COVID-19 has propelled products and services online like never before, further accelerating the growth of Australia’s digital economy. Meanwhile, the Australian Competition & Consumer Commission's Scamwatch recently reported that Australians suffered a record $211 million in losses to scams so far in 2021, including a 234 per cent increase in losses arising from identity theft.
On 1 October 2021, amidst this acceleration in the shift to online services (and corresponding increase in scams), the Australian Government released the exposure draft of the Trusted Digital Identity Bill 2021 (the Bill) to improve the way Australians are able to verify their identity when accessing online services.
The Bill expands upon the Trusted Digital Identity Framework established by the Commonwealth Government in 2015. The release of the Bill forms a part of phase 3 of an extensive consultation process in relation to this Framework, with the opportunity for further submissions to be made.
In this article, we summarise the key elements of the Bill and analyse some issues for industry participants to consider in making submissions.
What are the key elements of the Bill?
The Bill has two main aims:
- to simplify the process of proving and verifying the identities of individuals online whilst protecting their privacy and the security of their personal information; and
- to introduce a secure and trustworthy digital identity system that will facilitate the expansion of Australia’s digital economy.
The Trusted Digital Identity System
The Bill legislates for the establishment and operation of a national Trusted Digital Identity System (TDIS). The TDIS is a single Commonwealth Government operated platform where businesses and government agencies will be able to collect, verify and exchange digital identity information in a secure place. The TDIS will be operated and maintained by an Oversight Authority appointed by the relevant Minister.
The Bill also contemplates that other digital identity services may be established, and extends the system of accreditation to those systems. However, much of the focus of the Bill is on the TDIS.
In the context of the TDIS, the Bill distinguishes between two types of participants:
- Accredited entities – these are companies and State and Territory government entities that are accredited to provide different types of digital identity services (either using the TDIS or another system). The Bill establishes the following five classes of accredited entity:
- an attribute service provider (e.g. Services Australia);
- a credential service provider (e.g. ATO);
- an identity exchange (e.g. Services Australia, eftpos);
- an identity service provider (e.g. Australia Post); or
- an entity of a kind prescribed by the TDIF accreditation rules.
- Relying parties – companies and State and Territory government entities that rely on an attribute of an individual provided by an accredited entity to provide a service to an individual end user or to enable them to access a service.
As noted above, the system of accreditation will apply both to participating entities under the TDIS and to providers of alternative digital identity services.
An eligible entity, such as a company or State or Territory government entity, is only authorised to apply to be an accredited entity if the Oversight Authority is satisfied that:
- the facility the entity proposes to use to provide the services is ‘sufficiently developed’;
- the entity has ‘sufficient technical and financial resources available to it’ to become an accredited entity; and
- the entity has ‘an adequate plan for progressing to accreditation’.
Once accredited, eligible entities can apply to the Oversight Authority to be onboarded to the TDIS. The approval to onboard as an accredited entity is subject to various conditions with which the entity must comply, including the TDIF accreditation rules, applicable technical standards and conditions imposed on it by the Oversight Authority. The TDIF accreditation rules include requirements covering privacy, security, fraud control, incident management and reporting, disaster recovery, accessibility and user experience.
In deciding whether to accredit and/or onboard an entity, the Oversight Authority:
- must be satisfied that the entity will comply with the Bill;
- must have regard to any rules created by the relevant Minister;
- may have regard to a number of matters including whether the entity is a ‘fit and proper person’. A proposed definition of ‘fit and proper person’ is provided in the draft Trusted Digital Identity Rules released with the Bill. That definition requires the Oversight Authority to have regard to a number of matters including prior criminal convictions and prior adverse privacy determinations relating to the entity or associated persons.
What do providers of digital identity services need to know?
Revocation of accreditation and penalties for non-compliance
Breaches of a number of provisions may attract fines of up to $330,000 for corporations. Further, an accreditation may be revoked by the Oversight Authority on a number of grounds, including if the Authority reasonably believes that the accredited entity has contravened the legislation, that there has been a cyber security incident involving the entity or that one is imminent.
Trusted provider agreements
All accredited entities that are identity service providers will be required to enter into a trusted provider agreement with the Commonwealth in order to onboard to the TDIS. The Oversight Authority may also require other types of accredited entities to enter into such a trusted provider agreement.
A trusted provider agreement is a written agreement between an accredited entity and the Commonwealth setting out obligations with which the entity is required to comply in relation to the TDIS. A trusted provider agreement must be consistent with the legislation, but may deal with additional matters such as the terms on which the entity may charge fees for the services it provides within the TDIS, the period for which the entity must provide, or offer to provide, services within the TDIS, and how the agreement may be varied or terminated.
Keeping data in Australia
The draft Trusted Digital Identity Rules prohibit entities onboarded to the TDIS from holding, storing, handling or transferring digital identity information outside Australia unless an exemption is in force. This may pose practical challenges around where data is hosted (for example, for entities whose systems currently rely on offshore cloud regions or offshore support teams) and may even prevent some entities from being eligible to onboard to the TDIS.
Service levels and technical standards
The Bill provides the Oversight Authority with the power to make service levels and technical standards relating to the TDIS. The service levels may relate to the availability and performance of the entity’s accredited facility, while the technical standards may cover technical integration requirements for entities onboarding to the TDIS or technical or design features that an entity must have before it can onboard. Among other things, these may relate to the format and description of how TDIS information is handled and how it is shared between entities on the TDIS.
Statutory contract and liability
The Bill provides that a contract is deemed to exist between accredited entities, and between each accredited entity and each relying party on the TDIS, under which each accredited entity agrees to provide its identity services in compliance with its obligations under the Bill and the applicable technical standards that relate to verifying and authenticating individuals.
The Bill also provides a statutory framework to limit liability as between accredited entities and participating relying parties, but does not specifically address liability to end users.
Under the Bill, the Oversight Authority has the power to direct a TDIS entity to maintain adequate insurance against any liabilities arising in connection with these deemed contracts.
Ability to comply with new privacy obligations and protections
The Bill aims to enhance existing privacy laws by, amongst other things, restricting the uses of biometric data, prohibiting the use of data for certain profiling, enforcement and marketing purposes and giving individuals the right to request an accredited identity service provider to deactivate their digital identity.
There are a number of actions that can only be performed using the digital identity information with the individual’s express consent.
Accredited entities on the TDIS must maintain written policies dealing with the mechanisms and procedures for the management and resolution of digital identity fraud and cyber security incidents in relation to their services, and the timeframes for managing and resolving such incidents. Accredited entities also have a number of obligations if such an incident occurs, including:
- to contact any individuals or businesses affected by it;
- to set up a publicly accessible point of contact for information and support; and
- to ‘make all reasonable efforts’ to keep affected individuals and businesses informed.
What do those relying on digital identity services to verify customers need to know?
If a relying party is not an Australian entity, it must register as a foreign company before it can be onboarded onto the TDIS.
Like accredited entities, relying parties are also required to contact any individuals or businesses affected by digital identity fraud and cyber security incidents in relation to their services.
A relying party cannot obtain sensitive information of individuals such as health information, TFNs, Medicare numbers and driver’s licence numbers unless it is expressly authorised to do so in its onboarding conditions.
The current period for submissions ends at 5pm on Wednesday 27 October 2021, and submissions can be made via the Digital Identity submission form before that time. Following that, the Federal Government will finalise the Bill and then introduce it to Parliament, with hopes of it passing through both Houses by the end of 2021.
Authors: Lesley Sutton, Luke Standen and Jordan Czelen