Private companies are a step closer to being able to seek accreditation to join the Australian Government’s digital identity scheme, ‘GovPass’ under the latest version of the project’s governing documents, the Trusted Digital Identity Framework (TDIF) released on 4 May 2020.
Version 4 of the TDIF, which will now remain current until July 2022, was released as the Digital Transformation Agency (DTA) prepares to test the biometric component of the program and signals the potential for the Commonwealth to monetise the use of the scheme by state and territory service providers as well as private companies.
What is GovPass?
GovPass refers to the Australian Government’s digital identity initiative, a multi-departmental program of work including policy and system design as well as technology development. The project is aimed at providing ‘whole of government’ digital identity credentials to Australians for use in accessing government services.
GovPass allows individuals to choose to merge separate digital identities maintained across a patchwork of service specific identity verification systems utilised by government departments and agencies. The result is a single digital identity recognised by all accredited services and protected by the minimum security and privacy standards that participating organisations are required to meet and maintain in order to participate.
Importantly, GovPass is expressly an opt-in program. Australians who choose to participate must also consent to their identity or attributes being disclosed to another party before that information may be disclosed.
How does GovPass work?
GovPass relies on the participation of multiple organisations playing a variety of roles that together maintain a digital identity ecosystem known as the Australian Government’s “Identity Federation”. These roles include:
- Identity service providers (“verifiers”) – government departments and agencies as well as non-government organisations who are accredited to verify the identity of a person seeking to use online services. Depending on the level of security assurance required for a particular service, this may require a user to provide identity documents and biographical information to meet familiar 100-point identity checks but may also involve biometric verification where a service requires a greater amount of confidence in a user’s identity.
Currently, the Australian Taxation Office (ATO) is the only organisation accredited to act as an identity service provider through its “myGovID” digital identity service however the DTA has signalled the inclusion of Australia Post, state government agencies and eventually financial institutions as identity service providers. Nearly 1 million Australians have already created a myGovID digital ID.
- Attribute service providers – government departments and agencies as well as non-government organisations that are accredited to verify particular ‘attributes’ about an individual that a service provider may rely on to provide their services.
For instance, the ATO may verify an individual’s relationship with a business under its Relationship Authorisation Manager (RAM) system.
- Digital service providers (“relying party”) – government departments and agencies as well as non-government organisations who provide public-facing online services via systems that require a user to verify their identity or an attribute. These parties rely on identity and attribute service providers verifying that a user is who they say they are or have a certain attribute required to receive a service.
- Identity exchange manager – Services Australia has been designated as the manager of the GovPass Identity Exchange which sits between an identity service provider and a digital service provider to protect a user’s privacy by anonymising the user and the service they are accessing.
The inclusion of biometric verification in the initiative may eventually include facial recognition under the Facial Verification Service (FVS) - one of a number of identity matching systems that could be shared by the Commonwealth as well as state and territory governments under the 2017 intergovernmental information sharing agreement. The DTA signalled to the Senate estimates committee on Community Affairs in a 5 March 2020 hearing that a mid-2020 date for the public testing of the biometric capability of the initiative was set, however the timeline for the launch of the entire project remained unclear.
How can private companies gain accreditation?
The process for accreditation under GovPass is set out under the TDIF and includes requirements for specified documentation, third party evaluation, operational testing and importantly, to aid confidence in the initiative, adherence to specific privacy requirements. Accredited organisations must also continue to meet certain standards that are reassessed annually by the DTA to retain accreditation.
Among the specific privacy requirements set out under the TDIF an applicant is required to:
- comply with the obligations on organisations subject to the Privacy Act 1988 (Cth) (Privacy Act) or the relevant state or territory privacy legislation and applicable privacy code. Importantly, these obligations will apply regardless of whether an organisation is otherwise exempt from obligations under the Privacy Act or the relevant state or territory and the requirements include the mandatory reporting of data breaches;
- have a designated “Privacy Officer” who acts as the primary point of contact for advice on privacy matters, handles privacy enquiries and complaints and prepares and maintains Privacy Impact Assessments (PIAs);
- have a designated “Privacy Champion” responsible for promoting a positive privacy culture, providing strategic leadership on privacy issues, privacy reporting obligations and responsibility for the organisation’s privacy management plan;
- commission a PIA to review the privacy impact of the applicant’s identity service and all high privacy risk projects related to the identity service.
While any organisation may meet the accreditation criteria only those with a fully operational digital identity service will receive accreditation.
While no date has yet been set by the DTA for when it will begin reviewing applications for the accreditation of private companies under version 4 of the TDIF, the TDIF states that organisations seeking accreditation should expect approval to take 9 to 12 months once an application has been submitted. The DTA notes that the approval process may be substantially shorter for organisations that are aware of the accreditation requirements under the TDIF and submit a complete application accordingly.
Authors: Mitch Bennett and Lesley Sutton