Ministers set national digital ID principles

Biometrically anchored digital identity credentials that work across state boundaries are set to become the norm in Australia after all governments agreed to take a nationally consistent approach to identity resilience.

But expansion of the federal government’s current answer to digital ID appears to have hit further setbacks, with legislation previously expected to be introduced in the Spring sitting now only promised for consultation later this year.

At the Data and Digital Ministers Meeting on Friday, Commonwealth, state and territory ministers unveiled the new National Strategy for Identity Resilience, developed in response to the Optus and Medibank data breaches last year.

The strategy, which replaces the 2012 National Identity Security Strategy, also responds in-kind to the recommendations of a 2019 identity protection and management arrangements review that was shelved by the former Coalition government until a Freedom of Information request last year.

“Our approach to identity resilience needs to keep pace with our economic and social activity, and the changing nature of identity crime. It is essential we deliver a future-ready identity system,” Home Affairs and Cybersecurity minister Clare O’Neil said announcing the strategy.

Under the strategy, all Australian governments have agreed to adopt 10 shared principles that will guide their approach to identity, addressing issues that stem from the “federated nature of identity arrangements”.

Governments have committed to “work together to achieve interoperability between digital ID systems and credentials so that Australians can access services in any jurisdiction”, with Australians unable to access such services also to remain supported.

They have also agreed to “develop stronger, nationally consistent standards for issuing physical and digital credentials”, namely by updating the National Identity Proofing Guidelines that provide guidance to government and private sector organisations within the next 12 months.

“The guidelines will be updated and aligned with the Trusted Digital Identity Framework to support consistent processes across digital and non-digital credentials,” the National Strategy for Identity Resilience states.

“This will help to address longstanding inconsistencies in identity management practices between jurisdictions; support less collection and retention of data; and build confidence in the use of Commonwealth, state and territory digital ID systems.”

A higher standard of identity proofing was recommended in the 2019 identity protection and management arrangements review, with not all states and territories issuing driver’s licences with biometrics at the time.

However, “biometric establishment and verification of identity with consent” will now be expected to improve the resilience of credentials, according to the first update to the federal government’s identity strategy in more than a decade.

“Where appropriate, and with an individual’s consent, Australian governments will use biometrics to make it harder for criminals to misuse identity credentials,” the strategy states.

“Combinations of biographic attributes (e.g. name, date of birth and licence number) do not adequately protect Australians from identity crime, and can be exposed in a data breach. Passwords can be forgotten, stolen or compromised.”

The strategy will also see the government establish data sharing arrangements to “better protect victims of cyber incidents and data breaches”, a norm that was established following the recent spate of high-profile data breaches.

In the wake of the Optus data breach, for instance, the federal government amended the Telecommunications Regulations 2021 to allow the telco to share the data of impacted customers with banks and government agencies.

A Centre of Excellence will also be established within 12 months to better respond to and minimise the damage from significant data breaches. It is, however, not yet known whether this will form part of the newly created National Office for Cyber Security led by Air Vice-Marshal Darren Goldie.

“This will be a single and highly visible point of expertise that supports the management of the identity security aspects of breaches at a Commonwealth level, and works with state and territory bodies, to minimize harm for individuals, businesses and governments,” the strategy states.

Over the next three years, governments will further develop the Credential Protection Register developed in response to last year’s Optus data breach. The register stops identity matching services like the Document Verification System from verifying a compromised credential if it has been listed.

A ‘Mobile phone trust score’ system will also be developed to help prevent fraud, allowing telecommunications providers to “assign trust scores to mobile phone numbers based on risk factors such as recent sim swaps, tenure of phone plan and virtual private numbers”.

Governments also agreed to look at how digital credentials might be reissued through digital wallets and explore how the integrity of identity records can be improved so that they remain up to date with life events.

While Commonwealth, state and territory governments make progress on national identity arrangements, the federal government’s Digital ID system remains months away from expanding to state governments and the private sector.

Despite previously indicating that legislation required for the expansion would be before Parliament for the Spring sitting, the Commonwealth now “plans to release draft legislation for public consultation later this year”, according to the Data and Digital Ministers Meeting communique.

Prior to the change of government, the Digital Transformation Agency consulted extensively on draft legislation, releasing the first discussion paper as far back as November 2020. However, the former government ultimately never brought on the legislation for debate before the 2022 election.

Last week, shadow government services minister Paul Fletcher said the federal government had lost five years of momentum towards developing a national system of digital identity and that the lack of action is having an impact on the wider digital economy.

Do you know more? Contact James Riley via Email.
