Trusted Digital Identity legislation: Exposure draft webinar
Fleur Anderson: Hello everyone. I'm Fleur Anderson, your host for the Digital Transformation Agency's Digital Identity Exposure Draft webinar. I'm here today with Jonathon Thorpe, DTA's General Manager of Digital Identity, and Juleigh Cook, the DTA's Head of Digital Identity.
Before we go any further, in the spirit of reconciliation, we acknowledge the traditional custodians of the country throughout Australia and their connections to land, sea and community.
We pay our respect to their elders, past, present, and future, and extend that respect to all Aboriginal and Torres Strait Islander peoples today.
This webinar follows a long consultation process on Digital Identity. This involves the release of a consultation paper last year that sought views on key concepts and principles. The DTA also released a position paper earlier this year to provide more details on the policies that have informed the development of the Digital Identity legislation.
Most recently, the DTA released an exposure draft to continue this consultation process regarding Digital Identity legislation, which will be introduced to parliament later this year. This webinar is an opportunity to learn more about the concept of Digital Identity, the progress of the legislation, and how to get involved in providing further feedback about the Digital Identity legislation before it's introduced to Parliament later this year.
Let's begin with Jonathon Thorpe, who is the DTA's General Manager of Digital Identity. Jonathon, can you give us a brief overview of what Digital Identity is and how it came about?
Jonathon Thorpe: Thanks Fleur. Digital Identity is a simple, safe, and convenient way for Australians and Australian businesses to prove who they are online. It's opt-in, so absolutely voluntary, which leaves the choice up to the individual as to whether or not they want to create and use a Digital Identity. It allows people to verify their identity, much like a digital version of a 100 point ID check.
You only need to set up your Digital Identity once, and then you can reuse it to access a range of online services, currently government services, without having to constantly prove who you are. Since 2015, the Digital Transformation Agency has been developing the Australian Government's Digital Identity System and the policies that sit behind it.
The System's already familiar to more than 4 million Australians who currently use it through myGovID, which is the Australian Government's Digital Identity provider. At the moment, Australians can use their Digital Identity to access more than 80 different government services. Today, 1.3 million businesses are already using Digital Identity, as I mentioned, and more than 4 million Australians have created their Digital Identity through myGovID.
So it's very clear that Australians want and need this System, and the timing's right to expand it beyond government services. To do so, legislation's needed to allow more state and territory services, as well as those across the private sector, to participate in this System. At the same time, it's vital we enshrine in law the necessary consumer safeguards to ensure everyday Australians and Australian businesses can use this system safely, even as it expands.
Consumer privacy and security protections introduced through the legislation will mean Australians can have confidence in the System as it expands and know their personal information is safe and secure. Permanent governance arrangements and strong regulatory requirements will protect the system and the people that choose to use it.
We know that many Australians find that proving their identity over and over again can be time-consuming, so we want to change that to save people time and money.
Fleur, for example, a small business owner can not only use their Digital Identity to interact with government, but also reuse it safely to access Medicare for their family, complete their tax return, or apply for government payments, such as paid parental leave. For students, Digital Identity opens up a range of important services too. With a Digital Identity, a student can create a Unique Student Identifier or USI, and manage it. They can also apply for government support, defer university payments using their tax file number and access any other services that are relevant to them as a student.
Fleur Anderson: What other kinds of benefits are we already seeing for businesses and individuals who have chosen to create and use their Digital Identity?
Jonathon Thorpe: First of all, Fleur, we know that Digital Identity saves people time and money because there are millions of people already using it through myGovID. One great example is when we look at the requirements to apply for a tax file number, or TFN, for short. Without a Digital Identity, you'd have to get a paper form from the ATO, download it, print it, complete it, and then visit a government shopfront or Australia Post outlet to certify your identity documents in person. After that, you'd have to wait up to 28 days to receive a letter in the post advising of your new TFN. Now, with a Digital Identity, it's a much shorter and simpler process. You can apply for a TFN online securely, conveniently, prove your identity using your Digital Identity and get your TFN instantly. With a Digital Identity, the whole process takes you less than 10 minutes. That's compared to the current 28-day service standard. Thousands of Australians are already taking advantage of this shorter process with 6,500 TFNs issued using myGovID in just a few weeks.
Another example is when people need government support and are asked to apply for a CRN or Customer Reference Number. Over 2,000 CRNs have been issued using myGovID in just the first week of this service being available. Doing so online is now possible using myGov. The process is fully digital and certified under the Trusted Digital Identity Framework, otherwise known as TDIF. Instead of having to visit a Services Australia service centre in person, you can now safely prove who you are using your Digital Identity. The process is very simple. It asks for you to consent, to take a selfie, and it matches that selfie against your photo ID that you've provided.
Applying for a CRN online cuts down significant time for people navigating through government payments. This is exactly what Digital Identity is about: saving people time and money. Fleur, as you can see, Digital Identity has a wide range of benefits. It's also a key aspect of the Australian Government's Digital Economy Strategy. It allows Australian businesses, in particular small businesses, to capitalise on the opportunities that digital technologies are creating.
This will allow them to grow and create jobs as part of Australia's economic recovery post-COVID. Making the most of systems like Digital Identity is critical to that recovery, as well as our longer-term economic and social development.
Fleur Anderson: Juleigh, we'll come to you now. You are the head of the Digital Identity program. Could you take us through the legislation in more detail, and why is it needed and who is it for?
Juleigh Cook: Put simply, Fleur, the legislation is essential for three main reasons. Firstly, the legislation will enshrine in law a range of privacy and consumer protections. This means that any privacy and security safeguards won't be able to change without public scrutiny and that Australians will know that their personal information is securely protected by law.
Secondly, it'll allow the system to expand beyond just Commonwealth Government services to cover services across state and territory governments, as well as the private sector.
Lastly, the legislation will provide the governance arrangements necessary to ensure public trust and confidence in the system, through a permanent Oversight Authority that will be independent, transparent, and accountable. It'll also harness the Office of the Australian Information Commissioner.
This will make sure that any privacy aspects of the Trusted Digital Identity system or its accreditation scheme are managed by Australia's independent national privacy regulator. Overall, legislation will give Digital Identity the extra level of integrity the community has come to expect. It's about making sure the high standards we enjoy today are still in place in the future as we use Digital Identity to access a greater range of online services.
Fleur Anderson: As we have mentioned, the DTA has recently released an exposure draft on the legislation. Juleigh, can you tell us, what does the legislation cover? What's in it and what isn't?
Juleigh Cook: Firstly, Fleur, to make sure we get this right, we consulted widely with everyday Australians, businesses, different levels of government and the private sector, as well as privacy, security and industry specialists. They've all helped us to get to this point.
The legislation itself is essentially a package made up of three levels of legislative instruments that will govern how the Digital Identity system will work. They include the Trusted Digital Identity Bill, the TDIF rules and Trusted Digital Identity or TDI rules and the technical specifications. The Trusted Digital Identity Bill will enshrine in law the Australian Digital Identity System and a Digital Identity accreditation scheme. It contains the privacy and consumer safeguards that will keep Australians safe. It will create an enforcement and penalties regime to accompany those protections. It also covers the Minister's ability to appoint an independent Oversight Authority.
The TDIF accreditation and TDI rules provide additional legally-binding rules. The TDIF accreditation rules provide the requirements for entities onboarding and maintaining accreditation under the TDIF, whereas the TDI rules provide more detail around matters such as record keeping, reporting and applications for onboarding.
Lastly, the technical specifications or standards will outline technical information, features and requirements for entities to onboard to the system. Please note that these are not included in the exposure draft package that was recently released. This is because of the rapid pace of technological change. However, these technical details are already covered in TDIF so there'll be no surprises. We'll also continue to leverage best practice and international standards.
This approach allows the Digital Identity system to keep up with innovation and technological changes well into the future. These inclusions in the legislation mean that any organisation offering services in the Digital Identity system has to meet strict standards through audits each year. What is important here is that we're not operating alone. The TDIF is based on a range of well-known international industry standards.
As I've mentioned, we've been consulting widely over the past few years. Our consultation includes Commonwealth agencies, the states and territories, the Office of the National Data Commissioner, privacy commissioners, privacy and consumer groups, industry peak bodies, and the broader community. All of this has helped inform the development of the system and the TDIF.
I urge all of you joining us today to take a look at the exposure draft that we've released. We'll provide all the details on how you can find it closer to the end of our session.
Fleur Anderson: Juleigh, our discussion today follows a long consultation process on Digital Identity. What changes have you made as a result of the previous consultations?
Juleigh Cook: Over a number of years now, we've consulted broadly to help inform and shape this legislation and our policy positions. Thanks again to everyone who made a submission to the first consultation paper in 2020 and the position paper that was released earlier this year. Along the way, we've engaged with individuals, governments, regulatory entities, privacy advocates, compliance scheme representatives, corporate Australia, small business, peak bodies, and our international counterparts.
We've listened and made sure to consider all of your feedback. It's been crucial in providing us with different viewpoints that we've worked very hard to balance to ensure that this legislation reflects the Australian Government's position, but also integrates the important feedback we've received from you, the community. These insights will help us expand the Digital Identity system and make sure it meets the needs and expectations of the community as more and more Australians and Australian businesses use it.
Part of taking on this feedback has involved balancing divergent views on issues such as law enforcement access. In this case, we've considered submissions from federal, state and territory agencies, as well as privacy advocates who've all put their views forward on the level of access law enforcement should have in relation to this system.
Given the scale and sensitivity of the information within the Digital Identity system, our legislation raises the threshold for law enforcement access, and contains additional privacy safeguards, such as in relation to biometric information. These safeguards all add to the protection already provided by the federal Privacy Act. We think this is the right balance to make sure people have trust and confidence in the system and transparency on how their information is being used.
I'd like to point out some other key changes that have been made since the release of the position paper. Firstly, we've clarified that onboarded accredited entities, such as identity providers must help consumers impacted by a cyber security incident or fraud, in addition to the assistance provided by the Oversight Authority. We've added and strengthened consumer protections around how important information such as your TFN and Medicare details are shared on the system. These are now on the list of restricted attributes in the legislation so they're subject to additional protections.
We've clarified the obligations of accredited entities when operating within the Digital Identity system versus those entities that choose to be accredited and not operate in the Australian Government's Digital Identity System.
We've refined certain definitions to provide further clarity. For example, certain types of information such as ethnic or racial origin and political opinion have been excluded from the definition of an attribute. This will mean that accredited entities can't include this type of information in the creation or use of a Digital Identity under any circumstances. We've ensured that the entities that are offboarded from the system will now only be required to keep records for three years, a reduction from our previous policy position of seven years.
Lastly, as Jonathon mentioned, we've introduced new restrictions relating to access to and storing of data outside of Australia.
Fleur Anderson: Juleigh, can you walk us through how the legislation will allow the Digital Identity system to be interoperable? What exactly does interoperability mean?
Juleigh Cook: Absolutely, Fleur. As I've mentioned, the legislation is essential to giving Australians confidence in using the system and knowing that their personal information is safe and secure. It's also vital for the system to expand to provide access to services across all levels of government and the private sector. Interoperability means that in the future, the Australian Government's Digital Identity System can operate together with other identity systems, both here and overseas.
We know that interoperability is important for business as well. It gives them the assurance that regardless of which digital identity system their customers use, they'll operate, wherever possible, within the same rules, regulations, and experience for users. Fleur, as you can see, interoperability is vital to ensure that as the Australian Government's Digital Identity System evolves, we are operating under the same rail gauge, meaning consumers can be confident of high standards across the board.
Fleur Anderson: Juleigh, you mentioned that the Trusted Digital Identity Bill will include high level rules to allow the system to be expanded, maintained, and regulated. Also that the Minister can appoint an independent Oversight Authority. Can you tell us a little bit more about this?
Juleigh Cook: The Oversight Authority is responsible for governing the Digital Identity system. It'll be independent, transparent, and accountable. An interim Oversight Authority is already in place with the DTA and Services Australia playing some of those key roles today. The IOA assists users in the event of a fraud, and manages the onboarding of new participants and the day-to-day operation of the system.
When the legislation is passed, the Oversight Authority will be appointed by the Minister for up to five years and will have a dedicated staff to assist them. They'll also take on new functions, such as enforcing some of the new protections in the legislation. We want to make it clear that the Information Commissioner will of course continue to play an important role in ensuring the Digital Identity system is properly regulated to make sure it's safe and secure for everyone who chooses to use it.
Regulation on privacy matters will still be the role of the Information Commissioner, whereas regulation on non-privacy matters will fall to the Oversight Authority.
Fleur Anderson: Juleigh, does the legislation make sure that onboarded accredited service providers, for example, who do the wrong thing within the system, are held to account and liable for their actions?
Juleigh Cook: Absolutely, Fleur. We've made sure of that because we know how important this is to uphold the high standards expected with a system like this. The legislation actually leverages a statutory contract model, which is used in the Consumer Data Right legislation that some of you may already be familiar with. This contract means that every accredited entity, such as an identity service provider that onboards to the system, has to contractually agree to comply with obligations under the Trusted Digital Identity Bill and the technical standards required to operate within the system. In the event of a breach of that statutory contract, this allows other parties to apply to the federal court for remedies, including compensation and legal compliance orders.
Redress is there to provide support for people and businesses if they're affected by a cyber security or Digital Identity fraud incident. The legislation requires onboarded entities to take steps to assist people and business if such things happen. There's an extra layer of protection and support provided by the Oversight Authority too.
We've been very measured in our approach on this. As such, onboarded accredited entities will have no civil or criminal liability in relation to the services that they provide as long as they have complied with all of their obligations and have acted in good faith.
Fleur Anderson: Now let's take a closer look at security. Jonathon, returning to you now. How does the system protect the privacy of consumers and businesses?
Jonathon Thorpe: We know how important it is for people to have trust in the Government system. People want to know who they're sharing their information with and be confident their privacy is protected. With the Digital Identity system, your information is shared with chosen service providers and only with your consent, protected by strict security protocols set by the Australian Government, including requiring all accredited entities to adhere to additional privacy safeguards.
Digital Identity uses technology along with the security features already on your device to protect an individual's identity and stop other people accessing your personal information. This technology includes things like touch ID, face ID and passwords. These security features already on your device are used for your convenience. Many people are already using these same features every day to do things like banking.
Importantly, the legislation contains a protection, specifically designed to prevent profiling, which significantly restricts providers from disclosing any information about an individual's access and use of the system. It also contains a separate protection designed to stop the system being used to support a single identifier of any kind. This means personal information remains private and protected.
Fleur Anderson: The legislation will ensure our Digital Identities are protected and used only with our consent. However, there is an important question for users: will law enforcement agencies be able to access our Digital Identities?
Jonathon Thorpe: Well, the legislation sets out extra protections around consumers' Digital Identities, especially biometric information. For example, a person's photo used to create their Digital Identity cannot be disclosed to law enforcement under any circumstances. Much the same as any other digital system in Australia, lawful access to other non-biometric personal information is protected.
Law enforcement agencies can only be granted access if they have a warrant, have started proceedings against a person, or reasonably suspect that a person has committed an offence, or breached a law imposing a penalty or sanction. These provisions are designed to prevent law enforcement agencies from using the system for surveillance or intelligence gathering where a suspect or an offence has not been identified. It's also referred to as speculative profiling.
Fleur Anderson: Juleigh, it's quite clear to me that the Digital Identity system will continue to evolve and develop in the months and years ahead. What does that road before us look like?
Juleigh Cook: Fleur, as you know, we're at the exposure draft stage of this legislative consultation process. There's still more work to be done. We'll continue to consult on Digital Identity to give everyday Australians further opportunities to have their say, particularly when it comes to the finer details and design of this system.
The legislation needs to address the changing needs of the community and technological advances over the longer term. On elements like its ongoing financial sustainability, we'll be consulting with you further before the legislation is enacted.
Fleur Anderson: On that, Juleigh, one thing that we're yet to cover is, who pays for the Digital Identity system? Is this covered in legislation?
Juleigh Cook: The Australian Government has made significant investments in what is a world-class Trusted Digital Identity system. I'll reiterate what I've said in previous consultations, and that is that we will not be seeking to retrospectively recover the costs of the design and build of the Digital Identity system. What we would like to see over the long term is a Digital Identity system that is financially sustainable without the need for ongoing government funds.
To support this outcome, we're developing a Charging Framework following the Australian Cost Recovery Guidelines, as produced by the Department of Finance. We are only in the early stages, but we believe charging should be fair, simple, and transparent. It should encourage the adoption of the system, be scalable and adaptable over time, and as I mentioned, eventually ensure the financial sustainability of the system.
The important thing to note is that consumers will not be charged for using Digital Identity to prove who they are. Before the legislation is enacted, we'll continue to consult with Commonwealth agencies, states and territories and the private sector to test, co-design and refine our preliminary view on a Charging Framework. This will help develop the services, charging components and mechanisms required to support a Digital Identity system that can be used across the whole of the economy.
This future framework will ensure organisations will be charged fairly, aligned to market-based pricing and set according to the value and complexity of the services they provide. Charging arrangements will be subject to ongoing consultation, regular review, and independent oversight. Additional domestic and global research will inform and support the development of the Charging Framework.
We've started working on broad consultation in relation to this, and we'll continue calling on the community for its views in the months ahead.
Fleur Anderson: Juleigh, another concept worth mentioning is the trustmark in relation to the accreditation of the Australian Government's Digital Identity System. What is a trustmark and why is it important for Digital Identity and the legislation?
Juleigh Cook: A trustmark is important for building confidence, but also for helping consumers to clearly and easily identify when they are using identity verification services that are covered by this legislation and when they're not. There are two types of trustmarks. One is for accredited entities proving that they are accredited under the Trusted Digital Identity Framework, and one is for participating or relying parties operating within the Australian Government's Digital Identity System.
We expect that over time, it will become a valuable asset to accredited service providers. The legislation sets out penalties for any unauthorised use of the trustmark. This is about consumer confidence. We want to ensure that Australians and Australian businesses have the confidence to use their Digital Identity and feel reassured that they're using a system that is safe and secure.
Fleur Anderson: Juleigh, in terms of legislation, what can we expect to see next?
Juleigh Cook: As we move towards the legislation entering the parliament later this year, we're now seeking feedback on the exposure draft. Today's webinar is an opportunity to ask questions during this final consultation phase, before the draft legislation is considered by Parliament.
We appreciate that with a program like this, there will be a number of issues raised where there are different views in the community and amongst our stakeholders. It's for this reason that we wanted to meet with you, to provide visibility of some of those sensitivities. We strongly encourage your feedback within the next few weeks. The consultation period is open until 5:00pm on Wednesday, October 27th. It will help shape one of the most important transformations in the Australian digital landscape, a transformation that will offer a system that is tested and trialed with real people.
Fleur Anderson: Thanks, Juleigh and Jonathon, for such a comprehensive overview of Digital Identity. We hope these insights have been valuable for all of you and given you a better understanding of the Digital Identity system and the Trusted Digital Identity legislation, which will be introduced to Parliament later this year.
For more information about the development of Digital Identity in Australia, please go to the Digital Identity website, or contact the DTA by sending an email to email@example.com.