Whole-of-economy Digital ID laws by the end of the year

Australia’s Digital ID Act 2024 has been passed – read more at Australia’s Digital ID Act and a new Trusted Exchange (TEx) – an update and a deep dive (16 August 2024).

Watch the webinar: Our panel of legal and risk experts took a deep dive into Digital ID. A recording of the webinar is available here.

What you need to know

• The Australian Government is consulting on draft legislation and rules to deliver the regulatory framework for "whole-of-economy" Digital ID. We explain the "what, why and how" below. In our follow-up article we will take a deeper dive into the legislation and its implications.
• The legislation lays the groundwork to expand the Australian Government Digital ID System (AGDIS) with more state, territory and private sector participation. The AGDIS is currently limited to the myGovID Digital ID, used to access government services.
• The AGDIS will enable individuals to interact with business and governments and enable identity verification and potentially attribute (such as age) and credential (such as licence or skills) verification, and potentially to authenticate parties when entering into agreements online. By the end of the year, we should be able to sign Commonwealth statutory declarations using Digital ID.
• It also legislates an accreditation scheme for Digital ID service providers – an evolution of the current Trusted Digital Identity Framework accreditation. Accreditation is mandatory to supply services in the AGDIS, but may be obtained voluntarily, including for other Digital ID systems which are not part of the AGDIS.
• The Government will expand the AGDIS in phases, with an initial focus on maturing digital identity within government, followed by integration of state and territory Digital IDs, culminating in economy-wide Digital ID – enabling use of government Digital IDs for private sector services (such as opening a bank account and age verification), and private sector Digital IDs for government services.
• Digital ID is an essential part of Australia’s National Strategy for Identity Resilience and will be a key pillar of the upcoming 2023-2030 Cybersecurity Strategy to build Australia's resilience to cyber threats and identity fraud at an ecosystem level.
• The consultation period is deliberately tight, aiming to introduce legislation by the end of the year and to integrate of state and territory systems next year. Consultation on the Digital ID Bill and Rules closes Tuesday, 10 October, and consultation on the Accreditation Rules closes Tuesday, 31 October.

What you need to do

• Engage in the consultation – With a short consultation period and an ambitious legislative agenda, to have the most impact, prioritise your key issues with a particular focus on the use cases that matter for you and your customers.
• Have a long-term engagement plan – Similar to the Consumer Data Right, Digital ID will involve an ongoing dialogue with the Australian Government, with important matters dealt with under further amendments, rule-making powers or data standards. Implementing the Consumer Data Right while engaging on regulatory expansion and development was a significant challenge for participants – we expect similar challenges as Digital ID evolves and grows.
• Factor Digital ID into your future state – Expanding Digital ID across public and private sectors has been bipartisan policy of successive governments. Understand how you can participate now and in the future, and how Digital ID can benefit your organisation – including by participating in the AGDIS or leveraging private sector solutions.
• Continue to manage identity data risks – A phased expansion means the AGDIS will not immediately be ready for the private sector. In the meantime, continue to look at data collection, handling and retention practices through a cyber-risk lens, and engage with regulators and law-makers on mandatory data collection. Consider if private sector Digital ID solutions can help manage risks.

Australia’s vision for a “whole-of-economy" Digital ID

A strong Digital ID ecosystem has been recognised by successive governments and industry as essential to Australia’s digital future – making access to government and private sector services simpler and safer, combatting identity-based fraud, and improving Australia’s resilience to cyber threats.

The Commonwealth Government is currently consulting on a draft Digital ID Bill and Rules and Accreditation Rules that set the framework to develop a "whole-of-economy" Digital ID ecosystem.

Four principles guide Australia’s Digital ID strategy – Digital ID must be secure, convenient, voluntary and inclusive. These principles inform proposed legislative protections, and will no doubt guide underlying standards over time.

The legislation sets the ground rules for:

• an accreditation scheme – a voluntary scheme to accredit providers of Digital ID services. To become accredited, Digital ID service providers will need to demonstrate compliance with a range of privacy, security and other requirements, and can be liable for compliance failures. The accreditation framework is an evolution of the currently operating but unlegislated Trusted Digital Identity Framework – mandatory to participate in the AGDIS, but may be voluntary for other Digital ID systems. Participants accredited in the current scheme will transition into the new regime (Services Australia and the Australian Taxation Service as part of the AGDIS, as well as private sector participants Australia Post, OCR Labs, Mastercard, and eftpos Digital Identity).
• an expanded Australian Government Digital Identity System (AGDIS) – Australians will recognise the AGDIS as the myGovID used in the myGov app to access government services, with over 10.5 million users accessing 130 services from 40 government agencies. The draft legislation is intended to expand the AGDIS by enabling greater participation by state and territory government bodies and the private sector.

The regime will be overseen by a Digital ID Regulator. The draft bill identifies the Australian Competition and Consumer Commission (ACCC) as the regulator but notes that the division of duties between the ACCC as regulator and Services Australia to be determined. Services Australia is likely to take on some of the more operational aspects – which may include the security, integrity and performance. As with the Consumer Data Right, privacy issues (including additional privacy safeguards) will be regulated by the Australian Information Commissioner and there will be a Data Standards Chair to develop technical standards.

What is Digital ID, and why does it matter?

Digital ID is a secure way for organisations to verify an individual's identity online, without needing to collect or store any documents. Instead, a trusted service provider who verifies an individual’s identity confirms they are who they say they are.

While early moves in Digital ID focussed on streamlining interactions with government, Australia’s recent history of high profile cyber attacks has brought renewed urgency to driving economy-wide Digital ID to help build Australia’s cyber resilience. Digital ID reduces the need for business and government to collect, share and store information that is most valuable to hackers, reduces the risk that stolen identity information can be used for identity fraud, and makes revoking and re-issuing stolen credentials simpler and more effective.

The private sector is also focussed on Digital ID opportunities, with various Digital ID solutions already in the market. Some, like ConnectID, Australia Post’s Digital iD, and Mastercard’s ID are underpinned by government accreditation.

The Government’s ultimate objective is to build an economy-wide, federated system – over time integrating the Commonwealth, states, territories, and the private sector into a common interoperable system – with government and private sector credentials and systems in Australia and overseas interoperable under common standards.

The plan to expand – in four phases

The Government’s plan to expand Digital ID economy-wide focuses initially on government, before a broader economy-wide integration. While the framework proposed is not specific to myGovID, improving myGovID, rolling it out across more Commonwealth services, and making it interoperable with state and territory and private sector services is a key short term priority.

Expansion will occur over four phases – which will likely overlap.

• Phase 1 lays the legislation groundwork for Digital ID, and expands the government services accessible using Digital ID. The Government is also aiming to accredit more public and private service providers within the scheme.
• Phase 2 integrates state and territory systems, allowing state and territory Digital IDs to be used to access Commonwealth services.
• Phase 3 allows myGovID to be used in the private sector – for example, myGovID could be used to verify identity to open a new bank account, sign up for an electricity or telco service, or sign a lease.
• Phase 4 will allow approved private sector Digital IDs to be used to verify users accessing some government services.

While the proposed legislation sets a framework for the Government’s vision, we expect it will need to change over time to facilitate these phases. Significant flexibility has been built in through exemptions, conditions and rule-making powers, similar to the approach adopted in the Consumer Data Right legislation – meaning the regime may be more easily tailored to deal with specific issues as they arise.

The Government has not committed to particular “go live” target dates for each phase – as with the Consumer Data Right, we expect the Government will need to carefully balance driving expansion of the regime with allowing the market to organically mature.

But, how does it all work?

Australia's Digital ID model takes a federated approach in which various accredited providers help a relying party provide services to an end user.

(* roles accredited under the accreditation scheme)

A service provider might be accredited to perform multiple roles.

Although currently the AGDIS and other accredited Digital ID services do not have a lot of service providers to choose from, as more accredited providers participate, strict standards will ensure that services are interoperable and contestable. In the AGDIS, relying parties and end users have a choice of providers under a federated model which requires interoperability (subject to some exceptions).

This is how a Digital ID transaction might look to a user:

Behind the scenes, various participants cooperate to deliver this streamlined and secure user experience.

• To set up their Digital ID, the end user will verify their identity with an identity service provider. To achieve this, the identity service provider might collect and verify identity documents or attributes (like a driver's licence number, or potentially biometric information), and may use an identity verification service, such as the Australian Government’s Document Verification Service or Face Verification Service (which are not accredited service providers or part of the AGDIS). Identity document information will not be collected or transferred in subsequent steps.
• End user wants to use a relying party’s service – for example by accessing a relying party’s website or app.
• Relying party needs to verify that the end user is who they say they are, and that they are 18+ (additional information, known as an attribute).
• End user is redirected to the identity exchange, and selects their preferred identity service provider.
• Identity exchange sends an authentication request to the identity service provider, who authenticates the user (eg by logging into an account, perhaps using facial recognition or thumbprint to unlock an app).
• Some attributes might be confirmed by the identity service provider (potentially using an identity verification service outside the AGDIS). For other attributes, the identity exchange might request confirmation from an accredited attribute service provider.
• Identity exchange confirms the end user's consent to sharing the fact that they are 18+, and then provides confirmation of identity and any consented attributes to the relying party.
• End user obtains service from the relying party.

How might we use Digital ID in the future?

Australians can already use myGovID to easily and securely access a range of government services. There are also a range of private sector solutions to simplify secure access to other services.

The Government is actively expanding the services that can be accessed using myGovID, and is investigating ways of making myGovID more useful – for example, the Statutory Declarations Amendment Bill 2023 is expected to be passed by the end of the year, allowing Commonwealth statutory declarations to be signed using the AGDIS, with the digital identity service provider acting as a virtual "witness".

Digital ID can be a gateway to more secure, innovative services and collaboration, allowing personal data to flow more freely and securely between organisations.

An important capability of Digital ID lies in what is known as "zero knowledge proofs" – at the moment, to confirm a person is over 18 years of age, an organisation might need to collect and store identity documentation such as a driver's licence – which contains a range of information valuable to an attacker. Zero knowledge proof with Digital ID would allow an organisation to rely on confirmation that a person is over 18 without collecting a driver's licence or even a date of birth (and potentially without knowing who the end user is at all).

Other uses might include:

• Consumer Data Right: Authenticating customers and managing consents to sharing data has been a key stumbling block for broader uptake of Australia’s Consumer Data Right – and in particular banks and others have raised concerns about managing security and fraud risks of new functions under action initiation laws currently before the Senate. By integrating Digital ID into Consumer Data Right processes, we may see a safer, frictionless customer experience that will drive uptake and innovation.
• Know-your-customer checks and verification of identity: We may see simplified processes for verifying identity, particularly with broader access to the Commonwealth Document Verification Service and Facial Verification Service proposed in the Identity Verification Services Bill 2023 (currently being considered by a Senate Committee, accepting submissions until 2 October 2023). Identity verification services are not part of the AGDIS, but are used by identity service providers to verify an individual's identity when setting up a Digital ID. Proposed reforms will allow more people to use (and more identity service providers to offer) face recognition to create the "strong" Digital IDs required to access more sensitive services, like creating a tax file number.
• Payments: Simple and secure authentication could massively simplify payments. Card issuers are looking to reduce collection of credit card numbers, expiry dates and CCV codes throughout the economy, and to make this information less useful when compromised. A trusted national Digital ID will go a long way to making this an economy-wide reality.
• Age verification: Endeavour Group is working with accredited services ConnectID and OCR Labs to deliver online age verification for alcohol delivery. While the eSafety Commissioner's Roadmap for Age Verification recognised that the market was not sufficiently mature to mandate age verification technology for access to age-restricted online content, it recommended that future age assurance technologies be subject to accreditation and oversight equivalent to Digital ID accreditation.
• Credentials and qualifications: Nationally interoperable Digital ID might make it easier for employers to find and vet the staff they need and reduce the risk of fraudulent qualifications. The Business Council of Australia has recently called for digital tracking of formal qualifications and micro-credentials, other training and recognition of prior learning.

The possibilities go much further, with the potential to simplify and secure a broad range of personal and business transactions. For example, the European Union is progressing an updated framework for a European Digital Identity (eID) to improve cross-border recognition of Digital ID services. The updated framework includes an expanded range of trust tools, including electronic signatures, company seals, time stamps, documents, registered delivery services, certificate services for website authentication, and archiving and attestation (such as medical certificates and professional qualifications). Many of these tools are already available in EU member states, driving broader uptake and use of Digital ID.

Want to know more?

In our follow-up piece, we will take a deeper dive into the draft legislation, and explore some important implications for users and providers of digital ID services.

You can also catch up on our past publications:

• Identity Resilience and digital identity – key defences against cyber threats (23 August 2023)
• Australian digital identity gains traction – a new national strategy, and legislation on its way (7 August 2023)
• Managing cyber risk – digital identity comes back into focus in Australia (18 April 2023)
• Ashurst's submission to Australia's 2023-2030 Cybersecurity Strategy highlighted the importance of ecosystem-level responses (such as Digital ID) to mitigate the impact and scale of cyber incidents and strengthen cyber resilience. Recently published industry submissions, particularly from the banking sector, also emphasised the transformative impact of economy-wide Digital ID. (April 2023)
• A trusted digital identity framework for Australia (13 October 2021)

Authors: Tim Brookes, Partner; Rebecca Cope, Partner; Anthony Lloyd, Partner; Clare Doneley, Counsel; Sashini Walpola, Senior Associate; and Andrew Hilton, Expertise Counsel.