INSIGHT

Legislating the future of identity verification: navigating Australia's Digital ID Act

By Valeska Bloch, Isabelle Guyot, Elizabeth Brown, Scarlett Stevens

An overview of the Digital ID system

In late 2024, the Australian Government's Digital ID Act 2024 (Cth) (Act) took effect, establishing a Digital ID System (AGDIS) to replace the previous Trusted Digital Identity Framework. The Act creates an accreditation framework for Digital ID service providers and provides individuals with secure, convenient, voluntary and inclusive ways to verify their identity online with government and businesses, while promoting the privacy and security of personal information used for identity verification.

The regime is co-regulated by the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC). The framework has parallels with the Consumer Data Right (CDR), leveraging an existing regulatory foundation to drive innovation via established use cases.

From 30 November 2026, private sector entities will for the first time become eligible to apply to participate in the AGDIS, either as an accredited entity (ie, service provider) or a relying party (ie, business user).

In this Insight, we provide an overview of the Digital ID system established under the Act, including the accreditation and participation requirements, the overlap with privacy obligations and the roles performed by the relevant regulators.

Key takeaways

  • The Act establishes a voluntary accreditation system for Digital IDs that can be used to access certain government and private sector services.
  • The Digital ID regime imposes privacy and data security obligations (in addition to any applicable requirements under the Privacy Act 1988 (Cth) (Privacy Act)) on entities seeking accreditation and wishing to participate in the AGDIS.
  • Following consultation by the Department of Finance, reforms to the Digital ID Rules 2024 (Cth) (Digital ID Rules), the Digital ID (Accreditation) Rules 2024 (Cth) (Accreditation Rules), and the Act more broadly—including the implementation of a redress framework—were introduced in November 2025. An exposure draft of the further changes to the redress framework, the draft Digital ID Amendment (Redress Framework) Rules 2026, was subject to public consultation in March and April 2026.
  • Other jurisdictions (eg the UK) are also considering the introduction of digital identification systems to improve ease of access to government services and minimise the need to provide personal information.

Digital ID System overview

The Act and related regulations replace the previous Trusted Digital Identity Framework by providing new accreditation procedures for Digital ID providers and establishing the AGDIS (together, the Digital ID System). Within the Digital ID System, organisations that provide Digital ID services may apply to become 'accredited entities', while organisations that accept or rely on Digital IDs to provide access to their services are 'relying parties'. Participation in the Digital ID System is voluntary.

Under the Digital ID System, entities may apply to be accredited as an:

  • identity service provider or ISP: which provides a service to create and/or manage a digital ID;
  • attribute service provider or ASP: which provides a service to verify and manage an 'attribute' of an individual (being information associated with the individual such as their name, date of birth, contact information, biometric information, digital ID creation date and time, etc); or
  • identity exchange provider or IXP: which manages and coordinates data and information flows between participants in a Digital ID environment/system.1

Applications for accreditation are assessed by the ACCC as the Digital ID Regulator. The process mirrors CDR accreditation processes, requiring applicants to demonstrate a range of technical capabilities and an ability to appropriately manage privacy risks.

Accreditation requirements

When deciding whether to accredit an entity, the ACCC:

  • must have regard to any matters prescribed in the Accreditation Rules; and
  • may have regard to whether the entity is fit and proper (mirroring the corresponding CDR requirement)2 and any other matters it considers relevant.3

This gives the ACCC broad discretion to accept or refuse applications.

The key requirements for obtaining accreditation include:

  • correctly defining and documenting the boundaries of the entity's Digital ID data environment (and limiting these boundaries to the extent practicable).
  • having a clear statement of scope and applicability in relation to the Accreditation Rules and Digital ID (Accreditation) Data Standards 2024 (Cth) (Accreditation Data Standards), identifying the applicable requirements in relation to the proposed accredited services and evidence of compliance.
  • obtaining a privacy impact assessment, undertaken by an external assessor with relevant experience and qualifications, that includes an assessment of compliance with the privacy requirements in the Act and Accreditation Rules, and a risk assessment and matrix.
  • undertaking technical testing (and providing an associated technical testing attestation statement) demonstrating compliance with the Accreditation Rules and Accreditation Data Standards requirements regarding:
    • fraud and cybersecurity incident monitoring, detection, investigation, management and response
    • logging
    • user support
    • data minimisation
    • (in relation to entities proposing to use biometrics) safeguards for biometric information.

Technical testing includes requirements to undertake a protective security assessment, fraud assessment, accessibility and usability assessment, penetration testing, usability testing and testing against Web Content Accessibility Guidelines.4

AGDIS participation

'Accredited entities' (or applicants for accreditation) may also apply to the ACCC to participate in the AGDIS, provided they can meet the additional data standards and notification requirements (eg relating to IT changes and outages).5 Currently, only government or government-owned entities (including state and territory government entities) are eligible to participate in the AGDIS. Private sector accredited entities will become eligible to apply to participate from 30 November 2026.6

'Relying parties' may also apply to participate in the AGDIS. All entities applying to participate in the AGDIS must:

  • conduct a risk assessment to identify, evaluate and manage the risks of a cybersecurity incident and digital ID fraud incident occurring in relation to the relevant service;
  • have written cybersecurity and digital ID fraud management plans that address the risks identified in the risk assessment, include relevant prevention, identification, investigation and management processes for such incidents, and are reviewed at least annually; and
  • have a written disaster recovery and business continuity plan that outlines relevant procedures for critical functions of its IT system, and that is reviewed at least annually.7

All entities approved to participate in the AGDIS as 'accredited entities' or 'relying parties' are identified in the AGDIS Register maintained by the ACCC.8

Accreditation conditions

The ACCC has broad powers to impose conditions on accredited entities (including at the time of accreditation or at a later stage by notice),9 and entities may also request that conditions be applied to their accreditation (though these remain subject to ACCC approval). Conditions imposed may include:

  • compliance with the Act (default condition).
  • conditions that define or limit the scope of the accredited services the entity can provide.
  • conditions that authorise the entity to engage in conduct that may otherwise be prohibited under the Act (eg whether the entity can collect or disclose a restricted attribute such as health information).
  • conditions that direct/require the entity to engage in certain conduct (eg maintenance of insurance against liabilities arising in relation to AGDIS participants).

Accredited entities

Once an entity is accredited:

  • details of the entity and its accredited services are entered into the Digital ID Accredited Entities Register maintained by the ACCC;10 and
  • the entity may commence using the Digital ID Accreditation Trustmark for its accredited services (in accordance with the Act and Digital ID Rules requirements),11 signalling to consumers that its accredited service(s) comply with the data, privacy, cyber and fraud protection requirements set out in the Act, Accreditation Rules and Accreditation Data Standards.

Key obligations

To maintain accreditation, accredited entities must ensure ongoing compliance with privacy safeguards, in addition to any applicable requirements under the Privacy Act and additional consumer protections, including:

  • de-activation of an individual's Digital ID upon request;12
  • ensuring services are accessible and inclusive;13
  • (for AGDIS participants) keeping logs and records containing personal information for three years;14
  • producing an annual report that includes, among other things, changes made to the entity's Digital ID data environment, results of assurance assessments and systems testing, and attestation that the entity has reviewed its various plans (eg system security plan, fraud control plan, disaster recovery and business continuity plan, etc);15 and
  • complying with key reporting obligations to the Digital ID Regulator (the ACCC).

The Act also requires accredited entities that are not APP entities (as defined in the Privacy Act, for example because they are subject to the small business exemption or are state or territory entities) to comply with the Privacy Act, and in particular the eligible data breach notification scheme in Part IIIC of the Privacy Act (except in relation to state or territory entities that are subject to a comparable scheme).16

Privacy safeguards

The Act imposes enhanced privacy obligations on accredited entities, which are intended to build on existing Privacy Act safeguards. This reflects an ongoing trend in privacy regulation whereby sector-specific obligations are layered on top of existing frameworks, adding to the regulatory burden for entities seeking accreditation.

These enhanced privacy obligations include:

  • further data breach notification obligations: accredited entities must notify the ACCC of an eligible data breach, in addition to the existing obligation to notify the OAIC under the Privacy Act.17
  • cybersecurity and Digital ID fraud incident reporting: for AGDIS participants, a requirement to notify the System Administrator (which oversees operational aspects of the AGDIS) of any cybersecurity incident or Digital ID fraud incident that has occurred or is suspected in relation to accredited services provided or received within the AGDIS.18
  • expanded definition of 'personal information': the Act expands the definition to include 'attributes' used by an accredited provider that are not otherwise captured under the Privacy Act.19 An attribute is information associated with an individual, which expressly includes name and former name, date of birth, address and former address, passport or licence numbers, and the time and date a Digital ID was created (among other things),20 as well as information derived from another attribute.21 In practice, most of these attributes would likely constitute personal information under the Privacy Act when connected to an identifiable individual. The key extension is that the Act captures attributes even where they do not directly relate to an individual (for example, a passport number without further information linking that number to an individual).

The Act also introduces the following 11 Digital ID-specific privacy obligations for accredited entities,22 with a particular focus on biometric information and strict parameters for their use:

Accredited entities:

  1. must not intentionally collect certain attribute information, including a person's racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs or sexual orientation or practices (and if unintentionally collected, destroy it as soon as practicable after becoming aware it has collected it).
  2. must not send an individual's attributes to a relying party without express consent.
  3. must not send restricted attributes to a relying party without express consent, which includes health information, government identifiers, criminal record and trade union membership.
  4. must not disclose an individual's unique identifier unless disclosure is for the detection / investigation of a breach of the Act, fraud or a cyber incident.
  5. are prohibited from using one-to-many matching of biometric information (ie comparing a kind of biometric information of an individual against that kind of biometric information of individuals generally to identify the particular individual).
  6. must abide by strict limits on the collection, use, disclosure and retention of biometric information, which generally limit the use of biometric data by accredited entities to limited identity verification or authentication purposes, and are also subject to strict time limits for destruction of biometric information.
  7. must abide by the Accreditation Rules that govern issues involving biometric information.
  8. are prohibited from data profiling to track online behaviour, unless an exception applies such as to provide services, or to demonstrate compliance with their obligations in the Act.
  9. must not disclose personal information to a law enforcement agency unless that agency is otherwise authorised to collect that information, and there is a warrant, or the agency reasonably believes that person has committed an offence or breached a law, or the agency has started proceedings against that person.
  10. must not use or disclose personal information for marketing purposes unrelated to the entity's accredited service(s), regardless of whether the individual consents.
  11. must not retain the attribute of an individual after the authentication session is complete, including an individual's name, address, date of birth, phone number, email or restricted attributes.

Under the Act, the ACCC may revoke or suspend an entity's accreditation (or if it is a participant in the AGDIS, its approval to participate), including where:

  • it reasonably believes the entity has breached / is breaching its obligations under the Act;
  • it reasonably believes the entity has been, or will be, involved in a cybersecurity incident, or that a cybersecurity incident is imminent; or
  • it is satisfied that it is no longer appropriate for the entity to be accredited (having regard to whether the entity is a fit and proper person).23

Further, the ACCC must revoke or suspend an entity's accreditation (or its approval to participate in the AGDIS) if directed to do so by the Minister.24

Notably, the power to revoke accreditation where an entity has suffered a cyber incident marks a step towards outcomes-based cyber regulation. Historically, liability or fault—rather than the mere occurrence of an incident—has been the trigger for regulatory consequences. While the ACCC retains a discretion as to whether to exercise this power, it significantly raises the stakes for businesses that rely on accreditation.

Both the ACCC and the OAIC may take enforcement action, with a specific penalty regime split between the co-regulators. The maximum penalty for a contravention of a civil penalty provision is $2,475,000. This figure may increase significantly where penalties are applied and enforced cumulatively across multiple contraventions.25

Regulatory environment

Digital ID regulators

As with the CDR regime, the Digital ID System is co-regulated by the ACCC and the OAIC, supported by the Office of the System Administrator and Digital ID Data Standards Chair.

Regulator | Role
ACCC | Digital ID Regulator: responsible for accrediting providers (including approvals to join the AGDIS), approving services seeking to use accredited providers in the AGDIS, and undertaking compliance and enforcement activities.
OAIC | Privacy regulator: responsible for overseeing applicable privacy safeguards (including assessing providers' compliance), handling complaints and conducting data breach investigations.
Office of the System Administrator | Oversees operational aspects of the AGDIS, including applicant testing and onboarding of approved participants.
Digital ID Data Standards Chair | Responsible for developing and maintaining the Digital ID Data Standards relating to identity service provider biometric testing and authentication requirements, and technical integration requirements for AGDIS participants.

Legislative framework

The Digital ID System is established and governed by the following legislation and regulations.

Instrument | Purpose
Digital ID Act 2024 (Cth) | Establishes the Digital ID System.
Digital ID Rules 2024 (Cth) | Sets out requirements for AGDIS participants and obligations and conditions for using the Digital ID Accreditation Trustmark.
Digital ID (Accreditation) Rules 2024 (Cth) | Sets out requirements for entities to become accredited and maintain their accreditation, including to manage fraud, security, privacy, accessibility and usability.
Digital ID (Accreditation) Data Standards 2024 (Cth) | Sets out the technical, design, data and testing standards that accredited entities (or applicants) must uphold.
Digital ID (AGDIS) Data Standards 2024 (Cth) | Sets out the onboarding, technical and design requirements that providers must meet to participate in the AGDIS.
Digital ID (Transitional and Consequential Provisions) Act 2024 (Cth) and Digital ID (Transitional and Consequential Provisions) Rules 2024 (Cth) | Sets out the entities taken to be accredited entities and approved to participate in the AGDIS from the Act's commencement.
Digital ID (Phasing-in of Participation in the Australian Government Digital ID System) Determination 2024 (Cth) | Sets out the state and territory departments, authorities and entities currently permitted to apply for approval to participate in the AGDIS.

Key dates and upcoming changes

Date | Event
30 May 2024 | The Act received royal assent.
30 November 2024 | The Act commenced.
19 November 2025 | Amendments to the Digital ID Rules 2024 and Digital ID (Accreditation) Rules 2024 took effect. These reforms introduced a redress framework for individuals affected by cybersecurity and Digital ID fraud incidents, made changes to the validity of certain consents under the regime and updated the applicable security requirements.
1 April 2026 | Consultation on the draft Digital ID Amendment (Redress Framework) Rules 2026 closed.
30 November 2026 | Private sector entities will become eligible to apply to participate in the AGDIS, either as an accredited entity or a relying party. The operation of the Act is also required to be reviewed by this date.26

Footnotes

  1. Digital ID Act 2024 (Cth) s 14.

  2. Digital ID Act 2024 (Cth) s 15(5); Digital ID Rules 2024 (Cth) rr 2.1-2.2; ACCC's Guidance for organisations seeking to become accredited in Australia's Digital ID System, p 13.

  3. Digital ID Act 2024 (Cth) s 15(5).

  4. See generally the ACCC's Guidance for organisations seeking to become accredited in Australia's Digital ID System and the Digital ID (Accreditation) Rules 2024 (Cth).

  5. Digital ID (AGDIS) Data Standards 2024 (Cth); Digital ID Rules 2024 (Cth) r 3.2.

  6. Digital ID Act 2024 (Cth) s 61(d).

  7. Digital ID Rules 2024 (Cth) r 3.3.

  8. Digital ID Act 2024 (Cth) s 121.

  9. Digital ID Act 2024 (Cth) ss 17, 18 and 22.

  10. Digital ID Act 2024 (Cth) s 120.

  11. Digital ID Act 2024 (Cth) ss 117-119; Digital ID Rules 2024 (Cth) r 5.3. An entity may be required to pay a civil penalty of $330,000 (being the current value of 1,000 penalty units, in accordance with the Crimes Act 1914 (Cth) s 4AA) if the entity uses the trustmark (or a deceptively similar mark) without authorisation, or fails to use it when required under the Rules.

  12. Digital ID Act 2024 (Cth) s 29.

  13. Digital ID Act 2024 (Cth) s 30.

  14. Digital ID Act 2024 (Cth) s 135; Digital ID Rules 2024 (Cth) r 6.2.

  15. Digital ID (Accreditation) Rules 2024 (Cth) rr 6.3-6.9.

  16. Digital ID Act 2024 (Cth) ss 33, 34, 35A, 36 and 40.

  17. Digital ID Act 2024 (Cth) ss 39, 40. The Digital ID Regulator must also be informed of notifiable data breaches under equivalent State and Territory laws in relation to accredited entities that are State or Territory departments or authorities (Digital ID Act 2024 (Cth) s 41).

  18. Digital ID Rules 2024 (Cth) r 4.2.

  19. Digital ID Act 2024 (Cth) s 9 (definition of 'personal information').

  20. Digital ID Act 2024 (Cth) s 10.

  21. Digital ID Act 2024 (Cth) s 10(1).

  22. Digital ID Act 2024 (Cth) ss 44-56.

  23. Digital ID Act 2024 (Cth) ss 25-26 and 71-72.

  24. Digital ID Act 2024 (Cth) ss 25-27 and 71-73.

  25. In October 2025, the Federal Court in Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 found that there will be a separate contravention for each individual impacted in the same cyber incident, but the fact those contraventions arise from the same conduct will be relevant for determining the appropriate penalty. While this decision may be distinguished as it relates to the eligible data breach scheme under the Privacy Act, it underscores the risk that regulators and courts may be more likely to consider that penalties operate cumulatively in relation to contraventions arising from the same incidents (particularly in relation to cyber). Read our Insight on this decision here.

  26. Digital ID Act 2024 (Cth) s 162.