New Bill Aims To Extend The Government’s Digital Identity System To States And The Private Sector
The federal government has issued an exposure draft for legislation to extend the application of Australia’s federal digital identity system to state and territory governments and the private sector.
Work on the legislation, called the 2021 Trusted Digital Identity Bill, follows years spent by the Digital Transformation Agency (DTA) developing Australia’s Trusted Digital Identity Framework (TDIF), which ultimately led to myGovID, developed by the Australian Taxation Office, and an equivalent identity service from Australia Post in 2019.
Although the federal government has already implemented the TDIF, it only applies to federal government entities – it cannot be applied to states and territories or the private sector, which is why the federal government started to work on this legislation.
According to the Bill’s Exposure Draft [PDF], the federal government is seeking to formally enshrine two voluntary regimes for entities wishing to provide or rely on digital identity services: a federally administered digital identity system and a new accreditation regime that will be based on the existing TDIF system.
“The two programs involve different benefits and levels of regulation that will affect an entity’s choice to participate in the trusted digital identity system, whether or not to be accredited,” DTA said.
Under the bill, the federal government, state and territory governments, Australian companies and foreign companies registered with the Australian Securities and Investments Commission (ASIC) would be eligible to apply to join the two digital identity systems.
In addition to formalizing the two regimes, the legislation seeks to set up a new supervisory authority that will be responsible for deciding which entity is allowed to be integrated.
The considerations that this new authority should weigh during this process are whether the entity will be able to comply with the technical standards that apply to it; whether the entity is a fit and appropriate person; whether the entity poses national security concerns; and whether it is appropriate to approve the entity.
The Exposure Draft does not specify whether this entity would be housed within government or be an independent entity.
Entities attempting to join one of the two programs would be assessed by the supervisory authority, but entities wishing to join the TDIF accreditation program would be assessed with a higher threshold of requirements. These include the designation of a privacy officer and “privacy champion”, a system security plan and the ability to perform identity fraud risk assessments. The TDIF accreditation program will also require entities to undertake several technical tests as part of accreditation, according to the exposure draft.
New privacy protections separate from the Privacy Act are also part of the bill’s exposure draft. These new protections, if enacted, would prohibit entities from profiling data, using unique identifiers, disclosing restricted information if express consent is not given, and disclosing biometric information to various organizations such as law enforcement.
The Exposure Draft also states that an accredited identity service provider must, at an individual’s request, deactivate the individual’s digital identity as soon as possible after receiving the request.
While the new legislation, if passed in its current state, has its own set of privacy protections, the Privacy Act will still apply to entities within both regimes, the exposure draft says. For example, if an entity that is part of the digital identity systems experiences a data breach that could result in “serious harm”, it would be required to notify those affected under the Notifiable Data Breaches (NDB) scheme.
Enforcement of these privacy rules would fall within the purview of the Information Commissioner, with the Commissioner able to penalize businesses or government entities up to A$333,000 if the bill’s confidentiality safeguards are breached.
In announcing the bill’s exposure draft, the minister responsible for digital transformation, Stuart Robert, said the federal government would work with stakeholders and co-design the bill with industry.
The federal government is seeking submissions on the exposure draft until October 27.
As legislation continues to be developed by the government, the private sector has started to develop digital identity solutions to meet customer demand. Earlier this week, Eftpos became the first accredited non-governmental operator of a digital identity exchange under TDIF using its connectID technology. Since last year, Eftpos has piloted connectID with 20 “well-known” Australian brands, including Australia Post and Yoti.
Mastercard is also working separately with the DTA to see how the former’s digital identity service could allow Australians to digitally verify their age and identity. As part of the collaboration, Mastercard is examining a series of pilot projects led by the private sector and the impact that its digital verification service could have on the experiences and expectations of retailers and consumers online.