The Digital ID Bill 2024 passed Parliament last week. 

In the coming months, the associated Digital ID Act 2024 (the Act) will establish an Australia-wide framework for digital ID which allows for both government and private sector participation. Against the backdrop of ever-increasing cyber threats, the government has said that the legislation will give individuals greater control over their information and the way they transact with government and private entities and provide assurance to consumers that their privacy and security is protected while streamlining and simplifying identity-related processes for business and government.

How did we get here?

This milestone has been years in the making. The Australian government has been exploring frameworks for strengthening online trust and identity management since as early as 2010. The most recent and comprehensive of these, the Trusted Digital Identity Framework (TDIF), was introduced by the Coalition government and developed over several years, starting in 2015. TDIF was a key part of supporting the government’s digital transformation agenda and the result of a government commitment to develop a “national strategy for a federated-style model of trusted digital identities”, in consultation with the private sector. 

TDIF established: 

• the rules for the Australian Government’s Digital Identity System (AGDIS), which facilitates the use of government-issued digital IDs (currently myGovIDs) by individuals accessing government services; and
• an accreditation scheme for providers of digital ID services in the government and private sectors. 

AGDIS is now a well-established system, with over 12 million myGovIDs in use. The accreditation system is already operational: accredited entities operating within AGDIS are the Australian Tax Office (which has operated myGovID since launching it in 2019 and is the government’s digital ID provider) and Services Australia (which operates the ID exchange which facilitates the use of digital IDs); while private entities have been accredited as identity and credential providers and to operate identity exchanges that securely transfer information (Australia Post (which operates the Digital iD service), IDVerse (IDKit), Mastercard (ID), Australian Payments Plus (which operates ConnectID) and Makesure Consulting (RatifyID)).

What’s changing?

Legislated Accreditation Scheme

A new scheme will replace and build on the current TDIF scheme for accreditation, in particular by strengthening enforcement mechanisms and establishing civil penalties for non-compliance. The scheme will continue to be voluntary and will allow for accreditation of identity service providers, attribute service providers and identity exchange providers. However, once an entity is accredited, it will be subject to the additional privacy safeguards established by the Act (with the Information Commissioner empowered to penalise breaches, as discussed below). 

Phased expansion of AGDIS

A phased expansion of AGDIS will see states and territories initially able to apply to participate in AGDIS as users or providers of accredited digital ID services, with expansion to private sector entities within two years. Phase 1 and 2 will enable the reciprocal use of digital ID and attribute providers in Commonwealth, state and territory services. Phase 3 will allow the use of government digital ID and attribute providers in private sector services and, in Phase 4, the use of private sector digital ID and attribute providers will be enabled in some government services.

Privacy protections

The Act provides several protections for personal information, which are in addition to, and build on, the safeguards already contained in the Privacy Act. They include:

• establishing a regime that effectively requires any accredited entities not subject to the Australian Privacy Principles in the Privacy Act (APPs) to nevertheless comply with its requirements, by prohibiting them from handling personal information unless comparable protections apply or they have entered into an agreement with the Minister prohibiting them from any conduct that would breach the APPs (with any contravention of that agreement deemed to be an interference with the relevant individual’s privacy, under the Privacy Act);
• specifying that accredited entities must comply with the eligible data breach notification requirements in the Privacy Act, regardless of whether that act applies to them, and requiring notification of data breaches to the Digital ID Regulator (see below) in addition to the Information Commissioner;
• prohibiting or restricting the way certain types of information can be handled, including certain personal information, health information and government-issued identifiers (requires the individual’s consent); certain sensitive information (must not be collected, with a subset of sensitive information able to be collected with consent); biometric information (specific rules apply, including about destruction of such information) and unique identifiers assigned by the accredited entity (certain requirements must be met, which effectively require accredited entities to create different identifiers when disclosing to different accredited entities, to prevent identifiers from being distributed to more than one entity, which could enable individuals to be tracked across services or encompassing profiles collated for them);
• providing that a digital ID that has been deactivated at the request of the individual must not be used by the accredited identity service provider or reactivated without their express consent; and
• imposing reporting requirements on law enforcement agencies and enforcement bodies, that request or require an accredited entity to disclose the biometric information or other personal information of an individual.

Role of the ACCC and the OAIC as Digital ID Regulator

The Act will establish the Australian Competition and Consumer Commission (ACCC) as the Digital ID Regulator to provide accountability for, governance over and oversight of the accreditation scheme and AGDIS. The Act confers broad powers on the Digital ID Regulator to manage digital ID fraud and cyber security incidents, advise the Information Commissioner on privacy matters that relate to the Act and enforce civil penalties that do not fall under the remit of the Information Commissioner.

The Information Commissioner will have oversight to promote a consistent approach to regulating privacy concerns. In addition to the Commissioner’s general powers to handle complaints and investigate interferences with privacy under the Privacy Act, the Commissioner is empowered to take civil penalty action for contravention of the privacy provisions in the Act. 

The penalties for contraventions range from 1,000 to 1,500 penalty units, i.e. up to $469,500.

Both the Digital ID Regulator and Information Commissioner must produce annual reports as transparency mechanisms, covering matters such as the number of digital ID fraud incidents or cyber security incidents (for the Digital ID Regulator) and the performance of functions and exercise of powers that relate to privacy (for the Information Commissioner).

What’s next for the Digital ID Bill 2024

The Digital ID Bill 2024 is expected to receive Royal Assent in the coming weeks and commence by November. Its passage through Parliament came in the same week that the government announced an allocation of $288.1 million in the federal budget to support the delivery of the Digital ID system – an 11 fold increase on the previous budget allocation. This includes significant funding for operators of the current system (the Australian Tax Office and Services Australia) as it expands, funding for pilots of government digital wallets and verifiable credentials, and allocations for the Information Commissioner to fund its privacy oversight under the Act.

A bill outlining transitional arrangements passed Parliament at the same time as the Digital ID Bill 2024. It aims to minimise disruption caused by the legislated changes, including by deeming the Commonwealth government entities currently accredited under the TDIF regime to be accredited under the new regime (but not making the same allowances for any private sector entities). AGDIS expansion will be phased, as described above, and the transitional bill provides for the phasing-in of participation by state, territory and private entities to occur in line with determinations made by the Minister, over two years. In the meantime, private sector digital-identity providers are expected to continue with their investment and expansion of their own solutions.