A national inquiry into identity and data sharing is “absolutely necessary” in the wake of the Optus data breach, according to New South Wales Minister for Customer Service and Digital Government Victor Dominello.
With investigations into Australia’s largest data breach since 2018 now underway by privacy and communications regulators, Minister Dominello has called for a broader inquiry to be led by the federal government.
The inquiry would explore reducing the oversharing of personal information – now regarded as more of a “hot potato” than “hot property” – and what best practice looks like for recovering compromised personal data following a data breach, among other issues.
Minister Dominello, who has long advocated giving NSW residents greater control over their data, told InnovationAus.com a national inquiry would allow all the issues facing a federated identity system to be examined.
“The inquiry can’t just be the feds doing the heavy lifting on their own – the states and councils, everyone needs to. This is a national discussion we need to have, and we’ve got our job as well to help the feds navigate this,” he said.
Mr Dominello said that in NSW there has been a “significant adoption of digital channels” in recent years, pointing to the more than 70 per cent of people who had their driver’s licence number compromised in the Optus breach opting to apply for replacement credentials online.
It’s a similar figure to the 71 per cent of all drivers in the state – or 4.2 million people – that have adopted the NSW Digital Driver Licence (DDL), which officially launched in October 2019 and gained acceptance during COVID-19.
But despite the popularity of the DDL in everyday settings, more advanced use of the credential is lagging in both New South Wales – due to the absence of a verification mechanism that businesses can use – and interstate.
“When you go interstate and show your DDL, institutions, organisations and companies won’t accept it. The NSW government and agencies are required to accept it, as we passed a law, and while some companies do accept the DDL, many still do not,” he said.
“This gives us an opportunity to really push why we need a national inquiry in relation to how can we better protect the sharing of personal information. If industry does not embrace the solution it will be a very piecemeal response.”
Minister Dominello described the current situation, where people provide their driver’s licence, birth certificate and passports, as a “Band-Aid until the broader ecosystem, whether it’s non-governmental organisations or corporations, catch up”.
“That’s why the feds have to help drive it, because we need to get to a position where, whether I’m using my myGovID or my Australia Post Digital iD, I don’t need to share all my personal information. If I log-in with my ID, that’s it, I’m verified as a real person not a bot,” he said.
One barrier remains the Trusted Digital Identity Bill, which the former federal government failed to introduce to parliament before parliament was prorogued for this year’s election despite two years of consultation.
The legislation would extend the digital identity scheme that the Digital Transformation Agency (DTA) has spent the last seven years – and more than $500 million – developing to the private sector and state and territory governments.
Despite the absence of that legislation, and perhaps in anticipation of it, the New South Wales government has been forging ahead with a digital identity solution of its own, having outlined its vision for decentralised credentials late last year.
Through a digital wallet or credential vault, the government wants to allow residents to manage, share and verify credentials from both government and the private sector, and verify the credentials of others.
Mr Dominello said the solution, which is separate to efforts by Births, Deaths and Marriages to digitise birth certificates on behalf of Australia, promises to “significantly enhance privacy and security settings”.
“It’s based on web3 principles where people are in control of their data and who they share it with and have the ability to stop sharing… and the state doesn’t create the honeypot of collecting all the data,” he said, adding that it is “not too far away”.
The government went down the path of verifiable credentials after ditching plans for a copy solution that would have allowed businesses to take copies of the DDL, much like they do for physical licences.
“A copy solution is solving for the old world, it doesn’t solve for the new world. If we provide a copy, it’s no different to photocopying or scanning your driver’s licence – that does not move the dial in terms of improving privacy and security settings,” Minister Dominello said.
The government through Service NSW is also planning to bring face verification technology to its digital channels. It shortlisted companies to provide the liveness check and face matching capabilities earlier this year.
The technology would allow customers to verify their identity for services that require identity proofing level three (IP3) – the highest level of verification offered under the federal government’s Trusted Digital Identity Framework (TDIF) – without requiring in-person checks.
“Biometrics is another part of the armoury against fraud. You get multi-factorial authentication, you get biometrics. Every time you put another layer of security on, you’re making it harder and harder for the crooks,” Mr Dominello said.