Proposed expansion of Australia’s Digital ID system
The Australian Government has commenced consultation on draft legislation for a Digital ID system able to be used by both the public and private sectors, with the primary purpose of assisting in combatting fraud and cybercrime.
Context for the proposed regime
On 19 September 2023 the Australian Government published an exposure draft of the Digital ID Bill 2023 (Bill) for consultation. At the same time, it commenced consultation on the related draft Digital ID Rules and draft Digital ID Accreditation Rules.
Australians typically need to provide ID documents for identity verification purposes when applying for services, whether those are federal or state/territory government services or services provided by the private (business or not-for-profit) sector. Not only is it time consuming for individuals to repeatedly provide these identity documents to different entities, there are also significant data breach and loss risks associated with multiple government and private sector entities holding details of the identification documents of Australians. This risk has been highlighted by a number of high-profile data breaches over the last year involving, for example, a national health insurer and a national communications company.
To address these issues in the public sector, the Australian Government already has in place a Digital ID system (known as AGDIS), which relies on the use of myGovID. While that system is used by millions of Australians, AGDIS is limited to specific federal and state/territory government services. The Government has acknowledged that there is a need to have a broader Digital ID system.
Why is the new regime required?
The primary intent of the Bill and the associated instruments is to establish a secure form of online identity verification which may be used by both the public and private sectors and which is not limited in the same manner as the existing AGDIS, as well as to provide for the expansion of AGDIS.
Both the public and private sectors face an ongoing dilemma. These entities often need to verify the identity of individuals. This may be required to comply with particular laws. For example, telecommunications providers need to check (and retain records of) an individual’s identity prior to providing them with a mobile phone or other telecommunications services. This may also be required to minimise the risk of fraud – for example, when accessing Government payments through Services Australia or when dealing with a bank or other financial institution. At the same time, these entities also seek to protect the individuals that they interact with, including by limiting the amount of personal information that is held as a means to assist in minimising risks of loss arising from data breaches.
The proposed Digital ID system will address this dilemma by taking care of identity verification without individuals needing to directly provide sensitive personal information which must then be retained by the relevant entity. Of course, the implementation of such a system will also save time for individuals, by providing a much easier means to verify their identity.
The Government’s view is that the proposed regime will have clear economic benefits. By assisting in protecting individuals and businesses from scams and identity crime, the regime will reduce, at least in part, the annual economic impact of those activities, which currently cost more than $3.1 billion each year.
The Government has been at pains to make clear that the Digital ID system will be voluntary, and individuals will not be required to use it. This reflects the need to address perennial community concerns which were first raised in connection with the controversial “Australia Card”. The Australia Card was intended to be an identification card for all Australian citizens and residents, and was first proposed in 1985 as a means to limit tax avoidance and fraud. That proposal was widely criticised at that time as an onerous government oversight measure and legislation to implement that regime was ultimately not passed by the Australian parliament.
Core provisions of the Bill
The Bill has four pillars.
- Digital IDs will be able to be created by accredited service providers. The proposed accreditation scheme, which will be voluntary, seeks to ensure that providers meet high standards of privacy and security in respect of the personal information that they collect. User experience will be important, with providers required to meet accessibility and usability requirements.
- The AGDIS will also be expanded. The Australian Government has noted that Australians may currently use that system to access over 130 government services. In future, not only would AGDIS be able to be used for a greater range of federal or state/territory government services but it may be used by private sector entities, if they choose. In addition, forms of Digital ID other than myGovID will be able to be used within AGDIS.
- To ensure a robust governance framework, the Australian Competition and Consumer Commission (ACCC) will be appointed as the “Independent Digital ID Regulator”, tasked with overseeing the accreditation scheme, the operation of the Digital ID system more broadly and the management of the proposed “trust mark” for the providers. The Australian Information Commissioner will be the privacy regulator under the system.
- The Bill also provides for strong privacy and consumer protections, including additional privacy protections that apply over and above the protections in the Privacy Act 1988 (Cth). To take one example, personal information collected under the system will not be able to be held outside Australia.
The role of the ACCC and the Australian Information Commissioner
The role played by each of the ACCC, as the Independent Digital ID Regulator, and the Australian Information Commissioner will be critical in ensuring that the system is trusted by Australians. Without a strong level of trust that their personal information will be protected, Australians simply will not use the system.
The ACCC will be responsible for:
- accrediting Digital ID services under the legislated Digital ID Accreditation Rules;
- approving the services that may participate in the AGDIS; and
- using its investigative and compliance powers to ensure Digital ID providers and services comply with the legislation.
The Australian Information Commissioner’s role will be to regulate privacy-related aspects of the Digital ID accreditation scheme so as to protect individuals who choose to use an accredited Digital ID provider.
Details of the consultation process for the exposure draft may be accessed here. The Government has sought input in three ways, namely through:
- a “quick and simple survey” on key aspects of the Bill;
- submissions relating to the Bill and the associated draft Digital ID Rules; and
- submissions on the draft Accreditation Rules for Digital ID providers.
The consultation on the first two items closes on 10 October 2023, while submissions may be made on the draft Accreditation Rules up to 31 October 2023.
The Government is putting forward the new Digital ID system as one of the ways it is responding to the increase in data breaches – both in terms of scale and the potential for harm to Australians – and to concerns held by individuals regarding the use of their data. This proposal sits together with the Government’s National Strategy on Identity Resilience, the establishment of the ACCC’s National Anti-scam Centre, the introduction of an Identity Verification Services Bill, as well as proposed reforms to the Privacy Act and the soon-to-be-announced Cyber Security Strategy 2023-2030.
This is an ambitious agenda, but the Government is to be commended for putting in train processes to protect its citizens.