The federal government has provided the most comprehensive look at planned legislation for the expansion of its federated digital identity scheme to state and territory governments and the private sector to date.
The Digital Transformation Agency on Thursday released a position paper [pdf] for consultation ahead of the planned introduction of the legislation, dubbed the ‘Trusted Digital Identity Bill’, to parliament in “late 2021”.
It follows a first round of public consultation last year on the development of the bill, which will enshrine governance and privacy protections, including some of those within the trusted digital identity framework (TDIF), in law.
The legislation is necessary for state and territory governments, as well as the private sector, to apply for accreditation. Only the Australian Taxation Office’s myGovID credential and Australia Post’s Digital iD credential are currently accredited under TDIF.
It is expected to “include subject matter that will not need to regularly change to keep pace with technical developments”, with other rules, written guidelines and policies to “outline technical information and requirements detailing how the system operates”.
The paper reveals few changes to the scheme's planned whole-of-economy expansion since the first consultation, with privacy and consumer safeguards and plans for an independent Oversight Authority – which will assume the DTA’s interim role – the same.
While the DTA is still “considering which agency is best suited to provide staff to the Oversight Authority”, it has suggested either Treasury, the Australian Competition and Consumer Commission or the Department of Prime Minister and Cabinet.
The planned accreditation of government agencies and private sector firms also remains largely the same, though the DTA appears to have added a second tier for those wanting TDIF accreditation but not wanting – or ready – to participate in the system.
Those entities, dubbed ‘TDIF providers’, will need to meet the same privacy standards as ‘accredited providers’, though will not be subject to the liability and redress framework, charging and most civil penalties.
“This means government bodies or companies which choose to be TDIF-accredited for roles they perform in their own digital identity systems can rely on TDIF accreditation to build trust in their systems without being subject to the entirety of the legislation,” the paper states.
One key change to the proposed legislation is a planned ‘interoperability principle’ that will require “participants generating, transmitting, managing, using or re-using digital identities to provide a seamless user experience with the digital identity system”.
Under the principle, identity providers will be “expected to provide their services to any relying party”, while relying parties will need to “provide their customers with a choice of identity providers”.
The Oversight Authority is expected, however, to offer exemptions to identity providers and relying parties in “limited circumstances” such as when there are “legitimate security concerns warranting an identity provider not to be used by a relying party”.
The position paper also clarifies that participants will not be prohibited from “connecting to and participating in other digital identity systems” after some private sector stakeholders raised concerns during the first round of consultation.
But participants that choose to do so will need to “put in place technical and business solutions” that “clearly delineate which digital identity activities are conducted through the digital identity system and through another digital identity system”, for instance.
On the privacy front, state and territory government agencies participating in the scheme “will now have greater ability to adhere to local privacy legislation instead of federal privacy law, where legislation exists in their jurisdiction”.
“This change is designed to provide greater flexibility and autonomy for state and territory agencies to align with other federal legislation and make it easier for state and territory government entities to participate,” the paper states.
State and territory government agencies not subject to the Privacy Act or a comparable notifiable data breaches scheme will also be required to provide a statement to the Oversight Authority if a suspected data breach has occurred.
Other additional privacy rules have also been added, including “more flexibility for the Oversight Authority to make additional rules about profiling and keeping biometric information, and new prohibitions on both speculative and behavioural profiling”.
The legislation is also expected to ensure digital identity remains voluntary for individuals, though there will be circumstances where a relying party can apply for an exemption “to the requirement of providing an alternative channel to digital identity to access their service”.
Other key features of the digital identity system will also be embedded in the legislation, including a requirement that “identity providers and credential service providers… delete biometric information when the purpose for which it was provided is completed”.
The position paper details no changes to plans to introduce a charging model to “retrospectively recover the cost of the design and build of the initial system”, despite opposition from some state governments and industry groups.
The government will not charge “users for the use of digital identity”, though the legislation is not expected to “regulate fees charged by relying parties to an individual wanting to access its service(s) using the system”.
Submissions to the consultation will close on July 15.