KSGH Security Update on the Digital ID Bill 2024

Last week, Parliament passed the Digital ID Bill 2024. In the coming months, the associated Digital ID Act 2024 (the Act) will establish a nationwide framework for digital identification, encompassing both government and private sector participation. Amid rising cyber threats, the government asserts that this legislation will grant individuals greater control over their information and transactions with government and private entities. It aims to provide consumers with confidence in their privacy and security while simplifying identity-related processes for both business and government.

The Journey to Digital ID

This milestone has been years in the making. The Australian government has been exploring frameworks to enhance online trust and identity management since 2010. The most recent effort, the Trusted Digital Identity Framework (TDIF), was introduced by the Coalition government in 2015. TDIF supported the government’s digital transformation agenda and was developed in consultation with the private sector to create a “national strategy for a federated-style model of trusted digital identities.”

TDIF established:

  • The rules for the Australian Government’s Digital Identity System (AGDIS), facilitating the use of government-issued digital IDs (currently myGovIDs) for accessing government services.
  • An accreditation scheme for digital ID service providers in both the government and private sectors.

AGDIS now supports over 12 million myGovIDs. Accredited entities include the Australian Tax Office and Services Australia, while private entities such as Australia Post, IDVerse, Mastercard, Australian Payments Plus, and Makesure Consulting have also been accredited.

What’s Changing?

Legislated Accreditation Scheme

A new scheme will replace and enhance the current TDIF accreditation, introducing stronger enforcement mechanisms and civil penalties for non-compliance. The scheme remains voluntary but will impose additional privacy safeguards, enforceable by the Information Commissioner, on accredited entities.

Phased Expansion of AGDIS

AGDIS will expand in phases:

  1. States and territories can apply to participate as users or providers of accredited digital ID services.
  2. Reciprocal use of digital ID and attribute providers in Commonwealth, state, and territory services.
  3. Use of government digital ID and attribute providers in private sector services.
  4. Use of private sector digital ID and attribute providers in some government services.

Privacy Protections

The Act introduces several privacy protections:

  • Accredited entities not subject to the Australian Privacy Principles (APPs) must comply with comparable protections or agreements with the Minister.
  • Accredited entities must comply with data breach notification requirements and report breaches to the Digital ID Regulator and Information Commissioner.
  • Restrictions on handling certain types of information, including personal, health, sensitive, and biometric information, as well as government-issued identifiers.
  • Digital IDs deactivated at an individual’s request cannot be used or reactivated without consent.
  • Reporting requirements for law enforcement agencies requesting biometric or personal information from accredited entities.

Role of the ACCC and the OAIC as Digital ID Regulator

The Act designates the Australian Competition and Consumer Commission (ACCC) as the Digital ID Regulator, responsible for overseeing the accreditation scheme and AGDIS. The Information Commissioner will handle privacy concerns, enforce civil penalties for privacy breaches, and produce annual reports on digital ID fraud and cybersecurity incidents.

Next Steps for the Digital ID Bill 2024

The Digital ID Bill 2024 is expected to receive Royal Assent soon and commence by November. The federal budget allocates $288.1 million to support the Digital ID system’s expansion, funding current operators, pilot programs for digital wallets and verifiable credentials, and the Information Commissioner’s oversight.

A transitional bill also passed, ensuring minimal disruption by deeming Commonwealth entities accredited under TDIF as accredited under the new regime. The AGDIS expansion will be phased, with state, territory, and private entity participation determined by the Minister over two years. Meanwhile, private sector digital identity providers will continue to invest in and expand their solutions.

Contact KSGH Security to help you remove your Digital ID. www.ksghsecurity.com