Legal development

Managing cyber risk digital identity comes back into focus in Australia

18 April 2023

Share Share
Insight Hero Image
Share

     Australia’s Digital ID Act 2024 has been passed – read more at Australia’s Digital ID Act and a new Trusted Exchange (TEx) – an update and a deep dive (16 August 2024).

    What you need to know 

    • Digital identity is a game-changer for cyber-security and cyber-resilience, and aims to enable the consumer trust required for the evolution of our digital economy.
    • Identity information collected by Australian businesses is particularly valuable to cyber attackers, who can exploit it for identity fraud.
    • A trusted and secure digital identity system could reliably verify the identity of a person without your business having to collect that person's government identifiers or a copy of that person's identity document.
    • On the back of a series of high profile data breaches in Australia, there is significant momentum to accelerate the development of Australia's national digital identity ecosystem. This momentum is supported by:

    - the consultation on the2023-2030 Australian Cyber Security Strategy;

    the recommendations of the final report of a panel of independent experts commissioned to oversee an audit of the Commonwealth's myGov online portal released in January 2023 (myGov Audit Report); and 

    the recommendations of the Productivity Commission's 5-year Productivity Inquiry Report published in March 2023 (Productivity Commission Report). 

    • As a key priority of the Federal and state and territory governments, we can expect reforms to expand the Australian Government's Trusted Digital Identity System to state and territory government services as well as the private sector.  We can also expect the reforms to focus on privacy, human rights and security safeguards.
    • Digital identity will not fully replace existing processes and systems used for identity verification and will not be made mandatory – people will still be able to use traditional identity documents.
    • To reach high levels of adoption, digital identity will need to be accepted and trusted by the private sector, individuals and government and be agnostic to the jurisdiction that originates and manages identity information.  You can read more about the Commonwealth's 2021 consultation on expanding the Commonwealth Trusted Digital Identity Framework in our article.
    • To accelerate the development of Australia's national digital identity ecosystem, the myGov Audit Report has recommended, amongst other things, that:

    - the Government rapidly progress legislation for a national digital identity system and a regulator with independent oversight to put privacy, human rights and security safeguards in place for Australians to participate in the national system (including as an digital identity services provider) by mid-2023;

    deliver a national framework for the interoperability of credentials across jurisdictions and the economy and require all federal government digital services to use the Australian Government identity exchange by the end of 2023; and

    with user consent, use digital identity 'attribute providers' to make linking to services easier and give users the choice to store extra attributes in myGov by mid-2024.

    What you need to do 

    Digital identity is going to come sooner rather than later with recent momentum pushing the implementation of an expanded national digital identity system. 

    In the meantime, you can:

    • Understand the types of data you hold - and how secure your data is - Conduct an audit of the types of personal information that your organisation collects and stores and understand the information which may be most valuable to a cyber attacker. Is your organisation holding identity information, such as government identifiers? Is it essential to hold that information? Is it appropriately secured?
    • Limit collection of identity information where possible - Consider if you are able to collect less data that could be used for identity theft and the potential for identity theft in your privacy and security risk analysis.
    • Focus on your retention and deletion practices - If you must collect identity information, make sure it is collected lawfully, properly secured and that it is only used for permitted purposes. If your organisation no longer has a need to retain this identity information, you organisation should delete it. 
    • Start planning - Consider whether your organisation's current IT roadmaps and information security strategies account for the future adoption of digital identity. 

    The value of digital identity 

    A national digital identity system could reliably verify a person's identity against the records of the issuing agency without the need for businesses to collect and store that person's government identifier or a copy of their identity document. 

    Identity information can be collected by organisations from the largest corporates to the smallest businesses, with varying cyber security capabilities and obligations under privacy laws.  Often this collection is driven by know-your-customer  requirements or the need to manage other business risks.  Individuals are used to providing identity data to enable us to do anything from opening a bank, telecommunications or electricity account to renting a house.  

    Collecting and storing identity information, particularly sensitive government identifiers, such as passport and drivers licence numbers, can heighten the risk that a cyberattack could cause impacted individuals serious harm through identity fraud – for example using stolen identity credentials to fraudulently borrow money, or access accounts.

    The unauthorised disclosure or loss of identity information is more likely trigger obligations to notify the privacy regulator and impacted individuals under the Australian Privacy Act Notifiable Data Breaches scheme. Guidance from Australia's privacy regulator lists theft and financial loss through fraud as examples of "serious harm" that could trigger these obligations.  

    The widespread adoption of digital identity technology should reduce the need to reproduce, collect, store and secure identity information.  This would in turn would reduce the value of the information and data stored by businesses to cyber attackers.

    Digital identity adoption can also support compliance with existing principles of data minimisation underpinning key obligations under the Privacy Act 1988 (Cth) (and proposed reforms to the Act) and equivalent legislation in other jurisdictions. For example, the Australian Privacy Principles require organisations only collect personal information that is reasonably necessary for one or more of the organisation's functions or activities, and take reasonable steps to destroy or de-identify personal information when no longer required for the purpose for which it was collected. 

    From a business perspective, digital identity can make simpler and safer interactions with customers, such as onboarding, know-your-customer, and sign-on processes. 

    Digital Identity is a national priority

    Following recent large-scale data breaches, the development of Australia's national digital identity ecosystem is a key priority for the Australian Government. 

    Expanding our digital identity ecosystem has been on the radar for some time. An exposure draft of the Trusted Digital Identity Bill 2021 (Cth) was released for consultation in 2021 by the former Coalition Government which proposed to:

    • expand the Australian Government's Trusted Digital Identity System  to allow private sector and state and territory bodies to rely on digital identities provided by the system; and
    • establish a voluntary accreditation scheme for digital identity service providers which would set out minimum standards and rules for providers of digital identity services. An accredited service provider would be able to deliver digital identity services as part of the Australian Government's Trusted Digital Identity System or can supply services using a different system.

    The Bill was not introduced to Parliament. You can read more about the Bill here.

    In our current cybersecurity climate, there is a renewed push to expand and harmonise digital identity. 

    The enabling legislation may not be passed exactly as proposed in the exposure draft - there are strong indications that it will be reconsidered with a greater focus on security, privacy, safety and other human rights.  The myGov Audit Report recommended the acceleration of the development of Australia's national digital identity ecosystem, whilst prioritising these rights.

    The myGov Audit Report recommended, amongst other things, the following actions and timeframes to give effect to this recommendation:

    • the Government rapidly progress legislation for a national digital identity system and a regulator with independent oversight to put privacy, human rights and security safeguards in place for Australians to participate in the national system (including as an digital identity services provider) by mid-2023;
    • deliver a national framework for the interoperability of credentials across jurisdictions and the economy and require all federal government digital services to use the Australian Government identity exchange by the end of 2023; and
    • with user consent, use digital identity 'attribute providers' to make linking to services easier and give users the choice to store extra attributes in myGov by mid-2024.

    The Federal and state and territory Data and Digital Ministers welcomed this recommendation at a Data and Digital Ministers Meeting convened on 24 February 2023. The Federal Government intends to provide a full response to the recommendations of the myGov Audit Report later in the year. 

    In the meantime, the Data and Digital Ministers have endorsed in-principle a draft National Strategy for Identity Resilience which will set out principles and government initiatives to make Australian identities difficult to steal and if compromised, easy to restore. The final strategy will also be considered by the Data and Digital Ministers later this year with a view that it will complement the development of the Australian Cyber Security Strategy announced by the Minister for Home Affairs and Minister for Cybersecurity in December 2022.

    High-value use cases are required to promote adoption and usage

    A digital identity system is unlikely to achieve the high adoption and usage levels required to achieve meaningful long term benefits unless there are high-value use cases across government and private sector services generating the network effects to create demand. 

    Some national digital identity systems in other jurisdictions have been able to achieve high adoption and usage levels: 

    • Sweden, Finland, Norway and Denmark have successful digital identity systems used by more than 70% of their populations; and
    • India successfully onboarded over one billion people onto its biometric identity system which is used by 95% of adults in the population on average once a month.

    The Productivity Commission reported that there has been a recent increase in the uptake of the Australian Government's Trusted Digital Identity System with 8.7 million individuals on the system as at July 2022 which is an increase from 6 million individuals as at December 2021. 

    However, the myGov Audit Report found that 'despite the potential benefits of digital identities, fewer than 1% of people signing in to myGov use a digital identity'. 

    The number of individuals on the Australian Government's Digital Identity System does not necessarily translate into habitual usage by individuals to access government services. 

    The Productivity Commission identified the current limited use cases for digital identity as a key barrier to further uptake. The Australian Government's digital identity is currently only used as a way for individuals to verify their identity for selected government services, such as applying for a tax file number and director identification number, or updating business details on the Australian Business Register.

    The Productivity Commission recommended that the Australian Government, working with the Council on Federal Financial Relations, expand the use cases for the Australian Government Trusted Digital Identity System to state and territory government services and private sector services. 

    Beyond the legislative framework for the expanded Trusted Digital Identity System consulted on by the previous Government, further amendments to existing regulations are required to support high-value use cases and entrench the use of digital identity, such as giving digital identity the same legal status as hard copy identity documents. For example, the NSW Government amended the Births, Deaths and Marriages Registration Regulation 2017 (NSW) in November 2022 to enable a digital birth certificate to be validly issued by the Registrar of the NSW Registry of Births, Deaths and Marriages, giving digital birth certificates the same legal status as a paper-based birth certificate. 

    Financial services is likely to be one of the sectors to lead the adoption of digital identity given the number of high-value use cases stemming from regulatory requirements to conduct anti-money laundering and know-your-customer identity checks imposed by financial services regulators. The growing use of FinTech applications (e.g. buy now pay later) and cryptocurrencies will also create further use cases for digital identity, as regulators extend identity check requirements to more nascent areas of the sector. 

    Some financial services entities have already developed digital identity solutions but may be waiting for legislation to provide certainty around liability protection in case of any errors or failures. 

    Interoperability will be a measure of progress

    A long term measure of the progress of a national digital identity system will be the degree of interoperability of digital identities between the public and private sectors, and across jurisdictions. Will systems communicate with each other, and will credentials be portable or visible between solutions?

    There have been some efforts made to ensure interoperability and mutual recognition of digital identities across jurisdictions through high-level principles to support the development of mutually recognised and interoperable digital identity systems. For example, Australia and New Zealand have committed to mutual recognition of digital identity services under the Single Economic Market agenda.

    Global push to implement digital identities

    This renewed focus on Australia's national digital identity system is part of a global push to implement digital identities driven by our current cybersecurity climate and the experiences of many jurisdictions during the COVID-19 pandemic rolling out digital vaccination certificates which highlighted the need for access to critical services online.

    Some recent key developments include:

    Authors: Rebecca Cope, Partner; Andrew Hilton, Expertise Counsel; Kerry Liang, Lawyer.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.

    Key Contacts