Glossary

Purpose of the Bills

As expressed in clause 3, the objects of the Digital ID Bill 2023 (the DID Bill) are:

(a) to provide individuals with secure, convenient, voluntary and inclusive ways to verify their identity in online transactions with government and businesses;

(b) to promote privacy and the security of personal information used to verify the identity or attributes of individuals;

(c) to facilitate economic benefits for, and reduce burdens on, the Australian economy by encouraging the use of digital IDs and online services;

(d)  to promote trust in digital ID services amongst the Australian community.

Currently the Australian Government Digital Identity System (AGDIS) comprises:

the unlegislated AGDIS which facilitates the use of government-issued digital IDs (currently myGovIDs) by individuals accessing government services [and]

an unlegislated Accreditation Scheme for providers of digital ID services in the government and private sectors, based on requirements set out in the Trusted Digital Identity Framework (TDIF).[1]

The DID Bill and the Digital ID (Transitional and Consequential Provisions) Bill 2023 (together, the DID Bills) will legislate to establish:

a network of organisations that provide or use Digital ID services in delivering participating government and commercial services. Participants will include 'accredited entities', who can provide Digital ID services, and 'relying parties', who can offer access to their services using a Digital ID (but generally must also provide a non-Digital ID option for access).

Australian companies, foreign companies registered with ASIC, and Australian government entities can apply for accreditation. Having an accredited ID will be required for use with some government services. Accredited entities will then be permitted to use a 'trustmark', which is intended to provide peace of mind to customers by showing that the Digital ID provider meets the additional privacy and security measures required for accreditation.[2]

The Explanatory Memorandum contends that:

By reducing the sharing and retention of personal information used to verify Australian’s identities, expanding the use of digital IDs will help reduce the impact of data breaches, scams and cybercrime, supporting the 2023-2030 Australia Cyber Security Strategy (2023) and the National Strategy for Identity Resilience (2023).[3]

The Explanatory Memorandum also states that ‘the Bill will provide a range of governance and regulatory mechanisms to administer and promote compliance with the Act’ and will ‘embed strong privacy and consumer safeguards, in addition to the Privacy Act 1988 (Cth) to ensure users are protected’.[4]

Structure of the Bills

The DID Bill comprises ten chapters and each chapter commences with a simplified outline. This Digest’s discussion of key provisions and issues assumes the reader is familiar with the high-level scope of each chapter as summarised below.

• Chapter 1 includes introductory material, including definitions.
• Chapter 2 sets out arrangements for the accreditation of certain kinds of entities as accredited attribute service providers, accredited identity exchange providers, accredited identity service providers or entities that provide, or propose to provide, services of a kind prescribed by Accreditation Rules made by the Minister under Chapter 10. In relation to entities’ accreditation the Minister may direct the Digital ID Regulator on the basis of advice from the Australian Security Intelligence Organisation (ASIO).
• Chapter 3 sets out privacy arrangements, including provisions’ interaction with the Privacy Act 1988.
• Chapter 4 sets out arrangements for entities’ participation in the Australian Government Digital ID System (AGDIS), including the Minister’s role in the ‘phasing-in’ of participation. In relation to entities’ participation the Minister may direct the Digital ID Regulator on the basis of advice from ASIO.
• Chapter 5 establishes the Digital ID Regulator and identifies the Australian Competition and Consumer Commission (ACCC) as the Regulator.
• Chapter 6 establishes the System Administrator and identifies the Chief Executive of Centrelink as the System Administrator.
• Chapter 7 establishes the Digital ID Data Standards Chair whose role is to make Digital ID Data Standards, particularly technical integration requirements for entities to participate in the AGDIS.
• Chapter 8 sets out that the Digital ID Rules made by the Minister under Chapter 10 may set out marks, symbols, logos or designs (called digital ID trustmarks) that may or must be used by accredited entities and participating relying parties. Chapter 8 also requires the Regulator to establish and maintain registers of accredited and participating entities.
• Chapter 9 comprises provisions relating to administration, including compliance and enforcement, directions powers, fees, and review of decisions.
• Chapter 10 comprises provisions relating to other matters, including the establishment of advisory committees, annual reports, delegations, and rule-making powers.

The Digital ID (Transitional and Consequential Provisions) Bill 2023 (TCP Bill) comprises two schedules:

• Schedule 1 comprises additional definitions, and transitional provisions that aim to ensure certain entities currently involved in the unlegislated AGDIS are taken to be accredited for the AGDIS, or approved to participate in the AGDIS, immediately after commencement of the DID Bill.
• Schedule 2 comprises consequential amendments to the: Administrative Decisions (Judicial Review) Act 1977; Age Discrimination Act 2004; Australian Security Intelligence Organisation Act 1979; Competition and Consumer Act 2010; Privacy Act 1988; and Taxation Administration Act 1953.

Background to the Digital Identity System

In her Second Reading speech, Minister Gallagher stated that the Digital ID system to be legislated by the DID Bill will provide ‘a secure, convenient and voluntary way to verify who you are online against existing government-held identity documents without having to hand over any physical information’.[5] Although the intended outcome for the individual user is relatively uncomplicated, the frameworks to be established by the DID Bills are complex and must define and provide for a wide range of players and circumstances, including:

• the entities that enable and fulfill online verification of identity;
• protections for personal and sensitive information;
• consequences for entities that, for various reasons, may not conform to requirements, including arrangements for liability and redress; and
• the roles and powers of the Government entities responsible for the governance of the above arrangements.

Australia already has existing digital systems that are used for identity verification, the National Exchange of Vehicle and Driver Information System (NEVDIS) and the Document Verification Service (DVS). On their own they do not constitute a digital identity system and are not formally part of or dependent on the Digital ID system as such, but the NEVDIS and the DVS can be considered important foundational supports for the Digital ID system proposed by the DID Bills. If the DID Bills are passed, the NEVDIS and the DVS would support the operation of Digital ID system. If the DID Bills are not passed the NEVDIS and the DVS will continue to operate.

Digital ID developments since 2014

In 2014, the Financial System Inquiry recommended a national digital identity strategy and improvements in access to, use and protection of data,[6] and initial steps commenced in that year.[7] In 2015 the Digital Identity project commenced with initial funding for a Trusted Digital Identity Framework (TDIF).[8] In 2021 the Coalition Government began using the ‘Australian Government Digital Identity System’ (AGDIS) as the overarching term for initiatives related to Digital Identity.[9]

In 2019 the myGovID app developed by the Australian Tax Office (ATO) and the Digital Transformation Agency was released on Android and iOS mobile platforms[10] as a Digital Identity solution ‘to prove who you are online’ and ‘access participating government online services’.[11]

Under the current non-legislated arrangements, through myGovID Australians can access over 130 Commonwealth, state and territory government services.[12] However, legislation is necessary for the AGDIS to be expanded, to provide access to additional state and territory and private sector services, and greater choice in which accredited Digital ID providers can be used to access services.[13]

To this end, in October 2021 the Coalition Government consulted on an exposure draft of a Trusted Digital Identity Bill 2021 (TDI Bill). As the TDI Bill was not introduced before Parliament was prorogued in April 2022, the TDI Framework currently operates without a legislated basis.[14]

Figure 1 shows a citizen interacting with the current unlegislated digital ID ecosystem to apply for a Unique Student Identifier (USI). Figure 2 shows key aspects of the current unlegislated Digital ID ecosystem under the TDIF.

Although a wide range of Commonwealth services can be accessed through the current unlegislated arrangements, the Explanatory Memorandum for the DID Bills notes that legislation will enable expansion of the system to a wider range of services from state and territory governments and eventually private sector organisations, and will improve privacy and consumer safeguards and governance arrangements.[15]

Figure 1: A citizen interacting with the current unlegislated digital ID ecosystem to apply for a new Unique Student Identifier (USI)

Step	Type of Participating Entity	Service	Name of Participating Entity	URL (intermediate ‘redirect’ URLs have been omitted)
	Needing a Unique Student Identifier (USI), an individual’s internet search leads them to:			www.usi.gov.au/students/get-a-usi
1	Relying Party		Student Identifiers Registrar — In the future there may be additional private-sector relying parties.	https://portal.usi.gov.au/student
	Because the individual already has a myGovID, they choose to create their USI using their Digital Identity, rather than creating an account.
	This prompts the Relying party to send an Authentication Request to an Identity Exchange, specifying the required attributes and Identity-Proofing Level (‘identity strength’). At present, only the Government exchange is available - in the future an individual may be offered a choice of multiple exchanges (including private-sector).
2	Identity Exchange		Services Australia— In the future there may be additional private-sector exchanges.	https://auth.identity.gov.au/choose-identity-provider/selection
	The individual selects myGovID. In the future there may be additional private-sector identity options.
	This prompts the Identity Exchange to send an Authentication Request to the selected Identity Service Provider, myGovID.
3	Identity Service Provider (ISP)		Commissioner of Taxation as provider of myGovID	https://mygovid.gov.au/AuthSpa.UI/index.html#login
	The individual is asked to provide the email address they use with myGovID.
	This prompts myGovID to send a login request to the myGovID app on the individual’s phone.
	The individual logs in to myGovID, and this permission prompts myGovID to send a response to the identity exchange, comprising: required attributes; achieved Identity-Proofing Level; and the individual’s unique myGovID user identifier, which ensures pairwise pseudonymity.
4	Identity Exchange		Services Australia	https://auth.identity.gov.au/consent/return
	The Identity Exchange sends to the Relying Party: required attributes; and pairwise identifier.
	This stage does not require action by and is not visible to the individual, who sees a ‘redirecting’ message.
5	Relying Party		Student Identifiers Registrar	https://portal.usi.gov.au/student/Usi/Create/PersonalDetails
	On receiving the required attribute information, the Relying Party permits the individual to commence the process of obtaining a USI.
6	The individual completes the application form, with their full name and date of birth provided by digital identity, and is issued with a USI.

Source: Trusted Digital Identity Framework: release 4.8, Australian Government, 2022, Document 06A Federation Onboarding Guidance, 5-12; Library observation and analysis.

Figure 2: Current unlegislated Digital ID ecosystem under TDIF

×

Sources and further information follow.

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.[22]

Committee consideration

Parliamentary Joint Committee on Human Rights

In its Report 14 of 2023 the Parliamentary Joint Committee on Human Rights (the Human Rights Committee) recorded ‘no comment’ in relation to the TCP Bill.[23]

In relation to the DID Bill the Human Rights Committee observed:

This bill, in seeking to establish an Australian Government Digital ID System, engages and limits the right to privacy, insofar as it would involve the collection, use, disclosure and retention of personal information. However, as individuals cannot be required to create or use a digital ID to access government services, and noting the numerous safeguards in the bill, the committee considers the proposed limitation on the right to privacy may be reasonable, necessary and proportionate. However, the committee notes much will depend on how securely the personal information and data is held within the system and by accredited entities in practice.

With respect to the sharing of personal information for law enforcement purposes, the committee reiterates its previous concerns regarding the sharing of personal information for secondary purposes, as recently set out in Report 12 of 2023 in relation to the Identity Verification Services Bills. The committee further notes that much of the operational detail of the measures are to be set out in delegated legislation. The committee will closely scrutinise any such legislative instruments if made for compatibility with human rights. As such, the committee makes no further comment on this bill at this stage.[24] [emphasis added]

Senate Economics Legislation Committee

The Bill was referred to the Senate Economics Legislation Committee for inquiry and report by 28 February 2024. The Committee reported on 28 February 2024, recommending that the Bills be passed.[25] The Coalition, the Greens and One Nation issued dissenting reports and LNP Senators for Queensland Matt Canavan and Gerard Rennick issued additional comments.

The Coalition Senators’ dissenting report made 3 recommendations. Firstly, that the Bill be amended to remove the phasing-in provisions, allowing for private sector involvement in the AGDIS from commencement. The Coalition recommended that the Bill should not be progressed without simultaneous involvement of the private sector.[26]

The second recommendation was that the Bills only be considered once the proposed reforms of the Privacy Act are introduced to the Parliament, to ensure that privacy, data protections and compliance requirements are consistent and coordinated across various related legislation.[27]

Finally, the Coalition Senators recommended that the Bill be amended to include further guarantees for consumers and businesses to ensure the AGDIS is fully voluntary.[28]

Senators Canavan and Rennick supported the Coalition Senators’ dissenting report and made additional comments questioning whether the proposed Digital ID framework would remain voluntary in the future and raised a lack of consistency between the Bills and the Privacy Act.[29]

Senator David Shoebridge of the Greens also issued a dissenting report, stating that ‘the move towards a digital ID has large potential privacy benefits if done well and clear risks if it is rushed or mishandled’.[30] Acknowledging the argument put forward by some submitters that the reform of the Privacy Act should have preceded the introduction of the DID Bills, Senator Shoebridge commented:

The [Privacy Act] reforms are slow to materialise and in the meantime we have no greater security for our online identities. This is the best argument for proceeding with this Bill now, noting as well that it contains significantly improved privacy protections from those that are currently available under the Privacy Act.[31]

Senator Shoebridge stated that it was necessary to limit third party access to digital identities and in particular to limit law enforcement access. Senator Shoebridge considered:

If Parliament is of the view there must be some provision for law enforcement access, then at a minimum it must be limited to a very narrow subset of law enforcement bodies, require a warrant issued by a superior court of record, that it only be in relation to either an extremely serious offence or an imminent threat to life.[32]

Other concerns raised by Senator Shoebridge included the ‘genuine voluntariness’ of the Digital ID scheme and the need to ensure alternative means of accessing services are ‘reasonably comparable’; the need to ensure the Digital ID system is properly inclusive; and concerns about biometrics and bias, which the Senator considered should be addressed before the Bills are enacted; the desirability of a mechanism to facilitate deletion of a Digital ID; and the need to ensure that a ‘meaningful and accessible redress and penalty scheme’ is created.[33]

One Nation Senator Malcolm Roberts also issued a dissenting report, with 10 recommendations, including that the Bill not be passed in its current form.[34] Senator Roberts’ other recommendations included:

• that the Treasury Laws Amendment (Consumer Data Right) Bill 2022 be passed by the Senate prior to resumption of the second reading debate on the Digital ID Bill 2023[35]
• that the Bills should be amended to remove the ability for data to be held outside Australia
• that the Bills should be amended to require law enforcement to have a reasonable suspicion that a crime is being committed by an individual before accessing their digital ID data and
• details of the redress scheme be dealt with in the DID Bill, rather than in delegated legislation.[36]

Senate Standing Committee for the Scrutiny of Bills

• The Senate Standing Committee for the Scrutiny of Bills had no comment in relation to the TCP Bill.[37] In relation to the DID Bill, on 7 February 2024 the Committee requested the Minister’s advice on a number of matters that are discussed below in relation to the provisions to which they relate.

Position of major interest groups

Phasing-in

Phasing-in is the progressive opening of the AGDIS to additional entities beyond the initial Commonwealth entities, by means of the Minister determining under clause60 the entities that may apply to the Digital ID Regulator for approval to participate in the AGDIS. Phasing-in as an administrative process and the specific phasing-in proposed by Minister Gallagher are discussed below under ‘Approval to participate in the AGDIS’.

Although generally supportive of the proposed AGDIS in principle, the private sector has generally been critical of the phasing-in, arguing that the lack of clarity about timing creates risk for continuing investment of private sector providers in digital ID products. Digital service providers, for example, noted that the current sequence of phases will disincentivise the participation of private sector providers, by establishing the public sector as the primary Digital ID provider.[38] Others have argued that the phased approach would produce fragmentation in the Digital ID ecosystem, limit community awareness of the technology,[39] and discourage early and large volume take up.[40]

Arguing that these issues would have detrimental flow-on effects for those providers, consumers, and the overall success of the system, business stakeholders have proposed amendments to the phasing-in set out in the Digital ID Bill consultation process in 2023. Submissions have suggested that public and private sector Digital ID solutions should be released concurrently in Phase 1 of the AGDIS rollout,[41] or that citizens should be allowed to use their Government-issued Digital ID to open bank accounts earlier on in the AGDIS rollout, by moving Phase 3 to a new ‘Phase 1b’.[42]

Governance arrangements

Submissions from the ACT Government, the Australian Banking Association (ABA) and Australian Payments Plus (AP+) considered the proposed governance arrangements too complex, with too many entities in too many portfolios, leading to concerns about delineation and coordination of roles, and the risk that these shortcomings could be exacerbated when Machinery of Government (MoG) changes occur.

The ABA and AP+ expressed concern that the ‘distributed governance’ model of the Consumer Data Right (CDR) scheme was being emulated for Digital ID. The CDR Data Standards Chair submitted that Digital ID and CDR data standards should be made by the same Data Standards Chair, advised by a single data standards body.

In its submission, the ABA recommended that an over-arching governance mechanism be introduced with appropriate Ministerial accountability for oversight and policy co-ordination across the six different government agencies and collaborative public-private task forces to drive the uptake of Digital ID be established.

Fees

Under subclause 144(3) fees cannot be charged to an individual for the creation or use of a digital ID. The Digital ID Rules may make provision in relation to the charging of fees by the Digital ID Regulator (paragraph 144(1)(a)) and may also make provision in relation to the charging of fees by accredited entities for services provided in relation to the AGDIS (subclause 148(2)).

No fee information was released with the consultation process in 2023, nor with the introduction of the DID Bills in November 2023, and a law firm has noted that:

The Government will not charge entities for accreditation and participation in the first two phases of expansion (across Commonwealth and state and territory governments). However, the Department of Finance will develop and conduct public consultations on an approach for charging ahead of private sector participation in the AGDIS [in phases 3 and 4].[43]

In that context, stakeholder commentary does not refer to any specific proposals by the Government for fees or charges. However, it generally expresses concerns about the potential financial burden on private and public entities participating in the AGDIS.

In its submission to the exposure draft consultation process in 2023, the ACT Government argued that:

The cost of administering the central (and critical) infrastructure to support AGDIS should be the responsibility of the Commonwealth (as recommended in the recent myGov audit), particularly given the value in ensuring all States and Territories participate in the AGDIS, and all jurisdictions have invested in their own identity systems to date (p. 6).

Similarly, in its submission to the same consultation process, civil rights group Digital Rights Watch recommended that no entity, either public or private, be allowed to charge fees for the provision of Digital ID services (p. 10).

Private sector stakeholders, such as Australian Payment Plus, have expressed similar concerns about the potential financial burden derived from the accreditation process, which may result in a potential barrier for less resourced private sector actors to fully participate in the AGDIS:

The cost of the proposed accreditation process will likely be a disincentive for full private sector participation. The requirement for at least six external assessments (a privacy assessment and privacy impact assessment; protective security assessments including both pen test and ISO 27001 accreditation; fraud, and usability/ accessibility including WCAG accreditation) will make it hard to get a critical mass of participants beyond large well-resourced participants. Further, many large institutions (public and private) are already subject to significant regulation, standards and oversight, and the products of these existing similar regulatory obligations should be leveraged wherever possible to minimise duplication of effort and encourage participation.[44]

In this Digest, the Digital ID Rules and fees are discussed in ‘Key issues and provisions of the DID Bills’. An expanded overview of stakeholders’ views on fees is provided in ‘Key issues and provisions to be addressed in delegated instruments’.

Collection and management of data

Civil rights groups, academic groups and digital payment businesses have expressed contrasting views on the collection and management of personal data, including sensitive and protected attributes, as well as timeframes for the preservation of such data.

Civil rights and independent academic groups have advocated for stronger data protection, stronger data safety safeguards and greater data ownership, as well as limitations on the collection and disclosure of sensitive personal data. IDCARE’s submission to the exposure draft consultation process recommended that the Bill address deficiencies in the minimum response standards in the event of exposure or misuse for users of Digital ID in the current TDIF; provision be added for relying parties not being allowed to impose additional identity-verification; and for delegated legislation or rules to provide an unambiguous requirement to validate against current sources of identity information in a timely way, to prevent threat exposure and identities being compromised. [45]

To strengthen user control of their own data, IDCARE also proposed that the DID Bill be amended to: contain explicit statements of ownership of the Digital Identity, with consumers being allowed to determine when their identity credential has been consumed and enable a much more citizen-centric means of responding and protecting against threats; include an erasure right to allow for information to be destroyed, should an individual wish to withdraw their information entirely from any entity or shared provider to which they have previously given consent; be clearer about deactivation requirements, such as prompt notification of the individual; set a limit for the 'as soon as practicable' timeframe provision and extension to refer to 'the individual or their representatives or nominees'; add capacity to freeze Digital ID or flag identity compromise rather than straight erasure/deletion; provisions for the data of deceased people to be erased; narrow the threshold at which the Minister can amend rules without consultation; and funding arrangements for IDCARE should be urgently considered.[46]

Digital Rights Watch expressed its opposition to any repurposing of Digital ID data or infrastructure for surveillance purposes and recommended tighter protections against data profiling to track online behaviour. It recommended that the Digital ID Bill include specific data retention limitations and a clearer requirement for entities to delete or destroy personal information if an individual requests deactivation of their Digital ID.[47]

Conversely, private digital providers have suggested that amendments be made to the provisions dealing with the collection, use and disclosure of restricted personal information, in order to improve or facilitate the provision of services to end users and ensure fairness in the AGDIS. AP+ argued that in order to enable Indigenous Australians to access services where ‘proof of Aboriginality’ is required:

the legislation should not restrict accredited entities offering the ability for individuals to be able to reflect their cultural identity in certain digital representations. There are positive practical use cases for “proof of Aboriginality” as an attribute, including:

Demonstrating Aboriginal or Torres Strait Islander status for access to concessions such as education, government, banking and health, whilst also helping to reduce fraudulent access to those concessions.

Proving representation in native title access discussions.

Voting for elected representatives in indigenous bodies.

Facilitating employment opportunities for first nations people.[48]

Analytics company BixeLab Pty Ltd similarly argued against a blanket ban on collection of racial or ethnic attributes as contained in subclause 44(1) of the DID Bill, as it would prevent independent assessors from testing the AGDIS for demographic fairness, which might otherwise have been authorised under subclause 49(6) of the DID Bill.[49] It also recommended that timeframes for retention of sensitive personal information be extended to allow for fraud investigation, similarly to suggestions by other cybersecurity and digital communication stakeholders, such as the Communications Alliance Ltd and Optus.[50]

Accessibility, voluntariness and equitable access

Public and private stakeholders have also expressed concerns on the voluntary nature of the AGDIS, as well as on issues of consent, accessibility and equitable access.

In its submission to the draft consultation process in October 2023, the Office of the Victorian Information Commissioner recommended that the Bill include a definition of consent that specifies the five elements of consent (voluntary, informed, specific, current, and the individual must have capacity to consent).

Civil rights and disability advocacy groups have recommended that the DID Bill provide more avenues to access the AGDIS for citizens who have a disability, identify as First Nations or Indigenous, and live in rural areas. Blind Citizens Australia suggested that the DID Bill be amended to include non-photographic biometric options for crosschecking identity, such as voice authentication, and provide people unable or unwilling to sign up for a Digital ID with a genuine choice of platforms to access government services.[51] Reflecting similar concerns, Economic Justice Australia added:

people with disabilities, First Nations people and people in remote Australia have reported significant issues with processes for online identity authentication because the processes required to obtain and re-use already obtained IDs and related passwords do not reflect their access to technology and the devices needed to administer authentication systems. … Safeguards for people for whom the creation and ongoing use of a Digital ID is problematic should be a legislated requirement for Digital ID Relying Parties. …The design standards outlined by Australian Human Rights Commission for disability inclusion should be considered when designing the authentication processes for Digital ID creation and ongoing use. [52]

UNSW Allens Hub submission expressed reservations on the use of biometric technology and recommended more studies be conducted prior to its introduction in the AGDIS, particularly due to the limitation and potential bias of the technology when used on Indigenous
populations.[53]

Guarantees of equal access to services

Some submissions to the Committee inquiry expressed concerns about the extent to which the AGDIS will be voluntary. The UTS Human Technology Institute noted:

Consent is only meaningful when people are not unreasonably disadvantaged if they opt to use traditional methods of proving their identity; in other words, they must retain equal entitlements and access to the same services and products … clause 74 should be amended to include an explicit guarantee of equal access to services for those who opt out of digital ID. ^[54]

Digital Service Providers Australia New Zealand warned that a voluntary system will ‘create significant cyber security risks for individuals who do not have a Digital ID’.^[55]

The Coalition Senators' Dissenting Report recommended that the Bill should be amended to include ‘further guarantees for consumers and businesses to ensure the AGDIS is fully voluntary’ (p. 65).

Financial implications

The Explanatory Memorandum notes that ‘the Commonwealth has spent $781.9 million on the Digital ID Program over the financial years 2016–17 to 2023–24 [and] further expenditure will be required in future’.[56] Following the introduction of the DID Bills on 30 November 2023, the Mid-Year Economic and Fiscal Outlook (MYEFO) statement on 13 December 2023 included $145.5 million over four years from 2023–24 (and $17.0 million per year ongoing) for the Digital ID system. In the details reproduced below, Services Australia is not one of the agencies to share in the funding, despite its proposed key role in the Digital ID system.[57]

The MYEFO statement also noted that ‘the Government will consider future funding for the Digital ID framework ahead of the commencement of enabling legislation’.[58] This appears to anticipate further funding for the Digital ID system in the May Budget including, perhaps, funding for Services Australia.

 Digital ID

  Payments ($m)

The Government will provide $145.5 million over four years from 2023–24 (and $17.0 million per year ongoing) to support the next stages of the Digital ID program and related identity security initiatives. Funding includes:

$67.0 million over three years from 2023–24 to the Australian Competition and Consumer Commission (ACCC) to perform regulatory functions under the Digital ID legislation from 1 July 2024

$56.0 million over four years from 2023–24 (and $17.0 million per year ongoing) to the Attorney-General’s Department for the continued operation of the Identity Matching Services

$11.5 million over two years from 2023–24 to the Australian Taxation Office to rebrand myGovID and deliver ICT updates to enable choice of identity service provider when accessing business services

$4.9 million in 2024–25 to the Department of Finance for communications activities to increase individual and business awareness and understanding of Digital ID

$3.3 million in 2023–24 to the Attorney-General’s Department to enhance the Credential Protection Register to better respond to future data breaches

$1.4 million in 2023–24 to the Treasury to support the ACCC to deliver its Digital ID functions and scope options for an enduring data and digital regulator

$1.4 million in 2023–24 to the Office of the Australian Information Commissioner to prepare for its expanded oversight role under the Digital ID and Identity Verification Services legislation.

The cost of this measure will be partially met from within the existing resourcing of the Department of Finance and the Treasury.[59]

The Explanatory Memorandum anticipates but does not quantify financial savings for the Commonwealth from increased use of Digital ID by people to access government services instead of ‘more costly identity verification such as in-person or phone-based methods’, while noting that ‘these methods will remain available for government services required to maintain alternative channels’. It is suggested that the Bills ‘may also enable reduced identity-related fraud across government services’. In addition, a report prepared for the Department of Finance contends that ‘individual time savings’ could result in an indirect whole-of-economy benefit to the amount of an estimated $3.3 billion annually.[60]

In a funding decision not specifically related to the Digital ID project, the MYEFO statement on 13 December 2023 also included $21.2 million over five years from 2023–24 for the Department of Home Affairs to provide ‘services for victims of identity crime and misuse’.[61]

Key issues and provisions

Overview of architecture of the Digital ID System

In order that the AGDIS can effectively and safely include and support a range of providers and participating entities, the DID Bill establishes the architecture of a complex regulatory framework, while providing that many detailed aspects will be clarified in a range of instruments that will be issued from time to time by the various governance entities.

There are two parallel streams of assurance: accreditation; and approval to participate in the AGDIS. Accreditation is required for participants other than relying parties to participate in the AGDIS, but accredited entities operating outside of the AGDIS is also envisaged, with consultation material describing accreditation being open to private sector providers prior to their eligibility to participate in the AGDIS.[62]

The TDIF comprised 13 policy documents which outlined the functional details of the system. In contrast, the DID Bill is based around three ‘core instruments’: Accreditation Rules; Digital ID Rules; and Digital ID Data Standards (subclause 167(1)). In a 2023 consultation process, a draft Digital ID Bill and draft Digital ID Rules and Digital ID Accreditation Rules were published.[63] These draft rules are indicative but not conclusive regarding rules that will be issued under the DID Bill.

In addition, a range of other governance instruments will be issued. Governance instruments and the entities responsible for governance are discussed below.

Governance arrangements

Figure 3 below outlines the proposed governance arrangements for the Digital ID system in diagrammatic form, with a focus on the relationships of the key governance entities.

Main actors

Minister

The Minister will be responsible for determining Digital ID Rules and Accreditation Rules (clause168). Before making or amending any rules under clause168 the Minister must consult the Information Commissioner if the rules deal with matters that relate to the Commissioner’s privacy functions (clauses 19 and 169). In some circumstances, the Minister may give directions (clauses 27, 73, 97 and 104) to the Digital ID Data Standards Chair, the Digital ID Regulator and the System Administrator.

The Minister can issue directions to the Digital ID Regulator for reasons of security, including on the basis of security assessments provided to them by the Australian Security Intelligence Organisation (ASIO).

Under subclause 27(1) (in relation to accreditation) and subclause 73(1) (in relation to approval to participate in AGDIS) the Minister may issue directions to the Regulator, for reasons of security within the meaning of the Australian Security Intelligence Organisation Act 1979, including on the basis of an adverse or qualified security assessment in respect of a person, to direct the Regulator to: refuse to accredit/approve an entity; impose conditions on an accreditation/approval; suspend an accreditation/approval; or revoke an accreditation/approval. The involvement of ASIO in the AGDIS is a protective one; the TCP Bill provides for ASIO to provide to the Minister security assessments of an entity’s suitability for accreditation (chapter 2) and participation (chapter 4) in the digital identity system.^[64]

Digital ID Data Standards Chair

A Digital ID Data Standards Chair (chapter 7) is to be appointed by the Minister on a full time or part time basis for a period not exceeding three years at a time and in the absence of an appointment the Minister will be the Chair (clauses 9, 105 and 106). The Chair will make standards for the AGDIS and the Accreditation Scheme, for example, technical, data, design or integration requirements (clause 99). Standards may relate to accreditation (clause 15) and participation (clause 62). Under clause 100, before making, amending or revoking Digital ID Data Standards, the Chair must consult the Minister, the Digital ID Regulator, the System Administrator and the Information Commissioner, and must consider any submissions received from the public. The Chair may also prescribe service levels for accredited entities and participating relying parties but must first consult the System Administrator (clause 80).

Digital ID Regulator

Clause 90 establishes that the Digital ID Regulator (chapter 5) will be the Australian Competition and Consumer Commission (ACCC).[65] The Regulator will have responsibility for administering the Accreditation Scheme and for overseeing and maintaining the AGDIS, including approving entities’ participation in the AGDIS. In performing this role, the Regulator must establish and maintain registers of Accredited Entities (clause 120) and entities approved to participate in AGDIS (clause 121). The Regulator may give directions to entities regarding accreditation and participation in the AGDIS (clause 127). The Regulator may take enforcement action against accredited entities and other entities (clause 122). Either at their own initiative or on request, the Regulator will advise the Minister, the System Administrator and the Chair on matters relating to the provisions of the Bill (paragraph 91(d)) and advise the Information Commissioner on privacy matters that relate to the Bill (paragraph 91(e)).

System Administrator

Within the current unlegislated Digital ID system, Services Australia performs multiple roles, being an Identity Exchange, an Attribute Service Provider, a Relying Party, and the Temporary Oversight Authority (TOA).[66]

Replacing the TOA, clause 94 establishes the role of System Administrator and specifies that it will be performed by the Chief Executive, Centrelink, who under section 7 of the Human Services (Centrelink) Act 1997 is also the CEO of Services Australia. As Services Australia will continue most of its current roles in the system as a participant (Identity Exchange, Attribute Service Provider, and Relying Party), the nomination of the Chief Executive, Centrelink may be intended to distinguish the System Administrator role from Services Australia’s continuing roles as a participant in the system.

The responsibilities of the System Administrator (chapter 6) will include: monitoring and managing the availability of the system, including by coordinating system changes and outages; providing assistance to entities participating in the system (government and private entities); and managing digital ID fraud incidents and cyber security incidents involving entities participating in the system (clause 95).

Information Commissioner

In addition to already-established functions under the Privacy Act 1988, the Information Commissioner must be notified of data breaches by accredited entities (clauses 39, 40 and 41) and may take enforcement action against accredited entities and other entities (clause 122). The Information Commissioner must be consulted by the Minister prior to the making of Digital ID and Accreditation Rules if the rules deal with matters that relate to the Commissioner’s privacy functions (including where accredited entities will be authorised to collect, use or disclose restricted attributes or biometric information of individuals (clause 169)). On request by the Regulator, the Information Commissioner must provide advice on matters relating to the operation of the DID legislation (clause 42). Under clause 155 the Information Commissioner’s annual report must include information about the performance of their functions and the exercise of their powers under or in relation to Part 2 of Chapter 3 of the DID Bill.

Other entities

The Bill anticipates the Regulator will also ‘consult with … as required’ the Australian Securities and Investments Commission, the Australian Prudential Regulation Authority, the Australian Financial Complaints Authority, the part of the Australian Signals Directorate known as the Australian Cyber Security Centre and ‘any other body the Digital ID Regulator considers appropriate’ (paragraph 91(c)). The Bill also provides for the establishment of committees, advisory panels and consultative groups. Subclause 150(1) provides for the Minister to establish advisory committees to provide advice about matters arising under the Act. Clause 103 provides for the Digital ID Data Standards Chair to establish committees, advisory panels and consultative groups. Advisory committees set up by the Minister will have terms of reference and other terms, conditions and procedures set out in writing (subclause 150(3)). There is no similar requirement for committees, panels and groups established by the Digital ID Data Standards Chair.

The Senate Standing Committee for the Scrutiny of Bills (Scrutiny Committee) sought advice from the Minister for Finance on a number of aspects of clause 150 of the DID Bill. Firstly, the Scrutiny Committee sought advice on why it is considered necessary and appropriate to leave the matter of establishing an advisory committee under subclause 150(1), and determining matters relating to the operation and members of such committees under subclause 150(3), to written instruments, rather than these matters being included in the Bill. Secondly, why it is considered necessary and appropriate to specify that instruments made under subclauses 150(1) and 150(3) are not legislative instruments (including why it is considered that the instruments are not legislative in character). Finally, whether the Bill could, at a minimum, be amended to provide that these instruments are legislative instruments, to ensure that they are subject to appropriate parliamentary oversight.^[67]

The Minister advised that the composition, purpose and terms of Advisory Committees are appropriately left to executive control to ensure committees are able to be established as required (which may be on a short-term basis) with appropriate subject-matter experts and terms of reference. The Minister further advised that instruments establishing committees, their composition, purposes and terms are administrative in character as they do not determine the law or alter the content of the law.^[68]

The Scrutiny Committee thanked the Minister for her response, but reiterated its concern that as these committees are established to provide advice about matters arising under the DID Bill, including in relation to the Digital ID Regulator’s powers and functions, their establishment forms a significant part of the overall legislative scheme. It noted that it was open for the Minister to prescribe an instrument as a legislative instrument, even if it does not determine or alter the law. The Scrutiny Committee drew the matter to the attention of the Senate and left to the Senate as a whole to consider the appropriateness of the provisions.^[69]

Figure 3: Proposed governance arrangements

×

Source: Derived from Library analysis of the DID Bill and Explanatory Memorandum.

Governance: Instruments

The DID Bill establishes the architecture of the Digital ID system, but many aspects of the system’s operation will be settled through a range of instruments, determinations and directions, as outlined in Table 1.

Table 1: Instruments and determinations under the DID Bill

Disallowance

The TCP Explanatory Memorandum states that item 10 of the TCP Bill’s Schedule 1 would enable the Minister to make disallowable transitional rules that ‘will be able to address any unforeseen consequences of the principal Bill and minimise the likelihood of any regulatory uncertainty during transition’.[70]

Because the transitional rules under item 10 of the TCP Bill’s Schedule 1 and the Accreditation Rules and Digital ID Rules established by the Minister under clause 168 of the DID Bill may deal with a wide range of matters it is appropriate that the rules are disallowable, and that clause 169 would require the Minister to consult before making or amending legislative rules.

Other instruments that will relate to technical or specific operational aspects, for example data standards and service levels, are less suited to disallowance. The Explanatory Memorandum explains that subjecting this type of instrument to disallowance could adversely affect certainty in relation to the day-to-day operation of the AGDIS.[71]

‘Core instruments’

Subclause 167(1) provides that the Accreditation Rules, Digital ID Rules and Digital ID Data Standards are ‘core instruments’. This designation appears to be a mechanism to facilitate flexibility in the application, adoption or incorporation from time to time of matter contained in other material. This overrides subsection 14(2) of the Legislation Act 2003, which provides that a legislative instrument or notifiable instrument ‘may not make provision in relation to a matter by applying, adopting or incorporating any matter contained in an instrument or other writing as in force or existing from time to time’, unless the contrary intention appears.

This approach affords flexibility in relation to adaptation and evolution of the system in the context of, for example, technological change, and the Explanatory Memorandum offers some useful examples:

Examples of documents that may be incorporated by reference from time to time include Commonwealth documents relating to protective security and cyber security (such as the Protective Security Policy Framework and the Information Security Manual), international standards (such as those relating to the testing of presentation attack detection processes used in biometric verification), and digital identity standards set by internationally recognised organisations such as the US Department of Commerce’s National Institute of Standards and Technology.

It is intended that, to ensure accredited entities and others are aware when changes in an incorporated document would take effect [and] are given sufficient time to comply with any changes … the Accreditation Rules would specify when those changes would take effect.[72]

The Scrutiny Committee sought advice from the Minister as to whether documents applied, adopted or incorporated by reference under clause 167 will be made freely available to all persons interested in the law and why it is necessary to apply the documents as in force or existing from time to time, rather than when the instrument is first made.^[73]

The Minister advised that the Digital ID Bill and legislative rules seek to adopt existing frameworks, standards or policies that are appropriate for digital ID, which change over time as circumstances, risks and threats change. The Minister further advised that the draft Accreditation Rules include a provision [subrule 1.5(2)] stating accredited entities will have 12 months to comply with changes in any incorporated standard or policy unless the incorporated document itself sets out a longer timeframe.[74]

In relation to access to incorporated documents, the Minister advised that there will be two kinds of incorporated documents in the legislative rules, one of which includes standards relating to security, biometric technology operation and biometric technology testing which are not freely and publicly available in full and are unable to be made publicly available due to copyright. The Minister advised summaries and previews of each of these standards are publicly available and the legislative rules will include links to where the public information may be accessed.^[75]

The Scrutiny Committee thanked the Minister for her response, but remained concerned that entities will be required to comply with standards that are not fully and freely accessible, particularly as these standards relate to the handling of highly sensitive biometric information. The importance of public access to these documents was also highlighted by the Committee, which noted that the availability of summaries and previews of standards was inadequate to properly comply with the standards in full.^[76] In light of these concerns, the Committee requested the Minister’s further advice ‘as to whether free access to documents that will be applied, adopted or incorporated by reference into legislative instruments as a result of clause 167 can be provided via other means such as display in public libraries or departmental offices’.[77]

The Minister’s response advised that the Department of Finance ‘is further investigating the ways in which documents that are incorporated by reference and that are subject to copyright can legally be made available for free viewing by interested parties’.[78] The Committee thanked the Minister for her advice and noted that it would appreciate further advice on the conclusion of the Department’s investigations on this matter in due course. The Committee made no further comment on this matter.[79]

The consultation process about proposed rules is set out in subclauses 169(1) and (2), which require consultation with the Information Commissioner about proposed rules that relate to the Commissioner’s privacy functions, including rules that would authorise accredited entities to collect, use or disclose restricted attributes or biometric information of individuals.

Subclause 169(4) provides that the consultation process does not apply if the Minister is satisfied that there is an imminent threat to AGDIS, or that a hazard has had, or is having, a significant impact on the system (threats and incidents are discussed in more detail below). If rules are made on this basis without consultation:

the Secretary of the Department must review the rules, seek submissions on the rules and complete a report on the rules within 60 days of being made. The Minister is required to table in Parliament a copy of the Secretary’s statement of findings.[80]

However, a failure to consult or otherwise comply with the requirements of clause 169 does not affect the validity or enforceability of rules (subclause 169(9)).

Accreditation Rules

The purpose of the Accreditation Rules is to provide a set of nationally consistent standards that a provider of digital ID services must meet in order to become and remain an accredited entity. Under clause 28, Accreditation Rules made by the Minister will prescribe a range of matters related to the scope and operation of the Accreditation Scheme, including the privacy, security, accessibility and other standards to apply to accredited entities. Subclause 28(2) provides a non-exhaustive list of matters that the Accreditation Rules may address, including: technical, data or design standards relating to the provision of accredited services; mandatory requirements for becoming and remaining an accredited entity (for example relating to privacy, security, fraud control, and incident management and reporting); and requirements or restrictions relating to the generation of digital IDs for children.

Whereas much of the accreditation requirements will be established in the Accreditation Rules, several key requirements are featured in the Bill. For example, accredited services must be accessible and inclusive (clause 30).

The Digital ID Accreditation Rules will be applicable to all service providers, including those operating outside the AGDIS, and trustmarks provided for under clause 117 may be available to entities operating parallel Digital ID systems. Private exchange ConnectID is already advertising government accreditation as ensuring the security of their system.[81]

Digital ID Rules

The following discussion notes the wide range of matters the disallowable Digital ID Rules may deal with.

Clause 12 provides that in having regard to whether an entity is a fit and proper person, the Digital ID Regulator must have regard to any matters specified in the Digital ID Rules, which may relate to:

• for accreditation of an entity: whether to accredit (clause 15); suspension of accreditation (clause 25); and revocation of accreditation (clause 26) and
• for approval to participate in the AGDIS: whether to approve (clause 62); conditions on approval (clauses 63 and 64); suspension of approval (clause 71); and revocation of approval (clause 72).

With respect to accreditation and approval to participate, the Digital ID Rules may also address aspects of: requirements for applications (clause 141); the Digital ID Accredited Entities Register (clause 120) and the AGDIS Register (clause 121); statutory contracts between entities participating in the AGDIS (clause 85); record keeping by participating entities and former participating entities (clause 135); compliance assessments (clause 131); dispute resolution procedures (clause 87); the redress framework (clause 88); and reviewable decisions (clause 137).

In relation to technical aspects of the system, the Digital ID Rules may address: holding information outside Australia (clause 77); reportable incidents (clause 78); and interoperability (clause 79). The Digital ID Rules may also address aspects of: Digital ID Data Standards (clause 99); and confidentiality, particularly authorised uses and disclosures of protected information by entrusted persons (clause 152).

In relation to system regulation and administration, the Digital ID Rules may address the powers of the Digital ID Regulator (clause 128) and the System Administrator (clauses 95 and 130) to give directions to protect the integrity or performance of AGDIS. The Digital ID Rules may: make provision in relation to the charging of fees by the Digital ID Regulator (clause 144) and by accredited entities (clause 148); and specify Digital ID trustmarks that may or must be used by accredited entities or participating relying parties, and prescribe conditions or requirements in relation to the use or display of trustmarks (clause 117).

Digital ID Data Standards

Clause 99 provides for the Digital ID Standards Chair to make Digital ID Data Standards in writing. The Explanatory Memorandum anticipates that the data standards will be ‘largely in the nature of specifications for technical processes, to ensure for example there are appropriate levels of security protecting the AGDIS and other digital ID systems used by accredited entities’.[82]

Clause 100 ‘imposes mandatory consultation requirements by the Chair before data standards are made to ensure that further expert input is provided’, including submissions from the public and ‘consultation with the Information Commissioner to ensure expert advice is provided on privacy matters and the System Administrator for further expert advice on the effect of technical and design standards on the operation of the AGDIS’. These standards will ‘be made so as to operate at the commencement of the Act, ensuring that the Accreditation Scheme and the AGDIS can properly operate immediately’.[83]

Accreditation

The DID Bill assigns to the Minister and the Digital ID Regulator responsibilities for accrediting entities and approving entities to participate in the Digital ID system (refer to figures 3 and 4).

A law firm has described accreditation as a ‘trust baseline’:

accredited Digital ID service providers will be required to comply with privacy, security, consumer protection, record-keeping, data destruction, and other requirements. Accreditation provides a baseline set of obligations and regulatory oversight that apply to all accredited service providers, whether they provide services in the Australian Government Digital Identity System or in a separate Digital ID system.[84]

Types of entities that may be accredited

The DID Bill continues the architecture of the current unlegislated TDIF by providing for three types of accredited entities: identity exchange provider; identity service provider: and attribute service provider (subclause 14(1)). Future expansion is provided for by an additional category of ‘an entity that provides, or proposes to provide, a service of a kind prescribed by the Accreditation Rules’ (paragraph 14(1)(d)). Entities can apply for accreditation as more than one type of provider.[85]

Subclause 14(2) sets out the types of entities that may apply to be accredited: public sector entities (Commonwealth entities and Commonwealth companies, and state and territory departments and authorities); private sector corporations (a body corporate incorporated by or under a law of the Commonwealth or a state or territory); or a registered foreign company (within the meaning of the Corporations Act 2001).

Accreditation processes

Under clause 15 the Regulator must decide whether to accredit an entity. The DID Bill sets out the processes to be followed by the Regulator when deciding whether or not to accredit an entity. The Regulator must not accredit an entity:

• unless the entity provides, or will provide, some or all of the services described in the definition of that type of provider as set out in clause 9 (subclause 15(3))
• if the Regulator is not satisfied that the entity is able to comply with the provisions of the DID Bill (paragraph 15(4)(b))
• if a direction made by the Minister under subclause 27(1) directing the Regulator to refuse to accredit the entity on the basis of security is in force (paragraph 15(4)(a)) or
• if Accreditation Rules made by the Minister for the purposes of clause 28:

• require specified criteria to be met and the entity does not meet the criteria (paragraph 15(4)(c)); or
• require the Regulator to be satisfied of specified matters and the Regulator is not satisfied of those matters (paragraph 15(4)(d)).

The Regulator may also have regard to whether the entity is a fit and proper person (subparagraph 15(5)(b)(i)). Clause 12 provides that, in doing so, the Regulator must have regard to the matters (if any) specified in the Digital ID Rules. The Explanatory Memorandum expects that, on this matter, the Digital ID Rules will ‘align where possible’ with fit and proper person considerations for entities applying for accreditation under the Consumer Data Right (CDR) scheme, for which the ACCC is already the regulator.[86]

The Regulator may also have regard to any other matters it considers relevant (subparagraph 15(5)(b)(ii)). As an example, the Explanatory Memorandum notes that ‘if not already a mandatory consideration in the Digital ID Rules, [the Regulator] could take into account a determination made by a State privacy commissioner dealing with breach by an entity of that State’s privacy law’.[87]

As noted above the Regulator must not accredit an entity if a direction made by the Minister under subclause 27(1) directing the Regulator to refuse to accredit the entity for reasons of security is in force (paragraph 15(4)(a)). Subclause 27(1) sets out that the Minister ‘for reasons of security within the meaning of the Australian Security Intelligence Organisation Act 1979, including on the basis of an adverse or qualified security assessment in respect of a person’ may, in writing, direct the Digital ID regulator to: refuse to accredit an entity; impose conditions on an accreditation; suspend an accreditation; or revoke an accreditation (item 3 of Schedule 2 to the TCP Bill is also relevant). As outlined in subclause 27(3) any such direction ‘remains in force unless it is revoked by the Minister’, with subclause 27(4) noting that a direction to revoke accreditation cannot itself be revoked. Subclause 27(5) sets out that a direction is not a legislative instrument.

Any decisions made for reasons of security (within the meaning of the ASIO Act) in relation to an entity that is not an Australian entity are not reviewable decisions (subclause 137(3), and item 4 of Schedule 2 to the TCP Bill). Clause 9 includes a definition of ‘Australian entity’. The Explanatory Memorandum notes that non-Australian entities will be able to seek judicial review of such decisions.[88]

Item 2 of Schedule 1 to the TCP Bill provides that, immediately after commencement:

• the Commissioner of Taxation will be taken to be an accredited attribute service provider and an accredited identity service provider and
• Services Australia will be taken to be an accredited identity exchange provider

with both entities being subject to the conditions specified in item 2.

The Explanatory Memorandum provides that the Commissioner of Taxation and Services Australia ‘have already been accredited by the Australian Government under the TDIF, as the specified kind of entity and subject to the same conditions’.[89] This ‘avoids those entities needing to re-apply for accreditation to the new Digital ID Regulator when they have already achieved accreditation against substantially the same requirements’.[90]

Other entities may be prescribed in transitional rules made by the Minister under item 10 of Schedule 1 to the TCP Bill to be taken to be accredited entities on commencement.

Accreditation criteria

Under clause 28, Accreditation Rules made by the Minister will prescribe a range of matters related to the scope and operation of the Accreditation Scheme. Subclause 28(2) provides a non-exhaustive list of matters that the Accreditation Rules may address. Draft Accreditation Rules released for consultation in September 2023 also provide a guide to likely accreditation criteria, including: privacy impact assessment; protective security assessment; fraud assessment; usability and accessibility assessment; systems testing; penetration testing; usability testing; Web Content Accessibility Guidelines (WCAG) testing.

The consultation draft of the Digital ID Accreditation Rules includes cyber security controls among the protective security requirements which an entity must comply with. This includes compliance with the Essential Eight standards and additional controls with flexibility between different risk management frameworks, including the internationally accepted ISO 27001 and 27002 framework, the Australian Protective Security Policy Framework, and a possibility for ‘another standard or framework’.[91] In the draft accreditation rules ‘all protective security requirements that have equivalent…controls’ as those in ISO 27001 and the Australian Protective Security Policy Framework have been removed, in favour of compliance with those frameworks.[92]

Notification of accreditation outcomes

Subclause 15(6) requires that the Regulator inform the applicant in writing of its decision and to provide reasons if an accreditation application is refused. The notice of a decision to accredit an entity must set out: the kind of accredited entity that the entity is accredited as; the day the accreditation comes into force; and any conditions imposed by the Regulator on the entity’s accreditation (subclause 15(7)). Details of the accreditation, including any conditions imposed, must be entered in the Digital ID Accredited Entities Register (clause 120).

A decision to refuse to accredit an entity would be a ‘reviewable decision’ (see clauses 137 to 140), except when that refusal results from a direction by the Minister under subclause 27(1) to refuse to accredit the entity for reasons of security (see Table item 1 in the table at subclause 137(1) and subclause 137(3)).

Accreditation conditions

An entity’s accreditation is subject to accreditation conditions (clause 16). The accredited entity must comply with those conditions, and failure to do so may result in suspension or revocation of the entity’s accreditation (clause 16). The Regulator may impose conditions on an entity at the time of accreditation, or later (paragraph 17(2)(a)), either at the Regulator’s initiative or on application by the entity (subclause 17(3)). Under paragraph 17(2)(b) the Regulator must impose conditions if directed to do so by a ministerial direction regarding accreditation under subclause 27(1), related to reasons of security.

Subclause 17(4) comprises a non-exhaustive list of matters to which conditions imposed by the Regulator may relate, including:

• limitations, exclusions or restrictions in relation to the accredited services of the entity;
• the circumstances or manner in which the accredited services of the entity must be provided;
• the kinds of restricted attributes of individuals (if any) that the entity is authorised to collect or disclose;
• the kinds of restricted attributes of individuals (if any) that the entity must not collect;
• the kinds of biometric information (if any) of an individual the entity is authorised to collect, use or disclose;
• the entity’s information technology systems through which the entity’s accredited services are provided, including restrictions on changes to such systems;
• actions that the entity must take before the entity’s accreditation is suspended or revoked.

Subclause 17(5) provides that the Accreditation Rules issued by the Minister may determine that the accreditation of each accredited entity, or each accredited entity included in a specified class, is subject to specified conditions.

Conditions relating to restricted attributes

As defined in clause 11, a restricted attribute includes: health information; information about a criminal record; and an identifier of an individual that has been issued or assigned by the Commonwealth, a state or territory, or a foreign government (including the individual’s tax file number, Medicare number or driver’s licence number). The Explanatory Memorandum observes:

A key objective of the Accreditation Scheme, and use of the AGDIS, is to minimise the collection of restricted attributes by relying parties, ensuring they receive only those that are necessary for the particular relying party service their customer is accessing. Minimising disclosure of restricted attributes in this will help mitigate the increasing risk of data breaches involving identity information.[93]

However, the Bill also recognises that restricted attributes may be essential or incidental components of some transactions. The Bill addresses circumstances where the Regulator imposes a condition on an entity’s accreditation that would authorise the entity to collect or disclose a restricted attribute of an individual (clause 18), or where the Minister is proposes to make Accreditation Rules that would impose an accreditation condition authorising an accredited entity to collect or disclose a restricted attribute or collect, use or disclose biometric information (clause 19). Subparagraph 65(2)(f)(iii) sets out that among the issues to which the Digital ID Regulator must have regard prior to imposing a condition on an entity’s approval to participate in the AGDIS, relating to restricted attributes (ie collection or disclosure), is that of the effectiveness of the entity’s fraud control arrangements.

As discussed in relation to privacy provisions, accredited entities may also disclose a restricted attribute of an individual to a relying party if, for example, the individual has given express consent for the disclosure (subclause 46(1)).

Accreditation register

The fact of a revocation of an entity’s accreditation will be publicly available on a Digital ID Accredited Entities Register that the Regulator is required to maintain and make available on its website (clause 120). The Register must also include accreditation conditions imposed by the Regulator (other than conditions for reasons of national security[94]), and details on whether an entity’s accreditation has been suspended or revoked. Information about an accredited entity must remain on the register for 12 months after the entity’s accreditation is revoked. The Digital ID Rules may prescribe other information to be included in the Register.

Approval to participate in the AGDIS

Roles of the Minister and the Digital ID Regulator

To apply for approval to participate in the AGDIS, entities must first be specified in a determination by the Minister under clause60. Subclause 60(2) allows the Minister to specify entities in any way, including by reference to: whether the entities are relying parties or accredited entities; kinds of relying parties; kinds of accredited entities; or whether the entity belongs to the public or private sector. Under subclause 60(3) the Minister cannot revoke a determination and may only vary a determination to add additional kinds of entities that may apply for approval, or to correct an error, defect or irregularity in a determination.

The requirement that entities must be specified in a determination by the Minister under clause 60 is the mechanism by which ‘phasing-in’ will be given effect. Phasing-in is the progressive expansion of the AGDIS to additional entities beyond the initial Commonwealth entities—in other words, the means by which an economy-wide digital ID system will be established.[95] ‘Phasing-in’ is discussed below and depicted in Figure 4.

Under clause 62 the decision-maker on applications for approval to participate in the AGDIS is the Regulator. Under subclause 73(1) the Minister may issue directions to the Regulator, for reasons of security within the meaning of the ASIO Act, including on the basis of an adverse or qualified security assessment in respect of a person, to direct the Regulator to: refuse to approve an entity; impose conditions on an approval; suspend an approval; or revoke an approval.

Types of entities that may be approved to participate

Paragraphs 61(a) and (b) have the effect that a wide range of Commonwealth entities may apply for approval at the commencement of the legislation. Under paragraph 61(c) other kinds of entities must be specified in a determination by the Minister under clause 60 and must be either: an accredited entity; an entity that has applied for accreditation; an Australian relying party; or a relying party that is a foreign company registered under the Corporations Act to carry on business in Australia.

A relying party is an entity that needs to have verification of a person's identity, or an element of their identity (such as proof of age), in order to provide a service to the person or to enable the person to access a service. For example, a real estate agent would need to verify the identity of a person to whom they are leasing a property, and a licenced bottle shop would need to verify that a person is at least 18 years of age.[96] A relying party will request the necessary verification from an accredited entity and will rely on that information. Relying parties themselves are not accredited because they do not provide services to other entities within the system.

Although they don’t need accreditation, under paragraph 61(b) a relying party still needs to apply to the Regulator to participate in AGDIS. In doing so, under the exposure draft Digital ID Rules a relying party needs to show that it has plans for interoperability testing, fraud management and business continuity, and have conducted a cyber security incident risk assessment.[97] If under clause 62 a relying party is approved to participate, it is a ‘participating relying party’ (clause 9).

A key objective of the AGDIS is to minimise relying parties’ collection of restricted and superfluous attributes by ensuring relying parties receive only those attributes that are necessary for the particular service the individual is seeking to access.[98]

A great example is getting into a bar: at the moment, most people would hand over their driver’s licence which, on top of information about your age and your face, also tells the bouncer your address completely unnecessarily. Digital identification systems like the federal government’s digital ID scheme restrict redundant information. … A digital identity system replaces these [ie requests for unnecessarily information-rich driver’s licences or bank statements] by creating a scheme that allows the government to “vouch” for you to whoever needs it. So, instead of every institution having to ask for various documents (like the dreaded 100 points of identification documents), they could instead just use this system.[99]

Approval criteria

Subclause 62(4) provides that the Regulator must not approve an entity to participate if a ministerial direction under subclause 73(1) is in force directing the Regulator not to approve the entity on security grounds.

Subclause 73(1) sets out that the Minister ‘for reasons of security within the meaning of the Australian Security Intelligence Organisation Act 1979), including on the basis of an adverse of qualified security assessment in respect of a person’ may, in writing, direct the Digital ID regulator to: refuse to approve an entity’s participation in AGDIS; impose conditions on an approval; suspend an approval; or revoke an approval (item 3 of Schedule 2 to the TCP Bill is also relevant). As outlined in subclause 73(3) any such direction ‘remains in force unless it is revoked by the Minister’, with subclause 73(4) noting that a direction to revoke approval cannot itself be revoked. Subclause 73(5) sets out that a direction is not a legislative instrument.

Any decisions made for reasons of security in relation to an entity that is not an Australian entity are not reviewable decisions (subclause 137(3), and item 4 of Schedule 2 to the TCP Bill). Clause 9 includes a definition of ‘Australian entity’. The Explanatory Memorandum notes non-Australian entities will be able to seek judicial review of such decisions.[100]

Subclause 62(1) provides that the Regulator may approve an entity to participate if:

(a) the entity has made an application under section 61; and

(b)  unless the entity is a relying party—the entity is an accredited entity; and

(c)  the Digital ID Regulator is satisfied that the entity will comply with the Digital ID Data Standards that apply in relation to the entity and that relate to participation in the Australian Government Digital ID System; and

(d)  if the Digital ID Regulator makes a requirement under paragraph 131(1)(a) in relation to the entity—the entity has been assessed as being able to comply with this Act; and

(e)  the Digital ID Regulator is satisfied that it is appropriate to approve the entity to participate in the system; and

(f)  any other requirements prescribed by the Digital ID Rules are met.

Subclause 62(2) comprises a non-exhaustive list of matters that may be relevant to whether approval would be appropriate under paragraph 62(1)(e) (set out above): whether the entity has appropriate procedures for dealing with the identities of shielded persons (as defined in clause 9), such as those in a witness protection program; and whether the entity is a fit and proper person (see clause 12). In having regard to whether an entity is a fit and proper person, the Regulator must have regard to any matters specified in the Digital ID Rules and may have regard to any other matters considered relevant.

Notification of approval outcomes

Subclause 62(5) will require the Regulator to inform the applicant in writing of its decision and to provide reasons if an application is refused. A decision to not approve would be a ‘reviewable decision’ (see clauses 137 to 140), except for decisions to not approve because a ministerial direction about security is in force (see discussion above about subclauses 62(4) and 73(1)).

Under subclause 62(6) the notice of a decision must set out: whether the entity is a participating relying party or an accredited entity and, if the entity is an accredited entity, the kind of accredited entity it is accredited as; any conditions imposed by the Regulator on the entity’s approval; and the day on which the entity must begin to participate.

Approval conditions

An entity’s  approval is subject to conditions. The approved entity must comply with those conditions, and failure to comply may result in suspension or revocation of the entity’s approval (clause 63). Subclause 64(4) comprises a non-exhaustive list of matters to which conditions imposed by the Regulator may relate.

Approved entities’ compliance with the Bill is specified as a condition (subclause 64(1)). In addition, the Regulator may impose conditions on an entity at the time of approval, or later (paragraph 64(2)(a)), either at the Regulator’s initiative or on application by the entity (subclause 64(3)). Under paragraph 64(2)(b) the Regulator must impose conditions if directed to do so by a ministerial direction under subclause 73(1), which relates to security.

Subclause 64(5) provides that the Digital ID Rules issued by the Minister may determine that the approval of each entity, or each entity included in a specified class, is subject to specified conditions.

The Bill address circumstances where the Regulator is proposing to impose a condition on an entity’s approval for participation that would authorise the entity to collect or disclose a restricted attribute of an individual (subclause 65(1) and (2)), or where the Minister is proposing to make Digital ID Rules that would impose a condition authorising an approved entity to collect or disclose a restricted attribute (subclauses 65(4) and (5)). If the Regulator imposes a condition authorising the entity to collect or disclose a restricted attribute of an individual, the Regulator must publish on its website a statement of reasons for giving the authorisation (subclause 65(3)).

Approvals register

Clause 121 provides that the Regulator must establish and maintain the ‘AGDIS Register’ of entities that are approved to participate in the AGDIS. The Register must be made publicly available on the Digital ID Regulator’s website.

The Register must include: each service a participating relying party is approved to provide or provide access to; and, if the entity is an accredited entity, the kind of accredited entity it is accredited as. The Register must also include any participation conditions imposed by the Regulator, and information about whether the entity’s approval has been suspended or revoked. Information about an entity will remain on the register for three years after the entity’s approval is revoked. The Digital ID Rules may prescribe other information to be included in the Register.

Varying accreditation or approval to participate

Clauses 24 and 70 will (respectively) allow the Digital ID Regulator to vary an entity’s accreditation or approval to participate in AGDIS where the entity’s name has changed. The Explanatory Memorandum provides the example of a government entity that changes its name in a Machinery of Government (MOG) change.[101] The Digital ID Regulator may also vary conditions on accreditation or an approval to participate.

Suspending accreditation or approval to participate

Clauses 25 and 71 specify when an entity’s accreditation or approval to participate must or may be suspended, and the effects of suspension. Subclauses 25(1) and 71(1) provide that the Regulator must suspend an entity’s accreditation or approval to participate if, for reasons of national security (see clauses 27 and 73), the Minister has given a direction to suspend the entity’s accreditation or approval. The suspension remains in force until revoked by the Minister.

Subclauses 25(2) and 71(2) list grounds on which the Regulator may suspend an entity’s accreditation or approval to participate in the AGDIS. An example is if a body corporate is in receivership or under administration (a Chapter 5 body corporate within the meaning of the Corporations Act). Alternatively, circumstances specified in the Accreditation Rules or Digital ID Rules (as relevant) may apply to the entity, resulting in suspension.

Other possible circumstances are less clear-cut and involve the Regulator’s reasonable belief. The Regulator may reasonably believe the accredited or approved entity has contravened or is contravening the Act, or is satisfied that it is not appropriate for the entity to be an accredited entity or participate in the AGDIS.

In relation to suspension of approval to participate in the AGDIS, the Regulator may reasonably believe there has been a cyber security incident involving the entity and the incident involves a risk to the operation of the AGDIS. In relation to suspension of accreditation, the Regulator may reasonably believe there has been a cyber security incident involving the entity, or that a cyber security incident involving the entity is imminent. Noting that the Bill has changed since the exposure draft in 2023, a law firm has observed:

Previously, accreditation could be suspended for a cyber security incident attempt. However, during consultation, industry commented that entities and government agencies are routinely subject to ‘attempts’, which are successfully prevented. Accordingly, allowing accreditation to be suspended for cyber security incident attempts may overburden regulators and participants, who may be subject to unnecessary notification requirements where there has been no actual breach. The wording has since been amended so that an entity’s accreditation cannot be suspended unless the Regulator is satisfied that the relevant cyber security attempts involve an unacceptable risk to the provision of the entity’s accredited services.^[102] [emphasis added]

Cyber security incidents are discussed in more detail in a later section of this Digest.

Subclauses 25(6) and 71(5) provide that an entity may apply for its accreditation or approval to be suspended, in which case the Regulator may (but is not required to) agree to the suspension. The Explanatory Memorandum provides the example of an entity seeking suspension while it is considering whether to end its accreditation or participation.[103]

If the Regulator proposes to suspend an accreditation or approval, subclauses 25(7) and (8) and 71(6) and (7) will require that a ‘show cause’ notice is given to the entity, but subclauses 25(9) and 71(8) provide that this is not required if the suspension is on cyber security grounds. Subclauses 25(1) and 71(9) provide that if the Regulator suspends an accreditation or approval, the Regulator must give a written notice to the entity. Revocation of a suspension must also be by written notice to the entity (subclauses 25(12) and (13) and subclauses 71(11) and (12)).

Subclauses 25(11) and 71(13) provide that, while a suspension is in force:

• an accredited entity is taken not to be accredited and not to hold an approval to participate in the AGDIS and
• an approved entity is taken not to hold the approval.

The Explanatory Memorandum clarifies that the entity will continue to be subject to regulatory powers of the Regulator and may also be subject to compliance action for matters that occurred while the entity was accredited or participating in the AGDIS.^[104]

Revoking accreditation or approval to participate

Subclauses 26(1) and 72(1) will provide that the Digital ID Regulator must revoke an entity’s accreditation or approval to participate in the AGDIS (as relevant) if the Minister has given a direction, for reasons of security, to revoke the entity’s accreditation or approval (see clauses 27 and 73). Under subclauses 27(4) and 73(4) the Minister cannot revoke a direction under which an entity’s accreditation or approval is revoked. The Explanatory Memorandum states that ‘nothing prevents the entity from re-applying’ for accreditation or approval.[105]

Subclauses 26(2) and 72(2) list grounds on the Regulator which may revoke an entity’s accreditation or approval to participate in the AGDIS. An example is if a body corporate is in receivership or under administration (a Chapter 5 body corporate within the meaning of the Corporations Act). Alternatively, circumstances specified in the Accreditation Rules or the Digital ID Rules (as relevant) may apply to the entity, resulting in revocation.

Other possible circumstances are less clear-cut and involve the Regulator’s reasonable belief. The Regulator may reasonably believe there has been a cyber security incident involving the entity and the incident is serious. Cyber security incidents are discussed in more detail in a later section of this Digest. The Regulator may reasonably believe the accredited or approved entity has contravened or is contravening the Act, or be satisfied that it is not appropriate for the entity to be an accredited entity or participate in the AGDIS.

Subclauses 26(5) and 72(5) provide that an entity may apply for its accreditation or approval to be revoked, in which case the Regulator must approve the revocation. Under subclauses 26(8) and 72(6) before revoking an entity’s accreditation or approval under subclauses 26(2) or 72(2) the Regulator must have given a show cause notice to the entity. However, this is not necessary if the revocation of accreditation is on cyber security grounds (paragraph 26(2)(b)).

Under subclauses 25(11) and 72(8) the Regulator must give written notice of revocation to the entity.

Under subclause 26(7), if an accredited entity’s accreditation is revoked and it holds an approval to participate in the AGDIS, the Digital ID Regulator must at the same time revoke the entity’s approval to participate.

Revocation of accreditation or approval to participate will be reviewable decisions (clauses 137 to 140), other than when revocation results from a direction by the Minister under subclauses 27(1) or 73(1) to revoke the entity’s accreditation or approval for reasons of security (see Table items 8 and 18 in the table at subclause 137(1) and subclause 137(3)).

On commencement of the Bills

Paragraphs 61(a) and (b) have the effect that, at the commencement of the legislation, a wide range of Commonwealth entities may apply for approval.

Additionally, subitem 4(1) of Schedule 1 to the TCP Bill provides that, immediately after commencement:

• the Commissioner of Taxation will be taken to be approved to participate in the AGDIS as an accredited attribute service provider and an accredited identity service provider and
• Services Australia will be taken to be approved to participate in the AGDIS as an accredited identity exchange provider

with both entities being subject to the conditions specified in subitem 4(1).

The Explanatory Memorandum provides that the Commissioner of Taxation and Services Australia ‘have already been approved to participate in the existing, unlegislated the AGDIS and accredited under the unlegislated TDIF, subject to the same conditions’.[106] This ‘will help ensure these entities can continue providing uninterrupted services to the Australian community upon the commencement of the [DID] Bill’.^[107]

Other entities may be prescribed in transitional rules made by the Minister under item 10 of Schedule 1 to the TCP Bill to be taken to be approved to participate in the AGDIS as accredited entities on commencement.

Subitem 4(2) of Schedule 1 to the TCP Bill further provides that, immediately after commencement, the following will be taken to be participating relying entities in the AGDIS:

• the Australian Communications and Media Authority (ACMA)
• the Australian Financial Security Authority
• the Australian Sports Commission
• the Commissioner of Taxation
• the Civil Aviation Safety Authority
• Defence
• IP Australia
• Services Australia and
• the Student Identifiers Registrar.

These entities will be subject to the conditions specified at subitem 4(2) and are approved to provide the services set out in that provision (for example, ACMA is approved to provide the service known as ACMA Assist and the Commissioner of Taxation is approved to provide the online Tax File Number service and the ATO Online Services for Individuals). The Explanatory Memorandum provides that ‘these are Commonwealth entities that have already been approved to participate in the unlegislated AGDIS, as participating relying parties, subject to the same conditions’.^[108]

Other entities may be prescribed in transitional rules made by the Minister under item 10 of Schedule 1 to the TCP Bill to be taken to be approved to participate in the AGDIS as relying parties on commencement.

Subsequent phasing-in

As indicated by Figure 4, phasing-in is the progressive opening of the AGDIS to additional entities beyond the initial Commonwealth entities—in other words, the means by which an economy-wide digital ID system will be established, as distinct from a digital ID system largely limited to Commonwealth Government agencies.[109]

The mechanism by which ‘phasing-in’ will be given effect is that, to apply for approval to participate in the AGDIS, entities must first be specified in a determination by the Minister under clause60 (as discussed above).

Anticipated phases

Without specifying timeframes Minister Gallagher has foreshadowed the following four phases:

Phase 1: Legislate the DID Bills; establish the rules, the regulator and protections; and expand use across government and the accreditation of public and private providers.

Phase 2: Allow use of state and territory Digital IDs to access Commonwealth services.

Phase 3: Allow use of myGovID in the private sector for example, to open a new account with an Australian bank, or for identity verification when signing a contract such as a real estate lease.

Phase 4: Allow use of accredited private sector Digital IDs to verify identity when accessing some government services.[110]

Following phase 1, the Minister will determine the timing of each subsequent phase by determining the entities that may apply to the Digital ID Regulator for approval to participate in the system (clause60). After each such decision by the Minister, each phase will be given effect by the Regulator accrediting entities and approving additional entities to participate in the system.

Subclause 60(2) provides that a determination by the Minister ‘may specify entities in any way’.

Timing of phases

The Explanatory Memorandum states that ‘it is expected that each phase will proceed sequentially as each preceding phase is demonstrated to be sufficiently matured’ but the Government has not foreshadowed the timing of the phases. According to the Explanatory Memorandum, the proposed mechanism (ie the provisions of clause 60) ‘allows the Minister to ensure the new legislated AGDIS is bedded down and operating as necessary to allow expansion by phases’.[111]

This suggests that the timing will be decided by the Minister based on the Minister’s views on the extent to which, after each new phase is added, the system is ‘bedded down’ and ‘operating as necessary’. As these criteria are not technical in nature, it can be assumed or hoped that, in forming a view about the two criteria, the Minister would seek advice from participants in the system and the entities involved in the governance arrangements.

Stakeholders’ views on phasing-in are discussed above in the context of ‘Position of major interest groups’ and ‘Committee consideration’.

Figure 4: Potential phasing-in of approval to participate in the AGDIS under the DID Bill

×

Sources and further information follow.

Notes on Figure 4

Created by the Library, this diagram is based on analysis of the DID Bill, Your guide to the Digital ID legislation and Digital ID Rules and public comments by Minister Gallagher.[112] The Department of Finance has stated that the details of phasing-in may be adjusted based on stakeholder feedback.[113] Additional notes on specific elements are:

1. Attribute Verification Services: Under subclause 78(3), the Regulator may need to be informed of contractors participating in the ecosystem, for example facilitating document verification and liveness checks.

2. Commonwealth Identity Service Provider: There are no announced plans for another Commonwealth identity service provider.
3. Commonwealth Identity Exchange: Services Australia will continue to operate the exchange.
4. Government Relying Parties: Only Commonwealth Government services are included in the TCP Bill, not the state and territory services currently available in the AGDIS.
5. Attribute Service Providers: Only the ATO’s Relationship Attribute Manager is taken to be approved in the TCP Bill. There could potentially be other attribute service providers operated by governments or the private sector.
6. State and Territory Identity Service Providers: Only identity service providers appear to be envisaged, but these governments may also operate identity exchanges, and it is unclear if they would be incorporated into the AGDIS.
7. Private sector Identity Service Providers and Identity Exchanges: Which private sector services intend to operate in the AGDIS is not known. Private sector entities accredited under the TDIF are discussed in the notes for Figure 2.
8. Private sector Relying Parties: Examples given by the Explanatory Memorandum include opening a bank account and signing up for an energy provider.[114]