Legislation will enable the Commonwealth to partner with states, territories and the private sector to create a better Digital ID experience for all Australians. It will:
- strengthen the existing voluntary Digital ID accreditation scheme
- provide legislative authority for the Australian Government's Digital ID System to expand
- strengthen privacy and consumer protections
- strengthen governance for Digital ID.
Why do we need Digital ID legislation?
As Australians increasingly transact online, our identities are vulnerable in new ways. Recent cyber incidents have highlighted the need for a secure, voluntary, convenient and inclusive way to verify our ID online, and to re-use our Digital ID to access other services we have confidence and trust in.
The legislation strengthens a voluntary accreditation scheme for providers of Digital ID services, building on the existing Trusted Digital Identity Framework. Legislation is required to provide strong privacy safeguards for people creating and using Digital IDs from accredited providers. These build upon the protections in the Privacy Act 1988 with penalties for accredited providers if they fail to protect privacy and security as their accreditation requires.
Australians who use these accredited service providers to create and re-use a Digital ID can have confidence knowing that their personal information is private, safe and secure. Legislation is required to enable phased expansion of the Australian Government Digital ID System (AGDIS).
Through this system Australians can currently use the Australian Government’s accredited Digital ID provider, myGovID, to access over 130 Commonwealth, state and territory government services. While many Australians are benefitting from these government services, the phased expansion will enable more Australians to create and use their Digital ID to verify who they are and provide access to additional state and territory and private sector services. Legislation will provide Australians with greater choice in which accredited state and territory Digital ID providers they use to access Commonwealth services, and vice versa.
Over time, Australians can choose to verify their ID with an accredited private sector provider to access some Commonwealth, state, territory or private sector services.
Regulation of Digital ID providers
Legislation will also establish independent regulation of Digital ID. The ACCC will be appointed as the initial Digital ID regulator, given its strong compliance record as Australia’s competition and consumer regulator.
The ACCC will be responsible for:
- accrediting Digital ID services against legislated Digital ID Accreditation Rules
- approving which services can participate in the AGDIS
- using its investigative and compliance powers in the legislation to ensure Digital ID providers and services comply with the legislation to keep people’s information safe.
The Information Commissioner will also regulate privacy-related aspects of the Digital ID accreditation scheme to protect individuals who choose to use an accredited Digital ID provider.
Who is this legislation for?
This legislation provides assurance to consumers that their privacy and security are protected when they use the services of an accredited provider.
It is also relevant for businesses and state and territory governments who wish to:
- be accredited for the digital ID services they provide, or
- rely on a digital ID to verify the ID of their customers.
What are the benefits of the legislation?
The accreditation scheme and the AGDIS will deliver a range of benefits to consumers and business users, service providers, government, and the broader economy.
For Australians, this means a safe, secure, convenient and reusable way to prove who they are online, and having access to more services and businesses from the comfort of their home at a time that suits them.
This legislation will ensure that providers of Digital IDs will be governed by legislation and designed with privacy in mind so Australians can trust their information is safe and secure.
For business, the legislation means a simpler way to verify their customers. They get access to a market of accredited Digital ID providers, giving them and their customers peace of mind.
For entities offering Digital ID services, the legislation will provide a nationally consistent set of standards they can be accredited against and give them greater access to government agencies and businesses requiring identity services.
For government, the legislation will improve security and streamline processes across agencies. This will make it easier for Australians to access more government services and decrease the risk of identity fraud.
For the broader economy, a whole-of-economy Digital ID is a significant economic and security opportunity.
Extensive consultation on Digital ID has taken place since 2021. The current draft legislation reflects views heard through those consultation processes. While not all views can be reflected in the legislation, amendments made strike a balance between the many competing perspectives and the objectives of the digital ID program heard in consultation.
For more information and to read the draft Bill, head to the "2023 Digital ID Bill and Rules submissions | Digital Identity" page.
The 2023 consultation on the draft Digital ID Bill has concluded, and feedback is being reviewed and considered for the final draft legislation for introduction into Parliament.
Digital ID Bill overview
The objects of the Digital ID Bill are to promote privacy and security of personal information and convenience in accessing services, and to facilitate economic advancement through the use of Digital IDs.
To achieve this, the Digital ID Bill strengthens a voluntary accreditation scheme and provides legislative authority to expand the Australian Government’s Digital ID System.
Strengthening a voluntary Accreditation Scheme
The Bill legislates a voluntary accreditation scheme for Digital ID service providers. The scheme will operate economy-wide, and build on the learnings from the Trusted Digital Identity Framework (TDIF). A key change from TDIF is the strengthening of enforcement mechanisms: civil penalties will apply to accredited service providers.
- There will initially be 3 types of Digital ID services that can be accredited: identity service providers; attribute service providers; identity exchange providers. To accommodate new and emerging technologies, other types of service providers can be prescribed in the Accreditation Rules.
- Accreditation requirements are set out in the Bill and Accreditation Rules. The Accreditation Rules are a legislative instrument providing technical detail about identity verification levels, privacy, security, accessibility and usability.
- While the scheme is voluntary, if an entity becomes accredited they must adhere to additional privacy safeguards that go beyond those in the Privacy Act 1988 (Cth). Key among these safeguards are prohibitions on the use of single identifiers, a prohibition on disclosing information for marketing, and restrictions on the collection, use and disclosure of biometrics and other personal information. The Information Commissioner will have powers to make sure those safeguards are provided, and any breaches are penalised.
Australian Government Digital ID System
The Bill enables the phased expansion of the Australian Government Digital ID System (AGDIS) beyond the Commonwealth. This will facilitate the reciprocal or shared use of Digital IDs between public and private sector
- The AGDIS is currently based around a Commonwealth identity service provider (myGovID), attribute provider (Relationship Authorisation Manager, or RAM) and identity exchange (operated by Services Australia). Some Commonwealth and state and territory agencies also participate in the AGDIS as relying parties that use myGovID and/or RAM in delivering online services to individuals and businesses.
- The phased expansion of the AGDIS will enable the reciprocal use of Digital ID and attribute providers in Commonwealth and state and territory services (Phases 1 and 2) and, over time, the use of government Digital ID and attribute providers in private sector services (Phase 3) and the use of private sector Digital ID and attribute providers in some government services (Phase 4).
- Providers of Digital ID services operating within the AGDIS must be accredited and will be subject to additional regulatory requirements, some of which will also apply to participating relying parties.
- The legislation sets out additional requirements for entities wishing to participate in the AGDIS. For example, subject to limited exceptions it must be voluntary for individuals to use Digital IDs within the AGDIS (particularly when accessing government services). Additionally, there are specific requirements for cyber and fraud incident reporting, data localisation, liability and charging in the system. These are set out in the Bill and the Digital ID Rules, another legislative instrument that sets out important details of the legislation that may need to be updated over time.
The Bill provides transparency measures to build public trust. The Bill and Digital ID Rules allow trustmarks to be used by accredited service providers. The Bill requires the Regulator to maintain public registers of accredited service providers, and of service providers and relying parties participating in the AGDIS.
Australian Digital ID Regulator
The Bill strengthens the governance of the Accreditation Scheme and the AGDIS. The Bill establishes an independent Australian Digital ID Regulator (initially to be the ACCC) responsible for accreditation, approving participation in the AGDIS and enforcing compliance with the non-privacy aspects of the legislation.
- The Bill will set out the functions of the Digital ID Regulator.
- Services Australia will regulate the more operational aspects of the AGDIS relating to the security, integrity and performance of the system.
- The Bill also provides for the appointment of a Data Standards Chair, to develop technical standards to support the operation of the AGDIS and the accreditation scheme.
Civil penalties and certain enforcement powers
The Bill provides for civil penalties and certain enforcement powers for the Regulator to help promote compliance. The Bill will give the Regulator a calibrated set of powers, ranging from requesting information, giving remedial directions and issuing enforceable undertakings through to suspending or revoking an entity’s accreditation or participation in the AGDIS.
- The Bill clarifies that breaches of the Bill’s privacy safeguards may be treated as an interference with privacy under the Privacy Act 1988 (Cth). This means the Information Commissioner can apply the powers and penalty provisions available to the Commissioner under the Privacy Act to Digital IDs.
Powers of Minister
The Bill provides for certain powers of the Minister including: rule-making; issuing directions to the Regulator, for reasons of national security, in relation to accreditation and participation in the AGDIS; appointing the Data Standards Chair; and a discretionary power to establish advisory committees.
An accompanying Digital ID (Transitional and Consequential Amendments) Bill, with supporting rules, will set out the mechanism for transitioning those entities that are currently accredited and/or participating in the AGDIS into the new legislated arrangements.