The government has published an exposure draft of its long-awaited bill for the expansion of the country’s federated digital identity system to state and territory governments and the private sector.
The exposure draft, which is open for feedback until October 27, follows two previous rounds of public consultation over the last 12 months comes as the government prepares to introduce the legislation into parliament.
The Trusted Digital Identity Bill will enshrine the privacy and consumer protections behind the system, including some of those within the existing trusted digital identity framework (TDIF), in law and establish long-term governance arrangements.
New privacy protections that are in addition to those already provided through the Privacy Act will also be created through the bill, while grounds for the disclosure of personal information to law enforcement agencies will be tightened.
Since the publication of a position paper in June, the government has added a tiered system of accreditation for entities that seeks to distinguish between the “two distinct, voluntary schemes” in the bill.
The first is the “TDIF accreditation scheme”, which is for providers of identity services based on the policies and standards, while the “trusted digital identity system” refers to the government’s digital identity system.
The bill indicates that “entities may choose to participate in [the trusted digital identity system] as providers or consumers of identity services”, but they will subject to an additional set of requirements.
“Both schemes entail different benefits and levels of regulation which will affect an entity’s choice to participate in the trusted digital identity system, be accredited or neither,” a guide accompanying the bill [pdf] reads.
Applicants seeking accreditation will need to meet a number of conditions, including the trusted digital identity (TDI) rules – which exist separately to the bill – and the changing framework that is yet to be devised.
There are four types of TDIF accreditation: identity service provider, identity exchange, attribute service provider and credential service provider.
TDIF accredited providers will be subject to eight additional privacy protections not currently part of the Privacy Act, including a prohibition on data profiling and single identifiers, and restrictions on biometric information.
The bill also narrows the grounds for the disclosure of personal information to law enforcement agencies, with information only to be disclosed if the agency “reasonably suspects that a person has breached a law” or has “started proceedings against a person”.
TDIF accredited providers that operated with the government’s trusted digital identity system will be subject to addition protections, including ensuring there is no requirement for a person to use the digital identity.
Another requirements of entities participating in the trusted digital identity system is that the federal government’s identity exchange, which is operated by Services Australia, “undertake technical binding”.
The bill also broadens the definition of personal information under the Privacy Act to include “attributes, restricted attributes and biometric information” – effectively any “information that is associated with the individual” using the service.
State and territories without dedicated privacy legislation will need to enter into a contract arrangement requiring they meet the same level of privacy protections as the Australian Privacy Principles.
As previously disclosed, the legislation will establish a permanent Oversight Authority for governance, which will assess accreditation applications for both schemes and enforce some of the protections in the bill.
The Oversight Authority will have the power to suspend or revoke an entity’s accreditation, as well as fine “onboarded entities” up to $220,000 for onboarding without approval or failing to destroy, and up to $330,000 for holding digital identity information outside Australia.
While the government is still considering which agency is best placed to perform the role, the Digital Transformation Agency, Treasury and Australian Competition and Consumer Commission have previously been suggested.
Commenting on the release of the exposure draft, employment minister Stuart Robert said it was the next step in a multi-year journey to ensure the legislation is robust and fit-for-purpose.
“The draft legislation… will build on strong safeguards already in place, providing the authority for a consistent set of rules that will protect Australians and Australia businesses,” he said.
“We have been actively engaging all interest parties throughout the consultation process and this commitment to co-design and ongoing conversation continues with the opportunity to comment on the proposed legislation.”
The government is planning to introduce the bill in the spring sitting of parliament.