Australia is looking to develop legislation for its Trusted Digital Identity Framework (TDIF), so the framework can be rolled out economy-wide.
While some digital identity services are already commercially available, there may be a greater uptake of TDIF-accredited solutions, as they will be subject to added privacy and security safeguards, and will be interoperable with other organisations in the digital identity ecosystem.
Government and private sector service providers should start considering how they will take advantage of imminent developments in Australia’s digital identity framework.
Reducing the hassle of identity checks
Digital identities promise an end to individuals having to provide copies of identification documents to each separate service provider that needs to verify their identity.
The TDIF offers a model where an identity service provider (such as Australia Post’s ‘Digital iD’ or the ATO’s ‘myGovID’) verifies an individual’s identity documents once. If an individual then needs to verify their identity to a ‘relying party’ (a service provider to the individual), the individual can request the identity service provider to confirm to the relying party that it has performed that verification. The identity service provider only gives the relying party minimal amounts of personal information – such as name, contact details, and date of birth.
Essentially, the identity service provider says: “I have verified Jane Smith, born 1 January 2001 [to a particular assurance level]. You can rely on that verification and don’t have to undertake it yourself.”
This system is clearly underpinned by trust – trust in the verification undertaken by the identity service provider – because the relying party won’t receive its own copy of the individual’s detailed identification information. The TDIF aims to generate this trust.
How does the TDIF work?
The TDIF, which has been iteratively developed by the Digital Transformation Agency (DTA) since 2015, provides for an accreditation system with the following roles:
- identity service providers that help individuals (users) set up and manage a digital identity account (currently, accredited providers are the ATO’s myGovID and Australia Post’s Digital iD);
- credential service providers that manage credentials used in the system (e.g. passwords);
- identity exchanges that provide the infrastructure for the system and manage the transfer of information (currently the Department of Human Services); and
- attribute service providers that provide specific authoritative information about a user, such as their qualifications (currently the ATO’s Relationship Authorisation Manager which confirms whether a person is entitled to act on behalf of an organisation for taxation purposes).
The system is intended to facilitate a relying party being given the minimal amount of personal information needed for a transaction – for example, instead of an individual proving they are over 18 by showing a proposed service provider evidence of their date of birth, the system can confirm that the person is over 18.
In addition to detailed technical and functional requirements, the TDIF contains rigorous requirements in relation to security and privacy of information, updated to the latest Commonwealth Government requirements. It also provides for different levels of assurance, so that a service provider can specify a required level of identity verification commensurate to the transaction (e.g. paying a parking fine, compared with undertaking a significant financial transaction).
The TDIF is currently a standalone policy framework. However, the DTA recently announced that it intends to develop principal legislation and Operating Rules under which the TDIF and participants will operate.
Currently, the TDIF is used to provide access to a range of federal government services, such as myGov and establishing a Unique Student Identifier. The DTA is looking to make digital identity solutions available to services across the economy, through the accreditation and assurance processes in the TDIF.
What does this mean for service providers?
Some private sector service providers may be interested in developing systems and becoming accredited as an identity service provider, credential service provider, an identity exchange or an attribute service provider (if they handle attributes about an individual that other organisations may want to verify).
The DTA has proposed that entities fulfilling these roles will receive payment through charges levied on relying parties, however the proposed charging mechanism is yet to be developed in detail.
Other service providers such as banks, telecommunications providers and utilities, as well as Federal, State and local government agencies, may be looking to adopt digital identity solutions to streamline identity verification of their customers.
While some digital identity solutions are already commercially available, the DTA appears to anticipate that consumers will prefer TDIF-accredited options, which will be subject to legislative privacy and security safeguards, and oversight by an independent authority. It is proposed that TDIF participants will be able to use a ‘trust mark’ (yet to be developed) to easily identify TDIF-accredited providers.
TDIF-accredited solutions also have the benefit of:
- being interoperable with other entities in the ecosystem, for example, being able to take advantage of new attributes when a new attribute service provider is on-boarded; and
- knowing that the scheme ensures compliance with relevant laws, such as the Privacy Act 1988 (Cth) (Privacy Act), without each participant having to conduct due diligence in relation to the other participants.
However, it is worth noting that, in general, digital identity solutions will not subsume all identity verification processes. Establishing a digital identity will be voluntary for individuals. As such, most businesses will need to retain some alternative processes for individuals who have not elected to go digital.
Reducing online anonymity
The use case for digital identity is expanding. While to date people have been able to use social media and digital platforms anonymously, Federal and State governments are now considering mandating identity requirements to reduce technology-based abuse and bullying.
At the same time, regulators – including competition and data privacy regulators – are increasingly focused on social media and other digital platforms and their collection and handling of personal data. The Australian Government has committed to developing digital platform-specific privacy requirements. However this commitment is on hold pending reforms to the Privacy Act, which are currently progressing through consultation.
Preparing legislation to underpin Australia’s digital identity ecosystem
Rounds of consultation into proposed digital identity legislation to underpin the TDIF commenced in late 2020, and have culminated in the recent publication of a Digital Identity Legislation position paper which gives a clear indication on the shape of this legislation and the scheme more broadly, with some exceptions.
The key features of the proposed digital identity scheme discussed in the position paper are as follows:
1. A permanent, independent ‘Oversight Authority’ will be established as an independent statutory officeholder within the Department of Treasury, the Department of Prime Minister and Cabinet, or the ACCC. That officeholder will be supported by the Office of the Oversight Authority and a series of Advisory Boards made up of system users and other experts and stakeholders who provide advice to the Oversight Authority. Advice could be provided on matters of privacy, security and user experience.
2. The Office of the Australian Information Commissioner (OAIC), Australia’s privacy regulator, will be responsible for the privacy safeguards under the scheme (similar to its role under the Consumer Data Right (CDR) scheme).
3. The digital identity scheme will comprise:
- the Trusted Digital Identity Bill;
- general and TDIF rules, which are disallowable instruments;
- technical and other specifications, which are disallowable instruments; and
- administrative guidelines, which may prescribe administrative steps for accreditation and other processes.
4. There will be a number of privacy safeguards in the Bill, which enshrine a number of existing privacy requirements under the TDIF. In addition to the requirements of the Privacy Act, these include:
- restrictions on profiling;
- restrictions on the collection and use of biometric information;
- requirements for users’ express consent (which we envisage will be similar to some CDR requirements); and
- requirements to conduct Privacy Impact Assessments.
Interestingly, proposed record-keeping requirements will see entities retaining personal information for far longer than they might otherwise under Australian Privacy Principle 11.
The inclusion of a separate set of privacy safeguards will disappoint some stakeholders, who raised issues with the existing number of separate conflicting privacy schemes under different pieces of legislation, and the compliance burden associated with having a separate scheme in relation to digital identity.
The position paper proposes that State or Territory government bodies who participate in the system and who are subject to ‘comparable’ State or Territory privacy laws will not be required to comply with the Privacy Act. However, if State or Territory laws do not include a notifiable data breach scheme, State and Territory participants will be required to comply with specific notifiable data breach obligations in relation to digital identity data breaches.
5. There will be a number of consumer safeguards included in the Trusted Digital Identity Bill, including:
- a prohibition on creating and using a single identifier across the system;
- the requirement that entities offer an alternate identity verification method to digital identity, with some exceptions;
- strict limitations on certain restricted attributes, which can only be handled by specific entities subject to authorisation by the Oversight Authority; and
- the requirement for identity exchanges to provide consumers a dashboard showing what information has been shared with relying parties.
6. The position paper proposes a two stage approach to participation in the digital identity system. The first stage, ‘TDIF accreditation’, is granted when the entity is verified as meeting the TDIF requirements (this stage does not apply to relying parties). The second stage is for on-boarding entities that actually want to operate within the TDIF, including relying parties. The second stage test includes considerations of national security, meeting rules, risks to the system, and (in the case of relying parties) whether they are a fit and proper person.
7. This staged approach is intended to allow entities to seek accreditation even if they are not ready to be on-boarded, or do not want to participate in the system. This may allow the entity to use TDIF trustmarks, even if not operating outside the system.
8. The position paper sets out proposed obligations on relying parties, which are broad and not unexpected. They include:
- notifying the Oversight Authority of security or fraud events;
- keeping details on the public register of relying parties up to date;
- complying with conditions on using and sharing attributes;
- meeting extra requirements in relation to restricted attributes (if authorised to handled them); and
- complying with payment terms and other on-boarding terms.
9. Submissions on the first consultation issues paper indicated that two topics were of particular interest to prospective relying parties: liability and the charging framework. The position paper includes some high level principles about the charging framework, but does not indicate what it will ultimately look like. It proposes to develop it after the Trusted Digital Identity Bill.
However, stakeholders have received some answers in relation to the proposed mechanisms for dealing with liability and redress. In brief, these are:
- an organisation will not be liable for losses suffered by a third party if it has acted in good faith and complied with the requirements in relation to accreditation and the system;
- the legislation will establish a statutory contract between participants, under which participants are liable for loss suffered by other participants where the liable party has failed to comply with the requirements;
- in relation to losses suffered by individuals, the position paper suggests that participants will be required to take steps to assist individuals, such as re-establishing digital identities after identity theft or a cyber security incident – the Oversight Authority can advocate on behalf of victims of identity theft; and
- this scheme will be underpinned by requirements to hold adequate insurance.
10. There will be a range of administrative sanctions and civil penalties available for contraventions of requirements. Administrative sanctions can be imposed by the Oversight Authority. Civil penalties (including for breaches of privacy requirements) will be available under standard regulatory powers mechanisms, in addition to other enforcement options such as enforceable undertakings and injunctions.
Stakeholders and interested parties were invited to provide comments on the latest position paper by 14 July 2021.
It is anticipated that after receiving further submissions, the Australian Government will progress to develop a draft of the proposed Trusted Digital Identity Bill and introduce it to Parliament in late 2021.
The Government has indicated that the charging framework will be developed separately from, and after, the Trusted Digital Identity Bill. This appears to be on the optimistic assumption that the charging framework will not limit uptake of the system by relying parties – an assumption that seems contrary to a number of submissions made in the first round of legislation consultation.
Beyond just ‘watching this space’, businesses should be engaging with developments in digital identity at an early stage, as there may be opportunities to ready business processes and technical systems for the adoption of digital identity solutions.
 Participants will be required to retain metadata and activity logs for a period of seven years after a user deactivates their digital identity, or their account is deleted for inactivity.
 For example, under the Privacy Act 1988 (Cth), the Telecommunications Act 1997 (Cth) and the Consumer Data Right scheme in Part IVD of the Competition and Consumer Act 2010 (Cth).
 Proposed exceptions include small businesses, online-only businesses and organisations who are authorised by statute to conduct certain activities digitally (such as the ATO).
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.