Watch our webinar about the proposed Digital Identity legislation consultation

December 15 2020

The Digital Transformation Agency (DTA) has been running a series of webinars about the consultation process on proposed Digital Identity legislation.

Have your say on proposed Digital Identity legislation

You can watch the webinar to find out about the proposed legislation and the questions participants asked. Have your say on proposed Digital Identity legislation until 5.00pm AEDT 18 December 2020.

Answering your questions on Digital Identity

What exactly is stored when someone creates a Digital Identity?

Where are Digital Identities stored?

Is Digital Identity voluntary or will it be a requirement for individuals?

Will the concept of giving consent be easy to understand? Can people opt out or withdraw their consent?

Is the legislation changing how biometrics are used on people’s devices and how biometrics are governed more generally?

What is the benefit of the Exchange?

Will a centralised log of the services the Digital Identity interacts with be created?

Are there any circumstances in which personal information can be disclosed to another party?

Will the legislation guarantee that personal information won’t be used for commercial reasons including data profiling or marketing?

Does the TDIF need specific safeguards around biometrics?

Why should a person share their personal details?

What prevents the private sector from establishing their own (competing) digital identity ecosystem in Australia?

Is it proposed that a government Digital Identity be the only type of digital identity in Australia or will there be private sector digital identity options as well?

How will the Australian Government’s myGovID work with other private sector identity providers in the market? Will there be difficulties in private sector companies operating under a government/private system?

If an entity is an identity provider accredited under TDIF, but also operates in another system (i.e. outside the Digital Identity system), is it anticipated that the proposed legislation would apply in all cases?

How will people feel about using a government credential for a private sector service?

Why is further legislation required when Australia has a Privacy Act and other laws?

How will privacy be protected in South Australia and Western Australia where there isn’t currently state legislation in place?

Will individuals have to pay to use Digital Identity? And if so, who will be charged?

What if a Digital Identity is used in a criminal activity?

 

What exactly is stored when someone creates a Digital Identity?

When you create a Digital Identity, you will need to give the identity provider some personal information, and information from traditional identity documents that help prove who you are. This could include information from your driver’s licence or birth certificate, or the type of information you would give in person at a bank or government shop front. 
 
Much like any other online service or digital system today, data is held by the identity provider that you choose to set up your Digital Identity with. This means it will be faster and more convenient the next time you access an online service because you have already verified your identity. Without Digital Identity, you will be required to supply the same information each time you access a service.

 

Where are Digital Identities stored?

Information used to create your Digital Identity is not stored on DTA servers. Digital Identity is what we call a federated system, which means there is no one place where Digital Identity is managed.  

The Digital Identity system is underpinned by the Trusted Digital Identity Framework (TDIF), which sets out strong rules around privacy, security and accessibility to make sure that Digital Identity works for everyone. 

Currently, the only identity provider is myGovID, which is managed by the Australian Taxation Office. It is subject to TDIF and has very stringent rules on security.

 

Is Digital Identity voluntary or will it be a requirement for individuals?

Digital Identity is opt-in. The system will not be mandatory, and it will not create a single identifier for people. Digital Identity is simply about providing people with a safe, secure, and easy way to access online services.

 

Will the concept of giving consent be easy to understand? Can people opt out or withdraw their consent?

The system is designed so there is transparency and control over what information you share. The system is constantly being tested with real people to ensure that concepts like consent and sharing of information are well understood. 

You will always have the right to revoke consent to share information and you can stop using Digital Identity at any time. 

 

Is the legislation changing how biometrics are used on people’s devices and how biometrics are governed more generally?

No. The legislation is designed to provide targeted and additional safeguards that are tailored to protect how biometric information is used within the Digital Identity system. 

Biometric information that is stored on your phone – that allows you to log in to your phone or access apps with your face or thumbprint – is not part of the Digital Identity system and therefore isn’t covered by the Digital Identity bill. The Privacy Act also includes specific protections for biometric information.

 

What is the benefit of the Exchange?

The Exchange enhances privacy as identity providers won’t see what services you are accessing, and services won’t know which identity provider you have used.

The Exchange also benefits relying party services as they only need to connect to one service and not multiple identity or attribute providers. It can also be a central place for people to provide consent and authorise the passing of attributes. 

 

Will a centralised log of the services the Digital Identity interacts with be created?

The Exchange stores information about which services your Digital Identity has interacted with. This means it knows if you have already provided information to a service and, therefore, has a record of the transaction in case of fraud. However, this data is separate from the identity details retained by the identity providers; those identity details are not stored on the Exchange.

One of the future features of the system includes the ability for you to view a dashboard that displays access logs of which services your Digital Identity has been used to access. 

Developing the dashboard was recommended in a Privacy Impact Assessment undertaken on the system. The dashboard will provide transparency over how and where your information has been shared, and help provide assurance that your Digital Identity has only been used for transactions you have authorised.

 

Are there any circumstances in which personal information can be disclosed to another party?

You are in control of what personal information you provide to the service you are using. You will always be asked to provide consent to share your personal information with a service.

 

Will the legislation guarantee that personal information won’t be used for commercial reasons including data profiling or marketing?

Privacy is a key design feature of the Digital Identity system. For example, the identity provider you choose to create your Digital Identity is bound by strict rules set out by the TDIF. This means your data can only be used for the purpose you have consented to. It is proposed that the Digital Identity legislation will limit data profiling, including prohibiting the use of this data for direct marketing.

The proposed Digital Identity legislation will play a key role in ensuring current security and privacy standards remain in place and continue to be applied as the system expands to include state, territory and private sector services.

This will ensure all Australians can be confident their personal information will remain safe and secure. You are in charge of your identity. It belongs to you, and you alone. It’s valuable and most importantly, it’s worth protecting.

 

Does the TDIF need specific safeguards around biometrics?

The biometric safeguards being considered for the proposed Digital Identity legislation will apply to the use of biometrics within the scope of the Digital Identity system. There are already safeguards under the Privacy Act on how biometric information is used more generally.

The proposed Digital Identity legislation is designed to give Australians assurance around how biometrics will be used within the context of the Digital Identity system.

 

Why should a person share their personal details?

Services will need to know something about you depending on what kind of service you're requesting from them. The system will only provide the information you have consented to share. If additional attributes are requested by the service, you will be asked to provide consent and have visibility of what information is being shared.

It is also important to acknowledge in today's world when you're accessing a service, sometimes you're providing more information than you actually need to. For example, if you're proving who you are using physical identity documents, you're showing everyone all the information included on your birth certificate. While the service might need to know that you're over 18, it may not need to know the date of your birth. In this way, Digital Identity is privacy enhancing and minimises the amount of data being shared.

 

What prevents the private sector from establishing their own (competing) digital identity ecosystem in Australia?

Nothing. The Government’s Digital Identity system is not and will not be mandatory. 

There are likely to be several private sector digital identity systems in place over the next few years. The TDIF supports private sector use and people will be able to choose who they create their identity with and what system they use to access services. 

 

Is it proposed that a government Digital Identity be the only type of digital identity in Australia or will there be private sector digital identity options as well?

The Government is not planning on limiting the number of digital identity systems in operation in Australia. 

The TDIF allows for multiple identity providers to operate within the Government’s Digital Identity system. People might choose their identity providers based on the type of service they’re trying to access or choose to create a digital identity with a different identity provider for work or personal use. 

 

How will the Australian Government’s myGovID work with other private sector identity providers in the market? Will there be difficulties in private sector companies operating under a government/private system?

myGovID is the Government’s identity provider operated by the Australian Taxation Office. As the Digital Identity system expands it will include additional identity providers, including those operated by the private sector. A charging framework is under development and will be needed to support the introduction of additional private sector identity providers. 

The Digital Identity system is designed as a whole-of-economy solution. The TDIF, and the proposed legislation, create common, transparent standards in relation to technical operability, proofing and other common issues that allow the private sector to join in the system. This will ensure that everyone is operating to the same requirements.

 

If an entity is an identity provider accredited under TDIF, but also operates in another system (i.e. outside the Digital Identity system), is it anticipated that the proposed legislation would apply in all cases?

The proposed Digital Identity legislation is intended to apply to participants operating within the Government’s Digital Identity system. Accreditation under TDIF doesn't automatically mean that the identity provider is operating within the Government’s Digital Identity system. Entities can go through the TDIF accreditation process, but not necessarily connect to the Digital Identity system. 

 

How will people feel about using a government credential for a private sector service?

They won’t have to. Choice is fundamental to the design of the Digital Identity system. The plan is to onboard a mix of public and private sector identity providers. You will have the choice of whether you set up your Digital Identity with public or private providers (or both). 

 

Why is further legislation required when Australia has a Privacy Act and other laws?

There are 3 main reasons for exploring further legislation: 

- To allow the expansion of the system to state, territory and private sector services.  

- To enshrine strict Digital Identity-specific privacy and consumer safeguards into law, so those standards can’t change without public scrutiny. This will give Digital Identity an extra level of integrity Australians have come to expect.

- To enshrine in law more permanent governance arrangements to best protect individuals who choose to create and use a Digital Identity and agencies and businesses relying on the system. 

It is important that the Digital Identity system is bound by high privacy, consumer and governance standards to give all Australians trust and confidence in the system and its capabilities.  

 

How will privacy be protected in South Australia and Western Australia where there isn’t currently state legislation in place?

There are already high privacy and governance standards set by the Australian Government.

Accredited participants in the Digital Identity system will be required to comply with the federal Privacy Act or equivalent state legislation. Where there is no equivalent state legislation, accredited participants, such as identity providers, will be expected to be bound by federal laws.

Each state and territory is responsible for the decision to introduce additional privacy laws for their own jurisdictions. Most states have already done so.

 

Will individuals have to pay to use Digital Identity? And if so, who will be charged?

It is intended that individuals won’t be directly charged to prove their identity or to use the system to access online services.

Charging principles will be developed as part of the development of the Digital Identity legislation. 

 

What if a Digital Identity is used in a criminal activity?

In the event your Digital Identity is used in a criminal activity, the same rules will apply as for any criminal investigation in Australia. 

 
