On 19 September 2023, two years after the initial exposure draft was released, the Australian Government released the exposure draft of its proposed Digital ID Bill (Digital ID Bill), accompanied by two sets of supporting rules, the Digital ID Rules and the Digital ID Accreditation Rules (together, the Rules).
The proposed national Digital ID scheme will involve:
- a voluntary accreditation scheme of Digital ID service providers; and
- an Australian Government Digital ID System (AGDIS), initially based around government services which will eventually be expanded to include participating private sector organisations.
The Government has been seeking feedback on the drafts, with consultation on the Digital ID Accreditation Rules remaining open until 31 October 2023.
What is a Digital ID?
The Digital ID system is intended to better protect the privacy and security of Australians by introducing safeguards that prevent personal information from being collected, profiled, used or sold for other purposes. A Digital ID allows people to verify their identity for certain online services without repeatedly providing copies of their most sensitive personal information and documents, such as passports, birth certificates and driver licences. This also better protects consumers in the event of a data breach: the Digital ID system is designed to share only the minimum personal data required for each specific transaction, rather than copies or images of entire identity documents, so the amount of personal information exposed by a breach is kept to a minimum.
The proposed new Digital ID system will involve a phased expansion of the existing AGDIS to State and Territory Governments, as well as a voluntary accreditation scheme of Digital ID service providers that operate across the broader Australian digital economy. Currently, the AGDIS allows Australians to verify their identity digitally via the myGovID application software developed by the Australian Taxation Office and Digital Transformation Agency, to access more than 130 government services. The expansion of the proposed Digital ID scheme under the phased implementation (described further under ‘Phased Implementation’ below) will allow Australians to access a broader range of government and private sector services using their Digital ID.
The draft legislation aims to build on the existing Trusted Digital Identity Framework (TDIF) to strengthen the voluntary accreditation scheme and improve privacy and security protections for Australians. Over 10.5 million Australians already have a Digital ID, which they use to verify their identity to access government services online. While myGovID will initially remain the sole digital identity service provider that can be used by individuals to access certain government services, under the proposed Digital ID Bill, Australians may opt to verify their digital identity with an accredited private sector provider of their choice to access certain Commonwealth, State and Territory or private sector services.
Overview of framework
The draft Digital ID legislation has been introduced to allow for a phased expansion of the AGDIS (see ‘Phased Implementation’ for more information on the ‘phased approach’).
The key objectives of the Digital ID Bill include:
- establishing accreditation and government system schemes;
- building on the TDIF to strengthen the voluntary accreditation scheme for Digital ID service providers;
- building upon protections in the Privacy Act 1988 (Cth) (Privacy Act) to enshrine additional privacy safeguards for Australians creating and using a Digital ID;
- introducing penalties for accredited Digital ID service providers who fail to protect privacy and security to the standard that their accreditation requires; and
- establishing an independent Digital ID Regulator (see the discussion of the Digital ID Regulator below for further detail on the proposed regulatory approach).
The Digital ID Bill is supplemented by two sets of supporting Rules:
- the Accreditation Rules, which set out a nationally consistent set of accreditation standards and requirements; and
- the Digital ID Rules, which deal with transparency measures, the use of trustmarks by accredited service providers, and government system onboarding requirements (including technical standards and service levels).
Overall, the Digital ID scheme aims to give Australian consumers who choose to use accredited providers confidence that their personal information will be protected, to offer a greater choice of trusted providers for accessing more services, to provide a convenient and reusable way for consumers to prove their identity online, to reduce the risk of identity theft, and to give businesses a simpler and safer way to verify the identity of their customers online.
Commentary on the proposed framework
As the consultation process is at an early stage, public sentiment and industry opinion on the new Digital ID scheme remain unclear. However, key concerns are likely to centre on the new Digital ID scheme adding to an already disjointed approach to privacy and cybersecurity regulation in Australia, and on the need to ensure that the Australian system for digital identity verification aligns with international approaches.
The Digital ID Bill and Rules overlap significantly with both privacy laws and cybersecurity laws, both of which are currently undergoing significant reform. For example, the Digital ID Bill and Rules impose specific and extended requirements for cyber incident reporting, increasing the compliance burden on accredited service providers and businesses that are already required to comply with corresponding obligations under privacy and cybersecurity laws. Further, many obligations under the Privacy Act already apply in a digital environment, as evidenced by the Australian Government’s decision to allow the Information Commissioner to oversee certain privacy-related aspects of the Digital ID scheme and to apply the powers and penalty provisions available under the Privacy Act to Digital IDs, despite the Information Commissioner not being the appointed Digital ID Regulator (for more information on the Digital ID Regulator, see the discussion of the regulatory approach below).
The privacy, cybersecurity and Digital ID regulators will need to work together to ensure their powers and responsibilities are applied consistently and fairly. Introducing new Digital ID legislation while privacy and cybersecurity reforms are on foot will make it harder to ensure that the overlapping regimes fit together. On the other hand, had the Government waited for the privacy and cybersecurity reforms to be completed before introducing the Digital ID Bill and the Rules, Australia would have fallen further behind key international players that have already implemented national digital identity systems (see ‘International Approaches’ below).
A further point to consider is that the current draft Digital ID Bill does not contemplate application of the Digital ID to non-Australian citizens or permanent residents, or non-Australian entities. While this may not pose any issues during the implementation period, it will become increasingly important for Australia to align its approach with its international partners to promote global harmonisation in relation to the use of digital identities. As noted by the UK Government during its rollout (see ‘UK’ under ‘International Approaches’ below for further details on the UK approach), the UK intends to work with Australia and other countries to allow citizens to use their digital IDs around the world, and for UK businesses to trust digital IDs created elsewhere. These types of collaborations are likely to support greater adoption of digital identities by individuals and entities alike, but cybersecurity and national security issues will need to be evaluated in implementing these arrangements.
Regulatory approach
The Digital ID Bill provides for independent regulation of the Digital ID system and names the Australian Competition and Consumer Commission (ACCC) as the Digital ID Regulator. While the ACCC has been appointed as the initial regulator (given its consumer focus and expertise), the Government expects that a more digital-specific regulator may be established as the Digital ID system expands and grows.
The Digital ID Regulator will be responsible for accreditation (determined against the Digital ID Accreditation Rules), approvals to participate in the AGDIS, and compliance and enforcement (through broad powers to issue infringement notices and to seek enforceable undertakings, injunctions or civil penalties). We note that the proposed accreditation and enforcement functions overlap with the ACCC’s ongoing role in relation to the Consumer Data Right.
Alongside the Digital ID Regulator, the Digital ID Bill contemplates further functions and responsibilities split across:
- Services Australia for the more operational aspects of the AGDIS (such as risk, fraud and cybersecurity incident management). However, the draft Digital ID Bill notes that the sharing of functions between the Digital ID Regulator and Services Australia remains under consideration;
- the Information Commissioner in relation to the privacy-related aspects of the scheme (see ‘Commentary on the proposed framework’ above); and
- a Digital ID Data Standards Chair to develop nationally consistent standards to regulate technical, data and design aspects required for participation in the AGDIS (including by emerging technologies, such as verifiable credentials and digital wallets).
Phased Implementation
The Government has outlined its plan to roll out the Digital ID in four phases, namely:
- Phase One: establish the Digital ID legislation and accompanying Rules, set up the Digital ID Regulator, expand use of the Digital ID across government services, and continue accreditation of public and private providers;
- Phase Two: allow State and Territory digital IDs to be used to access Commonwealth government services;
- Phase Three: expand use of the Digital ID to the private sector; and
- Phase Four: allow certain accredited private sector digital IDs to verify individuals when accessing some government services.
This approach seeks to first implement the Digital ID nationally, and then economy-wide (being the expansion into the private sector).
The phased implementation is similar to the approach taken in the UK, which is further advanced than Australia in its rollout of an equivalent digital ID scheme (see ‘UK’ under ‘International Approaches’ below). While not characterised in distinct phases, the UK model also seeks to first create a trusted legislative framework, and then second, expand the digital ID across both the public and private sector.
International Approaches
While Australia is in the process of rolling out its own Digital ID framework, it is helpful to observe international developments in this space. Several jurisdictions around the world have implemented, or are implementing, a similar framework, with varying degrees of success.
UK
The UK’s ‘Digital Identity and Attributes Trust Framework’ (UK Framework) seeks to specify standards and best practices to enable the use of digital identities across the economy. The UK Framework comprises a set of ‘outcome-based’ rules against which participating entities will be certified. The rules do not prescribe the use of specific technologies or processes, instead relying on ‘open technical standards to strengthen interoperability between participants’.
The UK Government has stated its intention to ensure that the final framework is a collaborative outcome between key stakeholders, industry and the Government, and has taken an iterative approach to developing and releasing the UK Framework. The first ‘alpha’ prototype was published in 2021 and a ‘beta’ update was released in June 2023 following market feedback. Consultation and further live market testing of the beta version (including through regulatory sandboxes and ongoing pilot schemes for the Right to Work, Right to Rent and Disclosure and Barring Service checks) is currently underway.
The UK Minister for Digital Infrastructure has noted ambitions for international interoperability to enable UK citizens to use their digital identity abroad and for UK businesses to trust digital identities created overseas.
Singapore
Singpass is the Singaporean National Digital Identity (NDI) initiative that allows both citizens and businesses to transact with the Singaporean government and private service providers. Singpass was implemented in 2003, and now has over 4.2 million users and serves approximately 97% of Singapore citizens and permanent residents, making it one of the most highly adopted national digital identity systems in the world.
Users unlock the Singpass app with a fingerprint, facial recognition or a 6-digit passcode. To further protect personal data, the app has also introduced two-factor authentication (2FA) methods such as Singpass Face Verification and Multi-User SMS 2FA.
Current features of Singpass include:
- access to government digital services;
- notifications from government agencies for alerts such as passport renewal;
- digital signing of documents by scanning a QR code, without the need for users to be physically present to sign documents and agreements;
- services such as Myinfo business and Corppass, which allow global business transactions and the flow of cross-border data and transactions; and
- use of Singpass’ APIs by the private sector to improve business processes.
Japan
In 2015, the Japanese government launched the ‘My Number’ ID card for digital identity verification in administrative procedures, including banking, tax filing and the paperwork for moving house. The card includes a photo and an embedded chip.
The rollout of the My Number ID card has been complex. In June 2023, Japanese prime minister Fumio Kishida ordered an emergency review of the ID cards, due to a string of registration errors, administrative glitches and data leaks with the system.