Trusted Digital Identity Bill Exposure Draft released for public comment

The government has released an exposure draft of the Trusted Digital Identity Bill for public comment. We explore what this means and the potential benefits for individuals and the public and private sectors.
Key takeaways
- The Commonwealth Government has released an Exposure Draft of the Trusted Digital Identity Bill and is seeking submissions as part of its consultative approach.
- The bill aims to provide individuals with a simple and convenient method of verifying their identity in online transactions with government agencies and businesses, while introducing safeguards to protect the safety, privacy and security of stakeholders.
- The bill establishes permanent governance arrangements and a regulatory regime to be implemented by the Supervisory Authority.
On October 1, 2021, the Commonwealth Government released an Exposure Draft of the Trusted Digital Identity Bill (Bill) for public consultation. The bill supports the widespread deployment of the digital identity system to state and territory government agencies, as well as the private sector.
After more than a year of consultation, the bill is now in phase 3 of the legislative consultation process, giving the public an opportunity to provide comments. The comments are intended to guide the further development of proposed legislation to support Australia’s expanded digital identity system.
What is the bill for?
The bill seeks to provide individuals with a simple and convenient method of verifying their identity in online transactions with Commonwealth, State and Territory levels of government, as well as with private businesses, through the national Trusted Digital Identity System (TDIS).
It establishes guarantees intended to protect the safety, confidentiality and security of stakeholders, and establishes a supervisory authority that will accredit entities to join TDIS.
Supervisory authority
The supervisory authority is part of the governance regime of the digital identity system. It will have extensive powers to develop, operate and maintain the digital identity system.
The supervisory authority will be responsible for assessing applications for membership in the digital identity system and enforcing the protections given to stakeholders in the bill. However, the Australian Information Commissioner will remain responsible for monitoring compliance with privacy laws.
Accreditation and integration
Eligible businesses and state and territory agencies wishing to participate in TDIS or other digital identity services will need to apply for accreditation from the Supervisory Authority. The bill includes a number of factors that the supervisory authority must take into account when considering an accreditation application.
Once an entity has been accredited, it must apply to the supervisory authority to be integrated into TDIS. The bill sets out a number of conditions that the entity must comply with in order to be approved for integration.
Two types of accreditation are available:
1. Accredited entities
Under the bill, eligible businesses and state and territory governments wishing to provide digital identity services must apply to become an accredited entity. The bill introduces five categories of accredited entities: attribute service provider; identification service provider; identity exchange; identity service provider; or an entity as prescribed by the TDIS accreditation rules.
Accredited entities are subject to a number of obligations under the bill, including:
- entering into a trusted supplier agreement with the Commonwealth Government in order to join TDIS;
- holding, storing and handling digital identity information only in Australia unless an exemption applies;
- abiding by TDIS service levels and technical standards as determined by the Supervisory Authority;
- abiding by new confidentiality obligations and protections; and
- maintaining adequate levels of assurance.
Accredited entities are also deemed to have entered into a statutory contract with other accredited entities with which they interact, agreeing to comply with their obligations under the draft law and applicable technical standards. Deemed statutory contracts also exist between each accredited entity and each relying party.
2. Relying parties
A business or government entity of a state or territory that relies on digital identity information provided by an accredited entity in order to provide a service to an individual, or to provide them with access to a service, shall apply to become a relying party. Relying parties are subject to limitations on the types of sensitive information they can obtain, unless expressly authorized by the Supervisory Authority.
Relying parties are also subject to obligations under the draft legislation, including being an Australian entity or registering as a foreign company prior to integration.
System protections
The bill introduces safeguards in TDIS to protect the confidentiality and security of personal information. These include:
- extend protections under existing privacy laws, including, for example, restricting the use of biometric data and granting individuals the right to request an accredited identity service provider to deactivate their digital identity;
- prohibit the disclosure of biometric information to law enforcement agencies;
- impose confidentiality obligations (including with regard to the notification of qualifying data breaches) on entities that do not currently fall under the Privacy Act 1988 (Cth) (Privacy Act), other than entities of a State or Territory if they are subject to the privacy laws of a State or Territory which require a comparable level of privacy protection;
- require accredited entities to inform the supervisory authority of “eligible data breaches” within the meaning of the Personal Information Protection Act; and
- prohibit data profiling and the disclosure of “unique identifiers” (i.e. unique identifiers assigned by an accredited entity to an individual within a digital identity system).
It is important to note that the bill expands the definition of personal information under the Privacy Act to include “attributes, restricted attributes and biometric information”.
The bill also requires accredited entities to maintain service levels and technical standards as determined by the supervisory authority.
Liability, insurance and penalties
Under the bill, accredited entities have limited liability to each other and to relying parties if they provide or fail to provide the identity verification service in good faith, in accordance with the law and technical standards that apply to the entity.
Accredited entities may be required to take out and maintain adequate insurance in accordance with the instructions of the Supervisory Authority.
Companies that violate the bill can be fined up to $330,000 and/or have their accreditation suspended or revoked by the supervisory authority.
Potential benefits for individuals and the public and private sectors
TDIS will provide a national platform for government agencies and businesses to securely collect, verify and exchange digital identity information. It will provide individuals with a simple and convenient method of verifying their identity during online transactions.
Through the expanded deployment of TDIS, the Commonwealth Government aims to promote economic progress by building confidence in digital identity services, thereby facilitating and encouraging the use of digital identities, online services and the interoperability of digital identity systems, and ultimately increasing the efficiency of the digital economy.
Submissions
Public submissions on the bill must be submitted by October 27, 2021.
We will continue to monitor the progress of the bill as it is passed by Parliament.