Digital ID Bill 2023

What is Digital ID?

Australians are transacting increasingly online, which exposes our identities in unexpected ways. Cyber incidents have brought attention to the need for convenient, safe, and voluntary online identification (“ID”) verification methods. As of November 30, 2023, a Digital ID Bill (“the Bill”) has been proposed. It addresses the growing number of third-party data breaches and offers a way for us to reuse our Digital ID to access other reliable services. This major reform offers people and businesses a convenient and reusable way to authenticate themselves when transacting online without requiring them to repeatedly provide copies or details of more sensitive ID documents. 

Features and Overview of Legislation:

Building on the Trusted Digital ID Framework that is currently in effect, the legislation reinforces a voluntary accreditation programme for companies offering Digital ID services. The safeguards of the Privacy Act 1988 are further strengthened by this legislation, which also imposes fines on accredited providers who violate the accreditation requirements for security and privacy protection, giving assurance that all personal data is kept confidential, secure, and safe.

Under the existing system, citizens of Australia can access over 130 Commonwealth, State, and Territory government services by using the Australian Government’s approved Digital ID provider, MyGovID. With this addition, more Australians will be able to generate and use their Digital ID to verify their identity, gain access to more private sector services offered by state and territory governments, and establish their identity.

The Bill facilitates the mutual or shared use of digital IDs between public and private sector organisations by allowing the Australian Government Digital ID System (‘AGDIS’) to be gradually expanded outside the Commonwealth. The following are the components of the phased expansion:

  • Phases one and two enable the reciprocal use of Digital ID and attribute providers in the Commonwealth, state, and territory services;
  • Phase three permits the use of government Digital ID and attribute providers in the private sector; and
  • Phase four permits the reciprocal use of Digital ID and attribute providers in the Commonwealth, state, and territory services.

Providing Biometric Information:

Verifying your identity online with biometrics, such as face ID, is a dependable, safe, and secure method. An essential security feature that lowers the danger of identity theft and fraud is the ability to match a facial scan to identification documents.

While there are various uses for biometric matching, Digital ID is limited to assisting in the verification of an individual’s identity.

There are several security measures in place to protect biometric data. Identity services in the Australian Government’s Digital ID system:

  • Delete your biometric data after your ID has been validated;
  • Use your biometric data only to authenticate your ID;
  • Employ robust security and encryption to safeguard your ID; and
  • Request permission each time biometric matching is performed.

Common Misconceptions about Digital ID:

The purpose of the following points is to debunk frequent misconceptions about what a digital ID is and how the Bill allows for its creation and use:

  1. A digital ID is made by cross-referencing data with already issued, government identity documents, which makes it possible for an individual to be identified when interacting with an online service;
  2. A Digital ID cannot be used to monitor users across assorted services or track users individually. There are safeguards in place to ensure that does not happen; and
  3. The Bill does not mandate that people, unless they are acting on behalf of a corporation, have a digital ID to access Commonwealth services. Instead, it lays out particular conditions to guarantee that this process remains optional.

Benefits:

For Australians:

Digital ID provides a straightforward, convenient, and safe method of proving one’s identity online, should they so desire, without having to constantly exchange copies of their identification documents with other providers. It makes it possible to easily access business and government services from the comfort of your home, improves privacy, and lessens the amount of personal data that is gathered by public and private entities. This lessens the impact of any prospective data breaches and eliminates the need to remember numerous usernames and passwords for various services.

For Businesses:

Customers will be able to confirm their identities from the comfort of their homes, while businesses will have access to a network of authorised providers of digital IDs, making the process simpler for both parties. It also makes it possible to lower company risk by removing the need to gather and retain people’s identity documents and personal data. It enables increased efficiency and productivity by making it quicker and simpler to verify a person’s identity and by giving reassurance that a person’s ID has been confirmed to a high standard during an online transaction, especially when an accredited provider is used.

Additionally, it makes it possible for aid to be delivered to individuals or organisations in need more quickly. Examples of these include victims of fraud, people displaced from their homes due to family or domestic violence, and those who have lost or destroyed identification documents during and after natural disasters. In these cases, individuals can use a digital ID to continue receiving support.

For Entities Offering Digital ID Services:

Through the Bill, entities will have more access to government organisations and enterprises that require identification services, as well as a nationally defined set of standards against which they can be accredited.

Strengthening a Voluntary Accreditation Scheme:

The Bill establishes a voluntary accreditation scheme for the providers of Digital ID services. The scheme will leverage the lessons learned from the Trusted Digital Identity Framework (TDIF) and operate across the economy. One notable departure from the TDIF is the increased vigilance of enforcement tools, including civil penalties. At the outset, three categories of digital identity services will be eligible for accreditation, including identification service providers, accommodations for new and developing technologies, and other service providers as specified by the accreditation guidelines.

Although this is a voluntary scheme, entities that wish to become authorised must abide by extra privacy protections beyond the scope of the Privacy Act 1988 (Cth). Prohibitions against using single identities, sharing information for marketing purposes, and limitations on the gathering, using, and sharing of biometric data and other personal information constitute significant examples of these measures.

Issues Raised:

Voluntariness of digital ID:

The general goal of the policy is for people to freely obtain their Digital ID while using it to access government services in their capacity. This is to ensure that no one is left out of the services if they are unable to create one or decide not to create one. This is reaffirmed in the Bill’s clause seventy-four, which guarantees the procedure will remain voluntary. This method also considers situations in which an individual might not possess the essential identification documents to complete identity verification to the extent needed to use Digital ID for a specific service. Under these circumstances, the services have to continue offering alternate access routes, like paper-based, phone-based, in-person, or through other channels.

Exemptions from the voluntariness requirements for non-Commonwealth services in limited circumstances:

Clause 74(4) of the Bill provides a limited scope for the Digital ID regulator to grant exemptions from the voluntariness requirement for non-Commonwealth services, reflecting the policy intent that Digital ID is used voluntarily. Subclause 74(5) allows for the possibility of some exceptions from the voluntariness requirements. These include situations in which the relying party is a small business as defined by the Privacy Act, only conducts business online, or offers a service in exceptional circumstances where it might be appropriate to require a Digital ID, such as in the event of a temporary emergency like a flood or when people’s ID documents have been destroyed.

Protection to Minimise Data Breach Risks:

Several stakeholders have expressed concerns during the Bill’s consultation process over the possibility of a rise in data breaches involving individuals’ personal information if Digital IDs are made more widely available. The Bill’s ability to reduce the sharing of individuals’ identity documents and information with assorted services and to include the keeping of this information by numerous services is one of its main advantages. By restricting the collection of ID information by services, the decrease in sharing and collecting might lessen the effects of a data breach if one of those services is compromised as well as the number of entry points for such a data breach.

To provide protection, the Bill minimises the collection of biometric data held by Digital ID service providers and requires approved providers to meet minimum security requirements, including appropriately minimising data holdings and threats. It also leverages Australia’s existing federated architecture for ID verification, which relies on government-held ID information, such as passports, to enable verification.

Period for the Phased roll out of the Government System:

Within two years of the Act’s enactment, accredited private enterprises will have the opportunity to apply to join the AGDIS. Currently, private enterprises are not allowed to join the system. The purpose of this change is to reassure interested businesses that the government plans to open up the system to private sector participants within two years.

Data Retention and Reporting:

The Bill restricts the ability of law enforcement to access personal information held by Digital ID providers. This establishes a structure under which law enforcement organisations and organisations that obtain or attempt to obtain personal information are required to report to the Attorney General on an annual basis, and the Attorney General is required to report to the parliament.

The capacity of Digital ID service providers to keep personal data after it is no longer required is further restricted. It will place regulation over the AGDIS service providers’ data destruction standards under the purview of the Information Commissioner.

Regulators and Strong Governance:

Given the excellent compliance record of Australia’s competition and consumer regulator, the Australian Competition and Consumer Commission (ACCC) will also be established under the Digital ID Bill as an initial independent regulator. The following will fall under the authority of the ACCC:

  • Using the investigative and compliance powers under the legislation to ensure Digital ID providers and services comply with the law and protect people’s personal information;
  • Accrediting Digital ID services following the Digital ID Bill and Accreditation Rules; and
  • Deciding which services can participate in the AGDIS.

To safeguard those who elect to use a certified Digital ID provider, the Information Commissioner will also oversee privacy-related components of the Digital ID accreditation programme.

Australia’s Digital ID System and Regulatory Scope:

Civil Penalties and Certain Enforcement Powers:

To encourage compliance, the Bill gives the regulator some enforcement authority and the ability to impose civil fines. The Bill grants the regulator a range of well-defined authorities, including the ability to make information requests and to issue corrective orders and enforceable undertakings before suspending or cancelling an entity’s accreditation or participation in the Australian Government Digital ID System. It also grants the regulator the authority to appoint the chair of the Data Standards Committee and the discretion to form advisory committees.
