The Digital Transformation Agency has been told to enshrine the privacy protections behind its Govpass digital identity platform in law to avoid function creep, particularly around the use of biometrics.
The advice was contained in a second privacy impact assessment [pdf] of the trusted digital identity framework (TDIF) governing the system, which also asked that less metadata be retained by the platform's identity exchange.
It comes just weeks after the government kicked off the first pilot of its myGovID digital identity credential - the other major technical component that makes up the Govpass umbrella program.
The TDIF underpins the national federal identity model that has been developed by the DTA to allow individuals to choose their identity provider and access a range of public and private sector services through a single digital identity credential.
It also provides the structure and controls to ensure all identity providers for the scheme are accredited and trustworthy.
But while this is “likely to have a positive impact on the protection of privacy”, the PIA, conducted by Galexia and published yesterday, advises that “confidence in the privacy standards would be boosted by some form of legislative backing”.
This includes better restrictions on the use of biometrics in the system, including that they must be destroyed once verification has occurred.
“The key TDIF restrictions on the use of biometrics are not set out anywhere in legislation, they are only contained in the TDIF accreditation requirements, which are policy documents that can be changed at any time,” the PIA states.
It said that legislation would help “ensure that participants are bound to the key privacy standards, and that the privacy standards will not change without public scrutiny”.
While agreeing to strengthen privacy requirements and exploring the "benefits" of legislation, the DTA stopped short of a commitment.
“The DTA is reviewing the benefits of legislation to support the TDIF, including to enshrine privacy protections,” it said in a response to the PIA.
“The DTA will explore ways to enshrine the TDIF Privacy Requirements in a ‘strong instrument’ including a legislative instrument or binding contractual rules.”
Further metadata restrictions needed
The PIA also raised concerns with one of two major platforms that make up the digital identity program – the Department of Human Services’ identity exchange infrastructure.
The gateway verifies an individual’s credentials without revealing their identity to service providers using the government’s document verification service (DVS) and face verification service (FVS).
Unlike the government digital identity provider, the Australian Taxation Office, which retains some personal data to manage identities – but not face images or identity documents, which are checked by DVS and FVS and then destroyed – the exchange is designed not to store personal identity data.
It will, however, retain some metadata as a means to identify possible identity fraud and suspicious transactions, including the time stamp and basic connection details of each transaction.
“The metadata identified the parties to each transaction, but does not include any other personal data that was provided during the transaction,” the PIA states.
This metadata would be accessible on request to the consumer concerned, to TDIF participants investigating identity fraud or suspicious transactions, and to law enforcement agencies.
But the PIA indicates the period that this metadata is retained “should be restricted”.
“Some concerns remain in relation to the collection, use and disclosure of metadata by the Identity Exchange – as this has a negative impact on key privacy issues (such as function creep and the potential use of TDIF data for surveillance and monitoring),” the PIA states.
It suggests that the exchange should only retain metadata for a short period such as for the “last 10-20 transactions or 12-18 months”, which the DTA said it was looking into introducing.
“We agree that we need to set a maximum period for retention of transaction data related to individual’s transactions in the Exchange,” the agency said.
However, the DTA advised there was a need to retain data “for longer than 18 months”.
“There will be some data that needs to be retained indefinitely for the person to use the system such as the links to their relying party services and IDPs and consent preferences,” it said.
“The DTA needs to do more work to test the use cases against the retention period and also understand what pieces of data need to be retained under the Archives Act and under the Information Security Manual.”
The PIA also noted that identity fraud investigations could require access to more than just the metadata held by the Exchange.
“The use of data to investigate identity fraud and suspicious transactions might require access to the meta-data held by the Identity Exchange, the enrolment data and logs held by IdPs, and the transaction data and logs held by relying parties,” it said.
“In more serious or more complex investigations, data from several sources could be required. It is anticipated that investigation of identity fraud or suspicious transactions could be triggered by users, TDIF Participants or third parties.”