Sections of the Position Paper
The Digital Identity system is a simple, safe and secure way for Australians to verify their identity online. With millions of people already using Digital Identity to access over 75 government services, Digital Identity is transforming the way Australians and Australian businesses engage with government services. The Australian Government is committed to rolling out a whole-of-economy Digital Identity system to:
- enable Australians to prove who they are online and reduce the administrative burden for small and medium businesses, so they can get on with doing business
- support an increased number of Australians to transact end-to-end digitally, improve privacy and accessibility, and reduce fraud
- enable innovative digital sectors of the economy to flourish.
To facilitate this expansion, the Digital Transformation Agency (DTA) is currently undertaking community consultation on the development of Trusted Digital Identity Legislation.
The Legislation will help expand the Australian Government's Digital Identity system into a whole-of-economy Digital Identity solution by establishing robust governance, as well as strengthening data and consumer protections. The Legislation will also allow entities in other digital identity systems to apply for TDIF accreditation (the TDIF accreditation scheme).
The Bill is proposed to be introduced into the Parliament in late 2021.
Phase 1 of the consultation has involved the public release of a detailed consultation paper, seeking stakeholder views on the scope and content of the Digital Identity Legislation.
This resulted in a diverse array of submissions from a range of Australians and Australian businesses. The response to this initial phase of consultation has been positive – with support for the expansion of Digital Identity and for parts of the system, particularly consumer protections, to be enshrined in the Bill.
Phase 2 of the consultation process involves engagement with stakeholders and the public to develop clear policy positions on the following key areas:
- structure of the Legislation
- scope of the Legislation and interoperability with other systems
- regulatory oversight of the system and TDIF Accreditation system
- privacy and consumer safeguards
- trustmarks
- liability and redress framework
- penalties and enforcement
- administration of charges for the Digital Identity system.
The definitions set out below are for the purposes of this Position Paper only. This glossary may not reflect how the terms will be defined in the Legislation.
Accredited Participant. A company or government body that is accredited under the TDIF and onboarded to the Digital Identity System. An accredited participant can be an attribute service provider, identity provider, credential service provider or identity exchange.
Attribute. An item of information or data associated with an individual. Examples of attributes include a name, address, date of birth, email address and mobile phone number.
Attribute service provider. A company or government body that has been accredited under the TDIF as an attribute service provider and verifies specific attributes relating to entitlements, qualifications or characteristics of an individual (for example, Jane Doe is authorised to act on behalf of business XYZ in a particular capacity).
Biometric Information. Information about any measurable biological characteristics of a natural person that can be used in the system to identify them or verify their identity, such as face, fingerprints, or voice.
Biometric matching. The process of automated identification of an individual in a system using their Biometric Information.
Consultation Paper. The Digital Identity Legislation Consultation Paper published on 16 November 2020.
Credential. The technology used to authenticate an individual’s identity. A credential may incorporate a password, cryptographic key or other form of access restriction.
Credential service provider. A company or government body that has been accredited under the TDIF as a credential service provider, and generates, binds and distributes credentials to Users or binds and manages credentials generated by Users themselves.
Digital Identity. A distinct electronic representation of an individual which enables that individual to be sufficiently distinguished when interacting online, including when accessing online services.
When capitalised it refers to the electronic representation of an individual whose identity has been verified by an identity provider participating in the system. When not capitalised it refers to it generically, including digital identities used in other systems (whether TDIF accredited or not).
The precise terminology used to refer to a Digital Identity will be considered further in the drafting of the Bill.
Digital Identity system or system. The system is the group of Participants approved by the Oversight Authority and connected electronically to collect and validate attributes of individuals with a Digital Identity allowing individuals to prove who they are online. The Participants in this system, and their roles, will be listed on the Participant List. Currently, Participants in the system are connected to an Identity Exchange operated by Services Australia.
Document Verification Service or DVS. The national online system which enables authorised entities to electronically verify the biographic information of an individual on an identity document issued by a range of Australian state and territory government agencies.
Face Verification Service or FVS. The national online system which enables a facial image associated with an individual to be compared against another image of the same individual held in government records (such as documents) of that individual, to help verify their identity.
Identity exchange. A company or government body accredited under the TDIF as an identity exchange to convey, manage and coordinate the flow of attributes and assertions between Participants.
Identity provider or IDP. A company or government body accredited under the TDIF as an identity provider to verify the identity of an individual. An identity provider maintains and manages the identity information of individuals and offers identity based services.
Legislation. The proposed legislation for the Digital Identity system, including primary and secondary legislation. Secondary legislation refers to the Rules.
Oversight Authority or OA. The statutory officeholder responsible for the administration and oversight of the system and for the accreditation of entities under the TDIF rules.
Participant. Each Accredited Participant and relying party participating in the system.
Participant register. The register to be kept by the Oversight Authority to record the Accredited Participants and relying parties approved by the Oversight Authority as Participants in the system.
Privacy Act. The Privacy Act 1988 (Cth).
Relying party. A company, government body, partnership, trust or unincorporated association approved to participate in the system as a relying party. The relying party relies on verified attributes or assertions provided by identity providers and attribute service providers to enable the provision of access to a User of a service.
Rules. The binding rules and procedural requirements for accreditation and participation in a system, made by the Minister.
TDIF list. The TDIF list is kept by the Oversight Authority to record entities accredited under the Bill.
TDIF Provider means a company or government body that is TDIF accredited under the Legislation that is not connected to the Digital Identity system. A TDIF Provider can be an attribute service provider, identity provider, credential service provider or identity exchange.
TDIF rules. Rules to be made by the Minister under the Bill that set out the requirements for accreditation under the Legislation. These requirements will be in addition to the privacy and security protections to be enshrined in the Bill.
Trusted Digital Identity Bill or Bill. The primary Bill for the Digital Identity system and TDIF accreditation scheme, to be introduced into the Parliament.
Trusted Digital Identity Framework or TDIF. The current documents which set out the requirements for accreditation of entities for their digital identity activities.
Trustmark. A trustmark will be established under the Legislation for use by Participants or TDIF Providers to demonstrate their accreditation and/or participation in the system, as further described in section 8. Trustmarks.
User. An individual who establishes and uses a digital identity to obtain a digital service.
The purpose of the Legislation is to:
- allow for independent oversight of the system, by formalising the powers and governance arrangements of the Oversight Authority
- enable expansion of the system to state and territory governments and the private sector
- provide privacy protections, consumer safeguards and security requirements to build trust in the system
- provide for a legally enforceable set of rules that set the standards for participating in the Digital Identity system. This includes the TDIF rules
- allow for entities to be TDIF accredited for their activities whether they are on the system or not.
To achieve the intended purpose of the Legislation, it is proposed the Legislation will provide for the matters set out below.
3.1 Independent oversight of the system
Effective governance of the system is essential to the efficient operation of, and instilling public trust and confidence in, the system.
Currently, an interim Oversight Authority is responsible for the administration and oversight of the system. The interim Oversight Authority’s functions are shared by the DTA and Services Australia.
The Legislation will ensure effective governance and regulation of the system. Effective governance will be assured by:
- an independent statutory officeholder, the Oversight Authority, advised by expert Advisory Boards appointed by the Minister
- the Information Commissioner overseeing compliance with the additional privacy safeguards in the Bill.
These permanent governance arrangements will aim to give Users confidence that privacy and consumer safeguards enshrined in the Bill are strictly enforced.
3.2 Expansion of the system
The Legislation will provide the necessary authority for the Australian Government to expand, maintain and regulate the Digital Identity system. The Legislation will allow the system to be expanded to the private sector and state, territory and local governments.
3.3 Accreditation scheme
The Legislation will also provide the legislative authority for the Oversight Authority to administer and manage an accreditation scheme for entities seeking TDIF accreditation for their digital identity activities, including for those outside the system. TDIF Providers will meet the same safeguards in the Bill and TDIF rules as Accredited Participants in the system.
3.4 Enforceable set of rules
Central to the Digital Identity system is the TDIF. It currently sets the standards, rules and guidelines for entities accredited or seeking to be accredited to participate in the Digital Identity system or for their digital identity activities outside the system.
The TDIF makes sure all Accredited Participants and TDIF Providers meet all rules and standards for usability, accessibility, privacy protection, security, risk management, fraud control and more.
These standards are applied consistently across all Accredited Participants and TDIF Providers to provide a fast, safe and seamless experience for Users of digital identity.
The Legislation will provide an enforceable set of rules for TDIF Providers and Accredited Participants based on the standards currently in place.
It is proposed the Minister be given power to issue technical standards relating to how technology in the system works. These could include standards for security, interoperability and data specifications.
3.5 Privacy and consumer safeguards
The Digital Identity system is designed to ensure the privacy of Users is protected and strong safeguards are in place to ensure choice, data protection and accessibility.
In addition to the existing privacy protections in the Privacy Act, the TDIF currently includes a range of system specific privacy and consumer protections for Users. These protections include:
- restrictions on the creation and use of a single identifier across the system
- restrictions on data profiling
- restrictions on the collection and use of Biometric Information
- requirements for Users’ express consent before enabling their authentication to a service.
In September 2018, the second privacy impact assessment recommended legislation to ensure Accredited Participants are legally bound to key privacy standards specific to the system. Additional privacy impact assessments will be undertaken as the system expands to ensure privacy requirements are upheld.
One of the key purposes of the Legislation is to ensure privacy and consumer safeguards within the TDIF are enshrined in law, providing enhanced protections for User data and personal information on the system. This will provide clarity for Users on:
- how their data will be used and the requirement for consent
- who can access their data and in what circumstances, with strict penalties for misuse of that data
- what the liability, penalties and redress are for fraud or misuse of data.
By enshrining privacy and consumer safeguards in law, the Legislation will instil greater trust in the system as it is rolled out to more services.
3.5.1 Security requirements
The TDIF accreditation scheme and the Digital Identity system are designed to provide Users, TDIF Providers, Accredited Participants and Participants alike, a safe and secure framework to access and provide digital identity services.
The Australian Government through the Australian Cyber Security Centre (ACSC) continues to explore options to enhance its cyber security and fraud management capabilities to keep pace with the constantly evolving fraud and cyber security landscape. The DTA has consulted and will continue to consult with the ACSC throughout the life of the system to ensure it is kept abreast of, and maintains compliance with, fraud and cyber security frameworks.
The TDIF rules will contain requirements that align with security advice, guidance, policies and publications developed by the Australian Government, so that every applicant seeking TDIF accreditation establishes minimum protective security and fraud-control baselines for the provision of its identity services. These include the Protective Security Policy Framework (PSPF) and the Australian Government Investigations Standards, both developed by the Attorney-General's Department; the Information Security Manual (ISM), developed by the ACSC; and the Commonwealth Fraud Control Framework (CFCF), also developed by the Attorney-General's Department. The Digital Identity system has undergone end-to-end cyber security and risk assessments, and it will continue to undergo security checks and enhancements to ensure it maintains appropriate safeguards in line with those standards.
The Legislation will permit the Oversight Authority to coordinate the sharing of information between Participants to support each other in managing cyber security and fraud incidents. The way in which data will be shared and used amongst Participants will be a major focus of the Oversight Authority and will play a crucial part in ensuring the system operates in a safe and connected manner. This will bolster the system’s fraud and cyber security management capabilities and will ensure it maintains its reputation of being able to identify and act on fraudulent activity or cyber security threats quickly and decisively.
The legal framework for the system will include:
- a Bill passed by Parliament (the Trusted Digital Identity Bill)
- rules
- written guidelines and policies.
The Bill will include subject matter that will not need to regularly change to keep pace with technical developments, such as the privacy safeguards for individuals. It will also include important subject matter that should only be altered by Parliament, such as a power authorising the Minister to set charges.
The Minister will have power to make rules that are required to be tabled in both Houses of Parliament and are subject to disallowance by either House. There will be a general set of rules that lay down requirements that flow from the Bill itself. These rules might aim to improve the system and to ensure it keeps abreast of technological change and innovation. This could include adding new Digital Identity roles or placing requirements on relying parties joining the system.
There will be rules which will largely reflect the current requirements of the TDIF. These will outline some of the requirements for obtaining and maintaining accreditation and for onboarding to the system.
There will also be specifications that set out technical specifications and other requirements. These specifications will, among other things, explain how the system operates, how Participants interact with the system and how some of the Participant’s obligations may be fulfilled. It is proposed that they will not be disallowable by Parliament but must be notified on the Australian Government’s Legislation Register.
The Oversight Authority may also issue administrative guidelines to assist entities with useful information about making applications and the decision-making process.
It is proposed the Bill will include a public notice process before rules are amended, other than in urgent situations. This process could require the proposed amendments to be publicly notified for 21 days and not made before 28 days after the public notification. This allows people to consider making submissions on the proposed amendments.
The interaction between these components is outlined below.
Figure 1: Structure of the Legislation
The Trusted Digital Identity Bill will become law when passed by Parliament. The Bill will include important rights, such as privacy and consumer safeguards, and establish the regulatory structure of the system, including the Oversight Authority.
The General and TDIF accreditation and onboarding rules are operationally focused rules. They are legally binding and authorised by the Bill. These rules will be ‘disallowable instruments’. They must be tabled in, and can be disallowed by Parliament.
Technical and other specifications will set out technical information and requirements detailing how the system operates and how Participants interact with the system, among other things. These specifications are 'notifiable instruments': they must be listed on the Australian Government's Legislation Register but are not subject to disallowance.
Administrative guidelines assist decision making. For example, they may provide Participants and TDIF Providers with information on completing or lodging forms (such as an application for accreditation), or may detail criteria the Oversight Authority should consider when making decisions about accreditation.
5.1 What are we trying to achieve?
The Digital Identity legislation will provide a clear and transparent framework to establish a TDIF accreditation scheme and a scheme for participation in the Australian Government’s Digital Identity system. The Legislation will provide clarity on:
- the roles of participants
- the parts of the Legislation that will apply to each of the participant roles
- the scope of regulatory oversight by the Oversight Authority
- definitions and key concepts.
The Legislation will aim to provide certainty whilst remaining flexible enough to allow for technological developments and innovation over time. It will aim to leverage existing laws, definitions and concepts, where possible, instead of creating a unique set of arrangements that may duplicate and complicate existing obligations of TDIF Providers and Participants.
5.2 What we have heard from stakeholders
Stakeholders have highlighted interest in how the system will interact with other digital identity systems.
Private sector stakeholders generally indicated support for confining the scope of the Legislation to the system. Some submissions highlighted concern that the Legislation may put pressure on entities to choose between digital identity systems, limiting opportunities for innovation. State and territory governments and information and privacy commissioners generally advocated for the Legislation to extend to all digital identity systems.
Stakeholders were generally supportive of a register to show the participants and their approved roles that will be subject to the Legislation. Stakeholders also agreed a register mechanism would provide assurance for entities wanting to publicise their accreditation and/or their participation in the system.
Many submissions agreed the Legislation needs to be flexible and forward-focussed but there was divergence about how to achieve an appropriate balance between certainty and flexibility.
Stakeholders also indicated their preference for definitions to be included in the Legislation. Around half of the submissions suggested that definitions of Digital Identity and Digital Identity information be included in the Legislation.
Stakeholders held differing opinions about whether people should be allowed to create multiple digital identities.
5.3 What’s changed since the Consultation Paper?
There has been no change to the:
- existence of the accreditation scheme
- position that accreditation is required in order to participate in the system
- principle that entities are in control of deciding whether they want to participate in the system.
A new interoperability principle has been introduced in this Position Paper to clarify how entities on the Participant Register will work together.
The Participant Register will be a publicly accessible register to allow the public to identify Participants in the system and the role they perform. The Legislation will cover the information to be recorded on the Participant Register.
The proposed definition of Digital Identity has changed since the Consultation Paper: it is now proposed to focus on the Accredited Participant generating the Digital Identity, rather than on the characteristics of a Digital Identity itself. It is also proposed that the definition of Digital Identity information will include a non-exhaustive list of examples, with further details to be set out in the rules.
There has been no change to the position that the Document Verification Service (DVS) and Face Verification Service (FVS) will not be covered by the Legislation. These services are verification tools for identity providers and are expected to be subject to their own standards and legislation. The Legislation is not intended to replace the FVS or DVS as these services are key inputs for identity providers to verify attributes of a User creating a Digital Identity.
5.4 Policy Positions – scope
5.4.1 Scope of the legislation
The Legislation is not intended to apply to all digital identities and digital identity systems in Australia.
It is proposed the Legislation will:
- describe the Digital Identity system in general terms as an information technology network allowing Users with a Digital Identity to establish who they are online. It is also proposed the Minister will include reference to the identity exchange operated by Services Australia and the Participants connected to it as part of the definition in the rules
- allow for a government body, company, trust, partnership or unincorporated association wishing to participate in the system as a relying party to apply to the Oversight Authority to be onboarded to the system. Once approved, the relying party will be listed on the Participant Register and will become a Participant in the system
- allow for a TDIF-accredited company or government body to apply to the Oversight Authority to onboard to the system in the role(s) they are accredited for. Once approved, that company or government body will be an Accredited Participant and the Oversight Authority will include them on the Participant Register
- not prevent Participants performing roles in the system from participating in other digital identity systems or being accredited under other digital identity frameworks simultaneously whilst participating in the Digital Identity system
- allow a government body or company to be a TDIF Provider. This means the government body or company is TDIF accredited and on the TDIF List but does not seek approval from the OA to onboard to the system. This situation may arise if the company or government body is not ready to be onboarded to the Digital Identity system at the time of its accreditation, or chooses not to participate in the Digital Identity system
- apply only in part to TDIF Providers. This means government bodies or companies which choose to be TDIF-accredited for roles they perform in their own digital identity systems can rely on TDIF accreditation to build trust in their systems without being subject to the entirety of the Legislation.
Below is a table showing the parts of the Legislation proposed to apply to TDIF Providers on the TDIF List, compared with the parts that will apply to Accredited Participants listed on the Participant Register.
These components are subject to change and will be worked through further as the legislative framework develops.
Figure 2: this table does not represent the full extent of the provisions that may be in the Bill
Legislative provision | TDIF Providers | Accredited Participants |
---|---|---|
Privacy safeguards | ✓ | ✓ |
Accreditation | ✓ | ✓ |
Trustmark(s) (with a different mark for accredited-only entities) | ✓ | ✓ |
Civil penalties (misuse of trustmark(s)) | ✓ | ✓ |
Civil penalties (other) | x | ✓ |
Liability framework | x | ✓ |
Redress framework | x | ✓ |
Subject to OA reporting (e.g., fraud incidents) and notices | ✓ | ✓ |
Charging (accreditation and annual assessment) | ✓ | ✓ |
Charging (payments for transactions or subscriptions) | x | ✓ |
5.4.2 Overview of application processes for TDIF accreditation and participation in the Digital Identity system
Commonwealth, state and territory governments or bodies, and private sector companies, may apply to the Oversight Authority to be accredited in a role (or roles) under the proposed legislation. If successful, the Oversight Authority will list the applicant on the TDIF List for its accredited role. The purpose of the TDIF List and the Participant Register is to provide transparency.
If a government body or company on the TDIF List wishes to participate in the system, they may apply to the Oversight Authority to be onboarded to the system. If a government body or company is accredited for more than one role, it can choose what roles it wants to perform in the system and apply to onboard any or all of those roles to the system. Once the Oversight Authority approves their application, it will list the applicant as an Accredited Participant in the system for the roles it performs and add the applicant to the Participant Register.
Relying parties may apply to the Oversight Authority to onboard to the system without TDIF accreditation.
Relying party applicants will need to nominate to the Oversight Authority the services they wish to onboard. Only those services the applicant nominates will be added to the Participant Register if the application is successful.
The Participant Register will also list the attributes and any restricted attributes to which a relying party has access for any of its services provided through the system. Further details about the information shown on the Participant Register are at section 5.4.5 Information the Participant Register will provide. The TDIF accreditation process and the onboarding process are described in more detail in the sections below.
Figure 3: Process to apply to be on the TDIF List and the Participant Register
Figure 3 shows the process for entities applying to be included on the TDIF List and the Participant Register.
5.4.3 Accreditation process
The Legislation will set out matters the Oversight Authority is to consider when deciding to accredit a company or government body for a particular role. The Oversight Authority will manage the accreditation process, assess the material required to be provided by the TDIF rules and may inspect the applicant’s system. It will accredit applicants if satisfied of matters such as:
- whether the applicant has systems and processes in place to ensure compliance with privacy, consumer and security safeguards in the Bill and requirements in the TDIF rules
- fit and proper person test, having regard, for example, to whether the applicant has any criminal convictions or civil penalty orders.
Once accredited, the Oversight Authority will enter the applicant's details on the TDIF List, with details including the service for which it has been accredited and the date the accreditation takes effect.
The TDIF accreditation process may recognise the work done by entities accredited under another framework to help reduce the processing time for TDIF accreditation.
5.4.4 Onboarding process
The Legislation will set out matters the Oversight Authority is to consider when deciding to onboard a TDIF Provider or relying party to the system. This will include:
- whether the applicant meets the requirements in the onboarding data and technical rules
- national security (as that term is defined in section 90.4 of the Criminal Code 1995). This may include where ASIO has made an adverse or qualified security assessment in respect of a person, including an organisation under the Australian Security Intelligence Organisation Act 1979, or on direction from the Minister.
- for a TDIF Provider, whether it has entered into an agreement with the Commonwealth – see section 11.4.3 Selection of service providers to the system
- for a relying party, whether it is a fit and proper person.
In practice, many entities will apply for accreditation and onboarding at the same time and the assessments will be done simultaneously.
Once approved, the Oversight Authority will enter the applicant’s details on the Participant Register, including the date the onboarding takes effect.
5.4.5 Information the Participant Register will provide
It is proposed the Participant Register will:
- show the date a Participant is entered on the register
- show the roles a Participant performs
- show the service(s) a Participant has onboarded to the system
- show the date a Participant joins, is suspended from, or re-enters the system (if a Participant is suspended or offboarded)
- be linked to the infrastructure of the Digital Identity system and give effect to the status of a Participant on (or off) the register
- be publicly available
- be free to view and search
- be updated daily.
5.4.6 Defining a Digital Identity
It is proposed the Legislation will define a Digital Identity as a digital identity generated by an identity provider who is listed on the Participant Register.
Figure 4: What is a Digital Identity?
Figure 4 details the process for identifying when a Digital Identity created by an identity provider is a Digital Identity in the system.
It is proposed the Legislation will allow a person to have a Digital Identity with multiple identity providers participating in the system.
The interoperability principle under the Legislation will require relying parties to offer a choice of identity provider. While the obligation is on the relying party, the effect of this obligation is to allow individuals to request a Digital Identity from any identity provider listed on the Participant Register.
5.4.7 Defining Digital Identity information
It is proposed the Legislation will include a definition of Digital Identity information. The definition will reference personal or sensitive information as defined in the existing Privacy Act that is collected by an Accredited Participant pursuant to its accredited role. The definition may list the core attributes in the TDIF rules as non-exhaustive examples of Digital Identity information (family name, given name and date of birth).
It is proposed the Bill will include a power for the Minister to specify attributes in the rules to capture all the attributes available under the TDIF rules, and to update those as they evolve over time.
5.4.8 Defining the Digital Identity system
It is proposed the Legislation will include a broad description of the Digital Identity system. This definition will avoid defining the Digital Identity system in terms of technical components and elements so it may adapt with technological advances and innovation. To provide certainty about how the system will operate at the time the Legislation is enacted, it is proposed the Minister will make a rule describing the system and referencing the identity exchange managed by Services Australia in the definition of system.
5.4.9 Defining roles
It is proposed the Legislation will define roles in terms of their functions and purpose. For example:
- Identity exchanges – to facilitate the private and secure sharing of digital identity information between participants in a digital identity system. The purpose of an identity exchange is to manage the flow of information and control how information is shared
- Identity providers – to generate and manage a User’s digital identity. Their purpose is to verify a User’s identity, manage information comprising the digital identity and share a verified digital identity with relying parties
- Relying parties – to use Digital Identities. Their purpose is to provide a service to a person or business
- Attribute service providers – to generate and bind attributes to a digital identity. Their purpose is to support relying parties with their decision-making to give Users access to services using a digital identity
- Credential service providers – to generate, bind and distribute credentials to Users and give Users access to relying parties by allowing them to authenticate their digital identity.
The roles in the digital identity system may change as the digital identity environment evolves. It is proposed the Minister will have authority to amend the roles in the rules, following consultation, including from the expert Advisory Board(s). This will allow the rules to keep pace with technological developments and innovation by remaining flexible.
5.4.10 Defining TDIF accreditation terms
It is proposed the TDIF rules to be made by the Minister will include definitions of identity proofing, re-proofing, authentication, verification and credential. As much as possible, the definitions will align with terminology used in the current TDIF and other authoritative documents (including the National Identity Proofing Guidelines and documents issued by the National Institute of Standards and Technology, the United Nations Commission on International Trade Law and the Organisation for Economic Co-operation and Development).
The definition of re-proofing will allow identity providers or credential providers to use all, or only some of, the information required to prove an identity when it is initially generated by the identity provider. The definition of re-proofing will include an exhaustive list of the permitted purposes for re-proofing.
5.4.11 Principle of Interoperability
It is proposed the Legislation will establish a principle of interoperability, which will require Participants generating, transmitting, managing, using and re-using Digital Identities to provide a seamless User experience with the Digital Identity system. For entities wanting to participate in the system, the following requirements will be put in place:
- identity exchanges will be expected to onboard to the system once listed on the Participant Register
- identity providers will be expected to provide their services to any relying party
- relying parties will be expected to provide their customers with a choice of identity providers.
It is proposed the Legislation will establish exemptions to the principle of interoperability for relying parties and identity providers in limited circumstances. There will be no exemptions for identity exchanges.
Exemptions for relying parties and identity providers may apply if:
- there are legitimate security concerns warranting an identity provider not to be used by a relying party
- it is in violation of an identity provider’s constitution to transact with a particular type of relying party, for example, a relying party in the gambling industry
- the arrangement could assist members of the community that may otherwise be at a disadvantage (for example, if an identity provider offered a service specifically for a particular group, and the identity provider needed a technical tool to offer the service and that tool was not compatible (without excessive cost) with other information technology systems of Participants in the system).
The Oversight Authority will assess whether an exemption should be granted. If an exemption is granted, the Participant will be permitted to limit its interactions with other Participants in the system. A Participant may apply for an exemption at the time it applies to be registered on the Participant Register.
Upon granting an exemption to the principle of interoperability, the Oversight Authority will review the exemption after a period of 3 years. If the Oversight Authority determines the exemption is no longer warranted, the Participant must comply with the principle of interoperability or be offboarded from the system and removed from the Participant Register.
5.4.12 Digital Identity transactions
The obligations established by legislation apply to the role being performed. Accordingly, it is not proposed to include a definition of a ‘Digital Identity transaction’ in the Legislation. To assist Participants to understand their obligations, guidance material accompanying the legislation may explain how the obligations of a role may be implemented in a transactional context. Transactions involving digital identities generated under other accreditation frameworks or digital identity systems are not intended to be captured by the Legislation.
5.4.13 Participants participating in multiple digital identity systems – example transactions
The Legislation will not prohibit Participants from connecting to and participating in other digital identity systems.
Participants who choose to connect to multiple digital identity systems will need to put in place technical and business solutions to demonstrate how they will meet their obligations under the Legislation. This includes being able to clearly delineate which digital identity activities are conducted through the Digital Identity system and through another digital identity system. Participants will also need to demonstrate how they will link their trustmark(s) to services through the Digital Identity system or through another system.
We have provided some example transactions below where participants may participate in multiple digital identity frameworks.
Figures 5 and 6: When is a transaction a Digital Identity transaction when a Participant is acting in multiple digital identity frameworks?
Figure 5 demonstrates how transactions between Participants listed on the Participant Register are captured by the Legislation. For example, IDP 2 creates a Digital Identity for a User to receive services from relying party 1.
Figure 6 demonstrates how entities listed on the Participant Register may interact and connect with those outside the Digital Identity system. For example, IDP 2 creates a digital identity for a User to access services from outside relying party 5 (that is, the relying party is not on the Participant Register). IDP 2 will be subject to the Legislation when it is performing its role as an Accredited Participant in the Digital Identity system.
Figure 7: Can Participants engage with entities not on the Participant Register?
Figure 7 demonstrates the interaction between Participants and outside entities. Entities not listed on the Participant Register will not be prohibited from accessing services from Participants listed on the Participant Register. For example, outside relying party 3 (which is not on the Participant Register) may access services from the attribute service provider listed on the Participant Register. This transaction does not involve a Digital Identity. However, the attribute service provider would be governed by the Legislation when it performs its role as an Accredited Participant in the system.
Figure 8: Transactions guided by User choice involving entities acting in multiple digital identity frameworks
Figure 8 demonstrates how a User can choose their identity provider, and the interaction of identity exchanges when an identity provider isn’t listed on the Participant Register and connected to all identity exchanges in the system.
Example 1: A User wants to access a service from relying party 1 and chooses to have their Digital Identity created by IDP 3. Relying party 1 is only connected to identity exchange 1, and IDP 3 is only connected to identity exchange 2. Identity exchange 1 and identity exchange 2 are required to interact to give effect to the User’s desired transaction.
Example 2: A User wants to access a service from outside relying party 6. Outside relying party 6 only accepts digital identities verified by outside IDP 5, which is connected to identity exchange 2. Despite identity exchange 2 being listed on the Participant Register, the digital identity generated by outside IDP 5 is not subject to the Legislation as outside relying party 6 and outside IDP 5 are not performing roles in the system. However, identity exchange 2 will be governed by the Legislation when performing its role as an identity exchange in the system, requiring it to comply with the safeguards and TDIF accreditation requirements, among others, set out in the Legislation.
5.4.14 Relying party obligations
The Legislation will impose specific obligations on relying parties to:
- notify the Oversight Authority of any security or fraud incident impacting the system and assist with resolution
- ensure their details published on the Oversight Authority’s website are kept up to date
- comply with conditions governing when and how they may use or share attributes
- meet the extra requirements relating to some more sensitive attributes if the relying party is approved to request them
- comply with payment terms and other requirements in terms of service issued by the Oversight Authority that are agreed when onboarding to the system.
5.4.15 Defining machine-to-machine credentials
It is not proposed that the Legislation define a machine-to-machine credential as it occurs outside the system. A machine-to-machine credential allows a User to authorise certain transactions to be automatically carried out on their behalf. In order to allow for a machine-to-machine credential to be issued to the User, a relying party service may use the system to verify a User’s identity. However, once the User’s identity is verified, the machine-to-machine credential is issued outside of the Digital Identity system.
6.1 What are we trying to achieve?
The Digital Identity legislation will support the expansion of the system by establishing effective, permanent governance arrangements that strengthen consumer safeguards. This is essential to developing and maintaining operational efficiency and providing Australians with full confidence in the system and its capabilities. Permanent governance arrangements are being developed to provide confidence for Users that their privacy and consumer safeguards are protected in the Legislation and are strictly enforceable by law.
Rules will be enforced by the Information Commissioner and by a new statutory officeholder responsible for the system and the TDIF accreditation scheme. The responsible Minister will have power to issue Digital Identity rules and accreditation requirements and to appoint advisory boards.
In addition to the proposed governance provisions in the Legislation, other governance arrangements are relevant. The Department responsible for the legislation will retain policy responsibility (for example, preparing legislative amendments). In addition, the agency with responsibility for digital identity policy will continue to advise the responsible Minister on digital identity policy. The public service will also advise the Minister on the use of the new legislative powers to make rules and appoint advisory boards. (For example, the DTA currently conducts wide-ranging consultation on proposed changes to the TDIF. This will continue when the accreditation requirements are transitioned to legislative instruments.)
Figure 9: Overview of the proposed governance structure of the Bill
Figure 9 demonstrates how the Bill gives powers to the Minister to make rules and appoint an Oversight Authority as a statutory officeholder to discharge the non-privacy regulatory functions and strategic operational functions given to that officeholder by the Bill. It shows that the Minister may also appoint advisory boards to advise that statutory officeholder. The diagram depicts how the Bill confers privacy-related functions on the Information Commissioner directly.
Figure 9 also shows how the Minister is supported by their department or agency who provides policy and strategic advice and assists with running consultation processes to inform the Minister when using their rule making power. Similarly, it also shows how the Oversight Authority is supported by an Office of the Oversight Authority staffed by public servants made available by an existing Commonwealth department or agency.
6.2 What we have heard from stakeholders
Stakeholders have indicated their strong interest in the system’s governance, including the proposed Oversight Authority and its functions. Submissions received emphasise the need for the Oversight Authority to report regularly and be independent in its regulatory role. Stakeholders also put forward ideas about the composition of the Oversight Authority, ranging from utilising existing bodies to establishing new independent entities.
6.3 What’s changed since the Consultation Paper?
There has been no change to the principles of independence, transparency and accountability for the system’s governance arrangements since the release of the Consultation Paper. These principles have guided the design of the proposed governance structure.
6.4 Policy Positions – Regulatory oversight of the Digital Identity system
The DTA is proposing the following items be included in the Digital Identity legislation.
6.4.1 Regulatory oversight of privacy safeguards by the Information Commissioner
It is proposed the Legislation will give powers to the Information Commissioner to allow them to enforce privacy safeguards in the system. This includes those in the Privacy Act, as well as additional privacy safeguards enacted by the Legislation – see section 7.4 for more details of these additional safeguards.
6.4.2 Permanent Oversight Authority
It is proposed the Legislation will enable the Minister to appoint a person as an independent Oversight Authority as a statutory officeholder to regulate the non-privacy-related provisions of the Legislation. This officeholder will be responsible for the governance of the system and will be guided by expert advisory boards. There will be at least one advisory board comprising board members appointed by the responsible Minister, and the Minister may also establish other boards through issuing rules or other legislative instruments, including:
- a privacy and consumer advisory board made up of industry peak bodies, advocates and privacy commissioners
- a technical standards board made up of entities participating in the system, as well as key experts from the public and private sectors
- other strategic advisory bodies involving system Participants, state and territory governments, and other key stakeholders (including those that are not participating in the system).
Figure 10: Overview of how the Oversight Authority will interact with Participants and advisory boards
Figure 10 demonstrates the Oversight Authority’s interaction with Participants in the system and the role of advisory boards. It shows that the Oversight Authority will be independent of Participants and advisory boards. The advisory boards will be a consultative mechanism and Participants will have the opportunity to provide feedback on the operation of the Digital Identity system through their membership of advisory boards. Advisory boards could provide advice on privacy, security, functionality, charging and user experience.
6.4.3 Independence and staffing of the Oversight Authority’s office
It is proposed the Oversight Authority will be independent and will not be subject to direction when performing the functions set out in the Legislation.
It is proposed the responsible Minister may only terminate the employment of the person appointed to be the Oversight Authority in limited circumstances, including:
- for misbehaviour or if unable to perform their duties because of physical or mental incapacity
- if they become bankrupt, participate in any bankruptcy relief under law, compound with creditors or make an assignment of remuneration for the benefit of creditors
- if they are absent (except on leave of absence) for 14 consecutive days or for 28 days in any 12-month period
- if they engage in outside paid work without approval
- if they fail to notify a conflict of interest without a reasonable excuse.
It is proposed the Legislation include the following staffing arrangements for the Oversight Authority:
- the staff assisting the Oversight Authority are to be public servants employed under the Public Service Act 1999 (Cth) (APS employees), whose services are made available by an existing Commonwealth agency (for example, the Department of Treasury, the Australian Competition and Consumer Commission, the Department of Prime Minister and Cabinet or the DTA)
- when performing services for the Oversight Authority, APS employees of the Oversight Authority are subject to the directions of the Oversight Authority
- the Oversight Authority may engage, on behalf of the Commonwealth, contractors or consultants to assist them with their duties.
The Government is considering which agency is best suited to provide staff to the Oversight Authority, while making sure that it is suitably independent from the system and well-equipped to handle such a large digital initiative. The Department of the Treasury and the Australian Competition and Consumer Commission (ACCC) are both good candidates because of their role in administering and regulating the Consumer Data Right scheme. Alternatively, the DTA and the Department of the Prime Minister and Cabinet (PMC) have extensive experience with large-scale digital transformation. PMC already houses the Interim National Data Commissioner, who will become responsible for regulating data after passage of the Data Availability and Transparency Bill 2020, which means that it could offer valuable regulatory experience similar to the ACCC. The Legislation will not lock in an agency, so that the Oversight Authority can be supported by the entity best equipped to do the job. Once the best candidate is identified, the DTA will make a recommendation to the Government, which will make the final decision.
6.4.4 Accountability of the Oversight Authority
It is proposed the Oversight Authority will be accountable to the responsible Minister and:
- to the Parliament for their statutory functions through established processes like Senate estimates, parliamentary inquiries, and audits by the Australian National Audit Office
- to the accountable authority in operational matters through the usual lines of accountability in the agency in which they sit.
6.4.5 Functions of the Oversight Authority
It is proposed the Oversight Authority take over the role of the current interim Oversight Authority for the Digital Identity system. The functions will be specified in the Legislation or its instruments. Functions could be given directly to the Oversight Authority.
The functions of the Oversight Authority may include:
- accreditation of entities as TDIF Providers in the TDIF accreditation scheme and against the requirements set out in the Legislation, with power to use third party assessments to help reach a decision (for example, expert security assessments and privacy impact assessments). This could also include considering other accreditations done by applicants that demonstrate an ability to meet similar requirements to those required under the TDIF accreditation scheme
- publishing accreditation summary reports showing how TDIF Providers have met the accreditation requirements
- assessing applications from relying parties and TDIF Certified providers to be listed on the Participant Register so that they may participate in the system
- monitoring and enforcing system rules, including through audits of Participants
- issuing notices to require TDIF Providers or Participants to take remedial action to address a breach of their obligations (for example, where there has been a failure to meet TDIF accreditation requirements on information management, cyber security, fraud, or a breach of safeguards)
- administering any charges for services (for example, issuing invoices and calculating charges owed by Participants that are set in accordance with the charging framework). Note that it is not proposed that the Oversight Authority will set the charges
- suspending or terminating a Participant’s use of, or participation in, the system
- assisting with detecting and investigating cyber security incidents, privacy breaches or fraud incidents, including through maintaining an overarching capability to identify and respond to systemic attacks against the system (in addition to Participants performing their own detection and investigations)
- referring relevant matters to police and facilitating timely access to lawful requests for information by law enforcement, as well as seeking civil penalties against Participants
- keeping lists and registers required by the Legislation (currently proposed to be the TDIF List and the Participant Register)
- coordinating responses to security incidents, disaster recovery and other incidents that impact the system, as well as issuing directions to Participants
- sharing data among Participants (as permitted by consent or by law) to support governance functions
- reporting on system performance
- reporting on material breaches of rules
- ensuring integrity and promoting trust in the system
- assisting and providing redress to victims of identity crime perpetrated using the system - see section 9.4.4 Redress for more information.
- undertaking incidental functions, such as public relations activities to assist with User support
- public education about Digital Identity, including conducting educational and consultative opportunities with other bodies on Digital Identity issues
- supporting dispute resolution through responding to requests for information from Participants
- acting collaboratively with Commonwealth, state and territory governments, private sector Participants and other key stakeholders (including, where appropriate, those not participating in the system)
- advising the Minister on matters relating to any of the functions, or as requested.
6.4.6 Privacy functions
To facilitate building trust in the system and the TDIF accreditation scheme, the Bill will include privacy safeguards additional to those in the Privacy Act. It is proposed the Information Commissioner will monitor and investigate breaches or suspected breaches of these additional privacy safeguards.
It is intended that the Bill confers this function on the Information Commissioner, leveraging existing expertise and capability. This is authorised by section 9 of the Australian Information Commissioner Act 2010. It is intended the Information Commissioner will report on the Digital Identity privacy function in the annual report required under the Privacy Act.
6.5 Administrative decisions – review rights and delegations
6.5.1 Review rights
It is proposed that discretionary decisions of the Oversight Authority under the Legislation which affect a person’s interests will be subject to internal review and external merits review by the Administrative Appeals Tribunal (AAT). (Person includes corporations and government entities. The Bill will take account of the fact that many Participants will be part of a government and will not have a separate legal entity (for example, the Australian Taxation Office or Services Australia).)
This will include decisions:
- rejecting an application for accreditation
- rejecting an application to be onboarded to the system
- imposing a condition on accreditation or onboarding
- suspending or revoking accreditation
- suspending or revoking a Participant’s onboarding.
An internal review must be conducted by a person at a higher level than the delegate who made the initial decision. If the Oversight Authority makes the initial decision, the person whose interests are affected can go directly to the AAT for review of the decision.
The Oversight Authority can also suspend or revoke a TDIF Provider’s or Participant’s accreditation or onboarding, or impose a condition on accreditation or onboarding. Before taking any compliance action, the Oversight Authority will be required to give the Participant details of the proposed action and consider any response from the Participant (other than where suspension is required urgently for the integrity of the system).
6.5.2 Delegations
It is proposed the Legislation give the Minister and the Oversight Authority power to delegate powers and functions under the rules.
It is proposed the Minister will make the rules under the Legislation. Given the significance of making delegated legislation, it is proposed the Minister be able to delegate this power only to senior executives. Some powers will not be delegable (for example, the power to specify remuneration for the Oversight Authority, if that power is included in the Legislation).
The Oversight Authority will have a range of powers. Given the number of decisions likely to be made when the expanded system is operational, it may be necessary for the Oversight Authority to be able to delegate these functions.
To ensure decisions are made at an appropriately high level, it is proposed the Oversight Authority be able to delegate significant powers, such as accreditation decisions, only to Senior Executive Service level positions in the Office of the Oversight Authority.
6.5.3 Automated decision making
It is proposed the Legislation will include a provision to allow for certain decisions to be made using an automated process. This would capture decisions of the Oversight Authority under the Legislation and of the Minister or Secretary (as applicable) should automatic decisions be used in the future.
Decisions for automation would be limited to non-discretionary decisions (for example, a decision requiring a ‘yes’ or ‘no’ input) and limited to either neutral or favourable outcomes to an individual.
Participants operating in the system should ensure their use and reliance on any automated decision-making process is acceptable to them in light of any laws they may be governed by. For example, an Accredited Participant may rely on an automated decision-making process to pass an attribute to a relying party.
6.6 Offboarding of Participants
Offboarding of Participants refers to the physical disconnection of a Participant from the system and their removal from the Participant Register.
6.6.1 When can a Participant be offboarded?
It is proposed the Legislation include circumstances in which a Participant can be offboarded from the system, including:
- voluntary offboarding – at the Participant’s wish (provided there are no contractual commitments by the Participant to participate for an agreed period of time)
- if the Oversight Authority has determined the Participant’s systems are no longer capable of meeting the requirements for participation in the system (does not meet accreditation requirements)
- if the Oversight Authority has determined the Participant has not met or is unlikely to be able to meet the requirements to participate in the system, including requirements as to quality and accuracy of information
- if the Oversight Authority considers continued accreditation and connection to the Digital Identity system would pose unacceptable risks to the integrity of the system or to another Participant (for example, this could be where there has been a cyber security breach, a technical malfunction or the Participant’s system has been used for fraud)
- if a Participant’s TDIF accreditation has been revoked by the Oversight Authority
- if the Oversight Authority considers that continued accreditation and connection to the system would pose unacceptable national security risks (as that term is defined in s 90.4 of the Criminal Code 1995)
- if the Oversight Authority determines the particular role the Participant is playing is no longer required for the system
- if the Participant becomes insolvent
- if the Participant has contravened the Legislation
- on the expiry of any relevant contract between the Oversight Authority and the Participant
- any other matters prescribed in the rules.
It is proposed the Legislation will include provisions to permit the Oversight Authority to suspend connection of a Participant in any of the circumstances listed above, for a set period. The Oversight Authority may issue a direction for remedial action during a suspension and failure to comply with such direction may result in offboarding.
6.6.2 Powers of Oversight Authority in offboarding context
It is proposed the Legislation include the requirement that offboarding be under the control of the Oversight Authority, no matter the reason. The Legislation will provide specific powers to the Oversight Authority for offboarding, including powers to:
- give directions to any Participant (not just the one being offboarded), including direction to provide information and documents and to take specific steps to facilitate or give effect to the disconnection or offboarding generally
- determine the addition and removal of Participants from the Participant Register and to determine an offboarding process
- step in and control the offboarding Participant’s exit process where the Oversight Authority reasonably determines this is necessary for the integrity and security of the system. Step-in powers may be needed, for example, where the Participant has been, or is reasonably suspected of being, involved in a financial crime and there is a need to secure the system urgently.
6.6.3 Continued use of a Digital Identity in an offboarding context
A User may need to establish a Digital Identity with another identity provider if their existing identity provider is offboarded from the system. This is a relatively simple step. Metadata and logs of a User’s previous Digital Identity may be linked to their current Digital Identity through a system-run process that is designed to identify a Digital Identity of the same individual.
It is proposed that some obligations in the Legislation will continue to apply to an offboarded Participant. Generally, an offboarded Participant will continue to be subject to the Oversight Authority’s directions and powers in connection with its role so long as it holds information in connection with the system.
7.1 What are we trying to achieve?
The Legislation will provide the opportunity to enshrine key privacy and consumer safeguards in law and to ensure those standards do not change without public scrutiny. This will build trust in the system and lead to increased uptake.
Three key principles have guided the development of the policies in this Position Paper:
- Privacy protection
We have developed a range of new legislative safeguards to protect the personal information of individuals who choose to use a digital identity. We have also developed other safeguards to help make the system accessible. This specifically includes people with disabilities, older individuals, individuals from different cultural and linguistic backgrounds, and individuals with limited access to technology.
- Building on existing laws
The Legislation is not intended to duplicate or conflict with established principles in existing legislation, for example, the Privacy Act. The Legislation will also be developed in a way that recognises the potential changes being made to broader privacy protections as a result of the review of the Privacy Act currently underway and aims to build consistency to the greatest extent possible. Harnessing established legislation will reduce red tape for businesses and make it easier for consumers to understand their rights.
- Fostering participation and innovation
The need for strong consumer and privacy protections has been balanced against the requirement to foster participation in the system, and to enable technological and other forms of innovation as the system grows.
7.2 What we have heard from stakeholders
Many stakeholders strongly supported privacy and consumer safeguards to be enshrined in the Legislation, specifically the additional privacy safeguards proposed in the Consultation Paper. Stakeholders were particularly interested in the consumer protections on single identifiers, consent requirements, opt-out functionality and Biometric Information.
7.3 What's changed since the Consultation Paper?
Since the release of the Consultation Paper there has been no change to the principle of enshrining key privacy and consumer safeguards in law and ensuring those standards do not change without public scrutiny.
Most of the safeguards proposed in the Consultation Paper have been retained or strengthened. In many cases, further details about how the proposed protections would work have been added.
State and territory government entities participating in the Digital Identity system as Accredited Participants will now have greater ability to adhere to local privacy legislation instead of federal privacy law, where legislation exists in their jurisdiction. This change is designed to provide greater flexibility and autonomy for state and territory agencies to align with other federal legislation and make it easier for state and territory government entities to participate.
New safeguards on biometrics and profiling have been added. These include more flexibility for the Oversight Authority to make additional rules about profiling and keeping Biometric Information, and new prohibitions on both speculative and behavioural profiling.
Submissions supported the idea that using a Digital Identity must be voluntary. While creating a Digital Identity remains voluntary, in limited circumstances relying parties may apply for an exemption to the requirement of providing an alternative channel to Digital Identity to access their service.
7.4 Policy Positions – Privacy and consumer safeguards
7.4.1 Choice and alternative channels
It is proposed the Bill will provide individuals the right to voluntarily create and use a digital identity, including the right to deregister and not use a digital identity, at any time.
It is also proposed the Bill will require a relying party using the system to provide an alternative channel to Digital Identity to enable individuals to access its services provided the relying party’s service is not an essential service (such as a welfare benefit) or is the only provider of that service (i.e., a monopolistic service). An alternative channel may be digital or non-digital. The Oversight Authority will be authorised to grant exemptions to this rule in certain circumstances where it may not be commercially or practically feasible to offer an alternative channel.
Those circumstances may include where the relying party is:
- a small business (for example, a business with an annual turnover of less than $3 million, as defined in the Privacy Act)
- an entity that only offers its services online.
For the avoidance of doubt, an exemption will be provided where existing legislation requires a relying party to provide a particular service or activity through digital only means notwithstanding they may be a provider of an essential or monopolistic service. For example, legislation requires reporting to the ATO by large businesses to be done digitally.
Exemptions provided will be recorded on the Participant Register in the entry for the relevant Participant.
7.4.2 Safeguards on biometric information
It is proposed the Bill will:
- limit biometric matching in the system to one-to-one matching only (for example, using a selfie image provided by a User to directly verify their identity against their passport photo using identity information provided by the User during the process). This will prohibit use of biometric information to conduct searches of databases to identify people generally (for example, by searching a watch list or comparing an image to a gallery of images)
- prohibit anyone other than Accredited Participants doing proofing or authentication (and their service providers used to provide their identity solution) from collecting and using Biometric Information through the system
- subject to the position on investigators’ access below, prevent Accredited Participants from sending Biometric Information received through their digital identity system to any third parties not required to perform biometric matching or authentication for the User. This will include relying parties and identity exchanges
- require identity providers and credential service providers to ask Users for express consent to use their Biometric Information, giving Users information about what Biometric Information will be used and the duration of the validity of the consent
- allow for random sampling of Biometric Information that has not yet been deleted to test and refine matching algorithms, and to inform anonymous aggregate reporting on biometric accuracy. This is subject to the testing being done:
  - after obtaining User consent (either obtained when the User provides the Biometric Information or prior to the testing occurring)
  - pursuant to an ethics plan that considers human rights and privacy risks done in accordance with the TDIF rules
  - with limited sample sizes
  - for a limited time
  - with samples destroyed after testing is completed. (The Accredited Participant may be required to report on testing results to the OA.)
- require identity providers and credential service providers to delete Biometric Information when the purpose for which it was provided is completed (for example, after an identity proofing process has occurred or when the User no longer wishes to authenticate using Biometric Information). It is proposed the Oversight Authority will be able to grant an exemption where retention is required for a slightly longer period such as where there has been a suspicious transaction or for fraud prevention requirements
- allow a User who has a digital identity, or whose compromised identity has been used to create a digital identity, to consent to investigators to access stored Biometric Information in relation to a specific fraud or security incident
- allow for the rules to specify permitted and/or prohibited biometric modalities (these are types of biometrics such as voice, face or iris) that can be used.
Where Commonwealth, state and territory government entities are collecting biometrics to issue licences and other official documents there are existing legislative regimes and protections in place to safeguard those biometrics. If biometrics are collected for creating one of these official documents and a Digital Identity at the same time, then the safeguards above will only apply to the biometric while it is being used in the digital identity system.
7.4.3 Restrictions on data profiling
It is proposed the Bill will prohibit Accredited Participants from collecting, using and disclosing information about a User’s behaviour on the system, except to:
- verify the identity of a User and assist them to receive a digital service from a relying party
- allow the User to view their own behaviour on the system (for example, on a dashboard)
- support an identity fraud management function
- respond to lawfully made requests for information for an investigatory purpose (subject to the prohibition on speculative profiling for an investigatory purpose), as defined in the Privacy Act
- improve the performance or usability of the participant’s digital identity system
- de-identify the data to create aggregate data.
Additionally, it is proposed the Bill will prohibit Accredited Participants from using attributes and other information obtained from the digital identity system for prohibited purposes, even with a User’s consent. Prohibited purposes will include:
- unrelated marketing. Unrelated marketing will mean using or disclosing information of a User (including to a third party) to communicate directly with an individual to promote goods and services not related to their Digital Identity. However, where a User has consented, it is not a precluded purpose to communicate directly with them using Digital Identity information to promote features or provide information related to their Digital Identity if this is done in accordance with that consent
- speculative profiling (i.e. data mining for the purpose of identifying individual users for further analysis or action) on digital identity information for an investigatory purpose
- another purpose prescribed in legislative rules.
Investigatory purposes are not the same as enforcement purposes under the Privacy Act, since the term will not cover some fraud and security purposes directly related to keeping the system secure under the Legislation. It will mean any of the following purposes:
- detecting, investigating, prosecuting, or punishing:
  - an offence
  - a contravention of a law punishable by a pecuniary penalty
- detecting, investigating, or addressing acts or practices detrimental to the protection of the public revenue
- detecting, investigating or remedying serious misconduct
- conducting surveillance or monitoring, or intelligence-gathering activities
- conducting protective or custodial activities
- enforcing a law relating to the confiscation of proceeds of crime
- preparing for, or conducting, proceedings before a court or tribunal or implementing a court/tribunal order
- a purpose that relates to, or prejudices, national security within the meaning of the National Security Information (Criminal and Civil Proceedings) Act 2004, but does cover fraud or security mitigation practices required by the TDIF rules or used by Accredited Participants to meet their obligations under the TDIF rules.
This means that speculative profiling will be prohibited for the above activities, but this does not prevent law enforcement accessing information in relation to suspected individuals under existing powers.
These restrictions will not apply to attributes received by relying parties. The attributes received by relying parties by their nature are more limited and more suitably regulated under general privacy laws such as the Privacy Act.
These legal restrictions will apply in addition to any requirements in the technical and other specifications which will also prevent profiling. Notably, the technical and other specifications will still require the identity exchange operated by Services Australia to ‘blind’ identity verification transactions (subject to limited exemptions), meaning that identity providers connected to that identity exchange will not be told which relying party a user is accessing at the time of an identity verification request, and relying parties (including government service providers) connected to that identity exchange will not be told which identity provider has been used. These technical requirements reflect how the system currently functions and are an added layer of protection on top of the legal prohibitions on profiling outlined above.
7.4.4 Restricted attributes
It is proposed the Bill will give the Minister power to prescribe attributes as restricted attributes, which are only provided to relying parties who meet extra requirements. It is proposed the Bill will require the Minister to publish reasons for why attributes have been classified as restricted attributes. The restricted attributes will be prescribed in the TDIF rules.
When deciding whether an attribute should be restricted, the Legislation will require the Minister to consider:
- the potential harm that could result from that attribute being disclosed to an unauthorised third party
- community expectations on whether the attribute should be handled more sensitively than non-restricted attributes
- whether the attribute would be sensitive information under the Privacy Act
- whether the attribute has legislative controls that could not be met without classifying the attribute as a restricted attribute (for example, healthcare identifiers)
- any other matters the Minister considers relevant.
It is proposed the Bill will provide that a relying party may apply to the Oversight Authority to receive restricted attributes. Even if a relying party is approved to receive restricted attributes, they may only be passed through to the approved relying party if the User to whom they relate consents to the disclosure. (Restricted attributes will typically be numbers on official documents that the user provides to the identity provider when going through a proofing process to set up a digital identity. Where a user does not consent to passing one of these attributes to a relying party, they may have to provide it separately to get the relying party’s service (for example, if the relying party is required by legislation to collect the information, such as when airlines request passport numbers for international travel).) The Oversight Authority would decide to grant a relying party’s application to receive restricted attributes where satisfied that the request is appropriate in the circumstances. The Legislation will specify the information to be provided with an application, including that the relying party has:
- justified the reason for requesting the attributes
- demonstrated the relying party’s protective security, privacy and fraud control arrangements are effective and working as intended
- demonstrated why a similar result cannot be achieved without the proposed sharing of restricted attributes
- provided a risk assessment and a Privacy Impact Assessment
- described data flows showing how the restricted attributes will be used
- demonstrated how the relying party meets any other legislative or regulatory requirements applicable to the restricted attribute
- complied with any other requirements prescribed in rules made by the Minister.
7.4.5 No single identifier
It is proposed the Bill will prohibit an Accredited Participant from generating a new identifier to refer to a User and passing that same identifier on to more than one other Accredited Participant or relying party (for example, an identity exchange would need to create a different identifier for each relying party or identity provider connection relating to a User).
This prohibition specifically addresses public concerns that the Digital Identity system could be used to create a single, all-encompassing government profile or unique identifier that is used across all of the services they access. This prohibition makes it unlawful for any new identifier to be created on the system and used across the system. This does not prevent an Accredited Participant from creating an identifier for its own role (which is normal practice) that is not adopted for the person for all transactions through the system. It also does not prevent identifiers created outside the system being sent as an attribute with the consent of an individual if it meets additional attribute requirements.
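As an added illustration (not code from the DTA or the Position Paper) of the two architectural properties described here and in the blinding paragraph of 7.4.3, the toy Python model below derives a distinct identifier per relying-party connection with a per-connection HMAC key, builds the request the identity provider sees (no relying party named) and the response the relying party sees (no identity provider named), and includes an audit check that flags any exchange-generated identifier released to more than one relying party. The class and function names, the HMAC derivation and the per-connection keys are assumptions made for this example; the paper states the required properties, not a mechanism.

```python
"""Toy model of a blinded identity exchange issuing pairwise identifiers.

Added example, not code from the DTA or the Position Paper. Names, the
HMAC-based derivation and per-connection keys are assumptions made here.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from collections import defaultdict


class BlindedExchange:
    """Exchange that sits between identity providers and relying parties."""

    def __init__(self) -> None:
        # Assumption: one secret key per relying-party connection, known only
        # to the exchange. Rotating or deleting a key re-keys that connection
        # without affecting identifiers issued to any other relying party.
        self._rp_keys: dict[str, bytes] = {}
        # Audit trail of (identifier, relying party) pairs the exchange released.
        self.released: list[tuple[str, str]] = []

    def onboard_relying_party(self, rp_id: str) -> None:
        self._rp_keys[rp_id] = secrets.token_bytes(32)

    def pairwise_identifier(self, idp_subject: str, rp_id: str) -> str:
        """Identifier released to rp_id for the identity-provider-side subject.

        Keying the HMAC per connection means the same subject yields unrelated
        identifiers at different relying parties, so no identifier created by
        the exchange is ever shared across relying parties, and a relying party
        cannot recover the identity-provider-side subject from what it receives.
        """
        key = self._rp_keys[rp_id]
        return hmac.new(key, idp_subject.encode(), hashlib.sha256).hexdigest()

    def build_idp_request(self, rp_id: str, requested_attrs: list[str]) -> dict:
        """What the identity provider sees: the attribute request, not the RP."""
        if rp_id not in self._rp_keys:
            raise KeyError(f"relying party {rp_id!r} is not onboarded")
        return {"requested_attributes": sorted(requested_attrs)}

    def build_rp_response(self, idp_subject: str, rp_id: str, attrs: dict) -> dict:
        """What the relying party sees: a pairwise identifier and attributes.

        Neither the identity provider's name nor its subject identifier is
        included, which is the 'blinding' in the relying-party direction.
        """
        pid = self.pairwise_identifier(idp_subject, rp_id)
        self.released.append((pid, rp_id))
        return {"subject": pid, "attributes": dict(attrs)}


def identifiers_shared_across_relying_parties(
    released: list[tuple[str, str]],
) -> set[str]:
    """Audit check: identifiers the exchange released to more than one RP.

    A non-empty result is a breach of the no-single-identifier rule and is
    the kind of finding a compliance review of the release log would raise.
    """
    seen: defaultdict[str, set[str]] = defaultdict(set)
    for pid, rp in released:
        seen[pid].add(rp)
    return {pid for pid, rps in seen.items() if len(rps) > 1}


if __name__ == "__main__":
    ex = BlindedExchange()
    for rp in ("rp-a", "rp-b"):
        ex.onboard_relying_party(rp)
    # Constructed sample subject; "alice@idp" is the identity provider's view.
    print(ex.build_idp_request("rp-a", ["first_name", "date_of_birth"]))
    print(ex.build_rp_response("alice@idp", "rp-a", {"first_name": "Sally"}))
    print(ex.build_rp_response("alice@idp", "rp-b", {"first_name": "Sally"}))
    print("shared identifiers:", identifiers_shared_across_relying_parties(ex.released))
```

The audit function is deliberately independent of the derivation: it only needs the exchange's release log, so it can be run against records from any exchange implementation to confirm that no exchange-generated identifier reaches two relying parties.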
7.4.6 Requirement of express consent
It is proposed the Bill will require a User to expressly consent before an Accredited Participant authenticates and sends attributes to a relying party. This will accommodate a User’s ability to provide enduring consent to an identity exchange for attributes to be passed if the User returns to the same relying party (for example, a User could tick a box saying ‘do not display next time’).
7.4.7 Requirement to conduct a Privacy Impact Assessment
It is proposed the rules will require applicants for TDIF accreditation to commission an independent assessor to conduct a Privacy Impact Assessment (PIA) as a requirement of their accreditation. (The rules will allow for the PIA to be conducted by an assessor from within the same entity as the applicant, so long as there are operational, technological and other barriers to ensure the assessor is independent.) A PIA, drawing on the definition in the Privacy Act, is a written assessment of a project or activity, which identifies the impact of the project/activity on the privacy of individuals and sets out a course of action for managing, minimising or eliminating any impacts. The Oversight Authority will consider the PIA, and the applicant’s response to it, in deciding whether to accredit the applicant.
7.4.8 Record-keeping
It is proposed the Bill will specify that metadata and activity logs be retained by Accredited Participants for a period of seven years (consistent with many of the disposal authorities under the Archives Act and retention obligations under the Corporations Act 2001 (Cth)) after a User deactivates their digital identity or their account is deleted for inactivity, or in the case of an identity exchange, seven years after it is collected. It is proposed the Minister may make rules to change the record-keeping period and may commission a PIA for this purpose.
Within a reasonable timeframe following the seven-year retention period (or other retention period specified by the Minister in the rules), Accredited Participants must take such steps as are reasonable in the circumstances to either destroy or de-identify the information to the extent the information is personal information or sensitive information under the Privacy Act.
Data retained shall be for the purpose of maintaining the integrity of the system, which may include fraud or criminal investigative purposes. Retained data will be required to be protected from unauthorised access, modification, and deletion, and protected and stored to ensure the accuracy and integrity of data captured or held.
Data, other than data retained in accordance with the requirements in this section, shall be retained in accordance with applicable law.
It is proposed the record-keeping requirements in the Bill will override the Privacy Act to the extent there is any inconsistency. It will also be made clear in the Bill that the obligations in the Archives Act 1983 (Cth) will not be affected by the record keeping requirements outlined above (other than the requirements to destroy Biometric Information).
7.4.9 Exchange must not retain attributes
It is proposed the rules will contain a specific prohibition on identity exchanges retaining any User attributes once they are passed from an identity provider to a relying party. Attributes held during an authenticated session shall be stored securely, in compliance with the Legislation.
7.4.10 Individual history log
It is proposed the rules will require identity exchanges on the Participant Register to provide Users with a centralised view of their metadata, specifically, the relying party’s services the User has accessed; the date and time of access; and the categories or types of attributes passed to the relying party. (This means that the user will be able to see the class of attribute (e.g. ‘first name’ and ‘date of birth’), not the attribute values themselves (‘Sally’ or ’20 June 1991’).) This will be unless such information has already been destroyed by the identity exchange in accordance with the Legislation. In practice, the User will need to log into the identity exchange via their identity provider as the exchange will not know who the metadata relates to.
7.4.11 Acting on behalf of another and minimum age
It is proposed the Bill will provide a basic mechanism to authorise arrangements for a person to act on behalf of another. The specific operational details of appointing, managing and terminating an authorised representative will be covered by the rules. This will provide more flexibility for the vast array of circumstances that would need to be considered for such an arrangement. It is proposed the same privacy and security safeguards will apply to an authorised representative as they do to a User. These provisions do not intend to override any existing Commonwealth or state and territory laws regarding authorised representative arrangements.
It is proposed the Legislation will provide a default minimum age of 15 years for the use of a Digital Identity in the system. The Legislation will provide the Oversight Authority with the ability to override the default minimum age limit in circumstances where it considers appropriate (for example, to match a relying party’s statutory minimum age requirement for access to its service).
7.4.12 Accessible and inclusive website design
The Bill will require Accredited Participants providing User interfaces for the system to meet the following three requirements as part of the initial and ongoing accreditation requirements:
- compliance with specified accessibility guidelines and standards
- use of clear, concise and plain English that is accessible across all devices and browsers
- usability testing with a range of individuals who have additional accessibility requirements.
It is proposed the detail of how the Accredited Participant is to comply with the above three requirements will be set in the rules made under the Bill.
7.4.13 Alternative identity proofing mechanisms
The TDIF rules will outline specified alternative identity proofing mechanisms to assist Users who face difficulties in providing necessary identity documentation when seeking to verify their identity.
In order to implement these processes, it is proposed the rules require the identity provider to conduct a risk assessment and provide this as part of the accreditation process.
7.4.14 Application of privacy laws
It is proposed the Bill will require Accredited Participants to be covered by the Privacy Act. However, state and territory government entities will have the option of complying with a comparable state or territory privacy law. A state or territory law (other than for notifiable data breaches) will be considered comparable if it provides the following (it is intended the criteria will resemble those in cl 28(1) of the Data Availability and Transparency Bill 2020 (Cth)):
- protection of personal information comparable to that provided by the Australian Privacy Principles (APP) in the Privacy Act
- monitoring of compliance with the law
- a means for an individual to seek recourse if there has been a privacy breach.
State and territory government entities in jurisdictions without privacy legislation will not have this option of complying with comparable state privacy law instead of the Privacy Act.
In order to be covered by the Privacy Act, an Accredited Participant needs to be an APP entity (as defined in the Privacy Act) or otherwise bring itself within the scope of the Privacy Act using the existing mechanisms in that Act. State and territory government entities requesting to be prescribed under the Privacy Act will only need to do so in respect of their participation in the scheme.
Relying parties will remain subject to any privacy laws that apply to them in providing their services.
7.4.15 Data breaches
The Notifiable Data Breach scheme (NDB scheme) in Part IIIC of the Privacy Act requires Commonwealth bodies and businesses which are subject to the Privacy Act (APP entities) to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals where there are reasonable grounds to believe that a notifiable data breach has occurred, and the data breach relates to the Digital Identity system. The Bill will require Accredited Participants which are APP entities to provide a copy of any data breach notice given to the OAIC under the NDB scheme to the Oversight Authority as well. This will enable the Oversight Authority to consider whether any action is required to ensure the integrity of the system, while leaving any investigation into the breach with the Information Commissioner.
For state and territory government bodies that are Accredited Participants but not subject to the Privacy Act or a comparable NDB scheme, it is proposed that if the body has reasonable grounds to believe that a NDB has occurred, the body will be required to provide a statement about the breach to the Oversight Authority. (At present, the states and territories with privacy legislation applying to their entities do not have comparable NDB schemes.) The body will also need to notify affected individuals in a similar manner to the NDB scheme.
In setting out the data breach notification requirements described above, it is proposed that the Bill will draw on the definitions and concepts in the NDB scheme. This includes specifying what is a notifiable data breach for the system, when a breach has occurred or a suspected breach must be investigated, when remedial action has been taken, when the breach is to be notified to the Oversight Authority, and in what form. (Specifically, it is intended that the Bill will draw on the definition of ‘eligible data breach’ in s26WE(2) of the Privacy Act.)
The body will also be required to provide a copy of that statement to the Privacy Commissioner in the relevant state and/or territory. It is proposed that a failure by an Accredited Participant to notify a data breach to the Oversight Authority and the relevant Privacy Commissioner or to assist in an investigation will be a breach of the system rules and could lead to compliance action.
Additionally, it is proposed the Bill will include a mechanism for information-sharing for data breaches between regulators including the OAIC. Such a mechanism would be designed to assist with the expedient resolution of data breaches and would not affect which regulator is ultimately responsible for investigating and resolving the breach. We will continue to consult with regulators on what mechanisms can be developed to avoid regulatory overlap or duplication and to facilitate cooperation between regulators (for example, Memoranda of Understanding and non-binding guidelines).
A trustmark is used to indicate to consumers that their services or products meet a certain minimum standard, possess a certain quality and have achieved a professional accreditation.
Displaying a trustmark which reflects well-known standards can give consumers confidence and encourage uptake of the use of a digital identity. There will be an initial period of building recognition of the digital identity trustmark(s) associated with TDIF accreditation and use of the system, and consumers will become more familiar with the trustmark(s) as uptake increases.
It is intended the Legislation will establish one or more trustmarks for different purposes. As the system expands beyond Australian Government entities, a trustmark will be a valuable commercial asset for those participating in the system and for those relying on digital identity activities of Accredited Participants using other digital identity frameworks. The trustmarks will also assist consumers in identifying when the Digital Identity system is being used to create or use a Digital Identity and when an Accredited Participant using another system has met the stringent accreditation requirements in the Bill and the TDIF rules.
8.1 What would the trustmark(s) be used for?
It is proposed the Legislation will establish trustmark(s) for entities to publicly show their:
- participation and provision of Digital Identity services in the system. Accredited Participants will be able to use the system trustmark to show that a service is being provided through the system. If they are providing a service outside of the system, they will not be permitted to use the trustmark for that service, so it is clear to Users. Relying parties on the Participant Register will be entitled to use this trustmark when verifying an identity through the system.
- accreditation under the Bill. When using a trustmark, TDIF accredited entities will have to detail the role for which they are accredited and any limitations on the accreditation. For example, an identity provider accredited to a particular proofing level must ensure they do not use the trustmark for any services above this level.
It is intended that civil penalties will apply for the misuse or unauthorised use of a trustmark - see section 10 Penalties.
To assist Participants and TDIF accredited entities, it is proposed that as part of accreditation and/or onboarding decisions under the Bill, the Oversight Authority will approve trustmarks to be used and the information that must accompany the trustmark when used, such as the accredited role to which the trustmark applies.
8.2 Types of trustmarks
Trustmarks are intended to be issued for one or more of the legislated purposes. For example, if an Accredited Participant has been accredited as an identity provider with identity proofing level IP 4, it is intended that the Accredited Participant would be issued with a trustmark to indicate its status as a TDIF-accredited IdP with IP 4.
It is proposed the Legislation will enable the Oversight Authority to issue the appropriate trustmark when the relevant requirements for receiving a trustmark are met.
8.3 Potential application for registration as a trademark
The DTA is in the process of developing appropriate trustmarks for the purposes mentioned above. The DTA may seek to apply to register trustmarks as trademarks under the Trade Marks Act 1995, which could mean additional legislative protection on these marks.
9.1 What are we trying to achieve?
The Legislation will set up a framework for working out how losses or damage suffered by individuals or entities using the system will be managed. The framework is easy to implement, understand and is transparent. This will ensure both Users of the system and Participants have clarity about their liability and avenues for redress.
The framework will aim to ensure the system is affordable, even if a loss is incurred.
9.2 What we have heard from stakeholders
Stakeholder feedback supported the development of a liability framework to help enable an expanded Digital Identity system across state and territory governments and the private sector, but they wanted more detail on how it would work. Feedback ranged from suggesting minimal or no provisions on liability in the Legislation to a more comprehensive and centralised mechanism.
This framework will clearly articulate when a Participant is liable for losses suffered by another which require them to be compensated.
Stakeholders also support appropriate mechanisms for non-financial redress to be included in the Legislation.
9.3 What’s changed since the Consultation Paper?
The Consultation Paper outlined a number of principles which could guide the development of a liability framework. Following a review of stakeholder feedback to the Consultation Paper, the DTA has developed the position outlined in this Position Paper.
There will be a liability framework in the Legislation and Accredited Participants will not be financially liable for losses suffered provided they have acted in good faith and complied with the legislative rules and requirements relating to accreditation and the system. It is proposed there will be a statutory contract between Accredited Participants and relying parties on the system, giving Participants the right to seek loss or damages where another Participant has breached the system’s rules. There will also be provisions outlining redress mechanisms to help recover losses and damages resulting from cyber crime and identity theft.
9.4 Policy positions – liability and redress
9.4.1 Liability and redress framework
The liability framework will involve two major elements:
- mechanisms providing for non-financial redress for adverse outcomes that arise as a consequence of participating in the system, including for example, assisting with re-establishing a stolen Digital Identity
- management of financial liability, including that of the Oversight Authority and its staff.
9.4.2 Financial liability
It is proposed under the Legislation that an Accredited Participant will not be liable for loss or damage suffered by a Participant using the system provided the Accredited Participant was acting in good faith and in compliance with the legislative rules and requirements relating to the system.
If the Accredited Participant does not comply with the legislative rules and act in good faith, the Accredited Participant would be liable for loss and damage suffered by all Participants flowing from that non-compliance.
If there is incomplete or incorrect information on a digital identity register and a person suffers loss or damage as a consequence, Accredited Participants will not be liable provided the loss or damage occurred solely as a result of the error on the register.
It is proposed the Legislation will enable the Minister, if needed, to make rules to provide limitations on the liability that would otherwise arise from non-compliance with the legislative rules and requirements. There is no intention to have those rules when the Legislation commences, but the rule-making power will allow the system to be flexible and responsive.
It is proposed that once an Accredited Participant is onboarded to the system, it will be subject to a statutory multiparty contract. Any Participant who suffers a loss due to the actions of an Accredited Participant can enforce that contract against that Accredited Participant. The Participant will need to establish the loss or damage suffered and the non-compliance by the Accredited Participant of the legislative rules in order to determine liability. There would be no need for the Oversight Authority to be party to a contractual dispute.
In the context of the system, the statutory contract would require the parties to comply with the standards set out in, and to engage in the conduct required by, the legislative framework, including the rules.
- an appropriate court would have jurisdiction to hear and determine actions, similar to the approach taken with respect to the Consumer Data Right (CDR)
- as a general rule, it will be the responsibility of the individual Participants to take action to recover their loss or damage
- the onus of proof will be on the Participant seeking to recover the loss, to establish there was a lack of good faith and a breach of the legislative rules and that a loss or damage arose.
9.4.3 Liability of the Oversight Authority and its staff
It is proposed that no action, suit or other proceeding for damages would lie against:
- the Oversight Authority, being the statutory officeholder appointed as the regulator
- other Australian Government entities that exercise powers, functions or duties under the Legislation. Note this will not remove liability from Australian Government Accredited Participants such as identity providers or identity exchanges
- the Office of the Oversight Authority, including any person who is or has been an officer or employee of the office
- a person who is or has been a delegate of the Oversight Authority or a consultant to the Oversight Authority
- an Advisory Board established under the Legislation.
This exemption will apply to any loss or injury directly or indirectly suffered as a result of matters such as:
- the exercise of powers, or performance of functions, or the role, of the Oversight Authority
- decisions to accredit or refuse and to revoke or suspend accreditation of Participants
- the monitoring and enforcing of the TDIF rules, including through audits of Participants
- the use of information made available through the system
- the response to security incidents, disaster recovery and other incidents that impact the system, including through issuing directions to Participants
- sharing of data relating to Participants, including to support government functions.
This exemption would only be available if the act or omission was done in good faith and in the exercise of the powers, performance of functions, or role of the Oversight Authority. The exemption would not be available in other circumstances, for example, if there was fraud or the like.
9.4.4 Redress
It is proposed the Legislation will ensure assistance is provided to Users of the system where there has been an inappropriate disclosure of information, identity theft, cyber security incident or system failure.
The Oversight Authority will have responsibility to advocate on behalf of individuals who are victims of identity fraud. The Oversight Authority will also help Users of the system with advice and assistance to deal with the consequences of a cyber security incident, including to:
- coordinate with law enforcement and other organisations that are involved in managing the consequences of identity theft
- investigate the circumstances around an identity theft and collate evidence that could be used in litigation
- where an identity fraud could be traced to a Participant, direct the Participant to take steps to assist other Participants or Users in dealing with the identity theft.
Under the Legislation, Accredited Participants will be required to:
- identify, flag and deal with identity theft and cyber security incidents
- provide support services for businesses and individuals affected by identity theft and cyber security incidents
- have mechanisms to flag records that have been compromised and prevent their continued use
- have procedures to re-establish digital identities after an identity theft or cyber security incident.
The Bill will also include provisions, mirroring those in the TDIF, where Accredited Participants:
- will be obliged to ensure Users of the system have access to, and are aware of, support services to assist with managing the consequences of a cyber security incident
- must comply with the rules in delegated legislation in relation to:
- the identification and management of cyber security incidents
- records that have been compromised due to a cyber security incident
- re-establishment of the Digital Identity of a User of the system after a cyber security incident or identity theft.
The Legislation will also require Accredited Participants to:
- take steps to improve systems and address vulnerabilities
- provide staff training in relation to identifying and dealing with cyber security incidents
- develop policies and implement mechanisms for assisting and coordinating responses to a cyber security incident
- comply with requirements for collecting and collating information about identity theft.
In addition, to ensure that Accredited Participants and Users have appropriate protection from identity fraud and cyber security incidents, Accredited Participants will be required to have adequate insurance arrangements in place as part of their accreditation requirements. This will ensure that there would be a reasonable degree of protection in place for all participants in the digital identity system.
The redress mechanisms will be available to those Users of the system who are affected by a cyber security incident, as well as individuals who are not Users of the system, but whose identity has been stolen and used within the Digital Identity system.
There will be civil penalties for failure to comply with redress mechanisms - see section 10.3.3 Other civil penalties.
10.1 What we are trying to achieve
The Legislation will establish a penalty and enforcement framework to:
- ensure the privacy safeguards enshrined in the Bill can be enforced by the Information Commissioner
- support the Oversight Authority to effectively monitor and enforce compliance with the Legislation.
The framework is intended to ensure that:
- penalties for non-compliance are fair and proportionate to the harm that may be caused to Users of the system
- Users of the system will have confidence and trust in using the Digital Identity system, and there are appropriate deterrents in place to the prohibited collection, use and disclosure of Digital Identity information
- existing enforcement frameworks, where available and appropriate, are used to address compliance and enforcement.
10.2 What we have heard from stakeholders
Consultation indicated that stakeholders support an appropriate penalty and enforcement regime to generate public trust and confidence in the system.
Feedback ranged from supporting civil penalties for the misuse of Digital Identity information and administrative sanctions (such as suspension) for non-compliance, to suggesting that existing regulatory regimes (such as the Privacy Act) should be relied on to address contraventions and non-compliance. Some stakeholders asked for more information about how a proposed penalty or enforcement regime could operate.
10.3 Policy positions – penalties and enforcement
10.3.1 Administrative sanctions
It is proposed the Bill include provisions to enable the Oversight Authority to impose administrative sanctions including to:
- suspend or revoke the accreditation of an Accredited Participant
- suspend or revoke a Participant’s access to the system
- issue directions to a Participant, including a direction to take remedial action to address a breach of system requirements (such as the rules).
These decisions will be subject to merits review as discussed in section 6.5.1 Review insights of this paper.
The power to impose administrative sanctions will be available in circumstances including:
- where a Participant has breached an obligation in the Legislation, for example, by breaching any of the privacy and consumer safeguards in the Bill
- where an Accredited Participant has breached a TDIF accreditation rule
- where a Participant has provided false or misleading information to the Oversight Authority
- on the grounds of national security (as that term is defined in section 90.4 of the Criminal Code 1995). This may include where ASIO has made an adverse or qualified security assessment in respect of a person, including an organisation under the Australian Security Intelligence Organisation Act 1979, or on direction from the Minister.
10.3.2 Civil penalties for breaches of key safeguards
It is proposed the Bill will include civil penalties for contraventions by Participants in the system of key privacy safeguards that will be enforced by the Information Commissioner.
These will be available as an enforcement option independently of the administrative sanctions available to the Oversight Authority where privacy and consumer safeguards in the Legislation are contravened.
The key privacy safeguards proposed to be subject to civil penalties for contravention are:
- the collection, use and disclosure of Digital Identity information for a prohibited purpose, including unrelated marketing - See section 7.4.3 Restrictions on data profiling for more information, including a definition of ‘unrelated marketing’.
- breaches of biometric safeguards relating to how Biometric Information is collected, used and disclosed in the Digital Identity system
- the prohibition on the creation of a single identifier for individuals that can be used across the system
- requiring express consent before enabling User authentication to a service
- unauthorised disclosure of restricted attributes.
Consumer safeguards (such as User choice, and the requirement to provide alternative channels), are more appropriately addressed through administrative sanctions that will be enforced by the Oversight Authority or existing frameworks (such as the Privacy Act in respect of notifiable data breaches).
10.3.3 Other civil penalties
It is proposed the Bill will include a:
- provision to enable the Minister to designate certain rules as enforceable rules (for example, in respect of what a Participant must do to assist another Participant or a User affected by identity theft or a cyber security incident). A failure to comply with an enforceable rule will be a civil penalty provision
- civil penalty provision for unauthorised use or misuse of a trustmark protected by the Legislation
- civil penalty provision for breaches of record keeping requirements
- civil penalty provision for contraventions of continuing obligations on Participants when they are offboarded from the system, including for example, a requirement to keep records for a prescribed period to enable fraud or cyber security investigations identified after the Participant is offboarded
- civil penalty provision for failure to comply with notices issued by the Oversight Authority to provide information or documentation.
The Bill will also provide mechanisms for dealing with identity fraud and cyber security incidents - see section 9.4.4 Redress.
Where a Participant fails to comply with the requirements relating to redress (for example, to identify, flag and deal with identity theft), the Oversight Authority may seek a civil penalty against the Participant. If a Participant otherwise fails to comply with a direction from the Oversight Authority following an identity fraud or cyber security incident, the Oversight Authority may also seek a civil penalty.
In the context of redress, the purpose of civil penalties is to ensure that Participants comply with their obligations to assist individuals in dealing with identity fraud and cyber security incidents.
10.3.4 Notifiable data breaches
The Bill will provide the Oversight Authority with the power to take administrative action against an Accredited Participant in response to a notifiable data breach. This will not impact the investigation of notifiable data breaches under the Privacy Act by the Information Commissioner, and where applicable, state and territory Privacy Commissioners.
Where an Accredited Participant fails to provide a copy of a notifiable data breach notice to the Oversight Authority or affected individuals, the Oversight Authority may direct the Accredited Participant to provide a copy of the notice.
10.3.5 Use of the Digital Identity system for identity crime and computer related offences
It is not proposed to include any new criminal offences in the Bill.
A range of criminal offences is available under other laws to address certain behaviours when using the system, including:
- Part 9.5 of the Criminal Code, which specifies criminal offences relating to identity crime. The penalties for these offences range from 3 to 5 years’ imprisonment. One or more offences under Part 9.5 of the Criminal Code could potentially be committed where, for example, a person uses Digital Identity information to pass themselves off as another person for the purposes of fraudulently obtaining a benefit for themselves.
- Part 10.7 of the Criminal Code, which specifies criminal offences which involve the use of computer systems. The penalties for these offences range from 2 to 10 years’ imprisonment. One or more offences under Part 10.7 of the Criminal Code could potentially be committed where, for example, a person uses a computer system to hack into a Digital Identity provider’s system.
State and territory legislation also contains a range of criminal offences that relate to identity crime, including:
- fraud
- impersonation
- providing false or misleading information to public authorities.
10.3.6 Enforcement
It is proposed the Bill adopt the standard provisions in the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act) in relation to civil penalties, enforceable undertakings and injunctions.
The standard provisions of the Regulatory Powers Act are an accepted baseline of powers required for an effective enforcement regulatory regime, while providing adequate safeguards and protecting important common law privileges.
It is proposed the Information Commissioner will be given the privacy functions under the Legislation in relation to the additional privacy safeguards, authorising the Commissioner to investigate complaints and conduct Commissioner-initiated investigations under the Privacy Act 1988. In addition, the Information Commissioner will be given authority to seek civil penalties, enforceable undertakings and injunctions for contraventions of the additional privacy safeguards in the Bill that are deemed civil penalty provisions.
The Oversight Authority will be authorised to seek civil penalties, enforceable undertakings and injunctions for matters relating to contraventions of the enforceable rules, misuse of trustmarks, recordkeeping and breaches of obligations on offboarded Participants. In addition, it is proposed the Oversight Authority has the power to issue notices to provide information or documents (using common provisions for providing a notice stating the information sought and a timeframe) and to seek civil penalties for a failure to comply with a notice.
11.1 What are we trying to achieve?
Charging for the Digital Identity system will be fair and transparent, foster inclusion, and incentivise adoption both for Users and for relying parties that benefit from Digital Identities.
The Australian Government will not impose charges on individuals using the system under the Legislation. All costs to build the system to date have been borne by the Australian Government and it is not proposed that the Government will seek to recoup these costs.
11.2 What we have heard from stakeholders
Most stakeholders have indicated they are seeking more information on a charging approach and model. Private sector entities indicated interest in understanding how they may be charged under such a framework, together with a strong emphasis on the need for market-based pricing that promotes competition.
Government and consumer advocates emphasised the need for the Digital Identity system to be free or low cost for Users and to promote inclusion. There was also support for a standard set of principles for charging. The feedback from the consultation showed that there was not enough information in the Consultation Paper to form an approach or model that could inform a charging framework, and that further consultation on this is needed.
11.3 What’s changed since the Consultation Paper?
There has been no change to the principles that charging should not retrospectively recover the cost of the design and build of the initial system, that charging would cover the range of system activities and that the Government would not charge Users for the use of Digital Identity. These principles have guided the design of the proposed administration of charges.
The intention was to develop the Digital Identity Legislation concurrently with secondary legislation to enable the implementation of the charging framework. The current approach is to develop the primary legislation first. This approach allows for a comprehensive stakeholder consultation process for the charging framework and the collection of data as the system is rolled out beyond the Australian Government.
The two key additions since the Consultation Paper are:
- additional charging principles to guide the proposed administration of charges
- a proposed method to select entities to provide services in an accredited role in the system.
11.4 Policy Positions – administration of charges
The DTA is proposing the following items to be included in the Digital Identity Legislation.
11.4.1 Enable charging for the Digital Identity system
It is proposed the Legislation will not impose charges on Users, noting the proposed Legislation will not regulate fees charged by relying parties to an individual wanting to access its service(s) using the system.
It is also proposed the Bill will allow the Australian Government to charge and set out the criteria for government charging. When the charging framework is developed, the secondary legislation (likely to be rules) will provide the amount of the charge, and/or any formula for determining the charge, as well as the charging arrangements.
The charging framework will be developed in compliance with the Australian Government Charging Framework and related guidelines. The DTA proposes a detailed consultation on the amounts to be charged and the charging arrangements be undertaken later in 2021. The outcome of that consultation will determine the content of the rules.
11.4.2 Charging principles
It is proposed the following seven charging principles will guide the Australian Government’s charging framework under the Legislation. Some of these principles are proposed to be reflected in the Bill, while others will be implemented in secondary legislation (such as the rules).
11.4.2.1 Reflected in the Bill
Principles | Description | Implementation in the Legislation |
---|---|---|
Principle 1 | Charges should foster inclusion, facilitate affordability for Users and relying parties, and incentivise adoption. | The Minister will have powers to impose a partial charge or waive charges in circumstances to be set out in secondary legislation (for example, the Minister could decide to impose a partial charge, or waive charges, for relying parties who are charities). |
Principle 2 | Charging arrangements should be simple, transparent, and subject to ongoing consultation. This principle recognises that charging arrangements should be simple and transparent. This principle also recognises the need for ongoing stakeholder consultation in order to provide Users and Participants to the system with visibility over how the charges are calculated. | Require the Minister to consult on the charges on a periodic basis and for consultation to be open for a minimum period. The Minister may form and seek advice from an independent advisory board of suitable expertise. |
Principle 3 | The Australian Government will not charge Users for the creation or use of a Digital Identity. Relying parties will be charged for the use of a Digital Identity (User Charging Principle). | Enable charges to be imposed upon Participants, but not Users. However, Users may be charged by relying parties, both government and non-government, as it would be open for relying parties to pass on the costs. |
Principle 4 | Participants should be charged fairly, and charges set according to the value and complexity of the services provided. This principle recognises the need for charging to be flexible and scalable to accurately account for market rates, feature enhancements, and changes in demand. Charges should reflect the complexity and level of service provided. For example, the charges to be paid by a relying party could reflect: In addition, the charges should correspond with the usage volume of the relying party and potentially a participant’s contribution to the system. | Enable different charges to be imposed depending on certain factors, such as the value and complexity of the services provided. The factors are proposed to be prescribed in secondary legislation. |
Principle 5 | Charges should be regularly reviewed and subject to independent oversight. | Require charges to be subject to periodic review by the Minister to ensure charges remain competitive and provide transparency in charging to the public. The frequency of review would be prescribed in secondary legislation. |
11.4.2.2 Not reflected in the Bill (may appear in the rules)
Principles | Description | Implementation in the Legislation |
---|---|---|
Principle 6 | Charging should not retrospectively recover the costs of the design and build of the initial system. | Any charges set out would not relate to the Australian Government’s costs of design and build of the initial system. |
Principle 7 | The charging framework should cover the range of activities that are required for the system to operate. | Provide for the services required by the system that would be covered by the charging framework. |
11.4.3 Selection of service providers to the system
To become a service provider in the system, the entity must be both TDIF accredited and onboarded to the system. A process will be required to select which TDIF accredited entities can be onboarded to the system and therefore become a service provider in the system.
A service provider to the Digital Identity system means a company or government body seeking to perform a TDIF accredited role for the system; that is, an identity provider, credential service provider, attribute service provider and identity exchange. The DTA proposes to select service providers outside a legislated process, which would be conducted by an Australian Government agency, effectively providing a controlled entry into the system.
The Legislation will support this selection method by requiring entities seeking to become a service provider to be on the Participant Register, which would require them to be onboarded to the system and to have an agreement with the Australian Government to provide services.
Competitive neutrality principles would apply to ensure the Australian Government would not enjoy competitive advantages over private sector competitors. In particular, it is noted that Charging Principle 1 should not apply to the competitive disadvantage of private sector competitors.
11.4.4 What the Legislation will not do
The charge will not be such as to amount to taxation (a charge that is in fact a tax must be dealt with in its own taxation bill).