The federal government should “urgently” pass laws that give rise to an economy-wide digital identity scheme, as well as prevent government and private sector organisations from storing copies of credentials, according to the expert panel that audited myGov.
The panel led by former CSIRO chair David Thodey this week declared in its review of the digital platform that the government could no longer drag its feet on the vexed issue of digital identity, which is now weighing on service delivery.
“Government should prioritise digital identity as the primary way to sign into government digital service,” the panel said, adding that “investing further in myGov without acting on this issue will lead to further fragmentation, leaving it to Australians to do the hard work to bridge the gap”.
The government has spent the last seven years developing its answer to digital identity, with the then-Digital Transformation Office kicking off initial work on the Trusted Digital Identity Framework in 2015 after receiving funding.
Subsequent years have seen the government sink more than $600 million into the program, which has stalled over the last 12 months without the necessary legislation for an economy-wide expansion of the scheme.
Draft legislation developed by the Digital Transformation Agency has been ready since late 2021, but the former Morrison government failed to introduce or debate the bill before Parliament was prorogued ahead of the May 2022 election.
In its report, the panel commended the government for developing a “generally sound” framework over the last seven years, but said that “slow progress on legislation, both for the identity framework and biometric matching” is restricting uptake and exposing Australians to privacy risks.
“In its absence, use of digital identity and limited facial recognition is accelerating without any dedicated legal safeguards or governance frameworks in place, leaving Australians vulnerable to security, privacy and other human rights violations,” the report said.
“Establishing these legislative foundations, supported by a robust and effective governance and accountability framework is now urgent.”
With states such as New South Wales forging ahead with their own digital identity plans and looking to “imminently introduce their own legislative frameworks”, the panel said the government is also now risking “national fragmentation”.
“Some states and territories which have been ready and waiting for a legislated national system for several years have gone it alone,” the panel said.
The panel recommends the government “rapidly progress legislation for a national digital identity system, the safe use of biometric matching… and to allow the states and territories to participate” by mid-2023.
“This will provide enduring privacy and security safeguards for Australians, establish independent regulatory oversight, and pave the way for Australians to use driver licences to set up a ‘strong’ digital identity,” the report said.
Only Australians with a passport can currently obtain a strong identity proofing level, while 200,000 First Nations people are unable to meet the ‘standard’ proofing requirements due to the absence of a birth certificate. The panel wants this changed by the end of 2023.
The panel also recommends bringing together the “front ends of the myGovID and myGov mobile apps or rebrand[ing] myGovID”, as the current experience is “clunky” and difficult to differentiate from myGov itself.
“The similarities in branding between myGov and myGovID cause confusion. People have told the audit that navigating between the services is ‘too difficult to understand’, the process is ‘circular’ and ‘self-referencing’, and the overall useability is ‘dreadful’,” the report said.
To avoid fragmentation also emerging with the digital forms of identity being pursued by the state, a “national standard for digital credentials” is necessary to prevent a “new series of ‘digital rail gauges’”, the panel said.
“A national interoperability framework for digital credentials should be quickly progressed with states and territories and the private sector, setting standards for the issuance, content and verification of digital credentials,” the report said.
“Once this has been established, government should pass legislation to progressively prohibit the storage of Australians’ personal identity details by government and non-government.”
The panel also believes that identity policy would benefit from a simplification of governance arrangements. Responsibility is currently split between the Digital Transformation Agency, Department of Home Affairs, Services Australia and the Australian Taxation Office.
“As a result, decision-making is slow and engagement is complex for those outside the Australian Government. The panel considers the current arrangements lack the clarity to deliver on the national priority for a more robust digital identity and credential ecosystem,” it said.
The Albanese government is understood to be progressing digital identity reforms in the wake of the Optus data breach that compromised the identity credentials of almost 10 million Australians, but the nature of these is unclear.
Government Services minister Bill Shorten told InnovationAus.com on Wednesday that work led by Finance minister Katy Gallagher is “being done on digital ID and it’s moving along”.
Mr Shorten also pointed to the arrival of the myGov digital wallet, which will offer users the ability to add up to 100 points of ID and prove their identity with a service provider using a QR code.
“We want to take the pressure off private organisations and the private sector having to ask for a whole lot of data from citizens,” he said.
“I hope that that build block will protect people’s privacy, give citizens control over their data, and also take some of the pressure off private companies to have to try and assemble all their big honey pots of data for hackers.”
This is a sham review and has not been conducted by people who are properly qualified to undertake such an audit. It is designed to cover up the incompetence of the same dysfunctional Governance culture that dreamed up Robo Debt. As an independent developer with unique authentication that can be used to protect the public from endemic phishing attacks that are also being perpetrated on MyGov, we approached the Government to be included in the review of MyGov. The Government denied our request. It is a national disgrace and another example of corruption at the highest levels of Government with the symbiotic relationships between contractors, lobbyists and politicians each benefiting from the other to the detriment of an unsuspecting public who are being subjected to services with seriously defective authentication and validated service identification.
The failure of the Commonwealth, after many years and lots of dollars, proves conclusively that it should stop. It should stop the waste, stop the failure and stop the fiasco. This has been futile from the very start, and demonstrates the hollowing-out of the APS and any ability it may have had to deal with complexity. It’s not capable of success and should stop. I say the Commonwealth has no business providing identity services to the for-profit business sector – for free. It can’t deliver on the “national priority for a more robust digital identity and credential ecosystem” – because that’s not its job and it should not be pretending to attempt it. Future failure guaranteed.