Digital identity legislation up for consultation

The Digital Transformation Agency has kicked off public consultation on proposed laws for the government’s Govpass digital identity platform ahead of a planned “whole-of-economy” expansion.

The agency today released a consultation paper [pdf] seeking views on the development of the legislation, which will enshrine the platform’s privacy safeguards and governance structures in law.

It follows record funding in 2020-21 for the DTA – and its partner agencies, Services Australia and the Tax Office – to continue developing the opt-in system, including its own myGovID credential.

The legislation, which was first recommended in a privacy impact assessment (PIA) back in 2018, is necessary to allow state and territory governments, as well as the private sector, to use the system.

Only the ATO’s myGovID credential and Australia Post’s Digital iD credential are currently accredited under the Trusted Digital Identity Framework (TDIF) that sits behind the national federated identity model.

For such an expansion to occur, however, the government requires that the existing privacy and consumer safeguards in the TDIF be enshrined in law to regulate the operation of the system beyond the federal government.

The TDIF contains restrictions on data profiling and the collection and use of biometric information, as well as requiring “express consent before enabling user authentication to a service”.

Under the proposed legislation, the government will limit the collection of biometric information to “accredited participants who do proofing or authentication using biometric information”.

It will also require that “identity providers or credential service providers to delete biometric information once it has been used for the purpose for which it was provided” in line with the TDIF.

Identity providers or credential providers will similarly be prevented from sending biometric information to “any third parties not required to perform biometric matching or authentication”.

The proposed legislation will see biometric matching on the system limited to “one to one”, which is a key design feature of the decentralised model adopted by the government.

“This means biometric information collected through the system could not be used by identity providers or credential service providers to match against databases or digital galleries containing more than one person’s biometric template,” the paper states.

Other proposed features include a strict consent regime each time a user’s biometric information is used, and “penalties for misuse of biometric information obtained through the system”.

Penalties will be imposed for the “misuse or abuse of information used by the system”, with the legislation to set out the specific personal information that this will extend to, as well as “restrictions on the purposes for which information can be used”.

In a bid to ensure all organisations can be penalised for the misuse of data, the legislation proposes extending the Privacy Act to “private sector entities offering services as accredited participants” who earn under the $3 million revenue threshold.

“It is proposed that the legislation or operating rules would incorporate current TDIF accreditation requirements for small businesses to be subject to equivalent protections in the Privacy Act,” the paper states.

The legislation will require that private sector organisations or those organisations not covered by the Privacy Act seeking TDIF accreditation to submit a PIA, whereas at present there is no explicit requirement to do so.

A number of “permanent governance structures” will be established as a result of the proposed legislation such as an Oversight Authority consisting of the DTA and Services Australia.

The pair currently share responsibility for administration and oversight as the system’s interim Oversight Authority, though the consultation paper makes it clear that this is open for change.

Under the proposed legislation, the Oversight Authority will have the “power to set and maintain the operating rules for the system" such as accreditation of entities and approval of relying parties.

The Oversight Authority will also be tasked with determining the charging framework, which the government intends to determine “after consideration of stakeholder comments and relevant legal and policy issues”.

“A single charge will cover all participants’ activities, including the Oversight Authority’s activities where appropriate. They may include, for example, the activities an identity provider undertakes to create a digital identity,” the paper states.

“Given the overarching structure of the system, it is likely that a central organisation, such as the Oversight Authority, will need to set the charging framework and distribute funds to participants, as appropriate.

The charging framework will be developed in consultation with relevant parties.”

Submissions to the consulation - the first of many proposed by the DTA before the final legislation is released - will close on December 18.