Laws paving the way for the widespread use of digital identity must be amended to prohibit law enforcement agencies from accessing digital ID information, civil and digital rights groups have warned.
Without the changes, the legislation threatens to “undermine trust” in the scheme, which is expected to allow participation by state and territory governments and the private sector from later this year if passed.
The Digital ID Bill was introduced to Parliament in November after more than three years of development and multiple rounds of consultation by the Albanese government and the former Coalition government.
It will regulate the federated system of identity that the government has been working towards since it was recommended in the 2014 Financial System Inquiry, including its own digital identity, known as myGovID.
During the latest consultation round last year, the government was urged to consider stronger restrictions on law enforcement access to Digital ID information held by accredited entities to boost community trust.
The bill was subsequently redrafted so that law enforcement agencies can only request access to non-biometric information with consent, a warrant, or where court proceedings have begun. Biometric information, meanwhile, can only be accessed with warrant or with consent.
But the New South Wales Council for Civil Liberties (NSWCCL), along with Digital Right Watch, believe the revised restrictions do not go far enough and that access by law enforcement should be prohibited altogether.
“NSWCCL believe that the proposed safeguards are not sufficient. There should be no law enforcement access to information in the digital ID system with or without a warrant,” it said in a submission to the parliamentary inquiry into the bill.
In order to maintain community trust, the organisation said that the legislation underpinning the Digital ID system should “at least be on the same level as the federal COVIDSafe [contact tracing] app”.
Access to the national COVIDSafe Data Store was intentionally restricted by the former Government early on in the pandemic to prevent information being used for any reason other than contact tracing by state health authorities.
“There should be no justification for allowing Digital ID data for surveillance. Accordingly, NSWCCL recommends that law enforcement agencies be explicitly prohibited from accessing Digital ID data held by any accredited entities,” it said.
Digital Rights Watch said that while it approved of the government’s efforts “narrow the scope of disclosure to law enforcement that is permissible in the Privacy Act”, law enforcement access remains a concern.
“We strongly oppose any repurposing of Digital ID data or infrastructure for surveillance purposes. No justification has been put forward for allowing such access,” the group said in a separate submission to the inquiry.
“Individuals ought to voluntarily use a Digital ID without any concerns that doing so may later be used to enable mass surveillance. Such concerns undermine public trust in these systems.
“Prohibiting the use of Digital ID data from law enforcement purposes is the most effective way to prevent this from occurring. We recommend that law enforcement agencies should be explicitly prohibited from accessing Digital ID data held by any accredited agencies.”
Both Digital Rights Watch and NSWCCL also used their submissions to the inquiry to raise concerns with exemptions that allow accredited entities to use information about an individual’s online activities, where the use of the data is otherwise prohibited.
“Subsection (3) provides exemptions to this prohibition, including for ‘purposes relating to the provision of the entity’s accredited services (including performance or usability of… information technology systems through which those services are provided)’,” Digital Rights Watch said.
“We are somewhat concerned that this provision may allow scope for companies to use information collected or otherwise accessed through the Digital ID system for their own benefit, such as in order to personalise services and generate further revenue.”
“It is extremely important that individuals are able to use their Digital ID to access services without the feat of their online behaviour being tracked or logged, or tied back to their Digital ID.”
Do you know more? Contact James Riley via Email.