The government has released more details on its plan to expand its digital identity scheme to the private sector and the states, as it pushes to significantly accelerate the program which has already cost more than $500 million over five years.
The federal government released a new position paper on its Digital Identity Legislation, which it plans to introduce to Parliament later this year. The government is now consulting on the paper, with submissions closing on 14 July.
The paper reveals the government is sticking with plans for an independent oversight authority and legislating privacy and consumer protections but has changed a key definition of digital identity, and left the verification systems outside of the legislation.
Digital identity is an Australian government program that allows people and businesses to prove their identity and use the proof across several government and private sector services, with the goal of reducing time and costs associated with in-person verification.
Identity service providers must gain accreditation and follow a set framework in verifying users’ documents and biometrics to participate in the scheme. Currently there are only two accredited identity service providers: Australia Post and the ATO’s myGovID.
The digital identity program was provided a further $250 million in last year’s October budget, more than doubling the total amount spent on the scheme.
The federal government wants to expand its system into a “whole of economy” solution but requires legislation to do so. A privacy impact assessment in 2018 also recommended legislation to enshrine the privacy and consumer protections currently only present as rules.
In the latest consultation phase on the legislation, the government has kept its proposal for a permanent Oversight Authority, an accreditation system and non-mandatory participation in the scheme, which is already used in limited government services but will eventually expand to the private sector and state and territory governments.
A new interoperability principle has been introduced to clarify how participants will work together, and the proposed definition of “digital identity” has changed: it will now focus on participants generating a person’s identity rather than the characteristics of a digital identity itself, according to a new government position paper released on Thursday.
The new paper defines digital identity as “a distinct electronic representation of an individual which enables that individual to be sufficiently distinguished when interacting online, including when accessing online services”.
The precise terminology will be considered further in the drafting of the bill, which is expected to be introduced to Parliament in late 2021.
The paper makes no changes to the plan to leave the Document Verification Service and the Face Verification Service outside the scope of the legislation.
“These services are verification tools for identity providers and are expected to be subject to their own standards and legislation,” the paper said.
The Australian Human Rights Commission recently warned of the dangers of biometrics and called for a moratorium on its use in important decisions until appropriate regulations are in place.
Minister for Employment, Workforce, Skills, Small and Family Business Stuart Robert said more than 2.5 million Australians and 1.27 million businesses use digital identity to access some government services.
“Establishing the right safeguards and protections will lay the foundations for the digital identity program and grow the digital economy by improving digital infrastructure,” Mr Robert said.
“We want a system that Australians can use and trust. The legislation will ensure the expansion of the digital identity system meets the expectations of all Australians and that users can have confidence in the integrity as the system expands.”
The legislation will only include subject matter and general rules not likely to be compromised by advances in technology, including privacy safeguards and the power of ministers to set charges for participants. Users of digital identity will not be charged.
Rules on how the wider scheme will operate are to be made by the minister but can be disallowed by Parliament, according to the proposal. Written guidelines and policies will also be provided by a new statutory office.
Technical specifications on how the scheme works won’t be a matter for Parliament, but will need to be publicly notified.
Under the legislation, the current interim Oversight Authority will be made permanent as an independent statutory officeholder to be advised by boards appointed by the minister. The authority will be in charge of provider accreditation and ensuring providers comply with the legislation’s safeguards.
Identity providers and accredited participants will need to comply with rules and standards for usability, accessibility, privacy protection, security, risk management and fraud control.
The Information Commissioner will also oversee compliance with the privacy provisions in the Bill.
The paper suggests security requirements will continue to be updated in line with advice from the Australian Cyber Security Centre, but baseline compliance will be with the Australian government’s own cyber policies, including the Protective Security Policy Framework (PSPF) and the Information Security Manual.
The government also intends to mandate the Essential Eight requirements of the Protective Security Policy Framework for government entities after nearly a decade of low levels of compliance.
Accredited participants will be allowed to share some information with each other to manage cyber incidents, a process to be overseen by the Oversight Authority.
In the first round of consultation on the digital identity legislation, a group of Australian researchers urged the government to redevelop its digital identity offering myGovID from the ground up due to a technical flaw in the system. But the government has declined to do so, instead arguing that the issue is one of public awareness.