian Banking Association noted their prior advocacy for broad adoption of digital ID services, and endorsed the bills on the basis that digital ID would be ‘an essential element of the evolving digital economy that will deliver widespread productivity gains across the economy …’[14]

2.18The impact analysis paper for the Digital ID bills estimated that select indirect benefits from digital ID are estimated to be around $3 billion per year. While MDR Security questioned some of the cost-benefit calculations in this impact paper, they also noted that the potential for the bills to unlock digital economy transactions in the private sector is possibly understated, and may be greater than indicated by the impact paper.[15]

2.19The Department of Finance reiterated the economic benefits that the digital ID bill would bring:

The [2014 Financial System] Inquiry highlighted that the fragmented approach to ID verification in Australia creates significant costs to individuals, businesses and the broader Australian economy.

…

The Productivity Commission also recognised Digital ID’s place more broadly as a major economy-wide reform with potential significant economic, security and privacy benefits.

…

From a broader economy perspective, Digital ID can help improve productivity by reducing time spent verifying people’s ID and can also reduce losses associated with data breaches involving people’s ID data and information.[16]

Voluntariness

2.20Stakeholders were supportive of the voluntary nature of the bill and emphasised the importance of a scheme which will allows Australians full access to services regardless of their choice regarding whether to create or use a digital ID.

2.21At the public hearing, witnesses were asked about their views on the voluntariness requirements in the Digital ID bill and whether these protections were sufficient protections for individuals. Various witnesses agreed that genuine voluntariness was essential for the proper operation of AGDIS.[17]

2.22Mr Ryan Black of the Tech Council of Australia expressed support for the protections outlined in the bill for encouraging voluntariness of digital ID, and stated that ‘there is an inherent commercial incentive for a voluntary approach to [digital ID]’.[18]

Express consent

2.23The digital ID bill requires that individuals provide express consent to create a digital ID and before any information about that individual is collected or used by, or disclosed to, a service they wish to access.[19]

2.24Some submitters suggested means of more clearly identifying express consent. The Human Technology Institute suggested:

It is welcome that the Bill provides that only individuals who provide express consent will be enrolled in the digital ID scheme. These provisions could be strengthened through the inclusion of a definition and explanation of how consent should be obtained, as well as provision for accessible means of withdrawing consent.[20]

2.25Digital Service Providers Australia New Zealand suggested voluntariness could be enhanced if individuals could register with a single identity provider and prevent their identity documents from being used to register with any other provider. They noted this would be ‘consistent with the ‘voluntary’ principle and ensure individuals have sovereignty over their identity.’[21]

2.26Some submitters considered that the express consent requirement is undermined by the fact that opting out of digital interactions is not a realistic option for most individuals. For example, the UNSW Allens Hub noted that ‘the availability of alternatives does not create a system where service providers can be precluded from offering digital identity as the more convenient and cheaper option.’[22]

2.27The New South Wales Council for Civil Liberties took the stance that the government could ‘prioritise consumer protections set out in the Australian Consumer Laws with greater obligations on participating businesses.’[23]

2.28In response to questioning at the public hearing regarding the convenience and cost of services which do not require digital ID, the Department of Finance provided information regarding the exception under subclause 74(2):

The Digital ID Regulator will enforce compliance with this provision and would ultimately need to consider matters on a case-by-case basis. In general terms however, if an alternative service offered to an individual by a participating relying party is not made available in practical and timely way this would be unlikely to satisfy subclause 74(1).[24]

Preventing social exclusion

2.29Some submitters underscored the potential for exemptions to result in social exclusion. These submitters were concerned that digital ID, while voluntary, could effectively result in exclusion or discrimination against individuals who choose not to obtain a digital ID.[25]

2.30Digital Rights Watch pointed to subclause 74(5), which would allow the Digital ID Regulator to grant an exemption to the voluntariness requirement for participating relying parties providing services in exceptional circumstances, noting its concerns over this potential exemption.[26]

2.31Submitters emphasised that digital ID ought not indirectly discriminate against groups of people, such as elderly people, people in rural and remote areas with access to limited telecommunications infrastructure, and Indigenous Australians. The New South Wales Council for Civil Liberties identified that the legislation does not include express provision to prevent discriminatory uses of digital ID.[27]

2.32Blind Citizens Australia indicated that requiring certain documents, such as a driver’s licence, may be exclusionary where certain groups, such as blind people, are unlikely to hold those documents. Blind Citizens Australia also identified barriers that vision impaired and blind people may experience when taking self-portrait photos, and identified audio and vibration prompts that could be implemented to enhance the accessibility of this process.[28]

2.33The UNSW Allens Hub advised of the exclusion of individuals from digital identification systems in countries which have adopted widespread biometric identification technology.[29] They suggested ‘additional future-proof safeguards around actual practices surrounding the national digital identity system, voluntary or otherwise, and to protect against any mission creep.’[30]

2.34The Human Technology Institute also provided helpful guidance on what would be required to prevent social exclusion:

The Bill provides that creating and using a digital ID will be voluntary, which gives individuals the choice to opt out. The Bill should also include a guarantee of ongoing equal access to services for those who make this choice. This is necessary to ensure that engaging with digital ID systems is genuinely consent-based, and to prevent exclusion for vulnerable groups.[31]

2.35Cuscal submitted that exemptions to the voluntariness requirement in the digital ID bill could potentially mean pockets of society would be excluded from participating in the digital ID system.[32] They noted:

Digital ID is intended to reduce fraud and those who are less digitally literate or have other digital access restrictions, should be included on the journey, and facilitated by the government and industry to embrace the more safe and secure process of controlling and verifying their identity.[33]

Exemptions and exceptions to the voluntariness requirement

2.36Various concerns were raised regarding the possible exemptions and exceptions to the voluntariness requirement in the bill under subclause 74(1), which would prohibit participating relying parties[34] from requiring an individual to create or use a digital ID as a condition of service access.

2.37Subclause 74(2) provides an exemption to the voluntariness requirement where a relying party provides a service (service A), service A provides access to another service (service B), and an individual can access service B without creating or using a digital ID under the government’s digital ID system.

2.38At the public hearing for this inquiry, the Department of Finance was questioned regarding the intended operation of the subclause 74(2) exception. A representative from the department explained the context for this exception:

There were concerns raised about the definition of a service. There was an argument that having a portal is a service, and so the portal is a different service from the in-store service. So subsection 2 is just trying to deal with that issue and say that the end service has to be the same type of service.[35]

2.39Some submitters expressed concern that subclause 74(4) would mean that the Digital ID Regulator could grant an exemption either arbitrarily or in a manner that expands the exemption clause.[36]

2.40The New South Wales Council for Civil Liberties expressed concern that exceptions to the voluntariness requirement tend to undermine the provision of non-digital alternatives, and commented that they hold ‘particular concerns about enforcing voluntary participation by accredited and relying service providers.’[37]

2.41The Department of Finance reassured the committee that the categories for exemptions are limited and appropriate, and that the voluntariness requirement would not be undermined by these exemptions. They listed some circumstances where it may be appropriate for the Digital ID Regulator to grant an exemption to a non-Commonwealth relying party including where it is a small business, or operates solely online, or to provide a service in exceptional circumstances.[38] Furthermore, the Department noted that ‘Commonwealth relying parties cannot seek exemptions from the voluntariness requirements.’[39]

Security

2.42Submitters spoke of the risks under the status quo relating to cyberattacks, scams and fraud being perpetrated, and noted the prevalence of organisations collecting identity documents.[40]

2.43Witnesses and submitters expressed views that digital ID, subject to appropriate safeguards and oversight, would enhance security of users’ personal information.[41]

2.44The Australian Banking Association noted the current practice of storing electronic versions of physical identity documents poses considerable security risks. They explained how the adoption of digital identity bills will help protect individuals from fraud and scams:

Firstly, that Australians will have a much greater control and choice over their own digital identity, where it's used and how it is used; and, secondly, they can have much more confidence that their identity is better protected than it is using current physical documents where … you are scanning and effectively taking photographs of your identity documents but then have no control over how they're ultimately used.[42]

2.45AUCloud submitted that many cyber risks would be mitigated by digital ID, as the extent of data held by compromised organisations would be reduced.[43]

2.46CyberCX welcomed the bills as a ‘positive development for government, citizens and industry’[44] and outlined that:

From a cyber security perspective, a voluntary system that reduces the need for Australians to repeatedly provide identity documents to different organisations reduces the threat exposure across Australia’s digital economy.[45]

2.47The Tech Council of Australia highlighted the potential for digital ID to:

play a crucial role in uplifting cyber security and privacy, supporting broader public policy goals and reform processes (such as the 2023-2030 Australian Cyber Security Strategy and the Privacy Act reform process).[46]

2.48Digital Service Providers Australia New Zealand warned that cyber security risks from a voluntary digital ID system may fall on individuals without digital ID, rather than those with digital ID.[47]

Data centralisation

2.49Many submissions from individuals expressed data security concerns. These individuals pointed to high profile hacking incidents and argued that the digital ID system would create a honeypot; a repository of valuable data that would be targeted by hackers.[48]

2.50Canberra Declaration, who self-describe as a grassroots network of caring Australians committed to the preservation of faith, family, freedom and life, submitted that the digital ID bill will collate all personal data into one system, which would result in a single point of failure that would allow for large-scale identity fraud if the single point of failure came under the control of a malicious party.[49]

2.51However, witnesses and submitters with cyber security expertise expressed support for the digital ID bills from the perspective of fraud and scam prevention. Both Australian Payments Plus and CyberCX stated that the digital ID system would not create a centralised repository of personal data, and there would be no ‘honeypot’ of personal information.[50]

2.52At the public hearing, Dr Ted Dunstone of BixeLab agreed with the assertion that pools of personal data already exist, and that the digital ID system would be a way of securely verifying information from these pre-existing datasets.[51]

2.53The Department of Finance supported this view rejecting the concerns of a ‘honeypot’, and stated that under the legislation, ‘[t]here is no centralisation of all digital ID information.’ They also confirmed that ‘under data minimisation principle in the Privacy Act, the government’s digital ID, again, seeks to limit the amount of information that it stores to enable the identification or verification of the person, and with their consent if needed to access a service.’[52]

Legislative consistency

2.54Submitters provided feedback regarding reporting obligations concerning cyber security incidents and the alignment of cyber security terms between the bills and other legislation.

2.55Submitters were cautious of the obligations on organisations for reporting cyber security incidents. The Australian Retail Credit Association was concerned that the digital ID bill would introduce uncertainty around reporting obligations for attempted cyber security breaches. They expressed a preference to define the term cyber security incident in accordance with the Security of Critical Infrastructure Act 2018.[53]

2.56This was echoed by Equifax, who noted the ‘Australian Cyber Security Strategy 2023–2030 and the call to design and align common security standards.’[54]

2.57The Northern Territory Department of Corporate and Digital Development considered that the requirement to provide notification of reportable incidents within 24 hours of becoming aware of them may not be feasible in all cases.[55]

2.58Australian Payments Plus identified that some accredited entities participating in the digital ID system may be subject to other legislation which imposes obligations relating to the prevention of fraud and money laundering. They suggested that these regulatory obligations imposed on business activities ought to be accommodated by the digital ID bill.[56]

2.59The Free Speech Union of Australia submitted that the bill imposes overly broad restrictions on communicating security details of the system. They argued that the restrictions on communications about security systems will likely mean that security risks will remain undetected. They suggested that the bill be amended so that disclosing information about the technological operation of digital ID systems or existing security risks would not attract a penalty.[57]

2.60The Department of Finance noted that delegated legislation will contain matters regarding security requirements and data standards to enable the best response to evolving threats. The Department considered that dealing with cyber security matters related to digital ID in the rules will accommodate new technologies and support ongoing administration of the legislation.[58]

Privacy

2.61Stakeholders were generally supportive of the ability of digital ID to improve the security of personal and private information.[59] Submitters believed that these enhancements would result from reducing the data that must be stored by businesses and reducing the types of personal attributes that need to be shared.[60]

2.62The Office of the Australian Information Commissioner (OAIC) identified that the Digital ID bill contains strong privacy protections including protections beyond and additional to those that currently exist in the Privacy Act 1988.[61]

2.63The Department of Finance elaborated on the privacy safeguards and how they extend above and beyond the Privacy Act, stating:

There are a range of privacy safeguards in chapter 3 of the bill which apply over and above the Privacy Act. It is important to note that all accredited entities here would need to be subject to the Privacy Act or a comparable privacy law. There are additional safeguards around requirements for express consent for creating digital IDs, around providing people with the option to deactivate their digital ID. There are prohibitions or restrictions on sharing certain types of sensitive information, through either prohibited attributes or restricted attributes. I know that has been the subject of some questions earlier today. There are restrictions on the use and disclosure of biometric information, including a ban on what's called one-to-many biometric matching— biometrics are only being used to verify a known person's identity, not to try to identify people. There are also restrictions on the use of unique identifiers, data profiling, as well as on the use of personal information for direct marketing.[62]

2.64Some submitters believed that the digital ID bills should be progressed after the government implement reforms following the Review of the Privacy Act. Others, including the Business Council of Australia, said that postponing is not a supported option and that both can be done in parallel:

An enormous amount of work is underway on the review of the Privacy Act at the moment. I think we can do these things in parallel. Many of the changes that, hopefully, will come through in the Privacy Act to address some key principles will flow through and add extra protections here. That is a good way of going. But I believe that we also have to keep going with the digital ID because you have already got the government ID, you've got New South Wales, you've got Queensland and you've got private operators that are not in a system that has this tighter framework. It exists already. Let's not stop with that. Let's get on with it. I think we can do the things together and they will complement each other. Because we have a problem and a gap, as we have today, we can't just stand still.[63]

Data profiling

2.65The potential for commercial organisations to use data profiling for the purposes of profit was raised as a concern. While the bill contains protections against data profiling, some submitters warned against allowing organisations to track the online and transactional behaviour of individuals for commercial interests.

2.66Digital Rights Watch expressed preference for the digital ID bill’s protections against data profiling to be tightened. They identified that the bill provides an exemption to the prohibition which would allow an entity to use data profiling for purposes related to the provision of the entity’s accredited services.[64]

2.67Equifax was concerned about the effect of data profiling prohibitions on their capacity to undertake fraud prevention. Equifax identified that the bill currently prohibits the use of data profiling for fraud prevention purposes and suggested that the bill should be amended to allow data profiling to track online behaviour for the purposes of preventing, detecting or investigating potential fraud.[65]

2.68The Department of Finance described the digital ID bill’s restrictions on data profiling as one of multiple measures designed to enhance the protection of information used by accredited entities and to enhance community trust in digital ID.[66]

Biometrics and sensitive attributes

2.69Submitters advised that caution should be exercised around the use of biometric attributes for verifying individuals’ identities.

2.70The UNSW Allens Hub was concerned about the primacy of biometrics as a means of identifying individuals. They asserted that:

the capacity of biometrics to accurately identify people is largely unverified and untested

biometrics may exclude people who fail to be identified by them and exacerbate discrimination, inequality and violation of dignity, and

special protections are warranted for biometric data.[67]

2.71The Office of the Information Commissioner Queensland supported the safeguards proposed by the bill, including restricting the collection, use and disclosure of prohibited attributes, and introducing additional biometric protections, such as a prohibition on one-to-many matching.[68]

2.72Some submitters were concerned that use of biometrics may have collateral consequences. The New South Wales Council for Civil Liberties noted that errors in facial recognition technology may result in denial of essential government services. They underscored that:

[s]hould biometric technology be used for verification, even in a limited way, robust testing should be a prerequisite to its adoption in order to interrogate bias, accuracy, and the impact on vulnerable categories of people.[69]

2.73The Commonwealth Bank of Australia also alluded to potential unintended exclusion:

[w]hile these provisions [restricting collection of certain attributes] are undoubtedly well-intentioned, they may undercut inclusiveness of the Digital ID System for certain ethnic or religious groups, particularly where regular methods of identification may be more difficult due to a lack of documentation.[70]

2.74Some submitters were concerned about the timeframes under which entities would be required to delete biometric data. BixeLab suggested amendments regarding biometric data testing, namely that collection of certain attributes, such as racial or ethnic attributes, should be allowed for the purposes of assessing system bias, and that the current limit of 14 days to retain biometric data for testing is too short and should be extended to a 28- or 60-day period.[71]

2.75Equifax expressed concern that the obligation to delete biometric data after a certain period would impede fraud investigation. Equifax considered that the set time frame for deletion of biometric information will indicate when fraudsters could commit fraud.[72]

2.76Digital Rights Watch welcomed the requirement under clause 48 to immediately destroy data after using it to verify an individual’s identity, and emphasised the importance of protecting against potential misuse, over-collection, or unreasonable retention of biometric data. They also considered that exemptions to this deletion requirement under subclauses 48(3) and (4) are reasonable.[73]

2.77The Department of Finance clarified the intention of the bill and the balance that has been struck between retaining and destroying data:

…we're seeking to balance competing perspectives here. On the one hand there are people who are concerned at any retention of biometric information for any period that is longer than strictly necessary to verify a person's identity because of the potential privacy and security risks about having retained biometric data; on the other hand, as your question alludes to, there is the ability to use biometric information for fraud prevention purposes. We've had some stakeholders suggest that it should be retained for longer. Others have suggested that it should only be retained as strictly necessary. It is about trying to strike a balance between those two perspectives.[74]

Access to data by law enforcement and national security bodies

2.78The restrictions in the digital ID bill on access to personal information are applied to a range of ‘enforcement bodies’, as defined in the Privacy Act 1988.

2.79Several submitters were pleased to see the circumstances in which enforcement bodies would be able to access data in the digital ID system had been narrowed from the exposure draft.[75] Some submitters asserted law enforcement agencies are still likely to make many applications for digital ID information.[76]

2.80Some submitters argued that the restrictions on enforcement bodies’ access to data did not go far enough. The New South Wales Council for Civil Liberties objected to exemptions for law enforcement entities to access identifying information from the digital ID system. They stated that ‘[i]ndividuals should have no concerns when using the AGDIS that it may be accessed by law enforcement or for other unauthorised purposes by private enterprise’.[77]

2.81Digital Rights Watch reiterated their strong opposition to ‘any repurposing of digital ID data or infrastructure for surveillance purposes’,[78] and asserted that:

[n]o justification has been put forward for allowing such access. Individuals ought to be able to voluntarily use a Digital ID without any concern that doing so may later be used to enable mass surveillance. Such concerns undermine public trust in these systems. Prohibiting the use of Digital ID data from law enforcement purposes is the most effective way to prevent this from occurring.[79]

2.82Information Integrity Solutions Partners (IIS Partners) expressed support for the proposed access restrictions in the bill. IIS Partners supported the proposal that biometric information could only be disclosed to law enforcement entities by accredited entities where the law enforcement entities obtained a warrant.[80]

2.83The OAIC supported the proposed privacy framework for the digital ID system regarding access to data by enforcement bodies. The OAIC also identified that there may be inconsistency between clause 54, which restricts the disclosure of personal information to enforcement bodies, and paragraph 47(4)(e), which permits the disclosure of unique identifiers for purposes related to identifying and prosecuting criminal offences. They suggest that paragraph 47(4)(e) could be removed or revised to align it with clause 54.[81]

2.84IIS Partners expressed concern that the digital ID bill is silent regarding national security agencies,[82] which do not fall under the definition of ‘enforcement body’. IIS Partners suggested that national security agencies could have ‘untrammelled access to information in the digital ID system through provisions in other legislation’ and noted that ‘National security agencies were barred from access to personal information created by the COVIDsafe app’.[83]

2.85Providing further detail on how the bills had been narrowed following consultation on the exposure draft, the Department of Finance said:

There are strong public policy interests in the ability of law enforcement agencies to access digital ID information to help protect the integrity of digital ID services and to help protect the community from cybercrime and other crimes, more broadly.

We are conscious of that, and of the need to address understandable community concerns about privacy issues around access to law enforcement information. The starting point has been to look at existing legal frameworks governing law enforcement access to information outside the digital ID system, and then to look at building in additional safeguards over and above those.

…

So, as to what the bill provides for in terms of non-biometric information: law enforcement agencies, in order to request information, would either need to obtain a warrant or have the express consent of an individual for the disclosure of information. That would be only for the purpose of verifying that individual's identity, for the purpose of investigating or prosecuting an offence, or thirdly, if an enforcement body has commenced proceedings against a person.

The exposure draft bill contained additional grounds on which law enforcement might access information, which is where an enforcement body reasonably suspected that an offence had occurred. Based on feedback through the consultation process, the government has decided to amend the bill to remove that ground as an additional safeguard over the disclosure of information.[84]

Offshore processing of data

2.86The Australian Banking Association suggested that an exemption should be introduced to the bill which would allow digital ID system data to be held offshore in certain circumstances. They noted that the draft Digital ID Rules would provide the Minister with the power to grant an exemption from the requirement under the draft Rules from the requirement to hold, store, handle, or transfer data onshore in Australia. They suggested legislation should ‘enable the Minister to grant class exemption in appropriate cases to improve efficiency of scheme administration and provide greater consistency across the scheme.’[85]

2.87At the public hearing, they elaborated on this position:

The statement in our submission refers to the fact that some service providers may have data hosting capacities both in Australia, in the region and in other parts of the world. We were asking parliament to consider whether, in defining the ability to seek an exemption from the requirement to hold data onshore, the capacity and appropriateness of service providers could be taken into account.[86]

Costs

2.88Some individuals expressed concern at the cost of the system, both from the perspective of public expenditure and from the costs that could be incurred for individuals and businesses.[87]

2.89The Department of Finance noted that under the current legislated AGDIS, individuals are not charged for use of a digital ID. The Department identified that any future charging arrangements remain subject to Government consideration but noted that any such arrangements would be subject to the Australian Government Charging Framework and periodic review.[88]

2.90The potential cost to businesses of digital ID verification was raised as a concern. Digital Service Providers Australia New Zealand indicated that, depending on the fee structure chosen for the digital ID system, participating relying parties could face high operating costs. While noting the fee structure may need to differentiate between identity verification and ongoing authentication, they suggested applying the fee structure across the system and aligning this fee structure with the fee structures of Twilio, Google or Amazon.[89]

2.91Retail Drinks Australia emphasised the importance of cost-effectiveness for methods for digital ID verification. They maintained that the absence of cost-effective and practical solutions to verify customers’ identities online would have an adverse outcome for consumers and the liquor retail industry.[90]

2.92Submitters also clearly indicated that the status quo is already costly to businesses. At the public hearing, Australian Payments Plus indicated the cost benefits that a digital ID system could bring to businesses:

There is a real cost to businesses of data. There is a cost associated with acquiring that data. There is a cost of storing the data and keeping insecure and is a cost to safely deleting the data. And for many small businesses, these costs can be significant.[91]

2.93The Tech Council of Australia also identified the significant cost to business of manual identity verification methods:

Manual identity verification … comes with significant costs and imposts for businesses and individuals. That includes things like physically scanning documents, certifying documents, mailing documents by post, travelling to a physical site in person and manual processing.[92]

Interoperability

2.94Interoperability requirements were supported by submitters as a means of ensuring consumer choice in the AGDIS.

2.95The Department of Finance described the interoperability requirements in the bill as prohibiting participating relying parties from limiting consumer choice and prohibiting accredited entities from limiting their interactions with each other. They argued that the interoperability requirements are intended to ensure people can choose which digital ID provider they use to access services.[93]

2.96Australian Payments Plus was highly supportive of the interoperability requirements, and made suggestions for supporting full interoperability:

Strengthening Australia’sresilience to cyber threats and identity fraud at an ecosystem level will only be achieved once there is full interoperability within the Digital ID System … Overseas experience shows a successful national digital identity ecosystem relies on interoperability and mutual recognition of digital credentials between the public and private sectors, which in the case of the AGDIS is the proposed ‘Phase 4’.[94]

2.97Digital Transformation Agency supported the interoperability requirements in the bill:

Interoperability will help reduce the administrative burden upon people and businesses when engaging with various parts of the Government and facilitate the development of new streamlined services such as those centred around Life Events.[95]

Exemptions from the interoperability requirement

2.98Digital Rights Watch conveyed that they were ‘somewhat concerned that such an exemption may result in the unintended consequence of limiting the choice and data control of people with additional needs.’[96]

2.99The Department of Finance indicated that exemptions from interoperability:

will only be granted in limited circumstances, such as for government services where there is potential for identity fraud to have a significant impact on the financial circumstances of individuals or businesses in Australia.[97]

Phasing

2.100Several organisations representing businesses expressed a preference for greater clarity surrounding the timing of proposed phasing on the basis that this would be important for delivering benefits of digital ID to citizens and to improve certainty and participation rates for businesses.[98]

2.101This was echoed by the Tech Council of Australia, who wrote that:

A timely rollout scheduleunderpinned by transparent communication is crucial for private sector entities tostrategically align their preparations with the phased implementation of the national digitalID system.[99]

2.102The Australian Retail Credit Association also expressed a desire for clarity around the timing of different phases, because such clarity:

will provide the private sector with more certainty to base investment decisions, and drive increased innovation in the sector and quicken the speed of economy-wide adoption of digital ID, and the benefits that will accrue from this.[100]

2.103Financial Advice Association Australia endorsed the current proposed phasing and stated that phase 4 would be ‘revolutionary’ for its members’ businesses.[101] They noted that, while it is important to ensure public trust and maintain security of data, the rollout of digital ID should be accelerated because ‘[t]he economy needs this functionality as soon as possible, and delays are damaging to the nation’s future growth and client data security.’[102]

2.104Cuscal recognised a need to develop robust technical and oversight capabilities in preparation for phases involving the private sector. They wrote of the need to identify gaps as the digital ID system scales up in order to support smooth transitions and ensure the digital ID system is ready for private sector use.[103]

2.105The Department of Finance noted that ‘[t]he Government will consult with stakeholders to inform decision-making on phasing.’[104] The Department justified the current proposed approach to phasing in the digital ID bill, submitting that the managed, gradual expansion of the system:

allows the Minister to ensure the system is operating appropriately once the Digital ID Bill commences and in each phase, before expansion to the next phase occurs. It is expected that each phase will proceed sequentially as each preceding phase demonstrates sufficient maturity, for example the readiness of different relying party services to support users of Digital IDs.[105]

Redress

2.106Submitters were supportive of a redress mechanism specifically for digital ID. For example, CyberCX noted the benefits a legislated redress scheme would bring.[106]

2.107Digital Rights Watch echoed the importance of a redress scheme, and noted that the digital ID scheme anticipates the introduction of a redress scheme, but does not guarantee one:

There are provisions that relate to relationships between the government and providers of the service, but for individuals who might be harmed as a result of a breach or some kind of misuse of personal information under the scheme, there is no direct right of redress. There's the possibility that it may be created, but that's not enough.[107]

2.108Submitters also expressed a desire for more certainty in the operation of redress mechanisms. The OAIC identified that it is unclear how immunity from liability under clause 84 would interact with obligations under other laws, such as the Privacy Act 1988 and Australian Privacy Principles, and suggests the provision is clarified to ensure it does not provide immunity from obligations under the Privacy Act.[108]

2.109The Governance Institute of Australia indicated its members would welcome clarity around the role of the ACCC as Digital ID Regulator where the OAIC continues to exercise complaint handling functions for privacy breaches.[109]

2.110Some submitters spoke about other redress mechanisms. Blind Citizens Australia argued that, for digital ID-related discrimination or misidentification, a streamlined complaints pathway is needed. They identified that the Australian Human Rights Commission could provide recourse in such a situation but indicated that the timeframe for review could be too long.[110]

2.111The Financial Services Council noted that individuals may be able to pursue redress in cases of fraud or scams through the Australian Financial Complaints Authority.[111]

Committee view

2.112The committee is pleased with the numerous benefits that a legislated digital ID scheme will bring to individuals and businesses who choose to participate in the system, giving greater control over personal information and when it is shared, and to reduce insecure storage of personal information by institutions.

2.113The committee was pleased to hear that industry and business groups support the potential for a digital ID system to enhance economic outcomes for businesses and consumers, including convenience and productivity.

2.114The committee is encouraged by the level of personal privacy and data protections in the Bill – that go above the Privacy Act – and agree with witnesses that digital ID is a very secure alternative to verify an individual’s identity.

2.115The committee is reassured by the provisions of the bill and commitments from participants that voluntariness is a fundamental and critical element of the digital ID scheme’s continuing success as it is expanded across the economy.

2.116The committee is encouraged by the level of consultation undertaken across the economy and with individuals that has contributed to the development of these bills. The committee strongly believes the government has struck the right balance in adopting feedback to improve the bill, particularly security and protections, while ensuring participants can positively operate in the digital ID system. The committee particularly welcomes the narrowing of the bill in relation to accessing law enforcement bodies as an outcome of consultation on the exposure draft.

Voluntariness and access

2.117The committee recognises the importance of a voluntary digital ID system and views expressed by some individuals and organisations who are wary that the digital ID system may be mandatory, either in actual or practical terms.

2.118On considering the evidence, the committee believes the bills strike the right balance between facilitating businesses to participate in the system, while ensuring that individuals have a free, voluntary choice whether they chose to obtain or when they use a digital ID.

2.119The committee notes views that the exemptions and exceptions provisions were met with some caution and understands that they are not being expanded beyond their current scope.

2.120The committee is encouraged by the evidence which indicated that the exemption provisions were intended to apply only in limited circumstances, and that no exemption would be granted for Australian Government entities where there will always be voluntary access for individuals accessing services.

2.121The committee thanks submitters’ for providing their views on the risks of potential social exclusion and accessibility, and feedback on how to mitigate those risks. The committee believes the government should continue to consider these issues as the digital ID system is phased across the economy, and believe the statutory review is a good opportunity to further consider these issues.

2.122The committee notes the importance of access to government services and welcomes that digital ID will continue to be voluntary for individuals accessing government services and that Australian Government entities will be required to provide services for those without a digital ID or choosing not to use a digital ID.

2.123The committee is encouraged by private sector organisations’ commitment to provide alternatives to digital ID for individuals who choose not to, or are unable to, obtain a digital ID.

2.124The committee welcomes the procedures that would be implemented to ensure that participating entities are of highly trustworthy and reliable character, and that ongoing oversight and review of these entities will protect individuals against any misconduct.

Security

2.125The committee welcomes the submissions of a range of stakeholders who have demonstrated a clear desire to address data security concerns in an environment of prevalent cyber security threats. The committee also appreciates the technical expertise submitters shared through their submissions to the inquiry.

2.126While some concerns were raised regarding data security, the committee considers that the proposed legislated digital ID system would be more secure than the non-digital processes currently used to verify ID.

2.127The committee notes the helpful context provided by witnesses at the public hearing which addressed concerns that the digital ID system could create a ‘honeypot’ of personal information one centralised storage data. These witnesses stressed that the digital ID system would provide a more secure way of providing access to already-existing personally identifying data and that data is not stored in one central location.

2.128The committee agrees with submitters who argued that the digital ID system would enhance the security of individuals’ personal information, reducing the potential for individuals to have their data affected by cyber security incidents.

Privacy

2.129The committee welcomes the commitment from submitters to ensure that individuals’ privacy and personal information is protected in a digital ID system. The committee was pleased to see numerous submitters agree that a digital ID system is a more secure way for personal information to be stored and verified.

2.130The committee notes the commercialised use of data through profiling and tracking of a person using digital ID is prohibited, as is the disclosure of information for marketing purposes in the Bill. The committee believes this addresses concerns from submitters regarding data profiling and the need to ensure participating entities in the digital ID system do not expansively interpret the limited circumstances under which data profiling is allowed.

2.131The committee notes the security tension between identifying fraudulent use of digital ID and ensuring that personal information is not retained for longer than is necessary. The committee thanks submitters for providing reasoned arguments concerning these important considerations and believes the bill strikes the right balance between the need for retention and deletion.

2.132The committee believes that the proposed safeguards will help ensure people who choose to create and reuse digital IDs can be confident that their information is safe and secure, and that their privacy will be protected.

2.133The committee is of the view that the bills’ safeguards for the access by enforcement bodies are appropriately balanced and improved on the previous exposure draft of the bill. As proposed in the digital ID bill, access to identifying information will require a warrant, unless it is being disclosed with consent, or disclosed for the purpose of an accredited entity reporting digital ID fraud and cyber security incidents.

Interoperability

2.134The committee welcomes the strong interoperability provisions in the digital ID bill. This ensures consumers have choice of providers when using a digital ID and enjoy recognition across verification services in the public and private sectors.

2.135The committee notes the evidence provided in submissions which indicated that interoperability would reduce administrative burdens and will contribute to Australia’s cyber resilience.

2.136The committee is of the view that the interoperability requirement is appropriate for protecting these individuals’ choice and that the circumstances for exemptions are reasonable and appropriate.

Phasing

2.137The committee notes the clear appetite of the private sector to be involved as early as possible in a digital ID system and is pleased to see this enthusiasm to implement digital ID across the economy.

2.138The committee is of the view that ensuring the smooth and intended operation of the AGDIS is crucial to the success of the digital ID system, and that the phased expansion of the AGDIS is the appropriate means of ensuring the system operates as intended.

2.139The committee is of the view that the current proposed phasing is important and welcomes evidence that the approach will be non-linear.Ensuring the system can upscale and transition smoothly and enabling the most user-friendly experience possible for businesses and individuals will be critical to its expansion across the economy.

2.140The committee notes and supports the commitment from the Australian Government to consult with digital ID stakeholders regarding system phasing which is ongoing.

Redress

2.141The committee appreciates that a redress scheme is an important part of consumer trust in the digital ID system, and that safeguards for the privacy and security of individuals’ data must be enforced.

2.142The committee notes submitters’ concerns and expectations regarding appropriate means of redress being introduced through digital ID legislation.

2.143The committee notes that the establishment and details of a redress scheme can be appropriately introduced through the rules, which will support the implementation and maintenance of a redress scheme in a way that is responsive to the needs of the individuals.

2.144The committee is of the view that the bills and subsequent rules and delegated legislation will provide individuals with the necessary means of redress should any harm occur. The committee is assured by the experience of the digital ID Regulator and other oversight bodies which will be responsible for ensuring the proper functioning of the system.

2.145The committee recommends that the bills be passed.

Senator Jess Walsh

Chair

Footnotes

[1]See, for example, Endeavour Group, Submission 6, p. 1; Governance Institute of Australia, Submission 16, p. 1; Digital Transformation Agency, Submission 20, p. 2; New South Wales Council for Civil Liberties, Submission 21, p. 2; Equifax, Submission 25, p. 2; Department of Corporate and Digital Development - Northern Territory Government, Submission 27, p. 1; Cuscal, Submission 30, p. 1; Financial Services Council, Submission 32, p. 1; Business Council of Australia, Submission 38, p. 2; Private Healthcare Australia, Submission 47, p. 2.

[2]Department of Finance, Submission 28, p. 4.

[3]Office of the Australian Information Commissioner, Submission 19, p. 2.

[4]See, for example, Blind Citizens Australia, Submission 13, p. 5; Commonwealth Bank, Submission 41, p. 1; New South Wales Council for Civil Liberties, Submission 21, p. 3.

[5]See, for example, Ashley, Francina, Leonard and Associates, Submission 26, pp. 2–4.

[6]See, for example, Woolworths Group, Submission 1, p. 1; Office of the Information Commissioner Queensland, Submission 7, p. 2; Human Technology Institute, Submission 39, p. 1; Australian Retail Credit Association, Submission 48, p. 3.

[7]BixeLab, Submission 15, p. 1; CyberCX, Submission 31, p. 2.

[8]Westpac, Submission 36, p. 2; Commonwealth Bank, Submission 41, p. 1.

[9]Digital Rights Watch, Submission 14, p. 3.

[10]Australian Competition and Consumer Commission, Submission 8, p. 1.

[11]See, for example, Woolworths Group, Submission 1, p. 1; Australian Retailers Association, Submission 34, p. 1; Private Healthcare Australia, Submission 47, p. 2; Digital Service Providers Australia New Zealand, Submission 9,p. 1; National Australia Bank, Submission 18, p. 1; Tech Council of Australia, Submission 45, p. 1.

[12]See, for example, TechnologyOne, Submission 2, p. 2; Retail Drinks Australia, Submission 5, p. 1.

[13]Australian Retail Credit Association, Submission 48, p. 2; Financial Advice Association Australia, Submission 22, p. 2.

[14]Australian Banking Association, Submission 33, p. 2.

[15]MDR Security, Submission 17, p. 3.

[16]Department of Finance, Submission 28, pp. 3, 9.

[17]See, for example, Ms Lynn Kraus, Chief Executive Officer, Australian Payments Plus, Committee Hansard, 9 February 2024, p. 6; Mr Christopher Taylor, Chief of Policy, Australian Banking Association, Committee Hansard, 9 February 2024, p. 6; Ms Shohini Sengupta, PhD Candidate, UNSW Allens Hub for Law and Technology, Committee Hansard, 9 February 2024, p. 13; Professor Ed Santow, Co-director, Human Technology Institute, University of Technology Sydney, Committee Hansard, 9 February 2024, pp. 13–14; Ms Wendy Black, Head of Policy, Business Council of Australia, Committee Hansard, 9 February 2024, p. 26.

[18]Committee Hansard, 9 February 2024, p. 25.

[19]Digital ID Bill 2023, cl. 45.

[20]Human Technology Institute, Submission 39, p. 3.

[21]Digital Service Providers Australia New Zealand, Submission 9, p. 3.

[22]UNSW Allens Hub for Technology Law and Innovation, Submission 12, p. 5.

[23]New South Wales Council for Civil Liberties, Submission 21, p. 9.

[24]Department of Finance, answer to question on notice, 9 February 2024 (received 19 February 2024).

[25]See, for example, Economic Justice Australia, Submission 11, pp. 1–2; Human Technology Institute, Submission 39, p. 13.

[26]Digital Rights Watch, Submission 14, p. 9.

[27]New South Wales Council for Civil Liberties, Submission 21, p. 10.

[28]Blind Citizens Australia, Submission 13, pp. 5–8.

[29]UNSW Allens Hub for Technology Law and Innovation, Submission 12, p. 3.

[30]UNSW Allens Hub for Technology Law and Innovation, Submission 12, pp. 4–5.

[31]Human Technology Institute, Submission 39, p. 3.

[32]Cuscal, Submission 30, p. 2.

[33]Cuscal, Submission 30, p. 2.

[34]A participating relying entity is a term defined in the bill. It means an entity which has been approved by the Digital ID Regulator to participate in the digital ID system. These are entities that rely or seek to rely on the digital ID system for assurance of individuals’ identities and with whom individuals would interact to access services.

[35]Mr Jacob Suidgeest, Director, Digital ID Legislation Unit, Digital ID Legislation and Engagement Branch, Digital ID and Data Policy Division, Department of Finance, Committee Hansard, 9 February 2024, p. 35.

[36]Maat’s Method, Submission 42, p. 4; UNSW Allens Hub for Technology Law and Innovation, Submission 12, p. 5.

[37]New South Wales Council for Civil Liberties, Submission 21, p. 8.

[38]Department of Finance, Submission 28, p. 16.

[39]Department of Finance, Submission 28, p. 16.

[40]See, for example, AUCloud, Submission 46, p. 2; Digital Rights Watch, Submission 14, p. 3; Mr Christopher Taylor, Chief of Policy, Australian Banking Association, Committee Hansard, 9 February 2024, p. 2.

[41]See, for example, TechnologyOne, Submission 2, p. 3; Office of the Australian Information Commissioner, Submission 19, p. 2.

[42]Mr Christopher Taylor, Chief of Policy, Australian Banking Association, Committee Hansard, 9 February 2024, p. 2.

[43]AUCloud, Submission 46, p. 2.

[44]CyberCX, Submission 31, p. 2.

[45]CyberCX, Submission 31, p. 2.

[46]Tech Council of Australia, Submission 45, p. 2.

[47]Digital Service Providers Australia New Zealand, Submission 9, p. 3.

[48]See, for example, Ms Shae Karringten, Submission 60, p. 1; Ms Melissa Anderson, Submission 61, p.1; Ms Susie Young, Submission 106, pp. 1–2; Mr Rodney Lewis, Submission 112, p. 4; Mr Grant Wilson, Submission 162, p. 1.

[49]Canberra Declaration, Submission 29, p. 5.

[50]Mr Jordan Newnham, Executive Director, Corporate Affairs, Brand and Policy, CyberCX, Committee Hansard, 9 February 2024, p. 22; Ms Lynn Kraus, Chief Executive Officer, Australian Payments Plus, Committee Hansard, 9 February 2024, p. 9.

[51]Dr Ted Dunstone, Chief Executive Officer,BixeLab, Committee Hansard, 9 February 2024, p. 23.

[52]Mr John Shepherd, First Assistant Secretary, Digital ID and Data Policy Division, Department of Finance, Committee Hansard, 9 February 2024, p. 30.

[53]Australian Retail Credit Association, Submission 48, p. 6.

[54]Equifax, Submission 25, p. 7.

[55]Department of Corporate and Digital Development – Northern Territory Government, Submission 27, p. 2.

[56]Australian Payments Plus, Submission 43, p. 6.

[57]Free Speech Union of Australia, Submission 10, p. 2.

[58]Department of Finance, Submission 28, pp. 13–14.

[59]See, for example, Australian Competition and Consumer Commission, Submission 8, p. 1; Westpac Group, Submission 36, p; Business Council of Australia, Submission 38, p. 3.

[60]See, for example, Business Council of Australia, Submission 38, p. 2; Australian Payments Plus, Submission 43, p. 1; Tech Council

[61]Office of the Australian Information Commissioner, Submission 19, pp. 2–3.

[62]Mr Duncan Anderson Assistant Secretary, Digital ID Legislation and Engagement Branch, Digital ID and Data Policy Division, Department of Finance, Committee Hansard, 9 February 2024, p. 30.

[63]Ms Wendy Black, Head of Policy, Business Council of Australia, Committee Hansard, 9 February 2024, p. 24.

[64]Digital Rights Watch, Submission 14, p. 8.

[65]Equifax, Submission 25, p. 5.

[66]Department of Finance, Submission 28, p. 17.

[67]UNSW Allens Hub for Technology Law and Innovation, Submission 12, p

[68]Office of the Information Commissioner Queensland, Submission 7, p. 2.

[69]New South Wales Council for Civil Liberties, Submission 21, p. 6.

[70]Commonwealth Bank, Submission 41, p. 3

[71]BixeLab, Submission 15, p. 2.

[72]Equifax, Submission 25, pp. 4–5.

[73]Digital Rights Watch, Submission 14, p. 5.

[74]Mr Duncan Anderson Assistant Secretary, Digital ID Legislation and Engagement Branch, Digital ID and Data Policy Division, Department of Finance, Committee Hansard, 9 February 2024, p. 31.

[75]See, for example, IIS Partners, Submission 37, p. 2; Digital Rights Watch, Submission 14, p. 1.

[76]World Council for Health Australia, Submission 35, p. 14; Maat’s Method, Submission 42, p. 5.

[77]New South Wales Council for Civil Liberties, Submission 21, p. 7.

[78]Digital Rights Watch, Submission 14, p. 1.

[79]Digital Rights Watch, Submission 14, p. 6.

[80]IIS Partners, Submission 37, p. 2.

[81]Office of the Australian Information Commissioner, Submission 19, pp. 4–5.

[82]National security agencies do not fall within the definition of ‘enforcement bodies’ under the Privacy Act 1988.

[83]IIS Partners, Submission 37, p. 3.

[84]Mr Duncan Anderson Assistant Secretary, Digital ID Legislation and Engagement Branch, Digital ID and Data Policy Division, Department of Finance, Committee Hansard, 9 February 2024, p. 32.

[85]Australian Banking Association, Submission 33, p. 7.

[86]Ms Rhonda Luo, Policy Director, Australian Banking Association, Committee Hansard, 9 February 2024, p. 6.

[87]See, for example, Name withheld, Submission 76, p. 1; Name withheld, Submission 85, p. 1; Ms Tessa Rasmussen, Submission 108, p. 1; Mr Ratu Mara, Submission 116, p. 1; Mrs Sandra Baxter, Submission 218, pp. 2–3.

[88]Department of Finance, Submission 28, p. 21.

[89]Digital Service Providers Australia New Zealand, Submission 9, pp. 3–4.

[90]Retail Drinks Australia, Submission 5, p. 2.

[91]Ms Lynn Kraus, Chief Executive Officer, Australian Payments Plus, Committee Hansard, 9 February 2024, p. 2.

[92]Mr Ryan Black, Acting Chief Executive Officer, Tech Council of Australia, Committee Hansard, 9 February 2024, p. 25.

[93]Department of Finance, Submission 28, p. 20.

[94]Australian Payments Plus, Submission 43, p. 2.

[95]Digital Transformation Agency, Submission 20, p. 4.

[96]Digital Rights Watch, Submission 14, p. 9.

[97]Department of Finance, Submission 28, p. 20.

[98]See, for example, Endeavour Group, Submission 6, p. 2; National Australia Bank, Submission 18, p. 1; Business Council of Australia, Submission 38, p. 2; Australian Payments Plus, Submission 43, p. 3.

[99]Tech Council of Australia, Submission 45, p. 4.

[100]Australian Retail Credit Association, Submission 48, pp. 3–4.

[101]Financial Advice Association Australia, Submission 22, p. 2.

[102]Financial Advice Association Australia, Submission 22, p. 3.

[103]Cuscal, Submission 30, p. 2.

[104]Department of Finance, Submission 28, p. 19.

[105]Department of Finance, Submission 28, p. 19.

[106]CyberCX, Submission 31, p. 3.

[107]Ms Elizabeth O’Shea, Chair, Digital Rights Watch, Committee Hansard, 9 February 2024, p. 16.

[108]Office of the Information Commissioner, Submission 19, p. 5.

[109]Governance Institute of Australia, Submission 16, p. 3.

[110]Blind Citizens Australia, Submission 13, p. 8.

[111]Financial Services Council, Submission 32, p. 3.