The Digital Transformation Agency says the federal government will need to enshrine its much-prized digital identity scheme GovPass in law before banks and state and territory governments can sign up.
DTA chief digital officer Peter Alexander told a senate estimates hearing last week that such legislation was necessary to formalise the standards that govern the national federated identity model under the trusted digital identity framework (TDIF).
“The main reason for that legislation requirement is as this system becomes national, for state and territory government to operate within it, but more importantly the private sector, there is a requirement for some legislation to govern the TDIF,” he said.
“We can apply a policy framework without legislation which federal government agencies need to use.
“But for state and territories and the private sector a policy isn't enough, we need legislation that would mandate, nationally, the operation of that framework.”
The confirmation that dedicated legislation for the scheme is on its way comes a year after the most recent privacy impact assessment (PIA) called on the DTA to enshrine the privacy protections behind the scheme in law in order to avoid function creep.
The PIA said legislation would help “ensure that participants are bound to the key privacy standards, and that the privacy standards will not change without public scrutiny”.
The DTA, which first issued the TDIF almost two years ago, is currently working to bed down the accreditation requirements for private sector entities to join the Australian Taxation Office and Australia Post as identity providers.
This would allow banks and other regulated private sector entities, as well as state and territory government, to become identity providers – a central tenet of the decentralised model envisioned by the DTA.
The process, which will complete before the end of 2019, will lay the groundwork for commercial sector TDIF assessment and accreditation, which covers usability, accessibility, privacy, protection, security, risk management and fraud control.
This ensures that individuals have the option to choose their identity provider when accessing a range of public and private sector services through a single digital identity credential – a key point of difference between the GovPass and the much-maligned Australia Card.
Earlier this week, the Reserve Bank of Australia said it had completed the first version of its framework for a new federated identity credential known as “TrustID”, which has been based off the DTA’s TDIF.
Last week's senate estimates hearing also heard that the ATO’s credentialing application known as myGovID, which is now available to both iOS and Android users, had been downloaded 81,000 times.
DTA chief Randall Brugeaud said that just under half - or 46,000 people - had now created digital identities using the solution since myGovID quietly entered public beta in June.
As at the end of June, almost 7000 myGovID digital identities had been created, according to the DTA’s 2018-19 annual report.
However, this figure is expected to rapidly increase over the next year, as the credential becomes compatible with six more services, including myGov, and replaces existing authentication solutions such as AUSKey.