On 1 October 2021, the Commonwealth government released an exposure draft of the Trusted Digital Identity Bill (Draft Legislation) for public consultation. The Draft Legislation supports the expanded rollout of the Digital Identity System to State and Territory government agencies, as well as the private sector.
After over a year of consultation, the Draft Legislation is now in Phase 3 of the legislation consultation process, which provides an opportunity for the public to provide feedback. The feedback is intended to guide the further development of the proposed legislation to support the expanded Digital Identity System in Australia.
What does the Draft Legislation do?
The Draft Legislation aims to provide individuals with a simple and convenient method for verifying their identity in online transactions with Commonwealth, State and Territory levels of government, as well as with private businesses, through the national Trusted Digital Identity System (TDIS).
It enshrines safeguards intended to protect the safety, privacy and security of stakeholders, and establishes an Oversight Authority that will accredit entities to join the TDIS.
Oversight Authority
The Oversight Authority is part of the governance regime for the Digital Identity System. It will have broad powers to develop, operate and maintain the Digital Identity System.
The Oversight Authority will be responsible for evaluating applications to join the Digital Identity System and enforcing the protections afforded to stakeholders in the Draft Legislation. However, the Australian Information Commissioner will remain responsible for oversight of compliance with privacy laws.
Accreditation and onboarding
Eligible companies and State and Territory agencies wishing to participate in the TDIS or alternative digital identity services will need to apply for accreditation to the Oversight Authority. The Draft Legislation includes a number of factors that the Oversight Authority must consider when reviewing an application for accreditation.
Once an entity has been accredited, it must apply to the Oversight Authority to be onboarded to the TDIS. The Draft Legislation sets out a number of conditions that the entity must comply with in order to be approved for onboarding.
There are two types of accreditation available:
1. Accredited entities
Under the Draft Legislation, eligible companies and State and Territory governments wishing to provide digital identity services must apply to become an accredited entity. The Draft Legislation introduces five classes of accredited entities: attribute service provider; credential service provider; identity exchange; identity service provider; or an entity as prescribed by the TDIS accreditation rules.
Accredited entities are subject to a number of obligations under the Draft Legislation, including:
- entering into a trusted provider agreement with the Commonwealth government in order to onboard to the TDIS;
- holding, storing, and handling digital identity information only within Australia unless an exemption applies;
- complying with TDIS service levels and technical standards as determined by the Oversight Authority;
- complying with new privacy obligations and protections; and
- maintaining adequate levels of insurance.
Accredited entities are also deemed to have entered into a statutory contract with each other accredited entity with whom they interact, agreeing to comply with its obligations under the Draft Legislation and applicable technical standards. Deemed statutory contracts also exist between each accredited entity and each relying party.
2. Relying parties
A company or State or Territory government entity that relies on digital identity information provided by an accredited entity in order to provide a service to an individual, or grant them access to a service, will need to apply to become a relying party. Relying parties are subject to limitations on the types of sensitive information they can obtain, unless express authority is given by the Oversight Authority.
Relying parties are also subject to obligations under the Draft Legislation, including being an Australian entity or registering as a foreign company prior to onboarding.
System safeguards
The Draft Legislation introduces safeguards to the TDIS intended to protect the privacy and security of personal information. These include:
- expanding protections under existing privacy laws, including for example by restricting uses of biometric data and providing individuals with the right to request an accredited identity service provider to deactivate their digital identity;
- prohibiting the disclosure of biometric information to law enforcement agencies;
- imposing privacy obligations (including regarding notification of eligible data breaches) on entities that do not currently fall under the Privacy Act 1988 (Cth) (Privacy Act), other than State and Territory entities if they are subject to State or Territory privacy laws that require a comparable level of privacy protection;
- requiring accredited entities to also notify the Oversight Authority of 'eligible data breaches' within the meaning of the Privacy Act; and
- prohibiting data profiling and the disclosure of 'single identifiers' (ie unique identifiers assigned by an accredited entity to an individual within a digital identity system).
Importantly, the Draft Legislation expands the definition of personal information under the Privacy Act to include 'attributes, restricted attributes and biometric information'.
The Draft Legislation also requires accredited entities to maintain service levels and technical standards as determined by the Oversight Authority.
Liability, insurance and penalties
Under the Draft Legislation, accredited entities have limited liability to each other and to relying parties if they provide, or fail to provide, the identity verification service in good faith, in compliance with the Act, and with the technical standards that apply to the entity.
Accredited entities may have to take out and maintain adequate insurance as directed by the Oversight Authority.
Corporations that breach the Draft Legislation can be fined up to $330,000 and/or have their accreditation suspended or revoked by the Oversight Authority.
Potential benefits for individuals, and the public and private sectors
The TDIS will provide a national platform allowing government agencies and businesses to securely collect, verify and exchange digital identity information. It will provide individuals with a simple and convenient method for verifying their identity in online transactions.
Through the expanded rollout of the TDIS, the Commonwealth government aims to promote economic advancement by building trust in digital identity services, thereby facilitating and encouraging the use of digital identities, online services and the interoperability of digital identity systems, and ultimately increasing the efficiency of the digital economy.
Submissions
Public submissions regarding the Draft Legislation are due by 27 October 2021.
We will continue to monitor the development of the Draft Legislation as it passes through Parliament.
MinterEllison provides full-service IT legal and consultancy services with extensive experience in privacy, data protection and software and IT service procurement. Please contact us if you would like assistance in understanding the Draft Legislation and the impact it will have for you, or if you would like to make a submission.