Introduction to Digital Identity Webinar

Questions and answers

As part of the Digital Transformation Agency's (DTA) Digital Identity consultations, a webinar was hosted on 25 June 2021 at which key stakeholders had the opportunity to ask questions about the system and legislation.

Questions asked and answered live

1. How will the scheme prevent third party attribute markets from developing off the back of the scheme?

2. Given the double blind model, how will the relying party know if the transaction is subject to Trusted Digital Identity Framework rules?

3. If a business relying on the Digital Identity cannot know who they are dealing with, what happens if the User subjects the business to fraud?

4. If the business relying on the Digital Identity will not get access to the person's identity, how will they be certain the person they are dealing with is not on the Australian sanctions list?

5. How do we use Digital Identity for non-government services?

6. Is AUSTRAC involved in relation to AML/CTF ID verification obligations?

7. Does a User need to be an Australian Citizen?

8. What will DTA's role be going forward? Driving legislation and technical interoperability?

9. Are there rules or restrictions about what information providers can ask for?

10. Are there rules or restrictions about whether providers must offer an alternative to people who don’t want to use the system?

11. The position paper proposes that disclosure of the information about a User may happen in response to a 'lawfully made request for information for an investigatory purpose'. Is it proposed that such requests will only be permitted via a court order or is this still to be determined?

12. What approach is planned to facilitate the recognition/acceptance and uptake of Digital Identity in both the public and private sectors?

13. Does the system allow a single User to have more than one Digital Identity?

14. If an employer for a freelance worker has a preferred Digital Identity, can myGovID ‘handshake’ with other third party DI’s so the User doesn't have to rebuild their identity?

15. Will you design what data fields specific relying parties or groups can receive?

16. Is Digital Identity and the Trusted Digital Identity Framework replacing other ID standards such as Verification of Identity (VOI) for property conveyancing and the 100 point check?

17. What is the thinking behind and the purpose of the Provider role within the Trusted Digital Identity Framework? How will it be covered by the legislation?

18. Will Digital Identity link to voter registration?

19. Is there a target for the Digital Identity, i.e. every citizen having a unique Digital Identity?

20. How will other jurisdictions like States use this? Will they create a ‘version’ of Australian Government capability?

21. How was the term and definition of “speculative profiling” developed with regards to the context of a law enforcement agency with powers to obtain, use and disseminate identity information (in strictly controlled and lawful contexts)?

22. What rights will people have if something does go wrong?

23. Is the 2.5 million “sign ups” based on those who have myGov accounts only?

24. Is there a minimum age for a Digital Identity?

25. Is the Digital ID sitting on a blockchain (Permissioned/permissionless)?

26. Why is there such a gap between 2.5 million digital identities with myGovID and only 250,000 linked to myGov?

27. Will AusPost's Digital ID and myGovID be integrated so that Users won’t need multiple Digital Identities due to mismatches between services?

28. Will multiple Digital Identity Providers lead to a monopoly position as services/businesses gravitate to whichever system has the most pre-existing Users?

29. How will it work for jurisdictions such as Western Australia that do not have state privacy legislation?

30. How can one individual have multiple Digital Identities when the underlying physical identity needs to be proven?

31. Can the digital identities be linked?

32. Noting that myGov uses myGovID, will people be able to use myGovID for other commercial services?

Questions not answered live

1. There were references to myGov which is currently limited to government services. Will myGov continue to be limited to government services?

2. How much is the Government investing in Digital Identity?

3. Can I use my Digital Identity as proof of identity for face-to-face services?

4. What costs will a business using the service incur? Initial membership, ongoing association costs and transaction fees, or both?

5. Will banks be able to rely on myGovID as an identity provider given banks can only rely on reporting entities regulated by the AML-CTF Act to rely on third party KYC assessments?

6. Will Digital Identity be able to be used for businesses where we need to verify that an individual is authorised to act on behalf of a business/ABN? For example, to lodge a BAS?

7. Could I use myGovID if I work for an international organisation, for example, the UN?

8. How will Digital Identity work? Will the consumer be provided with links to submit their Digital Identity and the business be provided with confirmation of identity for record keeping?

Questions asked and answered live

1. How will the scheme prevent third party attribute markets from developing off the back of the scheme?

It’s outside the scope of this program to answer what the role of attribute markets is in Australia. The system is designed to be interoperable with other Digital Identity systems and the minimum number of attributes are passed to the relying party as required.

2. Given the double blind model, how will the relying party know if the transaction is subject to Trusted Digital Identity Framework rules?

There will be rules around when an organisation can say it is covered by the Digital Identity Legislation or not. These rules will ensure it is clear to relying parties whether a transaction is subject to Trusted Digital Identity Framework rules. There is further information on this on page 27 of the Position Paper, in chapter 5.

3. If a business relying on the Digital Identity cannot know who they are dealing with, what happens if the User subjects the business to fraud?

The Digital Identity system operates in a way that ensures businesses will have a greater level of confidence in who they’re transacting with than they do currently. All the service providers are subject to strong accreditation requirements, including fraud, risk management and security.

The ability to investigate fraud and other security breaches is paramount to the integrity of the Digital Identity system to make sure it meets, and exceeds, community expectations.

4. If the business relying on the Digital Identity will not get access to the person's identity, how will they be certain the person they are dealing with is not on the Australian sanctions list?

The person’s identity attributes will be passed on to the relying parties; they will get the attributes they need with the consent of the individual. The DTA has been working closely with AUSTRAC to ensure the Digital Identity system is specifically designed to help businesses meet their Know Your Customer obligations.

5. How do we use Digital Identity for non-government services?

The DTA is developing legislation that will ensure that state, territory and private sector services can be onboarded to the system in a safe and secure way. It will be a similar process for private sector relying parties, as is the process currently with Commonwealth relying parties.

6. Is AUSTRAC involved in relation to AML/CTF ID verification obligations?

Yes, the DTA has had ongoing engagements with AUSTRAC and the Department of Home Affairs. Our intention is to make the system so it can be easily used to satisfy Know Your Customer requirements.

7. Does a User need to be an Australian Citizen?

Individuals who have Australian identity documents, such as a visa, will be able to create a Digital Identity. Australians will also be able to access their Digital Identity if they are travelling or living overseas.

8. What will DTA's role be going forward? Driving legislation and technical interoperability?

The DTA is the policy owner, including progressing the Legislation and serving the strategic direction. It is the role of the Commonwealth Government to determine what happens in the future. You can find more on this in Chapter 6 of the Position Paper, which refers to governance and the functions of the Oversight Authority.

9. Are there rules or restrictions about what information providers can ask for?

Yes. This is a very important security and privacy principle, which ensures the Digital Identity system only collects the information needed to establish and maintain a Digital Identity.

10. Are there rules or restrictions about whether providers must offer an alternative to people who don’t want to use the system?

Yes. An important feature of the Digital Identity system is that creating and using a Digital Identity is a personal choice. For those people who cannot or do not want to use Digital Identity, government shop fronts and face-to-face services will remain. Organisations participating in the system have to provide an alternative channel to Digital Identity to enable individuals to access their services.

11. The position paper proposes that disclosure of the information about a User may happen in response to a 'lawfully made request for information for an investigatory purpose'. Is it proposed that such requests will only be permitted via a court order or is this still to be determined?

There are specific restrictions around biometrics and speculative profiling, which will mean law enforcement will not be able to access that information. A User’s metadata can only be passed onto law enforcement agencies in the case of a fraud investigation and only with the User’s consent. The DTA is still working through the details about law enforcement requirements for access beyond the two principles already mentioned.

12. What approach is planned to facilitate the recognition/acceptance and uptake of Digital Identity in both the public and private sectors?

This is just the start of an ongoing conversation to raise awareness and understanding about Digital Identity. We believe that with a system that’s simpler, safer and more secure, the community will choose to adopt it over time.

13. Does the system allow a single User to have more than one Digital Identity?

Yes. Users can choose to have multiple digital identities if they wish. The Legislation will allow a person to have a Digital Identity with multiple identity providers participating in the system.

People might choose their identity providers based on the type of service they’re trying to access or choose to create a Digital Identity with a different identity provider for work or personal use.

14. If an employer for a freelance worker has a preferred Digital Identity, can myGovID ‘handshake’ with other third party DI’s so the User doesn't have to rebuild their identity?

This would need to be looked at in greater detail, however, those services could potentially be a relying party and get attributes with the consent of the individual.

There’s a lot of interest about how Digital Identity will operate with other systems and there is more information on this in Chapter 5 of the Position Paper.

15. Will you design what data fields specific relying parties or groups can receive?

Yes, we already have core attributes in the Trusted Digital Identity Framework which the DTA is working to enshrine in Legislation. The Legislation will put limits around what types of attributes can be passed within the Digital Identity system. The rules will also make it clear what other attributes are available to a relying party, with the consent of the individual.

16. Is Digital Identity and the Trusted Digital Identity Framework replacing other ID standards such as Verification of Identity (VOI) for property conveyancing and the 100 point check?

Digital Identity is not superseding or taking over other identity systems in Australia. The Trusted Digital Identity Framework is being built on a number of existing standards, and the security and proofing requirements will be set out as rules, so they can be updated as international standards change.

17. What is the thinking behind and the purpose of the Provider role within the Trusted Digital Identity Framework? How will it be covered by the legislation?

The Trusted Digital Identity Framework has been developed over many years and various iterations. The Trusted Digital Identity Framework role refers to the four key players in the current Digital Identity system: identity providers, the identity exchange, attribute service providers and credential service providers. The Legislation will allow for other entities to get accredited in these roles.

18. Will Digital Identity link to voter registration?

No, it doesn’t link to a voter register.

19. Is there a target for the Digital Identity, i.e. every citizen having a unique Digital Identity?

Digital Identity is entirely optional and opt-in. It’s up to the customer, or User, to decide if Digital Identity is right for them. This is a voluntary system and people can have multiple digital identities if they wish.

20. How will other jurisdictions like States use this? Will they create a ‘version’ of Australian Government capability?

The Digital Identity system will be interoperable, so that states and territories can choose to onboard and leverage the existing identity providers and system if they wish.

21. How was the term and definition of “speculative profiling” developed with regards to the context of a law enforcement agency with powers to obtain, use and disseminate identity information (in strictly controlled and lawful contexts)?

The DTA is aiming to prevent anyone obtaining large amounts of data to profile Users. There is more information on this in Chapter 7 of the Position Paper. That chapter also includes extensive information about the proposed protections. The DTA does not intend to stop genuine law enforcement investigations.

22. What rights will people have if something does go wrong?

The liability framework will involve non-financial redress, such as assisting people to re-establish their stolen identities. There is more information on this in Chapter 9 of the Position Paper.

23. Is the 2.5 million “sign ups” based on those who have myGov accounts only?

myGovID is different to myGov. The only identity provider currently available is myGovID. The DTA is proposing for other identity providers to join the system as it expands to become a whole of economy solution.

Note: 2.5 million myGovID Identities statistics correct as of 1 June 2021.

24. Is there a minimum age for a Digital Identity?

It is proposed the Legislation will provide a default minimum age of 15 years for the use of a Digital Identity in the system. The Legislation will provide the Oversight Authority with the ability to override the default minimum age limit in circumstances where it considers appropriate, for example, to match a relying party’s statutory minimum age requirement for access to its service. Chapter 7 of the Position Paper provides more detail on this.

25. Is the Digital Identity sitting on a blockchain (Permissioned/permissionless)?

No.

26. Why is there such a gap between 2.5 million digital identities with myGovID and only 250,000 linked to myGov?

The myGov public beta is not particularly prominent on the myGov site as yet as it is still running as a public beta.

Note: 2.5 million myGovID Identities and 250,000 myGov accounts linked to Digital Identity statistics correct as of 1 June 2021.

27. Will AusPost's Digital ID and myGovID be integrated so that Users won’t need multiple Digital Identities due to mismatches between services?

AusPost is already accredited through the Trusted Digital Identity Framework. We hope that in the future they will join the Commonwealth system.

28. Will multiple Digital Identity Providers lead to a monopoly position as services/businesses gravitate to whichever system has the most pre-existing Users?

It’s not about who has the most pre-existing Users, it’s about providing Australians with a choice around which identity provider best meets their needs. We believe having multiple identity providers is the best way to build trust in the system.

29. How will it work for jurisdictions such as Western Australia that do not have state privacy legislation?

This is discussed in depth in the Position Paper in Chapter 7.

If Western Australia wants to be a provider on the system, they will need to bring themselves under the Privacy Act.

For states and territories with privacy legislation, we are committed to avoiding unnecessary duplication of legislation, and harnessing existing legislation wherever possible.

30. How can one individual have multiple Digital Identities when the underlying physical identity needs to be proven?

You can have multiple digital identities by having one with each identity provider, for example one with AusPost and one with myGovID.

31. Can the digital identities be linked?

No, the digital identities could not be linked because they are with different identity providers.

32. Noting that myGov uses myGovID, will people be able to use myGovID for other commercial services?

If other commercial services onboard to the Digital Identity system, a person could use their myGovID to access a range of services.

Questions not answered live

1. There were references to myGov which is currently limited to government services. Will myGov continue to be limited to government services?

At present, myGov is limited for use with Government services (both federal and state). The DTA and its partner agencies have committed to a complete enhancement of the myGov product from the ground up. As part of this, we’re looking at ways that myGov and private sector can be interlinked in order to provide a better service.

2. How much is the Government investing in Digital Identity?

The Australian Government is investing $256.6 million over the next two years as part of the Digital Business Package to expand Australia’s Digital Identity capability to a whole of economy solution and support economic recovery.

3. Can I use my Digital Identity as proof of identity for face-to-face services?

Digital Identity gives services the ability to proof a user’s identity digitally, thus removing the need for face-to-face interactions. Digital Identity’s current identity provider myGovID is completely digital. As other identity providers join the eco-system, they may provide an assisted digital experience (i.e. AusPost Digital iD).

4. What costs will a business using the service incur? Initial membership, ongoing association costs and transaction fees or both?

The DTA is currently consulting to develop a Charging Framework.

The intention is that the system will be free to use for individuals who want to prove their identity to access a range of online services.

5. Will banks be able to rely on myGovID as an identity provider given banks can only rely on reporting entities regulated by the AML-CTF Act to rely on third party KYC assessments?

The DTA has been working closely with AUSTRAC to ensure the Digital Identity System is specifically designed to help businesses meet their Know Your Customer obligations.

6. Will Digital Identity be able to be used for businesses where we need to verify that an individual is authorised to act on behalf of a business/ABN? For example, to lodge a BAS?

Yes. Digital Identity can now be used for business services.

7. Could I use myGovID if I work for an international organisation, for example, the UN?

For information on eligibility for myGovID, visit the myGovID website.

8. How will Digital Identity work? Will the consumer be provided with links to submit their Digital Identity and the business be provided with confirmation of identity for record keeping?

Australians have the choice of whether or not they want to set up a Digital Identity and which identity provider they would prefer to use. There, the user will be prompted for the information that is required to set up a Digital Identity. The information required will depend on what services you need to access and how strong the proof of identity needs to be.

Identity providers will be accredited under rules provided for in the legislation. They can then apply to be onboarded onto the Australian Government system. This ensures that identity providers need to meet high standards of privacy protection and data security to keep your personal information safe.

Businesses wishing to use the Australian system to verify the identity of their customers will need to be approved to join the system as relying parties. If approved as a relying party, a business will be able to use the system to verify a customer provided the customer has given their express consent for the identity information to be given to the business. The business will need to adhere to its existing record keeping obligations (for example, obligations under the federal Privacy Act).

Set it up once, and then reuse it whenever you are asked to prove who you are.
