The federal government has released an exposure draft for legislation that seeks to expand the application of Australia's federal digital identity system to state and territory governments and the private sector.
Commencement of work on the legislation, called Trusted Digital Identity Bill 2021, follows the Digital Transformation Agency (DTA) spending years developing Australia's the Trusted Digital Identity Framework (TDIF), which eventually led to myGovID -- developed by the Australian Taxation Office -- and an equivalent identity service from Australia Post going live in 2019.
While the federal government already has the TDIF in place, it is only applicable to federal government entities -- it cannot be applied to states and territories or to the private sector, which is why the federal government has commenced work on this legislation.
Looking at the Bill's exposure draft [PDF], the federal government is seeking to formally enshrine two voluntary schemes for entities that want to provide or rely on digital identity services: A federal government-run digital identity system and a new accreditation scheme that will be based on the existing TDIF system.
"Both schemes entail different benefits and levels of regulation which will affect an entity's choice to participate in the trusted digital identity system, be accredited or neither," DTA said.
Under the Bill, the federal government, state and territory governments, Australian companies and foreign companies registered with the Australian Securities and Investments Commission (ASIC) would be eligible to apply to join the two digital identity systems.
In addition to formalising the two schemes, the legislation is looking to implement a new oversight authority that will be responsible for deciding what entity is allowed to be onboarded.
The considerations this new authority would have to weigh up during that process are whether the entity will be able to comply with the technical standards that apply to it; whether the entity is a fit and proper person; does that entity pose any national security concerns; and whether it is appropriate to approve the entity.
The exposure draft does not state whether this entity would be housed within government or be an independent entity.
Entities that attempt to enter either of the two schemes would be assessed by the oversight authority, but those entities that want to join the TDIF accreditation scheme would be assessed with a higher threshold of requirements. These include having a designated privacy officer and "privacy champion", a system security plan, and the capability to conduct digital identity fraud risk assessments. The TDIF accreditation scheme will also require entities to undertake several technical tests as part of accreditation, according to the exposure draft.
New privacy protections that are separate to those in the Privacy Act are also part of the Bill's exposure draft. These new protections, if passed, would ban entities from data profiling, using single identifiers, disclosing restricted information if express consent is not given, and disclosing biometric information to various organisations such as law enforcement.
The exposure draft also states that an accredited identity service provider must, if requested by an individual, deactivate the individual's digital identity as soon as practicable after receiving the request.
While the new legislation, if passed in its current state, has its own set of privacy protections, the Privacy Act will still apply to entities within the two schemes, the exposure draft states. For example, if an entity that is part of the digital identity systems suffers a data breach, it would be required to notify individuals involved in a data breach that is likely to result in "serious harm" under the Notifiable Data Breaches (NDB) Scheme.
Enforcement of these privacy rules would be under the remit of the Information Commissioner, with the commissioner able to penalise corporations or government entities up to AU$333,000 if the Bill's privacy safeguards are breached.
In announcing the Bill's exposure draft, the Minister responsible for digital transformation Stuart Robert said the federal government would be engaging with interested parties and co-designing the Bill with industry.
The federal government is seeking submissions on the exposure draft until October 27.
As the legislation continues to be developed by government, the private sector has started developing digital identity solutions to meet customer demand. Earlier this week, Eftpos became the first accredited non-government operator of a digital identity exchange under the TDIF through its connectID technology. Since last year, Eftpos has been piloting connectID with 20 "well-known" Australian brands, including Australia Post and Yoti.
Mastercard is also separately working with the DTA to see how the former's digital identity service could enable Australians to digitally verify their age and identity. As part of the collaboration, Mastercard is examining a series of private sector-led pilots and the impact its digital verification service could have on retailer and consumer experiences and expectations online.