The Turnbull government has edged closer to its desire for a national opt-in digital identity regime as it closes off the discussion period for its trusted framework rules that will help mesh government efforts with the private sector.
The government has held a long, 12-month feedback period into the Trusted Digital Identity Framework (TDIF) to try to avoid any nasty surprises after the feedback loop closes on October 20. A series of roundtables with privacy stakeholders will be held after the cut-off.
“We’ve been working with key stakeholders, including government, industry and privacy advocates over the past 12 months to draft this framework,” said Assistant Minister for Digital Transformation Angus Taylor in a statement.
“It lays out privacy, security, risk and fraud management requirements, as well as standards for usability and accessibility.”
Fourteen documents make up the Trust Framework; they are summarised at the end of this article.
The Coalition sees an opt-in federated digital identity scheme as an online economy game-changer, both for delivering government services and helping ratchet up new private services, such as those emanating from the country’s FinTechs.
The Trust Framework sets out the rules to establish a nationally consistent approach to digital identity. The other big piece to a federated digital ID regime is the Govpass project.
The Feds’ digital identity platform is called Govpass, and is being tested on the ATO’s new online tax file number application service, which is also in beta.
Govpass is expected to shave the time it takes to process a tax file number application from up to 40 days to just minutes.
After the ATO test, Govpass will be tested by other agency projects.
“Govpass will solve one of the biggest barriers for the public in terms of doing business online with government — the ability for a user to easily prove who they are,” said Mr Taylor.
In an interview with Sky Business in late September Mr Taylor spruiked the benefits of a simple, fast digital identity regime and said he hoped Govpass would be taken up by the private sector.
“We’re looking at next year for the early launches of (Govpass) and we expect it to be adopted reasonably quickly across government and in time across the private sector as well,” Mr Taylor told Sky Business.
“If it is easy to establish someone’s identity, it saves money for them. If I’m a consumer and I can establish who I am, I can switch between banks or energy providers or telcos or childcare providers, then I can save money,” he told the cable news service.
“Now the truth is, whoever is selling to me can also save money because the transaction costs have been reduced and that’s a good thing for everybody.”
Meanwhile, Prime Minister Malcolm Turnbull has whipped privacy advocates into a frenzy after announcing a proposal that would have states and territories hand over the identities of Australian drivers.
With a database of Australian drivers that includes their photo licence details, cameras equipped with facial recognition technology could sweep public areas and flag potential security threats.
The two largest states, NSW and Victoria, have already given in-principle support for the use of the technology ahead of the Council of Australian Governments meeting in Canberra this week.
Adam Molnar, a lecturer in criminology at Deakin University and a member of the Australian Privacy Foundation, has said that use of the surveillance could possibly be illegal.
“It is hard to see how this would comply with international law,” Mr Molnar told the SMH.
“It is mass undifferentiated surveillance that can be used regardless of innocence and no participation in a criminal activity,” he said.
Below is a summary of the 14 Trust Framework documents:
- Trust Framework structure and overview – which provides a high level overview of the Trust Framework including the structure and relationship between the various components.
- Trust Framework accreditation process – which defines the requirements to be met by applicants in order to achieve Trust Framework accreditation.
- Glossary of terms – a list of all identity-specific terms and their meanings.
- Privacy Assessment – lists the minimum privacy controls to be assessed by a privacy auditor when evaluating an identity service.
- Security Assessment (IRAP) – lists the minimum protective security controls to be assessed by an ICT security auditor when evaluating an identity service.
- Core Privacy Requirements – which sets out requirements for maintaining user privacy.
- Core Protective Security Requirements – which sets out requirements for maintaining secure identity services.
- Core User Experience Requirements – which sets out the requirements for usability and accessibility.
- Core Risk Management Requirements – which sets out the risk management responsibilities of entities undergoing accreditation.
- Core Fraud Control Requirements – which sets out requirements for fraud control.
- Digital Identity Proofing Standard – which sets out requirements relating to the digital verification of an individual’s identity.
- Authentication Credential Standard – which sets out requirements relating to authentication credentials.
- Information Security Documentation Guide – which describes content to be included in information security documentation.
- Risk Management Guide – which sets out a risk management process that participants in the identity federation can follow in order to mitigate credible, likely and realistic risks.