Australia | Publication | May 2022
On 4 February 2022 Commonwealth and State Ministers announced agreement on progressing of the national Trusted Digital Identity (TDI ) System.1 The TDI system is a digital identity management model for the establishment of a verifiable digital record of individuals based on voluntary participation. The program is intended to enable people and businesses to prove who they are and allow them to access government and other services.
The announcement follows on from the close of the public consultation period on the Australian Government’s TDI Bill in late October 2021. The TDI Bill sets out a draft legislative framework to support the expansion of the TDI Framework. The Digital Transformation Agency is the lead Commonwealth agency for this whole-of-government initiative.
The Australian Government has been developing a Digital Identity system and TDI Framework since 2015, following a finding by the Financial System Inquiry2 that the identity infrastructure was fragmented and lacked a clear strategic vision for digital identity management. The Inquiry recommended the development of a national identity strategy based on a federated‑style model and supported by a trust framework.
The national TDI system forms part of the Australian Government’s Digital Government Strategy3 which aims to drive digital transformation in the Australian Public Service and make all government services available digitally by 2025.
The purpose of the draft legislation is to provide the legislative authority to expand the TDI Framework by enabling greater participation from State and Territory governments as well as the private sector. The draft legislation also aims to provide various privacy and consumer protections, and establish a governance and regulatory framework to assure the public that their personal information is safe and secure.
A person can currently create a digital identity to access Commonwealth services through myGovID. The Australian Government intends to expand the TDI Framework beyond providing access to Commonwealth government services, into a whole-of-economy solution that connects local, State, Territory, and private sector services.
A key element of the draft legislation is the outsourcing of the identity verification process to accredited Australian businesses which offer digital identity services – the intent is that these accredited providers will have access to an individual’s personal information (including biometric information) in order to authenticate that individual’s digital identity. The Australian Government has accredited some identity verification businesses under the existing TDI Framework to test the system’s capacity to include non-Commonwealth entities.4
An accredited provider will need to retain some personal information for as long as a digital identity is active in order to enable that digital identity to be linked to an individual’s request for a digital service. However, strict rules will apply to the retention of biometric information. An accredited provider will only be able to retain an individual’s biometric information while their digital identity is being authenticated. The individual’s biometric information must be deleted when the authentication process is complete or 14 days after the biometric information was collected, whichever occurs first. An individual’s biometric information must also be deleted immediately if they no longer consent to the authentication of their digital identity.
The Office of the Australian Information Commissioner’s submission on the draft TDI legislation also highlighted the need for the TDI legislation to align with the existing Consumer Data Right regime, including a limit on the maximum duration of any enduring consent by an individual to the disclosure of their personal information in the context of their digital identity.
Government agencies and Australian businesses can become an accredited provider for the purpose of providing digital identity services as part of the TDI Framework. Some Commonwealth government agencies are already accredited through the Trusted Digital Accreditation Framework, which forms the basis for the accreditation scheme that will be introduced in the draft legislation. These agencies will be transitioned through to the new accreditation scheme.
Any government agency or Australian business which is seeking to become an accredited provider must agree to be bound by the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles if they are not already subject to Commonwealth privacy legislation. This requirement extends to include State and Territory government agencies which are not subject to comparable privacy laws within their jurisdictions.
The process to participate in the TDI Framework as an accredited provider has two stages:
The draft legislation also builds on existing privacy‑related protections in the Privacy Act to further safeguard an individual’s personal information which has been provided to an accredited entity.
Commonwealth government agencies are already required to comply with the Privacy Act, but they will need to be aware of the expanded privacy-related protections in the proposed legislation, which includes a broader definition of personal information to include attributes, restricted attributes and biometric information (to the extent these are not already covered by the definition of personal information in the Privacy Act).5
Most Commonwealth government agencies will not be providers of digital identity services, but will instead rely on the verified identity information from accredited providers about an individual in order to provide that individual with a digital service.
Australia’s digital economy is expanding significantly as more Australians use digital services in their daily activities, especially during (and likely after) the COVID pandemic. If implemented, the expanded TDI Framework promises to simplify the process for anyone who needs to verify their identity in order to access a digital service offered by a business or government agency.
Publication
The US Supreme Court has ruled that a “pure omission” under Item 303 of Securities and Exchange Commission Regulation S–K cannot give rise to a private action for securities fraud under Section 10(b) and Rule 10b-5(b) of the Securities Exchange Act of 1934.
Subscribe and stay up to date with the latest legal news, information and events . . .
© Norton Rose Fulbright LLP 2023
