On 19 September 2023 the government released an exposure draft of a Digital ID Bill alongside draft Digital ID Rules and Digital ID Accreditation Rules, and a range of fact sheets, explanatory documents and consultation questions.
This material was released onto the digitalidentity.gov.au website via a consultation webpage, which is accepting input in 3 separate ways:
- a ‘quick and simple survey’ to understand sentiment on Digital ID in general (closes 10 October)
- submissions on the Digital ID Bill and Digital ID Rules (closes 10 October)
- submissions on Accreditation Rules for Digital ID providers (closes 31 October)
Finance Minister Katy Gallagher foreshadowed the consultation process at the Government Services Summit on 25 July 2023, when she announced that the Australian Competition and Consumer Commission (ACCC) would be the interim regulator for Digital ID because of its experience dealing with consumer issues across the economy.
Minister Gallagher stated that if the government moved swiftly it ‘could have legislation in place, mid-year next year’, noting it was a ‘tight timeframe’. The 19 September 2023 press release announcing the consultation process reinforced this timeline, with the minister outlining that the ‘short exposure draft period will allow … the feedback of interested stakeholders … to happen and ensure we stay on track to introduce the final Bill by the end of this year’.
Digital Identity system
The Digital Identity system being proposed by the government builds on the Trusted Digital Identity Framework (TDIF), ‘an accreditation framework for digital ID services’ developed by the Digital Transformation Agency (DTA). Work began on Digital Identity in 2014 under the Coalition Government, which foreshadowed a legislated Digital Identity system via the Trusted Digital Identity Bill, an exposure draft for which was released in October 2021.
Entities accredited under the TDIF that interface with government systems (page 16 of the agenda papers of an inter-departmental leadership group) are collectively known as the Australian Government Digital Identity System (AGDIS). This currently only includes government services, but the TDIF accreditation program has also accredited private entities in anticipation of expanding the digital identity system beyond government. The government has indicated that under its proposed system, phases 3 and 4 of the AGDIS expansion will extend to private sector services and providers.
Current Bills related to the AGDIS
The Digital Identity consultation process follows the introduction earlier in September 2023 of 3 Bills related to the AGDIS:
- The Statutory Declarations Amendment Bill 2023, introduced on 7 September 2023, allows for the execution of statutory declarations using an approved identity service prescribed in regulations. The explanatory memorandum states that ‘safeguards that will be prescribed include a requirement for the digital identity service to be an accredited entity under the Trusted Digital Identity Framework (TDIF) and that both the online platform and identity provider operate within the Australian Government Digital ID System (AGDIS)’.
- The Identity Verification Services Bill 2023 and Identity Verification Services (Consequential Amendments) Bill 2023, both introduced on 13 September 2023, implement in legislation the arrangements already in place under the 2017 Intergovernmental Agreement on Identity Matching Services, which allows for biometric verification using drivers licence images (the system currently only supports passports). The explanatory memorandum cites verifying identity using myGovIDas an a example of a current use of the Document Verification Service and the Face Verification Service, which will be enhanced by integrating state licences. As part of its Digital Identity initiative, the Coalition Government had proposed similar Bills, the Identity Matching Services Bill 2019 and the Australian Passports Amendment (Identity-matching Services) Bill 2019. A report by the Parliamentary Joint Committee on Intelligence and Security was highly critical, and recommended that the Bills be re-drafted. The Bills lapsed upon dissolution prior to the 2022 election.
Government Services Minister Bill Shorten has previously highlighted Digital Identity initiatives as key to improving digital service delivery. At July’s Government Services Summit, Minister Shorten previewed statutory declaration execution using Digital Identity, and suggested it would deliver significant savings, outlining that ‘for a $2.5 million outlay, the return would be around $150 million’. At the August 2023 Tech in Government conference, Minister Shorten stated that using a drivers licence for the highest level of identity proofing would expand the accessibility of digital identity to cover 80% of the population. The myGov user audit released in early 2023 also emphasised the benefits of digital identity uplift, with Finding 7 and Recommendation 6 calling for accelerated development of the Digital ID ecosystem.
Agencies involved in the AGDIS
Responsibility for the Digital Identity program was moved from the DTA to the Department of Finance on 6 July 2023. A number of other government entities also have roles in the AGDIS. Currently, the AGDIS incorporates an Identity Exchange administered by Services Australia and the user-facing Identity Provider myGovID run by the Australian Taxation Office. The Office of the Australian Information Commissioner (OAIC) was funded in the 2023–24 Budget ‘to provide ongoing privacy assurance for the Digital ID program’ and the TDIF’s security accreditation standards make reference to the Information Security Manual and Information Security Registered Assessors Program, which are both administered by the Australian Cyber Security Centre. Home Affairs also has a role in identity resilience and cybersecurity coordination.
Relevance of the AGDIS to cybersecurity
Digital ID reform supports the government’s cybersecurity efforts. The National Strategy for Identity Resilience released in June 2023 highlighted the role of Digital ID systems in reducing the amount of information shared to prove identity online. Industry news site ITNews reported on 18 September 2023 that business submissions to the 2023–2030 Australian Cyber Security Strategy Discussion Paper showed a ‘clear industry consensus in favour of government-backed digital ID’ to help reduce information potentially exposed in data breaches, although submissions stated the ‘current regime is not yet fit for purpose’.