The Digital ID system is changing, for the better?
The Australian Government is continuing to refine its Digital ID Bill 2023 (the Bill), which aims to create a streamlined accreditation framework for Digital ID service providers to be used in both government and the broader digital economy.
This legislation builds on the existing Trusted Digital Identity Framework by establishing the Australian Government Digital ID System and providing new accreditation procedures. By aligning Australia with countries such as the UK and the USA that are implementing digital identification systems, the Bill seeks to simplify how businesses verify their customers, potentially increasing efficiency and reducing cyber liability in sectors with significant identification requirements, such as banking and finance. The proposed 'Digital ID Regulator', likely to be the Australian Competition and Consumer Commission (Regulator), will oversee accreditation and monitoring, while the privacy and security aspects of the regime will be regulated by the Office of the Australian Information Commissioner (OAIC). The framework parallels the Consumer Data Right (CDR) in building a new, regulated market on an existing foundation and established use cases.
In this Insight, we provide an overview of the proposed Digital ID System, including its accreditation and participation requirements, the increased overlap with existing privacy obligations, and the proposed regulatory powers.
- The Federal Government released an exposure draft of the Digital ID Bill 2023 that proposes an accreditation system for Digital IDs that can be used to access government and private sector services, commencing in 2024.
- The proposed regime requires accredited organisations to take on additional privacy and data security obligations (over and above existing privacy obligations) and will be co-regulated by the ACCC and OAIC, creating a complex regulatory framework in a similar vein to the Consumer Data Right regime.
- The Bill's exposure draft was released shortly after the Identity Verification Services Bill 2023 was introduced into Parliament, reflecting the Government's increased focus on digital verification and its broader interest in boosting the digital economy through regulatory development.
- The next phase of the Department of Finance's consultation regarding the Digital ID Accreditation Rules closes on 31 October 2023.
The Australian Government Digital ID System is a network of organisations that provide or use Digital ID services in delivering participating government and commercial services. Participants will include 'accredited entities', who can provide Digital ID services, and 'relying parties', who can offer access to their services using a Digital ID (but generally must also provide a non-Digital ID option for access).
Australian companies, foreign companies registered with ASIC, and Australian government entities can apply for accreditation. An accredited Digital ID will be required to access some government services. Accredited entities will be permitted to use a 'trustmark', which is intended to give customers peace of mind by showing that the Digital ID provider meets the additional privacy and security measures required for accreditation.
Obtaining accreditation and participation rights
The Bill proposes three types of accredited entities:
- identity service providers, who will help a user set up or manage a Digital ID
- attribute service providers, who will verify and manage 'attributes', which are additional pieces of information that can be associated with a person's Digital ID
- identity exchange bodies, who will facilitate interactions and information flow between identity service providers, attribute service providers and relying parties in a Digital ID system.
The process for obtaining accreditation is similar to the CDR accreditation process, in that entities must demonstrate a number of technical capabilities and the ability to manage privacy risks.
Key requirements for obtaining accreditation include the following:
- undertaking a privacy impact assessment that covers the matters required by the Digital ID Accreditation Rules (Accreditation Rules), such as details of the flow of personal information and a risk matrix
- undertaking assurance assessments and systems testing, both on application and annually, including:
  - a protective security assessment against standards such as ISO 27001, ISO 27002 or the PSPF
  - a fraud assessment that includes a risk matrix and an assessment of the entity's ability to respond to emerging risks and threats to its Digital ID data environment
  - a usability and accessibility assessment, covering matters such as clear and simple descriptions of the service in multiple accessible formats and the support available to individuals who are unable to use the Digital ID data environment
  - penetration testing that evaluates the effectiveness of the entity's security controls by emulating the tools and techniques likely attackers would use to exploit security weaknesses
  - usability testing to identify issues in the service's design, followed by action to mitigate those issues
  - accessibility testing against the Web Content Accessibility Guidelines (WCAG) version 2.1
- considering whether the entity is a fit and proper person. This may include requiring declarations from associated entities (including related bodies corporate and their directors and secretaries). This requirement mirrors the CDR requirement and can involve assessing the fitness of the broader corporate group, regardless of whether those entities or directors are involved in providing the accredited services.
Once an entity is accredited, the Regulator will determine whether it may participate in the Australian Government Digital ID System. The entity must show that it is able to provide an interoperable service and comply with the Digital ID data standards, the relevant service levels and any conditions imposed by the Regulator or the Rules (such as promptly notifying the Regulator of IT changes or outages). Participation may also be refused on national security grounds.
Relying parties do not need accreditation, but will still need to apply to participate, showing that they have a plan for interoperability testing, fraud management and business continuity, and that they have conducted a cyber security incident risk assessment.
Ongoing compliance requirements for accredited entities
An accredited entity must comply with the privacy safeguards detailed below, as well as additional consumer protections, namely:
- de-activating a Digital ID upon request;
- ensuring its services are accessible and inclusive;
- not holding, storing, handling or transferring system information outside Australia (unless an exemption applies);
- generally, keeping records for seven years, or for three years if accreditation has been revoked;
- producing an annual report that sets out changes made to the entity's Digital ID data environment and the results of assurance assessments and systems testing, and attests that the entity has reviewed its system security and fraud control plans; and
- complying with key reporting obligations to the Regulator.
Enhanced privacy obligations
In another mirror of the CDR, and in the context of broader Privacy Act 1988 (Cth) (Privacy Act) reforms (see our Insight), the Bill also proposes a series of enhanced privacy obligations for participants.
Rather than streamlining regulatory requirements, these obligations create a further layer of privacy obligations. While they appear to be broadly sensible having regard to the purposes of the regime, they add to the increased regulatory burden for entities looking to deliver accredited services.
These enhanced obligations include:
- Further data breach notification obligations to the Regulator, in addition to the existing obligation to notify the OAIC of an eligible data breach under the Privacy Act. Accredited entities must notify the Regulator of any 'cybersecurity incident', which includes:
  - unauthorised access, or attempted access, to a system, service or network
  - unauthorised impairment, or attempted impairment, of the availability, reliability, security or operation of a system, service or network.
In addition, any notice of an eligible data breach must be provided separately to both the Regulator and the OAIC. There does not appear to be any mechanism for streamlining these notification requirements, despite overlapping notice obligations being a key theme in the broader Australian Cyber Security Strategy consultation. Participating service providers will also need to keep in mind that the Regulator will have power to suspend or revoke a service provider's accreditation or participation rights where it reasonably believes the provider has suffered, or will imminently experience, a cybersecurity incident.
- A requirement to notify individuals of a cyber incident or risk in the Digital ID system that is likely to adversely affect individuals using the accredited services. This threshold differs from the Privacy Act requirement (which turns on the likelihood of serious harm to the affected individual), and the obligation extends to risks in the broader Digital ID system, not just incidents connected to data held by the entity.
- An extension of the definition of 'personal information' to ensure it includes 'attributes' used by an accredited provider that would not otherwise fall within the Privacy Act definition. An attribute is information associated with an individual, and expressly includes date of birth, address, passport or licence numbers, and the time and date a Digital ID was created (among other things). It also includes information that can be derived from another attribute. In practice, attributes such as these would almost always have been treated as personal information where connected to an identified individual. The main difference under the Bill is that attributes will be personal information even where they do not, in the first instance, relate to an identifiable individual. Given that the scope of personal information is being examined at length in the ongoing Privacy Act reform process, parallel regulation of that scope through the Digital ID regime may create ongoing challenges for industry.
- The introduction of 10 new 'Digital ID' privacy obligations for accredited entities (summarised below). A particular focus is the use of biometric information in Digital ID systems and the strict parameters imposed on that use. An accredited entity:
  - must not intentionally collect certain attribute information, including a person's racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, or sexual orientation or practices;
  - must not send a user's attributes to a relying party without express consent;
  - must not send restricted attributes (health information, government identifiers, criminal records and trade union membership) to a relying party without express consent, unless it is a condition of the entity's accreditation;
  - must not disclose an individual's unique identifier unless necessary for the detection of fraud or where disclosure facilitates access to a service using their Digital ID;
  - must not use one-to-many matching of biometric information (eg comparing a biometric profile against a set of others for the purpose of identification);
  - must comply with strict limits on the collection, use, disclosure and retention of biometric information, which generally confine the use of biometric data to identity verification or authentication and impose strict time limits for its destruction;
  - must comply with the Accreditation Rules governing emerging issues involving biometric information;
  - must not engage in data profiling to track online behaviour, unless an exception applies (such as where profiling is necessary to provide the service or to demonstrate compliance with obligations under the Act);
  - must not disclose personal information to a law enforcement agency unless that agency is otherwise authorised to collect the information and either there is a warrant, the agency reasonably believes the person has committed an offence or breached a law, or the agency has started proceedings against the person (narrowing the Privacy Act provision that permits disclosure to an enforcement body where necessary for 'enforcement related activity');
  - must not use or disclose personal information for marketing purposes unrelated to the Digital ID service provided, regardless of whether the individual consents; and
  - must not retain an individual's attributes, including name, address, date of birth, phone number, email address or restricted attributes, after the authentication session is complete.
Regulatory oversight and enforcement
The Bill also proposes that participants will be regulated predominantly by the Regulator, with privacy aspects regulated by the OAIC, again following the CDR model.
Under the Bill, the Regulator may revoke or suspend an entity's accreditation, including if:
- the entity breaches its obligations under the Bill or Accreditation Rules;
- the entity has been, or will be, involved in a cybersecurity incident;
- national security interest supports the decision; or
- the Regulator is satisfied that it is no longer appropriate (with consideration of whether the entity is a fit and proper person).
The ability to revoke accreditation because an entity has suffered a cyber incident is particularly notable, and marks a step towards a more outcomes-based approach to cyber regulation. Historically, regulators have acknowledged that cyber incidents can occur despite best practice, and consequences have followed from a failure to meet the required standard of care rather than from the incident itself on a 'strict liability' basis. While the Regulator retains a discretion as to whether to exercise this power, it significantly raises the stakes for businesses that rely on accreditation.
Both the Regulator and the OAIC may seek civil penalties, with a specific penalty regime split between the co-regulators. The maximum penalty for a contravention of a civil penalty provision is $469,500. This number may grow substantially if the penalty is enforced cumulatively over multiple individual contraventions.
In addition, the Regulator will have relatively typical powers to monitor and enforce compliance, including to give directions, compel production of a document or information, and issue a compliance notice. The OAIC may also issue an infringement notice, seek enforceable undertakings and seek injunctions on matters relating to the Digital ID Privacy Principles.
Decisions of the Regulator may be subject to review, including by the Administrative Appeals Tribunal.
This release of the Digital ID Bill arrives as one part of a larger series of developments led by the Government as part of its implementation of digital identification systems across public sector service platforms, and increased scrutiny over the security and privacy of individuals' sensitive data.
Earlier this year, the Government introduced the Identity Verification Services Bill 2023 into the House of Representatives. That Bill will authorise one-to-one matching of identity through identity verification services (eg matching the date of birth on a document against the record held by the Government), enabled by:
- a document verification service
- a face verification service
- a national driver licence facial recognition solution.
Under this legislation, corporations will only be able to undertake such action with each customer's consent. They will also have to sign legal agreements to provide a range of privacy safeguards.
While the services contemplated by the Identity Verification Services Bill and the Digital ID Bill differ in a number of ways, the Government's attempt to simplify the delivery of public identity services through both demonstrates its broader aim of bolstering public confidence in those services, which will only become more prevalent in the coming years, by ensuring that Australians' information privacy and security remain front of mind for regulators and participating service providers.
The Government has released a set of questions aimed at those impacted by the Digital ID Bill, and is calling for both responses and feedback. The closing date for the next phase of consultation for the Digital ID Accreditation Rules is 31 October 2023.
Timeline for phased rollout following consultation
The proposed Digital ID system will be rolled out in four phases commencing in 2024.
Phase 1: legislate and establish rules for Digital IDs; grow the use of myGovID into some state and territory services; and expand accreditation of commercial providers.
Phase 2: integrate state and territory systems with Digital ID to allow access to federal services using state and territory digital identification.
Phase 3: enable myGovID to be used to confirm identity when accessing private sector services, such as opening a bank account.
Phase 4: allow commercial providers of Digital IDs to be used to access agreed government services, as well as private sector services.
If you would like assistance to prepare a submission to either of the above consultations, please reach out to your Allens contact.