Legislation expanding digital identity scheme to private sector finally unveiled

Denham Sadler
National Affairs Editor

The federal government has finally unveiled exposure legislation expanding its digital identity program to state governments and the private sector, with a whirlwind consultation period commencing before it is soon introduced to Parliament.

The legislation will introduce two voluntary schemes to accredit companies and governments as service providers or relying partners in the digital identity program, as well as enshrining extra privacy safeguards in law and establishing a permanent oversight authority for the scheme.

The digital identity scheme, a whole-of-government federal program aiming to provide identity verification across a range of government services and private sector offerings, has been in the works for six years at a cost of more than $450 million, but legislation is required to expand it to the private sector.

The Digital Transformation Agency has been working on the legislation for more than a year, and an exposure draft has now been unveiled.

“The draft legislation…will build on strong safeguards already in place, providing the authority for a consistent set of rules that will protect Australians and Australian businesses,” employment minister Stuart Robert said in a statement.

“We have been actively engaging all interested parties throughout the consultation process and this commitment to co-design and ongoing conversation continues with the opportunity to comment on the proposed legislation.”

The Trusted Digital Identity Bill is a package of multiple legislative instruments which will be the “rule book” for the government’s digital identity system, including the Trusted Digital Identity Framework, accreditation rules, the Trusted Digital Identity rules and technical standards, which are yet to be released.

The government has opted to split its digital identity program into two voluntary schemes which will be enshrined in law through the legislation.

These will be the existing Trusted Digital Identity Framework (TDIF) accreditation, for providers of identity services to be accredited under the government rules, and the new Trusted Digital Identity System, which will see companies accredited to actually participate in the digital identity ecosystem.

“Both schemes entail different benefits and levels of regulation which will affect an entity’s choice to participate in the trusted digital identity system, be accredited or neither,” the draft legislation said.

Under the TDIF there will be four types of accreditation on offer: identity service provider, identity exchange, attribute service provider and credential service provider.

The DTA has recently begun accrediting a number of private operators through the TDIF before the legislation has passed. Eftpos was recently accredited as a digital exchange provider, while Sydney startup OCR Labs became the first private company to receive accreditation in August. Mastercard has also announced that it has applied for TDIF accreditation for its digital identity services.

The legislation will also introduce privacy safeguards beyond those in the Privacy Act. These include requirements for express consent when a user’s data is sent to a relying party.

There are also a number of restrictions on biometric information under the scheme, including a prohibition on disclosing this information to law enforcement and on the use of one-to-many matches.

While most biometric information must be deleted immediately once the verification is complete, companies will be able to apply to hold data to conduct tests.

“The bill allows for retention of biometric information in narrow circumstances to enable limited operation testing and fraud detection activities,” it said.

Data in the scheme will not be able to be handed over to law enforcement unless the body reasonably believes that someone has committed an offence and has started proceedings against that person.

Any participating company in the scheme will also become subject to the federal government’s data breach notification program.

While not included in the legislation, the government did provide an update on its work to develop a charging framework for the scheme, with the intent to make the entire program self-sustaining in the future.

“We are in the early stages of developing a charging framework that will provide ongoing, long-term financial sustainability for the trusted digital identity system, balancing the need for market maturity with the capacity to meet changing community needs over time, and providing commercial opportunities for private sector participants,” the government said.

“A fair and robust charging framework will help ensure the trusted digital identity system can support whole-of-economy adoption, while upholding the strict technical and security controls required.”

Users won’t be charged under the scheme, but digital identity providers and state and territory governments may be.
