Commonwealth of Australia Explanatory Memoranda



DIGITAL ID BILL 2023

                             2022-2023



THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA




                         THE SENATE




                   DIGITAL ID BILL 2023




            EXPLANATORY MEMORANDUM




                    (Circulated by authority of the
        Minister for Finance, Senator the Hon Katy Gallagher)


ABBREVIATIONS USED IN THE EXPLANATORY MEMORANDUM

Acts Interpretation Act      Acts Interpretation Act 1901
AAT                          Administrative Appeals Tribunal
ACCC                         Australian Competition and Consumer Commission
AIC Act                      Australian Information Commissioner Act 2010
AGDIS                        Australian Government Digital ID System
APPs                         Australian Privacy Principles
ASIO                         Australian Security Intelligence Organisation
ASIO Act                     Australian Security Intelligence Organisation Act 1979
Corporations Act             Corporations Act 2001
Criminal Code                The Schedule to the Criminal Code Act 1995
Information Commissioner     Australian Information Commissioner
Legislation Act              Legislation Act 2003
Privacy Act                  Privacy Act 1988
Regulatory Powers Act        Regulatory Powers (Standard Provisions) Act 2014
TDIF                         Trusted Digital Identity Framework
Transitional Bill            Transitional and Consequential Provisions Bill 2023

Digital ID Bill 2023 - Explanatory Memorandum: Page 2 of 319


DIGITAL ID BILL 2023

GENERAL OUTLINE

1. The Digital ID Bill 2023 (the Bill) aims to provide individuals with secure, convenient, voluntary and inclusive ways to verify their identity for use in online transactions with government and businesses. Promoting trust in digital ID services, including by ensuring less data is shared and stored, and in a more secure way, will facilitate economic benefits for, and reduce burdens on, the Australian economy.

2. The Bill will:
• legislate and strengthen a voluntary Accreditation Scheme for digital ID service providers that wish to demonstrate compliance with best practice privacy, security, proofing and authentication standards;
• legislate and enable expansion of the Australian Government Digital ID System (AGDIS) for use by the Commonwealth, State and Territory governments and eventually private sector organisations;
• embed strong privacy and consumer safeguards, in addition to the Privacy Act 1988 (Cth) (Privacy Act), to ensure users are protected; and
• strengthen governance arrangements for the Accreditation Scheme and the AGDIS, including by establishing the Australian Competition and Consumer Commission (ACCC) as the Digital ID Regulator, and expanding the role of the Information Commissioner to regulate privacy protections for digital IDs. Both these regulators will have a broad range of powers under the Bill, including to issue civil penalties.

Context for the legislation

3. Digital ID is a major economy-wide reform with significant economic, security and privacy benefits for individuals and businesses.

4. Digital IDs provide people with a convenient, re-usable way to verify who they are when transacting online, without having to repeatedly provide copies or details of their most sensitive ID documents.

5. The economic potential of digital ID was recognised in the Report of the Financial System Inquiry (2014) (the Financial Systems Inquiry). This report recommended the Australian Government develop a national strategy for a federated-style model of trusted digital identities in which public and private sector identity service providers would compete to provide identity services, enhancing consumer choice, privacy, innovation and system efficiency.

6. The Financial Systems Inquiry led to the establishment of the Australian Government's Digital ID program. This program includes:
• an unlegislated Accreditation Scheme for providers of digital ID services in the government and private sectors, based on requirements set out in the Trusted Digital Identity Framework (TDIF); and
• the unlegislated AGDIS, which facilitates the use of government-issued digital IDs (currently myGov IDs) by individuals accessing government services.

7. Since the Financial Systems Inquiry, the value of digital ID as a driver of economic benefits has been further acknowledged in the Australian Government's Strategic Plan for Australia's Payments System (2023).

8. Digital ID can help make the delivery of government services more efficient compared to more traditional service delivery channels. The importance of a digital ID in reforming government service delivery was recognised in the report of the myGov User Audit (2022), which recommended the government accelerate development of Australia's national digital ID ecosystem.

9. By reducing the sharing and retention of personal information used to verify Australians' identities, expanding the use of digital IDs will help reduce the impact of data breaches, scams and cybercrime, supporting the 2023-2030 Australian Cyber Security Strategy (2023) and the National Strategy for Identity Resilience (2023).

10. To realise the economic, security and privacy benefits offered by digital ID, the Australian Government is introducing this Bill to strengthen the operation of the Accreditation Scheme and to enable the expansion of the AGDIS to an economy-wide digital ID system.

Features of the Bill

The Accreditation Scheme

11. The Accreditation Scheme is designed to promote the growth of, and trust in, digital ID services throughout the economy. The Accreditation Scheme is voluntary. The Bill provides for any digital ID service providers operating throughout the economy to apply to be accredited. But, to provide Digital ID services within the AGDIS, the Bill will require that digital ID service providers must be accredited.

12. On commencement of the Bill, accreditation will be available for three kinds of digital ID services: attribute service provider, identity exchange provider and identity service provider. These services are found in a federated digital ID system, which involves an identity exchange that facilitates data flows between service providers and the organisations that use their services, which are referred to as relying parties.

13. The Bill will provide for the Minister to make rules to regulate the accreditation of other kinds of services in the future to account for changes in technology and the way in which digital ID systems operate. For example, potential future roles could be providers of digitally verifiable credentials or Digital ID wallets.

The Australian Government Digital ID System

14. The unlegislated AGDIS is a particular digital ID system which commenced operating prior to commencement of the Bill. Initially focused on Australian Government services, following commencement of the Bill the AGDIS is planned to expand over time to include other government and private sector entities that choose to participate. Some of these entities will likely also participate in other digital ID systems.

15. The Bill provides for additional safeguards over the operation of digital ID services within the AGDIS. These are outlined in the privacy and other safeguards section below.

16. The Bill will also have the effect of requiring entities participating in the AGDIS to report certain matters (such as fraud and cyber security incidents). The intent of these provisions is to help maintain the availability, performance and integrity of the AGDIS. The Bill will require participants to provide these reports to the System Administrator. The Bill's provisions that establish a System Administrator are outlined in the governance and regulatory mechanisms section below.

17. The Digital ID (Transitional and Consequential Provisions) Bill 2023 (the Transitional Bill) provides for transitional arrangements, with the intent of ensuring government entities participating in the unlegislated AGDIS prior to the commencement of the Bill will be taken to be approved by the Regulator to participate in the system. The aim is to ensure that the legislated AGDIS can operate seamlessly on commencement of the Bill.

18. The Bill provides for the Minister to manage the expansion of the AGDIS to entities outside of the Commonwealth. The Bill provides for the AGDIS to be expanded over time to include new kinds of participants as providers and/or users of Digital ID services. This Bill enables this to be done via a determination made by the Minister.

Privacy and other safeguards

19. Safeguarding the privacy of personal information used in digital ID services is a fundamental design feature of the Bill, which applies a range of additional privacy safeguards on accredited entities that build upon existing privacy laws.

20. The Bill will require accredited entities to continue to comply with existing privacy protections in the Privacy Act or, for State and Territory entities, their local privacy law. Where a State or Territory entity is not subject to a local privacy law, and wishes to become an accredited provider, the Bill provides for the entity to enter into a binding agreement that would require them to comply with the Australian Privacy Principles.

21. The Bill provides for accredited entities to be subject to the notifiable data breach scheme in the Privacy Act or an equivalent State/Territory data breach scheme. Where an entity is not covered by a notifiable data breach scheme, the Bill's provisions extend the Privacy Act's scheme to that entity.

22. The Bill will extend the definition of 'personal information' from the term used in the Privacy Act to ensure inclusion of any attributes used by an accredited provider that are not covered by the Privacy Act definition.

23. The Bill will build on existing privacy protections with a range of additional privacy safeguards to enhance how personal information and digital ID information is handled by accredited entities.
These include: requirements for express consent to share personal information with relying parties; prohibitions on the use of single identifiers between entities; prohibitions on data profiling and the use of information for direct marketing purposes; and restrictions on the use and retention of biometric information, including a prohibition on one-to-many biometric matching. The Bill will also provide additional safeguards over law enforcement access to personal information held by accredited entities.

24. The Bill will provide for accredited entities to be subject to financial penalties imposed by a court, enforceable undertakings, injunctions and infringement notices for a breach of an additional privacy safeguard.

25. The Bill aims to ensure that it remains voluntary for individuals to use a Digital ID to access government services through the AGDIS. The Bill will require the participating relying party to provide an alternative way for a person to access a service without using a Digital ID, whether that be paper-based, by phone, at a shopfront or by other means. The Bill will provide an exception to this 'voluntariness rule' where an individual is accessing a service while acting on behalf of a business or in a professional capacity.

Governance and regulatory mechanisms

26. The Bill will provide a range of governance and regulatory mechanisms to administer and promote compliance with the Act. These will include:
• a Digital ID Regulator with responsibility for administering the Accreditation Scheme and for overseeing and maintaining the AGDIS, including approving entities' participation in the AGDIS - the Regulator is to be the Australian Competition and Consumer Commission (ACCC);
• an expanded role for the Information Commissioner as regulator for the additional privacy safeguards in the Accreditation Scheme;
• a System Administrator for the AGDIS, with functions related to providing assistance to participating entities, and managing the fraud and cyber incident reporting in, and availability of, the AGDIS - the System Administrator is to be the Chief Executive Centrelink;
• an independent Digital ID Data Standards Chair who would have responsibility for making standards about various matters relating to the AGDIS and the Accreditation Scheme.

Structure of the proposed legislative framework

27. The proposed legislative framework will comprise the Bill and a range of disallowable and non-disallowable legislative instruments. The aim of providing these legislative instruments is to support the implementation and ongoing administration of the legislation.

28. The Bill will require the Minister to make two sets of disallowable legislative rules:
• the Accreditation Rules to prescribe a range of matters related to the scope and operation of the Accreditation Scheme, including the privacy, security, accessibility and other standards to apply to accredited entities.
  o These rules would be capable of including new types of Digital ID services in future, such as verifiable credentials, to ensure the Accreditation Scheme can keep up-to-date with developments in digital ID technologies.
• the Digital ID Rules would be able to prescribe a range of matters related to the scope and operation of the AGDIS, Digital ID trustmarks and other aspects of the legislative framework, including the charging of fees.

29. The Bill will also provide for the Minister to make other legislative instruments necessary for the implementation and administration of the legislative framework. These legislative instruments would relate to matters such as the phased expansion of the AGDIS.

30. The Bill will provide for the Digital ID Data Standards Chair to make standards to support the implementation and operation of the Accreditation Scheme and AGDIS. Data Standards made under the Bill would be legislative, but not disallowable, instruments covering matters such as data standards, design standards, and service level determinations.

FINANCIAL IMPACT STATEMENT

31. Financial impact - Progressing the Bill is anticipated to provide financial savings for the Commonwealth, by enabling increased use of Digital ID to verify and authenticate people's identity digitally for government services instead of more costly identity verification such as in-person or phone-based methods (noting these methods will remain available for government services required to maintain alternative channels). Reflecting that Digital IDs provided by accredited providers under this legislation can provide a high level of confidence in a person's identity (and the associated security requirements), the Bill may also enable reduced identity-related fraud across government services that utilise Digital ID, thereby realising revenue savings for the Commonwealth.

32. The Commonwealth has spent $781.9 million on the Digital ID Program over the financial years 2016-17 to 2023-24. This has included funding for development of this Bill and delivery of regulatory functions by the Australian Competition and Consumer Commission, the Office of the Australian Information Commissioner (OAIC), and Services Australia's System Administrator role. Further expenditure will be required in future.

33. Compliance cost impact - The compliance cost of this Bill is the estimated amount it will cost entities to participate in the Accreditation Scheme or the AGDIS and to comply with the proposed regulations, based on the time and labour cost of undertaking required activities (i.e., it is not a 'fee' or 'charge' to use the AGDIS). The annual economy-wide cost of compliance with the regulatory framework under the Bill has been estimated at $1.5 million, as set out in the Impact Analysis: Legislating the Australian Government Digital ID Program. However, this is more than offset by the anticipated economic benefits. For example, the Impact Analysis conservatively estimated that the indirect whole-of-economy benefits include $3.3 billion annually related to individual time savings alone, based on current arrangements where people can use a Digital ID instead of manual identity verification processes.

REGULATION IMPACT STATEMENT

34. The Regulation Impact Statement appears at the end of this explanatory memorandum.

STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS

35. The Bill is compatible with human rights, and to the extent that it may limit human rights, those limitations are reasonable, necessary and proportionate. A Statement of Compatibility with Human Rights, prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011, appears at the end of this explanatory memorandum.


NOTES ON CLAUSES

Chapter 1 - Introduction

Part 1 - Preliminary

Clause 1 - Short title

1. This clause provides that the short title of the Bill, if enacted, would be the Digital ID Act 2023.

Clause 2 - Commencement

2. This clause provides for the commencement of each provision in the Bill, as set out in the table in subclause 2(1). Subclause 2(2) provides that information in column 3 of the table in subclause 2(1) will not be part of the Act.

3. Item 1 in the table in subclause 2(1) provides that the whole of the Bill will commence on a day to be fixed by proclamation, but if there is no date proclaimed within 6 months of the Act receiving Royal Assent, the Bill would commence 6 months after Royal Assent.

4. The note to the table in subclause 2(1) provides that the table relates only to the provisions of the Bill as originally enacted. It will not be amended to deal with any later amendments of the Act. This provides clarity for the reader.

Clause 3 - Objects

5. This clause explains that the objects of the Bill are to provide individuals with secure, convenient, voluntary and inclusive ways to verify their identity in online transactions with government and businesses. Promoting trust in digital ID services, including by ensuring less data is shared and stored, and in a more secure way, will facilitate economic benefits for, and reduce burdens on, the Australian economy.

6. The way this is done in the Bill is to:
• establish a voluntary Accreditation Scheme for digital ID service providers;
• provide for an AGDIS for use by the Commonwealth, State and Territory governments and private sector;
• embed strong privacy and consumer safeguards, in addition to the Privacy Act; and
• establish governance arrangements including the ACCC as the Digital ID Regulator and an expanded role for the Information Commissioner as Privacy Regulator.

Clause 4 - Simplified outline of this Act

7. This clause provides a simplified outline of the Bill. The simplified outline is included to assist readers to understand the legislative framework that will be established by the Bill. The outline is not intended to be comprehensive. It is intended that readers will rely on the substantive clauses of the Bill. This clause provides an overview of the Bill.

Clause 5 - Act binds the Crown

8. This clause provides that the Bill would apply to the Crown in each of its capacities, namely the Crown in right of the Commonwealth and of each of the States and Territories.

Clause 6 - Extension to external Territories

9. This clause ensures that the Bill would apply consistently throughout Australia's external territories.

Clause 7 - Extraterritorial operation

10. This clause extends the Bill to conduct, matters, and other things that occur outside Australia. A note to subclause 7(1) refers to clause 160, which sets out the geographical jurisdiction of the civil penalty provisions in the Bill.

11. Providing for things occurring outside Australia is necessary because foreign corporations registered in Australia under the Corporations Act may be accredited, individuals may be overseas when they use their digital ID to obtain services in Australia, and entities may also handle digital ID information outside Australia.

12. Subclause 7(2) makes clear that any extraterritorial operation of the Bill is subject to international law, and to agreements that are binding on the Commonwealth.

Clause 8 - Concurrent operation of State and Territory laws

13. This clause clarifies that the Bill and legislative rules ('this Act' is defined to include the Act and the legislative rules (see clause 9)) would not exclude or limit the operation of a State or Territory law where that other law is capable of operating concurrently with the Act or rules. This includes, for instance, State and Territory privacy laws that are comparable in protecting personal information, monitoring compliance and providing recourse.

Part 2 - Interpretation

Clause 9 - Definitions

14. This clause defines key terms used in the Bill. Some defined terms are signposts that refer readers to the clauses in which those terms are substantively defined, and some terms adopt definitions from other legislation such as the Privacy Act.

15. Some key concepts in the Bill are digital ID and digital ID system, accredited entity, attribute, accredited services, participate, participating relying party and relying party, and personal information.

16. Accredited entity will mean a kind of service provider that is accredited to provide services (within a digital ID system). The kinds of service providers will be defined in the Bill: identity service provider, identity exchange provider and attribute service provider. Each kind will be defined in the Bill by reference to the range of services that kind of provider may provide. The definitions for each kind of service provider refer to the services 'provided' or 'proposed to be provided' by the service provider. It is necessary to refer to services 'proposed to be provided' by the service provider to enable applicants for accreditation to apply before they have joined a digital ID system - that is, before they are actually providing the services for which they intend to be accredited. Without these words, a service provider would need to be providing unaccredited services first, and an object of this Bill is to encourage service providers to seek accreditation for their services.

17. Accredited services: an accredited entity is accredited to provide the services listed in the definition for the kind of service provider it is accredited as, or a subset of those services. The notes for the definition provide signposts for the reader.
An entity may intend to provide the full range of services described in the definition for the kind of accredited entity it is accredited as, or may intend to provide only some of the services described, in which case a condition of the entity's accreditation would limit, exclude or restrict some of the services (see clause 16: accreditation is subject to conditions). This also reflects that the assessment of an entity for accreditation will usually deal only with the services it intends to provide, and whether its information technology system, processes and controls meet the requirements (largely to be in the Accreditation Rules) to the standard required for accreditation. If the entity intends to expand the range of its accredited services in the future, it would need to apply for a variation of its accreditation condition, specifying its services (and most likely undergo a further assessment to ensure it will be able to comply with the Act and rules if the services are expanded).

18. Biometric information of an individual will mean information about any measurable biological characteristic relating to an individual that could be used to identify the individual or verify the individual's identity, and includes biometric templates. Biometric information can include any features of a person's face, fingerprints, iris, palm, signature, or voice. The Bill provides specific obligations in respect of biometric information.

19. Digital ID of an individual would mean a distinct electronic representation of the individual that enables the individual to be sufficiently distinguished from other individuals when interacting online with, or obtaining services from, a relying party.

20. Digital ID system will mean a federation of entities that facilitates or manages the verification of an individual's identity and/or, after verifying the identity, the authentication of that digital ID or information about the individual.

21. Participate: references to 'participate' and 'participating' refer to participation in the AGDIS. Entities must be approved to participate either as an accredited entity or a participating relying party. An entity 'participates' in the AGDIS if, at a particular time, it holds an approval and it is directly connected to an accredited entity that is participating in the AGDIS, or the entity is an accredited entity that is directly connected to a participating relying party.

22. Participating relying party and relying party would mean an entity that would rely on an attribute of an individual provided by an identity service provider or attribute service provider to provide a service to an individual or enable the individual to access a service, such as using their digital ID to verify themselves and then be redirected to a particular service.
A participating relying party would mean a relying party that is approved to use the AGDIS. Relying parties are not accredited, as they receive services from accredited entities within a digital ID system but do not provide any services in a system.

23. Participating relying party is used in the Bill to distinguish between a relying party that is onboarded to the AGDIS and a relying party that is not onboarded. A relying party will be a participating relying party if it holds an approval to onboard and its onboarding day has arrived or passed.

24. Personal information: this term adopts the current meaning in the Privacy Act and extends it to cover any attributes of an individual to the extent the attribute (see the meaning of 'attribute' under clause 10 below) is not otherwise covered by the Privacy Act definition. While most attributes will be personal information, the Bill defines an 'attribute' of an individual to mean information that is associated with the individual, including information that is derived from another attribute. This is broader than information about an individual as used in the Privacy Act.

25. Relying party will mean an entity that relies, or seeks to rely, on an attribute of an individual that is provided by an identity service provider or attribute service provider to:
• provide a service to the individual; or
• enable the individual to access a service.

Clause 10 - Meaning of attribute of an individual

26. Clause 10 sets out what information will be an 'attribute of an individual' for the purposes of the Bill. This is broadly defined to cover any information 'associated with' an individual (which is wider than the Privacy Act definition of 'personal information', which refers at present to information about an individual). 'Attribute' includes information derived from another attribute of that individual, such as their age derived from their date of birth, or confirmation that the person is over a certain age.

27. Subclause 10(2) provides a non-exclusive list of the kinds of information associated with an individual that is an 'attribute':
• restricted attributes (see clause 11) and biometric information (see the definition in clause 9), both of which are particularly sensitive personal information;
• information considered to be a core attribute, that is, information that is necessary for the verification of the identity of an individual. Core attributes would include name and former name, address and former address, date of birth, mobile phone number and email address. Given the broadness of the meaning of 'attribute', it also covers all personal information; and
• when the individual's digital ID was created, which is information a relying party may require, particularly when involved with a higher risk transaction with a customer.

28. Accredited entities will be prohibited from collecting specified attributes, such as racial or ethnic origin or religious beliefs, if that information is solicited (see clause 44). Such information is not necessary to verify the identity of an individual.


Clause 11 - Meaning of restricted attribute of an individual 29. One class of 'attribute' is a 'restricted attribute' of an individual. A restricted attribute includes health information, information about a criminal record and an identifier of an individual contained on a document used for identification purposes. 30. The privacy-enhancing features of the Bill include strong safeguards involving restricted attributes, given the greater privacy impact that misuse of a restricted attribute could have, and the criminal uses to which the information could be put, if it is in the wrong hands. A key objective of the Accreditation Scheme, and use of the AGDIS, is to minimise the collection of restricted attributes by relying parties, ensuring they receive only those that are necessary for the particular relying party service their customer is accessing. Minimising disclosure of restricted attributes in this will help mitigate the increasing risk of data breaches involving identity information. 31. The Bill does not absolutely prohibit an accredited entity from collecting restricted attributes unless authorised (as is the case for biometric information). This would be unworkable for restricted attributes, given, other than very basic proofing levels, accredited entities will always, be required to collect, for verification and some authentication purposes, government documents with identifying numbers, particularly for stronger-level digital IDs. The individual chooses what documents to provide from lists of acceptable documents or, in some cases, will be required to provide particular documents such as a citizenship certificate. The Accreditation Rules will detail the requirements for identity proofing by accredited identity service providers so as to generate a digital ID at a particular strength, including the kinds of documents that may, or must, be provided for this purpose. 32. 
Imposing an obligation on an accredited entity not to collect any restricted attribute unless authorised by an accreditation condition, would impose an unreasonable burden on accredited entities when they have no control over what particular document an individual gives to them. However, the Bill includes restrictions on the disclosure of restricted attributes to relying parties as follows: • subclause 46(1): an accredited entity, when verifying or authenticating an individual, can disclose a restricted attribute of the individual to a relying party only if the individual has given express consent for the disclosure; • subclause 46(2): where an accredited entity is operating in a digital ID system other than the AGDIS, the accredited entity must not disclose a restricted attribute to a relying party unless an Digital ID Bill 2023 - Explanatory Memorandum: Page 15 of 319


accreditation condition authorises the entity to disclose the restricted attribute to that relying party. As relying parties using a system other than the AGDIS are not regulated under the Bill, and not required to be accredited under the Accreditation Scheme, it is appropriate that the obligation is on the accredited entity; • clause 75: participating relying parties (that is, relying parties that hold an approval to participate in the AGDIS under Chapter 4) are regulated under the Bill in their use of the AGDIS. Clause 75 provides that a participating relying party must not collect a restricted attribute unless authorised by a condition of participation. Imposing the condition on the participating relying party reflects that the accredited entity operating in the AGDIS may not know the identity of the participating relying party if the individual's consent for the disclosure was obtained by another participant in the AGDIS on behalf of the accredited entity (see the requirement in subclause 46(1). 33. In addition, the Bill enables regulation relating to restricted attributes, as additional privacy measures, as follows: • accreditation conditions can specify the kinds of restricted attributes an accredited entity can collect or disclose, and restricted attributes it must not collect or disclose (paragraphs 17(4)(c) and (d)). For example, an accreditation condition could authorise the entity to collect only restricted attributes of a kind specified in the condition. 
Such conditions can be imposed by the Digital ID Regulator or, if the condition is intended to apply to all accredited entities or to a class of accredited entity, included in the Accreditation Rules (see subclause 17(5));
• conditions of participation for accredited entities in the AGDIS and for participating relying parties can also specify the kinds of restricted attributes the entity can collect or disclose, and restricted attributes it must not collect or disclose, when operating in the AGDIS (see paragraphs 64(4)(c) and (d), which refer to 'attributes' and so include restricted attributes, and paragraph 64(5) in relation to conditions in the Digital ID Rules).

34. Given the sensitive nature of restricted attributes, there are mandatory requirements on the Digital ID Regulator when imposing a condition, and on the Minister when making legislative rules, that impose conditions authorising collection or disclosure of a restricted attribute. The requirements and matters are specified in clauses 17, 19 and 65. They include whether the entity has demonstrated that a similar outcome cannot be achieved without its collecting or disclosing the particular restricted attribute, and having regard to any privacy impact assessment conducted for the entity.

35. Another consideration for conditions involving restricted attributes is, if the collection or disclosure of the restricted attribute is regulated by other legislative or regulatory requirements, whether the entity has demonstrated that it can comply with those requirements. This reflects the intention that entities must comply with other laws relevant to the particular restricted attribute.

36. The Digital ID Regulator is also required, for transparency, to publish on its website its reasons for authorising a condition for the collection or disclosure of a restricted attribute. This is not necessary for the Minister, who is required under the Legislation Act 2003 to provide an explanatory statement with new legislative rules.

Clause 12 - Fit and proper person considerations

37. When exercising its powers under the Act involving accreditation and participation decisions, the Digital ID Regulator may consider whether an entity is a fit and proper person for the purposes of the Act. If so, clause 12 requires the Regulator to have regard to the matters (if any) specified in the Digital ID Rules (the making of which is subject to consultation requirements under clause 100).

38. The Digital ID Regulator may also have regard to any other matters it considers relevant, ensuring the Regulator can consider matters which may be specific to a particular entity or circumstances. For example, if not already a mandatory consideration in the Digital ID Rules, the Regulator could take into account a determination made by a State privacy commissioner dealing with a breach by an entity of that State's privacy law.

39. Applying the fit and proper person test will not be mandatory in respect of all applications (see subparagraph 15(5)(b)(i) for accreditation and paragraph 62(2)(a) for participation).
This is to give the Digital ID Regulator discretion, as the Regulator may not consider it necessary to apply this test to government entities or to entities that have been assessed as 'fit and proper' under other legislation applying to the entity (for example, in relation to the Consumer Data Right scheme established under the Competition and Consumer Act and the Competition and Consumer (Consumer Data Right) Rules 2020).

40. However, if the Regulator is to consider the fit and proper person test, the mandatory matters for consideration will be specified in legislative rules. It is expected they will align where possible with the Consumer Data Right fit and proper person considerations for entities applying for accreditation under that scheme.

Chapter 2 - Accreditation

Part 1 - Introduction

Clause 13 - Simplified outline of this Chapter

41. This clause provides a simplified outline of Chapter 2, which sets out provisions relating to the accreditation framework to be administered by the Digital ID Regulator. The outline is not intended to be comprehensive. Readers should rely on the substantive provisions of the Chapter.

Part 2 - Accreditation

Division 1 - Applying for accreditation

Clause 14 - Application for accreditation

42. Subclause 14(1) provides for entities to apply to the Digital ID Regulator to be accredited as one of the kinds of accredited entities. The kinds of accredited entities are:
• an accredited attribute service provider, which provides services verifying a particular attribute of an individual (for example, whether a person is a member of a particular profession);
• an accredited identity service provider, which provides services to verify the identity of an individual so as to create the individual's digital ID, or to authenticate the individual to their digital ID when they are reusing their digital ID;
• an accredited identity exchange provider, which provides services involving the flow of information between other entities in a digital ID system.

43. Paragraph 14(1)(d) allows the legislative rules to prescribe new kinds of digital ID services. This is necessary to provide for new kinds of accredited entities and digital ID services that may emerge in the future with technological advancements in the digital ID environment, for example, wallets holding verifiable credentials such as a digital licence.

44. Subclause 14(2) would provide that the kinds of entities that can apply for accreditation are:
• Australian public bodies;
• Australian companies; and
• foreign companies registered under the Corporations Act to carry on business in Australia.

Division 2 - Accreditation

Clause 15 - Digital ID Regulator must decide whether to accredit an entity

45. Clause 15 sets out the requirements for the Digital ID Regulator to accredit or refuse to accredit an entity, the matters it may consider, and the giving of notice of its decision on an application:
• subclause 15(3) deals with each kind of accredited entity and requires that the Digital ID Regulator not accredit an entity unless the entity provides, or will provide if accredited, all or some of the services for the kind of accredited entity it seeks to be accredited as. The range of services for the three kinds of service providers referred to in the Bill is detailed in the definitions: see clause 9;
• national security--under paragraph 15(4)(a) the Digital ID Regulator must not accredit an entity if the Minister has directed that the entity not be accredited for reasons of national security (within the meaning of the ASIO Act): see clause 27, which sets out the power of the Minister to give directions to the Digital ID Regulator for reasons of national security. The direction remains in force unless revoked by the Minister (subclause 27(3));
• compliance with this Act--under paragraph 15(4)(b) the Digital ID Regulator must not accredit an entity if it is not satisfied that the entity would be able to comply with the Act and the legislative rules which would apply to the entity if accredited. To determine if an applicant is able to comply with the Act and rules, the Digital ID Regulator may require the entity to undergo a compliance assessment (see clause 131) conducted by or on behalf of the Digital ID Regulator or by an independent assessor.
The applicant must be able to demonstrate that (for example) its systems and processes for providing its services will comply with the requirements that would apply to it if accredited in accordance with its application;
• requirements in the Accreditation Rules--under paragraph 15(4)(c), the Digital ID Regulator must not accredit an entity if the Accreditation Rules specify criteria to be met and the Regulator is not satisfied that the entity meets those criteria;
• specified matters in the Accreditation Rules--under paragraph 15(4)(d), the Digital ID Regulator must not accredit an entity if the Accreditation Rules require the Regulator to be satisfied of specified matters and it is not satisfied of those matters; and
• other relevant matters--paragraph 15(5)(a) will provide that the Digital ID Regulator, in deciding whether to accredit the entity, must have regard to the matters, if any, prescribed by the Accreditation Rules.

46. The Accreditation Rules, referred to in the above paragraphs, will be made by the Minister (see clauses 28, 168 and 169). Clause 28 states that the rules must provide for and in relation to matters concerning the accreditation of entities. The matters that may be in the Accreditation Rules are detailed in clause 28 (see the discussion on this below), which sets out a non-exclusive list, including requirements entities must meet in order to become (and remain) an accredited entity. The matters that may be in the Accreditation Rules include:
• privacy (in addition to the additional privacy safeguards in the Bill: see Chapter 3);
• security;
• fraud control;
• user experience and inclusion;
• conduct of assessments, including relating to the above matters; and
• testing of an entity's information technology systems and processes.

47. There is no requirement for additional application criteria, or mandatory considerations, for paragraphs 15(4)(b) and (c) and paragraph 15(5)(a). However, it is necessary and appropriate for the Accreditation Rules to be able to prescribe criteria that applicants must meet, and relevant matters of which the Regulator must be satisfied, when considering an application for accreditation. This is necessary because the Bill is technologically neutral, in that it does not lock in a particular information technology architecture, digital ID system or service model.

48.
This is different for the Accreditation Rules which, at commencement of the legislation, would be based on the current technological environment for digital ID systems generally. It is necessary for the rules to be able to accommodate future states and services expected through advancements and innovations in technology, models and services. The pace of advancement and innovation was highlighted through a pilot program run by the Government since 2019, under which government and private sector providers of digital ID services have been able to apply for and be accredited under the unlegislated TDIF. The pilot program has enabled issues to be identified with the design and operation of the Accreditation Scheme under the unlegislated TDIF (which will inform the content of the Accreditation Rules).

49. The pilot program also highlighted the varied range of matters that could be relevant to the accreditation of a particular kind of accredited entity, or to the particular services they were seeking to provide as accredited entities. For this reason, it is necessary and appropriate that the Accreditation Rules will be able to keep pace with changes, such as where security requirements need updating to meet emerging fraud and cybersecurity risks and threats, and be able to deal with matters that could not have been foreshadowed prior to the Act commencing.

50. Under paragraph 15(5)(b), the Digital ID Regulator, in considering an application for accreditation, may have regard to whether the entity is a fit and proper person and to any other matters it considers relevant. The fit and proper person consideration is not mandatory (see clause 12 above).

Decisions on accreditation applications

51. Subclause 15(6) will require the Digital ID Regulator to inform the applicant in writing of its decision and to provide its reasons if it refuses the application. Section 25D of the Acts Interpretation Act 1901, which states the minimum content of a statement of reasons, would apply.

52. A decision to refuse to accredit an Australian entity would be a 'reviewable decision' (see clauses 137 to 140), other than decisions made for reasons of security (within the meaning of the ASIO Act) in relation to an entity that is not an Australian entity (for 'Australian entity' see the definition in clause 9).

53.
The notice of a decision to accredit an entity must set out the kind of accredited entity that the entity is accredited as, the day the accreditation comes into force, and any conditions imposed by the Digital ID Regulator on the entity's accreditation (see subclause 15(7)).

54. Details of the accreditation, including any conditions imposed by the Digital ID Regulator, must be entered on the Digital ID Accredited Entities Register (see clause 120).

Clause 16 - Accreditation is subject to conditions

55. Clause 16 provides that an entity's accreditation is subject to conditions (accreditation conditions), and that the accredited entity must comply with those conditions. As the note explains, failure to comply with a condition may result in suspension or revocation of the entity's accreditation.

56. Conditions can be imposed as follows (paragraphs 16(1)(a) to (c)):
• by the Bill, as set out in subclause 17(1);
• by the Digital ID Regulator under subclause 17(2), including conditions as varied under subclause 20(1); and
• by the Accreditation Rules under subclause 17(5).

57. Nothing in the Bill would allow conditions imposed by the Digital ID Regulator or determined in the Accreditation Rules to be inconsistent with other provisions in the Bill.

58. Importantly for consumers of an accredited entity's services, conditions imposed by the Digital ID Regulator will be publicly available on the register required to be kept by the Digital ID Regulator (see clause 120).

59. The power to impose conditions, either by the Digital ID Regulator on individual entities or by the Accreditation Rules as standard conditions applying to all accredited entities or classes of entities, is necessary and appropriate because of the disparate kinds of systems, services and circumstances in the current digital environment and the need to tailor conditions to individual accredited entities or classes of accredited entities.

Clause 17 - Conditions on accreditation

60. Subclause 17(1) provides that a condition on all accreditations is that the accredited entity must comply with the Act and the rules.

Conditions imposed by the Digital ID Regulator

61. Paragraph 17(2)(a) gives the Digital ID Regulator power to impose conditions on an entity's accreditation at the time of accreditation or after the accreditation decision, if the Digital ID Regulator considers it appropriate in the circumstances. Importantly for consumers of an accredited entity's services, conditions imposed by the Digital ID Regulator will be publicly available on the register required to be kept by the Digital ID Regulator (see clause 120).

62.
Paragraph 17(2)(b) requires the Digital ID Regulator to impose a condition on an entity's accreditation if directed to do so by the Minister under subclause 27(1) for reasons of 'security' (as defined in the ASIO Act). The Minister may give a direction either at the time of accreditation or after an entity is accredited. It is appropriate that decisions involving national security matters sit with the Minister.

63. An applicant or accredited entity may apply to the Digital ID Regulator for a condition to be imposed: see subclause 17(3). For example, an attribute service provider may have been accredited to provide a service that verifies that a person is registered to practise as a nurse. After being accredited, the entity wants to also provide a service to verify that a registered nurse has been endorsed as a nurse practitioner. The entity may apply to the Digital ID Regulator for a new condition authorising it to provide the service in respect of the nurse practitioner attribute.

64. Subclause 17(4) sets out a non-exhaustive list of matters to which conditions imposed by the Digital ID Regulator may relate. These are:
• accredited services: any limitations, exclusions or restrictions in relation to the entity's accredited services;
• provision of services: the circumstances or manner in which the entity must provide its accredited services. For example, an identity service provider may apply to provide its services to individuals through a mobile application. A condition restricting the entity to providing its services in this manner may be necessary, as the entity's application for accreditation would have been assessed for compliance with requirements (including those involving privacy, security and user experience) only against its systems and processes for this manner of service delivery;
• restricted attributes:
   o the kinds of restricted attributes of individuals (if any) the accredited entity can collect or disclose;
   o the circumstances in which restricted attributes may be collected or disclosed; and
   o the kinds of restricted attributes of individuals (if any) that the entity must not collect;
• biometric information: the kinds of biometric information (if any) the entity may collect, use or disclose and the circumstances in which it may do so.
For example, an accredited identity service provider will not be able to use facial images to verify a person's identity at a Strong level unless authorised by an accreditation condition: see the restriction on the collection of biometric information of an individual in paragraph 49(1)(a);
• IT systems: the entity's information technology systems through which it would provide its accredited services, including restrictions on changes to such systems. For example, an identity exchange may apply to be accredited using a particular technological platform and would be assessed to determine if that platform has the functionality required to comply with requirements in the Act and rules, such as consent requirements. A condition may detail that platform so that the entity could not move to a new system while the condition is in effect;
• actions that the entity must take before the entity's accreditation is suspended or revoked. For example, a condition for an accredited identity service provider may be that the entity does not generate any new digital IDs in the period from notice of the decision to revoke or suspend its accreditation to the date that the decision takes effect, and that it notifies those using its digital ID services of the decision and of alternative services available.

Conditions imposed by the Accreditation Rules

65. Subclause 17(5) authorises the Minister to specify accreditation conditions in the Accreditation Rules applying to each accredited entity, or to each accredited entity included in a specified class. Subclause (6) clarifies that the conditions in the rules may be on the same matters as those listed in subclause (4). The Minister will be required to consult on proposed rules except where urgency applies (see clause 169).

Clause 18 - Conditions relating to restricted attributes of individuals

66. Clause 18 imposes requirements on the Digital ID Regulator before it imposes an accreditation condition authorising an accredited entity to collect or disclose a restricted attribute. The meaning of 'restricted attribute' is given in clause 11. The discussion on clause 11 above gives an overview of how the Bill treats restricted attributes and the privacy-enhancing provisions applying to them, including this clause.

67.
Before imposing the condition, the Digital ID Regulator must have regard to the following (see subclause (2)):
• whether the entity has provided sufficient justification for the need to collect or disclose the restricted attribute;
• whether the entity has demonstrated that a similar outcome cannot be achieved without collecting or disclosing the restricted attribute;
• if the collection or disclosure of the restricted attribute is regulated by other legislative or regulatory requirements--whether the entity has demonstrated that it can comply with those requirements;
• the potential harm that could result if restricted attributes of that kind were disclosed to an entity that was not authorised to collect them;
• community expectations as to whether restricted attributes of that kind should be handled more securely than other kinds of attributes;
• any of the following information provided by the entity seeking authorisation to collect or disclose the restricted attribute:
   o the entity's risk assessment plan as it relates to the restricted attribute;
   o the entity's privacy impact assessment as it relates to the restricted attribute;
   o the effectiveness of the entity's protective security (including security governance, information security, personnel security and physical security), privacy arrangements and fraud control arrangements;
   o the arrangements in place between the entity and relying parties for the protection of the restricted attribute from further disclosure; and
• any other matter the Digital ID Regulator considers relevant.

68. It is a matter for the entity whether to provide the particular documents or information listed in paragraph (2)(f). However, if the information is not provided, the Digital ID Regulator may not be able to be satisfied that it is appropriate to impose the condition in the circumstances (see paragraph 17(2)(a) and clause 20, under which the decisions are made).

69. In relation to arrangements between the entity and relying parties for the protection of the restricted attribute from further disclosure, this reflects that the obligations are placed on accredited entities under the Accreditation Scheme (relying parties are not accredited). An accredited entity may be able to demonstrate additional protections for a restricted attribute by, for example, having a binding agreement with the relying party that the relying party will not disclose the restricted attribute further.
This provision does not apply to participating relying parties in the AGDIS, as conditions can be imposed on them directly about restricted attributes (see Chapter 4).

70. Subclause (3) requires the Digital ID Regulator to publish a statement of reasons if it imposes a condition authorising collection or disclosure of a restricted attribute, so as to explain publicly why it was appropriate in the circumstances to give the authorisation to the particular accredited entity (see section 25D of the Acts Interpretation Act 1901 as to the content of a statement of reasons).

Conditions and other laws restricting attributes

71. If the Digital ID Regulator were to impose a condition authorising an accredited service provider to disclose restricted attributes in a digital ID system or in the AGDIS, this would be subject to other specific laws regulating restricted attributes such as healthcare identifiers or tax file numbers. For example, if the Healthcare Identifiers Act 2010 prohibits collection, use and disclosure of a healthcare identifier by a person that may also be an entity under the Bill, then a condition will need to be consistent with that prohibition.

Clause 19 - Requirements before Accreditation Rules impose conditions relating to restricted attributes or biometric information of individuals

72. Clause 19 imposes requirements on the Minister before making Accreditation Rules that would impose an accreditation condition authorising an accredited entity to collect or disclose a restricted attribute or biometric information. The note refers to the obligation on the Minister to consult the Information Commissioner (which is in addition to the other consultation requirements in clause 169).

73. For restricted attributes, see the discussion in clause 12 above. Requirements relating to biometric information include that biometric information not be collected or disclosed by an accredited entity unless the accredited entity is authorised to do so by an accreditation condition or a provision of the Bill (see clause 48).

74.
Subclause (2) sets out the mandatory matters to be considered:
• the potential harm that could result if the information were disclosed to an entity;
• community expectations about the collection, use or disclosure of the information;
• if the collection or disclosure of the restricted attribute is regulated by other legislative or regulatory requirements--whether the entity would be able to comply with those requirements if the rules were made;
• any privacy impact assessment that has been conducted in relation to the proposal to make the rules; and
• any other matter the Minister considers relevant.

Clause 20 - Variation and revocation of conditions on accreditation

75. Clause 20 provides that the Digital ID Regulator may vary or revoke a condition it has imposed on an entity's accreditation if it considers it appropriate to do so, and that it may do so at any time on its own initiative or on application by an accredited entity. When considering if it is appropriate to do so, the Regulator may have regard to matters relating to the security, reliability and stability of the AGDIS for entities that are also approved to participate in the AGDIS.

76. Where a condition has been imposed at the direction of the Minister for reasons of national security, subclause (2) requires that the Digital ID Regulator also revoke the condition if the Minister revokes the direction.

Clause 21 - Applying for variation or revocation of conditions on accreditation

77. Clause 21 provides that an accredited entity can apply for an accreditation condition imposed by the Digital ID Regulator (under paragraph 17(2)(a)) to be varied or revoked. If the Digital ID Regulator refuses the application, the Digital ID Regulator must give written notice to the entity with reasons for the refusal.

78. The note to subclause (1) refers the reader to the requirements for applications detailed in Part 5 of Chapter 9.

Clause 22 - Notice before changes to conditions on accreditation

79. Clause 22 applies where the Digital ID Regulator proposes, on its own initiative, to impose, vary or revoke a condition on an accredited entity, and ensures that the entity is given notice of the proposal and the opportunity to comment on it, other than where the proposal is considered serious and urgent.

80.
The clause requires the Digital ID Regulator to:
• give notice to an accredited entity if the Regulator proposes, on its own initiative, to impose an accreditation condition on the entity, or to vary or revoke an accreditation condition (other than where the condition was imposed at the time of accreditation, or the entity has made an application under clause 21);
• include in the notice details about the proposed condition, variation or revocation;
• include in the notice a request that the entity provide the Regulator with a written statement relating to the proposal, and that it does so within a specified period; and
• consider any written statement from the entity before making a decision on the proposal.

81. Subclause 22(4) provides that the notice requirement would not apply if the Digital ID Regulator reasonably believes that the need to impose, vary or revoke the condition is serious and urgent. In that case, the Regulator must give the entity a written statement of reasons, within 7 days of its decision, as to why the Regulator reasonably believes that the need to impose, vary or revoke the condition is serious and urgent.

82. Ousting natural justice requirements in these serious and urgent circumstances ensures the Digital ID Regulator can act urgently. For example, the Digital ID Regulator may reasonably believe that it is necessary to revoke a condition authorising an entity to disclose a particular restricted attribute, such as a licence number, due to risks following a security breach involving the issuer of the restricted attribute.

Other provisions relating to decisions on conditions

83. Decisions involving accreditation conditions would be reviewable decisions (see clauses 137 to 140), other than decisions made for reasons of security in relation to an entity that is not an Australian entity (for 'Australian entity' see the definition in clause 9).

84. Any changes to conditions would be publicly available on the register required to be kept by the Digital ID Regulator (see clause 120).

Clause 23 - Notice of decision of changes to conditions on accreditation

85. Clause 23 requires the Digital ID Regulator to give an entity written notice of a decision to impose, vary or revoke a condition on the entity's accreditation, other than where the condition was imposed as part of a decision to accredit the entity and notice has already been given under subclause 15(7).
The notice must state the date on which the condition, variation or revocation takes effect.

Division 3 - Varying, suspending and revoking accreditation

Clause 24 - Varying accreditation

86. Clause 24 will allow the Digital ID Regulator to vary an accredited entity's accreditation where there has been a change in the accredited entity's name. For example, a government entity may be the subject of a machinery of government change resulting in a name change.

87. The note to the clause refers to accreditation conditions also being able to be varied. Otherwise, the accreditation of an entity cannot be varied.

Clause 25 - Suspension of accreditation

88. Clause 25 will detail when an accredited entity's accreditation must or may be suspended.

89. Suspension of accreditation may be for a specified period, or until a specified event occurs or specified action is taken (see paragraphs 25(10)(e) and (f)).

Effect of suspension

90. While a suspension is in force, the entity would be taken not to be accredited (subclause 25(11)). However, the entity will continue to be subject to the regulatory powers of the Digital ID Regulator (see, for example, the directions power in paragraph 127(1)(f)). The suspended entity may also be subject to compliance action for matters that occurred while the entity was accredited, including, for example, complaints and investigations by the Information Commissioner involving breaches of the additional privacy safeguards in the Bill (see Division 2 of Chapter 3).

91. Under subclause 25(11), if an accredited entity's accreditation is suspended and it holds an approval to participate in the AGDIS, the entity is taken not to hold the approval while the entity's accreditation is suspended.

Other matters involving suspension

92. Decisions involving a suspension of accreditation would be reviewable decisions (see clauses 137 to 140), other than decisions made for reasons of security in relation to an entity that is not an Australian entity (for 'Australian entity' see the definition in clause 9).

93. The fact of a suspension of an entity's accreditation would be publicly available on the register required to be kept by the Digital ID Regulator (see clause 120).

Digital ID Regulator must suspend if directed by the Minister

94.
Subclause 25(1) provides that the Digital ID Regulator must suspend an entity's accreditation if the Minister has given a direction, for reasons of national security, to suspend the entity's accreditation (see clause 27, dealing with directions on national security grounds). The suspension remains in force until revoked by the Minister (see clause 27), which has the effect that the Digital ID Regulator has no power to revoke the suspension itself. It is appropriate that decisions involving national security sit with the Minister.

Digital ID Regulator may decide to suspend

95. Subclause 25(2) gives the Digital ID Regulator power to suspend an entity's accreditation, requires that the suspension be in writing, and sets out the grounds for a suspension. Subclauses 25(3) to (5) provide additional information in respect of some of the grounds. The grounds, and the additional information related to them, will be:
• the Digital ID Regulator reasonably believes that the accredited entity has contravened or is contravening the Act or rules;
• the Digital ID Regulator reasonably believes that there has been a cyber security incident involving the entity. 'Cyber security incident' is defined in clause 9 to include unauthorised attempts to gain access to, modify or interfere with a system, service or network, or to impair the availability, reliability, security or operation of a system, service or network. Such attempts would not be grounds for suspension unless the Digital ID Regulator is satisfied that the attempts involve an unacceptable risk to the provision of the entity's accredited services (see subclause 25(3)).
This would ensure that attempts that do not pose a risk to the accredited services cannot lead to suspension (but could be the subject of other compliance action, for example, a direction under clauses 127 or 128) such as requiring a security assessment to be conducted); • the Digital ID Regulator reasonably believes that a cyber security incident involving the entity is imminent; or • if the entity is a body corporate--the entity becomes a Chapter 5 body corporate (within the meaning of the Corporations Act) - that is, a body corporate that is being wound up, in respect of its property, a receiver, or a receiver and manager, has been appointed (whether or not by a court) and is acting, it is under administration, it has executed a deed of company arrangement that has not yet terminated, or it has entered into a compromise or arrangement with another person the administration of which has not been concluded; • the Digital ID Regulator is satisfied that it is not appropriate for the entity to be an accredited entity. The Regulator may have regard to whether the entity is a fit and proper person (subclause 4) and subclause (5) makes it clear that this reference does not limit the matters the Digital ID Regulator may consider. The note to subclause (4) refers to clause 12 which sets out the matters the Digital ID Bill 2023 - Explanatory Memorandum: Page 30 of 319


Regulator must, or may, consider when considering if an entity is a fit and proper person; • circumstances specified in the Accreditation Rules apply in relation to the entity. It is necessary and appropriate for the Accreditation Rules to be able to specify additional circumstances to ensure that the Accreditation Scheme keeps pace with emerging risks and threats in the digital environment and to accommodate future states and services expected through advancements and innovations in technology, models and services. 96. The note to subclause 25(2) refers to other action the Digital ID Regulator may take involving a suspension, namely to impose an accreditation condition before suspending an entity's accreditation (see paragraph 17(4)(g)) and to give a direction to give effect to a decision to suspend (see paragraph 127(1)(e)). Show cause notice 97. Clauses 25(7) and (8) will apply (subject to subclause 9) where the Digital ID Regulator is proposing to suspend the accreditation of an accredited entity and require that a 'show cause' notice is given to the entity. The notice must state the grounds for the suspension and give the entity the opportunity to respond. The entity must be invited to give the Digital ID Regulator, within 28 days after the day the notice is given, a written statement showing cause why its accreditation should not be suspended. 98. However, subclause 25(9) will provide that the 'show cause' requirements will not apply where the grounds for the suspension involve a cyber security incident as referred to in paragraphs 25(2)(b) or (c). 
Ousting natural justice requirements where the Digital ID Regulator reasonably believes that a cyber security incident has occurred or is imminent is necessary where there is a need to immediately deal with serious risks to the security and reliability of the entity's accredited services (and the Digital ID Regulator is not satisfied that the circumstances may give rise to a decision to revoke the entity's accreditation). Accredited entity may apply for suspension 99. Subclause 25(6) provides that an accredited entity may apply for its accreditation to be suspended, in which case the Digital ID Regulator may (but is not required to) suspend its accreditation. The note to subclause (6) will refer the reader to the requirements for applications detailed in Part 5 of Chapter 9. Digital ID Bill 2023 - Explanatory Memorandum: Page 31 of 319


100. An example of circumstances in which an accredited entity may seek suspension is where the entity is considering ending its accreditation and wants suspension while considering its decision.

Notice where accreditation is suspended

101. Subclause 25(10) provides that if the Digital ID Regulator suspends an entity's accreditation, either as directed by the Minister, on its own initiative or as requested by an accredited entity, the Regulator must give a written notice to the entity stating:
• that the entity's accreditation is suspended;
• if the entity is accredited as more than one kind of accredited entity, the accreditation that is suspended;
• the reasons for the suspension;
• the day the suspension is to start;
• if the suspension is for a period, the period of the suspension; and
• if the suspension is until a specified event occurs or action is taken, the event or action.

Revocation of suspension

102. Subclauses 25(12) to (14) deal with revocation of the suspension of an entity's accreditation, other than where the suspension was on the basis of a direction by the Minister (in which case the suspension remains in effect unless revoked by the Minister (see clause 27)).

103. If the Digital ID Regulator decided, on its own initiative, to suspend an entity's accreditation, the Regulator may revoke the suspension by written notice to the entity (subclause 25(12)).

104. If the Digital ID Regulator suspends an entity's accreditation on application by the entity and the entity requests that the suspension be revoked, the Regulator must revoke the suspension by written notice to the entity (subclause 25(13)).

105. The notice to the entity must specify the day the revocation takes effect (subclause 25(14)).

Clause 26 - Revocation of accreditation

106. Clause 26 details when an accredited entity's accreditation must or may be revoked.
107. Under subclause 26(7), if an accredited entity's accreditation is revoked and it holds an approval to participate in the AGDIS, the Digital ID Regulator must at the same time revoke the entity's approval to participate.

108. An entity's accreditation may be revoked even if a suspension is in force (under clause 25) and notwithstanding that the effect of suspension is that the entity is no longer accredited (as described in paragraph 25(11)(a)).

Other matters involving revocation of accreditation

109. Decisions involving revocation of accreditation will be reviewable decisions (see clauses 137 to 140), other than decisions made for reasons of security in relation to an entity that is not an Australian entity (for 'Australian entity' see the definition in clause 9).

110. The fact of a revocation of an entity's accreditation will be publicly available on the register required to be kept by the Digital ID Regulator (see clause 120).

Digital ID Regulator must revoke if directed by the Minister

111. Subclause 26(1) will provide that the Digital ID Regulator must revoke an entity's accreditation if the Minister has given a direction, for reasons of national security, to revoke the entity's accreditation (see clause 27 dealing with directions on national security grounds). It is appropriate that decisions involving national security sit with the Minister.

Digital ID Regulator may decide to revoke accreditation

112. Subclause 26(2) gives the Digital ID Regulator power to revoke an entity's accreditation, requires that the revocation be in writing and sets out the grounds for revocation. Revocation of accreditation will be a significant penalty for an accredited entity and will support compliance and act as a deterrent to non-compliance with the Act or Accreditation Rules.

113. The grounds for revocation will be:
• the Digital ID Regulator reasonably believes that the accredited entity has contravened or is contravening the Act or rules;
• the Digital ID Regulator reasonably believes that there has been a cyber security incident involving the entity and that the incident is serious;
• if the entity is a body corporate--the entity becomes a Chapter 5 body corporate (within the meaning of the Corporations Act). A Chapter 5 body corporate is explained at clause 25;
• the Digital ID Regulator is satisfied that it is not appropriate for the entity to be an accredited entity. The Regulator may have regard to whether the entity is a fit and proper person (subclause (3)), but subclause (4) makes it clear that this reference does not limit the matters the Digital ID Regulator may consider. The note to subclause (3) refers to clause 12, which sets out the matters the Regulator must, or may, consider when considering if an entity is a fit and proper person; or
• circumstances specified in the Accreditation Rules apply in relation to the entity. It is necessary and appropriate for the Accreditation Rules to be able to specify additional circumstances to ensure that the Accreditation Scheme keeps pace with emerging risks and threats in the digital environment and to accommodate future states and services expected through advancements and innovations in technology, models and services. The rules will be able to specify circumstances that may not have been foreshadowed prior to the Act commencing.

114. The note to subclause 26(2) refers to other action the Digital ID Regulator may take involving a revocation, namely imposing an accreditation condition before revoking the entity's accreditation and giving a direction to give effect to a decision to revoke an entity's accreditation (see paragraph 127(1)(b)).

Show cause notice

115. Subclauses 26(8) and (9) apply (subject to subclause (10)) where the Digital ID Regulator is proposing to revoke, on its own initiative, an entity's accreditation, and require that a 'show cause' notice is given to the entity. The notice must state the grounds for the revocation and give the entity the opportunity to respond. The entity must be invited to give the Digital ID Regulator, within 28 days after the day the notice is given, a written statement showing cause why its accreditation should not be revoked.

116. However, subclause 26(10) provides that the 'show cause' requirements would not apply where the ground for the revocation involves a serious cyber security incident. Ousting natural justice requirements is appropriate where the Digital ID Regulator reasonably believes that a serious cyber security incident has occurred and that it is of such a serious nature that it is appropriate to immediately revoke the entity's accreditation.

Accredited entity may apply for revocation

117. Subclause 26(5) provides that the Digital ID Regulator must revoke an entity's accreditation if the entity applies for revocation. While the Regulator must revoke if requested by the entity, the decision as to when the revocation takes effect is a matter for the Regulator (subclause 26(6)). The intent is to allow the Regulator to take necessary steps before the accreditation is revoked. This may include, for example, imposing a condition on the accredited entity to notify its customers and offer to provide assistance to them to seek an alternative service.

Notice where accreditation is revoked

118. Subclause 26(11) provides that if the Digital ID Regulator revokes an entity's accreditation, either as directed by the Minister, on its own initiative or as requested by an accredited entity, the Regulator must give a written notice to the entity stating:
• that the entity's accreditation is to be revoked;
• if the entity is accredited as more than one kind of accredited entity, the accreditation that is to be revoked;
• the reasons for the revocation; and
• the day the revocation is to take effect.

Division 4 - Minister's directions regarding accreditation

Clause 27 - Minister's directions regarding accreditation

119. Clause 27 will allow the Minister to direct the Digital ID Regulator in relation to the accreditation of an entity for reasons of national security, and only for these reasons. It is appropriate that decisions involving national security sit with the Minister.

120. Subclause 27(1) empowers the Minister to direct the Digital ID Regulator to refuse to accredit an entity, impose accreditation conditions on an entity, and suspend or revoke an entity's accreditation, but only for reasons of 'security' (within the meaning of the ASIO Act), including on the basis of an adverse or qualified security assessment provided by ASIO.

121. The ASIO Act will be amended by the Transitional Bill to ensure that ASIO has the requisite functions to provide such assessments for the purposes of this Chapter.

122. Subclause 27(2) will provide that the Digital ID Regulator must comply with a direction given by the Minister under subclause 27(1).

123. A direction remains in force until it is revoked by the Minister, in which case the Minister must notify the Digital ID Regulator and the entity (subclause 27(3)). For conditions imposed at the direction of the Minister, the fact that a direction remains in force until revoked by the Minister means that such a condition cannot be varied. If the Minister wants the direction varied, the Minister must revoke the direction involving a condition and give a new direction about conditions.

124. However, the Minister cannot revoke a direction under which an entity's accreditation is revoked (subclause 27(4)). Nothing prevents the entity from reapplying for accreditation.

125. Subclause 27(5) clarifies that a direction given by the Minister is not a legislative instrument within the meaning of section 8(1) of the Legislation Act 2003 (Legislation Act). An instrument made under this clause is administrative in nature, as it gives content to the law rather than prescribing a substantive exemption from the requirements of the Legislation Act (which applies to legislative instruments).

126. It is not intended that the Bill will limit or exclude an entity's right to procedural fairness in respect of the Minister's decisions on accreditation.

127. Requirements for notice of a decision of the Digital ID Regulator in compliance with a ministerial direction are dealt with in subclause 23(1) (imposing a condition), subclause 25(1) (suspending accreditation) and subclause 26(6) (revoking accreditation).

128. Decisions of the Minister about directions involving national security will be reviewable decisions (see clauses 137 to 140), other than decisions made for reasons of security in relation to an entity that is not an Australian entity (for 'Australian entity' see the definition in clause 9).

Division 5 - Accreditation Rules

Clause 28 - Accreditation Rules

129. This clause requires that the Accreditation Rules must provide for matters concerning the accreditation of entities, and provides a non-exclusive list of matters that may be in the Accreditation Rules. Together with the privacy and consumer obligations in the Bill, the Accreditation Rules provide for the content of the Accreditation Scheme. The purpose of the Accreditation Rules, with the additional privacy safeguards in the Bill, is to provide a set of nationally consistent standards for providers of digital ID services.

130. Having the Accreditation Rules able to set out the range of standards that would apply to accredited entities and classes of accredited entities gives the Minister the ability to impose contemporary standards for accredited entities, including to ensure the rules continue to provide strong protections related to entities' accredited services.
131. For example, the rules may require accredited entities to comply with a recognised standard for protective security such as the Government's Protective Security Policy Framework or the internationally recognised ISO 27000 series security standards published by the International Standards Organisation, security standards established by the Australian Government Information Security Manual and the Australian Signals Directorate's Essential Eight Maturity Model.

132. The Accreditation Rules may also provide for processes and requirements to support the operation of the Accreditation Scheme and to ensure they remain contemporaneous in the fast-moving digital environment.

Content of the Accreditation Rules: requirements and standards

133. Subclause (2) provides a non-exhaustive list of matters that the Accreditation Rules may address. This includes requirements for accreditation (including requirements for privacy, security, fraud control and the like), as well as the carrying out of assessments (such as privacy impact assessments, fraud assessments and security assessments), periodic compliance reviews, mandatory monitoring requirements, and security requirements related to the collection, use and disclosure of attributes, restricted attributes and biometric information.

134. Rules relating to user experience requirements will be expected to require that an entity's information technology system (through which it provides its accredited services and which is public-facing) is designed to meet international standards for accessibility, and that the interests of persons across a broad section of society are considered in the design of their digital ID systems.

135. It is expected the Accreditation Rules will include:
• the privacy, fraud and protective security requirements that entities must meet to obtain and maintain accreditation. For example, policies and procedures that must be in place, risk assessments that must be completed, and requirements for key personnel (such as privacy officers, fraud control officers and security officers). It is also intended that the rules will require entities to implement and maintain controls to manage fraud and cyber security risks involving their accredited services;
• usability requirements that entities must meet in the design of their identity facilities, including for usability testing to be undertaken;
• requirements for technical testing an entity must complete prior to accreditation. For example, testing to ensure that an entity's fraud and cyber security controls are working effectively, and that audit logs of critical events are kept;
• requirements for assessments, such as those involving privacy, fraud and security controls, to be conducted by external assessors to demonstrate that an entity complies with the Act and rules;
• requirements related to identity proofing and biometric verification that an identity service provider must implement to verify the identity of individuals; and
• requirements for entities to undergo annual assessments to maintain their accreditation, including annual functional assessments and technical testing, as well as providing updated documentation to the Digital ID Regulator relating to privacy, fraud and protective security matters.

136. These matters are consistent with the existing unlegislated TDIF scheme, which was first developed in 2015.

137. Additional matters may be included in the Accreditation Rules to allow the Accreditation Scheme to evolve, for instance, to cater to changes in technology that should be reflected in accreditation criteria or to create new kinds of accredited entities.

138. In addition, the Accreditation Rules may refer to other documents such as international or national standards and policies rather than the rules attempting to duplicate their requirements: see clause 167 (Accreditation Rules may incorporate etc. material as in force or existing from time to time) below.

Division 6 - Other matters relating to accreditation

Clause 29 - Digital IDs must be deactivated on request

139. This clause ensures that where an accredited identity service provider managing an individual's digital ID receives a request by the individual to deactivate their digital ID, the service provider must do so as soon as practicable. This is a consumer protection provision which ensures that the individual retains control as to whether to have an active digital ID.

140. Deactivation would mean that the digital ID could no longer be used by the individual, but in the event that it is subject to a fraud incident, it would be able to be accessed, in accordance with the Bill, to investigate that incident.
Clause 30 - Accredited services must be accessible and inclusive

141. Clause 30 will require that the Accreditation Rules provide for, and in relation to, requirements relating to the accessibility and usability of the accredited services of accredited entities. It is intended that the Accreditation Rules will ensure important safeguards will be provided by accredited entities for the inclusiveness, accessibility and usability of their services by individuals.

142. Subclause 30(2) provides a non-exhaustive list of matters that may be in the Accreditation Rules relating to accessibility and usability. These are:
• requirements to comply with accessibility standards or guidelines;
• requirements relating to usability testing;
• requirements relating to device or browser access.

143. It is necessary and appropriate that the obligations to be imposed on accredited entities involving accessible and inclusive services be specified as standards and requirements in the rules. Such standards and requirements cannot be static and would likely be different for different kinds of accredited services. Such obligations would need to be up to date and consistent with contemporaneous best practice.

Clause 31 - Prohibition on holding out that an entity is accredited

144. This clause provides that an entity (as defined in clause 9) must not hold out that the entity is an accredited entity if that is not the case. This is a civil penalty provision, enforceable by the Digital ID Regulator under Part 6 of the Regulatory Powers Act. The maximum penalty for a contravention is 1,000 penalty units (which is $313,000 for an individual and $1,565,000 for a corporate or government entity, based on a penalty unit value of $313 in November 2024). See clause 123 as to the rationale for civil penalty units.

Chapter 3 - Privacy

Part 1 - Introduction

Clause 32 - Simplified outline of this Chapter

145. This clause provides a simplified outline of Chapter 3, which sets out provisions relating to privacy safeguards. The outline is not intended to be comprehensive. Readers should rely on the substantive provisions of this Chapter.
Clause 33 - Chapter applies to accredited entities only to extent the entity is providing accredited services

146. This clause clarifies that this Chapter applies to an accredited entity only to the extent the entity is providing its accredited services. The privacy obligations will not extend to other business operations and services of an accredited entity.

Clause 34 - APP-equivalent agreements

147. Chapter 3 requires that accredited entities are subject to a privacy law, either the Privacy Act or a State/Territory privacy law, when providing their accredited services (see clause 36). Where a department or authority of a State or Territory is not covered by a privacy law, it can agree to comply with the APPs in the Privacy Act by entering into an agreement with the Commonwealth.

148. Clause 34 interacts with clause 37 to deem the department or authority that is a party to an agreement to be an organisation under the Privacy Act in respect of its accredited services, and to make an act or practice of the accredited entity which contravenes a term of the agreement in relation to an individual's personal information an interference with the privacy of the individual for the purposes of the Privacy Act (see clause 37). Therefore, the Information Commissioner will regulate, in accordance with the Privacy Act, the accredited entity's compliance with the terms of the agreement (that is, compliance with the APPs) when providing its accredited services. Subclause 34(3) ensures the Information Commissioner receives a copy of a new agreement within 14 days.

Part 2 - Privacy

Division 1 - Interaction with the Privacy Act 1988

Clause 35 - Extended meaning of personal information in relation to accredited entities

149. Clause 35 extends the meaning of 'personal information' in the Privacy Act as it will apply to accredited entities when providing their accredited services. This mirrors the extended definition that will apply for the Bill (see the extended definition of 'personal information' for the Bill in clause 9).

150. As note 2 to the clause explains, this means that the requirements in the Privacy Act about the collection, use and disclosure of personal information under that Act would extend to attributes of individuals to the extent that information is in the possession or control of accredited entities. The extended definition will not generally apply to accredited entities: the clause makes clear that it will apply only to the extent that the information is collected, used or disclosed when accredited entities are providing their accredited services, as referred to in clause 33.

151. This provision, and the definition of 'personal information' as it would apply in the Bill, puts beyond doubt that any attributes (which is any information 'associated with' an individual (see clause 10)) that otherwise would not be covered by the Privacy Act definition (which refers to information 'about' an individual) would be covered as personal information under the Privacy Act when an accredited entity is providing its accredited services.

152. It is intended that the definition of 'personal information' (and other relevant terms) in the Bill will be reviewed against changes to that term in the Privacy Act following from the government's response to the Privacy Act Review 2022 conducted by the Attorney-General's Department.

Clause 36 - Privacy obligations for non-APP entities

153. Clause 36 applies to entities that are not 'APP entities' - that is, entities that are not subject to the Privacy Act. 'APP entity' would have the same meaning as in the Privacy Act (see the definition in clause 9). The note to this clause explains that APP entities already have obligations under the Privacy Act in relation to the handling of personal information (as that term is extended by clause 35).

154. Non-APP entities will not be able to provide their accredited services unless they are covered by a privacy law. Clause 36 achieves this by requiring that non-APP entities must not do an act or practice with respect to personal information (when providing their accredited services (see clause 33)) unless they are covered by one of the following:
• the Privacy Act applies in relation to the act or practice as if the entity were an organisation within the meaning of that Act. For example, a small business (within the meaning of that term in the Privacy Act) would need to bring itself under the Privacy Act if it wants to be an accredited entity; or
• a law of a State or Territory that is comparable to the Privacy Act; or
• for an entity not covered by the Privacy Act or a comparable State or Territory privacy law, the entity has entered into an APP-equivalent agreement (see clause 34).
Clause 37 - Contraventions of privacy obligations in APP-equivalent agreements 155. This clause ensures that a State or Territory department or authority that is a party to an agreement is subject to certain provisions of the Privacy Act in respect of its accredited services: see the discussion on clause 34 above. Clause 38 - Contraventions of Division 2 are interferences with privacy 156. Division 2 of the Bill sets out additional privacy safeguards that impose specific privacy-enhancing obligations on accredited entities when providing their accredited services. This includes provisions that require express consent before disclosing an individual's attributes, prohibitions on marketing and profiling of individuals using their personal information. 157. Clause 38 provides that an act or practice that contravenes one of the additional privacy safeguards in Division 2 is taken to be an interference with the privacy of the individual under the Privacy Act and ensures specified provisions of the Privacy Act will apply. The note explains that such acts or practices involving the additional privacy safeguards will be subject to a complaint under section 36 of the Privacy Act. Subclause (4) provides that 'agency' and 'organisations', as referred to in this clause, will have the same meaning as in the Privacy Act. 158. Paragraph 38(1)(b) ensures that sections 13 (interferences with privacy) and 13G (serious and repeated interferences with privacy) of the Privacy Act apply in respect of the additional privacy safeguards. Applying section 13G ensures that the Information Commissioner can seek civil penalties if a contravention by an accredited entity is a serious or repeated interference with privacy under section 13G of the Privacy Act. Recent amendments to the Privacy Act have significantly increased the maximum pecuniary penalty for a serious or repeated interference with privacy. 
However, an accredited entity would not be liable to a pecuniary penalty under the Bill as well as under section 13G of the Privacy Act in relation to the same conduct (see section 84(2) of the Regulatory Powers Act). 159. The effect of clause 38 is that: • each accredited entity, whether an APP entity or otherwise, is subject to the Privacy Act in relation to compliance with the additional privacy safeguards in Division 2 (subclause (1)); • the Information Commissioner regulates, under the Privacy Act, compliance by accredited entities with the additional privacy safeguards as interferences with the privacy of an individual. Where an additional privacy safeguard is a civil penalty provision, the Digital ID Bill 2023 - Explanatory Memorandum: Page 42 of 319


Information Commissioner also has power to enforce those provisions under the Regulatory Powers Act (see Part 2 of Chapter 9);
• the Information Commissioner's investigation and determination powers in Part V of the Privacy Act are enlivened in respect of the additional privacy safeguards for non-APP entities (subclause 38(3)).

Clause 39 - Notification of eligible data breaches--accredited entities that are APP entities

160. Clause 39 ensures that an accredited entity that is an APP entity (Commonwealth entities and organisations subject to the Privacy Act) gives the Digital ID Regulator a copy of the statement it has given to the Information Commissioner about a data breach involving the entity's accredited services.

161. Section 26WK of the Privacy Act requires that the entity give the statement to the Information Commissioner as soon as practicable after it becomes aware that there are reasonable grounds to believe there has been an eligible data breach of the entity. A statement given to the Information Commissioner must include recommendations about the steps individuals should take in response to the relevant data breach. The accredited entity must give the statement to the Digital ID Regulator at the same time it is given to the Information Commissioner.

162. The intent of this clause is to ensure, without duplicating the notifiable data breach requirements of the Privacy Act, that the Digital ID Regulator is aware of such data breaches involving accredited services, to support the Regulator's exercise of compliance powers under the Bill. Compliance action may include, for example, suspension of the entity's accreditation (see subclause 25(2) of the Bill).

Clause 40 - Notification of eligible data breaches--accredited entities that are not APP entities

163. Clause 40 applies the notifiable data breach scheme in Part IIIC of the Privacy Act, and associated provisions in that Act, to an accredited entity that is not otherwise subject to that Part or to a comparable State or Territory law when providing its accredited services. The accredited entity would be required to give to the Digital ID Regulator a statement given to the Information Commissioner under section 26WK, and to do so at the same time.

164. The intent of the clause is to ensure all accredited entities are covered by a notifiable data breach scheme and to ensure, without duplication of such schemes, that the Digital ID Regulator has information relevant to data breaches involving the accredited services of an entity.

Clause 41 - Notification of corresponding data breaches--accredited State or Territory entities that are not APP entities

165. Clause 41 applies to accredited State and Territory entities that are subject to a law similar to section 26WK of the Privacy Act, that is, a law requiring a statement to be given to another entity (usually the privacy authority in the relevant State or Territory) where the accredited entity reasonably believes there has been a data breach involving the entity's accredited services. The accredited entity must also give a copy of the statement to the Digital ID Regulator, for the same reasons as outlined for clauses 39 and 40.

Clause 42 - Additional function of the Information Commissioner

166. Clause 42 ensures that the Information Commissioner may provide advice on privacy matters to the Digital ID Regulator when requested to do so.

Clause 43 - Information Commissioner may share information

167. Clause 43 ensures that the Information Commissioner has the necessary authority to share information for the purposes of this Bill. This would be achieved by ensuring that sections 33A and 33B of the Privacy Act, dealing with the sharing of information with specified entities, apply as if a reference in those sections to that Act included a reference to the Digital ID Act.

168. As the note to this clause explains, those provisions in the Privacy Act apply only to information acquired under the Privacy Act.
This provision is necessary to put beyond doubt that the Information Commissioner may share information for the purposes of their co-regulatory role under this Bill, noting that some accredited entities will be subject to their local privacy laws rather than the Privacy Act when providing their accredited services, and the Information Commissioner has enforcement powers under this Bill in relation to breaches of the additional privacy safeguards (in addition to enforcement powers in the Privacy Act).

Division 2 - Additional privacy safeguards

169. This Division creates additional privacy safeguards (additional to the privacy laws that will apply to the accredited entity) that will be binding on each accredited entity when it is providing its accredited services. As discussed at clause 38 above, a contravention of each of these additional safeguards is taken to be an interference with privacy for the purposes of the Privacy Act. In addition, each additional privacy safeguard is also a civil penalty provision, enforceable by the Information Commissioner.

170. The maximum penalty for a contravention of an additional privacy safeguard that is a civil penalty provision is 1,500 penalty units (which is $469,500 for an individual and $2,347,500 for a corporate or government entity, based on one penalty unit value of $469.5 in November 2023). Civil penalty provisions are enforceable under the Regulatory Powers Act, which also sets out relevant evidentiary requirements.

171. The rationale for civil penalties and the maximum penalty amount is discussed below.

Clause 44 - Collection of certain attributes of individuals is prohibited

172. Subclause 44(1) is a civil penalty provision. It prohibits an accredited entity, when providing its accredited services (see clause 33), from collecting information or an opinion about an individual's:
• racial or ethnic origin;
• political opinions;
• membership of a political association;
• religious beliefs or affiliations;
• philosophical beliefs; or
• sexual orientation or practices.

173. However, subclause (3) makes it clear that the prohibition does not prevent other kinds of attributes of individuals from being collected, even if a kind of prohibited attribute can reasonably be inferred from the other, permitted attributes. For example, as the note explains, even if an individual's racial or ethnic origin can reasonably be inferred from the individual's name or place of birth, this does not prevent the individual's name or place of birth from being collected.

174. In addition, the prohibition in subclause (1) will not apply if the accredited entity did not solicit the attribute, so long as the entity destroys the attribute as soon as practicable after becoming aware that it has collected the prohibited attribute (see subclause (2)).
Solicits is defined in subclause (4): an entity solicits an attribute if it requests another entity to provide the attribute, or to provide information that includes the attribute.

175. The note to subclause (2) refers to a person who wishes to rely on subclause (2) as bearing an evidential burden in relation to the matters in the subclause, as provided for in section 96 of the Regulatory Powers Act. This burden is justifiable as the evidence required to prove that exception, that the entity did not solicit the prohibited attribute, would be peculiarly within the entity's knowledge (see the Guide to Framing Commonwealth Offences).

Clause 45 - Individuals must expressly consent to disclosure of certain attributes of individuals to relying parties

176. Clause 45, a civil penalty provision, requires that an accredited entity, when verifying or authenticating an individual, must not disclose certain attributes of an individual to a relying party unless the individual has given express consent for the disclosure. The provision applies to an accredited entity only in respect of its accredited services (see clause 33).

177. The attributes listed in this clause are the individual's current name or former name, address, date of birth, phone number and email address. Requiring express consent for disclosure of these core attributes is a strong privacy-enhancing principle. Should it become necessary to add further attributes which require an individual's express consent for disclosure, the attributes can be prescribed by the Accreditation Rules.

178. The Australian Privacy Principles Guidelines published by the Office of the Australian Information Commissioner discuss express consent as requiring that the individual is adequately informed before giving consent and gives consent voluntarily, that the consent is current and specific, and that the individual has the capacity to understand and communicate their consent.

Clause 46 - Disclosure of restricted attributes of individuals

179. Subclause 46(1), a civil penalty provision, requires that an accredited entity, when verifying or authenticating an individual, must not disclose a restricted attribute of an individual to a relying party unless the individual has given express consent for the disclosure.
The provision applies to an accredited entity only in respect of its accredited services (see clause 33).

180. The subclause is silent as to whether the individual is to give express consent directly to the accredited entity or through another entity operating in the same digital ID system. This reflects the different types of information technology architectures used in digital ID systems. For example, in some systems, express consent is obtained by the accredited identity exchange provider, which transmits the information to the accredited identity service provider.

181. Subclause 46(2) is also a civil penalty provision. It requires that an accredited entity must not disclose a restricted attribute of an individual to a relying party that is not a participating relying party if the accredited entity's conditions on accreditation do not include an authorisation to disclose the restricted attribute to the relying party. Subclause (2) does not apply to participating relying parties, as conditions relating to restricted attributes can be imposed directly on their approval to participate in the AGDIS (see clause 75).

Clause 47 - Restricting disclosure of unique identifiers

182. Clause 47, a civil penalty provision, prohibits the disclosure of unique identifiers created to enable a digital ID system to operate properly, unless one of the specified exemptions applies. The exemptions are detailed in subclauses (4), (5) and (6). Unique identifiers are an integral requirement of a digital ID system, ensuring individuals using their digital ID and participants in the system are correctly identified when transacting with each other. The provision applies to an accredited entity only in respect of its accredited services (see clause 33).

183. However, a unique identifier assigned to an individual can also be used to create a single, all-encompassing profile of an individual and to track an individual's online behaviour, such as by collating details of all relying party services they have accessed. This clause ensures unique identifiers cannot be used for such purposes.

184. Subclause 47(1) states when the clause applies, that is, where an accredited entity (the assigning entity) assigns a unique identifier to an individual within a digital ID system and the assigning entity discloses the unique identifier to another accredited entity or to a relying party.

185. Subclause 47(2), the civil penalty provision, prohibits the assigning entity from disclosing the unique identifier to more than one other accredited entity or more than one other relying party, subject to the specified exemptions.

186. Subclause 47(3), also a civil penalty provision, prohibits the accredited entity which has received the unique identifier from disclosing it further, subject to the specified exemptions.

187. The effect of these prohibitions is that an accredited entity must create a different identifier for each accredited entity or relying party connection relating to an individual. For example, an accredited identity service provider may need to disclose a unique identifier for an individual to an accredited identity exchange provider to allow the exchange to link the digital ID of an individual to the accredited identity service provider the individual has used. The unique identifier is then reused for that individual and that accredited identity service provider in future transactions.

188. Subclause 47(4) specifies the following exemptions, which are necessary to allow disclosure of a unique identifier to ensure the proper operation of digital ID systems and in relation to certain investigations and proceedings:
• detecting, reporting or investigating a contravention, or an alleged contravention, of a provision of the Bill or rules;
• conducting proceedings in relation to a contravention, or an alleged contravention, of a civil penalty provision of the Bill or rules;
• detecting, reporting or investigating a fraud or cyber security incident within a digital ID system;
• the Information Commissioner conducting an assessment under paragraph 33C(1)(g) of the Privacy Act in relation to the handling and maintenance of personal information;
• detecting, reporting, investigating or prosecuting an offence against a law of the Commonwealth, a State or a Territory.

189. Subclauses (5) and (6) provide two other exemptions:
• where a contractor of the accredited entity requires the identifier for the purposes of providing an accredited service, or part of an accredited service, of the accredited entity; and
• where the unique identifier is disclosed to another entity that is facilitating access to the entity for whom the unique identifier was created. For example, some digital ID systems require a unique identifier (often a meaningless but unique number) to facilitate access to a particular platform within the system.

190. The notes to subclauses (4), (5) and (6) refer to a person who wishes to rely on one of the above exemptions as bearing an evidential burden in relation to the matters in the subclause, as provided for in section 96 of the Regulatory Powers Act. This burden is justifiable as the evidence required to prove the exception would be peculiarly within the entity's knowledge (see the Guide to Framing Commonwealth Offences).

Clause 48 - Restrictions on collecting, using and disclosing biometric information

191. Subclause 48(1), a civil penalty provision, prohibits an entity from collecting, using or disclosing biometric information of an individual unless:
• it is authorised to do so under clause 49 or 50, discussed below; and
• the individual has given express consent, subject to some limited exemptions, including for fraud investigations, testing involving biometrics and disclosure under a warrant.

192. The civil penalty is 1,500 penalty units.

193. The Bill will ensure biometrics are deleted by an accredited entity within 14 days of collection, with one exception: where the individual gives express consent for their biometric to be retained by an accredited entity for the purpose of authenticating the individual when they are reusing their digital ID (see subclause 51(2)).

194. Subclause (2) creates a civil penalty provision if an accredited entity retains biometric information where the retention is not authorised under clause 49 (retention for testing or fraud activities, but for no longer than 14 days) or clause 50 (retention to create a government identity document). The civil penalty is 1,500 penalty units.

One-to-many matching prohibited

195. Subclause (3) makes it clear that the above provisions prevent one-to-many matching using an individual's biometric information, that is, the process of comparing a kind of biometric information of an individual against that kind of biometric information of individuals generally to identify the particular individual. An example is the use of facial matching services or facilities that compare a facial image against a gallery or database of other facial images to identify an unknown person, often used for surveillance activities. This means that biometric information can be used by an accredited entity only for the purpose of verifying or authenticating the individual.

Clause 49 - Authorised collection, use and disclosure of biometric information of an individual - general rules

196. Clause 49 sets out when an accredited entity is authorised to collect, use or disclose biometric information.
These are:
• the collection, use or disclosure is authorised by a condition on the entity's accreditation and is for the purpose of verifying the identity of the individual or authenticating the individual to their digital ID (subclause (1));
• the biometric information is contained in a verifiable credential (as defined in clause 9) that is in the control of the individual, and the collection, use or disclosure complies with requirements in the Accreditation Rules. This is to allow for emerging models of verifiable credentials (such as a digital licence) which may be held, for example, by an individual in a digital wallet on their phone. Standards, protocols and service models are under development. This provision ensures that other restrictions on biometrics do not prevent this new technology from operating where a credential is controlled by the individual, such that the individual decides when and to whom to disclose the verifiable credential;
• disclosure to a law enforcement agency, but only under a warrant;
• disclosure to a law enforcement agency if the individual gives express consent and the disclosure is for the purpose of verifying the individual's identity or investigating or prosecuting an offence;
• the disclosure is to the individual who is the subject of the biometric information;
• the biometric information is retained, used or disclosed for the purpose of undertaking testing in relation to the biometric information and complies with any requirements in the Accreditation Rules. Subclause (7) provides a non-exhaustive list of matters involving testing that may be in the rules;
• the biometric information is retained, used or disclosed for the purpose of preventing or investigating a fraud incident and the fraud activity complies with any requirements in the Accreditation Rules. Subclause (9) provides a non-exhaustive list of matters involving fraud activities that may be in the rules.

Clause 50 - Accredited entities may collect etc. biometric information for purposes of government identity documents

197. This clause enables an accredited entity that is a government entity (as detailed in subclause (3)) that has collected biometric information of an individual for the purpose of identifying the individual to also collect, use, disclose or retain that biometric information, if verified as accurate by the entity, for the purpose of the government entity issuing a document or other credential (such as a licence that is a verifiable credential) for the individual.
However, it can only do so if the individual has given express consent (paragraph (2)(b)).

198. This ensures that a person can provide their biometric both to verify their identity and for use on a government credential, providing a streamlined service for the individual. Where the biometric information is used to create the government credential, and is held by the government entity in respect of that credential, the other restrictions relating to biometric information do not apply (see subclause (4)). This is consistent with the Bill's additional privacy safeguards applying only when the entity is providing its accredited service (see clause 33).

199. Subclause (5) authorises an accredited entity that is not a government entity to disclose biometric information of an individual to a government entity for the purpose of the government entity issuing a government document or credential, but only if the accredited entity has an agreement with the government entity. The agreement must provide for the individual to have given express consent for the disclosure for the purpose of having a government document issued.

Clause 51 - Destruction of biometric information of individuals

200. Clause 51 sets out requirements for when biometric information must be destroyed.

201. Subclause (1), a civil penalty provision, requires that if an accredited entity has collected biometric information of an individual to verify the individual's identity (and not also for authentication purposes), the entity must destroy the information immediately after the verification is complete unless one of the exemptions applies.

202. Subclause (2), a civil penalty provision, requires that if an accredited entity has collected biometric information for the purposes of authenticating the individual to their digital ID, even if also collected to verify the individual's identity, and the individual has not given express consent to retain the biometric for future verification, the entity must destroy the information immediately after the authentication is complete.

203. Subclause (3), a civil penalty provision, requires that if an individual has given express consent to an accredited entity to retain their biometric information for the purposes of authentication and withdraws the consent, the accredited entity must destroy the biometric information immediately.

204. Subclauses (4) (relating to testing) and (5) (relating to fraud activities) create civil penalty provisions where an accredited entity has retained biometric information for testing or fraud activities, as authorised under clause 49, and has not destroyed the information at the earlier of:
• immediately after the activities are completed;
• 14 days after the information was collected.

205. The civil penalty for each of the civil penalty provisions in this clause is 1,500 penalty units.

Clause 52 - Other rules relating to biometric information

206. This clause provides that the Accreditation Rules may deal with the collection, use, disclosure, storage or destruction of biometric information of individuals by accredited entities, including requirements relating to quality, security or fraud. The rules would be expected to adopt international and national standards relating to quality, security or fraud, as well as annual assessments to ensure continuing compliance.

Clause 53 - Data profiling to track online behaviour is prohibited

207. Subclause 53(1) is a civil penalty provision. It prohibits an accredited entity from conducting data profiling of an individual by using personal information within the entity's possession or control that is of a kind which, when combined, would enable the entity to track the individual's online behaviour. The provision applies to an accredited entity only in respect of its accredited services (see clause 33). The prohibition is subject to the exemptions in subclause (3).

208. The prohibition cannot be lifted by the accredited entity obtaining the consent of an individual for their personal information to be used or disclosed for data profiling. This is to ensure such personal information held, or controlled, by accredited entities can never be used for data profiling, and thereby protect the integrity of the Accreditation Scheme under the Bill.

209. The kinds of behavioural information to which this clause relates are:
• information about services the individual has accessed or attempted to access from the accredited entity;
• information about how or when access was obtained or attempted;
• information about the method of access or attempted access;
• the date and time the individual's identity was verified.

210. The exemptions in subclause (3) are where the use or disclosure:
• relates to the provision of the entity's accredited services.
This may include improving the performance or usability of the entity's information technology systems through which those services are provided;
• relates to the entity complying with the Bill or rules;
• is required or authorised by or under a law of the Commonwealth, a State or a Territory.

211. The note to subclause (3) refers to a person who wishes to rely on one of the above exemptions as bearing an evidential burden in relation to the matters in the subclause, as provided for in section 96 of the Regulatory Powers Act. This burden is justifiable as the evidence required to prove that exception would be peculiarly within the entity's knowledge (see the Guide to Framing Commonwealth Offences).

Clause 54 - Certain personal information must not be used or disclosed for prohibited enforcement purposes

212. Subclause 54(1), a civil penalty provision, prohibits an accredited entity from using or disclosing personal information in the entity's possession or control for the purposes of enforcement related activities conducted by, or on behalf of, an enforcement body, unless the use or disclosure is for one of the purposes specified in paragraph (1)(b) of this clause or the individual has given express consent (subparagraph (1)(b)(vi)). The provision applies to an accredited entity only in respect of its accredited services (see clause 33).

213. This clause imposes a higher threshold for use or disclosure of personal information related to the accredited services of an entity than under APP 6.2 in the Privacy Act, including to prevent the use or disclosure of such information for activities such as surveillance, intelligence gathering and monitoring.

214. This clause does not apply in relation to biometric information (see paragraph 54(1)(a)), as clauses 48 to 51 deal comprehensively with the use and disclosure of biometric information of an individual.

215. 'Enforcement related activity' and 'enforcement body' have the same meaning as in the Privacy Act (see the definitions in clause 9).

216. Subclause (3) clarifies that the onus of proof in relation to the exemptions in paragraph (1)(b) and subclause (2) is not placed on the accredited entity (despite section 96 of the Regulatory Powers Act).

217. Subclause (4) ensures that the prohibition in this clause is not defeated by other laws. This is achieved by providing that the clause applies despite section 86E of the Crimes Act 1914 (about disclosure of personal information to certain entities for integrity purposes) and any other law of the Commonwealth, a State or a Territory, whenever enacted.

218. Personal information that can be used or disclosed for enforcement related activities is restricted to the following (paragraph 54(1)(b)):
• the accredited entity is satisfied that the enforcement body has started proceedings against a person for an offence against a law of the Commonwealth, a State or a Territory;
• the accredited entity is satisfied that the enforcement body has started proceedings against a person in relation to a breach of a law imposing a penalty or sanction;
• the information is used or disclosed under a warrant issued under a law of the Commonwealth, a State or a Territory;
• the use or disclosure is for the purposes of reporting a suspected or actual digital ID fraud incident or a suspected or actual cyber security incident; or
• the information is used or disclosed by the accredited entity for the purposes of complying with this Act.

219. Subclause (2) ensures that the prohibition does not apply in relation to enforcement related activities conducted by, or on behalf of, an enforcement body under, or for the purpose of, the Bill or rules, or the Privacy Act.

Clause 55 - Personal information must not be used or disclosed for prohibited marketing purposes

220. Clause 55, a civil penalty provision, prohibits an accredited entity from using or disclosing personal information in its possession or control for marketing activities not related to its digital ID services. The provision applies to an accredited entity only in respect of its accredited services (see clause 33).

221. Subclause (1) details the marketing activities that are prohibited:
• offering to supply goods or services;
• advertising or promoting goods or services;
• enabling another entity to offer to supply goods or services;
• enabling another entity to advertise or promote goods or services; or
• market research.

222. However, an accredited entity may want to give individuals using its services information about those services, such as improvements made or how the individual can use those services. Therefore, subclause (2) allows marketing for these purposes as long as the disclosure is for the purposes of offering to supply the accredited services or the entity is advertising or promoting its accredited services. The individual must give express consent for the disclosure.

223. The note to subclause (2) refers to a person who wishes to rely on this exemption as bearing an evidential burden in relation to the matters in subclause (2), as provided for in section 96 of the Regulatory Powers Act. This burden is justifiable as the evidence required to prove that exception would be peculiarly within the entity's knowledge (see the Guide to Framing Commonwealth Offences).

Clause 56 - Accredited identity exchange providers must not retain certain attributes of individuals

224. Clause 56, a civil penalty provision, prohibits an accredited identity exchange provider from retaining specified attributes of individuals. The provision applies to the accredited entity only in respect of its accredited services (see clause 33).

225. This clause ensures that an exchange cannot be a centralised repository of personal information. It prohibits an exchange from retaining core attributes of an individual, namely name, address, date of birth, phone number and email address. It also authorises additional kinds of attributes to be prescribed by the Accreditation Rules, should it become necessary to add further attributes to support the intent of this clause.

226. The specified attributes are able to be used and disclosed by the exchange as necessary for providing its accredited services, but the clause requires that they are not retained after the end of the authenticated session.

227. 'Authenticated session' will have the same meaning as in the Accreditation Rules (subclause (3)). It is necessary for the meaning to be in the Accreditation Rules as different exchange models will conduct these sessions in different ways, and it is intended that the Bill be technology neutral so as to accommodate future states for digital ID systems. At its simplest, an authenticated session will cover the period from when an individual authenticates with their digital ID until they log out or the session expires. An exchange will ordinarily need to retain attributes for a period of time to enable the individual to verify their identity to a relying party and also to provide an attribute from an attribute service provider to the relying party. However, once that is completed, there is no reason for the exchange to retain the core attributes.
Chapter 4 - AUSTRALIAN GOVERNMENT DIGITAL ID SYSTEM

Part 1 - INTRODUCTION

Clause 57 - Simplified outline of this Chapter

228. This clause provides a simplified outline of Chapter 4, which sets out provisions relating to the Australian Government Digital ID System, to be overseen and maintained by the Digital ID Regulator. The outline is not intended to be comprehensive. Readers should rely on the substantive provisions of the Chapter.

Part 2 - Australian Government Digital ID System

Division 1 - Australian Government Digital ID System

Clause 58 - Digital ID Regulator must oversee and maintain the Australian Government Digital ID System

229. Clause 58 provides for the Australian Government Digital ID System (AGDIS), a system to be overseen and maintained by the Digital ID Regulator, noting the significant role of the System Administrator in jointly overseeing the AGDIS.

230. The Transitional Bill will enable the transition to the AGDIS of those Commonwealth government entities which have been accredited under the unlegislated TDIF. This includes:
• Services Australia as an accredited identity exchange provider; and
• the Australian Taxation Office as an accredited identity service provider and attribute service provider.

231. The Transitional Bill will also enable relying parties currently participating in the unlegislated AGDIS to transition to the AGDIS as participating relying parties. Transition will occur on commencement of the Bills.

232. The Transitional Bill is intended to ensure the AGDIS will be operating at commencement in accordance with the requirements of the Bill, with minimal disruption to existing services.

Clause 59 - Circumstances in which entities may provide or receive services within the Australian Government Digital ID System

233. Clause 59 details the requirements for each kind of entity to be able to provide or receive services within the AGDIS, with the requirements detailed in the table in subclause 59(1). Participating relying parties receive, and do not provide, services in the AGDIS.

234. Subclause 59(2) creates a civil penalty provision for an entity that is participating in the AGDIS but is not an entity of a kind listed in the table in subclause 59(1).

235. Subclause 59(3) ensures that the Digital ID Regulator and the System Administrator are not subject to this clause when performing functions or exercising powers under the Bill. Should either use the AGDIS for their functions or powers, they are not covered by this clause.

236. Subclause 59(5), also a civil penalty provision, prohibits an entity mentioned in column 1 of the table in subclause 59(1) from participating in the AGDIS if it does not meet the requirements set out in column 2 of that table (with a penalty of 1,000 penalty units).

Division 2 - Participating in the Australian Government Digital ID System

Clause 60 - Phasing-in of participation in the Australian Government Digital ID System

237. Clause 60 enables the Minister to manage the expansion of the AGDIS to entities outside the Commonwealth (other than those transitioned into the legislated AGDIS on commencement of the Act). Under subclause 60(1), the Minister may determine the kinds of entities (other than the Commonwealth entities specified in paragraphs 61(a) and (b), which can apply to participate at any time) that can apply for approval to participate in the AGDIS. This allows the Minister to ensure the new legislated AGDIS is bedded down and operating as necessary to allow expansion by phases. It is expected that each phase will proceed sequentially, as each preceding phase is demonstrated to be sufficiently matured.

238. Subclause 60(2) allows the Minister to implement the phasing-in in any way, and gives examples of how the Minister may do so by reference to kinds of entities, such as:
• whether the entities are relying parties or accredited entities;
• kinds of relying parties;
• kinds of accredited entities; or
• whether the entity belongs to the public or private sector.

239. Subclause 60(3) makes it clear that the Minister cannot revoke a determination under this clause other than to add additional kinds of entities that may apply for approval and to correct errors and the like. Revocation of a determination is excluded so that once entities are accredited, they cannot lose their accreditation by the determination being revoked.
Revocation could only occur in accordance with Division 3. Digital ID Bill 2023 - Explanatory Memorandum: Page 57 of 319


Clause 61 - Applying for approval to participate in the Australian Government Digital ID System

240. Clause 61 deals with the kinds of entities that may apply to the Digital ID Regulator for approval to participate in the AGDIS.

241. Paragraphs 61(a) and (b) have the effect that certain Commonwealth entities may apply for approval at the commencement of the legislation. This includes an accredited entity that is a non-corporate Commonwealth entity (departments and agencies that are characterised as non-corporate under the PGPA Act or another Act). It also allows other Commonwealth entities, such as a corporate Commonwealth entity, to apply to be approved as a participating relying party.

242. Paragraph 61(c) supports the intent for the gradual expansion of the AGDIS by requiring that other kinds of entities must first be specified in a determination by the Minister under clause 60 and must be either:
• an accredited entity;
• an entity that has applied for accreditation (this will allow an entity to apply simultaneously for accreditation and approval to participate);
• an Australian relying party; or
• a foreign company that is registered under the Corporations Act to carry on business in Australia.

Clause 62 - Approval to participate in the Australian Government Digital ID System

243. Clause 62 sets out the requirements for the Digital ID Regulator to approve or not approve an entity and the notices it must give for its proposed and final decisions. The requirements to approve are:
• the Digital ID Regulator being satisfied that the entity will comply with any Digital ID Data Standards that will apply to it;
• the entity having been assessed as being able to comply with the Act and rules, if the Regulator requires the entity to undergo a compliance assessment under paragraph 131(1)(a);
• the Digital ID Regulator being satisfied that it is appropriate to approve the entity to participate. Subclause 62(2) sets out a non-exhaustive list of matters that may be relevant to whether it would be appropriate to approve the entity: whether the entity is a fit and proper person (see clause 12 above), and whether the entity has appropriate procedures for dealing with the identities of shielded persons (as defined in clause 9), such as those in a witness protection program;
• national security--paragraph 62(4) provides that the Digital ID Regulator not approve an entity if the Minister has directed that the entity not be approved for reasons of national security (within the meaning of the ASIO Act). See clause 73, which provides that the Minister may give directions to the Digital ID Regulator for reasons of national security and that a direction remains in force unless revoked by the Minister;
• any requirements in the Digital ID Rules are met. Such requirements, as stated in subclause 62(3), may relate to the security, reliability and stability of the AGDIS.

244. It is necessary and appropriate for the Digital ID Rules to be able to prescribe other requirements for approval, particularly those about the security, reliability and stability of the AGDIS. This is necessary because the Bill is technologically neutral, including in respect of the AGDIS, in that it does not lock in a particular information technology architecture for digital ID systems and service models. Given this, there are likely to be requirements that cannot be foreshadowed at present.

Decisions on participation applications

245. Subclause 62(5) will require the Digital ID Regulator to inform the applicant in writing of its decision and to provide its reasons if it refuses the application. Section 25D of the Acts Interpretation Act, which states the minimum content of a statement of reasons, would apply.

246. A decision not to approve an entity will be a 'reviewable decision' (see clauses 137 to 140), other than a decision made for reasons of security (within the meaning of the ASIO Act) in relation to an entity that is not an Australian entity (for 'Australian entity' see the definition in clause 9).

247. Subclause 62(6) requires that the notice of a decision to approve an entity must set out the day the approval comes into effect, the kind of entity (an accredited entity or participating relying party) the entity is approved as, any conditions imposed by the Digital ID Regulator on the entity's approval under subclause 64(2), and when the entity must begin to participate. The note to subclause 62(6) explains that, as a condition of the approval, the entity must begin to participate on the day set out in the notice (see paragraph 64(1)(c)) and not before that day (see the requirements in the table in subclause 59(1)).

248. Details of the approval, including any conditions imposed by the Digital ID Regulator under paragraph 64(2)(a), must be entered on the AGDIS Register (see clause 121).

Clause 63 - Approval to participate in the Australian Government Digital ID System is subject to conditions

249. Clause 63 provides that the approval of an entity's participation in the AGDIS is subject to conditions (approval conditions), and that the accredited entity must comply with those conditions (see clauses 71 and 72). As the note explains, failure to comply with a condition may result in suspension or revocation of the entity's accreditation.

250. Conditions can be imposed as follows (paragraphs 63(1)(a) to (c)):
• by the Bill, as set out in subclause 64(1);
• by the Digital ID Regulator under subclause 64(2), including conditions as varied under subclause 66(1); and
• by the Digital ID Rules made under subclause 64(5).

251. Nothing in the Bill would allow conditions imposed by the Digital ID Regulator or determined in the Digital ID Rules to be inconsistent with other provisions in the Bill.

252. Importantly for consumers, conditions imposed by the Digital ID Regulator on an entity's approval under paragraph 64(2)(a) will be publicly available on the AGDIS Register required to be kept by the Digital ID Regulator (see clause 121).

253. The power to impose conditions, either by the Digital ID Regulator on individual entities or by the Digital ID Rules as standard conditions applying to all participating entities or classes of entities, is necessary and appropriate because of the disparate kinds of systems, services and circumstances in the current digital environment and the need to tailor conditions to individual participating entities or classes of participating entities.

Clause 64 - Conditions on approval to participate in the Australian Government Digital ID System

254. Subclause 64(1) provides that the approval of an entity to participate in the AGDIS is subject to conditions, including:
• the entity must be either a relying entity or an accredited entity;
• an accredited entity must participate only as the kind of entity it is accredited as and approved to participate as, and must provide only its accredited services in the AGDIS (ie, it cannot provide any unaccredited services);
• participation must begin on the entity's participation start day; and
• the entity must comply with the Act and rules.

Conditions imposed by the Digital ID Regulator

255. Paragraph 64(2)(a) gives the Digital ID Regulator power to impose conditions on an entity's approval to participate in the AGDIS at the time of approval or at a later time, if the Digital ID Regulator considers it appropriate to impose the conditions in the circumstances. Importantly for consumers, conditions imposed by the Digital ID Regulator on the entity's approval to participate in the AGDIS will be publicly available on the AGDIS Register required to be kept by the Digital ID Regulator (see clause 121).

256. Paragraph 64(2)(b) requires the Digital ID Regulator to impose a condition on an entity's approval to participate in the AGDIS if directed to do so by the Minister under subclause 73(1) for reasons of 'security' (as defined in the ASIO Act). The Minister may give a direction either at the time of approval or at a later time. It is appropriate that decisions involving national security matters sit with the Minister.

257. Subclause 64(3) provides that an entity may apply to the Digital ID Regulator for a condition to be imposed.

258. Subclause 64(4) sets out a non-exhaustive list of matters to which conditions imposed by the Digital ID Regulator may relate. These are:
• the kind of accredited entity or participating relying party that the entity must directly connect to in order to participate in the AGDIS;
• the kinds of attributes of individuals that the entity is authorised to collect or disclose, and the circumstances in which such attributes may be collected or disclosed. 'Attributes' includes biometric information and restricted attributes (see clause 10 above);
• the kinds of attributes of individuals that the entity must not collect;
• for an accredited entity--the circumstances in which the entity may or must not provide its accredited services within the AGDIS;
• for an accredited entity--the accredited services of the entity that the entity must provide within the AGDIS;
• for a relying party--the services the relying party is approved to provide, or to provide access to, within the AGDIS; and
• actions that the entity must take before the entity's approval to participate in the AGDIS is suspended or revoked.

Conditions imposed by the Digital ID Rules

259. Subclause 64(5) authorises the Minister to specify conditions in the Digital ID Rules applying to each entity or class of entity. Subclause 64(6) makes it clear that the conditions in the Digital ID Rules may be on the same matters as those listed in subclause 64(4). The Minister would be required to consult on proposed Digital ID Rules except where urgency applies (see clause 169).

Clause 65 - Conditions relating to restricted attributes of individuals

260. Clause 65 imposes requirements on the Digital ID Regulator before it imposes a condition on an entity's approval authorising the entity to collect or disclose a restricted attribute. The meaning of 'restricted attribute' is given in clause 11. The discussion on clause 11 above gives an overview of how the Bill treats restricted attributes and the privacy-enhancing provisions applying to them, including this clause.

261. Before imposing the condition, the Digital ID Regulator must have regard to the following (see subclause 65(2)):
• whether the entity has provided sufficient justification for the need to collect or disclose the restricted attribute;
• whether the entity has demonstrated that a similar outcome cannot be achieved without collecting or disclosing the restricted attribute;
• if the collection or disclosure of the restricted attribute is regulated by other legislative or regulatory requirements--whether the entity would be able to comply with those requirements if the condition was imposed;
• the potential harm that could result if restricted attributes of that kind were disclosed to an entity that was not authorised to collect them;
• community expectations as to whether restricted attributes of that kind should be handled more securely than other kinds of attributes;
• any of the following information provided by the entity seeking authorisation to collect or disclose the restricted attribute:
o the entity's risk assessment plan as it relates to the restricted attribute;
o the entity's privacy impact assessment as it relates to the restricted attribute;
o the effectiveness of the entity's protective security (including security governance, information security, personnel security and physical security), privacy arrangements and fraud control arrangements; and
• any other matter the Digital ID Regulator considers relevant.

262. It is a matter for the entity whether to provide particular documents or information listed in paragraph 65(2)(f). However, if the information is not provided, the Digital ID Regulator may not be able to be satisfied that it is appropriate to impose the condition in the circumstances (see paragraph 64(2)(a) and clause 64, under which the decisions are made).

263. Subclause 65(3) requires the Digital ID Regulator to publish a statement of reasons if it imposes a condition authorising collection or disclosure of a restricted attribute, so as to explain publicly why it was appropriate in the circumstances to give the authorisation to the particular entity (see section 25D of the Acts Interpretation Act as to the content of a statement of reasons).

Conditions and other laws restricting attributes

264. It is intended that a condition authorising an entity to disclose restricted attributes would be subject to other specific laws regulating restricted attributes such as healthcare identifiers or tax file numbers. For example, if the Healthcare Identifiers Act 2010 prohibited a disclosure of a healthcare identifier by an entity, a condition would not override the obligation on that entity not to disclose the healthcare identifier.

265. Subclause 65(4) imposes requirements on the Minister before making the Digital ID Rules for the purposes of subclause 64(5) authorising some entities or classes of entities to collect or disclose a restricted attribute, either generally or in specified circumstances.

266. Subclause 65(5) sets out mandatory matters the Minister must consider:
• the potential harm that could result if the information were disclosed to an entity;
• community expectations about the collection, use or disclosure of the information;
• if the collection or disclosure of the restricted attribute is regulated by other legislative or regulatory requirements--whether the entity would be able to comply with those requirements;
• any privacy impact assessment that has been conducted in relation to the proposal to make the rules; and
• any other matter the Minister considers relevant.

Clause 66 - Variation and revocation of conditions

267. Clause 66 provides that the Digital ID Regulator may vary or revoke conditions at any time, either on the Digital ID Regulator's own initiative or on application by an entity. When considering variation or revocation of conditions, the Digital ID Regulator may have regard to matters relating to the security, reliability and stability of the AGDIS (subclause 66(2)).

268. Where a condition has been imposed at the direction of the Minister for reasons of national security under paragraph 64(2)(b), subclause 66(3) requires that the Digital ID Regulator also revoke the condition if the Minister revokes the direction.

269. The flexibility to vary or revoke conditions on approvals to participate is necessary due to the variety of entities involved, their specific circumstances and requirements, and the range of services they may want to provide within or in relation to the AGDIS.

Clause 67 - Applying for variation or revocation of conditions on approval

270. Subclause 67(1) provides that an entity may apply to the Digital ID Regulator for a condition on its approval to be varied or revoked.

271. The note to subclause 67(1) refers the reader to the requirements for applications detailed in Part 5 of Chapter 9.

272. If the Digital ID Regulator refuses the application, the Digital ID Regulator must give written notice to the entity with reasons for the refusal (subclause 67(2)).

Clause 68 - Notice before changes to conditions on approval

273. Clause 68 applies where the Digital ID Regulator proposes, on its own initiative, to impose, vary or revoke a condition on an entity's approval. It ensures that the entity is given notice of the proposal and the opportunity to comment on the proposal, other than where the action is considered serious and urgent.

274. The clause requires the Digital ID Regulator to:
• give notice to an entity;
• include in the notice details about the proposed condition, variation or revocation (paragraph 68(2)(a));
• include in the notice a request that the entity give the Digital ID Regulator a written statement relating to the proposal, and that it does so within a specified period (paragraph 68(2)(b)); and
• consider any written statement from the entity before making a decision (subclause 68(3)).

275. Subclause 68(4) provides that the notice requirement will not apply if the Digital ID Regulator reasonably believes that the need to impose, vary or revoke the condition is serious and urgent. In that case, subclauses 68(5) and (6) require that the Digital ID Regulator give the entity a written statement of reasons, within 7 days after the condition is imposed, varied or revoked, as to why the Regulator reasonably believes the action was serious and urgent.

276. Ousting natural justice requirements for serious and urgent circumstances ensures the Digital ID Regulator can act urgently. For example, the Digital ID Regulator may reasonably believe that it is necessary to revoke a condition authorising an entity to disclose a particular restricted attribute, such as a licence number, due to risks following a security breach involving the issuer of the restricted attribute.

Other provisions relating to decisions on conditions

277. Decisions involving conditions on entities' approval to participate in the AGDIS will be reviewable decisions (see clauses 137 to 140), other than decisions made for reasons of security in relation to an entity that is not an Australian entity (for 'Australian entity' see the definition in clause 9). Judicial review in the courts will be available for entities that are not Australian.

Clause 69 - Notice of decision of changes of conditions on approval

278. Clause 69 requires the Digital ID Regulator to give an entity written notice of a decision to impose (including where directed by the Minister for reasons of national security), vary or revoke a condition on the entity's approval to participate in the AGDIS. The notice is to (subclause 69(3)):
• state the condition or the variation, or state that the condition is revoked; and
• state the date on which the condition, variation or revocation takes effect.

279. However, a notice of the decision is not required if notice of the condition was given in the approval notice under subclause 62(5).

Division 3 - Varying, suspending and revoking approval to participate

280. This Division provides the Digital ID Regulator with power to suspend or revoke an entity's approval to participate in the AGDIS. These powers are aimed at ensuring the integrity and security of the AGDIS is maintained, by empowering the Digital ID Regulator to act to protect the AGDIS and its participants, including individual users, where an entity has failed to comply with the Act or rules or an entity is, for example, insolvent.

281. The Digital ID Regulator will be required to give natural justice to entities when proposing to suspend an approval (other than in some cases involving a cyber security incident) or proposing to revoke an approval, with reasons for the Digital ID Regulator's decisions. These provisions safeguard the rights of entities.

Clause 70 - Varying approval to participate in the Australian Government Digital ID System

282. Clause 70 allows the Digital ID Regulator to vary the approval given to an entity under clause 62 to take account of a change in the entity's name. This may be required where there have been machinery of government changes involving a participating entity.

283. The note to the clause refers to conditions on an approval to participate also being able to be varied in accordance with clause 66.

Clause 71 - Suspension of approval to participate in the Australian Government Digital ID System

284. Clause 71 sets out the circumstances in which an entity's approval to participate in the AGDIS must or may be suspended.

Digital ID Regulator must suspend if directed by the Minister

285. Subclause 71(1) provides that the Digital ID Regulator must suspend an entity's approval if the Minister has given a direction under subclause 73(1), for reasons of national security, to suspend the entity's approval (see clause 73 dealing with directions on national security grounds).

286. The suspension remains in force until revoked by the Minister (see subclause 73(3)), which has the effect that the Digital ID Regulator has no power to revoke the suspension itself. It is appropriate that decisions involving national security sit with the Minister.

Digital ID Regulator may decide to suspend

287. Subclause 71(2) gives the Digital ID Regulator power to suspend an entity's approval in other circumstances. It requires that the suspension be in writing and set out the grounds for the suspension. Subclauses 71(3) to (5) provide additional information in respect of some of the grounds.

288. The grounds, and the additional information related to them, will be:
• the Digital ID Regulator reasonably believes that the entity has contravened or is contravening the Act or rules;
• the Digital ID Regulator reasonably believes that there has been a cyber security incident involving the entity. 'Cyber security incident' is defined in clause 9 to include unauthorised attempts to gain access to, modify or interfere with a system, service or network, or to impair the availability, reliability, security or operation of a system, service or network. Such attempts would not be grounds for suspension unless the Digital ID Regulator is satisfied that the attempts involve a risk to the operation of the AGDIS. This would ensure that attempts that do not pose a risk to the AGDIS cannot lead to suspension (but could be the subject of other compliance action, for example a direction under clause 127 or 128, such as requiring a security assessment to be conducted);
• if the entity is a body corporate--the entity becomes a Chapter 5 body corporate (within the meaning of the Corporations Act), that is, a body corporate that is being wound up; in respect of whose property a receiver, or a receiver and manager, has been appointed (whether or not by a court) and is acting; that is under administration; that has executed a deed of company arrangement that has not yet terminated; or that has entered into a compromise or arrangement with another person the administration of which has not been concluded;
• if the entity is an individual--the entity is an insolvent under administration;
• the Digital ID Regulator is satisfied that it is not appropriate for the entity to participate in the AGDIS. In relation to this ground, the Digital ID Regulator may have regard to whether the entity is a fit and proper person (subclause 71(3)). The note to subclause 71(3) refers to clause 12, which sets out the matters the Regulator must, or may, consider when considering if an entity is a fit and proper person;
• circumstances specified in the Digital ID Rules that apply in relation to the entity. It is necessary and appropriate for the Digital ID Rules to be able to specify additional circumstances to ensure that the AGDIS is keeping pace with emerging risks and threats in the digital environment and to accommodate future states and services expected through advancements and innovations in technology, models and services.

289. The note to subclause 71(2) refers to the Digital ID Regulator's power to impose conditions on an entity's approval before suspending it (see paragraph 64(4)(g)). A condition, for example, may require the entity to notify other participants of the suspension.

Entity may apply for suspension of approval

290. Subclause 71(5) provides that an entity may apply for its approval to be suspended, in which case the Digital ID Regulator may (but is not required to) suspend its approval. The note to subclause (5) refers to the requirements for applications detailed in Part 5 of Chapter 9.

291. An example of circumstances in which an entity may seek suspension is where the entity is considering ending its participation in the AGDIS and wants suspension while considering its decision.

Show cause notice

292. Subclauses 71(6) and (7) will apply (other than in urgent situations) where the Digital ID Regulator is proposing to suspend an entity's approval, and require that a 'show cause' notice is given to the entity. The notice must state the grounds for the suspension. The entity must be invited to give the Digital ID Regulator, within 28 days after the day the notice is given, a written statement showing cause why its approval should not be suspended.

293. However, subclause 71(8) provides that the 'show cause' requirements will not apply where the ground for the suspension involves a cyber security incident. Ousting natural justice requirements where the Digital ID Regulator reasonably believes that a cyber security incident has occurred is necessary where there is a need to immediately deal with risks to the security and reliability of the AGDIS (and the Digital ID Regulator is not satisfied that the circumstances are serious enough to give rise to a decision to revoke the entity's approval: see clause 72).

Notice where approval is suspended

294. Subclause 71(9) provides that if the Digital ID Regulator suspends an entity's approval, either as directed by the Minister, on its own initiative or as requested by the entity, the Regulator must give a written notice to the entity stating:
• that the entity's approval to participate in the AGDIS is suspended;
• the reasons for the suspension;
• the day the suspension is to start;
• if the suspension is for a period, the period of the suspension; and
• if the suspension is until a specified event occurs or action is taken, the event or action.

Revocation of suspension

295. Subclauses 71(10) to (12) deal with revocation of the suspension of an entity's approval, other than where the suspension was on the basis of a direction by the Minister (in which case the suspension remains in effect unless revoked by the Minister (see clause 73)).

296. If the Digital ID Regulator decides, on its own initiative, to suspend an entity's approval, the Digital ID Regulator may revoke the suspension by written notice to the entity (subclause 71(11)).

297. If the Digital ID Regulator suspends an entity's approval on application by the entity and the entity requests the suspension be revoked, the Regulator may revoke the suspension by written notice to the entity (subclause 71(12)).

Effect of suspension

298. While a suspension is in force, the entity will be taken not to hold the approval (subclause 71(13)). However, the entity will continue to be subject to some regulatory powers of the Digital ID Regulator (see, for example, the directions power under subclause 127(1)). The suspended entity may also be subject to compliance action for matters that occurred while the entity was participating in the AGDIS, including, for example, complaints and investigations by the Information Commissioner involving breaches of the additional privacy safeguards in the Bill (see Part 2 of Chapter 3).

Other matters involving suspension

299. Decisions involving suspension of approval to participate will be reviewable decisions (see clauses 137 to 140), other than decisions made for reasons of security in relation to an entity that is not an Australian entity (for 'Australian entity' see the definition in clause 9). Entities will have access to the courts for judicial review of such decisions.

300. The fact of a suspension of an entity's participation will be publicly available on the AGDIS Register required to be kept by the Digital ID Regulator (see clause 121).

Clause 72 - Revocation of approval to participate in the Australian Government Digital ID System

301. Clause 72 details when an entity's approval to participate in the AGDIS must or may be revoked.

Digital ID Regulator must revoke if directed by the Minister

302. Subclause 72(1) provides that the Digital ID Regulator must revoke an entity's approval if the Minister has given a direction, for reasons of 'security' (as defined in the ASIO Act), to revoke the entity's approval (see clause 73 dealing with directions on national security grounds). It is appropriate that decisions involving national security sit with the Minister.

Digital ID Regulator may decide to revoke approval

303. Subclause 72(2) gives the Digital ID Regulator power to revoke an entity's approval, requires that the revocation be in writing, and sets out the grounds for revocation. Revocation of approval will support compliance and act as a deterrent to noncompliance with the Act or the rules.

304. The grounds for revocation will be:
• the Digital ID Regulator reasonably believes that the entity has contravened or is contravening the Act or rules;
• the Digital ID Regulator reasonably believes that there has been a cyber security incident involving the entity and that the incident is serious;
• if the entity is a body corporate--the entity becomes a Chapter 5 body corporate (within the meaning of the Corporations Act);
• if the entity is an individual--the entity is an insolvent under administration;
• the Digital ID Regulator is satisfied that it is not appropriate for the entity to participate in the AGDIS. In relation to this ground, the Digital ID Regulator may have regard to whether the entity is a fit and proper person (subclause 72(3)), and subclause 72(4) makes it clear that this reference does not limit the matters the Digital ID Regulator may consider. The note to subclause 72(3) refers to clause 12, which sets out the matters the Regulator must, or may, have regard to when considering if an entity is a fit and proper person;
• circumstances specified in the Digital ID Rules apply in relation to the entity. It is necessary and appropriate for the Digital ID Rules to be able to specify additional circumstances to ensure that the AGDIS keeps pace with emerging risks and threats in the digital environment and to accommodate future states and services expected through advancements and innovations in technology, models and services. The rules will be able to specify circumstances that may not have been foreshadowed prior to the Act commencing.

305. The note to subclause 72(2) refers to other actions the Digital ID Regulator may take involving a revocation of approval, namely imposing conditions on an entity's approval before revoking the approval (see paragraph 64(4)(g)).

Entity may apply for revocation

306. Subclause 72(5) provides that the Digital ID Regulator must revoke an entity's approval if the entity applies for revocation. While the Digital ID Regulator must revoke if requested by the entity, the decision as to when the revocation takes effect is a matter for the Digital ID Regulator. The intent is to allow the Regulator to take necessary steps before the approval is revoked.

Show cause notice

307. Subclauses 72(6) and (7) apply where the Digital ID Regulator is proposing to revoke, on its own initiative, an entity's approval, and require that a 'show cause' notice is given to the entity. The notice must state the grounds for the revocation and invite the entity to give the Digital ID Regulator, within 28 days after the day the notice is given, a written statement showing cause why its approval should not be revoked.

Notice of revocation

308. Subclause 72(8) provides that if the Digital ID Regulator revokes an entity's approval, either as directed by the Minister, on its own initiative or as
requested by an entity, the Digital ID Regulator must give a written notice to the entity stating: • that the entity's approval to participate in the AGDIS is to be revoked; • the reasons for the revocation; and • the day the revocation is to take effect. Other matters involving revocation of approval 309. Subclause 72(9) provides that an entity's approval may be revoked even if a suspension is in force under clause 71. 310. Decisions involving revocation of approval will be reviewable decisions (see clauses 137 to 140), other than decisions made for reasons of 'security' (as defined in the ASIO Act) in relation to an entity that is not an Australian entity (for 'Australian entity' see the definition in clause 9). Entities will have access to the courts for judicial review of such decisions. 311. The fact of a revocation of an entity's approval will be publicly available on the AGDIS Register required to be kept by the Digital ID Regulator (see clause 121). Division 4 - Minister's directions regarding participation Clause 73 - Minister's directions regarding participation 312. Clause 73 will allow the Minister to direct the Digital ID Regulator in relation to participation of an entity in the AGDIS for reasons of national security and only for those reasons. It is appropriate that decisions involving national security sit with the Minister. 313. Subclause 73(1) empowers the Minister to direct the Digital ID Regulator to refuse to approve an entity to participate in the AGDIS, impose conditions on the approval of an entity, suspend the approval of an entity, or revoke the approval of an entity, but only for reasons of 'security' (within the meaning in the ASIO Act) and including on the basis of an adverse or qualified security assessment provided by ASIO. 314. The ASIO Act will be amended by the Transitional Bill to ensure that ASIO has the requisite functions to provide such assessments for the purposes of this Chapter. 315. 
Subclause 73(2) will provide that the Digital ID Regulator must comply with the direction of the Minister given under subclause 73(1). Digital ID Bill 2023 - Explanatory Memorandum: Page 72 of 319
316. A direction remains in force until it is revoked by the Minister, in which case the Minister must notify the Digital ID Regulator and the entity (subclause 73(3)). For conditions imposed at the direction of the Minister, the fact that a direction remains in force until revoked by the Minister means that such a condition cannot be varied. If the Minister wants the direction to be varied, the Minister must revoke the direction involving a condition and give a new direction about conditions.

317. However, the Minister cannot revoke a direction under which an entity's approval to participate is revoked (subclause 73(4)). Nothing prevents the entity from re-applying for approval.

318. Subclause 73(5) clarifies that a direction given by the Minister is not a legislative instrument within the meaning of section 8(1) of the Legislation Act. An instrument made under this clause is administrative in nature as it gives content to the law, rather than prescribes a substantive exemption from the requirements of the Legislation Act (which applies for legislative instruments).

319. The Bill does not intend to limit or exclude an entity's right to procedural fairness in respect of the Minister's decisions on participation.

Division 5 - Other matters relating to the Australian Government Digital ID System

Clause 74 - Creating and using a digital ID is voluntary

320. Clause 74(1) provides that a participating relying party (a relying party approved to participate in the AGDIS) must not require an individual to create or use a digital ID as a condition of receiving a service from the relying party or accessing a service through the relying party. This ensures that individuals acting in their personal capacity can choose whether to use a digital ID to obtain or access a relying party's services.

321. Subclause 74(2) provides that subclause 74(1) will not apply if a participating relying party's service on the AGDIS is one that allows an individual to access another service online and the individual can access that other service without using a digital ID. This is because the individual can choose whether to use their digital ID or can access the other service in another way.

322. The example for subclause 74(2) relates to an individual who wishes to open a bank account. ABC Bank requires new customers to verify their identity. ABC Bank allows customers to do this in person at each branch of ABC Bank or alternatively by using the bank's online application service, which requires the use of a digital ID. Because the individual can verify their identity by going to the nearest branch instead of using the online application service and their digital ID, ABC Bank does not contravene subclause (1).

323. Another example would be where a government agency requires an individual to lodge documents to report on a program the individual is involved in. Individuals can lodge their reports online using the agency's online document lodgement service, which is accessed using their digital ID in the AGDIS. The online document lodgement service also populates parts of the document. Alternatively, the individual can email the document or lodge it at the post office and comply with any identification requirements the agency has in place for those methods of transmission. Because the individual can lodge the documents at the post office or by email instead of using the online lodgement service and their digital ID, the agency does not contravene subclause (1).

324. The requirement to offer an alternative means of accessing a relying party's service will not apply where the service is obtained or accessed by an individual who is acting on behalf of another entity in a professional or business capacity (paragraph (3)(a)). For example, a tax agent acts on behalf of a client to lodge taxation information; or an individual must act for a company or non-government organisation to lodge a Business Activity Statement.

325. A participating relying party may also be granted an exemption for a particular service (paragraph (3)(b)). However, a Commonwealth entity cannot be granted an exemption (subclause (6)). This means that for Commonwealth services offered through use of a digital ID on the AGDIS, there must be an alternative means of using the service where the individual is acting in their personal capacity.

Exemptions

326. The Digital ID Regulator may, on application of a participating relying party, grant an exemption from being subject to this clause if the Regulator is satisfied that it is appropriate to do so (subclause (4)).

327. Matters that may satisfy the Regulator that it is appropriate to grant the exemption are (subclause (5)):
• the relying party is a small business (as defined in the Privacy Act);
• the relying party provides services, or access to services, solely online;
• the relying party is providing services, or access to services, in exceptional circumstances. For example, this may apply during an emergency situation such as flood or fire.
328. Paragraph 74(7)(a) requires that the exemption under subclause (4) must be granted in writing. The Digital ID Regulator may revoke an exemption if it considers it appropriate to do so (paragraph (7)(b)).

329. The decision to refuse to grant an exemption under subclause 74(4) is a reviewable decision (see clauses 137 to 140).

Clause 75 - Restriction on collection of restricted attributes of individuals by participating relying parties

330. Clause 75 requires that a participating relying party must not collect a restricted attribute unless the relying party's conditions of participation authorise the collection of the restricted attribute. The meaning of 'restricted attribute' is given in clause 11. The discussion on clause 11 above gives an overview of how the Bill treats restricted attributes, including this clause.

Clause 76 - Notice before exemption is revoked

331. Clause 76 deals with notification requirements if the Digital ID Regulator proposes to revoke an exemption granted to a participating relying party under subclause 74(4) allowing the entity to make it a condition of obtaining or accessing a service that an individual uses a digital ID. The Regulator must give a written notice stating the reasons for the proposed revocation and inviting the relying party to give a written statement within a specified period. However, notice is not required if the Digital ID Regulator reasonably believes the need to revoke the exemption is serious and urgent.

332. The purpose of this clause is that the Regulator must explain the proposed action, and reasons, to the affected participating relying party, give the entity the opportunity to make a submission within a specified period, including as to why the exemption should not be revoked, and consider any submissions from the entity before proceeding with a decision.

333. It is not intended that clause 76 overrides the general principles relating to natural justice; so, if the Digital ID Regulator considers any adverse information that was not put to the entity in the notice, the Regulator would ordinarily be required to give the entity an opportunity to respond to that information before making a decision.

334. The Regulator does not need to comply with the above requirements if it reasonably believes that the need to revoke the exemption is serious and urgent. This will enable the Regulator to move quickly to withdraw an exemption where there is an urgent need to ensure that individuals are not compelled to use digital IDs to obtain the service provided by the participating relying party, or access to the service.
Clause 77 - Holding etc. information outside Australia

335. Clause 77 empowers the Minister to make legislative rules in relation to the holding, storing, handling or transfer of information outside Australia if the information is or was generated, collected or held by accredited entities within the AGDIS.

336. Accredited entities that do not participate in the AGDIS will not be covered by any rules made under this clause. Similarly, information collected, used, disclosed or generated outside the AGDIS will not be covered by any rules made under this clause.

Rationale for the capacity to make rules

337. It is necessary and appropriate for the Digital ID Rules to be able to prescribe localisation requirements given the changing security environment, and given that other laws may appropriately govern data sovereignty for digital IDs at a point in time but may not be appropriate as the identity environment changes. Having the requirements in rules caters for the changing security landscape.

338. The rules account for the fact that it may be necessary to take additional steps beyond the Privacy Act to ensure the security and confidentiality of information that will be communicated within a digital ID system developed, operated and maintained by the Australian Government. In particular, the nature of personal information (with its extended meaning) will be sensitive given it will relate not just to attributes and other identifying information, but will include biometric information, the services (including government services) a person accesses, and other behavioural information relating to how a person uses their digital ID (e.g. the date and time on which it is created, proofing levels, relying parties they have authenticated to, and devices used to access their account). Holding information overseas could be an additional risk factor in information being compromised.

Process for making legislative rules

339. Before making legislative rules (except where urgency applies), the Minister must consult on the rules and consider any submissions received within a period of at least 28 days.

340. When making rules about holding information outside Australia, it is intended that the Minister will do so having regard to Australia's relevant obligations under international law. This includes any relevant free trade agreements.
341. It is also intended that the Minister will consider, consistent with Australia's obligations under international law, the need to avoid preferential treatment for Australian suppliers of services, and to avoid discrimination against foreign corporations.

Content of legislative rules

342. Without limiting the rules the Minister may make, the rules may (subclause 77(2)):
• prohibit (either absolutely or unless particular circumstances are met or conditions are complied with) the holding, storing, handling or transferring of such information outside Australia; and
• empower the Digital ID Regulator to grant exemptions to entities from any such prohibitions; and
• be expressed to apply to all entities or entities of a specified kind.

343. The intention is that if rules were made they could prohibit the offshoring of identity information, and could allow the Digital ID Regulator to make exemptions.

344. Subclause (2)(c) allows for rules to apply to entities of a specified kind so that they could, for example, apply only to Commonwealth entities.

345. If the rules allow the Digital ID Regulator to make exemptions, the rules will require it to give written notice of a decision to grant or deny an exemption.

Clause 78 - Reportable incidents

346. To ensure the stability, security and integrity of the AGDIS, the Digital ID Regulator needs to be made aware, as soon as the entity itself is aware, of any incidents that may affect, are likely to affect, or have affected, the stability, security or integrity (covering all risks) of the AGDIS. Trust in the System is crucial to building take-up and achieving the economy-wide benefits the AGDIS will bring.

347. It is therefore necessary that entities inform the Digital ID Regulator as soon as they are aware that there has been an incident that could have a detrimental effect on the AGDIS.

348. Clause 78 empowers the Minister to make rules prescribing arrangements for the notification and management of such incidents ('reportable incidents') in connection with the AGDIS.
349. Subclause 78(2) provides that, without limiting the effect of subclause 78(1), the Digital ID Rules may make provision for the following:
(a) the entities that are covered by the arrangements;
(b) the kinds of incidents that must be notified;
(c) the information that must be included in notifications about reportable incidents;
(d) the manner in which and period within which reportable incidents must be notified to the Digital ID Regulator or the System Administrator;
(e) action that must be taken in relation to reportable incidents;
(f) how the Digital ID Regulator or the System Administrator deals with reportable incidents, including action that may be taken by the Digital ID Regulator in dealing with a reportable incident such as:
(i) requiring an entity to do something; or
(ii) authorising the provision of information relating to reportable incidents by the Digital ID Regulator or the System Administrator to the Minister, the Information Commissioner, accredited entities, participating relying parties or other specified bodies;
(g) authorising the collection of information about reportable incidents by the Minister, the Information Commissioner, accredited entities, participating relying parties or other specified bodies.

350. Enabling the Digital ID Rules to authorise disclosure to the Minister is a necessary aspect of the constitutional principle of responsible government. The Information Commissioner may also require information about incidents so as to exercise powers under the Privacy Act in relation to accredited entities. Disclosure of information about incidents to accredited entities and participating relying parties may be necessary so those entities can respond to any incident, such as digital identity fraud, that may affect the provision of their services. 'Other specified bodies' are included as it may be necessary for some incidents to refer a matter to, for example, law enforcement or government bodies affected by the incident.

351. It is intended that the legislative rules will authorise disclosure only where necessary so that the relevant entity can properly and promptly respond to the particular incident. The rules will be subject to prior public consultation (see clause 169) and parliamentary oversight.
352. The purpose of authorising the collection of information about reportable incidents is to ensure that this information can be collected and used, so that, for example, trends can be identified and steps taken to reduce the number of reportable incidents.

Types of reportable incidents

353. Subclause 78(3) provides that, without limiting the effect of paragraph 78(2)(b), the Digital ID Rules may specify the following kinds of incidents:
(a) digital ID fraud incidents;
(b) cyber security incidents;
(c) changes in control (within the meaning of section 910B of the Corporations Act) of entities covered by the arrangements;
(d) if an accredited entity engages contractors to provide a service, or part of a service, for which the entity is accredited - changes in relation to those contractors.

354. 'Cyber security incident' and 'digital ID fraud incident' are defined in clause 9.

355. Notifying the Digital ID Regulator of digital ID fraud incidents and cyber security incidents is essential to ensure that the Digital ID Regulator can implement and supervise necessary and timely responses to address those incidents. It will also be necessary so that the Digital ID Regulator and the Information Commissioner can assess and manage the risk of contagion from those incidents, or further incidents of a similar nature, with impacts across the AGDIS and potentially on the privacy of individuals using other providers within the AGDIS.

356. Notifying the Digital ID Regulator of changes in the control of an entity participating in the AGDIS is equally important. In order for an entity to be accredited and approved to participate, the Digital ID Regulator may consider whether the entity is a 'fit and proper' person, and it is expected that the Digital ID Regulator will consider this routinely in accrediting entities and approving entities to participate in the AGDIS.

357. Changes in the control of an entity (for example, resulting from changes in ownership of the entity, or of controlling interests in an entity) may mean that an entity no longer meets the fit and proper person test. To protect the integrity of the AGDIS, the issue of whether an entity remains a fit and proper person needs to be considered whenever there is a change in control of an entity approved to participate in the AGDIS. The requirement for businesses to notify regulators of a change in control is common across the Commonwealth, and entities are usually required to notify regulators of a change in control within 28 days of that event occurring.

Penalty for contravention

358. Subclause 78(4) provides that entities will be liable to civil penalties of up to 1,500 penalty units if they:
• are subject to a requirement under the Digital ID Rules made for the purposes of subclause 78(1); and
• fail to comply with the requirement.

359. The penalty is designed to ensure that a substantial incentive is created for accredited entities and participating relying parties to comply with these important obligations to report and manage incidents within the AGDIS.

Clause 79 - Interoperability

360. This clause empowers the Minister to make Digital ID Rules about the interoperability obligation, which applies to participating relying parties and accredited entities within the AGDIS. For accredited entities and relying parties not using the AGDIS, interoperability of their service or system is a commercial matter between them and the entities participating in the relevant digital ID system.

361. The purpose of the rules would be to facilitate take-up by individuals of digital IDs through the AGDIS by providing a seamless user experience. Interoperability supports this by prohibiting participating relying parties from limiting consumer choice and prohibiting accredited entities from limiting their interactions with each other, unless the Minister grants an exemption.

362. The interoperability obligation means:
• the obligation on participating relying parties to provide individuals with a choice of accredited identity service providers when the individual seeks to verify their identity or authenticate their digital ID or other information; and
• the obligation on accredited entities participating in the AGDIS to provide their accredited services to other entities participating in the System.

363. Being able to make the rules will facilitate the individual choosing which accredited identity service provider verifies their identity, or authenticates information about the individual, when the participating relying party requests this service.

364. For example, if a participating relying party has a service that requires Identity Proofing Level 3, and there are three identity service providers onboarded to the System that offer that level, rules could provide that a participating relying party must allow a user to verify their identity with any of the three identity service providers. If a participating relying party is connected to an exchange, then the choice of provider would be facilitated by the exchange without any other action by the participating relying party.

365. The Bill specifies the grounds on which the Minister may include in the rules to grant exemptions, being:
• that the Minister is satisfied that a service, or access to a service, provided by a participating relying party that is a government entity is of a kind that should use only accredited services of a government entity;
• that the participating relying party provides a service, or access to a service, that the Minister is satisfied is of a kind that would promote use of digital IDs if the service, or access to the service, was available through the AGDIS;
• that the exemption is of a limited duration to allow for the implementation of required business practices or technological systems, or to facilitate the use of the AGDIS by particular kinds of entities;
• that an entity will provide an arrangement to assist individuals who would otherwise be at a disadvantage in accessing the AGDIS;
• that the exemption is necessary to satisfy the requirements of another legislative provision or scheme;
• that the governance arrangements of an accredited entity prohibit or restrict the entity from interacting with a particular kind of service.

366. It is necessary and appropriate for the Digital ID Rules to be able to prescribe interoperability requirements given the importance of such provisions to consumers' ability to reuse their identity of choice. It is appropriate for these provisions to be in rules given that the phased nature of the AGDIS and significant technological changes in the AGDIS will mean the rules need to change over time.
Clause 80 - Service levels for accredited entities and participating relying parties

367. Clause 80 provides for the Digital ID Standards Chair to determine in writing service levels for entities participating in the AGDIS, and to consult with the Digital ID Regulator before doing so. Subclause (1) sets out what service levels for the AGDIS may relate to, as follows:
• for accredited entities, the availability and performance of the information technology systems through which the entity will provide its accredited services in the AGDIS; and
• for participating relying parties, the availability and performance of the services their customers may access through the AGDIS using their digital ID.

368. Service levels are related to the proper operation of the AGDIS, and non-compliance with a service level is not taken into account in relation to an accredited entity's compliance with the Act and rules for clause 84 (protection from liability) or clause 85 (the statutory contract). This takes account of the fact that in a federated system such as the AGDIS, each participant in the system is reliant to some extent on each other participant in the system when considering availability and performance.

369. A service level determination will be a legislative instrument but exempt from disallowance (see section 42 of the Legislation Act). Determining service levels for participation will be a technical decision based on expertise in information technology systems, digital ID services, digital ID systems and the AGDIS in particular, as well as risk management expertise. For this reason, the service levels will be determined by the Digital ID Standards Chair, a new office created by the Bill, to bring expertise on such technical matters to the setting of service levels. Subjecting the service levels to disallowance could lead to inadequate management of the day-to-day operation of the AGDIS, particularly should no service levels be in effect.
Clause 81 - Entities may conduct testing in relation to the Australian Government Digital ID System

370. Clause 81 enables an entity (see the definition of 'entity' in clause 9) to conduct testing on the AGDIS without having to hold an approval to participate in the AGDIS. Entities may wish to determine their capability or suitability to participate in the AGDIS. At the same time, testing in the AGDIS needs to be managed and controlled to ensure the System's security and integrity.

371. Subclause 81(1) empowers the System Administrator to authorise an entity to conduct testing. The authorisation must be in writing, must specify the period for which it will be in force (which must not exceed 3 months), and may be granted with or without conditions (subclause 81(2)).

372. The note to subclause 81(2) explains that the authorisation may be varied or revoked in accordance with subsection 33(3) of the Acts Interpretation Act 1901.

373. Subclause 81(3) provides that if an authorisation is granted subject to a condition, the authorisation will cease to be in force immediately if the condition is not met at a particular time.

Clause 82 - Use and disclosure of personal information to conduct testing

374. Clause 82 ensures that if an entity will use personal information to conduct testing as authorised under clause 81, it may do so only if the individual concerned has given express consent for the use or disclosure of the information for that purpose. Subclause 82(2) provides that this clause applies despite any other provision of the Act.

Clause 83 - Prohibition on holding out that an entity holds an approval

375. Clause 83 requires that an entity must not hold out that the entity holds an approval to participate in the AGDIS if that is not the case. Otherwise, the entity will face a civil penalty of 1,000 penalty units.

Part 3 - Liability and redress framework

Division 1 - Liability of participating entities

Clause 84 - Accredited entities participating in the Australian Government Digital ID System protected from liability in certain circumstances

376. Clause 84 provides protection from liability for accredited entities when participating in the AGDIS where the accredited entity has provided, or failed to provide, an accredited service to another entity participating in the AGDIS. The protection is that the accredited entity will not be liable to an action or other proceeding, civil or criminal, in relation to the provision or non-provision of the accredited service.

377. The protection will apply only where the accredited entity has acted in good faith and in compliance with the Act and rules (other than the service levels), or where:
• the accredited entity has not complied with the Act and rules (other than the service levels) in relation to the accredited service provided, or not provided; and
• that non-compliance is not the ground or cause for the action or the other proceeding. This ensures that any non-compliance cannot be a reason for the protection being lost.

378. If an accredited entity wishes to rely on this protection from liability, that entity will bear the evidential burden in relation to establishing the matters required by the provision. That is, the entity seeking protection from liability must prove the facts or matters which entitle it to that protection. This is appropriate because these entities will have ready access to the information or evidence necessary to prove that they have complied with the applicable requirements under this Bill, including the technical standards, and have acted in good faith (subclause 84(2)).

Division 2 - Statutory contract

Clause 85 - Statutory contract between entities participating in the Australian Government Digital ID System

379. Clause 85 creates a multi-party statutory contract between participating entities on the AGDIS. The contract is taken to be in force between:
• an accredited entity and each other accredited entity; and
• an accredited entity and each participating relying party.

380. Under the contract, each accredited entity is taken to agree to provide its accredited services in compliance with the Act and the rules (excluding the service levels) when participating in the AGDIS, where the relevant provisions relate to the verification or authentication involving an individual's identity or information about the individual. The other term of the contract is that each accredited entity agrees to comply with any requirements in the Digital ID Rules relating to intellectual property rights. It is expected that the rules will deal with warranties by accredited entities in relation to the use of intellectual property when participating in the AGDIS.

381. The statutory contract will be in force for an entity from the day when it has started participating in the AGDIS (see the definition of 'participation start day' in clause 9) and will cease for an entity if its approval to participate has been revoked (subclause (2)). However, in accordance with contract law, any breach of the contract before revocation of an approval will still be actionable.

382. Entities may enforce the contract in court (in accordance with the general law of contract) if they have suffered, or are likely to suffer, loss due to an alleged breach by an accredited entity. Actions cannot be taken against participating relying parties. Subclause (3) provides that an application may be made to the Federal Circuit and Family Court of Australia.
383. Subclause (4) provides for orders a court can make:
• giving directions about compliance with, or enforcement of, the contract;
• directing the making of compensation, subject to any rules limiting compensation under subclause (5);
• directing the prevention or reduction of loss or damage suffered, or likely to be suffered; and
• any other order considered appropriate.

384. Subclause (5) enables the Digital ID Rules to prescribe conduct or circumstances that do or do not constitute a breach of contract, any provisions of the Act or rules that are not covered by the contract, and limits on the kinds of losses or damages that may be compensated and the amount of compensation an accredited entity may be liable to pay for a breach of the statutory contract. For example, the rules may specify a cap on compensation, or a method to work out the maximum amount of compensation payable, or may exclude certain loss or damage from being subject to an order for compensation (such as consequential loss). The rules may specify different amounts of compensation for different kinds of loss or damage and may apply differently to different types of breaches of the statutory contract.

Clause 86 - Participating entities to maintain insurance as directed by the Digital ID Regulator

385. Clause 86 enables the Digital ID Regulator to direct an accredited entity participating in the AGDIS to maintain adequate insurance against liability that may arise for breach of the statutory contract. A requirement to maintain that insurance will protect other parties to the statutory contract should an accredited entity breach the terms of the contract, causing loss or damage to those other parties, by ensuring that the insured entity has the financial means to compensate an injured party for the loss or damage it has suffered.

386. The requirement to maintain adequate insurance could be satisfied by self-insurance of liability, where an entity is of sufficient size, scale and financial standing to satisfy the Regulator that self-insurance is appropriate. In deciding what insurance is adequate generally, the Regulator is expected to have regard to the practical availability of insurance in the marketplace.

Clause 87 - Dispute resolution procedures

387. Clause 87 enables the Accreditation Rules to prescribe mandatory dispute resolution procedures which must be complied with before an entity seeks an order under subclause 85(3) for alleged breach of the statutory contract. Dispute resolution mechanisms may provide a lower cost and quicker means of resolving disputes between accredited entities, or between accredited entities and participating relying parties, as compared to court proceedings.

388. When prescribing dispute resolution procedures, the rules may:
• require accredited entities to be a member of a recognised dispute resolution scheme;
• detail a dispute resolution process and require entities to take prescribed steps as part of the process.

Division 3 - Redress framework

Clause 88 - Redress framework

389. Clause 88 provides the Digital ID Regulator with power to make rules to establish a redress framework for incidents that occur within the AGDIS in relation to accredited services provided by accredited entities.

390. The authority to establish a redress framework recognises that businesses and individuals may suffer loss or damage if they are affected by an incident, including digital ID fraud incidents and cyber security incidents.

391. The redress framework will ensure that individuals and businesses are provided with information, assistance and support by accredited entities when incidents relating to accredited services occur within the AGDIS. Notification and support mechanisms will ensure individuals and businesses can take steps to protect themselves, including by having access to information about the incident, how it is being managed, and its resolution.

392. Without limiting the extent of the rules made under subclause 88(1), subclause 88(2) provides that the redress framework may deal with the following matters:
• the entities that are covered by the framework;
• the kinds of incidents that are covered by the framework, which may include digital ID fraud incidents and cyber security incidents;
• procedures for dealing with incidents that are covered by the framework;
• requirements relating to notifying entities affected by incidents covered by the framework;
• the provision of information, support and assistance to entities affected by incidents covered by the framework; and
• development and publication of policies relating to the identification, management and resolution of incidents covered by the framework.

393. It is necessary and appropriate for the Digital ID Rules to be able to prescribe redress requirements given the importance of such provisions to consumers' ability to efficiently deal with, and get assistance in relation to, digital ID fraud incidents and cyber security incidents. It is appropriate for these provisions to be in rules given the need to adapt to redress frameworks which already exist and are available outside the AGDIS.

Chapter 5 - Digital ID Regulator

Part 1 - Introduction

Clause 89 - Simplified outline of this Chapter

394. Clause 89 provides a simplified outline of Chapter 5, which sets out provisions relating to the functions and powers of the Digital ID Regulator. The outline is not intended to be comprehensive. Readers should rely on the substantive provisions of the Chapter.

Part 2 - Digital ID Regulator

Clause 90 - Digital ID Regulator

395. This clause will provide that the ACCC is the Digital ID Regulator.

Clause 91 - Functions of the Digital ID Regulator

396. This clause sets out the functions of the Digital ID Regulator:
• to promote compliance with the Act and rules;
• to provide general information for guidance relating to the Regulator's functions and powers;
• to consult with the System Administrator and the Information Commissioner, as well as regulators, including the Australian Securities and Investments Commission, Australian Prudential Regulation Authority, Australian Financial Complaints Authority and Australian Cyber Security Centre;
• to advise the Minister, System Administrator, Information Commissioner (on privacy matters) and Digital ID Data Standards Chair about matters under the Act or rules;
• to share information with the Minister, System Administrator, Digital ID Data Standards Chair and Information Commissioner to assist them with their powers or functions under the Act or rules;
• other functions under the Act or rules, or another law of the Commonwealth; and
• anything that is incidental or conducive to the performance of any of the above functions.

Clause 92 - Powers of the Digital ID Regulator

397. This clause ensures the Digital ID Regulator has the requisite powers to perform its functions.

Chapter 6 - System Administrator

Part 1 - Introduction

Clause 93 - Simplified outline of this Chapter

398. Clause 93 provides a simplified outline of Chapter 6, which sets out provisions relating to the System Administrator and their functions. The outline is not intended to be comprehensive. Readers should rely on the substantive provisions of the Chapter.

Part 2 - System Administrator

Clause 94 - System Administrator

399. This clause provides for the Chief Executive Centrelink to be the System Administrator for the AGDIS, with responsibility for managing the availability of the System and identifying and managing operational risks.

400. The Chief Executive Centrelink is the Chief Executive Officer of Services Australia as defined in the Human Services (Centrelink) Act 1997. That Act provides that the functions of the Chief Executive include any functions conferred under any other Act (section 8) and that staff of Services Australia may assist the Chief Executive to perform these functions (section 16).

401. Services Australia has performed these functions for the unlegislated AGDIS (separately to Services Australia's roles as the exchange and a participating relying party in the System). In particular, in managing the availability of the System, Services Australia has managed prevention and investigation of fraud and cyber security incidents involving System participants and brings that expertise to the Chief Executive's new role under this Bill.

402. Enforcement powers under the Bill involving System participants will remain with the Digital ID Regulator.

Clause 95 - Functions of the System Administrator

403. This clause specifies the functions of the System Administrator as follows:
• assisting entities participating in the AGDIS, including connecting to, and dealing with incidents in, the System. This would include providing resources and guidance materials such as standard operating procedures, technical support and coordination amongst participants;
• facilitating and monitoring testing involving the AGDIS, including testing by potential participants who want to determine their capability or suitability to participate in the System before being approved to participate (see clause 81);
• monitoring the availability of the AGDIS. This may include developing, maintaining and reporting against project plans and participants' release schedules for software;
• identifying and managing operational risks. This may involve project planning, war gaming exercises, decision registers and contingency planning, as well as co-ordinating with the Digital ID Regulator about the definitions and metrics determining system integrity;
• managing fraud and cyber security incidents involving participants in the AGDIS. This will also involve communicating and coordinating with cyber security advisers and integrity teams;
• providing advice, and reporting, on the operation of the AGDIS, and sharing information with other regulators under the Bill and the Data Standards Chair to assist them in their roles under the Bill (see paragraphs (f), (g) and (i));
• any other functions conferred by this Bill or another Commonwealth law. For example, functions may be conferred on the Administrator under the Digital ID Rules in relation to actions to be taken after a report by a participant of a fraud or cyber security incident (see clause 78);
• to do anything incidental or conducive to the performance of the above functions. This ensures the Administrator can properly carry out its specified functions.

Clause 96 - Powers of the System Administrator

404. This clause ensures the System Administrator has the requisite powers to perform its functions.

Clause 97 - Directions to the System Administrator

405. This clause gives the Minister power to give directions to the System Administrator about the performance of its functions or the exercise of its powers. Any directions must be of a general nature only (for example, the Minister cannot therefore direct the Administrator as to a particular decision involving a participant in the AGDIS).

406. Subclause (4) clarifies that a direction given by the Minister is not a legislative instrument within the meaning of subsection 8(1) of the Legislation Act 2003 (Legislation Act). A direction made under this clause is administrative in nature: it does not determine or alter the content of the law. Subclause (4) is therefore declaratory of the position under the Legislation Act rather than prescribing a substantive exemption from the requirements of that Act (which apply to legislative instruments).

Chapter 7 - Digital ID Data Standards

Part 1 - Introduction

Clause 98 - Simplified outline of this Chapter

407. Clause 98 provides a simplified outline of Chapter 7, which sets out provisions relating to the Digital ID Data Standards. The outline is not intended to be comprehensive. Readers should rely on the substantive provisions of the Chapter.

Part 2 - Digital ID Data Standards

Clause 99 - Digital ID Data Standards

408. Clause 99 provides for the Digital ID Data Standards Chair, established by clause 101, to make Digital ID Data Standards in writing. The standards will be a legislative instrument but not subject to disallowance by a House of Parliament (see subclause (4), discussed below).

409. The data standards may provide differently for different kinds of entities and circumstances (subclause (2)). If a data standard is inconsistent with the Accreditation Rules, the data standard has no effect (subclause (3)).

410. The data standards may deal with the following matters:
• technical integration requirements for entities to participate in the AGDIS. For example, the standards may deal with technology requirements for transmitting data among AGDIS participants;
• technical or design features that entities must have to participate in the AGDIS. For example, this could be a design of an identity exchange that preserves privacy;
• if the Accreditation Rules or the Digital ID Rules require the Chair to do so - technical, data or design standards, including test standards for an entity's information technology systems and processes, relating to accreditation. For example, it is expected that the Accreditation Rules would require the Chair to develop test standards dealing with the accuracy and security of biometric information;
• other matters prescribed by the Digital ID Rules. It is necessary and appropriate for the Digital ID Rules to be able to prescribe other technical and data standards requirements, given the Bill is technologically neutral, in that it does not lock in a particular information technology architecture for digital ID systems and service models. Given this, there are likely to be other kinds of data standards that cannot be foreshadowed at present.

411. Subclause 99(4) will provide that the Digital ID Data Standards made under subclause 99(1) are legislative instruments but exempt from disallowance by Parliament (see section 42 of the Legislation Act 2003).

412. The data standards will be largely in the nature of specifications for technical processes, to ensure for example that there are appropriate levels of security protecting the AGDIS and other digital ID systems used by accredited entities. It is expected that some data standards will be based on internationally and nationally recognised information technology protocols and, for the AGDIS, expanded or modified to meet technical requirements specific to the AGDIS.

413. Determining the technical, data and design features of digital ID systems and of accredited services will be a technical decision based on expertise in data security, information technology systems, digital ID services, digital ID systems and the AGDIS in particular. It will require risk management expertise. For this reason, the data standards will be determined by the Digital ID Data Standards Chair, a new office created by the Bill, to bring expertise on these technical matters. Clause 100 imposes mandatory consultation requirements on the Chair before data standards are made, to ensure that further expert input is provided. This includes consultation with the Information Commissioner, to ensure expert advice is provided on privacy matters, and with the System Administrator, for further expert advice on the effect of technical and design standards on the operation of the AGDIS.

414. Subjecting the data standards to disallowance could lead to inadequate management of the day-to-day operation of the AGDIS, particularly should no data standards be in effect. Technical and data standards will be made so as to operate at the commencement of the Act, ensuring that the Accreditation Scheme and the AGDIS can properly operate immediately.

415. Current standards and technical requirements for the AGDIS are specified in Chapter 6 of the unlegislated TDIF (Chapter 6), and all entities which will participate in the AGDIS from commencement have developed their information systems based on the TDIF requirements. These will be adopted in the data standards for the legislated AGDIS on commencement of the Act to ensure continued operation of the AGDIS. Government and commercial certainty will be adversely affected if the data standards can be disallowed at a later date, and there will be security implications if participants are not required to adhere to the same standards necessary for operation of the AGDIS.

416. Accredited entities operating in other digital ID systems (and which may be transitioned as accredited entities under the Transitional Bill) have also designed their information technology systems and processes in accordance with the contemporaneous standards (currently in the unlegislated TDIF), which will be adopted in the data standards to commence at the same time as the Act. Government and commercial certainty will also be adversely affected if the data standards for the Accreditation Scheme can be disallowed at a later date, and there will be security implications if participants are not required to adhere to contemporaneous standards necessary to ensure their accredited services meet consistent standards.

Clause 100 - Requirement to consult before making

417. This clause ensures that the Digital ID Data Standards Chair consults widely before making, amending or revoking any technical or data standards. The Chair must publish any draft standards or amendments and invite persons to make submissions within a specified period, which must be at least 28 days after the notice is published. The Chair must consider all submissions received in the timeframe and may consider late submissions. However, if the Chair believes an amendment is urgent or minor, consultation will not be required, ensuring urgent matters can be dealt with without delay and providing administrative efficiency for minor changes.

418. The Chair must also consult with the Minister, the Digital ID Regulator, the System Administrator and the Information Commissioner.

419. The mandatory consultation requirements do not limit the consultation obligations in the Legislation Act 2003.

Part 3 - Digital ID Data Standards Chair

Division 1 - Establishment and functions of the Digital ID Data Standards Chair

Clause 101 - Data Standards Chair

420. This clause provides for the role of a Digital ID Data Standards Chair. The Digital ID Data Standards Chair is a statutory office holder.

Clause 102 - Functions of the Digital ID Data Standards Chair

421. This clause sets out the functions of the Digital ID Data Standards Chair, which are: to make Digital ID Data Standards; to review those standards regularly; other functions conferred on the Chair by the Act and rules; and to do anything incidental or conducive to the performance of those functions.

422. The content of the Digital ID Data Standards is detailed in clause 99. The Chair also has the function of determining service levels related to the availability and performance of the AGDIS (see clause 80).

Clause 103 - Powers of the Digital ID Data Standards Chair

423. This clause sets out the powers of the Digital ID Data Standards Chair.

424. The Digital ID Data Standards Chair will have power to establish committees, advisory panels and consultative groups. These bodies will provide additional expertise when technical and data standards are being prepared for the Accreditation Scheme or the AGDIS. The Digital ID Data Standards Chair will also have the power to do all other things necessary to perform the Chair's functions.

Clause 104 - Directions to the Digital ID Data Standards Chair

425. Subclause 104(1) provides that the Minister may give written directions to the Digital ID Data Standards Chair about the performance of the Chair's functions or the exercise of the Chair's powers.

426. Subclause 104(2) provides that a direction given under subclause 104(1) must be of a general nature only.

427. Subclause 104(3) provides that the Digital ID Data Standards Chair must comply with the Minister's direction under subclause 104(1).

428. Subclause 104(4) clarifies that a direction under subclause 104(1) is not a legislative instrument.

Division 2 - Appointment of the Digital ID Data Standards Chair

Clause 105 - Appointment

429. Subclause 105(1) requires the Digital ID Data Standards Chair to be appointed by the Minister by written instrument.

430. The note under subclause 105(1) states that the Minister will be the Digital ID Data Standards Chair if an appointment is not made under subclause 105(1), in accordance with the definition of Digital ID Data Standards Chair in clause 9.

431. Subclause 105(2) provides that the appointment is to be on a full-time or part-time basis.

Clause 106 - Term of appointment

432. This clause provides that the Digital ID Data Standards Chair will hold office for the period specified in the instrument of appointment, and that the specified period must not exceed 3 years.

Clause 107 - Acting appointments

433. Clause 107 allows the Minister to appoint a person to act as the Digital ID Data Standards Chair for a specified period, or periods, when the office of the Digital ID Data Standards Chair is vacant, or the Chair is absent or otherwise unable to perform their duties.

Clause 108 - Application of the finance law etc.

434. Subclause 108(1) establishes the Digital ID Data Standards Chair as an official of the Department for the purposes of the Public Governance, Performance and Accountability Act 2013 (PGPA Act).

435. Subclause 108(2) provides that, when preparing the Department's annual report under the PGPA Act, the Secretary of the Department must include information about the performance of the Digital ID Data Standards Chair's functions and the exercise of their powers during the relevant period.

436. Subclause 108(3) provides that if, at any time, the Minister is the Digital ID Data Standards Chair, subclauses 108(1) and (2) do not apply. If such a time falls within the relevant period, the Department's annual report under the PGPA Act for that period must include information about the performance of the Digital ID Data Standards Chair's functions and the exercise of their powers during the relevant period.

Division 3 - Terms and conditions for the Digital ID Data Standards Chair

Clause 109 - Remuneration

437. Clause 109 provides that the Digital ID Data Standards Chair is to be paid remuneration as determined by the Remuneration Tribunal. The Remuneration Tribunal is an independent tribunal established under the Remuneration Tribunal Act 1973 to determine and advise on entitlements of Commonwealth and other public offices.

438. Subclause 109(2) provides that the Digital ID Data Standards Chair is to be paid allowances prescribed by legislative instrument made by the Minister.

439. Subclause 109(3) enables the Minister to set remuneration and allowances for the Digital ID Data Standards Chair by legislative instrument.

440. Subclauses 109(1) and (2) do not apply when the Minister is the Digital ID Data Standards Chair.

441. With the exception of subsections 7(9) and (13) of the Remuneration Tribunal Act 1973, that Act applies to this clause. This has the effect that the remuneration or allowances of the Digital ID Data Standards Chair will be paid out of money appropriated by an Act other than the Remuneration Tribunal Act 1973.

Clause 110 - Leave of absence

442. Subclause 110(1) provides that the Digital ID Data Standards Chair's recreational leave entitlements are determined by the Remuneration Tribunal if the Chair is appointed on a full-time basis.

443. Subclause 110(2) provides that other, non-recreational forms of leave, such as personal or carer's leave, may be granted by the Minister, on conditions determined by the Minister.

444. Subclause 110(3) provides that, if the Digital ID Data Standards Chair is appointed on a part-time basis, the Secretary of the Department may grant leave of absence on conditions determined by the Secretary.

Clause 111 - Outside work

445. This clause provides that the Digital ID Data Standards Chair must not engage in paid work outside the duties of the Chair's office without the Minister's approval.

Clause 112 - Resignation of appointment

446. This clause provides that the Digital ID Data Standards Chair may resign their office by providing a written resignation to the Minister. The Digital ID Data Standards Chair is not required to provide a period of notice; their resignation takes effect on the day the Minister receives it, or on a later date specified in the resignation.

Clause 113 - Termination of appointment

447. The Minister may terminate the appointment of the Digital ID Data Standards Chair on the grounds listed in subclauses 113(1) and (2). The grounds cover circumstances where the Digital ID Data Standards Chair may be unable to exercise their functions or powers independently or diligently, or is otherwise unable to perform their duties appropriately.

448. One ground for termination is where the Digital ID Data Standards Chair fails, without reasonable excuse, to give the Minister notice of any conflict of interest in relation to the proper performance of their functions, as required by section 29 of the PGPA Act.

449. In a case where the Digital ID Data Standards Chair is appointed on a full-time basis, an additional ground for termination is if the Digital ID Data Standards Chair is absent for 14 consecutive days, or for 28 days in any 12-month period, and that absence is not a leave of absence under clause 110.

Clause 114 - Other terms and conditions

450. Except while the Minister is the Digital ID Data Standards Chair, this clause allows the Minister to determine other terms and conditions on which the Digital ID Data Standards Chair holds office, with respect to matters not covered by this Division of the Bill.

Division 4 - Other matters

Clause 115 - Arrangements relating to staff

451. Clause 115 provides that staff assisting the Digital ID Data Standards Chair are to be APS employees in the Department made available to the Digital ID Data Standards Chair by the Secretary of the Department, or APS employees in another Department of the Commonwealth made available by the Secretary of that Department.

452. Subclause 115(2) provides that staff are subject to the directions of the Digital ID Data Standards Chair when performing services for the Digital ID Data Standards Chair.

Chapter 8 - Trustmarks and Registers

Part 1 - Introduction

Clause 116 - Simplified outline of this Chapter

453. This clause provides a simplified outline of Chapter 8, which sets out provisions relating to trustmarks, the Digital ID Accredited Entities Register and the AGDIS Register. The outline is not intended to be comprehensive. Readers should rely on the substantive provisions of the Chapter.

Part 2 - Digital ID Trustmarks

Clause 117 - Digital ID trustmarks

454. This clause provides that the Digital ID Rules may specify digital ID trustmarks that may or must be used by accredited entities and participating relying parties, and conditions or requirements for the use and display of a trustmark.

455. A trustmark may be a mark, symbol, logo or design (subclause 117(2)).

Clause 118 - Authorised use of digital ID trustmarks etc.

456. Subclause 118(1) creates a civil penalty provision for the unauthorised use of a digital ID trustmark, with a civil penalty of 1,000 penalty units. This will apply if the Digital ID Rules set out the authorised uses for an accredited entity or an entity participating in the AGDIS, that is, when an entity is permitted or required to use a trustmark and the conditions relating to its use or display.

457. Subclause 118(3) creates a civil penalty provision for use of a mark, symbol, logo or design closely resembling a digital ID trustmark where the use is likely to lead a reasonable person to believe that the entity is an accredited entity or participating relying party. The civil penalty is 1,000 penalty units.

Clause 119 - Displaying digital ID trustmark

458. Clause 119 creates a civil penalty provision if an entity is required by the Digital ID Rules to display a digital ID trustmark in circumstances specified in the rules and the entity fails to comply with the requirement. The civil penalty is 1,000 penalty units.

459. These civil penalty provisions are enforceable by the Digital ID Regulator under the Regulatory Powers Act, which also sets out the relevant evidentiary requirements. Consistent with the Guide to Framing Commonwealth Offences, in setting the maximum penalty consideration has been given to ensuring adequate deterrence, to ensuring that the penalty takes into account the cost of pursuing action in court, and to ensuring that the pecuniary penalty amounts are proportionate to the seriousness of the contravention.

460. The maximum penalties are intended to be a deterrent. The use of trustmarks gives consumers confidence, when verifying their identity, that they are dealing with an entity that has chosen to adhere to the strong privacy, consumer and security requirements of the Act and rules.

Part 3 - Registers

Clause 120 - Digital ID Accredited Entities Register

461. This clause requires the Digital ID Regulator to establish, maintain and publish a register, the Digital ID Accredited Entities Register, listing entities which are or have been accredited entities. The Register must also detail any accreditation conditions imposed by the Digital ID Regulator (other than conditions imposed for reasons of national security), and whether the entity's accreditation has been suspended or revoked. The Digital ID Rules may prescribe other matters to be included in the Register and may provide for matters relating to corrections and the administration or operation of the Register. An example relating to administration is how the Register will be published and updated by the Digital ID Regulator.

462. Subclause 120(4) will ensure that information about an accredited entity remains on the Register for 12 months after the entity's accreditation is revoked. This ensures that such information is available to the public for a reasonable period of time after revocation, while requiring the Digital ID Regulator to update the Register at the end of that period to ensure it remains current.

463. Subclause 120(7) clarifies that the Register is not a legislative instrument.

Clause 121 - AGDIS Register

464. This clause requires the Digital ID Regulator to establish, maintain and publish a register, the AGDIS Register, listing entities which hold or have held an approval to participate in the AGDIS. The Register must also detail any participation conditions imposed by the Digital ID Regulator (other than conditions imposed for reasons of national security), and whether the entity's approval has been suspended or revoked. The Digital ID Rules may prescribe other matters to be included in the Register and may provide for matters relating to corrections and the administration or operation of the Register. An example relating to administration is how the Register will be published and updated by the Digital ID Regulator.

465. Subclause 121(4) will ensure that information about an entity remains on the Register for 3 years after the entity's approval is revoked. The 3-year time limit reflects that the entity has ongoing obligations after revocation in relation to record-keeping, while requiring the Digital ID Regulator to update the Register at the end of that period so that it remains current.

466. Subclause 121(7) clarifies that the Register is not a legislative instrument.

Chapter 9 - Administration

Part 1 - Introduction

Clause 122 - Simplified outline of this Chapter

467. This clause provides a simplified outline of Chapter 9, which sets out provisions relating to administration and enforcement. The outline is not intended to be comprehensive. Readers should rely on the substantive provisions of the Chapter.

Part 2 - Compliance and enforcement Division 1 - Enforcement powers Clause 123 - Civil penalty provisions 468. This clause sets out the requirements in relation to civil penalties that are necessary to trigger operation of Part 4 (civil penalties) of the Regulatory Powers Act, including courts in which the penalties may be enforced. It provides that the Information Commissioner (and specified staff) enforces the civil penalties for additional privacy safeguards, and the Digital ID Regulator enforces all other civil penalties. Rationale for civil penalties 469. Existing criminal provisions in the Criminal Code Act 1995 (the Criminal Code), together with the civil penalty regime in the Bill, and the powers available to both the Information Commissioner and the Digital ID Regulator, provide a strong set of sanctions aimed at deterring misuse of personal information, while encouraging participation in the Accreditation Scheme. 470. The decision to include civil penalties in the Bill with appropriate penalties was made having regard to the following matters. 471. Accredited entities will handle significant amounts of personal information of individuals when providing their accredited services. The unauthorised collection, use or disclosure of personal information may cause serious harm to an individual such as identity theft and fraud incidents. 472. Individuals providing their personal information to accredited entities will reasonably expect that those entities will handle their information in accordance with specific digital ID privacy safeguards in this Chapter, and to face appropriate penalties for contraventions of those obligations. This will assist to promote trust in digital ID services amongst the Australian community, which is an object of this Bill (see clause 3). 473. Civil penalties play a key role in regulation by deterring unlawful conduct. 
The civil penalties in the Bill reflect the seriousness of contraventions of the additional privacy safeguards, and the deterrence purposes of the civil penalties.

474. The rationale for a civil penalty regime, rather than creating new criminal offences, reflects the fact that civil penalties for breaches of the additional privacy safeguards have several advantages over criminal penalties. Their purpose is primarily deterrence, not punishment as with criminal offences, and the onus of proof for civil penalty provisions is 'on the balance of probabilities' rather than 'beyond reasonable doubt' as is the case for criminal offences.

475. Infringement notices will supplement the civil penalty provisions by providing an alternative to proceedings for less serious contraventions, or where the authorised enforcement is straightforward. As infringement notices are a more convenient and efficient way to address contraventions of this nature, they encourage enforcement of, and compliance by accredited entities with, their obligations, without the additional time, cost and resources involved in litigating civil penalty proceedings.

Rationale for the maximum penalty

476. The pecuniary penalties specified in Division 2, Part 2 of Chapter 3 for contraventions of the additional privacy safeguards - 1,500 penalty units - are the maximum penalty a court may impose on an individual for breaches of the additional privacy safeguards (a penalty unit is currently set by the Crimes Act 1914 at $313 (as at November 2023)). The maximum penalty for bodies corporate is five times the amount specified for an individual in the Regulatory Powers Act (see subsection 82(5) of that Act), and is the same for government entities (see clause 157 of the Bill).

477. A single maximum penalty has been set considering the comparable nature of breaches of any of the additional privacy safeguards, and to provide certainty to accredited entities regarding the scope of their potential liability for breaches of any of the additional privacy safeguards.

478. The maximum penalties for breaches of the additional privacy safeguards have been set considering contemporary offences for mishandling government and consumer data, including those set out in the Privacy Act, the My Health Records Act 2012 and the Consumer Data Right in the Competition and Consumer Act 2010.
The proposed maximums balance the penalties in these frameworks with community expectations about the handling of personal information in a digital ID context, including the risk of harm to individuals if their personal information is mishandled by an accredited entity, and the objects of promoting trust in digital ID services and encouraging the use of digital IDs as a more secure way to verify the identity of a person, rather than handing over significant personal information to relying parties.

479. Consistent with the Guide to Framing Commonwealth Offences, in setting the maximum penalty consideration has also been given to ensuring adequate deterrence, that the penalty takes into account the cost of pursuing action in court, and that the pecuniary penalty amounts are proportionate to the seriousness of the contravention.


480. The maximum penalties are intended to be a deterrent, and to take into account the potential gains accredited entities may make through non-compliant activity. For example, an accredited entity that discloses attributes or restricted attributes without the express consent of the individual may achieve higher volumes on their services and the associated revenue for providing their services within a digital ID system. Similarly, an accredited entity that fails to destroy biometric information as required by the Bill may achieve a commercial advantage by having access to that biometric information for purposes not related to their accredited services.

Application of criminal laws

481. The availability of civil penalties under the Bill does not preclude the possibility that a person may also be criminally liable under existing criminal laws - for example, under the Criminal Code. An important element of the Bill is that existing criminal penalties should continue to be available to reinforce the strong privacy protections in the Bill that will apply to the handling of personal information and other digital ID information. The Bill does not create fresh offences which would duplicate those already available under Commonwealth criminal law.

Clause 124 - Infringement notices

482. This clause provides that each civil penalty provision is also subject to an infringement notice under Part 5 (infringement notices) of the Regulatory Powers Act. It provides that the Information Commissioner is responsible for issuing infringement notices in relation to alleged breaches of the additional privacy safeguards, and the Digital ID Regulator is responsible for issuing infringement notices for all other civil penalties.

Clause 125 - Enforceable undertakings

483. This clause provides that each civil penalty provision is enforceable under Part 6 of the Regulatory Powers Act, which creates a framework for accepting and enforcing undertakings relating to civil penalty provisions.
It provides that the Information Commissioner is responsible for enforceable undertakings in relation to the additional privacy safeguards, and the Digital ID Regulator is responsible for enforceable undertakings for all other civil penalties.

Clause 126 - Injunctions

484. This clause provides that each civil penalty provision is enforceable under Part 7 of the Regulatory Powers Act, which creates a framework for using injunctions to enforce the civil penalty provisions. It provides that the Information Commissioner is responsible for using injunctions in relation to the additional privacy safeguards, and the Digital ID Regulator is responsible for injunctions for all other civil penalties.

Division 2 - Directions powers

Subdivision A - Digital ID Regulator's directions powers

Clause 127 - Digital ID Regulator's power to give directions to entities in relation to accreditation and participation

485. This clause enables the Digital ID Regulator to issue written directions, which must include reasons for the direction, to an entity to do a specified act or thing, or to refrain from doing a specified act or thing. It creates a civil penalty provision if the entity does not comply with the direction.

486. Directions can be given for the purpose of:
• giving effect to a decision to approve an entity to participate in the AGDIS, or to suspend or revoke such an approval;
• dealing with matters arising as a result of the suspension or revocation of an entity's approval to participate in the AGDIS;
• giving effect to a decision to accredit an entity as an accredited entity, or to suspend or revoke such an accreditation; or
• dealing with matters arising from the suspension or revocation of an entity's accreditation as an accredited entity.

487. Subclause (2) gives a non-exhaustive list of matters that may be the subject of a direction.

488. The first item (subclause (2)(a)) gives two examples of directions that may be given to an accredited identity exchange provider: first, to provide information to an entity participating in the AGDIS; and second, to connect the entity to the AGDIS. Directions of this nature could be issued to ensure an entity is connected to the AGDIS on the day specified by the Digital ID Regulator.

489. The second item is a direction that could be given to an accredited entity whose accreditation is suspended or revoked, such as requiring the entity to notify other participants in the digital ID system in which the entity operates of the date on which the suspension or revocation takes effect (subclause (2)(b)).

490. Subclause (4) designates non-compliance with a direction to be a civil penalty provision with a maximum penalty of 1000 penalty units.


491. Subclause (5) clarifies that a direction issued under this clause is not a legislative instrument.

Clause 128 - Digital ID Regulator's power to give directions to protect the integrity or performance of the Australian Government Digital ID System

492. This clause enables the Digital ID Regulator to give a written direction to an accredited entity, or an accredited entity whose accreditation is suspended, if the Digital ID Regulator considers it necessary to protect the integrity or performance of the AGDIS. It creates a civil penalty provision if the entity does not comply with the direction.

493. Subclause (2) sets out a non-exhaustive list of matters that may be the subject of a direction. These are to:
• conduct a privacy impact assessment in relation to a specified matter and provide a copy of the assessment to the Digital ID Regulator;
• conduct a fraud assessment in relation to a specified matter and provide a copy of the report on the assessment to the Digital ID Regulator;
• conduct a security assessment in relation to a specified matter and provide a copy of the report on the assessment to the Digital ID Regulator;
• do any act or thing specified by the Digital ID Rules.

494. Any assessments for the purposes of a direction are to comply with any requirements in the Accreditation Rules (subclause (3)). This will ensure consistency in the manner in which such assessments are conducted.

495. Subclause (5) clarifies that a direction issued under this clause is not a legislative instrument.

Clause 129 - Remedial directions to accredited entities etc.

496. This clause enables the Digital ID Regulator to give a written direction to an accredited entity, or an accredited entity whose accreditation is suspended, to take specified action if the Regulator reasonably believes the entity has contravened or is contravening a provision of the Act or rules. It creates a civil penalty provision if the entity does not comply with the direction.

497. A remedial direction would require the entity to take specified action towards ensuring it does not, or is unlikely in the future to, contravene the provision.


498. Subclause (4) designates non-compliance with a direction to be a civil penalty provision with a maximum penalty of 1000 penalty units.

499. Subclause (5) clarifies that a direction issued under this clause is not a legislative instrument.

Subdivision B - Digital ID Regulator's directions powers

Clause 130 - System Administrator's power to give directions to protect the integrity or performance of the Australian Government Digital ID System

500. This clause enables the System Administrator to give a written direction to entities approved to participate in the AGDIS, or whose approval has been suspended, if the Digital ID Regulator considers it necessary to protect the integrity or performance of the AGDIS. Subclause (5) creates a civil penalty provision if an entity does not comply with the direction, with a penalty of 1,000 penalty units.

501. Subclause (2) sets out a non-exhaustive list of matters that may be the subject of a direction. These are to:
• take, or not take, specified action related to the performance of the AGDIS;
• conduct a fraud assessment in relation to a specified matter and provide a copy of the assessment report to the System Administrator;
• conduct a security assessment in relation to a specified matter and provide a report to the System Administrator;
• do any act or thing specified by the Digital ID Rules.

502. Any assessments for the purposes of a direction are to comply with any requirements in the Accreditation Rules (subclause (3)). This will ensure consistency in the manner in which such assessments are conducted.

503. Subclause (6) clarifies that a direction issued under this clause is not a legislative instrument.

Division 3 - Compliance assessments

Clause 131 - Compliance assessments

504. This clause enables the Digital ID Regulator to give a written notice to an entity to undergo a compliance assessment by or on behalf of the Regulator, or by an independent assessor arranged by the entity. A compliance assessment may be required:
• to determine whether the entity has complied, is complying or is able to comply with the Act or rules. For example, an accredited entity may be required to undergo a compliance assessment to determine if it will be able to comply with the Act and Accreditation Rules if it applies to an accreditation condition to add a service as part of its accredited services;
• where one of the following has, or is suspected of having, occurred:
o a cyber security incident or fraud incident;
o a serious or repeated breach of the Accreditation Rules;
o an incident that may materially impact the operation of the entity's information technology system;
o an incident that may have a material impact on the operation of the AGDIS;
o a change to the entity's operating environment that may have a material impact on the entity's risk profile; or
o in circumstances specified in the Digital ID Rules (see subclause (4), and subclause (5), which provides a non-exhaustive list of the matters that may be dealt with in the rules, including requirements in relation to reports on an assessment).

505. Subclause (2) specifies the notice requirements where a compliance assessment is to be undertaken.

506. An entity must comply with a notice given to it by the Digital ID Regulator under this clause within the required time period (subclause (3)). A failure to comply with a notice could lead to compliance action such as suspension or revocation of the entity's accreditation or approval to participate.

507. The Digital ID Rules may prescribe rules providing for and in relation to compliance assessments (subclause (4)). Subclause 131(5) provides a non-exhaustive list of examples of what the Digital ID Rules may address. These include procedural matters such as how assessments are conducted, the requirements for reports on the outcomes of compliance assessments, and what the Digital ID Regulator may require the entity to do in response to a compliance assessment.

508. Subclause (6) clarifies that clause 131 is not intended to limit the Accreditation Rules which may be made under paragraph 28(2)(e) (relating to periodic reviews of an entity's compliance with the Accreditation Rules). This ensures that any compliance assessment is separate to what an accredited entity may be required to do under the Accreditation Rules, such as an annual assessment, to maintain its accreditation.

Clause 132 - Entities must provide assistance to persons undertaking compliance assessments

509. This clause requires an entity to cooperate in the carrying out of a compliance assessment by providing the person who is undertaking the assessment with any facilities and assistance that are reasonably necessary for the conduct of the compliance assessment.

Division 4 - Power to require information or documents

Clause 133 - Digital ID Regulator's power to require information or documents

510. This clause enables the Digital ID Regulator to give an entity a written notice requiring the entity to provide information or documents as specified in the notice, within a specified timeframe not earlier than 28 days after the notice is given. Subclause (5) creates a civil penalty for an entity that fails to comply with a notice to produce under this clause, with a penalty of 1,000 penalty units.

511. Subclause (1) provides that the Digital ID Regulator must reasonably believe that the entity holds relevant information or documents.

512. The information or documents requested must be related to the entity's compliance with the Act or rules, or to the Digital ID Regulator's functions or powers.

513. Given this clause applies to any entity (not just accredited entities and participating relying parties), the notice must inform the entity that if it fails to comply with the notice, it may be liable to a civil penalty (subclause (4)).

514. Subclause (6) provides that an entity is not liable to a civil penalty if the entity has a reasonable excuse for non-compliance. Consistent with section 96 of the Regulatory Powers Act, an entity bears the evidential burden to prove that it has a reasonable excuse for failing to comply with the notice.
This is appropriate because the question of whether the entity has a reasonable excuse is a matter which is peculiarly within the knowledge of the entity.

515. This clause does not affect legal professional privilege, and other privileges continue to apply, such as the privilege against self-incrimination.


Clause 134 - System Administrator's power to require information or documents

516. This clause enables the Digital ID Regulator to give an entity a written notice requiring the entity to provide information or documents if the Administrator reasonably believes that the entity has documents or information relevant to the operation of the AGDIS. The information or documents must be given in the timeframe specified in the notice, but not earlier than 28 days after the notice is given.

517. Subclause (5) creates a civil penalty for an entity that fails to comply with a notice to produce under this clause, with a penalty of 1,000 penalty units.

518. Given this clause applies to any entity (not just accredited entities and participating relying parties), the notice must inform the entity that if it fails to comply with the notice, it may be liable to a civil penalty (subclause (4)).

519. Subclause (6) provides that an entity is not liable to a civil penalty if the entity has a reasonable excuse for non-compliance. Consistent with section 96 of the Regulatory Powers Act, an entity bears the evidential burden to prove that it has a reasonable excuse for failing to comply with the notice. This is appropriate because the question of whether the entity has a reasonable excuse is a matter which is peculiarly within the knowledge of the entity.

Part 3 - Record Keeping

Clause 135 - Record keeping by participating entities and former participating entities

520. This clause sets out the record keeping obligations of entities approved to participate in the AGDIS or whose approval has been suspended or revoked, but not of relying parties who are not service providers within the AGDIS. The records to be kept must relate to information obtained by entities through the AGDIS.

521. The entities subject to this provision are required to keep records of the kind, and in the manner, prescribed by the Digital ID Rules.
The Digital ID Rules may also prescribe the period for which records related to the AGDIS must be kept, but this must not be longer than 7 years. It is expected that the rules will require entities to maintain records of events within the AGDIS, including audit logs for transactions and details of consent given by individuals.

522. Subclause (3) creates a civil penalty provision for failure to keep records as required, with a penalty of 1000 units.


Clause 136 - Destruction or de-identification of certain information

523. This clause sets out obligations of accredited entities approved to participate in the AGDIS, or whose participation has been suspended or revoked, to destroy or de-identify personal information in their possession or control which was obtained through the AGDIS, where both:
• the entity is no longer required or authorised to retain the information by law, or by an order of a court or tribunal. An accredited entity would, for example, be required to destroy or de-identify personal information covered by this clause once the record keeping period for that personal information has expired (see clause 136), unless another law requires the information to be kept; and
• the information does not relate to any current or anticipated legal proceedings or dispute resolution proceedings to which the entity is a party.

524. Subclause (2) creates a civil penalty provision for failure to destroy or de-identify records as required, with a penalty of 1000 units.

Part 4 - Review of decisions

Clause 137 - Reviewable decisions

525. This clause sets out the decisions made by the Digital ID Regulator, the Minister and the System Administrator that are reviewable on internal review and by the AAT (reviewable decisions). Each reviewable decision is specified in the table with details of the 'affected entity' who can seek review of the decision.

526. The Digital ID Rules may prescribe additional reviewable decisions in respect of administrative decisions made under those rules (subclause (2)).

527. Subclause (3) excludes as reviewable decisions any decisions made for reasons of national security relating to entities that are not Australian entities. Entities will have access to the courts for judicial review of such decisions.

528. These decisions are not appropriate for merits review as the review process could relate to sensitive details about Australia's national security.
The exclusion mirrors similar exclusions in Part IV of the ASIO Act.

Clause 138 - Internal review of decisions

529. This clause establishes a process for internal review of decisions made by a delegate of the decision-maker. The affected entity may apply to the decision-maker for review of the decision and must do so within 28 days of the date on which the decision first came to the applicant's attention (subclause (2)).

Clause 139 - Reconsideration by decision-maker

530. This clause sets out requirements for internal review of decisions.

531. Within 90 days of receiving the application for internal review, the decision-maker must review the decision and affirm, vary, or revoke the decision. If the decision is revoked, the decision-maker may make any decision they think appropriate.

532. The decision-maker must give the entity, as soon as practicable after making the decision, a statement of their reasons for the decision.

533. Section 27A of the Administrative Appeals Tribunal Act 1975 will apply and requires the notice to the person of the decision to notify the person of the right to seek review by the AAT.

534. Subclause (3) sets out the requirements for delegates when reviewing decisions, requiring that the delegate was not involved in making the original decision, and that they must hold a position or perform duties at the same level as the original decision-maker. This ensures appropriate separation from the original decision-making process, while maintaining the seniority of delegates involved.

Clause 140 - Review by the Administrative Appeals Tribunal

535. This clause provides that the affected entity may apply to the AAT for review of internal review decisions, and of decisions made by the decision-maker personally.

Part 5 - Applications under this Act

Clause 141 - Requirements for applications

536. This clause sets out requirements for applications made under the Act. It requires that they be given in a form and manner (for example, online through a portal) approved by the person to whom the application is made. The approved form, the Accreditation Rules and the Digital ID Rules may detail information and documents that must be provided, and include any fee prescribed for the kind of application.

537. Subclause (2) enables the person receiving the application to accept any information or document previously provided by the person in connection with another application under the Act, thereby avoiding duplication where possible.


Clause 142 - Powers in relation to applications

538. This clause enables the person receiving the application to give a written notice to the applicant requiring further information or documents to be provided, as the person reasonably requires. The notice must specify a timeframe, which must not be less than 14 days.

539. The Digital ID Regulator is not required to make a decision on the application if this subclause is not complied with (see clause 143).

540. The Digital ID Regulator may specify a period in the notice given to the entity for the information or documents to be provided, which must not be less than 14 days (subclause (2)).

Clause 143 - Decisions not required to be made in certain circumstances

541. This clause provides that a decision is not required to be made on an application if it is not in the required form, does not provide the information or documents required, the fee is not paid, or if additional information or documents are not provided as requested.

542. A decision is also not required to be made until a compliance assessment is conducted, if required by the Digital ID Regulator (see clause 131).

Part 6 - Fees

Division 1 - Fees charged by the Digital ID Regulator

Clause 144 - Charging of fees by the Digital ID Regulator etc.

543. This clause will provide for fees for applications and the like under the Bill to be prescribed in the Digital ID Rules. Fees cannot be charged to an individual for the creation or use of a digital ID by the individual (subclause (3)).

544. Subclause (2) provides a non-exhaustive list of matters that may be dealt with in the rules, such as setting fees payable (for example, this could be a specific amount or calculated by a formula), specifying that the amount of the fee is the costs incurred by the Digital ID Regulator in arranging and paying for another person to carry out the activity, when and how fees are to be paid, and matters about refunds, remissions, waivers and penalties for late payment.

545. The amount of a fee may be nil (subclause (4)).

546. Fees charged by the Digital ID Regulator must not be such as to amount to taxation (subclause (6)).


547. If a fee is payable, the Digital ID Regulator does not need to provide the particular service until the fee is paid (subclause (7)). For example, an application does not have to be considered until the fee is paid.

Clause 145 - Review of fees

548. The Minister must ensure that periodic reviews of the charging framework are undertaken. This will ensure that fees charged remain fair and reflect contemporary circumstances.

549. Subclause (2) requires that the first review commence within 2 years of the Bill commencing and be completed within 12 months. Subsequent reviews must occur every 2 years and be completed within 12 months (subclause (3)).

550. A report about each review must be published on the Digital ID Regulator's website (subclause (4)).

Clause 146 - Recovery of fees charged by the Digital ID Regulator

551. This clause will provide that fees charged by the Digital ID Regulator that are due and payable to the Commonwealth may be recovered as a debt in court.

Clause 147 - Commonwealth not liable to pay fees charged by entities that are part of the Commonwealth

552. Clause 147 makes clear that the Commonwealth is not liable to pay a fee to a part of the Commonwealth that is not a separate legal entity (this reflects that the Commonwealth cannot pay itself), but that the intention is for the Commonwealth to be notionally liable to pay such a fee. The Finance Minister may give written directions, which are not a legislative instrument, about notional payments by the Commonwealth, and those directions must be complied with (subclauses (2) to (4)).

Division 2 - Fees charged by accredited entities

Clause 148 - Charging of fees by accredited entities in relation to the Australian Government Digital ID System

553. This clause requires that if any accredited entity charges fees for its services in the AGDIS, the entity must do so in compliance with any rules in the Digital ID Rules. It is not expected that there will be charging rules when the Act commences.
This clause, and any associated rules, will not otherwise affect the ability of an accredited entity to charge fees for its accredited services in the AGDIS or another digital ID system (subclause (5)).


554. Accredited entities may charge fees to verify the identity of an individual or to authenticate information about the individual. For example, an accredited identity service provider may charge a participating relying party when providing attributes and other information to the participating relying party in response to a request. Accredited entities may also charge each other for the services they provide. For example, an accredited identity exchange provider may charge an accredited identity service provider for managing and conveying the flow of information between the provider and a participating relying party.

555. Subclause (3) provides a non-exhaustive list of matters that may be dealt with in the charging rules, such as setting fees payable (for example, this could be a specific amount or calculated by a formula), when and how fees are charged, periodical review of fees and other matters about fees, including exemptions, refunds, remissions or waivers. The amount of any fee may be nil (subclause (4)).

Chapter 10 - Other matters

Part 1 - Introduction

Clause 149 - Simplified outline of this Chapter

556. Clause 149 provides a simplified outline of Chapter 10, which provides for various matters relevant to the operation of the digital ID scheme. This simplified outline is intended to assist readers to understand the substantive provisions of Chapter 10, without being comprehensive. Readers should rely on the substantive provisions of Chapter 10.

Part 2 - Advisory committees

Clause 150 - Advisory committees

557. Clause 150(1) will provide for the Minister to establish advisory committees, made up of persons the Minister chooses, to provide advice about matters arising under the Act. The committees may advise the Minister, the Secretary, the System Administrator and the Digital ID Data Standards Chair. The Digital ID Regulator is not included, as the governance structure of the ACCC already provides for expert advice.

558. Under subclause (3), the Minister appoints committee members on terms and conditions determined by the Minister, such as remuneration and allowances, leave of absence, disclosure of interests and termination. The Minister will also determine a committee's terms of reference and procedures.


559. Subclause (4) clarifies that an instrument establishing a committee and determining matters about the committee is not a legislative instrument.

Part 3 - Confidentiality

Clause 151 - Prohibition on entrusted persons using or disclosing certain kinds of protected information

560. Subclause 151(1) creates a criminal offence for the use or disclosure by an 'entrusted person' of information that was disclosed or obtained by the person under or for the purposes of the Act or rules (called 'protected information' and defined in subclause (4)). The offence applies to uses and disclosures of personal information about an individual, or of commercially sensitive information where there is a risk that the use or disclosure might substantially prejudice the commercial interests of a person.

561. However, the prohibition on use and disclosure is lifted if the use or disclosure is authorised under clause 152 (see subclause (3)). The note to subsection (3) refers to a defendant bearing an evidential burden in relation to a matter in this subsection because of subsection 13.3(3) of the Criminal Code.

562. This provision does not apply to accredited entities or participating relying parties. It applies only to 'entrusted persons', listed in subclause (2) as follows:
• the Digital ID Regulator;
• a member of the ACCC;
• an associate member of the ACCC;
• staff of the ACCC;
• consultants engaged under section 27A of the Competition and Consumer Act;
• the System Administrator (the Chief Executive Centrelink under section 16 of the Human Services (Centrelink) Act 1997, known as the Chief Executive Officer of Services Australia); and
• staff of Services Australia.

563. The penalty for this offence is 2 years' imprisonment or 120 penalty units, or both. This offence and maximum penalty are appropriate as the entrusted persons will necessarily collect personal information and commercially sensitive information of entities when performing functions under the Bill.
Disclosure of such information could seriously harm individuals and the commercial affairs of entities. Digital ID Bill 2023 - Explanatory Memorandum: Page 114 of 319


Clause 152 - Authorised uses and disclosures of protected information by entrusted persons

564. This clause details when use or disclosure of protected information will be authorised.

565. An entrusted person may use or disclose protected information if the person to whom the information relates has consented to the use or disclosure, or if the use or disclosure is for the purposes of the entrusted person performing their duties or functions or exercising a power under the Bill, or of enabling another person to do so.

566. Use or disclosure for the following purposes is also authorised:
• assisting in the administration or enforcement of Commonwealth or Territory law. Use or disclosure of protected information for the purpose of assisting the administration or enforcement of a State law is authorised only if the State law is prescribed in the Digital ID Rules;
• where the information is already lawfully publicly available;
• where the use or disclosure is, or is of a kind of use or disclosure that is, certified in writing by the Minister to be in the public interest. However, the use or disclosure of such information must be made in accordance with any requirements prescribed by the Digital ID Rules.

567. If the Minister certifies that a particular use or disclosure is in the public interest, subclause (2) clarifies that the certification instrument will not be a legislative instrument. This is because the instrument is administrative in nature.

568. However, if the Minister certifies that a kind of use or disclosure is in the public interest, subclause (3) clarifies that the certification will be a legislative instrument, as the exception will apply generally.

Clause 153 - Disclosing personal or commercially sensitive information to courts and tribunals etc. by entrusted persons

569. This clause provides that an entrusted person is not required to produce a document containing protected information, or otherwise disclose protected information, to a court, tribunal, authority or any other person having the power to require the production of documents or the answering of questions, other than where the disclosure is necessary for the purposes of the Act. This does not prohibit the entrusted person from providing the information; it only means that the person is not required to do so.


570. The clause applies only where the information is personal information (other than about the entrusted person) or there is a risk that giving the information might substantially prejudice the commercial interests of a person.

Part 4 - Other matters

Clause 154 - Annual report by Digital ID Regulator

571. This clause requires, as an accountability and transparency measure, the Digital ID Regulator to prepare an annual report on the Regulator's activities for the year. The report is to be given to the Minister by 30 October following a financial year (unless extended) for presentation to Parliament.

572. Subclause (2) details the matters that must be in the report, as follows:
• the number of applications for accreditation and the number granted;
• information about the AGDIS, including the number of applications and the number approved;
• the number of digital ID fraud incidents or cyber security incidents, and the responses to them; and
• any other matters as requested by the Minister.

Clause 155 - Annual report by Information Commissioner

573. This clause requires, as an accountability and transparency measure, the Information Commissioner to include in their annual report information about the Commissioner's performance of functions and exercise of powers under or in relation to the additional privacy safeguards in Chapter 3.

Clause 156 - How this Act applies in relation to non-legal persons

574. The Bill allows participating relying parties that are not legal entities, such as trusts, partnerships and unincorporated associations, to be approved to participate in the AGDIS (only governments and companies can be accredited entities).

575. This clause details how:
• permissions and rights under the Bill are conferred on and exercised by non-legal entities;
• obligations and duties are imposed on them and how they are discharged; and
• they are taken to contravene a provision of the Bill or rules, including civil penalty provisions.

576. This is to ensure that non-legal entities are in effect subject to the provisions of the Bill, by imposing the obligations on the individuals who operate as the non-legal entity.

577. The obligations, duties etc. are imposed on each person who is an 'accountable person' for the non-legal entity at the particular time. Each of the following is an accountable person (subclause (4)):
• for a partnership in which a partner is an individual--the individual;
• for a partnership in which a partner is a company--a director of the company;
• for a trust in which a trustee is an individual--the individual;
• for a trust in which a trustee is a company--a director of the company;
• for an unincorporated association--a member of the governing body of the association.

578. A permission or right is conferred on each person who is an 'accountable person' for the entity at the time, and may be exercised by that person as well as by another person authorised by the accountable person (subclause (1)).

579. Where the Bill imposes an obligation or duty on a non-legal entity, the obligation or duty is imposed on each accountable person, and may be discharged by that person as well as by another person authorised by the accountable person (subclause (2)).

580. Where a non-legal entity breaches a provision of the Act, including a civil penalty provision, or the rules, the provision is taken to have been breached by each accountable person for the entity who did, or did not do, the relevant act, or who aided, abetted, counselled or procured, or was knowingly concerned in or party to, the breach (subclause (3)).

Clause 157 - Attributing conduct to the Commonwealth, States and Territories etc.

581. This clause deals with government entities that are not legal entities in their own right because they are part of another legal entity (for example, a department of the Commonwealth is not a legal entity: the Commonwealth is the legal entity, and the department is part of that legal entity). Government entities may be accredited entities and participating relying parties.

582. It provides that any conduct engaged in on behalf of a government body by an employee, agent or officer acting within the scope of their employment or authority is taken to also have been engaged in by the government body, and the intention of that person is attributed to the government entity (subclause (1)).

583. The clause does not apply to government entities that are legal entities, such as a person who is a statutory office-holder or a government body established under a law as a body corporate. Both are legal entities in their own right.

584. Subclause (2) provides a defence for a government entity's contravention of a civil penalty provision where a contravention by a person is attributed to the entity (see paragraph (3)(a)). The defence is that the government entity took reasonable precautions and exercised due diligence to avoid the conduct. Examples that might come within the defence include the entity having appropriate protective security policies, employee codes of conduct, clear delegation instruments, and training and reviews of fraud, privacy and security practices.

585. Subclauses (3) and (4) deal with how a government entity is described for infringement notices and proceedings.

586. Subclause (5) sets the maximum penalty for breach of a civil penalty provision by a government entity. This is 5 times the pecuniary penalty specified for the civil penalty provision (the same as for bodies corporate, as dealt with in the Regulatory Powers Act).

Clause 158 - Bodies corporate and due diligence

587. This clause provides a defence for a company's contravention of a civil penalty provision where contraventions by employees and others are attributed to the company because of section 97 of the Regulatory Powers Act. The defence is that the company took reasonable precautions and exercised due diligence to avoid the conduct. Examples that might come within the defence include protective security policies, employee codes of conduct, clear delegation instruments, and training and reviews of fraud, privacy and security practices.

Clause 159 - Protection from civil action

588. Under this clause, specified persons, including the Minister, the Digital ID Regulator and the Digital ID Data Standards Chair, and their staff and delegates, would be protected from civil actions in the performance of functions or exercise of powers (or purported performance or exercise) as long as they have acted in good faith when doing so. This aligns with standard protections for regulators and their staff who have acted, or not acted, in good faith.

Clause 160 - Geographical jurisdiction of civil penalty provisions

589. This clause deals with conduct alleged to contravene a civil penalty provision that occurs outside Australia, and limits the circumstances in which such conduct is a contravention. Clause 7 provides that the Bill extends to acts, omissions, matters and things outside Australia. The limitations in this clause ensure the constitutionality of any action taken in relation to an alleged contravention outside Australia.

Clause 161 - Interaction with tax file number offences

590. This clause clarifies that nothing in the Bill affects or limits the operation of sections 8WA and 8WB of the Taxation Administration Act 1953 or rules made under section 17 of the Privacy Act.

Clause 162 - Review of operation of Act

591. This clause ensures that the operation of the Act is reviewed within two years of commencing, with the report of the review to be tabled in Parliament by the Minister within 15 sitting days of receiving it. This review is to allow timely consideration of whether the Act is operating as intended. It is expected that the review would look closely at the operation of the additional privacy safeguards, including whether they would benefit from any amendments or additions, including to account for developments in other legislation such as the Privacy Act.

592. A review also provides a key accountability and Parliamentary oversight mechanism, to ensure the Act is operating in line with community expectations.

Clause 163 - Delegation - Minister

593. This clause enables the Minister to delegate functions and powers under the Bill to the Digital ID Regulator, the Secretary, or SES or acting SES employees in the Department.

594. Subclause (2) requires delegates to comply with any written directions given by the Minister.
Clause 164 - Delegation - Digital ID Regulator

595. This clause enables the Digital ID Regulator to delegate functions and powers under the Bill to a member of the ACCC or to an SES or acting SES employee in the ACCC or the Department. Delegation is a standard regulatory practice that promotes efficient administration and will facilitate the practical implementation of the Bill by allowing appropriately delegated persons to perform functions and exercise powers of the Regulator provided for under the Bill.

596. The delegate must comply with any directions given by the Regulator (subclause (2)).

Clause 165 - Delegation - System Administrator

597. This clause prevents the System Administrator from delegating functions or powers under the Bill to a person who has functions or duties that relate to the operation or management of an information technology system through which an accredited entity provides its accredited services. As the System Administrator is the Chief Executive Centrelink, the delegation power of the Chief Executive Centrelink under the Human Services (Centrelink) Act 1997 applies, as the note explains.

Clause 166 - Delegation - Digital ID Data Standards Chair

598. This clause enables the Digital ID Data Standards Chair to delegate functions or powers under the Bill, other than the making of the standards, to SES employees and acting SES employees in the Department. The delegate must comply with any directions given by the Chair (subclause (3)).

Clause 167 - Instruments may incorporate etc. material as in force or existing from time to time

599. This clause provides that each of the Accreditation Rules, the Digital ID Data Standards and the Digital ID Rules (the core instruments) may apply, adopt or incorporate any matter contained in any other material (an incorporated instrument) as in force or existing from time to time. This may include, for example, standards or policies dealing with the security of systems, or an international or national standard relating to the accessibility, inclusiveness or security of accredited entities' IT systems.

600. The rules may also set out when changes to an incorporated instrument take effect for the purposes of the rules (subclause (3)). This is important so that the rules can ensure that entities are given sufficient time to comply with any changes.

601. Examples of documents that may be incorporated by reference from time to time include Commonwealth documents relating to protective security and cyber security (such as the Protective Security Policy Framework and the Information Security Manual), international standards (such as those relating to the testing of presentation attack detection processes used in biometric verification), and digital identity standards set by internationally recognised organisations such as the US Department of Commerce's National Institute of Standards and Technology.

602. It is intended that, to ensure accredited entities and others are aware when changes in an incorporated document would take effect, the Accreditation Rules would specify when those changes take effect.

Clause 168 - Rules - general matters

603. This clause empowers the Minister to make legislative rules. The rules may deal with matters required or permitted by the Bill, or necessary or convenient for carrying out or giving effect to the Bill. The Accreditation Rules and the Digital ID Rules, referred to throughout the Act, are rules permitted to be made under this clause.

604. The rules may deal with matters or things differently for different kinds of entities, things or circumstances (subclause (2)), and may confer powers on the Digital ID Regulator, the System Administrator and the Minister, but only in relation to administrative matters (subclause (3)). In accordance with drafting practice, subclause (4) sets out matters that must not be dealt with in the rules.

605. Dealing with matters in rules rather than regulations accords with the Office of Parliamentary Counsel's Drafting Direction.

606. Rules made under this clause are legislative instruments for the purposes of the Legislation Act (see subsection 8(2)). Under sections 15G, 38 and 39 of that Act, legislative instruments and their explanatory statements must be registered on the Federal Register of Legislation and tabled in both Houses of the Parliament within six sitting days of registration. Once tabled, instruments are subject to Parliamentary scrutiny and may be disallowed by a notice of motion in either House within 15 sitting days.

Clause 169 - Rules - requirement to consult

607. This clause requires the Minister to consult before making or amending legislative rules, except where rules are made urgently to deal with an imminent threat or hazard affecting the AGDIS (subclause (4)). Stakeholders, including technical experts, industry, privacy regulators and consumer advocates, will have the opportunity to comment on proposed rules.

608. Subclause (1) sets out the process to be followed before making or amending any rules. A notice must be published on the Department's website setting out the proposed rules or amendments and inviting people to make a submission within 28 days. The Minister must consider any submissions received within the 28-day period, but may also consider late submissions (subclause (3)).

609. Subclause (2) provides for the Minister to consult with the Information Commissioner on proposed rules that would authorise accredited entities to collect, use or disclose restricted attributes or biometric information of individuals.

610. If rules are made urgently and therefore without consultation, the Secretary of the Department must review the rules, seek submissions on the rules and complete a report on the rules within 60 days of their being made. The Minister is required to table in Parliament a copy of the Secretary's statement of findings. Rules may need to be made urgently (subclauses (5) to (8)), for example, where a cyber security incident requires emergency amendment of the Digital ID Rules to require accredited entities to take action to detect or prevent similar incidents from occurring or continuing to occur. This will ensure that such matters can be dealt with expeditiously.

611. The validity or enforceability of any rules is not affected by a failure to comply with this clause (subclause (9)).

612. Subclause (10) clarifies that this clause does not limit section 17 of the Legislation Act (which provides that rule-makers should consult before making a legislative instrument).


Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Digital ID Bill

This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

The Digital ID Bill 2023 (the Bill) provides people and businesses with a secure, convenient, voluntary and inclusive way to verify who they are when interacting with government and businesses online. The Bill aims to promote privacy and the security of personal information used to verify the identity of individuals. The Bill also aims to facilitate economic benefits by encouraging the use of digital IDs, and to promote trust in digital ID services amongst the Australian community.

The Bill will strengthen a voluntary accreditation scheme (Accreditation Scheme) and provide a legislative basis for providers of Digital ID services to operate across the digital economy. The Accreditation Scheme offers an opportunity for Australian businesses and organisations to show that they can meet high standards of privacy and protective security. The legislated Accreditation Scheme will ensure that Digital IDs will be private, safe and secure. The Bill will provide data and consumer privacy protections, and oblige providers to meet accessibility and usability requirements. The Bill will establish civil penalties for an accredited provider that does not meet the standards of the Accreditation Scheme.

The Australian Government Digital ID System (AGDIS) already provides Australians with access to government services. The Bill will establish legislative authority for expanding and regulating the AGDIS, enabling the integration of Digital ID services across the Commonwealth, States and Territories, and the private sector over time. The Bill embeds additional protections and controls for entities participating in the AGDIS to ensure they comply with the strict standards necessary to provide access to services available through the AGDIS, or to seek to rely on services provided through it.

The Bill will establish the Australian Competition and Consumer Commission (ACCC) as the Digital ID Regulator to provide accountability for, governance over and oversight of the Accreditation Scheme and the AGDIS.

The objective of these measures is to enable people to access government and private sector services online. They are intended to add to, and not replace, existing access.


Human rights implications

The principal human rights that the Bill engages are:
• The prohibition on arbitrary or unlawful interference with privacy contained in Article 17 of the International Covenant on Civil and Political Rights (ICCPR), and also referred to in Article 16 of the Convention on the Rights of the Child (CROC) and Article 22 of the Convention on the Rights of Persons with Disabilities (CRPD).
• The rights of parents and children, contained in Articles 3 and 12 of the CROC and Article 24(1) of the ICCPR.
• The rights of persons with disability to live independently and participate fully in all aspects of life, to access, on an equal basis, community services and facilities, and to access information in accessible formats and technologies, consistent with Articles 9(1), 19(c) and 21 of the CRPD.
• The right to a fair trial and fair hearing, primarily contained in Article 14 of the ICCPR and also referred to in Article 40(2)(iii) of the CROC.
• The right to equality, recognition and non-discrimination in Articles 2, 16 and 26 of the ICCPR and Article 2 of the CROC.
• The right to be presumed innocent until proven guilty according to law in Article 14(2) of the ICCPR.
• The right to an effective remedy for violations of human rights under Article 2(3) of the ICCPR.
• The right to freedom of expression contained in Article 19 of the ICCPR.
• The right to social security contained in Article 9 of the International Covenant on Economic, Social and Cultural Rights (ICESCR).

Protection from arbitrary or unlawful interference with privacy

1. Article 17 of the ICCPR prohibits arbitrary or unlawful interference with privacy. It includes the right to legal protection from such interference or attacks. Article 16 of the CROC and Article 22 of the CRPD contain similar rights. This statement focuses on the ICCPR. The right to privacy under the CROC and CRPD is also engaged. As the analysis required for those conventions is substantially similar, the protection from arbitrary or unlawful interference with privacy under them is not separately repeated in this statement. The Bill proposes a layered framework of protections to prevent information being treated in a way that would be an unlawful or arbitrary infringement of privacy, outlined below.

First layer of protection: the voluntary Accreditation Scheme


2. The first layer of protections is in Chapters 2 and 3, which accredited entities must comply with when providing their services in digital ID systems (which may include the AGDIS but are not limited to it). For an entity to use or disclose personal information in a service relating to digital IDs, that entity may choose to be accredited as an attribute provider, identity exchange or identity service provider. Clause 9 of the Bill defines 'accredited entity' to include an accredited attribute service provider, an accredited identity exchange provider and an accredited identity service provider. There are stringent requirements about the ongoing trustworthiness of an entity and its ability to consistently handle information securely. An entity must meet those requirements to become accredited under clauses 14 and 15 of the Bill, and those requirements are intended to prevent arbitrary or unlawful interference with privacy.

3. The types of information that an accredited entity may disclose will depend on the type of accreditation it holds. For example, only an accredited identity service provider, if authorised under the entity's conditions of accreditation, can use or disclose biometric information. An accredited entity is only permitted to use or disclose biometric information for the purposes of verifying or authenticating a person's identity. When verifying that person's information, the accredited entity is required to obtain the express consent of the person. But there is a limited exception: an accredited entity is not required to obtain a person's express consent to use their biometric information for testing of that biometric information in accordance with the Accreditation Rules. For example, an accredited entity might use biometric information to conduct testing of presentation attack detection technology for the purposes of online biometric binding, testing a biometric matching algorithm or source biometric matching systems, or testing the liveness of a biometric. These issues are dealt with in detail at paragraphs 14.3 and 14.6.

4. The Bill permits entities to disclose a person's attributes, restricted attributes and biometric information only with their express consent, except in limited circumstances where disclosure is required for the detecting, reporting or investigating of digital ID fraud incidents and cyber security incidents. These issues are dealt with in detail at paragraphs 14.3 to 14.11. The above information about a person, or associated with a person, is likely to constitute personal and sensitive information under the Privacy Act 1988 (Cth) (Privacy Act). If the definition of personal information changes in the Privacy Act, consequential legislative amendments will be introduced to ensure the Bill remains consistent with any amended definition and additional requirements in the Privacy Act.

5. In addition to these requirements, an entity's accreditation is subject to conditions under clauses 17 and 18, some of which the Digital ID Regulator must impose and some of which it may decide to impose. The Digital ID Accreditation Rules (Accreditation Rules) can also impose additional conditions on the accreditation of an accredited entity or class of entities (cl 17(6) of the Bill). Again, the conditions on accreditation are intended to provide a highly calibrated, measured layer of protections to enhance the enjoyment of the right to privacy and informational privacy.

6. In addition to the Digital ID Regulator's ability to impose conditions on the accreditation of an entity or class of entities, the Minister may give directions to the Digital ID Regulator to impose conditions on the accreditation of an entity or class of entities. This recognises that the Minister may have access to information unavailable to the Digital ID Regulator. This directions power allows the Minister to have regard to the broader security context relevant to the protection of information when directing the Digital ID Regulator to accredit or refuse to accredit entities, to revoke or suspend accreditation, or to impose conditions on an accredited entity.

7. Division 1 of Part 2 of Chapter 3 is a cornerstone of the protection of the right to privacy. It provides that, when personal or sensitive information is collected, used or obtained by accredited entities, this must be done in accordance with the standards set out in the Privacy Act (or equivalent State or Territory laws which give effect to the right to privacy in Article 17 of the ICCPR) (cl 65). Clause 35 of the Bill also enhances the right to privacy, because it extends the meaning of 'personal information' to include the type of personal information in the possession or control of accredited entities under the Bill, in the following ways:

7.1. The Bill defines 'attributes' in clause 10 to mean information that is associated with an individual, and includes information that is derived from another attribute; for example, an individual's current or former name, date of birth and email address. The Bill also defines what attributes of an individual may not be collected by an accredited entity. This includes, for example, information or an opinion about an individual's racial or ethnic origin, political opinions, or sexual orientation or practices. This information cannot be collected or stored for the purposes of the AGDIS, or by an accredited entity when providing a service it is accredited to provide in another digital ID system. This protection is based on the voluntary Accreditation Scheme to be established by the Bill and the Accreditation Rules. To be accredited, an entity must demonstrate its compliance with stringent privacy, security and user experience standards and safeguards. Additionally, accredited entities will be required to comply with the privacy protections set out in the Bill. The attributes listed above warrant a level of protection because of the potential adverse impacts for a person resulting from misuse. The economic cost, lost time, changes to behaviour, and adverse mental and emotional impacts of interferences with a person's privacy resulting from misuse of personal information (such as attributes) are significant.


7.2. The Bill defines 'restricted attributes' in clause 11 to mean health information (as defined in the Privacy Act), Australian government and foreign government identifier information, and information about an individual's criminal record. It also includes information or an opinion about the individual's membership of a professional or trade association, or other information prescribed by the Accreditation Rules. This includes information like a tax file number, Medicare number, healthcare identifier and driver licence number. Consideration has also been given to whether information or an opinion relating to disability should be included as a 'restricted attribute'. Noting that there is not yet an accepted definition of 'disability' in Australian law, the Bill has not sought to define it and consequently include it as a restricted attribute. This position mirrors the Privacy Act, which does not define 'sensitive information' as specifically including information about disability. However, to the extent that information about disability is captured by 'health information', it will be covered as a restricted attribute. The rule-making powers also provide the flexibility to include disability information as a restricted attribute in the future, as appropriate.

7.3. Restricted attributes warrant a higher level of protection because of the likely adverse impacts for a person resulting from misuse. The economic cost, lost time, changes to behaviour, and adverse mental and emotional impacts of interferences with a person's privacy resulting from misuse of personal information (such as restricted attributes) are significant.

7.4. The Bill defines 'biometric information' in clause 9 to mean information about any measurable biological characteristics that could be used to identify the individual or verify their identity, including biometric templates. Biometric information is subject to the most stringent protections in the Bill because of the highly sensitive nature of the information. These protections are further discussed at paragraph 14.6.

8. Extending the coverage of the Privacy Act to include an individual's attributes within the meaning of 'personal information' ensures that all data collected, stored and used is protected consistently with the Privacy Act. This builds on the objects of the Bill to promote a secure, convenient, voluntary and inclusive method for verifying a digital ID and to promote trust in accredited digital ID services.

9. A number of the Bill's privacy safeguards are given effect through other legislative instruments, namely the Accreditation Rules. In particular, paragraphs 28(2)(a) to (i) of the Bill enable the Accreditation Rules to provide for restrictions on the collection, use and disclosure of attributes and restricted attributes.
Second layer of protection: the AGDIS

10. A second layer of protections, in addition to the first, is provided by the obligations applying to entities participating in the AGDIS, which are contained in Chapters 4 and 8 of the Bill. These participants comprise participating accredited entities and participating relying parties, which are entities that utilise services provided by participating accredited entities to verify a person's digital ID. The Digital ID Regulator provides oversight of personal information collected and used by participants in the AGDIS (cl 58 of the Bill).

11. A number of the Bill's privacy safeguards for the AGDIS are given effect through other legislative instruments, namely the Digital ID Rules. In particular, subclauses 62(2) and 62(3) of the Bill empower the Digital ID Rules to deal with the procedures in place to protect persons with an assumed identity (for example, protected witnesses).

The effect of the layered protections

12. When the Bill provides for the treatment of information which may have the effect of limiting a person's protection from arbitrary or unlawful interference with privacy, those limitations are reasonable and proportionate to achieve the positive aims of the Bill: to provide individuals with the choice to conveniently and efficiently access services using a digital ID. Convenient and efficient access to services enhances people's enjoyment of other human rights, such as the right to health contained in article 12(1) of the International Covenant on Economic, Social and Cultural Rights. What is reasonable and proportionate takes into account:

12.1. Arbitrariness: The United Nations Human Rights Committee (UNHRC) states that 'the concept of arbitrariness is intended to guarantee that even interference provided for by the law should be in accordance with the provisions, aims and objectives of the Covenant and should be, in any event, reasonable in the circumstances'. Any interference with the right to privacy must be reasonable in the circumstances and authorised by a law that is consistent with the ICCPR.

12.2. Reasonableness: The UNHRC interprets 'reasonable' to mean 'any interference with privacy must be proportional to the end sought and be necessary in the circumstances of any given case'. See Report of the Office of the United Nations High Commissioner for Human Rights, The Right to Privacy in the Digital Age, A/HRC/27/37, 30 June 2014, p. 7, para 21 and Communication No. 488/1992, Toonen v Australia, para 8.3; see also Communications Nos. 903/1999, para 7.3 and 1482/2006, paras 10.1 and 10.2.

12.3. Proportionality: To be proportional, the objects of the Bill need to be weighed against the limitations on the right.
13. The objects of the Bill are:

13.1. to provide individuals with secure, convenient, voluntary and inclusive ways to verify their identity in online transactions with government and businesses;

13.2. to promote privacy and the security of personal information used to verify the identity or attributes of individuals;

13.3. to facilitate economic benefits for, and reduce burdens on, the Australian economy by encouraging the use of digital IDs and online services; and

13.4. to promote trust in digital ID services amongst the Australian community (cl 3).

14. The layered safeguards and measures in the Bill minimise interference with the right to privacy. The safeguards in the Bill engage with and support the right to privacy, or otherwise ensure any remaining impact is reasonable, necessary and proportionate to the above objectives. These include both positive protections, and measures to ensure any limitations are not arbitrary, and are reasonable and proportionate to the objectives of the Bill, outlined below.

Measures to minimise interferences with the right to privacy

14.1. Centrality of express consent: Express consent is central to the operation of the digital ID scheme. The Bill requires an individual's express consent for the:

• disclosure of an attribute of the individual to the relying party (cl 45);
• disclosure of a restricted attribute of the individual to the relying party (cl 46);
• collection, use or disclosure of biometric information (cl 48(1)); and
• use or disclosure of personal information to conduct testing in relation to the AGDIS pursuant to cl 81 of the Bill (cl 82).

The Bill's requirement for an individual's express consent is intended to minimise the risk that a person's right to privacy is interfered with because a person has been compelled to provide consent. The reference to express consent is intended to reduce the likelihood and scope for a person to lose autonomy or control of personal information.
In relation to the AGDIS, the Bill also reduces the risk that consent is not meaningful because of the unavailability of alternatives to accessing services using digital ID, discussed further below at 14.2.

14.2. Creating and using a digital ID is voluntary to access services within the AGDIS (cl 74): The digital ID system is underpinned by the principle of voluntariness. This ensures that the adoption of digital ID systems by service providers does not impede the accessibility of services for individuals. The choice to use a digital ID to access a service will not replace existing options. Rather, it is designed to add a secure, convenient and inclusive channel, in addition to existing service channels. This means that existing alternative channels (such as telephone) need to be maintained as alternatives. To give effect to this principle, a person is not required to create or use a digital ID to access services within the AGDIS or compelled to create a digital ID. The Bill generally prohibits participating relying parties from requiring a person to create or use a digital ID as a condition of accessing a service (cl 74(1)). An entity is a participating relying party if it holds an approval under clause 62 to participate in the AGDIS.

14.2.1. There are limited exceptions to the principle of voluntariness. First, if there is an alternative channel available for a person to access a service - for example via a call centre or in person - then the relying party's online channel is permitted to require the use of a digital ID (cl 74(2)). Second, a digital ID may be required if an individual is acting on behalf of a business or in another professional capacity (cl 74(3)). This second exception is necessary because digital IDs help address the increased risk of fraud associated with some business services.

14.2.2. There are confined exemptions to the voluntariness principle (cl 74(4)). These exemptions are not automatic: a participant must apply to the Digital ID Regulator for an exemption. Commonwealth entities are not permitted to be granted an exemption.

14.2.3. These exceptions and exemptions have the potential to limit the right to privacy.
However, the potential limitation is balanced against the need to ensure practicality and not to impose a disproportionate regulatory burden on small businesses that would discourage them from participating in the AGDIS and using digital IDs.

14.3. Deactivation of digital ID (cl 29): The Bill states that an accredited entity must deactivate the digital ID of an individual as soon as practicable after receiving the individual's request. Deactivating a digital ID will not prevent the user from accessing services in other ways without a digital ID, or unreasonably limit the user's access to services, discussed above. The obligation to deactivate a digital ID at the individual's request supports the central principle of consent and the autonomy of the individual in respect of their personal information, reflecting that, for consent to be genuine, it must be capable of being withdrawn at any time. Clause 29 allows for consent to be withdrawn by an individual and their digital ID to be deactivated accordingly.

14.4. Protection of restricted attributes

14.4.1. To restrict collection of information relating to restricted attributes, subclause 64(5) of the Bill allows the Digital ID Regulator to impose conditions on an entity's approval to participate in the AGDIS, including the kinds of restricted attributes a participating entity is permitted to collect or disclose. The Digital ID Regulator must have regard to the matters set out in clause 65 before imposing a condition that authorises collection, use or disclosure of restricted attributes. A similar framework applies for accredited entities under subclause 17(5), which allows the Digital ID Regulator to impose conditions on an accredited entity having regard to the matters in clause 18.

14.4.2. In accordance with the principle of data minimisation, subclause 46(2) of the Bill requires that a participating relying party must be authorised by the Digital ID Regulator before it can collect restricted attributes. Participating relying parties do not have access to, or the ability to obtain and disclose, restricted attributes within the AGDIS by default. In addition, clause 56 of the Bill mandates that certain attributes listed in paragraphs 56(1)(b)-(g) and restricted attributes received by an accredited identity exchange provider are not to be retained following the end of an authenticated session (as defined in the Accreditation Rules). This allows an accredited identity exchange provider to retain certain non-identifying information pertaining to the identity or credential proofing level achieved by the individual, including the date and time an attribute was last uploaded.

14.4.3. Restricted attributes are defined in clause 11 of the Bill to include health information (within the meaning of the Privacy Act, which may include information about disability), Australian government and foreign government identifier information and information about an individual's criminal record. It also includes information or an opinion about the individual's membership of a professional or trade association or other information prescribed by the Accreditation Rules. This includes information like a tax file number, Medicare number and a driver's licence number. By specifically defining restricted attributes, rather than leaving them to be defined by the Minister, the Bill gives restricted attributes a greater level of protection. If required to manage privacy risks in the future, the Accreditation Rules may specify particular kinds of restricted attributes.

14.4.4. Defining restricted attributes in the Bill provides a level of protection against function creep because:

• As detailed below in this statement, the Bill cannot be changed without Parliamentary scrutiny.
• The Digital ID Regulator has the power under the Bill to impose conditions on an entity's approval to participate in the AGDIS. Clause 65(5)(c) of the Bill specifically states that the conditions that the Digital ID Regulator may impose on an entity's approval to participate in the AGDIS may relate to the kinds of restricted attributes (if any) that the entity is authorised to collect or disclose and the circumstances in which such attributes may be collected or disclosed.
• In addition, the Bill does not permit retrospective approvals by the Digital ID Regulator. The conditions imposed on an entity's accreditation can be changed at any time by the Digital ID Regulator on its own initiative (clause 20(1)(a)). As a result, the Digital ID Regulator can act immediately to protect against restricted attributes being used for improper purposes. It does not need to wait for a review period or for an application to be made.

14.5. Protective treatment of biometric information: the UN High Commissioner for Human Rights has observed that a 'person's biometric information constitutes one of the key attributes of her or his personality as it reveals unique characteristics distinguishing her or him from other persons' and represents a 'deep interference with the right to privacy'. The Commissioner's opinion is that sensitive data should 'enjoy a particularly high level of protection.'1 The Bill acknowledges the sensitivity of biometric information and biometric matching technology. Safeguards are put in place on the use of this information by accredited entities to prevent undue interference with privacy.

1 A/HRC/48/31, para 27. See also European Court of Human Rights, Reklos and Davourlis v. Greece, Application No. 1234/05, Judgment of 15 April 2009, para. 40.
14.6. The Bill contains measures to protect biometric data, such as:

14.6.1. An accredited entity must not disclose biometric information of an individual to an enforcement body, unless exemptions apply (cl 54).

14.6.2. An accredited entity must not collect, use or disclose biometric information of an individual for the purposes of one-to-many matching (para 45(2)(a)). The prohibition on one-to-many matching prevents an individual's biometric information from being compared against the biometric information of a group of individuals in order to identify particular individuals.

14.6.3. An accredited entity must not collect, use or disclose biometric information of an individual to determine whether the individual has multiple digital IDs (para 49(3)(b)).

14.6.4. Clause 48 prohibits the collection, use and disclosure of biometric information by anyone other than accredited entities, which must meet stringent requirements relating to biometrics under the conditions of their accreditation. Accredited identity service providers are only permitted to collect, use or disclose biometric information for limited purposes, namely verifying the identity of the individual or authenticating the individual to their digital ID.

14.6.5. Subclause 51(1) of the Bill requires accredited identity service providers to destroy biometric data once verification under subclause 49(1) is complete or if the individual withdraws consent (cl 51(3)). While there are narrow circumstances in which accredited identity service providers may retain biometric data for testing purposes (cl 51(4)) or to prevent, detect or investigate digital ID fraud incidents (cl 51(5)), the maximum retention period is 14 days. Additionally, clause 52 of the Bill enables the Accreditation Rules to address the collection, use, disclosure, storage or destruction of biometric information of individuals by accredited entities.

14.6.6. Clause 50 of the Bill enables a government entity that is an accredited entity authorised to collect biometric information to collect, use or disclose this information for the purposes of issuing government identity documents. This is a limitation on the right to privacy; however, the objects of the Bill are likely to be successfully achieved by permitting accredited government entities to deal with biometric information in this way.
14.7. Certain uses and disclosures prohibited to provide consumer protections: The Bill prohibits certain uses and disclosures of information, including:

14.7.1. The additional privacy safeguard that prevents the disclosure by an accredited entity of a unique identifier that can be used to identify an individual in a digital ID system (cl 47), which includes the AGDIS. This is a deliberate protection designed to stop digital IDs from ever being used to provide an overview of a person's activities and interactions with government and private sector services. The Bill includes an exemption to this provision at subclause 47(4), if the unique identifier is provided in connection with a specific instance where there is a contravention, or an alleged contravention, of the Bill, for the purpose of detecting, reporting or investigating either a digital ID fraud incident or a cyber security incident, conducting an assessment of the matter referred to in paragraph 33C(1)(g) of the Privacy Act, or in connection with an offence against a law of the Commonwealth. These very limited exemptions (which allow an interaction to be traced from 'end to end' by joining up unique identifiers) are necessary to support oversight and enforcement activities to maintain trust in accredited services.

14.7.2. To prevent unwanted marketing, the safeguard for individuals at clause 53 prohibits accredited entities from using or disclosing information for data profiling to track online behaviour. This safeguard applies regardless of whether a person has consented or not, to remove any risk of 'bundled consents' having the effect of undermining the intent of the prohibition to prevent unwanted marketing. This prohibition will prevent tracking of an individual user's activities through any digital ID system holding the user's information. The exceptions to this prohibition on data profiling include where the use or disclosure of information is for purposes relating to the provision of the entity's accredited services (including improving the performance or usability of the entity's information technology systems through which those services are provided), is for the purposes of complying with the Act, or is required or authorised by or under a law of the Commonwealth, a State or a Territory.

14.7.3. The prohibition on accredited entities from using or disclosing personal information for certain marketing purposes in clause 55. Exceptions apply if the information is disclosed for the purposes of offering to supply services or advertising to promote services that the entity is accredited to provide, but only if the individual expressly consents (cl 55(2)(b)).
Civil penalties apply to contraventions of each of the above, in order to deter behaviour which could adversely affect the information privacy of a person, or adversely affect the public's trust in the Accreditation Scheme or AGDIS.

14.8. Prohibition on the use and disclosure of certain personal information for enforcement purposes. Additional protections for the civil rights of individuals are set out in clause 54 of the Bill.

14.8.1. The intention of this provision is to prevent an enforcement body collecting personal information for the purpose of identifying individual users or their activities. Limited exceptions permit access to an individual's personal information for enforcement purposes when:

• the personal information is in the possession or control of an accredited entity, only to the extent the entity is providing its accredited services;
• the personal information is not biometric information of the individual;
• at the time the information is used or disclosed, the accredited entity is satisfied that the enforcement body has started proceedings against a person for an offence against a law of the Commonwealth, a State or a Territory;
• at the time the information is used or disclosed, the accredited entity is satisfied that the enforcement body has started proceedings against a person in relation to a breach of a law imposing a penalty or sanction;
• the disclosure of the information is required or authorised by or under a warrant issued under a law of the Commonwealth, a State or a Territory;
• the information is used or disclosed for the purposes of reporting a suspected or actual digital ID fraud incident or suspected or actual cyber security incident;
• the information is used or disclosed by the accredited entity for the purposes of complying with the Act; or
• the information is disclosed with the express consent of the individual to whom the information relates, or purports to relate, and the disclosure is for the purpose of verifying the identity of the individual, or investigating or prosecuting an offence against a law of the Commonwealth, a State or a Territory.

Civil penalties apply to contraventions of each of the above, in order to deter behaviour which could adversely affect the information privacy of a person, or adversely affect the public's trust in the Accreditation Scheme or AGDIS.

14.8.2. Subclause 54(2) clarifies that the prohibition on uses or disclosures of personal information for the purposes of enforcement related activities stipulated in subclause 54(1) does not apply in relation to enforcement related activities that are conducted by, or on behalf of, an enforcement body under or for the purposes of the Act or the Privacy Act.

14.9. Restrictions on use and disclosure by the Digital ID Regulator. Given the level of access to information the Digital ID Regulator will have in order to carry out its functions under the Bill, a person's right to protection from undue interferences with their privacy requires that the Digital ID Regulator handles information appropriately.

14.9.1. Clause 151 prohibits the disclosure of personal or commercially sensitive information by the Digital ID Regulator. As detailed below, the Bill includes a criminal penalty provision if an entrusted person (including the Digital ID Regulator, its staff, a person whose services are made available to the Digital ID Regulator, or a delegate or subdelegate of the Digital ID Regulator) uses or discloses personal or commercially sensitive information (cl 151), to deter inappropriate disclosure or use of information. Subclause 152(1) provides limited exceptions when the Digital ID Regulator may use and disclose personal or commercially sensitive information. These include uses or disclosures for the purpose of performing a duty under the Bill or if compelled or authorised by law.

14.9.2. The exceptions under subclause 152(1) are limited to the greatest extent possible whilst still meeting the objectives of the Bill, but may have the potential to limit the right to privacy by allowing a level of interference with a person's personal and sensitive information. The measures in the Bill that interfere with privacy are balanced against recognising the importance and utility of disclosing personal information in certain circumstances, such as when responding to emergencies or undertaking compliance activities to maintain the integrity of the AGDIS. The limitations on privacy are reasonable and proportionate.
14.10. Trustmarks: Trustmarks assist users to form a view about the entities in respect of which they consent to share their information, and the entities they choose to use for services (cl 117 and 118). The framework for trustmarks is established in the Bill, while the Digital ID Rules will set out the trustmarks and the requirements around their use and display. Trustmarks indicate to prospective users that an entity has a minimum standard of rigorous protections and compliance that meet the protections in the Bill, the Accreditation Rules and/or the Digital ID Rules. Clause 118 of the Bill imposes a civil penalty if an entity uses a trustmark when it is not authorised to do so, or uses a trustmark in a way that would lead a reasonable person to believe the entity was accredited. Clause 119 imposes a civil penalty when an entity is required to display a trustmark but fails to do so.

14.11. Public registers to promote transparency: Public registers will promote transparency by containing various details relating to the accreditation scheme and participation in the AGDIS. These details will include, for example, an entity's conditions of accreditation and conditions of approval to participate (for the Digital ID Accredited Entities and AGDIS registers, respectively). These public registers of conditions of accreditation or participation may include, for example, which entities will have access to restricted attributes and the specific types of information to which the entities will have access. Specific transparency measures to allow a person to educate themselves about the handling of their information are contained in the following clauses of the Bill:

• A publicly available register of entities that are, or have been, accredited entities (cl 120);
• A publicly available register of entities that are approved to participate in the AGDIS (cl 121). The AGDIS Register will include a list of participating entities and the kind of services that each entity is approved to provide. It will also include information about suspension or revocation of an entity's approval to participate; and
• A requirement for the Digital ID Regulator to publish on its website its statements of reasons for allowing participating accredited entities and accredited entities to disclose restricted attributes (cl 17(3)).

14.12. Restrictions on compelled disclosure: To prevent information being made public in proceedings that would otherwise be private and protected, subclause 153(1) of the Bill excuses the Digital ID Regulator and its staff from producing a document containing protected information to a court, tribunal or authority if the information is personal information of an individual or there is a risk of substantial prejudice to the commercial interests of a person.
14.13. Deterrence mechanisms

14.13.1. To enforce standards and act as a deterrent to reduce the risk of undue interferences with privacy occurring, the Information Commissioner will have additional powers to seek enforceable undertakings (cl 125), injunctions (cl 126) and civil penalties (cl 123). The Bill creates civil sanctions specific to key privacy safeguards in Chapter 3, Part 2 of Division 2. These provisions are regulated by the Information Commissioner (cl 123(2)(a)). The Digital ID Regulator otherwise regulates all other civil penalty provisions of the Bill (cl 123(2)(b)). The penalties have regard to the potential for significant harm to be suffered by users as a result of interferences with their privacy, uphold public trust and confidence in the way personal information is handled within digital ID systems and act as a deterrent. Including such penalties promotes the objects of the Bill by building trust in digital ID services and encourages the use of the digital ID system overall.

14.13.2. In addition to the Information Commissioner's powers, the Digital ID Regulator has the power to require information or documents to determine whether an entity is complying with its obligations under the Bill (cl 133). The Digital ID Regulator can also use this power to monitor whether privacy safeguards have been complied with by entities.

14.14. Powers of the Information Commissioner

14.14.1. The Information Commissioner's oversight of the Bill promotes a consistent approach to regulating privacy concerns and issues that may arise, by utilising the Information Commissioner's broad oversight of privacy issues in Australia. This consistent approach to regulation also promotes trust in the Accreditation Scheme and AGDIS.

14.14.2. The Information Commissioner has the general power under the Privacy Act to deal with complaints about interference with privacy. Under clause 38 of the Bill, contraventions of Chapter 3, Part 2 of Division 1 of the Bill are deemed to be an interference with privacy for the purpose of the Privacy Act. Under Part 5 of the Privacy Act, the Information Commissioner can investigate alleged interferences with privacy. As a result, the Information Commissioner can make determinations and seek civil penalties for serious or repeated interferences with privacy under s 13G of the Privacy Act.
14.14.3. Privacy requirements and protections in the Bill will be investigated by the Information Commissioner under the Commissioner's existing powers under the Privacy Act. The Information Commissioner is then empowered under clauses 123-126, as an authorised applicant for the Regulatory Powers Act, to take civil penalty action for contravention of relevant provisions in Chapter 3, Part 2 of Division 2 of the Bill.

14.14.4. The Information Commissioner will have the additional function of providing advice, on request by the Digital ID Regulator, on matters relating to the operation of the Bill (cl 42). The Information Commissioner may share information in certain circumstances:

• Information or documents may be shared with State or Territory privacy authorities for the purpose of the Information Commissioner performing functions under the Bill or the Privacy Act, or enabling those authorities to perform their functions and duties (cl 43).

14.14.5. The Bill will also bolster privacy protections by triggering Information Commissioner audits under s 33C of the Privacy Act.

14.15. Powers of the Digital ID Regulator

14.15.1. The protections in the Bill will be ineffective if they are not appropriately overseen and enforced. To ensure the protections are implemented, the Bill ensures the independent Digital ID Regulator provides oversight of the Accreditation Scheme and the AGDIS. The Digital ID Regulator will be responsible for accreditation, approving participation in the AGDIS and enforcing compliance with the Act.

14.15.2. Chapter 5 of the Bill sets out the functions and powers of the Digital ID Regulator. Clause 92 confers on the Digital ID Regulator broad powers to do all things necessary or convenient to be done for or in connection with the performance of the Digital ID Regulator's functions under the Act. Clause 91 lists the functions of the Digital ID Regulator, which include managing digital ID fraud and cyber security incidents (cl 91(e)) and advising the Information Commissioner on privacy matters that relate to the Act (cl 86(h)).

14.15.3. The Digital ID Regulator is also responsible for enforcing all civil penalty provisions (cl 123(2)(b)), other than those that are the responsibility of the Information Commissioner (as discussed at paragraph 14.13.1).
14.16. Transparency mechanisms: The Bill creates a number of transparency mechanisms, including: • The Digital ID Regulator is required to produce an annual report after the end of each financial year to highlight the performance of the AGDIS. Amongst other things, this report will include the number of digital ID fraud incidents or cyber security incidents (cl 154). • The Information Commissioner must produce an annual report containing information about the performance of the Information Commissioner's functions, and the exercise of its powers, under Part 2 of Chapter 3 of the Bill that deals with privacy (cl 155). 15. Extending existing privacy protections 15.1. The Bill does not intend to duplicate or conflict with established principles in existing legislation that protect against undue interferences with privacy. Rather, protections already provided by the Privacy Act are leveraged to cater for the specific circumstances relevant to digital IDs. The Bill does this in a number of ways, such as extending the meaning of 'personal information' under the Privacy Act to include attributes, restricted attributes and biometric information (cl 35), imposing privacy obligations on non-Australian Privacy Principle entities (cl 36) and deeming breaches of the additional privacy requirements in Chapter 3, Division 2, Part 2 to be an interference with privacy. These requirements do not remove existing Privacy Act obligations but ensure the Privacy Act applies to the AGDIS. 15.2. The Privacy Act creates a mandatory data breach notification scheme. Clauses 40 and 41 of the Bill require entities which are not already subject to the Commonwealth's mandatory data breach notification scheme to notify data breaches to the Information Commissioner and the Digital ID Regulator. 16. Digital ID Rules and Accreditation Rules: A number of the Bill's privacy safeguards will be given effect through legislative instruments, namely the Accreditation Rules or the Digital ID Rules. 
In effect, the Bill establishes a power under subclause 28(2) to make legislative instruments dealing with matters such as:
16.1. Requirements that entities must meet to become and remain an accredited entity, such as privacy, security of information, fraud control over digital IDs, cyber and security incident management, disaster recovery, and user experience and inclusion.
16.2. Requirements relating to the conduct of, and reporting on, privacy impact assessments, fraud assessments and security assessments.


16.3. Technical, data or design standards relating to the provision of accredited services by accredited entities.
16.4. Standards relating to the testing of the information technology systems of entities.
16.5. The conduct of periodic reviews of an entity's compliance with specified requirements of the Accreditation Rules.
16.6. The obligations of accredited entities in relation to monitoring their compliance with this Act.
16.7. Requirements relating to the collection, use and disclosure of personal information of individuals.
16.8. Requirements relating to the creation, maintenance and deactivation of digital IDs.
16.9. Requirements or restrictions relating to the generation of digital IDs for children.
16.10. Periodic reviews of compliance and obligations about monitoring of compliance with the Act (cl 131 and 132).

17. Digital services are an emerging and rapidly changing area. This necessitates the ability to alter the requirements for the Accreditation Scheme and participation in the AGDIS in line with new and emerging technology and risks. For that reason, a number of the protections envisaged in the Bill are not wholly legislated by the Bill. Instead, the Bill gives a power to make rules in relation to those matters (cl 168(1)). Due to the technical nature of the safeguards, these are not included in the primary legislation. However, the Accreditation Rules and the Digital ID Rules will be subject to review or scrutiny by the Senate Standing Committee for the Scrutiny of Delegated Legislation, as well as disallowance by Parliament, because they are legislative instruments for the purposes of the Legislation Act 2003 (Cth). Additionally, clause 169 requires the Minister to publish a notice on the Department's website and consider any submissions received within 28 days of publishing the notice, before making amendments to either of the rules under cl 168.
If the rules deal with matters that relate to privacy functions (within the meaning of the Australian Information Commissioner Act 2010), the Minister must also consult the Information Commissioner.

18. As digital ID systems develop, the Data Standards Chair (to be established by the Bill under cl 101) may prescribe Digital ID Data Standards to keep pace with contemporary technologies. If required by the Accreditation Rules or the Digital ID Rules, the Digital ID Data Standards may relate to technical, data or design standards, including test standards for an entity's information technology systems and processes, relating to the entity's accreditation. Such standards may also relate to technical integration requirements, or the technical and design features required for entities to participate in the AGDIS. Digital ID Data Standards made under clause 99 may enable, for example, a voice biometric to be used by vision-impaired users. Providing this rule-making power recognises that technical aspects of digital ID systems will evolve over time, and similarly allows data standards to evolve and meet changing user requirements. It is considered that providing rule-making powers that allow for the alteration of the accreditation and participation frameworks will best protect human rights, including the right to privacy, by ensuring that the regulation of accredited and participating entities is nimble, up to date and consistent with current best practice to prevent unlawful access to personal information.

19. Consultation: Before Accreditation Rules are made or amended in accordance with clause 168, there is a requirement to consult under clause 169, which prescribes a 28-day notice period for changes to legislative instruments that may have an impact on the protection from undue interference with privacy. The Digital ID Rules and Accreditation Rules are also disallowable legislative instruments. This ensures that parliamentary oversight is an additional safeguard against any interference with human rights.

20. In addition, clause 162 of the Bill creates a mechanism for review of the operation of the Act. This review is important to evaluate the safeguard provisions contained in the Bill and ensure they are effective in protecting and conserving the engaged human rights.

Measures to ensure limitations on a person's privacy are not arbitrary, and are reasonable and proportionate to the objectives of the Bill

21. Appropriate limitations on exceptions to consent: There are limited circumstances when personal information may be disclosed without consent.
This is particularly so in the management and investigation of digital ID fraud incidents and cyber security incidents.

21.1. A 'cyber security incident' is defined at clause 9 as unauthorised access, or an attempt to gain unauthorised access, to modify or interfere with a system, service or network, and unauthorised impairment of, or an unauthorised attempt to impair, the availability, reliability, security or operation of a system, service or network.

21.2. A 'digital ID fraud incident' is defined at clause 9 as an act, event or circumstance that occurs in connection with a service that an accredited entity is accredited to provide, or that a participating relying party is approved to provide or provide access to, in relation to the AGDIS. The act, event or circumstance must result in the compromise, suspected compromise, or rendering unavailable of: the digital ID of an individual; an attribute of an individual; an authenticator relating to an individual; or a representation relating to an attribute or digital ID of an individual.

21.3. This narrow exception to the requirement for consent is put in place because, under the proposed Accreditation Rules, an entity has the responsibility to prevent, detect and deal with cyber security risks and digital ID fraud. This has the effect of limiting the right to privacy. To ensure this limitation is reasonable and not arbitrary, the mechanisms governing these types of incidents and the associated protective measures will be implemented under the rules.

21.4. The proposed rules will contain the specific mechanisms and procedures relating to incidents of fraud or threats to cyber security, and other reportable incidents, including measures relating to incident management, investigations, reporting, system security and digital ID fraud control plans (cl 78). Clause 88 of the Bill states that the Digital ID Rules may provide for a redress framework, which may deal with assisting individuals and businesses affected by digital ID fraud incidents and cyber security incidents.

21.5. The investigation of digital ID fraud incidents and cyber security incidents is an important feature of the AGDIS. It will bolster the system's fraud and cyber security management capabilities and will ensure it maintains a reputation for being able to identify and act on fraudulent activity or cyber security threats quickly and decisively.

21.6. The measures in the Bill that permit limited investigation of fraud and cyber security incidents are considered proportionate to the risk of a security breach. To investigate effectively, the entity must be able to share personal information about cyber security incidents and digital ID fraud incidents with accredited entities, relying parties and users. The exception assists with managing those risks and also promotes the objects of the Bill to provide individuals with a secure method for verifying their digital ID.
The Bill's provision for fraud detection and management activities is privacy protective, because it seeks to prevent incidents of unlawful access to a person's information (and mitigate harm arising from any such incidents). As such, any limitation on the right to privacy is reasonable and proportionate in order to ensure the proper integrity of the system (which also protects the right to privacy). This limitation is regulated in the Digital ID Rules rather than in the Bill to allow fraud detection and management to scale with the expansion of the AGDIS, and to ensure measures are up to date and consistent with best practice to counter security threats.

22. Appropriate limitations on exceptions to protective treatment of biometric information: While the Bill provides limited exceptions to the protections relating to biometric information, those exceptions are proportionate to the objective of economic advancement by building trust in digital ID services. Subclauses 49(7) and (9) provide that biometric information may be retained and used by an accredited identity service provider to enable limited operational testing and fraud detection activities, but only for a confined period of up to 14 days (cl 51(4) and (5)). This minimises the period for which biometric information may be retained for these purposes. Testing will be further regulated under the Accreditation Rules to ensure that any potential interference with privacy is proportionate to the overall risk of undermining trust in digital IDs and the protection of personal information.

23. Appropriate limitations on exceptions to the requirement to consult on Accreditation Rules and Digital ID Data Standards: While there are exceptions to the requirement to consult (discussed at paragraph 19 above), these are reasonable and proportionate to the objective of building trust in digital IDs. If there is an imminent threat or hazard to the AGDIS and the consultation process cannot occur, the Minister must provide a statement of findings to be tabled in each House of Parliament. This review must be completed within 60 days after the commencement of the rules or amendments concerned (cl 169(7)). These reports will still provide accountability and reduce the risk that the exception would be used so often that it amounts to an interference with privacy. Similarly, paragraph 100(1)(a) requires the Digital ID Data Standards Chair to consult the Minister, the Digital ID Regulator, the System Administrator and the Information Commissioner before making or amending Digital ID Data Standards. The Digital ID Data Standards Chair must also publish on an Australian Government website a notice setting out the draft standards or amendments, and invite and consider any submissions (cl 100(1)(b) and (c)).
Conclusion

24. The measures discussed above intend to minimise interference with the right to privacy in Article 17 of the ICCPR, and also the related rights of people with disability in Article 22 of the CRPD and of children in Article 16 of the CROC. They ensure that any remaining impact is reasonable, necessary and proportionate to its objectives. The Bill does not contain additional safeguards that are specifically targeted at protecting and respecting the privacy of people with disability or children (except as discussed below). However, as referred to above, it does enshrine a number of new privacy safeguards, in addition to the protections which already exist under Australian privacy law, that are applicable to all individuals who use digital IDs from accredited providers, including people with disability and children.


The rights of parents and children

25. Article 24(1) of the ICCPR states that every child has, without any discrimination as to race, colour, sex, language, religion, national or social origin, property or birth, the right to such measures of protection as are required by their status as a minor, on the part of their family, society and the State.

26. Article 3 of the CROC states that all actions concerning children by administrative or legislative bodies should make the best interests of the child a primary consideration.

27. Article 12 of the CROC asserts that children who are capable of forming their own views have the right to express those views freely in all matters affecting them, and that the views of the child are given due weight in accordance with the age and maturity of the child.

28. The Bill potentially engages the human rights of children because it enables an Accreditation Scheme under which children may create a digital ID.

29. Accreditation Rules to be made by the Minister may engage and promote the rights of children if a minimum age is specified (cl 28(2)(i)) or the rules provide for parents to create digital IDs for their children (cl 28(2)(h)). This ensures any future limitation on the rights of children would be reasonable and proportionate to the objective of improving access to government and private sector services.

Measures to protect children and enhance their agency

30. The Bill will enable a specified age requirement to be included in the Accreditation Rules the Minister may make (cl 28(2)(i)). If the Accreditation Rules were to include a specified age requirement, that requirement would be intended to protect children who may not have the capacity to understand the concept of consent. As discussed above in relation to privacy, consent is a central mechanism to protect against undue interference with a child's privacy.
A specified age that may be established in Accreditation Rules that the Minister may make should refer to the guidance of the Office of the Australian Information Commissioner (OAIC), Australian Privacy Principles Guidelines, Chapter B (Key Concepts), which provides that individuals aged 14 years and above may be presumed to have capacity to consent if it is not practicable for an entity to assess the capacity of individuals aged under 18 on a case-by-case basis. This approach was supported by the Australian Law Reform Commission in its review of Australian privacy law in 2008 and in the Australian Government's response to the Privacy Act Review Report.

31. If a specified age requirement were included in the Accreditation Rules, the specified age would need to be broadly consistent with age limitations across various frameworks, including privacy, passports, tax file numbers, Medicare, My Health Records, access to medical treatment and the age of criminal liability. There is no universally agreed age at which the capacity of a young person to provide consent is triggered. However, the age range of 14-16 years appears to be the most commonly used and is supported by the principle of evolving capacity in children as reflected in the CROC. Any potential limitation on the rights of children is reasonable and proportionate to the objective of improving access to government and private sector services, and harmonises children's access with other services. Any future minimum age specification would balance the protection of children's right to privacy with their independent and age-appropriate access to services such as medical treatment.

32. Paragraph 28(2)(h) of the Bill provides that the Accreditation Rules may deal with matters relating to representatives or nominees of individuals in relation to the creation, maintenance or deactivation of digital IDs of individuals, allowing parents or others who have responsibility for a child to act on behalf of the child. If the Minister made Accreditation Rules dealing with these matters, it would promote the rights conferred in the CROC and ICCPR.

Rights of people with a disability

33. Article 9(1) of the CRPD contains the right of persons with disability to live independently and participate fully in all aspects of life. To achieve this, Australia must take appropriate measures to ensure that persons with disability have access, on an equal basis with others, to information and communications technologies and systems that are available to the public. These measures must include the identification and elimination of obstacles and barriers to accessibility of information, communications and other services made available to the public, such as the Accreditation Scheme and the AGDIS established by the Bill.

34. Article 19 of the CRPD requires that Australia recognise the equal right of all persons with disability to live in the community, with choices equal to others, and take effective and appropriate measures to facilitate full enjoyment by persons with disability of this right. To achieve this, Australia must ensure that community services for the general population are available on an equal basis to persons with disability and are responsive to their needs (Article 19(c) of the CRPD).

35. Article 21 of the CRPD requires Australia to take all appropriate measures to ensure that persons with disability can exercise their right to seek, receive and impart information on an equal basis with others, and through all forms of communication of their choice. This right requires Australia to take all appropriate measures to provide information intended for the general public to persons with disability in accessible formats and technologies.


36. The Bill engages these rights by promoting digital IDs, which are a convenient, secure, voluntary and inclusive way for Australians to verify their identity online. Individuals with disability (except for those under any specified age in the Accreditation Rules, and those who are unable to generate a digital ID in their own capacity) will have access to digital IDs.

37. The key safeguards aimed at protecting the rights of persons with disability are contained in clauses 74, 28 and 30 of the Bill, and are discussed below.

38. Additionally, as discussed above, to the extent that information about disability is captured by 'health information' (within the meaning of the Privacy Act), it will be covered as a restricted attribute and subject to the protections of the Bill against misuse of restricted attributes.

Measures to minimise interference with the rights of people with a disability to have equal choices

39. The Bill has the potential to limit the rights of people with disability. Lack of access to digital technology disproportionately affects people with disability, and the AGDIS may have the undesired effect of preventing access to services that are only available with a digital ID.

40. Clause 74 prohibits participating relying parties from requiring an individual to create or use a digital ID in order to access services (except in the limited circumstances discussed below). This is a central protection of the rights of people with disability in the Bill. It ensures that people with disability are not prevented from accessing services if they do not create or use a digital ID.

41. At the same time, clause 74 of the Bill is a potential limitation on the rights of people with disability if they choose not to create a digital ID.
This is because the Bill does not guarantee that access to services which existed before the framework was implemented will remain at the same level, or be as effective, as access using a digital ID.

42. To the extent that the Bill has the potential to limit the rights of people with disability (through barriers to the creation and use of a digital ID with an accredited identity service provider, or the usability and accessibility of the Accreditation Scheme and AGDIS), there are mechanisms enshrined in the Bill, such as the scope for Accreditation Rules made by the Minister to include user experience and inclusion requirements (cl 28(2)(a)), to protect the rights of people with disability to have equal access to the benefits of the Accreditation Scheme and the AGDIS. Any residual limitation is reasonable and proportionate having regard to the significant benefits to people with disability in the availability of the Accreditation Scheme and AGDIS to facilitate efficient access to the services available.

43. It is expected the Accreditation Scheme and AGDIS will increase the number of services available to people with disability through the expansion and improvement of service delivery, including online services. This is because the Bill imposes obligations on accredited entities even if they are operating outside the AGDIS. As highlighted above, the Bill requires (in prescriptive terms) that the Accreditation Rules must contain requirements relating to the accessibility and usability of the digital ID systems in which accredited entities participate (cl 30).

Measures to ensure people with a disability can participate independently

44. The AGDIS (and any digital ID system in which an accredited entity is participating) is intended to be accessible and responsive to the needs of people with disability. This will be managed through requirements in Accreditation Rules to be made by the Minister, as explored in the following paragraphs.

44.1. Subclause 30(1) of the Bill requires that the Accreditation Rules must include accessibility and usability requirements. Subclause 30(2) of the Bill states that these measures are to deal with:
• requirements to comply with accessibility standards or guidelines;
• requirements relating to usability testing; and
• requirements relating to device or browser access.

45. As detailed above in paragraph 44.1, the protections afforded to people with disability will be implemented through separate legislative instruments, including the Accreditation Rules. This approach is preferable because it allows new and emerging assistive technology to be specified, and accessibility and usability requirements to be increased over time. This approach promotes the rights of persons with disability because it enables the regulation of accessibility and usability standards to be agile, up to date and consistent with best practice.
As noted above, the development of legislative instruments will be subject to consultation. It is expected that relevant disability groups will be consulted if the changes relate to usability or accessibility.

46. Additionally, subparagraph 28(2)(a)(vi) of the Bill allows the Accreditation Rules to contain user experience and inclusion requirements that must be met in order to become and remain an accredited entity. User experience and inclusion covers usability and accessibility, which will enhance the digital ID experience of people with a disability.


47. Paragraph 28(2)(h) of the Bill provides that the Accreditation Rules may deal with matters relating to representatives or nominees of individuals in relation to the creation, maintenance or deactivation of digital IDs for individuals, allowing carers for people with disability to act on their behalf, and promoting the rights conferred in the CRPD. Representatives or authorised nominees are dealt with above.

48. Paragraph 28(2)(h) is not intended to detract from the requirement in clause 30 of the Bill that digital ID services be accessible and usable for all. Rather, paragraph 28(2)(h) is a complementary mechanism that allows representatives to act on behalf of people with disability, if this is the preferred way an individual wishes to access digital services or for those who are unable to generate a digital ID in their own capacity.

49. To further safeguard the rights of people with disability, subclause 128(1) of the Bill enables the Digital ID Regulator to give a direction if it considers it necessary to do so to protect the integrity or performance of the AGDIS. A direction may seek to enforce the user experience and inclusion requirements in the Accreditation Rules. A failure to comply with a direction given under subclause 128(1) attracts a civil penalty of up to 1,000 penalty units. These powers to direct and regulate entities are appropriate and proportionate in managing the risk of interference with the rights of persons with disability under the CRPD that may arise from the AGDIS established by the Bill.

Measures to minimise any interference with the rights of people with a disability to participate independently

50. To ensure that any interference with this right is minimised, the Bill contains a number of measures and safeguards developed in consultation with disability advocacy groups. These safeguards aim to address the accessibility issues faced by people with disability when creating a digital ID, and to improve user experience.
The Bill enables any Accreditation Rules the Minister makes to contain user experience and inclusion requirements (see cl 28(2)(a)(vi) and 30). For example, the Minister may make Accreditation Rules which include the following accessibility measures:
50.1. The application process for a digital ID is to contain fewer steps, with clear instructions. In response to this recommendation, the Accreditation Rules will require an accredited facility to be presented in a clear and concise manner, using plain language that is easy to understand.
50.2. Plain and simple language is to be used throughout the application process. Using fewer words and more visuals will assist those who find reading large blocks of text difficult. In response to this recommendation, the Accreditation Rules will require that information is available in multiple accessible formats, including accessible online formats and large print format.


50.3. Providing alternative forms of identification documentation that can be used to create a digital ID enhances the rights of people with disability who do not have, or need to hold, driver's licences, birth certificates and passports. The Accreditation Rules will reduce this barrier by permitting the use of established identity documents.
50.4. Providing dedicated specialist assistance for people with disability, with the aim of improving their digital ID experience. Any Accreditation Rules made could include a requirement for an accredited entity to provide assisted digital support to users who are unable to use technology independently, and to inform them of the available support. This requirement will provide broad assistance not only to persons with disability, but also to others, including persons from culturally and linguistically diverse backgrounds, regional and remote areas, and elderly people.

Right to a fair trial and fair hearing

51. Articles 14 and 15 of the ICCPR establish rights to due judicial process and procedural fairness. These rights apply to both criminal and civil proceedings, in cases before both courts and tribunals.

52. The Bill engages these rights as it contains a range of remedies and penalties for non-compliance, from redress obligations (cl 88) to civil and criminal penalties and injunctions imposed by a court. The Bill is not considered to limit this right, because it provides for the appropriate and usual safeguards relating to civil and criminal penalty processes through court processes and, if appropriate, administrative review of decisions (enshrining procedural fairness principles).

53. Further, for the most part, criminal and civil penalties are already codified in other sources (such as the Criminal Code, and the role of the Information Commissioner as the infringement officer for Part 2 of Chapter 8).
This ensures that the enforcement and treatment of privacy issues will be consistent under the laws of Australia and the existing privacy safeguards and frameworks. As such, the possible direct impact of the Bill on this human right is confined to the provisions which create new penalties (which largely focus on the conduct of entities, rather than the general public). All penalties imposed by the Bill are considered in respect of the right to a fair trial and fair hearing below in this Statement of Compatibility with Human Rights.

Measures that promote the right to a fair trial and fair hearing for civil penalties

54. The Bill creates new civil penalties for conduct that is inconsistent with its requirements. The Bill distinguishes between civil and criminal penalties. As the term 'criminal' has a specific meaning in international human rights law, civil penalty provisions in domestic law may engage criminal process rights under Articles 14 and 15 of the ICCPR and Article 40 of the CROC. However, the Bill's civil penalty provisions should not be considered 'criminal' for the purposes of international human rights law, as failure to pay a civil penalty will not result in a prison sentence.

55. The purpose of the civil penalty provisions in the Bill is to deter behaviour which could adversely affect the privacy of a person, or adversely affect the public's trust in the Accreditation Scheme or AGDIS. The civil penalties in the Bill do not apply to the public in general; rather, they apply to entities accredited under the Act or participating in the AGDIS. As such, any limitation on the human rights of the general public with regard to the right to a fair trial and hearing is negligible.

56. The pecuniary penalties imposed are not sufficiently severe to amount to a 'criminal penalty' under Articles 14 and 15 of the ICCPR and Article 40 of the CROC.

57. The maximum civil penalties in the Bill range between 120 penalty units and 1,500 penalty units. The maximum penalties for breaches of the additional privacy safeguards set out in the Bill have been set having regard to contemporary offences for mishandling government and consumer data, including those set out in the Privacy Act 1988, the My Health Records Act 2012 and the Consumer Data Right in the Competition and Consumer Act 2010.

58. The penalties are fair because the quantum of each penalty is proportionate to the seriousness of the contravention. The maximum penalties are substantially lower than the maximum civil penalties under the Privacy Act 1988.

59. Consistent with the Guide to Framing Commonwealth Offences, the Bill sets maximum penalties; a court will determine what is appropriate on a case-by-case basis.

60.
Consistent with Article 14(1), an independent, impartial court will preside over all civil proceedings brought under the Bill. Such proceedings will be subject to established Australian court processes and procedures that protect the right to a fair trial, including requirements relating to procedural fairness, evidence and sentencing.

61. The right to be considered equal before a court or tribunal is also upheld, as all parties to proceedings under the Bill will be given a reasonable opportunity to present their case in conditions that do not disadvantage them as against other parties.

62. It is possible that the requirements relating to the destruction of certain information collected by entities may limit the entities' right to a fair trial, because they may reduce the availability of evidence which can be raised in defence of penalty action. However, this is considered reasonable and proportionate when balanced against the right to privacy and the protections in place for private and sensitive information. The ability to store de-identified information (discussed above in relation to subclause 136(2) of the Bill) will minimise the impact of this limitation.

Measures that promote the right to a fair trial and fair hearing for criminal penalties

63. The Bill includes a very confined criminal penalty provision. If an 'entrusted person' obtains protected information in the course of, or for the purposes of, performing functions or exercising powers under the Act and uses or discloses that information (cl 151(1)), such conduct may result in a criminal conviction. This does not limit the right to a fair trial, because it is administered under the existing Australian court system, which is protective of this right.

64. The Bill defines 'entrusted person' narrowly, to include only persons responsible for the regulation or administration of the Accreditation Scheme or the AGDIS. This includes the Digital ID Regulator, a member or associate member of the ACCC and the ACCC's officers or delegates, and the System Administrator and their officers or delegates.

65. Under subclause 151(1), it is an offence for an entrusted person to use or disclose protected information that they obtained in the course of, or for the purposes of, performing functions or exercising powers under the Act, if the information is personal information about an individual or there is a risk that the use or disclosure might substantially prejudice the commercial interests of another person. This standalone criminal penalty provision serves the following purposes:
65.1. it addresses the inherent risk that people who are involved in the handling of personal information, or information that is potentially commercially sensitive, may misuse their position;
65.2. it ensures that the integrity of the Accreditation Scheme and the AGDIS is not undermined; and
65.3. it ensures that public trust and confidence in the Accreditation Scheme and the AGDIS is maintained.

66. Criminal penalty provisions are confined.
Potentially serious inappropriate conduct likely to arise within the AGDIS is already covered under other laws. This includes identity crime under part 9.5 of the Criminal Code and criminal offences which involve the use of computer systems under part 10.7 of the Criminal Code. Other existing criminal offences relating to identity crime include fraud, impersonation and providing false or misleading information to public authorities. Digital ID Bill 2023 - Explanatory Memorandum: Page 152 of 319


Measures that promote the right to a fair trial and fair hearing for administrative measures 67. The Bill also engages the right to a fair and public hearing through the Information Commissioner and the Digital ID Regulator's powers to investigate breaches, and to issue infringement notices (cl 124), seek injunctions (cl 126), and enter enforceable undertakings (cl 125) for non-compliance with the additional privacy safeguards in the Bill. These are administrative penalties, distinct from those imposed by a court. However, consistent with Article 14(1) of the ICCPR and the doctrine of separation of powers in Australia, a court will be responsible for their enforcement. 68. Consultation indicated that stakeholders support an appropriate penalty and enforcement regime to generate public trust and confidence in the system. The administrative penalties support the Digital ID Regulator to effectively monitor and enforce compliance with the Act. Together, this balanced penalty regime promotes the objects of the Bill. 69. Provisions in the Bill uphold fair hearing rights by providing court and tribunal oversight of administrative decisions made by the Digital ID Regulator. For example, existing pathways for judicial review will continue to be available to ensure decisions by the Digital ID Regulator are lawful. 70. Decisions by the Digital ID Regulator and its delegates (if applicable) will also be subject to internal merits review or review by the Administrative Appeals Tribunal (AAT), or both. Part 4 of Chapter 9 of the Bill considers the review of decisions. Consistent with the Guide to Framing Commonwealth Offences, there are limited, reasonable exceptions for decisions involving national security or which are not appropriate for merits review. 71. 
The Minister's decision to issue a direction to the Digital ID Regulator about foreign entities, including to refuse to accredit, approve participation in the Accreditation Scheme or AGDIS, or to impose a condition on their accreditation or approval to participate under the principal Act (for example, on the basis of an adverse or qualified security assessment from ASIO) will be excluded from judicial review, by listing those decisions in Schedule 1 of the Administrative Decisions (Judicial Review) Act 1977 (ADJR Act). These exclusions will be reasonable and necessary to protect Australia's national security interests; as disclosing knowledge of any affiliation the entity might have with a foreign power could prejudice ongoing security-related investigations, sources and capabilities. Notably, the judicial review rights of Australian entities will be unaffected. 72. Additionally, these exclusions of judicial review under the ADJR Act will be proportionate as it will be limited to specific decisions made for reasons of security (not Digital ID Bill 2023 - Explanatory Memorandum: Page 153 of 319


any reason). Despite the limitation on ADJR Act review, all entities will maintain judicial review rights with respect to such decisions under section 75(v) of the Australian Constitution and section 39B of the Judiciary Act 1903. 73. Clause 137 refers to a list of decisions that are considered reviewable under the Bill. For example, decisions to refuse to approve, suspend, revoke or impose conditions on an entity's approval to participate in the AGDIS is reviewable. An application for an internal review may be made under clause 138 causing the Digital ID Regulator to reconsider the decision under clause 139 within 90 days. A further application can then be made by the applicant under clause 140 to the AAT. 74. As a result, the provisions in the Bill uphold, and do not unreasonably limit the right to a fair and public hearing with respect to administrative decisions. Right to equality and non-discrimination 75. The right to equality and non-discrimination before the law is enshrined in Articles 2, 16 and 26 of the ICCPR, and Article 2 of the CROC. 76. The ICCPR defines 'discrimination' as a distinction based on personal attributes, such as race, sex or religion, which has either the purpose, or the effect, of adversely affecting human rights. This encapsulates both direct and indirect discrimination. While the views of the UNHRC are influential, they are not binding on State Parties to the ICCPR, the UNHRC explained in Althammer v Austria HRC 998/001 [10.2] that indirect discrimination is 'a rule or measure that is neutral on its face or without intent to discriminate', which exclusively or disproportionately affects people with a particular personal attribute. 77. The Bill does not include express provisions to prevent discriminatory uses of a digital ID. This is because existing laws provide pathways for individuals to access redress for discrimination. 
For example, product liability and consumer safety, discrimination, and competition, are technology neutral and will mitigate these risks from the use of digital IDs in the economy. 78. The AGDIS relies on digital technology and access to that technology. Therefore, it may indirectly discriminate against persons for the following reasons: 78.1. Elderly people may be less likely to have the skills to use or access that technology, and as such, the scheme the Bill establishes may indirectly discriminate on the basis of age; 78.2. As the 2023 Australian Digital Inclusion Index reveals, access to technology such as telecommunications infrastructure and fast internet speeds is limited in rural and remote areas of Australia. The Bill may therefore indirectly Digital ID Bill 2023 - Explanatory Memorandum: Page 154 of 319


discriminate on the basis of a person's place of residence within Australia or socio-economic factors; 78.3. Persons of cultural and linguistically diverse backgrounds may be indirectly discriminated against on the basis of ethnicity if they are unable to access the scheme in a language other than English; 78.4. Indigenous Australians may also be indirectly disadvantaged because of a range of complex factors. Particularly relevant is the impact of remoteness on digital inclusion, discussed in RMIT's Mapping the Digital Gap 2023 Outcomes Report. These were identified in research conducted by the Commonwealth to include difficulties obtaining and retaining identity information, document preservation and storage and technological and service access barriers. This is also inconsistent with the aims of Article 2 of the UN Declaration on the Rights of Indigenous Peoples that Indigenous peoples are free and equal to all other peoples and individuals and have the right to be free from any kind of discrimination. 79. Many of these barriers identified are not specific to a digital ID per se, but rather are amplified in a digital ID landscape. The Bill, and the AGDIS alone, cannot bridge the digital divide as this is a broader policy issue. Government policy in other portfolios (for example the First Nations Digital Inclusion Plan) will have the effect of reducing indirect discriminatory effects. Rather, through its design, the AGDIS seeks to avoid unduly limiting the right to equality through built in protections. 80. Provisions in the Bill aim to promote accessibility by improved access to government and private services. The Regulatory Impact Statement for the Bill includes examples of these benefits. Business owners could save up to 4 weeks and $128 when setting up a small business. 
Similarly, a regional family affected by a natural disaster experienced a benefit of $128 in avoided costs and 4 hours of time saved rather than having to apply to replace identity documents and driving into town to apply for assistance. This will allow them to access assistance up to 4 weeks quicker than a manual process. 81. As discussed above, an important protection of the right to equality is the prohibition in clause 74 on participating relying parties from requiring an individual to create or use digital IDs in order to access services (except in the limited circumstances discussed above). This legislatively preserves the ability to access essential services without a digital ID. 82. Additionally, requirements relating to the accessibility and useability of services dealt with by subclause 30(1) of the Bill (discussed above) must be dealt with in the Accreditation Rules (although it is acknowledged that the Bill does not impose specific requirements in relation to this). Digital ID Bill 2023 - Explanatory Memorandum: Page 155 of 319


83. These provisions allow elderly people, people in remote or rural areas and people of cultural, linguistically diverse backgrounds and Indigenous people to continue to access essential services via current formats if using a digital ID is not feasible, convenient or available for them. To the extent the AGDIS may limit the right to equality and non- discrimination, this limitation is reasonable, necessary and proportionate to the policy objective of making access to government and private services available online in a secure, convenient, voluntary and inclusive manner, which will improve the range and accessibility of services to the same groups of people. 84. While the measures used in the Bill mitigate some of the potential risk for indirect discrimination, there may still be instances when an individual is disadvantaged. However, balanced against this potential risk of indirect discrimination, the AGDIS will also work to enhance a person's enjoyment of their right to equality and non- discrimination by overcoming current barriers to their participation and engagement in society if they are able to, and choose to, use a digital ID. Right to be presumed innocent until proven guilty 85. Article 14(2) of the ICCPR protects the right of individuals charged with a criminal offence to be presumed innocent until proven guilty according to law. Note 1 under subclause 151(3) clarifies that the Bill engages this right as an entrusted person bears the evidential burden to establish that their conduct (which would otherwise constitute an offence under subclause 151 (1)) was authorised by the Act under subclause 151(3). This limits the right to be presumed innocent until proven guilty. 86. Section 13.3 of the Criminal Code provides that a defendant who wishes to rely on an exception provided by the law creating an offence bears the burden of pointing to evidence that suggests a reasonable possibility that the exception is made out. 
If this is done, the prosecution must refute the exception beyond reasonable doubt (section 13.1). 87. Placing the evidential burden on the defendant in relation to the exceptions set out in subclause 151(3) is appropriate because the facts relevant to the offence specific exception would be peculiarly within the knowledge of the defendant. In particular, it would be impracticable to require the prosecution to prove that the defendant had no authorisation for the use or disclosure of the protected information under any law. For the prosecution to prove this, it would likely need to examine a very large array of Commonwealth, State or Territory laws in order to establish that there was no authorising law applicable in the particular circumstances in order to meet the requisite burden of proof. In contrast, the defendant could readily adduce evidence that suggests a reasonable possibility that an exception is applicable, by identifying the specific law that they claim the alleged unlawful conduct was in fact permitted under, or authorised by. Digital ID Bill 2023 - Explanatory Memorandum: Page 156 of 319


88. Both the Australian Federal Police and the Commonwealth Director of Public Prosecutions (CDPP) consider the availability of any defences when considering whether to investigate and prosecute criminal offences. In relation to prosecution decisions, the Prosecution Policy of the Commonwealth specifically requires the CDPP to take into account any lines of defence which are plainly open to, or have been indicated by, the alleged offender in deciding whether there is a reasonable prospect of a conviction being secured. 89. This reverse burden of proof is appropriate in the circumstances, when balanced against the harm to individuals and entities that could result from unauthorised uses or disclosures of protected information, as well as the harm to public trust and confidence in digital ID systems including the AGDIS. Right to an effective remedy 90. Article 2(3) of the ICCPR provides that any person whose rights or freedoms are violated, including the right of non-discrimination under the law, are to have an effective remedy, and any claim for such a remedy will be determined by a competent authority that will also enforce the remedy when granted. 91. The Bill engages the right to an effective remedy to the extent that it potentially impacts upon the rights of individuals to equality and non-discrimination before the law, as discussed above. However, the Bill safeguards the right to an effective remedy in respect of any such impact on human rights, by establishing appropriate avenues for review and leveraging existing laws providing recourse to effective remedies. 92. Under Commonwealth law, the Racial Discrimination Act 1975, Sex Discrimination Act 1984, Disability Discrimination Act 1992 and the Age Discrimination Act 2004 prohibit discrimination on the grounds set out in these Acts. 93. Complaints made under these Acts may be investigated or conciliated by the Australian Human Rights Commission (AHRC). 
If the complaint is not resolved before the AHRC, the complainant may apply to a Federal court for an enforceable remedy. 94. Remedies that may be awarded include an apology, monetary compensation, reinstatement or promotion, provision of goods or services or a combination of these remedies. 95. In addition to remedies being enforced by Federal courts, the AHRC also has the power under the Australian Human Rights Commission Act 1986 to inquire into complaints of discrimination or other breaches of human rights. If the AHRC receives such a complaint, it must attempt conciliation, if appropriate. If conciliation is unsuccessful or inappropriate and the AHRC finds a breach of human rights, then the AHRC prepares a Digital ID Bill 2023 - Explanatory Memorandum: Page 157 of 319


report to the Attorney-General's Department, which may include recommendations for action. 96. Complaints about the administrative actions of Commonwealth agencies may be made to the Commonwealth Ombudsman under the Ombudsman Act 1976. Applications may also be made to have a decision re-made in a merits review tribunal, for example under the Administrative Appeals Tribunal Act 1975, or to have the legality of a decision reviewed in a court, for example under the Administrative Decisions (Judicial Review) Act 1977. 97. Part 4 of Chapter 8 of the Bill provides for merits review of certain decisions that may be made under the Act. This includes internal review by the decision-maker of a reviewable decision (cl 138 and 139), as well as review by the Administrative Appeals Tribunal of a reviewable decision or an internal review decision (cl 140). 98. While the measures set out in the Bill mitigate some of the potential risks to the right to equality and non-discrimination, there may still be instances when the operation of the Act and any rules made under it discriminates against a person; on the basis of age, for example, as discussed above. In such circumstances, a complainant may have access to an effective remedy under the Act and other Acts as referred to above. Right to freedom of expression 99. Article 19 of the ICCPR provides that everyone shall have the right to freedom of expression, including the freedom to seek, receive and impart information and ideas of all kinds. 100. Article 19(3) of the ICCPR provides that this right may be limited on grounds including respect for the rights of others, or the protection of national security or public order. Any limitations must be prescribed by legislation and be reasonable, necessary, and proportionate to achieve the desired purpose. 101. 
The Bill engages the right to freedom of expression by making it an offence for an entrusted person (as defined in subclause 151(2)) to use or disclose protected information (see subclause 151(4)) in certain circumstances. An 'entrusted person' means: 101.1. the Digital ID Regulator; 101.2. a member or associate member of the ACCC or the staff of the ACCC; and 101.3. the System Administrator or their staff 102. 'Protected information' means information that was disclosed or obtained under or for the purposes of the Act (cl 151(4)). Digital ID Bill 2023 - Explanatory Memorandum: Page 158 of 319


103. An entrusted person commits an offence by using or disclosing protected information in the following circumstances: 103.1. the entrusted person obtained the protected information in the course of, or for the purposes of, performing functions or exercising powers under the Act (i.e. acting in their capacity as an entrusted person); and 103.2. the protected information is either: 103.2.1. personal information (with the extended meaning in the Bill) of an individual. For example, this would include the attributes, restricted attributes or biometric information of an individual; or 103.2.2. commercially sensitive information. This is information that, if used or disclosed, might substantially prejudice the commercial interests of another person. For example, information about the technical know- how or trade secrets of an accredited entity. 104. The offence set out in clause 151 of the Bill only limits the right to freedom of expression to the extent necessary to protect the information from unauthorised disclosure, including by distinguishing between entrusted persons who are subject to the offence provision (cl 151(1)), and other persons who are not. The definition of entrusted persons is limited to officers who are working to provide oversight or management of digital ID systems, in some capacity. Additionally, the offence only applies in respect of protected information obtained by those officers while working in their official capacity. This is an appropriate limitation, given such persons will have chosen to take on official roles in respect of digital ID systems, have appropriate security clearances, and received training and induction about the sensitivity of the information and services that they are dealing with, and the application of the offence. 105. The offence also only applies in respect of certain kinds of protected information, as defined in subclause 151(4). 
This is limited to information that was disclosed or obtained under or for the purposes of the Act, and which is either personal information or commercially sensitive information. Such information may, for example, be held or generated using an approved identity verification facility, or enable access to such facilities. This information is sensitive and needs to be protected in order to ensure the security of digital ID systems and digital IDs, and support the privacy safeguards set out in the Bill. 106. Clause 152 creates specific exceptions to the offence set out in subclause 88(1). These exceptions apply in addition to the general defences available under Part 2.3 of the Criminal Code and the authorisations set out in clause 152 of the Bill. These exceptions ensure that an entrusted person will not be inappropriately subject to criminal liability for their conduct if: Digital ID Bill 2023 - Explanatory Memorandum: Page 159 of 319


106.1. they were performing their functions or duties or exercising a power related to the Act, or enabling another person to do so, or assisting in the administration or enforcement of another law of the Commonwealth or a Territory, or a law of a State that is prescribed by the Digital ID Rules; 106.2. their conduct was required or authorised by a law of the Commonwealth or a Territory, or a law of a State that is prescribed by the Digital ID Rules; 106.3. the person to whom the information relates expressly consented to the use or disclosure; or 106.4. at the time of the use or disclosure, the protected information is already publicly available; 107. This limitation on the right to freedom of expression is reasonable given the sensitive nature of the protected information to which entrusted persons will have access, and the potential implications for an individual if their personal or commercially sensitive information is unnecessarily disclosed. The limitation is proportionate to protect the privacy of individuals. Right to social security 108. Article 9 of the International Covenant on Economic, Social and Cultural Rights establishes the right to social security, including social insurance. The provision of social security payments and other benefits is contingent on identity verification in order to ensure social security payments are provided to the correct people and to prevent fraud and misuse of government funds. By making identity verification more accessible through the use of Digital IDs, this Bill will reduce the administrative burden on those seeking services, and support the fast, secure and private provision of such services, and have a positive impact on the right to social security. 109. As mentioned in paragraph 78.2, access to the technology required to establish and use a digital ID may be limited based on a person's place of residence within Australia or socio-economic factors. 
Accordingly, those seeking social security payment may face challenges in realising the benefits of a digital ID in that regard. However, as discussed above, these barriers are not specific to a digital ID per se, and the Bill alone cannot bridge the digital divide as this is a broader policy issue. Paragraphs to outline how the Bill and the AGDIS promote improved access to government services, including social security. Digital ID Bill 2023 - Explanatory Memorandum: Page 160 of 319


Conclusion on overall compatibility with human rights

The Bill is compatible with human rights because it promotes the protection of human rights and, to the extent that it may limit human rights, those limitations are reasonable, necessary and proportionate.


Impact Analysis: Legislating the Australian Government Digital ID Program

Impact Analysis: Page 1 of 158


Department of Finance

© Commonwealth of Australia (Department of Finance) 2023

With the exception of the Commonwealth Coat of Arms and where otherwise noted, this product is provided under a Creative Commons Attribution 4.0 International Licence. (http://creativecommons.org/licenses/by/4.0/legalcode)

The Department of Finance has tried to make the information in this product as accurate as possible. However, it does not guarantee that the information is totally accurate or complete. Therefore, you should not solely rely on this information when making a commercial decision.

The Department of Finance is committed to providing web accessible content wherever possible. If you are having difficulties with accessing this document, please contact the Digital ID Communications team at digitalid.communications@finance.gov.au.

Version: 1801


Contents

1 Executive summary ..... 6
1.2 The need for Government intervention ..... 7
1.3 The Net Benefits of Digital ID ..... 9
2 Introduction ..... 10
2.1 Purpose of this document ..... 10
2.2 What is a Digital ID? ..... 10
2.3 Australian Government Digital ID System (AGDIS) ..... 11
2.4 Benefits and value of Australia's Digital ID System for stakeholders ..... 17
2.5 The case for expanding AGDIS ..... 22
3 What is the problem? ..... 25
3.1 The importance of a whole-of-economy solution with global application ..... 25
3.2 Potential barriers to realising whole-of-economy benefits ..... 26
4 Requirement for government action ..... 36
4.1 Government's role in delivering Digital ID ..... 36
4.2 Government's regulatory role and capacity ..... 36
4.3 Objectives for government intervention ..... 37
4.4 Constraints and barriers to government intervention ..... 39
4.5 Potential alternatives to government action ..... 40
5 Policy options overview ..... 41
5.1 Option 1: Status quo ..... 41
5.2 Option 2: Leverage existing legislative frameworks to enhance privacy safeguards ..... 42
5.3 Option 3: Dedicated legislation to establish new regulatory scheme ..... 43
6 Approach to determining likely net benefit of options ..... 48
6.1 Overview ..... 48
6.2 Overall impacts ..... 48
6.3 Regulatory impacts ..... 49
6.4 Impact analysis approach ..... 50
7 Likely net benefit of Option 1 (status quo) ..... 52
7.1 Overall impacts ..... 52
7.2 Regulatory impacts ..... 57
7.3 Likely net benefit ..... 58
8 Likely net benefit of Option 2 (leverage existing regulatory frameworks) ..... 59
8.1 Overall impacts ..... 59
8.2 Regulatory impacts ..... 63
8.3 Likely net benefit ..... 66
9 Likely net benefit of Option 3 (dedicated regulatory scheme) ..... 67
9.1 Overall impacts ..... 68
9.2 Regulatory impacts ..... 83
9.3 Likely net benefit ..... 86
10 Consultation ..... 89
10.1 Purpose and objectives ..... 89
10.2 Consultation undertaken ..... 90
10.3 Outcomes and themes of consultation to date ..... 91
10.4 Ongoing consultation ..... 95
11 Best option from those considered ..... 96
12 Implementation and evaluation of selected option ..... 101
12.1 Impact Analysis status at key decision points ..... 101
12.2 Implementation approach ..... 101
12.3 Implementation challenges and risks ..... 102
12.4 Evaluation strategy ..... 102
12.3 Ongoing monitoring of implementation effectiveness ..... 109
Appendix A - Glossary ..... 111
Appendix B - Entities, interactions and incentives within the current Digital ID System ..... 116
Appendix C - Entities, interactions and incentives within an expanded Digital ID System ..... 121
Appendix D - Consultation Details ..... 127
Consultation September-October 2023 ..... 131
Details October 2021 Public Consultation Round ..... 133
Details September-October 2023 Consultation Round ..... 136
Evolution of stakeholder views throughout consultation ..... 141
Appendix E - Regulatory costs: Methodology and assumptions ..... 145
Methodology ..... 145
Assumptions and sources ..... 146
Detailed Calculations ..... 150
Appendix F - Figures and tables ..... 157
A.1 Figures ..... 157
A.2 Tables ..... 157
Appendix G - Risk Matrix ..... 158


1 Executive summary A Digital ID is a safe, secure and convenient way for Australians to prove who they are online. Digital ID allows users to verify existing issued government identity documents online, which once created, can be reused whenever a person is asked to prove online who they are when accessing a linked government service. When rolled out across a variety of government entities and businesses, individuals can securely access connected services online. Digital ID also provides efficiencies for the public and private sector, giving small and medium enterprises more time to manage and grow their businesses. The Australian Government Digital ID System (AGDIS) is a federated model where accredited entities establish and authenticate Digital IDs for people in a trusted environment. The AGDIS is currently used by over 11 million people and over 1.5 million businesses to access more than 135 digital government services. Expansion of the AGDIS and establishment of the permanent Accreditation Scheme will enable state and territory governments and private sector involvement. The Government's vision for the AGDIS is a national, economy-wide system that provides Australians with a voluntary, secure, convenient and inclusive way of verifying who they are when interacting with government and businesses online. People will be able to verify their identity with their choice of identity providers to create a Digital ID. They will be able to simply, safely and securely reuse their chosen Digital ID to transact across all tiers of government and with private sector services, in a way that ensures their privacy. Australia's Data and Digital Ministers have agreed to work towards a consistent approach for Digital ID across Australia. This means the future AGDIS will have domestic interoperability across states and territories. 
Having delivered the foundational capability and infrastructure, governing policy, security and risk management frameworks, and underlying operational support, Digital ID is now looking to expand in several phases. This expansion will first focus on making the AGDIS available to more Commonwealth and state entities, before integrating further with state and territory government Digital ID services, then finally private sector services. The end state of Digital ID being available as a 'whole-of-economy solution' would enable all individuals and businesses to have more secure and convenient engagement with government (including state, territory and local) services and the private sector.

1.2 The need for Government intervention

To date, the Australian Government has built the foundations of a trusted, nationally consistent identity verification system. However, several risks and gaps have been identified with the potential to impact the full realisation of Digital ID's benefits, particularly as it expands across the Australian economy. These are:

• the absence of legal authority for participation of non-Commonwealth Government agencies in AGDIS as relying parties (providing online digital services to people with a digital ID), and a charging framework;
• a potential lack of trust in the AGDIS's privacy and security safeguards; and
• the absence of a permanent oversight body and legislative governance framework.

Regulatory action is required to address the above barriers to uptake by individuals and market entry by firms, enabling non-Government participation; and legislatively entrenching privacy, security and permanent governance arrangements to enhance confidence and trust in the AGDIS and the Accreditation Scheme.

Three options have been considered to address these gaps:

• retaining the status quo (i.e. no regulatory action taken)
• leveraging existing regulatory schemes (primarily addressing privacy-related issues)
• establishing a dedicated Digital ID regulatory scheme through legislation and nominating the Australian Competition and Consumer Commission (ACCC) as the initial regulator.

In recent years, the potential and growing demand for the AGDIS has been clearly demonstrated, with large scale events affecting a number of Australians in some capacity, such as the private sector cyber security breaches of Optus, Medibank Private and Latitude Financial (the recent cyber breaches).
The Black Summer bushfires of 2019-20 and the COVID-19 pandemic both saw an unprecedented increase in the use of digital channels to access stimulus measures, closely followed by floods in early 2022.

This Impact Analysis has been developed to examine the case for establishing a dedicated regulatory scheme for the AGDIS and the likely impacts (regulatory and non-regulatory) of proposed measures. It describes the problem that Government is trying to solve and proposes options. These have been informed by wide stakeholder consultation to validate expected impacts. The Impact Analysis recommends that Government implement the option with the highest net benefit - a dedicated regulatory scheme established through legislation.

Each of the seven Impact Analysis questions, and the applicable section(s) that address them, are set out in Table 1.

Impact Analysis question | Relevant document section
1 What is the policy problem you are trying to solve and what data are available? | 3 What is the problem?
2 Why is government action needed, and how will success be measured? | 4 Requirement for government action
3 What policy options are you considering? | 5 Policy options overview
4 What is the likely net benefit of each option? | 6 Approach to determining costs and benefits of options; 7 Likely net benefit of Option 1 - Status quo; 8 Likely net benefit of Option 2 - Leverage existing regulatory frameworks; 9 Likely net benefit of Option 3 - Dedicated regulatory scheme
5 Who did you consult and how did you incorporate their feedback? | 10 Consultation
6 What is the best option from those you have considered and how will it be implemented? | 11 Best option from those considered
7 How will you implement and evaluate your chosen option? | 12 Implementation and evaluation of selected option

Table 1: Impact Analysis questions and relevant document section(s)

Benefits to the owners of a Digital ID in these events include the ability to identify themselves immediately and help provide rapid access to government support.
In regard to the recent cyber breaches, one of the underlying challenges has been the amount of personal information held by organisations. Digital IDs present a clear benefit in that they limit the need for organisations to collect and store personal information. Research on the whole-of-economy value of Digital ID, and the specific scope and parameters of this analysis, is discussed further at Section 2.5 The case for expanding the AGDIS.

Expanding Digital ID to state, territory and local governments presents efficiency opportunities across the multiple touchpoints between individuals and governments (for example in driver licensing authorities; using information from registers of births, deaths and marriages; healthcare; education; and utilities). However, even without this expansion, the AGDIS is a viable way to deliver Australian Government digital services more efficiently.

Another cornerstone of the proposed reforms is to establish an Accreditation Scheme that strengthens the existing accreditation framework for Digital ID service providers. The Accreditation Scheme will be underpinned by rigorous technical standards and robust enforcement mechanisms. Accreditation demonstrates that Digital ID providers meet high standards in areas such as privacy, cyber security and user experience.

1.3 The Net Benefits of Digital ID

The Department of Finance (Finance), in collaboration with other government entities, is leading the development of the whole-of-economy Digital ID System, also known as the AGDIS, and the Accreditation Scheme. This Regulation Impact Statement (Impact Analysis) finds that the preferred option for Australia's Digital ID System combines reform of the AGDIS with the establishment of a voluntary accreditation system for non-Government ID providers, as it has the highest net benefit. This includes additional regulatory costs for newly regulated entities, estimated to total around $1.5 million per year.
However, these costs will be offset by select indirect benefits across the whole of economy, estimated to be around $3 billion per year. These impacts have been consulted on and are discussed in this document.

2 Introduction

2.1 Purpose of this document

This document examines the case for regulating the AGDIS, including the relative costs and benefits of all viable options considered. It assesses the estimated regulatory impact of all options, with particular focus on the recommended option (Option 3: Dedicated legislation to establish a new regulatory scheme). Consistent with Australian Government guidance, the Impact Analysis has been developed iteratively alongside the policy development process. An earlier version was released publicly for consultation in October 2021 to test and validate the impacts of options on stakeholders, with feedback received used to inform the most recent Draft Bill. Additional public consultation, as well as a submission and survey process, commenced in September 2023 and has informed advice to the Minister on the development of legislation.

2.2 What is a Digital ID?

A Digital ID is a safe, secure and convenient way for Australians to prove who they are online. The user will create a Digital ID by using existing issued government identity documents which are verified online with the issuing source (for example, verifying a driver licence with the issuing road authority and a birth certificate with the relevant Births, Deaths and Marriages Registry). It only needs to be created once, then can be reused whenever a person is asked to prove online who they are when accessing a linked service. When rolled out across a variety of government entities and businesses, individuals can securely access connected services online. Digital ID also provides efficiencies for the public and private sector, giving small and medium enterprises more time to manage and grow their businesses.

While it can be reused once created, a Digital ID is not a single, universal or mandatory number, identifier or an online profile. Personal information remains private and protected.
People must provide consent before their details are shared with the service they wish to access. A Digital ID does not replace physical identification documents such as a birth certificate, visa or driver's licence and still remains voluntary in most cases. For Government services, there is an explicit provision in the Bill (s71(1)) relating to the AGDIS that requires an entity relying on a person's attributes (a "participating relying party") not to require an individual to create a Digital ID. This provision is designed to ensure that Digital ID does not change existing service requirements, and that it doesn't impede services being available to individuals. The choice to use a Digital ID to access these services will not replace existing options and is instead designed to add a secure and convenient channel, in addition to existing channels. This means existing alternate channels (such as telephone) need to be maintained as alternatives. There are two exceptions to voluntariness for an individual adopting a Digital ID, outlined in s71(3).

For non-Commonwealth Government services, there are no explicit voluntariness requirements in the legislation where services are operating outside of AGDIS. Voluntariness is intended to be achieved through competition and the ability for an individual to choose alternative service offerings.

There are multiple identity proofing levels offering different degrees of proofing rigour and identity confidence which can be used for differing purposes (and can offer cost efficiencies, as lower standards of identity proofing require less information from the user and can be undertaken at lesser cost). Importantly, Australians will retain their choice to use a Digital ID, must consent to each transaction, and will be able to close their account at any time they wish.

2.3 Australian Government Digital ID System (AGDIS)

2.3.1 Background

Australia's current identity infrastructure is fragmented, consisting of a largely uncoordinated network of identity credentials. The System has developed organically, driven by different standards, policies, and legislative requirements. (Source: Commonwealth Treasury 2014, Financial System Inquiry).
The 2014 Financial System Inquiry (Murray inquiry) found that Australia's current identity environment is fragmented and uncoordinated. In the past, government entities have largely operated in silos, developing bespoke identity initiatives to manage internal fraud risks or to deliver specific policy outcomes. As described in the Murray inquiry, this has resulted in duplicated investment, wasted resources, a fragmented identity environment and poor customer experiences. People and businesses wanting to engage with government often do so at high cost, leading to frustration and reduced confidence in government. This has the potential to result in a reluctance to trust and use government digital services. The Murray inquiry recommended a national identity strategy that would improve efficiency and security across the digital economy.

Through the Digital ID Program, the Australian Government is working to deliver better outcomes for all Australians by making it easier for them to access the services they need. The Program is building a trusted Digital ID system - the AGDIS - for the entire Australian economy, with the potential to transform the way people and businesses access services online. Already, significant progress has been made towards building a nationally consistent identity verification system, alleviating pain points, and narrowing the difference between the customer experience offered by government and the private sector. To date, the Program has delivered the core foundations for the platform, which is currently used by nearly half the population aged over 15 years (approximately 11 million people and over 1.5 million businesses) to access more than 135 digital government services.

2.3.2 Digital ID System governance: Trusted Digital Identity Framework (TDIF)

The TDIF, developed in collaboration with government entities, peak industry bodies, privacy commissioners and other stakeholders, is how the AGDIS is governed and protected. It mandates strict operational standards by defining a complete set of requirements, roles and operating responsibilities for participants that establish a nationally consistent approach to accrediting the Digital ID System in Australia. The TDIF is built around eight guiding principles: user centric, voluntary and transparent, service delivery focused, privacy enhancing, collaborative, interoperable, adaptable, and secure and resilient.
These principles work to ensure that privacy and the security of personal information remain central to the Digital ID System. An individual may have multiple Digital IDs, but the TDIF ensures consistency in how they are established and managed.

Accreditation and onboarding

Accreditation and onboarding are key concepts within the TDIF, ensuring that the AGDIS remains secure and trustworthy. Entities are accredited as one or multiple roles specified within the TDIF (e.g. attribute provider or identity provider). Accredited entities may choose one of three ways to participate in the Commonwealth's ecosystem:

• Achieve accreditation to be recognised as meeting the Commonwealth Government's high standards in providing identity services.
• Achieve accreditation to participate in the AGDIS. The accreditation process is rigorous and involves undertaking various activities and providing documentation to the accreditor (i.e., the Interim Oversight Authority, discussed further below), third party evaluations and operational testing.
• Entities that are accredited may or may not also be 'onboarded' to AGDIS, referring to establishing the physical technical connection of the entity's system to AGDIS. Onboarding may occur 'indirectly' in some cases (particularly for credential service providers, which may connect only to an identity provider).

The key roles within and related to the AGDIS are described further in Section 2.3.3 Entities, interactions and incentives within the current System. In summary, roles in the ecosystem fall into the following primary categories:

• user - an individual seeking to use Digital ID. Does not need to be accredited nor onboarded
• onboarded accredited (participating) entities - entities that are accredited and onboarded to AGDIS. Roles which require accreditation are attribute provider (AP), credential service provider (CSP), identity exchange (IDX) and identity provider (IDP)
• relying parties (services) - a party that relies upon verified information provided through the AGDIS to provide a digital service. Must be onboarded, but not accredited.


In addition to the above, entities may choose to be accredited under the TDIF but not onboarded to the AGDIS for several reasons, including to enhance the perceived assurance of their identity system (accredited entities). Once accredited or onboarded, entities need to continually demonstrate they meet their TDIF obligations as relevant to their role and prove this through annual assessments.

Interim Oversight Authority

The Interim Oversight Authority is responsible for the administration and oversight of the AGDIS. Its functions are shared by Finance and Services Australia and are performed independently from their broader agency responsibilities. Effective governance is essential to the efficient operation of, and instilling public trust and confidence in, the Digital ID System. Accordingly, the Interim Oversight Authority holds a broad range of powers established through the AGDIS Governance Agreement that enable it to carry out its governance and operational responsibilities. These include:

• applicant accreditation and annual assessment
• approval of participants and management of the participant register
• onboarding participants to the AGDIS
• monitoring participant compliance in accordance with the TDIF and operating rules
• inquiries, investigations and coordination (but not limited to) of AGDIS incidents, change and release, fraud and security events
• service level reporting and management
• suspension and termination of participants
• complaints and issue handling, including complaints from one participant about another participant
• preparing and coordinating all public statements and communications in relation to the AGDIS.


2.3.3 Entities, interactions and incentives within the current AGDIS

Figure 1 portrays the entities currently involved in the AGDIS and explains their interactions and likely incentives. A more detailed description of these for each type of entity is at Appendix B Detailed entities, interactions and incentives within the current System. These key entities are onboarded accredited entities (various types), relying parties, the Interim Oversight Authority, and users.

Onboarded accredited entities are accredited under the TDIF to fulfil particular roles within the System and can be conceptualised as the providers of the different components required to deliver the AGDIS. To achieve accreditation, these entities must undergo a series of rigorous evaluations across all aspects of their operations. This includes demonstrating how their service(s) meet strict requirements for usability, accessibility, privacy protection, security, risk management, fraud control and more. Accredited roles include Identity Exchange (IDX), Attribute Service Provider (AP), Credential Service Provider (CSP) and Identity Provider (IDP).

There are also key entities within the AGDIS which are not accredited under the TDIF. These are:

• relying parties - approved entities (including hubs and portals) providing online services to people with a digital ID. (Hubs and portals are relying parties that provide attributes to services downstream. Through a hub, a user may be able to access multiple services or service brands, without linking. Through a portal, a user may be able to link and access multiple services or service brands.)
• Interim Oversight Authority - the governing body for the AGDIS
• users - who create one or more digital identities and use these to access services via relying parties.


Figure 1: Entities, interactions and incentives within the current AGDIS


2.4 Benefits and value of Australia's Digital ID System for stakeholders

Digital ID offers the potential to assist individuals, businesses, government, and the overall economy in many different ways. The key benefits available from a whole-of-economy Digital ID system, which will also help to drive uptake, include:

• For individuals (users):
− reduced risk of information or data loss, data spill and identity fraud, encouraging greater confidence in Digital ID
− improved speed of interaction with a wider range of Australian Government, state, territory and local government entities, as well as private sector businesses
− greater choice and flexibility in interactions with identity providers, appealing to individuals' varying preferences
− strong levels of autonomy and control compared with other emerging 'de facto' identity solutions which are increasingly used to transact with private companies online.

The benefits available to individuals and families are illustrated through the examples below.


Case study: Regional families affected by natural disaster

Henry is a farmer who has been reluctant to use online government services in the past, preferring to make an hour-long drive to visit a Services Australia service centre or an Australia Post shop front instead. After battling extreme drought, Henry decides it is time to use government services online and create his Digital ID so he can quickly set up new online accounts. He can no longer afford to lose hours on the road when he needs to be on the farm. When a bushfire tears through the family property and destroys his family's birth certificates and passports, Henry realises the value of his Digital ID. With his Digital ID, he doesn't need to wait for replacement documents, and he can still access all the government services he needs.

Case study: Onboarding new employees

Jenny is an engineer who has recently secured a new job at a large Australian engineering company. Due to the number of sensitive and government projects they deliver, the company requires all new starters to complete a National Police Check (NPC). Having completed an NPC previously, Jenny knows that this process requires her to provide 100 points of ID and can take up to 2 hours due to the number of steps including physically gathering, verifying, digitally scanning and uploading all relevant documentation.


Jenny already has a Digital ID account and finds that by consenting for her Identity Service Provider to share some information from her (already provided and verified) identity documents for the purposes of obtaining an NPC, the process takes significantly less time than it otherwise would have. Using the System saves her 1 hour 55 minutes and $69 in avoided costs.

Note - the benefits in this case study are available under an expanded System only.

• For businesses:
− time, cost savings and enhanced productivity, as a result of the increased speed of transacting with multiple government agencies or businesses
− improved efficiency of customer operations and reduced manual handling
− reduced instances of customer fraud, which is particularly beneficial for banking and financial service providers, as well as any entity with 'Know Your Customer' obligations. (Reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) have obligations to apply customer identification procedures to all customers, and alter their procedures based upon the level of money laundering/counter-terrorism financing risk that different customers pose)
− provides the same means of accessing personal and business services, saving time and effort
− greater opportunities for growth in domestic markets, particularly in sectors such as financial technology (FinTech) and regulatory technology (RegTech), and the broader Australian economy through realising the efficiencies above.

The efficiencies and benefits available to businesses and business owners are illustrated by the examples below.


Case study: Starting a new business

Alex is an IT specialist who decides to fulfill his long-term ambition of starting his own small business. He wants to get his new business off the ground as quickly as possible, particularly because he is the primary earner in his family. Alex has a number of steps to complete including applying for an ABN and registering his business name. A former colleague urges Alex to try using Digital ID. Alex finds the process takes a quarter of the time it otherwise would have, and he also saves $128 in avoided costs.

Case study: Applying for a business loan

Having started his new IT business, Alex is now seeking a loan to cover up-front costs, such as purchasing equipment and leasing office space. Typically, there would be several steps for Alex to apply for the loan, including gathering identity and other documentation, completing information collection and application processes, and potentially visiting the bank in person. Alex's bank offers the option of using his Digital ID to complete the information collection and application process. Alex finds the process takes significantly less time than it otherwise would have, saving him $140 in avoided costs. Alex is able to start operating his business sooner by spending less time applying for the loan and verifying his identity.


Note - the benefits in this case study are available under an expanded Digital ID system only.

• For governments of all levels:
− reduced time and demand for government services to verify an identity, and people may engage in end-to-end digital transactions, which further reduces transaction times
− reduced need to maintain agency-specific identity and access management systems and associated support systems
− increased security of people's information, reduction in the cost of fraud and improved detection, monitoring and response
− improved integrity of service provision, contributing to improved user experience, knowledge and public trust.

• For the economy:
− increased productivity with the use of AGDIS and the associated increase in digital service consumption, saving people and businesses time and money
− efficiency benefits flowing from the opportunity for financial institutions to reuse customer data stored in Digital ID
− reduced costs to the economy, linked to reduced rates of fraud and identity theft
− increased productivity as people and businesses can complete essential transactions with government and other organisations more quickly.

With a fundamental design principle of the AGDIS being that people, businesses and agencies choose to become a part of the AGDIS, a broad range of stakeholder expectations have been consistently considered to ensure AGDIS provides a service that benefits all that use it.


2.5 The case for expanding AGDIS

2.5.1 Benefits of expansion

The Australian Government Digital ID System's value was clearly demonstrated during Australia's response to the COVID-19 pandemic, which has seen an unprecedented increase in the use of digital channels. Rather than being a tactical solution designed to address the immediate issues faced as a result of COVID-19, AGDIS provides a more strategic and longer-term whole-of-economy solution. While Digital ID's value is ongoing, events such as the pandemic and the 2019-20 bushfires have reinforced the critical role technology plays in enabling people and businesses to deliver and receive trusted services in times of crisis.

Australian Bureau of Statistics (ABS) data reinforces the expectation that increased demand for government services will continue, with small, medium and regional businesses, in particular, urgently needing a simple, safe and secure way to access critical services, payments and support to assist their ongoing recovery. Recent ABS statistics indicate there are 539,700 unemployed Australians as of August 2023, most of whom would be accessing some type of government support. In more extreme cases, this includes the ability to access services more quickly in times of increased need, such as black swan events (COVID-19) that lead to people needing to access welfare services.

The expansion of AGDIS also presents opportunities to modernise public services at a state, territory and local government level. The extent and frequency of individuals' touchpoints with state, territory and local government-provided services means AGDIS can generate significant administrative efficiency, by enabling reduced paperwork, faster transactions and improved convenience. These benefits are expected to support state and territory government services, including the registration of births, deaths and marriages; licensing; utilities; healthcare; and education. These levels of government would also realise other benefits described above, including reduced identity fraud.

Digital ID is essential for the growth of the digital economy more broadly. It has a pivotal role to play in rebooting the global economy in the aftermath of the COVID-19 pandemic and beyond through digital and physical engagement with public and private sector services.


This assessment of the commercial opportunities available is supported by analysis commissioned in 2016 by the Digital Transformation Agency (DTA) (then the 'Digital Transformation Office') from Deloitte Access Economics, which found that System expansion presented expanded market opportunities across several integrated service offerings. These included the design, maintenance and operation of credentials and tokens, identity provision and disruptive emerging models for financial transactions and online communications, as well as for identity providers in general (for example, vendors may potentially sell other services to individuals as part of a verification 'one-stop shop'). The commercial appeal of these opportunities was recently validated with Australian payment network eftpos achieving the first private sector exchange accreditation under the TDIF in September 2021.
2.5.2 Entities, interactions and incentives within an expanded AGDIS
Figure 2 below depicts the entities that would be able to participate in an expanded AGDIS, including their likely interactions and incentives. A more detailed description of these can be found at Appendix C: Detailed entities, interactions and incentives within an expanded system. One of the primary points of difference between the below and Section 2.3.3 Entities, interactions and incentives within the current AGDIS is the inclusion of non-Australian Government agencies as relying parties and the expansion of onboarded accredited entities that would be enabled by a legislative charging framework. Unless otherwise stated, the nature of the roles for each type of entity remains broadly the same. Non-Commonwealth agencies can currently participate in AGDIS as onboarded accredited entities, and as relying parties in a test (beta) capacity. However, as discussed below, they face reduced incentives to do so compared with an expanded scheme with a legislative charging framework.
Under an expanded AGDIS with an appropriate statutory basis, non-Commonwealth agencies would be better incentivised to participate as onboarded accredited entities and legally enabled to participate as relying parties.


Figure 2: Entities, interactions and incentives within an expanded AGDIS


3 What is the problem?
3.1 The importance of a whole-of-economy solution with global application
The foundations of a trusted, nationally consistent Digital ID system have been established. However, full realisation of its long-term benefits will only be achieved through adoption of Digital ID across the economy, eventually connecting state, territory and private sector services as well as Australian Government services. Successfully delivering the expansion of AGDIS will further change the way online verification occurs, unlock value across the broader economy, and transform service delivery across Australia. Legal and regulatory foundations play an important role in building strong governance for AGDIS, and are essential in building confidence for the service providers connected and citizens choosing to use their Digital ID. Numerous studies have recognised the global potential of digital ID. McKinsey Global Institute's 2019 research paper 'Digital identification: A key to inclusive growth' found that extending full digital ID coverage could unlock economic value equivalent to 3-13% of GDP in 2030, reduce institutional customer onboarding costs and payroll fraud, saving up to US$1.6 trillion globally, and save approximately 100 billion hours through streamlined e-government services. Estimates of the benefits to the Australian economy vary in scale and scope; however, these are difficult to verify. Irrespective, it is clear that Digital ID has potential for real benefits across the economy. Research has also identified those sectors of the domestic economy which would particularly benefit from a full expansion of AGDIS capability. For example, enabling private sector participation in the AGDIS would expand local opportunities for Australian RegTech and FinTech businesses, supporting growth of a homegrown market and economy. In 2020, Australia had the third-highest number of RegTech companies globally, with more than 80 headquartered in the country. However, a recent study by BCG and the RegTech Association found that this strong position is under threat, with investment in local RegTech declining 50% since 2018, while a corresponding increase to record investment levels has occurred globally. Research from BCG and the RegTech Association highlights regulatory reform as critical to addressing this trend, identifying that enhancements to regulatory and policy frameworks must 'encourage innovation'. AGDIS provides an opportunity for government to invest in a whole-of-economy business tool, which can contribute to retaining and developing a vibrant Australian RegTech sector, while supporting the export of Australian solutions into overseas markets. With global spending on RegTech expected to more than double by 2025 to USD $50-$75 billion, this is an area of pronounced opportunity for growth in the Australian economy and the creation of new jobs (source: Parliament of Australia 2020, Submission to the Senate Select Committee for Financial Technology and Regulatory Technology). RegTech firm HooYu reported in 2016, "with 61% of individuals surveyed saying they would not trust other parties in a peer-to-peer transaction, good digital ID will enable the creation of new marketplaces and business models based on trusted interactions, and through them, new revenue streams". Additionally, expanding Digital ID could deliver time savings and economic benefits for the FinTech sector. Currently, the FinTech sector experiences significant financial loss through identity fraud, with global financial authorities having fined businesses a record $8.1 billion for improper identity verification processes. Out of 94 Australian FinTech companies surveyed in 2020, 59 per cent believed that digital IDs would deliver cost savings at a projected average of $124,700 per annum. These savings would be attributable to time saved from internal identity verification processes and fraud reduction (source: Ernst & Young, 2020, Fintech Australia Census 2020: Profiling and defining the FinTech sector). This translates to potential savings of between $50-$100 million per annum for the sector, which currently has around 800 active companies (source: KPMG, 2020, More than 100 FinTechs added to the FinTech landscape).
This data has led to a prevalent view within this sector that where FinTech companies seek to capitalise on digital ID solutions, Australians' traditional interactions with financial and banking services can be improved (source: Stellar, D 2021, Digital identity the next frontier for FinTech innovation).
3.2 Potential barriers to realising whole-of-economy benefits
There are several barriers which have the potential to impact the expansion of AGDIS across the Australian economy, and the full realisation of benefits described above. These are:
• no legal basis for participation of non-Commonwealth agencies as relying parties, nor for a charging framework
• lack of trust in privacy and security safeguards of Digital ID
• interim, non-legislative governance framework.
There are also additional competition and market concentration risks that may reduce the realisation of benefits. These will be continually assessed as future phases of AGDIS are developed.
3.2.1 No legal basis for participation of non-Commonwealth agencies as relying parties, nor for a charging framework
The eventual participation of non-Australian Government agencies, such as state, territory and local governments, private sector and community organisations, and foreign governments, is critical to unlocking Digital ID's whole-of-economy value. While non-Commonwealth agencies can currently become onboarded accredited entities (for example, Australia Post's Digital iD solution - which is accredited but not onboarded), legislative authority is required to include non-Commonwealth agencies as relying parties (except in limited circumstances). Without the legal authority for participation of these entities as relying parties, AGDIS could be used to transact with Australian Government agency services only. This represents a missed opportunity for the Australian economy as it would deprive the private sector and a large share of the public sector of efficiency benefits and limit the growth and innovation of industry segments such as FinTech and RegTech. It would also not address the Murray inquiry's conclusion that a whole-of-economy solution is necessary, where public and private sector identity providers compete to supply trusted digital IDs to individuals and businesses. Additionally, there is currently no legal basis for a charging framework to be established for the AGDIS. The absence of a permanent, transparent, consistent charging framework limits the incentives for non-Commonwealth agencies to become onboarded accredited entities.
Unlike relying parties, there is no legal impediment to non-Commonwealth agencies choosing to become accredited and deliver services. However, from a practical perspective, it is not expected that non-Commonwealth agencies would be adequately incentivised to do so without a charging framework underpinned by legislation.


This problem presents a fundamental obstacle to Digital ID expansion across the economy, and therefore impacts a broad range of stakeholders who would potentially benefit from such expansion, including current and potential participants, relying parties and users. It also has a broader impact on the economy and community at large, due to the foregone benefits of an expansion beyond AGDIS.
3.2.2 Lack of trust in privacy and security safeguards
AGDIS has been designed and built with a central focus on privacy, security and consumer protection. Notwithstanding this, an expanded Digital ID market may render certain aspects of privacy and security more difficult to enforce if not backed by legislation, with potential adverse impacts upon the level of trust and confidence Australians have in using Digital ID.
Privacy and security by design
Digital ID under AGDIS is designed to ensure the privacy of individuals is protected and strong safeguards are in place to protect data and personal information. While using Digital ID, personal information is securely encrypted and protected by strict Australian Government security protocols. Additionally, the TDIF framework governing the use of the Digital ID currently includes a range of AGDIS-specific privacy and consumer protections for individuals. These include:
• restrictions on the creation and use of a single identifier
• restrictions on data profiling
• restrictions on the collection and use of biometric information
• requiring express consent before enabling user authentication to a service.
Onboarded accredited entities are bound to comply with these requirements, which are established by the Interim Oversight Authority. A breach may result in a participant losing its accreditation status. However, the TDIF is not law, and the Interim Oversight Authority has no legal or regulatory enforcement powers outside the established governance arrangements. As a result, the Interim Oversight Authority has limited ability to enforce existing requirements unless they are also contained in other applicable legislation or regulations. This is a manageable state of affairs when all participants are Australian Government entities but is not sustainable if Digital ID were to expand to encompass other accredited entities.


Existing privacy safeguards This existing framework of legal and other requirements, which also may apply to the activities of onboarded accredited entities, includes the Privacy Act 1988 (Cth) (Privacy Act), Australian Privacy Principles, Australian Government Agencies Privacy Code, Information Security Registered Assessors Program, Australian Government Protective Security Policy Framework and Information Security Manual and Australian Signals Directorate's Essential Eight cyber security mitigations. The Privacy Act is Australia's principal piece of legislation for the protection of personal information, including its handling, collection, use, storage and disclosures (source: Commonwealth Attorney-General's Department 2021, Privacy). There are various circumstances in which an entity may be excluded from compliance with the Privacy Act. For example, in many cases, the acts and practices of state and territory agencies, private individuals, universities, and small business operators are not covered by the Privacy Act (source: Office of the Australian Information Commissioner 2021, Rights and responsibilities). In the absence of AGDIS-specific legislative requirements, the legal obligations applying to a participant's activities within the AGDIS are dependent upon whether they are bound by the Privacy Act. Currently, where an entity is captured by the Privacy Act's provisions, the Notifiable Data Breaches Scheme (NDB Scheme) mandates reporting to both the affected person/s and the Office of the Australian Information Commissioner (OAIC), when a data breach occurs. However, if an entity is exempt from or has only security obligations under the Privacy Act (such as a small business operator's obligation to secure Tax File Number information), such reporting requirements will not apply (source: OAIC 2019, Part 4: Notifiable Data Breaches Scheme). The OAIC is the national privacy regulator, responsible for upholding Australia's privacy legislation and initiatives. 
The OAIC is allocated various powers and responsibilities under the Australian Information Commissioner Act 2010 (Cth) ('AIC Act'), including investigating potential acts or practices which breach privacy legislation, conducting privacy assessments on entities' handling of personal information, and compelling entities to develop enforceable privacy codes.


Potential inconsistencies in legal obligations applying to participants
Whilst the above privacy and security protections have provided appropriate coverage for the limited use and participants to date, expansion to non-Commonwealth agencies may result in inconsistent legal coverage. Expanding to a whole-of-economy Digital ID, including AGDIS and the accreditation scheme, under existing privacy and security settings, may surface the below potential gaps across Australian Government, state and territory level legislation:
• Individuals may not be able to seek redress about the actions or practices of IDPs, IDXs and APs that breach the Privacy Act, where onboarded accredited entities are state or territory agencies.
• Australian Government agencies must conduct Privacy Impact Assessments (PIAs) for high privacy risk projects under the Australian Government Agencies Privacy Code and Privacy Act. This identifies a project's impact on the privacy of individuals and ensures that they have a plan in place to safeguard it. However, this is not an explicit requirement for private sector organisations covered by the Privacy Act, nor for organisations not covered by the Act.
• Legislative penalties and sanctions for prohibited disclosure of sensitive and other personal information currently apply to participants as a result of the Privacy Act. However, the Act currently only applies to 'APP entities' - primarily Australian Government entities and private sector organisations with a turnover of more than $3 million. Under these arrangements, there would be no legal recourse for breach of the Privacy Act by an onboarded accredited entity that is a small business or start-up with less than $3 million turnover, nor a state or territory agency.
The interaction between Australian Government, state and territory privacy laws is particularly important to provide a uniform level of protection for information used in connection with Digital ID. Privacy legislation operates in most states and territories. However, even for jurisdictions without privacy legislation, there are common guidance documents and non-binding policies which seek to regulate the approach to privacy. These requirements and enforcement mechanisms vary across jurisdictions to varying degrees. To instil confidence and trust amongst individuals and prospective AGDIS participants, it is preferable that privacy protections apply as uniformly as possible.


This problem particularly affects individuals impacted by a data breach or misuse of their personal information through, for example, not being able to seek redress from the OAIC. Apparent inconsistencies in privacy protection (potentially affected by variables such as onboarded accredited entity type and jurisdiction) also impact broader community confidence, with potential impacts on uptake, as discussed further below.
Instilling greater trust through consistent safeguards
The importance of strong, consistent privacy and security safeguards was highlighted in September 2018, by the second PIA. Consulting with stakeholders, this assessment reported a strong prevailing view that a single set of legally enforceable rules would provide participants with consistency, and the broader Australian community with trust and confidence in using Digital ID. Of particular significance, it noted, was the fact that incorporating key privacy protections into law would ensure "they cannot be removed or weakened without scrutiny". There is evidence to indicate that, at a community-wide level, Australian attitudes and views about privacy are rapidly evolving. Research shows the increasing importance of data security to individuals and potential participants, with protection of personal information cited as a paramount consideration in businesses' and individuals' digital activities (source: McKinsey Global Institute, 2019, Digital Identification: A key to inclusive growth). Polling by the OAIC in 2020 found that 97 per cent of Australians consider privacy important when choosing a digital service and 87 per cent of Australians want more control and choice over the collection and use of their personal information. A majority (66 per cent) of Australians were found to be reluctant to provide biometric information to a business, organisation or government agency. This wariness is not limited to potential commercialisation of personal data. OAIC's survey also found that only 36 per cent of Australians are comfortable with their personal information being shared between government entities, and only 13 per cent are comfortable with businesses sharing their information with other organisations. This increasing level of concern is driven, in part, by the growing prevalence of identity crime, which is now one of the most common forms of criminal activity in Australia and was estimated to cost $3.1 billion (including direct and indirect costs) in 2018-19 (source: Franks, C & Smith R 2020, Identity crime and misuse in Australia: Results of the 2019 online survey). The risk posed by this criminal behaviour has increased during the COVID-19 pandemic, with figures released from the Australian Competition and Consumer Commission (ACCC) in August 2020 showing identity theft was up 55 per cent on the same period in 2019. In this context, Australia's growing concern with privacy and the security of personal data could significantly impact the uptake of Digital ID, which requires sharing of personal data, including biometrics. (Internal Program research has validated the high priority that individuals place on reassurance that their information is safe and secure, and proactive security monitoring.) If AGDIS is to retain public trust whilst it expands across the economy, realising whole-of-economy benefits, public concerns over data privacy and security need to be decisively and permanently addressed.
3.2.3 Interim, non-legislative governance framework
Effective governance of the Digital ID is essential for its efficient operation, to instil public trust and confidence and promote individual uptake. While the interim governance structure has proven effective to date, there is a risk that the current arrangements may not sufficiently enable AGDIS to expand beyond non-Commonwealth agencies, while maintaining high standards of integrity.
What could be improved in the current governance framework?
The interim arrangements have, to date, proven to be an effective governance model. However, an expansion of Digital ID is likely to encourage greater participation from private sector onboarded accredited entities and, for the first time, support the participation of non-Commonwealth relying parties. Without making corresponding amendments to the current governance framework, greater participation could result in several problems occurring, as described below:
• Certainty - the current governance arrangements are interim and not underpinned by legislation.
The absence of an established, permanent structure to govern the AGDIS may lead potential non-Commonwealth participants (in their capacity as onboarded accredited entities or relying parties) to doubt its long-term viability, and therefore impair uptake.
• Enforceability - the AGDIS Governance Agreement, which sets the role and powers of the Interim Oversight Authority, provides contractual and policy powers, but not regulatory ones. Specifically, the Interim Oversight Authority does not have the regulatory power to:
− where justified, initiate enforcement action against participants to ensure rules are upheld and breaches addressed
− take certain investigatory actions, such as compelling or directing participants to undertake an action or provide certain information in the course of making inquiries and undertaking investigations into the activities of participants
− administer charging for authentication, to varying degrees of identity proofing, once the AGDIS is sufficiently mature
− impose civil penalties.
• Transparency - as the arrangements governing the Interim Oversight Authority are not publicly accessible, they are not as transparent as having a permanent Oversight Authority, with a legislated role. While TDIF rules do currently require some transparency measures for onboarded accredited entities (e.g., that IDXs publish Annual Transparency Reports), a permanent governance authority could also enforce and comply with publicly accessible legislative provisions and rules that are put in place to ensure transparency in the operation of the Digital ID.
• Independence - the Interim Oversight Authority is structurally independent from other participants in AGDIS but comprises officials from two Australian Government agencies who have policy and operational roles. To ensure trust in the Digital ID and its governance model as expansion occurs, it is important that independence of the oversight body increases commensurately with the scale in a way that makes it independent from other government functions and entities participating. The independence of the Interim Oversight Authority is also not clearly entrenched within and guaranteed by law, which may impact public trust in the governance integrity as it expands beyond Australian Government agencies.
• Accountability - while the AGDIS Governance Agreement imposes reporting requirements on participants and the Digital ID Program reports to Parliament (e.g., through Senate Estimates), the oversight body would benefit from clear, legislated lines of public and Parliamentary accountability specifically tailored to AGDIS and accredited entities, as well as any additional reporting requirements considered suitable (such as periodic and ad hoc reporting).
This presents an opportunity to improve governance for a broad range of stakeholders, including current participants, operating under non-legally enforceable rules, and future participants, by increasing their incentive to provide Digital ID services. The impact of not having a trusted, robust governance framework is described further below.
Impact of not having a trusted, robust governance framework
The importance of a strong, trusted and independent governance framework has been recognised since before the commencement of the Program. The 2014 Murray inquiry specifically identified fragmented governance arrangements as a contributor to the initial problem, observing that "although government has some existing governance mechanisms, the lack of clear ownership of identity policy is impeding progress". There is a risk that an interim governance framework, whilst appropriate to cover the limited participants and activities to date, may not meet community and prospective participant expectations for its future expansion. Confidence in the robustness of governance mechanisms is equally important as having privacy, security and consumer protections. Governance is relied upon to put mechanisms in place to ensure compliance with the rules and take enforcement action when breaches occur. Without a strong governance framework there is heightened risk that Digital ID will not operate as intended, resulting in potential low levels of public trust and a resultant reduction in uptake of digital identification and online services. The Program's achievement of whole-of-economy outcomes, stimulation of innovation and economic development is reliant upon broad participation in the market - from individuals, onboarded accredited entities and relying parties - among other key actors.
Expanding the AGDIS without making corresponding amendments to strengthen its governance framework could jeopardise this participation. A permanent Oversight Authority, maintaining and establishing a set of operating rules, would provide a greater level of certainty to all participants. This certainty is essential in persuading prospective participants to make the required investments and participate.


Stakeholder consultation conducted over a number of years has reinforced the importance of a robust governance framework entrenched, ideally, through legislation. The Program's PIA process in relation to AGDIS commenced in 2016, and saw numerous stakeholders raise concerns about the lack of underlying legal authority for the establishment of the TDIF. The PIA observed that:
It is possible the low expectations of success for the TDIF accreditation/revocation proposal are linked to the absence of any legislative basis or national agreement (such as Council of Australian Governments (COAG) directive) for the TDIF. If stakeholders could see a firm commitment backed by powers in legislation, some of the doubts regarding enforcement may lessen.
Since 2016, progress has been made between states, territories and the Australian Government towards establishing a National Digital Identity Roadmap. One of the aims of this is to understand the customer experience across the range of potential digital ID systems and what will be needed from a governance and oversight perspective to ensure the systems and any customer transactions are proactively managed from a customer-focused perspective. However, stakeholder views on the absence of legislation remain relevant. To address this issue, government regulatory action would need to establish a permanent, clear and nationally-applicable legal framework for AGDIS which applies consistently across all potential future participants - including Australian Government, state, territory governments, private sector and community entities.


4 Requirement for government action
4.1 Government's role in delivering Digital ID
The leading role taken by the Australian Government in delivering an economy-wide Digital ID solution is legitimate, as government is best-placed to facilitate public-private sector collaboration in this area. The Murray inquiry observed that previous industry-only attempts to manage and innovate on issues of identity have shown little success, and cited digital ID as:
... a significant current example of an area where network benefits can be harnessed more effectively through public-private sector collaboration, and government facilitating industry action.
Importantly, the Murray inquiry did not recommend government action to the exclusion of the private sector. Rather, it recommended that government intervention should focus on facilitating industry action and enabling private-public sector collaboration, through the right policy settings and risk-based regulation. (Currently, countries like the UK, Belgium and Germany offer comparable private-public sector model use cases, with Belgium having achieved greater than 30 per cent adoption of their digital ID initiative within 5 years. Source: Internal Program research, 2021). Governments can also lead and coordinate investment in the underlying infrastructure, systems and processes which enable an effective national approach to Digital ID, as the Australian Government has done in recent years. In addition, the inherent sensitivities surrounding the collection of data and personal information have led many to conclude that governments, rather than the private sector, are best placed to manage and mitigate these concerns. For example, the McKinsey Digital Identification Report focused upon the importance of government action, in its capacity as a regulator and policy maker, for the development of policies and legal frameworks that enable acceptance of digital ID technology, while prioritising the protection of individuals' privacy.
4.2 Government's regulatory role and capacity
Having delivered AGDIS, it is reasonable for the community, businesses and other actual and prospective users to expect that the Australian Government regulates and controls it. In relation to the problem areas of legal authority for expansion, privacy and security safeguards and governance, it is not appropriate for the Government to step back and allow 'the market' to deal with this. In this instance, the Government has created the market (noting that there are other private markets also currently operating in Australia) and therefore, should appropriately ensure it operates in a manner that enables the full, whole-of-economy benefits to be realised. The Australian Government also has the capacity to intervene successfully. Given the leading role it has played to date in delivering Digital ID, and the regulatory options it has available, the Government is well positioned to ensure any expansion of the use of AGDIS meets the expectations of all Australians and promotes confidence in its integrity. Research from McKinsey concluded that governments are well-placed to address both the technical and legal components of Digital ID, while ensuring accessibility and positive user experiences for all citizens. Comparable international examples where governments have introduced digital ID regulation further demonstrate the viability of government intervention in this space. (For example, in Denmark, the issuance, revocation and suspension of 'NemID' is regulated by two legislative instruments. In Finland, 'FINeID' is administered by the government's Population Register Centre and regulated through a special, specific legislative scheme. The United Kingdom's Department for Digital, Culture, Media and Sport has shared plans for a UK digital ID and 'attributes trust framework' including the introduction of a new legal framework.) The Australian Government's Data and Digital Strategy notes the use of a robust Digital ID framework will enable simpler and safer ways for people to access public services and provide more secure ways to share data across jurisdictions.
This alignment suggests government intervention has already commenced and can be sustained and enhanced to support expansion.

4.3 Objectives for government intervention

There are several specific objectives for government action, aligned with the identified problem areas. These are outlined in Table 2:

Table 2: Objectives for Government action

1. Identified problem area: No legal basis for participation of non-Commonwealth agencies as relying parties, nor for a charging framework.
   Objective for government action: Government action enables expansion of the AGDIS to include non-Commonwealth agencies as relying parties, and provides a legal basis for charging by onboarded accredited entities (Commonwealth and non-Commonwealth), maximising the benefits.

2. Identified problem area: Inconsistent privacy and security safeguards may become increasingly problematic as AGDIS expands.
   Objective for government action: Government action enhances community confidence, trust and clarity regarding the Program's privacy and security safeguards.

3. Identified problem area: Interim, non-legislative governance framework not sufficiently robust.
   Objective for government action: Government action to elevate existing protections into regulation enhances community confidence, trust and clarity in the integrity, permanence and rigour of governance.

In addition to the above, it is expected that any government intervention will maintain or enhance the principles upon which the AGDIS and the accreditation system are based.
These are:
• Voluntariness - ensuring that creation and use of a digital ID is voluntary at whatever identity proofing level a person chooses to have, and that individuals also have the option to select from multiple identity providers.
• Consent - requiring consent on multiple occasions when an individual interacts, and the ability for that individual to withdraw consent at any time through an easily understood process.
• Privacy - safeguarding the personal information of individuals is the single most important design feature, with privacy-enhancing principles embedded in its design and architecture.
• Security - including specific security requirements with which participants must comply to become and remain accredited, and otherwise embedding security protocols in AGDIS design.
• Integrity - ensuring that an appropriate governance structure is in place, with an Oversight Authority responsible for operational assurance, as well as safety, reliability and efficient operation.

Considering these objectives for government intervention, a number of policy options have been formulated, discussed below in Section 5 Policy options overview.

4.4 Constraints and barriers to government intervention

Any potential government intervention must be undertaken with an awareness of constraints and barriers (either actual or potential). An inherent constraint upon any government action in digital ID is the complexity of the subject matter and the community's low familiarity with, and exposure to, this concept and AGDIS to date. This apparent low level of public understanding could lead to any Australian Government regulation in this area being misconstrued or viewed with hesitation and distrust.

Internal research undertaken by the Australian Government indicates that most Australians do not have a strong understanding of Digital ID. In February 2019, a 12-month assessment of user insights found that most individuals did not understand the concept or value of digital ID and were seeking more information to help them learn about and trust the AGDIS itself. More recent public consultation has also elicited expectations, including that the Australian Government "take advantage of lessons learned from earlier 'trust the government' initiatives with the proposed Digital ID System legislation" (source: Digital Transformation Agency 2020, Submission by the Northern Territory Government) and that "government ... must take responsibility for the impact and accuracy of their Systems" (source: Digital Transformation Agency 2020, Submission by Access Now). This low level of understanding and public confidence may also stem from previous Australian Government activity in national multi-use identity schemes (source: Hanson, F 2018, Preventing another Australia Card fail).
As the New Payments Platform chairman Bob McKinnon observed in 2019, AGDIS stands at risk "of getting tied up to a whole lot of politics around what used to be the Australia Card", as well as other projects of a similar nature that were not ultimately pursued, such as the 2006-07 Access Card initiative. (See, for example, Bajkowski, J 2019, How NPP chairman Bob McKinnon beats banktech delaying tactics, and Jordan, R 2010, Identity cards and the Access Card.)

Successful regulatory intervention in this area will depend on clear and strategic communication to the broader Australian community on exactly what digital ID is and is not. Under the proposed approach, a digital ID is not a single, universal or mandatory number, nor an online profile, and it will be important that this distinction is consistently conveyed. The Program has recognised this issue and has embedded this messaging within its public and stakeholder engagement efforts to date. As described further in Section 10 Consultation, future engagement will continue to address this misconception specifically as it relates to regulatory action.

4.5 Potential alternatives to government action

Alternatives to government action are considered in Section 5, namely within the 'status quo' option. This alternative would not support the expansion of AGDIS to non-Australian Government relying parties or legislatively enable charging by onboarded accredited entities, and would not address the privacy, security and governance problem areas identified in this document.
5 Policy options overview

Three options have been considered in response to the identified problems:
• Option 1 - Maintain the status quo.
• Option 2 - Leverage existing legislative frameworks to enhance privacy safeguards.
• Option 3 - Dedicated legislation to establish a new regulatory scheme for Digital ID, enabling its expansion, entrenching privacy and other consumer protections, and establishing permanent governance arrangements. This would be regulated by an independent Australian Digital ID Regulator (initially the ACCC).

Each option is described below, including applicable implementation considerations.

5.1 Option 1: Status quo

As Option 1 involves no regulatory action, it would see the existing AGDIS entities, interactions and incentives described in Section 2.3.3 Entities, interactions and incentives within the current AGDIS continue. This would entail ongoing application of TDIF policy to onboarded accredited entities and continued oversight by an interim governance body. AGDIS would remain fully accessible to Australian Government relying parties only, with involvement continuing to be managed through System Governance Agreements/Memoranda of Understanding (MoUs) between Australian Government agencies. Onboarded accredited entities using Digital ID would continue to be subject to the existing legislative requirements which apply to them, including the Privacy Act.

Under the status quo, individuals can currently use Digital ID through an identity provider: the Australian Government identity solution, myGovID. Individuals can continue to transact with a select range of Government services and entities. As described above, it is not legally permitted for non-Commonwealth agencies - including businesses or community organisations - to become fully operational relying parties (except in limited circumstances). Nor is there a legislative framework for charging outside the Australian Government, practically limiting the incentives for non-Commonwealth agencies to become onboarded accredited entities.
Under the status quo option, no discrete implementation activity would be required from the Australian Government. However, it would be expected that the Government would continue to serve its existing role in leading delivery: that is, continue to provide oversight, make incremental adjustments as needed to the TDIF governance framework, and manage the entry of new participants. The entry of non-Commonwealth participants, and further expansion, would be limited by the absence of legislative authority for non-Commonwealth relying parties and for charging by onboarded accredited entities.

5.2 Option 2: Leverage existing legislative frameworks to enhance privacy safeguards

Option 2 involves leveraging existing regulatory frameworks to issue new instruments which address, to the greatest extent possible, the identified problems. The specific existing legislative framework explored under this option is enforceable Registered Codes issued under the Privacy Act. While subordinate to primary legislation, Registered Codes are legally binding and would impose additional regulatory measures, including a bespoke enforcement regime.

Under this option, private individuals would continue to be able to use the services offered by identity providers and other onboarded accredited entities operating in Digital ID. Participating entities would be accountable to a designated entity, such as the OAIC or a nominated Code administrator. Part IIIB of the Privacy Act allows the Information Commissioner to approve and register enforceable Codes developed by entities on their own initiative, on request by the Information Commissioner, or by the Commissioner directly. A Code developed for Digital ID would operate in addition to the requirements of the Privacy Act, and could address some of the shortcomings described in Section 3.2.2 Lack of trust in system's privacy and security safeguards, as well as providing an enforcement regime. As Codes under the Privacy Act are disallowable legislative instruments, this approach may address, to a certain extent, the identified problems relating to scrutiny and transparency of privacy rules and requirements.

As it leverages existing regulatory arrangements, Option 2 would not be capable of providing legal authority for expansion of Digital ID to private sector relying parties, implementing a charging framework, or establishing a permanent Oversight Authority.
Therefore, it would see a continuation of the current governance arrangement, featuring joint oversight by Services Australia and the DTA, unless an alternative non-permanent, non-legislated governance arrangement is made.

5.3 Option 3: Dedicated legislation to establish new regulatory scheme

Option 3 involves the establishment of a dedicated regulatory scheme for AGDIS and an accreditation scheme, including an established role for the ACCC as the initial Australian Digital ID Regulator. The regulatory scheme would be established through a package of instruments including the Digital ID Bill 2023 and associated rules (the Bill), as well as further legislation covering transitional and consequential matters. Both pieces of primary legislation would become law upon Parliamentary approval, whereas the Digital ID Accreditation Rules and Digital ID Rules are legally binding instruments which must be tabled in, and can be 'disallowed' by, Parliament. Various other documents will give operational effect to the regulatory scheme, including technical standards, which will be legislative instruments not subject to disallowance.

Option 3 supports an expansion of Digital ID by providing both the legislative authority to involve non-Commonwealth relying parties and the ability for onboarded accredited entities to be subject to a legislated charging framework. In addition to the other measures described below, this new regulatory scheme would apply only to AGDIS and accredited providers (not to digital ID systems in general, though other digital ID systems may choose to join the Government's System) and would ensure that it remains voluntary. Should individuals choose to participate, they will be able to select from a wider range of onboarded accredited entities and relying parties, with economic incentives in place for private sector engagement, beyond the current pool of Australian Government-only entities.

5.3.1 Key elements of dedicated regulatory scheme

Key measures proposed to be included in the regulatory scheme, which align with and address the identified problem areas, are listed below. As described in Section 10 Consultation, the Australian Government's position on each of these areas has been informed by ongoing analysis and consultation inside and outside the Government, including release of an exposure draft Bill. The most recent consultation sought direct feedback on the Digital ID Bill and the Digital ID Rules, which outline the proposed regulatory framework and regulator establishment.

Application of regulatory scheme

Under Option 3, legislation would enable Australian Government, state and territory entities (including local governments) and private entities to connect to AGDIS to offer or use digital ID services in accordance with embedded privacy and security safeguards. It would not apply to digital identities in Australia generally and would ensure that use of the government Digital ID remains voluntary. Additionally, in most circumstances (such as where restricted attributes are not involved) the scheme would not regulate services provided by a relying party in reliance upon a digital ID: regulation stops once the relying party has received verification of the person's digital ID.

The Bill's provisions apply primarily to the activities of onboarded accredited entities, relying parties and accredited entities, with regulatory powers and authority granted to Services Australia as the system administrator, the ACCC as the initial independent regulator, and the OAIC. The extent to which regulatory requirements apply depends upon what is appropriate given the role and interactions of the entity. For example, the integrity requirements, dealing mainly with privacy obligations, will not apply to relying parties (unless otherwise stated). This is because relying parties represent a low risk, obtaining limited information through AGDIS, usually only the 'core attributes' for a digital ID.

Features of regulatory scheme

As set out in the Bill, it is proposed that under this dedicated regulatory scheme the implementation and operation would become a legislated function of the ACCC, supported by a system administrator, being Services Australia. Once enacted, the new regulatory scheme would impose its own enforcement regime, including in some cases civil penalties for breaches of requirements.
It would also cover the following:
• A legislative definition of digital ID (the set of information about attributes of a user which, taken together, allow an individual to be distinguished from another person), recognising that a person may have more than one digital ID. (Where the term "digital ID" is used in the context of Option 3, it can be assumed that this refers to the term as defined in legislation. In other sections of the document, "digital ID" has the meaning set out in the Glossary at Attachment A.)
• Establishment of a Regulator (the Oversight Authority) to oversee AGDIS and the accreditation scheme. There is also a role for a system administrator and the Information Commissioner.
• Obligations for accredited entities (i.e., entities not using the AGDIS).
• The ability of the Minister to appoint advisory committees.
• Applications for accreditation and onboarding and related matters.
• Notice of decisions.
• Internal and Administrative Appeals Tribunal review of decisions.
• Registers to show entities that are participating or are accredited.
• Privacy and other consumer safeguards, security and fraud-prevention requirements applying to participants in a digital ID system.
• Compliance powers.
• For participants:
  − the ability to establish a charging framework
  − a liability framework
  − enforcement, including triggering of some parts of the Regulatory Powers (Standard Provisions) Act 2014 ('Regulatory Powers Act'), namely the civil penalty provisions, enforceable undertakings and injunctions.
• A trust mark framework, with a civil penalty for unauthorised use by a person.

The primary legislation itself is not prescriptive, but establishes powers to regulate in several areas, with further specific details to be set through subordinate legislation. Some aspects of the expected regulatory impacts will be determined by the specifics of this subordinate legislation. Further detail on the regulatory measures contained within Option 3, and their impact on regulated entities, is set out in Section 9 Likely net benefit of Option 3 (dedicated regulatory scheme).
Charging framework

As outlined above, proposed legislation under Option 3 would enable the introduction of a charging framework. Whilst the details of this framework remain under development and the subject of ongoing consultation, it is expected to follow the broad principles below. The charging framework may provide for:
• fees for the assessments necessary to consider an application for accreditation, reaccreditation and annual accreditations
• charges for use of AGDIS by participants.

The framework will not directly impose charges on individuals using Digital ID, but nor will it regulate fees charged by relying parties wanting access to provide a service to an individual. The Bill will allow the Australian Government to charge and will set out criteria for government charging, and secondary legislation (likely rules) will provide the amount of the charge and/or any formula for determining the charge, as well as charging arrangements. The charging framework will be developed in compliance with the Australian Government Charging Framework and related requirements and guidelines. Development of the charging framework has continued throughout 2023, through consultation with key stakeholders including state and territory governments, the private sector and a range of Australian Government departments and entities. This and other Program consultation conducted is described in more detail at Section 10 Consultation.

Mitigating regulatory impact

A key feature of Option 3, reflected in the Bill, is a focus on mitigating complexity and regulatory burden for Australian businesses, individuals and government. To that end, it seeks to leverage existing laws, definitions and concepts wherever possible instead of creating a unique set of arrangements. Key examples of this include:
• existing definitions and terminology from the Privacy Act used within the Bill (such as personal information). This enhances consistency and also mitigates regulatory impact, as many entities should have an existing level of familiarity with these concepts and the regulatory framework will leverage known processes and mechanisms
• continued use of specific terminology and concepts that are already established within sources such as the TDIF and National Identity Proofing Guidelines, under the accreditation system. This will be of particular benefit for entities which are already participating or interacting prior to the legislation being passed
• the adoption of terms and processes from other legislation (and pending legislation) as relevant, for example 'cyber security incident' from the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and the 'adverse assessment and recommendations' process from the Data Availability and Transparency Bill 2020.
6 Approach to determining likely net benefit of options

6.1 Overview

The following sections outline the impacts (both positive and negative) of each option on relevant stakeholder groups, in order to determine the likely net benefit of each option. This impact assessment is conducted at two levels:
• Overall impacts - including economic, competition, social, environmental or other.
• Regulatory impacts - a subset of the overall impacts, specifically focused upon the regulatory impacts of each option and the burden on regulated entities.

Each level of analysis takes a different approach and focuses on different stakeholder groups, as set out in further detail below.

6.2 Overall impacts

This Impact Analysis considers the overall impacts (both costs and benefits) of each option across the broad stakeholder groups that are likely to be affected: individuals, businesses, government and the community. These impacts may be economic, competition, social, environmental or other. For the purposes of this assessment, the stakeholder groups have been defined as follows:
• Individuals - refers to private individuals, specifically those who choose to participate by selecting an identity provider and using their Digital ID to transact with available services online. Individuals who are potential users are also considered.
• Businesses - refers to private sector entities who may wish to be accredited or participate. The impacts of each policy option will differ depending on businesses' intended form of participation, their level of digital maturity, and business size/type/sector.
• Government - includes the Australian Government, as well as state, territory and local governments. The impact analysis specifies the levels of government to which a particular cost or benefit applies, as the impacts of each policy option may vary. This reflects the fact that the Australian Government's current involvement exceeds that of state, territory and local governments. Where the context specifies, this category also includes Government Business Enterprises (GBEs).
• Community - involves consideration of impacts on both the community as a whole, being a collective of individuals, and community sector organisations.

6.3 Regulatory impacts

Regulatory costs form a subset of the overall impacts (costs and benefits) of Digital ID. It is an Australian Government requirement that any proposed new or changed regulation must include quantification of the increase or decrease in regulatory costs imposed on businesses, community organisations and individuals. The identification and quantification of regulatory costs must be conducted in accordance with the Regulatory Burden Measurement Framework. In accordance with government requirements, this Impact Analysis calculates the estimated regulatory burden for Options 2 and 3 (noting that Option 1, as the status quo, presents no regulatory burden). The approach to determining this is set out below, with further information on the costing methodology provided at Appendix E.

6.3.1 Regulatory costs

Under the Regulatory Burden Measurement Framework, only certain costs associated with Digital ID are categorised as 'regulatory'. The primary categories of regulatory costs are:
• Administrative compliance costs - costs incurred by regulated entities primarily to demonstrate compliance with the regulation. For example, the time and costs associated with keeping records, making an application and notifying government of certain activities.
• Substantive compliance costs - costs incurred to deliver the regulated outcomes being sought. For example, the costs of training employees on regulatory requirements, or professional services required to meet regulatory requirements.
• Delay costs - the expenses and loss of income incurred by a regulated entity as a result of an application delay or an approval delay.
There are several types of costs specifically excluded from the Regulatory Burden Measurement Framework. These include, for example, opportunity costs, business-as-usual costs, enforcement/compliance costs (such as fines for failing to comply with regulation), and government-to-government regulation. Importantly, fees for services (such as any charges payable under a future charging framework) are not categorised as regulatory costs, and therefore are not quantified under this Impact Analysis.

6.3.2 Regulated entities

The overall impacts consider flow-on impacts of the regulation on a broad range of stakeholders across the Australian community. However, as the regulatory impact assessment focuses only on regulatory costs, by definition it focuses on regulated entities only. The stakeholders to which regulation would apply, and therefore the focus of this regulatory cost analysis, are:
• Accredited entities - entities accredited for a particular role which have not been onboarded.
• Participating (onboarded) entities - entities that are accredited and onboarded to the Digital ID System as Aps, CSPs, IDXs and/or IDPs.
• Relying parties - entities that rely upon verified information provided through AGDIS or an accredited provider to provide a digital service. Relying parties must be onboarded, but are not accredited.

The regulatory costs and impacts have been considered through the lens of these specific stakeholder groups. Although governments of all levels can participate in the above roles, government-to-government regulation is excluded from the Framework. This exclusion does not, however, apply to GBEs and public universities. Noting the important role that GBEs such as Australia Post may play in the future (with Australia Post's identity solution already accredited), these types of entities are included in the regulatory burden measurement.

6.4 Impact analysis approach

The impact analysis has been progressed iteratively alongside the policy development process, and reflects feedback received as recently as October 2023.
Initially, it focused upon identifying broad categories of anticipated costs and benefits arising from the proposed policy options. A comprehensive scan was conducted of available literature and evidence on the impacts of Digital ID, both its potential benefits (for individuals, businesses, government, community and the economy) and the potential regulatory costs of the policy positions. There are a range of digital ID programs in operation or under development around the world, including in Canada, New Zealand, Sweden, India, the United Kingdom and Estonia. The impacts of digital ID programs in these different country contexts were examined, with analysis then considering their applicability to the Australian context. In some instances, this process identified costs or benefits which are unlikely to be realised through the AGDIS, which were then excluded from analysis. For example, in India one of the most significant benefits of digital ID's expansion has been a major reduction in corruption, due to the reduced influence of local government officials in verifying and endorsing identity. This was not assessed as relevant in the Australian context because of significantly lower levels of government corruption risk.

Further, consultation conducted by the Program also supported the identification of potential costs and benefits arising from this proposed regulation. Submissions to public consultation processes were examined in particular to identify any areas which had not already been identified internally. Consultation with Program subject matter experts also supported identification of areas where the costs and benefits of Australia's proposed approach may diverge from those observed internationally. This highlighted the differential impacts expected for onboarded accredited entities compared with relying parties (as detailed in Section 9 Likely net benefit of Option 3 regulatory scheme).

In October 2021, the identified impacts of all options (both qualitative and quantitative regulatory cost estimates) were validated through public release of the Consultation Impact Analysis. The outcomes of this and other consultation activities are discussed in more detail in Section 10 Consultation. The following three sections describe the costs, benefits and overall likely net benefit for each option, in accordance with the methodology described above.
7 Likely net benefit of Option 1 (status quo) Option 1 involves continued existence AGDIS as it currently operates, with no regulatory action. As such, there are no changes to the costs and benefits currently experienced by each stakeholder group. For completeness, these costs and benefits are described below. 7.1 Overall impacts 7.1.1 Individuals Under the status quo arrangement, individuals can access AGDIS through myGovID (the Australian Government's digital ID provider), and transactions within it continue to be limited to Commonwealth (and select state and territory) services and entities. In their interactions with participating Australian Government services, individuals benefit from improved speed and convenience across a range of transactions - with over 135 digital government services currently accessible. However, the exclusion of non-Commonwealth agencies as relying parties (except in limited circumstances) and charging onboarded accredited entities under the status quo constrains the places and contexts in which individuals can use AGDIS. The implications of the status quo arrangement for individuals are two-fold. First, whilst individuals have protections under the TDIF in areas such as privacy, collection and use of data, and storage of biometric information, this only applies in relation to accredited services available in AGDIS currently (primarily Australian Government). Second, the full efficiency benefits for individuals cannot be realised due to ongoing inability to expand to the private sector. Legislation is required to bring non-Commonwealth relying parties and charging onboarded accredited entities, allowing full access to both government and private sector verification. 
Under the status quo, where private sector entities are not able to participate in the AGDIS as relying parties nor as onboarded accredited entities with a legislative ability to charge, future growth in the number of participants entering as onboarded accredited entities (for example, as IDPs or Aps), may also be inhibited. While AGDIS currently facilitates transactions with a number of Australian Government agencies, the ongoing benefits of scale and potential market uptake would be greatly Impact Analysis: Page 52 of 158 Digital ID Bill 2023 - Explanatory Memorandum: Page 213 of 319


reduced if the pool of relying party participants remains restricted to such entities. Individuals will continue to face limitations in their choice of identity provider, being the existing myGovID, and Digital ID services. Individuals who use the AGDIS incur no direct costs, as their use of the two identity products listed above remains free. There is no regulatory burden on this stakeholder group. If the status quo were maintained, individuals would retain access to the current benefits with available Government services. However, they would forego the additional or compounded benefits that would arise from the expansion to non- Commonwealth relying parties and charging onboarded accredited entities. These foregone benefits are discussed in greater detail under Option 3, but include: • improved speed and convenience in interactions with a wider range of entities - particularly as individuals typically interact regularly with private sector providers, such as banks, utilities and telecommunications providers • reduced risk of identity fraud and associated financial loss - as financial services providers and other entities (which are the most common sites for this type of fraud) cannot participate as relying parties • increased choice and control in how they engage with Digital ID - as they will likely be limited to using government and quasi-government identity solutions • strengthened consumer protections enabled both by the conversion of voluntary TDIF requirements into law and their expansion to all participants - as these will not apply. Assessment of net expected benefits: Under the status quo, individuals continue to benefit from the significant efficiency gains arising in interactions with Australian Government services currently participating in Digital ID. This leads to an overall net positive benefit for individuals, compared to a situation where AGDIS is not available. 
However, considered in relative terms, the net benefits of the status quo for current and potential individual users are less than those available under other options that may enable expansion.
7.1.2 Businesses

Under the status quo, small, medium and large enterprises face no regulatory costs because their participation in AGDIS is generally not supported. As with individuals, this results in considerable foregone benefits for this major segment of Australia's economy. These foregone benefits differ according to the role in which businesses would seek to enter the market, either as onboarded accredited entities or as relying parties.

Onboarded accredited entities

Whilst there are no legal impediments to businesses becoming onboarded accredited entities under the status quo arrangements, there is no legislative basis for charging for services. This practical constraint is likely to deter most potential onboarded accredited entities, particularly small to medium enterprises. Similarly, potential large enterprise onboarded accredited entities would have no legislated ability to charge for their services. This would result in foregone benefits in relation to new business opportunities, and those expected to accrue through innovation and expansion of existing identity products or solutions.

Under the status quo, all potential onboarded accredited entity businesses would forego the legal protections associated with a dedicated regulatory scheme. Specifically, the proposed legislation includes a liability regime, enabling the Australian Government to indemnify onboarded accredited entities from civil proceedings and liability if they have provided the service in good faith and in compliance with the regulatory scheme (whilst requiring them to assist users where there has been an inappropriate disclosure of information, identity theft, or cyber security incident). The benefits of this indemnity would significantly reduce onboarded accredited entity businesses' exposure to financial loss and the risk of civil litigation.

Relying parties

The status quo does not allow private sector entities to participate as relying parties. The legal rationale for this is outlined in Section 3.2.1 No legal basis for participation of non-Australian Government agencies as relying parties, nor for a charging framework. As a result, small, medium and large enterprises who would otherwise seek to participate forego all benefits expected to accrue under a dedicated regulatory scheme. These include:
• Efficiency and potential productivity improvements associated with reduced manual handling of customer identification documents, reduced staff resourcing requirements for identity verification and increased speed of verification with other participating entities. These foregone benefits are potentially significant for many small and medium enterprises that are heavily reliant on manual handling and staff resourcing to conduct business activities.
• New business opportunities available because of easy and cost-efficient access to verified attributes.
• Reduced instances of financial loss associated with customer fraud, as well as efficiencies gained through reduced investigation and prosecution of fraud events. These foregone benefits are expected to represent the most significant share of indirect costs associated with maintaining the status quo.

Assessment of net expected benefits: Under the status quo, there are ongoing positive direct and indirect benefits for business users in terms of efficiency and productivity gains. However, under this option, a significant number of businesses are unable to participate as relying parties or onboarded accredited entities, and those which may, in theory, participate lack the incentives to do so. If the status quo is maintained, the indirect costs for businesses are likely to be significant when the status quo arrangement is compared with the benefits available under a dedicated regulatory scheme. This means that, on a relative comparison, the net expected benefits for business of the status quo are likely to be less than under other options.

7.1.3 Government

While continuing the regulatory status quo arrangement may offer some certainty for government stakeholders, potential benefits may not be fully realised.
In particular, the status quo may jeopardise the Australian Government's commitment to 'choice' as a fundamental principle of its approach to Digital ID expansion. Access to a pool of Australian Government-only services and a low number of identity providers means Australians' ability to choose where and how they engage is inherently limited.

Currently, Australian Government entities participating in AGDIS benefit from increased efficiency of customer operations and productivity gains, arising from reduced manual handling. These benefits will endure for Government agencies if the status quo arrangement were maintained. However, under the status quo, these benefits do not extend to state, territory or local governments. As such, with the exception of current Australian Government participants, other levels of government forego similar benefits to private sector businesses, including:
• improved efficiency of customer operations
• reduced manual handling, resulting in time and cost savings
• reduced time and effort undertaking 'de-duplication', that is, reducing the instances of duplicated entries within alternative identity systems (as this de-duplication would be performed automatically by the identity exchange under an expanded approach to Digital ID)
• reduced instances of identity fraud resulting in the payment of benefits or supply of services to which people are not entitled.

As government services increasingly move online, there is a growing need for digital options to verify identity. A lack of such options undermines the service experience and efficiency gains associated with digital delivery of Government services. If state, territory and local governments are unable to participate, it is likely that alternative solutions will need to be developed by individual jurisdictions, at significant time and cost impost. Therefore, the status quo imposes potential indirect costs on these levels of government, by requiring them to establish and invest in alternative identity verification solutions.
Assessment of net expected benefits: The benefits currently conferred on Australian Government agencies are expected to offset the foregone benefits and indirect costs associated with the status quo option for state, territory and local governments. However, the larger number of sub-national government entities and higher combined volume of transactions mean the foregone benefits of an option that does not allow system expansion are still considered significant.

7.1.4 Community

Under the status quo, community stakeholders derive limited benefits, as they are largely excluded from participation. As with businesses and government entities that may participate as relying parties, community sector organisations face foregone benefits, including:
• improved efficiency of customer operations and reduced manual handling
• reduced instances of identity fraud resulting in the supply of services or goods to which people are not entitled.

As entities engaged in charitable or not-for-profit activities, community organisations may in fact benefit more significantly from the above efficiencies than their counterparts in the for-profit sector, and conversely are more adversely impacted by foregoing these benefits.

The benefits accruing to the broader Australian community largely relate to trust and confidence. If Australians collectively trust AGDIS and have confidence that it will support their privacy, autonomy and control, they are more likely to participate as users, leading to collective economy-wide benefits. Under the status quo, the protections and provisions of the TDIF are not legislatively enforceable, nor are they overseen by a permanent governance authority with legislative functions and powers. This arrangement is less likely to support strong community trust and confidence in integrity and safeguards than, by comparison, the dedicated regulatory scheme option. Option 3 also offers enhanced protections beyond those currently included in the TDIF and existing privacy legislation (for example, in relation to biometrics and commercialisation of data). These are entirely foregone under the status quo.

Assessment of net expected benefits: Compared to an expanded AGDIS underpinned by regulation, community organisations and the community as a whole incur substantial foregone benefits (such as efficiencies for community organisations seeking to become relying parties, as well as strengthened trust and confidence).
7.2 Regulatory impacts

As the status quo envisages that AGDIS continues operating with no dedicated legislative or regulatory framework, it presents no regulatory impact. Even if there were, the ongoing restrictions on non-Commonwealth involvement under this option mean that such regulation would not be imposed upon the private sector (business, community or individuals). In the following sections, this current state is treated as the 'baseline' against which the potential regulatory impact of Options 2 and 3 is expressed.

7.3 Likely net benefit

As described in Section 2.4 Benefits and value of Digital ID System for stakeholders, the status quo arrangement continues to confer notable benefits on current Australian Government agency participants, some businesses, and Australians, insofar as access and the broader Australian Government framework would be ongoing in their current form. However, these benefits accrue only to a subset of those entities and businesses capable of participating through other options canvassed in this Impact Analysis. Under the status quo, there are no additional or changed regulatory costs incurred by any stakeholders.

Despite the many proven benefits of AGDIS, and the absence of regulatory costs, under Option 1 individuals, businesses, governments and the community will incur substantial foregone benefits relative to other options. The full potential of AGDIS can only be realised through its expansion to a far wider range of entities and service contexts, an expansion which cannot be achieved through the status quo arrangements.


8 Likely net benefit of Option 2 (leverage existing regulatory frameworks)

As with Option 1, Option 2 supports involvement only from Australian Government agency participants and Australian individuals. This option will not support an expansion to non-Commonwealth relying parties, nor provide a legislative charging framework for use by non-Commonwealth onboarded accredited entities. With this in mind, Option 2's impacts on each stakeholder group are addressed below.

8.1 Overall impacts

8.1.1 Individuals

Under Option 2, individuals would continue to enjoy the efficiency benefits gained from interactions with current Australian Government agency participants. Further, individuals will benefit from the strengthening of some privacy and consumer safeguards, which currently apply in a non-legally enforceable manner to participants within the TDIF. This option would make existing protections legally enforceable, likely with reviews, monitoring and reporting conducted by a nominated APP Code Administrator. (The OAIC's guidelines for developing codes, issued under Part IIIB of the Privacy Act, outline a range of recommended powers and functions of the Code administrator.) However, Option 2 would not deliver new or additional consumer protections for individuals using Digital ID. While any new protections would remain subordinate to primary legislation, this benefit represents a strengthened position on privacy and security compared with the status quo's non-legislative model of compliance with the TDIF.

As private individuals can continue to use AGDIS services, they would continue to benefit from the indirect time savings attributable to the reduced time required to present identity documents, set up multiple identity profiles across diverse service providers and verify their identity with service providers. Economic modelling has indicated that, on a per transaction basis, this can be quantified as 115 minutes of time saved from completing a transaction using digital ID compared to without, equivalent to $61.00 per transaction (using the default value for an individual's leisure time per the Regulatory Burden Measurement Framework), noting that this figure does not represent a cost saving as it is not directly attributable to Option 2.

Extrapolating this per-transaction benefit across the economy, using the estimated transactions through myGovID in 2021-22 as a basis, the whole-of-economy transaction savings are estimated at $3.312 billion across 54 million transactions. These figures are conservative estimations that account only for government transactions and do not incorporate any increase in volume across the years. It is possible that AGDIS accompanied by legislative privacy protections, and the enhanced trust and confidence resulting from this option, would increase uptake by individuals, and thereby increase the volume and significance of time savings benefits to individuals across the economy.

However, Option 2 is not expected to substantially increase the range of agencies or entities participating because it does not address the barriers to participation by private sector entities or state, territory and local governments. As a result, individuals are expected to forego the compounded efficiency benefits, reduced risk of identity fraud and increased choice which would be available under a dedicated regulatory arrangement.

Assessment of net expected benefits: Under this option, individuals are expected to experience increased benefits through stronger enforceability of existing consumer protections, when compared with the status quo arrangement. However, because this option does not enable expansion to more participants beyond the status quo, individuals will continue to forego the additional benefits available under a dedicated regulatory scheme. These foregone benefits are expected to outweigh the benefits available under Option 2, meaning the net expected benefit for individuals, compared with Option 3, is likely to be significantly less.

8.1.2 Businesses

Option 2 would not alter any of the existing legal barriers preventing participation by businesses.
Businesses would continue to be eligible to participate in the scheme as onboarded accredited entities (for example, by becoming an identity provider), but are unlikely to do so given the legal inability to charge for these services. Nor would businesses be able to participate as relying parties (for example, by using myGovID to verify customer identities). This leads to slightly different benefits and costs for these two categories of potential participants, as outlined below.

Onboarded accredited entities

Under Option 2, onboarded accredited entities would be expected to face increased regulatory costs compared with Option 1, but lower regulatory costs than under Option 3. This is because the provisions of the TDIF would take on the status of an enforceable Code, rather than being written into primary law. While onboarded accredited entities may incur lower compliance costs under Option 2 than would be the case under Option 3, they would also see fewer benefits. This is primarily because the Code would not encompass the proposed indemnity arrangements against loss arising from the provision of a fraudulent identity. As identified under Option 1, this is a significant potential benefit for businesses which would be foregone under all options except the legislative approach.

As with Option 1, businesses would notionally be able to join as identity providers and therefore expand their service offerings or market presence. In practice, however, the incentive to do so would continue to be limited (particularly for small and many medium-sized businesses) because this option does not enable them to charge for services provided.

Relying parties

Option 2 does not address the existing restrictions on businesses participating in the AGDIS as relying parties. Businesses which are potential participants would therefore not experience regulatory costs, due to being excluded from participation. These businesses would also incur the same foregone benefits outlined under Option 1, which have been noted to be the largest potential source of economic and productivity gains.

Assessment of net expected benefits: The major potential benefits for business arise from the expansion of AGDIS to a broader range of entities beyond government entities. This would both increase the productivity and efficiency gains for relying party businesses and incentivise the entry into the market of more onboarded accredited entities, which can then pursue new market opportunities. Option 2 does not address the existing barriers to participation by business in either of these capacities, meaning foregone benefits would remain. As a result, the net expected benefit is likely to be comparatively less for businesses than under Option 3.


8.1.3 Government

Option 2 does not affect the range of government entities which can participate. It is expected that uptake by Australian Government entities would continue to increase, with a Code providing somewhat improved clarity and transparency in relation to the obligations of participating entities. The benefits accruing to participating Government entities under the status quo arrangements would also continue to apply, including increased efficiency (through reduced manual processes and the reduced need for de-duplication), productivity and reduced instances of identity theft or fraud. However, existing restrictions on the participation of state, territory and local governments would remain, limiting the opportunity for these benefits to flow to entities outside the Australian Government.

In line with the above discussion of business impacts, government entities which are already fully complying with the TDIF would not be expected to incur additional costs as a result of leveraging existing regulatory frameworks. This should cover most Australian Government participants currently operating a service. However, given that a Code would impose additional obligations over and above those within the Privacy Act, some new entities or departments may need to upgrade their practices, infrastructure or procedures to comply with the Code ahead of joining.

Compared with Option 3, this option is expected to result in lower costs to the Australian Government in relation to implementation and ongoing oversight of AGDIS. The approach may introduce added complexity for implementation and operation on an ongoing basis, as the source of AGDIS' legislative authority would reside in legislation administered by a separate department and portfolio. While this may introduce some added complexity and potential administrative and governance burdens, Option 2 does not involve the establishment of a permanent Oversight Authority. This means cost savings arise from avoiding the investments in governance, assurance, compliance and enforcement that would be required to support the dedicated regulatory scheme option. The specific extent of these cost savings would depend on Government decisions about the reasonable resourcing required to give effect to Option 3. While these potential savings may be considered a benefit in the specific context of the Australian Government's budget, they would come at the expense of significant foregone benefits for state, territory and local governments, businesses and individuals, as outlined in this section.

Assessment of net expected benefits: The benefits accruing to the Australian Government under Option 2 are notable, but broadly equivalent to those available under the status quo, with the addition of some regulatory cost savings. However, the foregone benefits for state, territory and local governments incurred from their exclusion from the market are also expected to remain significant. Taking these different impacts across levels of government into account, and the potential benefits available under a dedicated regulatory scheme, the net expected benefit of Option 2 is likely to be less than that available under Option 3.

8.1.4 Community

Option 2 does not address the existing restrictions on community organisations' participation as relying parties or as onboarded accredited entities with a legislative ability to charge. As such, community organisations that would otherwise wish to participate would experience no added costs under Option 2. However, these organisations also forego the same benefits as outlined under Option 1, including substantial productivity and efficiency gains which would be particularly valuable to the community sector. Leveraging existing regulatory frameworks may serve to increase the Australian community's understanding of Digital ID, and trust and confidence in its protections. However, the consequential impacts on increased uptake would remain inherently limited, given the exclusion of some government and all private sector entities.

Assessment of net expected benefits: The Australian community's levels of trust and confidence may be slightly improved by Option 2, due to increased privacy and security protections. However, trust and confidence would be substantially better supported under Option 3. For community organisations, the costs of Option 2 are likely to outweigh the benefits, as such organisations' participation as relying parties is not supported by Option 2.
8.2 Regulatory impacts

Option 2 involves leveraging existing regulatory systems to provide protections in key areas such as privacy. However, this option does not address the existing legal restrictions on involvement of non-Commonwealth relying parties, and would not establish a legislative basis for onboarded accredited entities to be able to charge. As a result, private sector or community organisations would not be considered 'regulated entities' under this option. The primary participants (both relying parties and onboarded accredited entities) would continue to be Australian Government agencies, which are not within the scope of the Regulatory Burden Measurement Framework.

One exception to the above is GBEs such as Australia Post, which are within the Framework's scope. Under Option 2, GBEs would be required to comply with the provisions of a Code registered under the Privacy Act. As set out in Section 3.2.2 Lack of trust in Digital ID System's privacy and security safeguards, the primary shortcoming that Option 2 would be seeking to address is the inconsistency in privacy obligations across APP and non-APP entities. The Code envisaged in Option 2 would apply universal, consistent obligations across all participating entities, up to a minimum standard consistent with Australian Government privacy legislation. As GBEs are already bound by the Privacy Act, including the NDB Scheme, the additional regulatory cost of complying with any privacy code under Option 2 is expected to be negligible. As participation is voluntary for GBEs and other participants, it would be expected that GBEs would only provide services if these regulatory costs were offset by the broader economic and commercial benefits available.

The regulatory cost for Option 2 is the estimated total amount it would cost impacted entities to comply with leveraging existing regulatory systems to enhance privacy safeguards, based on time and labour costs to undertake required activities (i.e. it is not a 'fee' or 'charge'). This figure has been developed in accordance with the Australian Government's Regulatory Burden Measurement Framework, and relies on a range of assumptions described in further detail in Appendix E Regulatory costs: Methodology and assumptions. The annual economy-wide regulatory cost of Option 2 has been estimated at $23,502, as set out in Table 3 below. For contextual purposes, the select indirect benefits estimated at a whole-of-economy level from individual time savings are also presented below in Table 4.


Table 3: Option 2 Regulatory burden estimate (RBE) table

Option 2 Average Annual Compliance Costs (from business as usual)

Costs ($)*        | GBE**     | Business | Community Organisations | Individuals | Total Cost
Relying Parties   | $23,502   |          |                         |             | $23,502
Total by Sector   | + $23,502 | N/A      | N/A                     | N/A         | + $23,502

* Costs are average annualised economy-wide costs calculated over the default 10 years of regulation required by the Regulatory Burden Measurement Framework.
** This assumes that all GBEs will onboard as relying parties over the first four years until all (currently nine) are onboarded. As such, the compliance costs increase each year before plateauing from years five to 10.

Table 4: Option 2 Select indirect benefits table

Option 2 Select Indirect Benefits^ (from business as usual)

Benefits*                             | Business | Community organisations | Individuals    | Number of transactions** | Total change in benefit
Individual time saving                |          |                         | 115 minutes    | 1                        | 115 minutes
Individual transaction saving         |          |                         | $61.00         | 1                        | $61.00
Whole-of-economy transaction savings  | -        | -                       | $3,312,000,000 | 54,000,000               | $3,312,000,000

^ Indirect benefits may be realised by individuals, businesses and community organisations as regulation fosters additional service offerings and options for verifying identity. It is expected that an individual could save 115 minutes of time (source: KPMG, 2021, Economic Benefits of Digital Identity) by completing a transaction with a digital ID compared to without. Based on the default value for an individual's leisure time ($32 per hour per the Regulatory Burden Measurement Framework), this would equate to an individual benefit of $61.00 per transaction. Similarly, for a small business it is expected that setting up an ABN and registering a business name would take a quarter of the time it would otherwise, estimated to save the business $128 in this transaction. However, these are time savings not cost savings and are not directly attributable to the regulation. Rather, they are a result of an additional identity verification option becoming available.
* Please note, the savings quantified in the above table are not comprehensive as there are other benefits to businesses, community organisations and governments as described in Section 8.1. The savings detailed in the above table have been calculated as follows: Individual saving per transaction ($61.00) x number of transactions.
** The number of transactions used in this calculation is based on estimated transactions through myGovID in 2021-22 used in the Digital ID Charging Framework. This is based on government transactions only and is a conservative estimate as it does not incorporate any increase in volume across the years and does not include transactions that may occur through uptake of private sector services. Private sector take-up impacting the volume of transactions cannot be accurately forecast as it is dependent on a number of factors, including the future charging framework.

8.3 Likely net benefit

The above analysis concludes that Option 2 may offer some efficiency and productivity benefits for select stakeholder groups that already have legislative authority to use Digital ID under existing arrangements, notably individuals (primarily in the form of time savings) and governments. This is offset by minor regulatory costs incurred by a very narrow category of users (specifically GBEs), which are expected to be minimal given these entities' existing obligations to comply with Privacy Act regulations. Further, individuals and the Australian community may benefit from slightly enhanced privacy and security mechanisms. However, all stakeholders are expected to experience significant foregone benefits which would be realised through expansion to include non-Commonwealth relying parties under a dedicated regulatory arrangement.
9 Likely net benefit of Option 3 (dedicated regulatory scheme)

As described in Section 5.3 Option 3: Dedicated legislation to establish new regulatory scheme, Option 3 involves establishing a dedicated regulatory scheme that would support an expansion of AGDIS to include an accreditation scheme. This option would, through the Bill, provide legislative authority to involve non-Commonwealth relying parties, and the ability for onboarded accredited entities to be subject to a legislated charging framework. The regulatory framework has three core functions in its structure: the establishment of the accreditation system and AGDIS, the ability for the Minister to make accreditation rules and rules for governance of AGDIS, and data standards made by a Data Standards Chair. This provides not only the legal basis for operation, but the ability to respond to regulatory concerns and shape the market as it grows and evolves.
9.1 Overall impacts 9.1.1 Individuals The benefits to individuals of Option 3 can be articulated at two levels, those arising: • indirectly from the expansion enabled by the legislation. • directly from the protections and safeguards offered by the regulatory scheme itself. (a) Expected benefits of expansion This legislation will provide the foundations for a much wider range of private sector and state, territory and local government entities to use Digital ID to verify their customers. For individuals, this means being able to interact and transact with greater speed and efficiency with a wider range of organisations and businesses. Internationally, digital ID has been taken up by providers in a number of sectors that Australians interact with regularly, particularly: • banks and financial institutions • utilities and telecommunications providers • social care service providers (for example, healthcare and childcare) • state and local government authorities. Interest in accreditation has also been received from international IDPs wanting to offer digital ID services in Australia. Enabling the participation of such an expanded range of organisations and businesses within Australia is an expressed policy objective of this regulatory action, as discussed above in Section 4.3 Objectives for government intervention. By removing the need to present physical identity documents and set up multiple identity profiles across these diverse service providers, the time required for individuals to verify their identity with service providers can be reduced from hours to minutes. Economic modelling has indicated that an individual could save 115 minutes of time just by completing a transaction with a digital ID compared to without (source: KPMG, 2021, Economic Benefits of Digital Identity). 
This would amount to an individual time savings benefit of $61.00 per transaction (using the default value for an individual's leisure time per the Regulatory Burden Measurement Framework), noting that this figure does not represent a cost saving as it is not directly attributable to the regulatory scheme but, rather, is an indirect benefit. Extrapolating this per-transaction benefit across the economy, using the estimated transactions through myGovID in 2021-22 as a basis, the whole-of-economy time savings benefit comes to approximately $3.312 billion across 54 million transactions. These figures are conservative estimations that account only for government transactions and do not incorporate any increase in volume across the years or potential uptake of private sector services (which cannot be accurately forecast at this stage, being dependent on several factors). However, it may be assumed that an expansion of Digital ID supported by a regulatory scheme would allow for an increased volume of these transactions across additional service offerings and options for identity verification, which would thereby increase the significance of time savings benefits to individuals across the economy.

Consultation and consistent engagement with the Australian public would be a crucial factor in allowing for optimal realisation of these benefits for individuals, an insight that can be drawn from the UK digital ID experience. Research indicates that a key challenge to private sector and broader uptake of GOV.UK was that the public did not feel well informed about digital ID and biometrics, with consultation revealing that more than half of those engaged felt that they were either not well informed or knew nothing about the issues surrounding the UK program (source: Biometric Update.com, 2021, Government Digital Identity Plans Advance Amid Scepticism, Lack of Awareness). These select time savings would be expected to grow as the range of places individuals can use Digital ID expands.
The accreditation system to allow private sector participants is also expected to confer benefits for individuals in relation to the avoided costs of data spills and associated identity theft and fraud. The World Bank previously estimated worldwide identity theft costs to be at least $307 billion per annum, with $8.3 billion resulting from credit and debit card fraud. It noted that a robust identification system with efficient query mechanisms, customer identification, and high levels of integration could help significantly combat these figures (source: World Bank, 2018, Private Sector Economic Impacts from Identification Systems). An expanded program offers such a solution, providing for a higher standard of secure verification and reducing the need for physical identity documents.


With a significant amount of identity fraud occurring in relation to transactions with banks and other financial services providers, the expansion to these providers presents a meaningful opportunity to reduce the individual costs of this kind of crime. As with the time savings benefits, the avoided costs of identity fraud and data spills would be expected to grow as the number of private sector providers adopting Digital ID increases. The costs of identity fraud to an individual can be both financial (through lost funds) and personal (through, for example, the time taken to rectify or mitigate the fraud and reputational or other personal damage inflicted).

(b) Expected benefits of regulatory scheme

The legislation's mandate that Digital ID remain voluntary for individuals offers a considerable benefit, particularly for individuals who, for various reasons, may prefer not to engage with government-provided identity products. Legislation will also ensure that relying parties may not compel individuals to use Digital ID to access services and, with some exceptions, must continue to provide alternative options for identity verification (e.g., telephone, in-person and paper-based options). This means user choice will be strong and formally embedded through the legislation.

The regulatory scheme will enhance privacy protections for individuals. The proposed protections would represent a strengthening of those currently in place by virtue of existing privacy legislation, including the Privacy Act, because they would:
• restrict the creation and use of a single identifier
• impose strong conditions upon the use of biometric information
• impose data breach action and reporting requirements which are currently not in place
• restrict the capacity for aggregation and on-use of personal data.
Additionally, the legislation would establish a permanent Oversight Authority with the ability to make and enforce security and integrity rules on AGDIS and Accreditation Scheme participants, further strengthening protections for individuals compared with current arrangements that lack legal enforceability. As a result, individuals will benefit from strengthened, legally entrenched privacy protections, and improved avenues for recourse, in the event of the misuse of personal information, data breaches or identity fraud.


The requirement that positive consent be sought from individuals on each occasion prior to the provision of a service will ensure individuals enjoy strong levels of autonomy and control over how and when they interact with Digital ID. This is in contrast with other de facto identity solutions made available by private companies, which are increasingly being used to transact with companies and services online.

(c) Expected costs of regulatory scheme

The policy intent underpinning the proposed regulatory scheme is that individuals will not be directly charged for using Digital ID; however, it will not regulate fees charged by relying parties accessing the system to provide a service to an individual. This means individuals interacting with Digital ID may be charged to do so by a relying party. Given the voluntariness approach, and the requirement that alternatives remain available, relying parties would need to ensure that such charges are set at a level which incentivises individuals to use Digital ID, rather than the alternatives available. In relation to regulatory costs, the specific provisions of the regulatory scheme would apply primarily to onboarded accredited entities and - in some instances - relying parties. As a result, there are not expected to be any regulatory costs to individuals arising from this option. There is a small risk that the expansion-related benefits outlined above become foregone benefits for individuals if the regulatory burden were so great as to prevent private sector providers participating in Digital ID. However, this does not appear to be a significant risk considering the balance of costs and benefits for these participants, discussed below.
Assessment of net expected benefits: Considering the significant expected benefits for individuals - direct and indirect - enabled by this dedicated regulatory scheme, and the minimal individual costs associated with it, the balance of net benefits under Option 3 is expected to be strongly positive for individual Australians.

9.1.2 Businesses

Option 3 provides the legal authority for businesses to engage with, and participate in, several different contexts. Under the status quo, businesses can already become an onboarded accredited entity (but are unlikely to be active due to the absence of a charging framework), to play a role as one or more of the following:
• IDP - for example, a consortium of banks may choose to develop a private sector identity verification product offering parallel services to myGovID.
• AP - for example, universities may choose to participate to provide verification services relating to qualifications.

Businesses participating as onboarded accredited entities are expected to be larger corporations and entities. This is because of the infrastructure and investment costs associated with delivering identity and attribute services. However, under Option 3, businesses could also engage as accredited entities that choose not to be onboarded, or as relying parties. For example, utilities providers may connect with one or more IDPs to undertake identity verification on new customer accounts. Businesses participating as relying parties are expected to span a diversity of sizes, potentially including small businesses and sole traders which are currently exempt from the Privacy Act and other data handling and security regimes.

As noted throughout this assessment, the provisions of the proposed regulatory scheme primarily apply to onboarded accredited entities. For this reason, the expected benefits and costs for business have been assessed separately depending on whether they are onboarded accredited entities, accredited entities or relying parties. As accreditation and participation is voluntary for businesses, it is expected that only those organisations which perceive a net positive benefit will choose to participate.

Onboarded accredited entities

(a) Expected benefits of regulatory scheme

Currently, private sector entities wishing to participate as onboarded accredited entities are not supported by a robust system of regulatory safeguards and frameworks. For businesses considering making the investments necessary to participate, Option 3's regulatory scheme (and the governance structure it establishes) provides a clear basis upon which to assess the expected long-term benefits, risks and costs of doing so.
Under Option 3, legislation also establishes the framework and principles for a charging scheme associated with use of Digital ID. The details of this scheme will be determined in secondary legislation but are expected to facilitate charging by onboarded accredited entities for the use of their services (e.g., identity service products or attribute verification). The establishment of the charging scheme provides a basis for onboarded accredited entities to generate significant commercial benefits through the aggregation of fees received as a service provider. The exact quantum of these benefits will be determined by the regulatory scheme's charging framework.

The regulatory scheme will strengthen safeguards for participating non-Commonwealth agencies. Specifically, proposed liability provisions will enable the Commonwealth to indemnify onboarded accredited entities from any loss that results from, for example, the provision of a fraudulent identity, provided the entity has acted in good faith and demonstrated compliance with all rules and regulations. This would significantly mitigate the risks of service provision, compared with the status quo in which such protections are not available to non-Commonwealth agencies. Further, private entities that currently provide digital ID services as part of their commercial offering, such as credit and background checking agencies, will benefit from the possible evolution of their service offering, supported by the new regulatory scheme. This demonstrates Option 3's capability not only to facilitate the creation of new digital ID products, but to create opportunities for innovation in existing private sector forms of identity verification.

(b) Expected costs of regulatory scheme

The legislation will require potential onboarded accredited entity businesses to comply with the requirements of the Privacy Act (as applicable to their Digital ID-related activities). Where businesses do not already operate in alignment with the Privacy Act's requirements, the costs of compliance are potentially significant. The Privacy Act mandates a range of measures for data collection, storage and destruction, among others, which are unlikely to be standard practice for smaller businesses or private firms.
This potential cost is mitigated by the fact that entities engaging as onboarded accredited entities are anticipated to be larger private sector businesses. As previously noted within this Impact Analysis, all businesses with annual revenue above $3 million are already subject to the provisions of the Privacy Act. These businesses would therefore not incur additional compliance costs related to this requirement, where they are already subject to the Act's provisions.


Businesses wishing to become onboarded accredited entities are also likely to incur costs associated with other non-privacy related requirements mandated by the regulatory scheme. These are expected to include:
• administrative costs associated with reporting requirements to the future Oversight Authority
• AGDIS and infrastructure security requirements established to meet the standards of accreditation
• compliance monitoring to ensure use and access is provided in line with authorised uses
• oversight, restrictions and associated requirements of managing biometric identifiers, and the creation and use of single identifiers
• monitoring and compliance for data breach notification processes
• compliance with any other rules imposed by the Oversight Authority, to address security.

It should be noted that some of these costs would be incurred in the development of any private sector digital ID product or solution, regardless of whether it is regulated by the Government. It should also be noted that joining as an onboarded accredited entity is entirely voluntary, so businesses that assess the costs of compliance as outweighing the specific benefits for their organisation can choose not to participate.

Businesses may also incur opportunity costs associated with losing access to, or ownership over, customer data. For private sector businesses, the aggregation and sale of customer data may present a meaningful commercial opportunity. The proposed regulatory scheme may affect an organisation's practical or legal ability to capitalise on such opportunities. This is because providers may no longer collect or hold some information about individuals, and the regulatory scheme contains specific restrictions on the on-selling or use of customer data collected through Digital ID.
The extent of this potential opportunity cost would vary significantly depending on the extent to which companies who seek to become onboarded accredited entities currently engage in commercial activity associated with data aggregation and on-selling, and therefore cannot be reliably estimated.


Accredited entities

(a) Expected benefits of regulatory scheme

For entities seeking accreditation under the TDIF but not onboarding, the benefits and costs are slightly different. As with onboarded accredited entities, private sector entities wishing to participate as accredited entities are not currently supported by a regulatory scheme. Option 3 will establish a nationally consistent and recognised approach to accreditation by mandating strict standards and validating all entities that have been accredited with a Trustmark. The key benefits to accredited entities come not through participation but through commercial opportunities generated and enhanced by the Trustmark. This allows an accredited entity to convey to a potential service provider or citizen that they meet the trusted and high standards set by the Australian Government, assuring the security and trustworthiness of their digital ID services (notwithstanding that they are not provided through AGDIS). This would be a particular advantage for small, medium or regional businesses, who could indicate to the digital ID market, including onboarded entities with which they may still transact, that they meet the same standards as their larger and more mature market competitors, offering them an economic advantage.

(b) Expected costs of regulatory scheme

The legislation will require accredited entities to adhere to several requirements in order to achieve and maintain accreditation. Some of these align with those described above for onboarded accredited entities, including privacy and consumer safeguards and rules around the use of Trustmarks. However, as accredited entities are not onboarded, they are not required to comply with additional requirements that relate to engaging with Digital ID-related activities or measures. Importantly, accredited entities would not be able to directly benefit from the establishment of a charging regime, unless or until they decide to onboard.
The scope of legislation under Option 3 only establishes a charging framework for those onboarded. As noted above, entities may assess the costs of compliance against the specific benefits for their organisation and choose whether or not to join at any time. Accredited entities may find that the opportunity cost of not participating, namely forgoing the benefits available under the charging framework, leads them eventually to choose to onboard and participate.


Relying parties

(a) Expected benefits of regulatory scheme

Legislation under Option 3 will enable private sector entities to participate in the Program as relying parties for the first time. This will improve speed of interaction across a wider range of government and private sector entities, where multiple entities or businesses are involved in conducting a transaction. The resulting time and cost savings will generate significant productivity gains for organisations which frequently need to verify the identity of their customers. Relying parties will also benefit from reduced instances of financial loss associated with customer fraud, due to the high standard of secure verification offered by AGDIS and accredited providers. This will result in greater efficiencies, through reduced time and costs associated with investigation and prosecution of fraud events.

Businesses participating as relying parties will also enjoy greater efficiency across their front-end operations and will be able to provide an improved customer experience, due to reduced manual handling and wait times. This is likely to benefit a wide range of companies that require customer identity verification, and who are unable to participate as relying parties under the status quo arrangements, such as utility providers, telecommunications companies, banks, insurance providers and more. Economic modelling indicates that new Australian businesses may achieve time savings worth between $22.6 million and $45.3 million a year, simply by using Digital ID to complete business set-up tasks with government entities. The productivity benefits associated with expanded access for all kinds of transactions across multiple sectors, including verification of customer identities, could therefore be expected to be many times greater (source: Economic Benefits of Digital Identity 2020, KPMG).

(b) Expected costs of regulatory scheme

The proposed regulatory scheme prohibits mandating use, including by relying parties.
This means that businesses which seek to use Digital ID solutions will still have to provide alternative options such as paper-based and face-to-face identity verification. The requirement to provide alternative options may mean that businesses are not able to fully realise the potential productivity benefits and time savings discussed above. The scheme would allow, however, for exceptions to this requirement in narrow, clearly defined circumstances (for example, entities which only offer fully online services). It is expected that alternative channels will be chosen by customers for a minority of transactions, due to the predominant and growing popularity of digital channels to interact with services. This means that while existing manual channels will still be available, their lower volume of use will drive costs down compared to having no Digital ID enabled option at all.

It is not expected that relying parties will be brought within the provisions of the Privacy Act by this legislation if they are not already required to comply with it - these provisions only apply to onboarded accredited entities. However, when particularly sensitive types of individual data are involved, the regulatory scheme establishes increased requirements for relying parties in relation to data handling and user safeguards, including obligations to report to the Oversight Authority any breach that affects integrity, such as a suspected fraud or cyber security incident. The extent of costs imposed on relying parties by these requirements will depend on the extent to which they differ from practices and systems already in place within individual businesses. For example, businesses which engage in significant data handling may have established practices and processes to comply with these requirements and would therefore not incur additional costs. Furthermore, as with onboarded accredited entities, becoming a relying party is entirely voluntary, so businesses which do not expect to gain net benefits from the Digital ID System are free not to participate.

As is the case for onboarded accredited entity businesses, relying party businesses may also forgo access to or ownership over some customer data. For private sector businesses, the aggregation and sale of customer data may present a meaningful commercial opportunity. Entering the Digital ID market may affect an organisation's practical or legal ability to capitalise on such an opportunity.
However, as noted above, the extent to which these opportunity costs are experienced by an individual business would be highly dependent on their prior commercial arrangements and service offerings.

As this legislation establishes the framework for a charging regime, an indirect consequence is that relying parties will face future charges for using services provided by onboarded accredited entities. This would occur in circumstances where these entities seek to recover costs imposed under the charging regime by levying processing or other fees on relying parties. The extent and value of these potential fees will not be prescribed in the primary legislation, but legislation will set a framework within which onboarded accredited entities will operate in a competitive market context. Because of this, it is anticipated that any charges for relying parties will be set at a level that incentivises (or at least does not create a significant barrier to) uptake of services. Charging practices by onboarded accredited entities would be subject to the standard safeguards applying under relevant competition law (including prohibitions on cartel conduct and coordinated price-setting). This is expected to ensure relying parties can enter into cost-competitive arrangements with onboarded accredited entities and seek out the most cost-effective arrangements through standard market competition mechanisms. In providing a mechanism for the establishment and detail of the charging regime, the legislation creates the potential for further regulation to be enacted in relation to charging practices between onboarded accredited entities and relying parties.

Overall, the cost implications of this regulatory scheme for businesses wishing to participate in the Program as relying parties are expected to be significantly lower than for onboarded accredited entities because of the lesser regulatory requirements imposed on these participants.

Assessment of net expected benefits

The benefits and costs accruing to businesses because of this dedicated regulatory scheme are expected to vary significantly depending on:
• whether a business intends to seek accreditation or participate as an onboarded accredited entity or as a relying party.
• whether a business is already subject to the provisions of the Privacy Act and has processes and infrastructure in place to meet the data handling and security requirements of this regulatory scheme.
• the frequency and volume of a business's customer verification requirements in delivering services.
• the extent to which a business has already adopted digital options for processing identity verification requests.

Because of these multiple variables, it is challenging to reach a single assessment of the net expected benefits accruing to businesses from this regulatory scheme. However, because accreditation and participation are voluntary for businesses, it is expected that only those organisations which perceive a net positive benefit - financially and operationally - will do so. In general, it is also expected that the significant benefits accruing to relying parties from increased productivity, faster speed of processing and improved client experience will outweigh the costs associated with the limited regulatory requirements imposed. Similarly, where an organisation which seeks to become an onboarded accredited entity is already subject to the existing provisions of the Privacy Act and the NDB Scheme, it is expected that the additional benefits accruing through improved efficiency, additional revenue streams and reduced legal risk will outweigh the costs of regulatory compliance.

9.1.3 Government

(a) Expected benefits of regulatory scheme

Option 3 entails the Australian Government playing an ongoing role in delivering the Program, as well as in drafting and enacting legislation and subordinate regulations supporting its expansion. All levels of government will enjoy greater efficiency and reduced manual handling in customer operations. This has the potential to benefit a wide range of government entities that frequently require customer identification to provide services. These potential applications are likely to support opportunities for productivity improvements and cost efficiencies at all levels of government. However, the expansion especially presents an opportunity for the modernisation of public services at a state, territory and local government level. The extent and frequency of individuals' touchpoints with state, territory and local government-provided services means AGDIS - by enabling reduced paperwork, faster transactions and improved convenience - will generate significant gains in administrative efficiency. Digital ID offers a consistent, central mechanism for identity proofing, which will reduce the need for multiple entities to verify an individual's identity.
Cost savings will be garnered from a substantially reduced requirement for agency-specific identity and access management services and the support systems that accompany them.


The use of the AGDIS is expected to support state and territory government services across:
• the registration of births, deaths and marriages
• state and local government licensing regimes
• school, vocational education, and training and higher education enrolment
• healthcare, including hospital and ambulance services
• utility services, such as water, gas and power, from state corporations
• collection of state taxes and revenue - for example, payroll tax and property rates.

Further, in interacting with businesses, state and territory governments can streamline the provision of services relating to business registrations, economic support, authorisations and permits, leading to even greater opportunities for cost reductions. These efficiency gains, cost savings and service enhancements would also be available to local governments and their management of various community services. The significant annual volume of transactions requiring identity verification in these areas is expected to generate significant efficiencies for state and local governments which can use Digital ID in place of paper-based and face-to-face identity verification.

Governments will also benefit from a reduction in identity fraud in an expanded Digital ID, through fewer instances of paying benefits or supplying services to people who are not entitled. In 2018-19, the Department of Social Services reported that its Investigations section had assessed 40 instances of suspected internal and external fraud. The costs associated with such investigations and subsequent action, where that fraud relates to identity, may be mitigated by use of AGDIS. Additionally, as legislation will support an expansion to all levels of government, state, territory, local governments and individual Australian Government agencies will save time and costs, as they can reduce investment in their own digital ID platforms or may no longer need to develop their own solutions.
The automatic de-duplication processes would also present a significant time and cost saving for these additional government entities, which may be required to undertake these data integrity measures manually or using other systems. The extent of this saving for each government entity is difficult to quantify, as it depends on the impact of multiple identity accounts linked to one individual (which varies depending on the particular system).

(b) Expected costs of regulatory scheme

Australian Government agencies and governments of all levels may incur costs due to a need to transition from or decommission existing digital ID investments and services, where such platforms are under development. However, as Digital ID remains voluntary, this regulatory scheme would not directly drive the decision that leads to these costs - rather, each agency would need to determine whether these costs are outweighed by the benefits of use.

Australian Government agencies and state and territory governments may incur some costs associated with updating existing legislation, regulation or policies, to ensure alignment with the new regulatory scheme. This may include costs associated with updates for new privacy or security requirements, as well as the flow-on costs of complying with any increased privacy standards. These costs are expected to be limited for most jurisdictions which already have standalone privacy legislation in place, and nil for Government entities since they are already subject to the national privacy regime. They are likely to be greater for South Australia and Western Australia, which currently do not have established state-based privacy regimes.

The regulatory scheme's intended leveraging of certain requirements under the NDB Scheme to apply to all participants (including state and territory governments, which currently are not subject to the NDB Scheme) will require entities to monitor data breaches and report these to the Oversight Authority and their own regulator. This new requirement may impose significant regulatory costs for state and territory levels of government, where the NDB Scheme or comparable obligations do not currently operate. Further, states and territories will be subject to the charging regime, which presents a further potential cost.
However, it should be noted that states and territories will be permitted to recover some costs through relying parties who seek to transact with state and territory government onboarded accredited entities.

Assessment of net expected benefits: The expansion to a wider range of Australian Government entities and state, territory and local governments creates the potential for very large efficiency gains in relation to identity verification. In addition to reducing manual handling of paperwork and freeing up resources to focus on more complex and meaningful service delivery work, Digital ID also allows government entities to offer citizens a better service experience. This is expected to generate intangible benefits in terms of citizen satisfaction, staff experience and attachment which cannot be costed but will contribute to the overall benefits delivered by Option 3.

As with businesses, the expected costs of government compliance with this regulatory scheme will vary depending on the baseline state of entities in relation to their current privacy, data reporting and other information-handling practices. Given that most government entities are already subject to these obligations in some form, the transition costs and ongoing compliance costs are not anticipated to differ significantly from the status quo at this time. However, any state and territory governments participating as onboarded accredited entities will face new regulatory requirements equivalent to those imposed by the NDB Scheme. Non-Commonwealth agencies will also be subject to the charging regime, the details of which are still under development but which will impact governments acting both as relying parties and as onboarded accredited entities. Overall, these factors are expected to amount to strongly positive net benefits for all levels of government from the expanded agency participation, increased citizen uptake and improved trust enabled by this regulatory scheme.

9.1.4 Community

Legislation facilitating an expansion is expected to lead to enhanced uptake of, and therefore familiarity with, digital ID among individuals and businesses. As a result, the community may experience an increase in trust and greater confidence in digital ID and related services. Such trust and confidence are only likely to grow as community exposure to the Program increases, and individuals are able to use Digital ID more frequently on a day-to-day basis. Legislation will enable community organisations to interact with Digital ID, most likely as relying parties.
As such, improvements to the speed with which they interact with a wider range of government and private sector entities will result in time and cost savings, as well as increased productivity. Further, community organisations will enjoy greater efficiency in their customer operations and reduced manual handling where, for example, a housing service provider is required to interact with multiple entities to verify a customer's identity. These time and cost savings are particularly significant where such organisations have access to limited resources.

There are likely to be very limited cost implications for the community from enshrining principles, governance and requirements in the proposed new regulatory regime. Benefits to the community, including enhanced trust and confidence, will flow from individuals' largely free participation in Digital ID. Similarly, where community organisations participate as relying parties, the costs incurred will be limited, as regulatory measures are predominantly focused on onboarded accredited entities. However, it should be noted that decisions surrounding the extent to which costs levied under the charging regime will be passed on are relevant for community organisations. If such organisations are charged for their participation (as relying parties), this may have cost implications for community providers.

Assessment of net expected benefits: There are strongly positive benefits for the community emerging from the introduction of the regulatory scheme. These include enhanced feelings of trust and confidence across the community and services - which, although unable to be quantified, contribute to the overall benefit to the community under Option 3. Further, community organisations in particular stand to benefit from efficiency gains and reduced manual handling. While community organisations choosing to participate will be subject to costs levied under the charging scheme, costs to community organisations as relying parties, and to the overall community, are likely to be very limited.

9.2 Regulatory impacts

9.2.1 Overview

Of all options, Option 3 involves the most significant regulatory costs for the categories of regulated entities, being relying parties, accredited entities and onboarded accredited entities. These estimated regulatory costs have been informed through the Consultation RIS, which provided a detailed list of regulatory impacts within the Bill for each stakeholder group and tested the accuracy of estimates.
The regulatory impacts of Option 3 can be summarised into the categories below.

• Applications: The application/s that various entities would need to submit under Option 3. Depending on the type of entity, these may include applications for accreditation and/or onboarding. The Bill provides high-level requirements for when applications must be made, with the rules outlining relevant content requirements.

• Privacy and security obligations: Positive obligations on entities in relation to privacy and security aspects of this option. These range from positive reporting obligations (e.g., in the event of a data breach), to implementing processes to ensure user consent is obtained at required points. Special requirements attach to some types of regulated entities, such as relying parties that have been approved to receive restricted attributes, and those dealing with biometric information.

• Ongoing obligations: The ongoing obligations an entity is subject to because of either use of the system, or their accreditation status. This may include, for example, annual assessments and reaccreditation-related requirements (if directed by the Oversight Authority).

• Administrative: Various administrative requirements of regulated entities under the regulatory scheme, including recordkeeping and data retention requirements. These obligations vary given the involvement and likely data accessed and used by an entity. It is expected that some administrative requirements included in the regulatory scheme (e.g., compliance with payment terms) would already be a part of an entity's business-as-usual activities, and therefore would impose no additional regulatory cost.

9.2.1 Assumptions and parameters

The regulatory cost calculated for Option 3 is the estimated amount it would cost impacted entities to comply with the proposed regulations, based on the time and labour cost of undertaking required activities (i.e., it is not a 'fee' or 'charge' to use). The methodology by which this figure has been developed is consistent with the Australian Government's Regulatory Burden Measurement Framework, and relies on a range of assumptions described in further detail in Appendix E Regulatory costs: Methodology and assumptions.
An important assumption made in calculating the regulatory burden was that the entities seeking to participate in this regulatory scheme would already have a baseline level of familiarity with the digital ID market and a corresponding level of maturity in their corporate systems, processes and standards. This provided a more realistic view of the additional activities required to meet regulatory requirements than considering entities with minimal/low digital ID maturity. In the case of such low-maturity entities, significant uplifts and changes to business practices would be required in preparation to engage with any digital ID system - whether it was regulated by government or not.

9.2.2 Regulatory Burden Estimate (RBE)

The estimated annual economy-wide regulatory cost of Option 3 is $1,498,652, as set out in Table 5 below. For contextual purposes, the select indirect benefits estimated at a whole-of-economy level from individual time savings are also presented below in Table 6.

Option 3 Total Annual Compliance Costs (from business as usual)

Costs ($m)* | Average number of entities** | Business | Community organisations | Individuals | Total change in cost***
Relying party (non-government) | 215 | $703,577.00 | | | + $703,577.00
Accredited entity (non-government) | 28 | $484,732.00 | | | + $484,732.00
Onboarded accredited entity (non-government) | 22 | $310,342.00 | | | + $310,342.00
Total by sector | | + $1,498,652.00 | | | + $1,498,652.00

Table 5: Option 3 Regulatory burden estimate (RBE) table

* Costs ($m) are average annualised economy-wide costs calculated over the default 10 years of regulation required by the Regulatory Burden Measurement Framework.

** Assumes an uptake of relying parties and accredited entities increasing each year over the 10-year timeframe (see Appendix E for further details), before plateauing from year four onwards. The table above provides the average number of affected entities over the 10-year timeframe of regulation calculated. The total costs for each entity type are impacted by the number of entities.

*** Please note, this is not a per-entity cost, rather an economy-wide cost based on the number of entities impacted.

Option 3 Select Indirect Benefits^ (from business as usual)

Benefits* | Number of transactions** | Business | Community organisations | Individuals | Total change in benefit
Individual time saving | 1 | | | 115 minutes | 115 minutes
Individual transaction saving | 1 | | | $61.00 | $61.00
Whole of Economy transaction savings | 54,000,000** | | | $3,312,000,000 | $3,312,000,000

Table 6: Option 3 Select indirect benefits table

^ Indirect benefits may be realised by individuals, businesses and community organisations as regulation fosters additional service offerings and options for verifying identity. It is expected that an individual could save 115 minutes of time (source: KPMG, 2021, Economic Benefits of Digital Identity) by completing a transaction with a digital ID compared to without. Based on the default value for an individual's leisure time ($32 per hour per the Regulatory Burden Measurement Framework), this would equate to an individual benefit of $61.00 per transaction. Similarly, for a small business it is expected that setting up an ABN and registering a business name would take a quarter of the time it would otherwise, which is estimated to save the business $128 in this transaction. However, these are time savings not cost savings and are not directly attributable to the regulation. Rather, they are a result of an additional identity verification option becoming available.

* Please note, the savings quantified in the above table are not comprehensive as there are other benefits to businesses, community organisations and governments as described in Section 9.1. The savings detailed in the above Table have been calculated as follows: Individual saving per transaction ($61.00) x number of transactions

** The number of transactions used in this calculation is based on estimated transactions through myGovID in 2021-22 used in the Digital ID Charging Framework.
This is based on government transactions only and is a conservative estimate as it does not incorporate any increase in volume across the years and does not include transactions that may occur through uptake of private sector services. Private sector take-up impacting the volume of transactions cannot be accurately forecast as it is dependent on a number of factors, including the future charging framework.

9.3 Likely net benefit

The overall likely net benefit of Option 3 can be determined with reference to the costs and benefits identified for each stakeholder group - individuals, businesses (as onboarded accredited entities, accredited entities and relying parties), government and community.

For individuals, there are significant direct and indirect benefits that will flow from the establishment of a dedicated regulatory scheme through legislation, including time and cost savings, and a reduced risk of identity fraud and misuse of personal information. Considering, for example, that an individual's time savings benefit under the status quo has been calculated for some transactions at $61.00 per transaction, which, when extrapolated to a whole-of-economy estimation under the current arrangements only, is conservatively around $3.312 billion, the significance of potential time savings benefits that may become available under an expanded system supported by a regulatory scheme is evident. Given the minimal costs to be borne by individuals under this option, the balance of net benefits for individual Australians is expected to be strongly positive.

For businesses, the impacts will vary depending on various factors, including intended involvement as an onboarded accredited entity, accredited entity or relying party, and extent of existing compliance with the Privacy Act, data handling and security procedures. These variables make it difficult to assess the net expected benefits for businesses in aggregate under Option 3. However, voluntary participation means it is likely that only those organisations which perceive a net positive benefit will choose to participate. Further, participation as a relying party will see businesses benefit from increased productivity, faster speed of processing and improved client experience. For onboarded accredited entity businesses whose practices already demonstrate alignment with the regulatory scheme's requirements, it is expected that the additional benefits of improved efficiency, additional revenue streams and reduced legal risk will be accrued.
The annual average economy-wide regulatory cost of Option 3 has been estimated at $1,498,652, capturing a range of expected compliance costs under the proposed regulatory scheme. These costs are expected to be borne by the small proportion of businesses perceiving benefits in choosing to engage with, and participate in, the regulatory scheme under Option 3. These costs will also be offset by the extent of a business's existing maturity level (i.e., how established technical systems/processes, privacy and security arrangements and resources are) and the effect of expected benefits per entity type. Overall, the net effect of regulatory change for businesses under Option 3 will likely see the benefits of involvement outweigh the costs of regulatory compliance.

Australian Government agencies, state, territory and local governments are likely to benefit from significant productivity and efficiency gains across their identity verification practices, allowing them to offer Australians a more positive service experience. While citizen satisfaction, staff experience and attachment cannot be quantified, these factors will contribute to the overall benefits of Option 3. While the expected costs of government compliance will vary across entities, the transition and ongoing compliance costs of Option 3 are not anticipated to differ significantly from the status quo. These factors indicate strongly positive net benefits for government from the expanded agency participation, increased citizen uptake and improved trust enabled by the proposed regulatory scheme.

The community will benefit from Option 3, including through enhanced feelings of trust and confidence in Digital ID services. Community organisations which are enabled to participate are also likely to see improvements in their productivity, potentially offset slightly by costs levied under the charging regime.

Overall, there are significant anticipated benefits to individuals, businesses, governments and the broader economy from the expansion enabled by this legislation. The policy decision to limit the focus of the regulatory scheme to onboarded accredited entities, accredited entities and relying parties means regulation impacts will be felt only by a subset of those who are expected to receive these benefits. Entities can assess the benefits and associated costs of participation in the framework as an onboarded accredited entity, and voluntarily choose to undergo the accreditation process if this balance of costs and benefits is considered favourable.
Establishing a dedicated regulatory scheme through legislation is the only option which supports expansion to a wider range of public and private sector services, particularly non-Commonwealth relying parties and onboarded accredited entities able to charge under a legislative framework. The economy-wide benefits of time saved (individuals), productivity (businesses, government and community) and security (all stakeholders) are expected to continue to grow as more entities can access Digital ID services.

10 Consultation

10.1 Purpose and objectives

Since the Program's commencement, a continuous and broad-based consultation approach has engaged stakeholders at all levels, on topics from technical design to operation to governance. Stakeholders consulted to date include government, regulatory entities, jurisdictions, privacy advocates, compliance scheme representatives, corporate Australia, small business, peak bodies representing end-users and the general public.

Australia also engages heavily with international stakeholders and counterparts in digital ID and is recognised as a leader in this space. The Australian Government is involved in trade negotiations with several countries to achieve mutual recognition of identity systems. A Memorandum of Understanding has been established with the Smart Nation and Digital Government Office of Singapore, with a roadmap to the goal of system interoperability with Singapore's national digital ID system. Australia signed a mutual recognition agreement and roadmap with New Zealand in 2020, and is closely collaborating to ensure future policy and system interoperability as both countries develop legislation. Negotiations are also in progress with the UK and Canada. Finance continues to work with the Australian Government and with similar agencies around the world to identify future opportunities for digital ID interoperability and mutual recognition with other countries. As Digital ID expands, supported by appropriate regulation, this domestic and international engagement will continue and increase.

This consultation approach to date, and future activities described in this section, seek to fulfil two primary objectives:

• Ensuring stakeholder views are sought and considered throughout the regulatory development and assessment process.

• Validating the impacts (financial and otherwise) of any proposed regulatory action on affected stakeholders.
The consultation approach recognises that digital ID is a complex concept, some aspects of which may not be well understood by the community, and involves highly sensitive topics such as privacy and information security. As regulatory options were explored, the plan flexibly ensured that the broad range of perspectives we received informed the development of policy positions, and allowed any unintended consequences to be identified.

10.2 Consultation undertaken

Consultation has been a key focus since the Program commenced, to ensure the design, operation and governance considers and accommodates stakeholder views. Since 2015, the Australian Government has engaged with the public to build a Digital ID system that is aligned with community expectations. The broad range of consultations conducted by the Program are listed at Appendix D. This consultation has occurred through a range of channels (including in person, through interactive webinars, surveys, and public submissions). Further consultation has been undertaken in late 2023 to inform the Bill, with changes made to reflect community and business expectations and feedback.

These program-wide consultations have been supplemented by targeted engagement on matters that are particularly sensitive or complex, such as privacy and consumer safeguards, conducted both by Government directly and (in the case of Privacy Impact Assessments, for example) by independent firms. Various stakeholders have been specifically engaged on privacy and consumer-related matters, including private sector representatives (e.g. payments, banks), academics and advocacy groups, state and territory ombudsman entities and privacy commissioners. This iterative consultation strategy has served to validate the identified problems, gauge stakeholder views on areas for potential regulation and lay the foundation for broader public consultations.

In November 2020, a public consultation paper was released on Digital ID legislation. This paper sought government, community, industry, and individual views on the scope, nature and extent of possible government regulation of the Digital ID System.
Supporting the release of the public consultation paper were five webinars conducted to ensure full understanding of the Program's context, and to encourage submissions. These webinars were attended by 110 stakeholders. 44 submissions were received through this process - 16 of which were from state and territory governments, 20 from the private sector (including industry associations) and eight from individuals and consumer groups. On 12 February 2021, we published a consultation synthesis report that summarised key messages, themes and outcomes of this public consultation process. The synthesis report outlined near-uniform agreement on the immense value of Digital ID, and on some level of legislation to govern it. However, there were differing views on the content and scope of legislation, including which measures should be legally entrenched and which should remain as policy or operational guidance.

The next stage of legislation-specific consultation occurred in June 2021, with the release of a Digital ID legislation position paper providing updated assessments of key policy positions and the nature of potential regulation. The position paper remained open for comment for five weeks, with a total of 62 submissions received. It was supplemented by a series of targeted events, including two roundtables held on 1 July 2021 for the Australian Information Industry Association (AIIA), and 13 July 2021 for the Australian Society for Computers and the Law (AUSCL). A total of around 120 stakeholders participated in these roundtables. Other targeted consultation events that occurred during July included a series of Q&A sessions held for the banking and government sectors, at which around 21 stakeholders participated.

The 2021 Trusted Digital Identity Bill exposure draft consultation was open for 4 weeks.

In late 2023, an exposure draft package, which included the updated draft Digital ID Bill, draft Digital ID Rules and draft Accreditation Rules, was released for broad-reaching consultation. The Digital ID Bill and Rules package was open for comment for a three-week period, and the Accreditation Rules were open for a six-week period concluding in October 2023. This also included public webinars, targeted industry association roundtables, and broad engagement across state, territory, and Commonwealth agencies. 112 submissions were received in addition to attendees at roundtables, and the 1346 responses to a public survey.
The consultation paper released alongside the Bill on 19 September 2023 can be accessed here.

10.3 Outcomes and themes of consultation to date

This section provides a summary of outcomes and themes of consultation feedback, by stakeholder segment and consultation round. The below draws out broad themes for discussion and analysis purposes; however, it is important to understand that the Program has received a significant quantity of diverse feedback over many years across a spectrum of stakeholders. Whilst best efforts have been made to accurately describe this feedback at a broad level, there are inherent limitations in generalising or attributing discrete sentiments or themes to what has consistently been very nuanced feedback on a complex issue.

Each stage of consultation has directly influenced and shaped Program activity - both substantive decisions and planning the future consultation roadmap. For example, the November - December 2020 public consultation paper round elicited several high-level outcomes and themes across different stakeholder groups. These outcomes formed the focus of targeted consultations with critical stakeholders that occurred in early 2021. The subsequent position paper highlighted areas where stakeholder input led to reconsideration of policy and regulatory positions. These changes in policy positions and other considerations were incorporated into the exposure draft package, the outcomes of which helped shape final policy positions in the Bill.

A Consultation RIS accompanied substantial public consultation, which occurred over October 2021 and received seventy submissions which engaged deeply with one or more provisions of the legislative instruments, lodged by various industry and government stakeholders as well as by individuals. Of these seventy submissions, internal sentiment analysis by the Australian Government assessed 34 per cent of responses to be broadly positive, 40 per cent neutral and 26 per cent negative. The key stakeholder groups driving the 34 per cent of positive responses were private sector entities and industry associations, both expressing strong support for the introduction of the Bill, particularly the strengthened privacy and consumer protections.
Some responses viewed the Bill (and Program more broadly) as a fundamental enabler of Australia's digital economy and expressed interest in future participation in the Digital ID system. The key stakeholder groups driving the 26 per cent of negative responses were industry associations, consumer groups, individuals and some private sector entities. These submissions brought forth questions particularly around the scope and complexity of the Bill, governance, law enforcement access and charging. These key themes and issues specific to the October 2021 exposure draft package public consultation have been further detailed in Appendix D, along with details of the Program's actions in response to each issue.

Over time, common themes have emerged in the feedback received from individuals, businesses, government and the broader community. Examples of these themes, and how they have been actively addressed by the Program, are summarised below. These are further described in table form in Appendix D, with detail on how stakeholders' positions have evolved over time.

• Individuals - Input provided by informed individuals on regulation has generally indicated tentative positivity towards the Digital ID System and its potential benefits, with expressed hesitation on matters including privacy, safety, security and other consumer impacts. Over time, this has informed the regulatory approach of including more detailed, rather than lesser, safeguards and protections in the Bill (compared to earlier regulatory approaches explored that would address the barriers to legal authority to use the Digital ID System, without legally entrenching additional privacy, consumer and security protections). The airing of concerns from individuals has also led to certain safeguards being built into legislation, rather than being delegated to subordinate instruments - such as a legislative guarantee of the system's voluntariness.

• Businesses - Whilst broadly supportive of a whole-of-economy Digital ID system, feedback from the business community initially focused upon seeking clarity on the scope and application of a Digital ID system, as well as its interoperability with other existing (current and future) systems and regulation. The decision to enshrine two alternative forms of participation in the legislation with different levels of regulation (accreditation and system onboarding) was taken in direct response to this feedback. The private sector now has two options for involvement with appropriately tailored regulatory requirements. Dialogue between the Program and the business community, particularly those in relatively highly regulated sectors such as financial services and telecommunications, has also focused on alignment with other existing regulatory schemes in areas including privacy and anti-money laundering and counter-terrorism financing regulation. This has been considered and incorporated in the regulatory scheme's leveraging of existing regulatory schemes where possible to mitigate regulatory impact, as discussed above in Section 5.3.1. Another common theme amongst the business community since early consultations on potential regulation of the system has been in relation to the charging framework. This feedback, and businesses emphasising the need for certainty yet flexibility, informed the regulatory approach of including principles in the Bill setting broad parameters for the framework's operation (for example, ensuring legislative enshrinement of important principles such as the citizen not having to pay to participate), but leaving specific details to be determined through subordinate instruments.

• Government - Dialogue with state, territory and Australian Government agencies has occurred in various contexts and on a range of topics including participation in AGDIS and proposed regulation. At all levels of government, common themes that have emerged in this dialogue concern alignment with existing regulatory regimes, particularly those at a state or territory level, with the legislation being modified to contain appropriate exemptions for state / territory entities which already meet a similar level of privacy protection to Commonwealth privacy standards. In addition, for agencies with a law enforcement function, another consistent theme has been the extent to which law enforcement agencies can access and use information within AGDIS. The final policy positions on this issue, as reflected in the Bill, seek to achieve a balance between providing access to law enforcement in narrow, clearly defined circumstances, and recognising the importance of restricting the use of particularly sensitive information, in order to protect user privacy (for example, biometric information may only be disclosed to law enforcement with consent or a warrant).

• Community - Community feedback has been received by the Program both from non-government organisations, as well as various special interest and consumer representative groups. Through these groups, concerns regarding the practicalities of enforcing this voluntariness protection have been raised. The Program continues to liaise closely with the Australian Human Rights Commission (AHRC), the National Children's Commissioner and the Attorney-General's Department, in order to address these concerns.
In addition to the above actions taken in response to specific feedback themes raised by individuals, business, government and the community, the Program has also used feedback received across all sectors to identify common areas of misunderstanding regarding Australia's Digital ID System and its regulation. This will continue to inform the Program's ongoing communications and education strategy in relation to Australia's Digital ID System, which will run alongside and supplement the ongoing consultation on future regulation described below. Impact Analysis: Page 94 of 158 Digital ID Bill 2023 - Explanatory Memorandum: Page 255 of 319


The consultation held in late 2023 has led to changes to the Bill and the associated rules relating to privacy and governance, as well as a range of smaller changes to improve the Bill.

10.4 Ongoing consultation

Even after the Bill becomes law, it is not envisaged that consultation on the Bill and its regulation would cease. The Bill mandates consultation for any legislative instruments issued in the future (beyond the baseline level of consultation on any legislative instrument required by the Legislation Act 2003 (Cth)). Additional consultation obligations, including a public notice process, are also mandated before additional TDIF accreditation rules and data standards are made. These proposed legislative measures ensure stakeholder views will continue to be considered and incorporated into the regulatory regime as it evolves, and will allow changes to be made to reflect the outcomes of future evaluation activity and recommendations from regulators and stakeholders.


11 Best option from those considered

The preceding analysis demonstrates that 5.3 Option 3: Dedicated legislation to establish new regulatory scheme is the most suitable of those considered. The Murray inquiry identified the need for a whole-of-economy digital ID solution, which would help transform service delivery in Australia and generate significant opportunities for the creation of new economic value. As this Impact Analysis has outlined, a whole-of-economy solution cannot be realised unless Digital ID is able to facilitate connections between state, territory and private sector services, driving significantly expanded uptake. Option 3 is the only option capable of facilitating this expansion.

Section 4 of this Impact Analysis identified the objectives of government action in relation to Digital ID. These objectives align with, and seek to address, the problem areas discussed in Section 3, which currently inhibit Digital ID's ability to operate as a whole-of-economy solution. As demonstrated by the table below, establishing a dedicated regulatory scheme supports each of these policy objectives and, in turn, comprehensively addresses the problems identified through this Impact Analysis.

Problem area 1: No legal basis for participation of non-Australian Government agencies as relying parties, nor for a charging framework.
Policy objective: Government action enables expansion of the Digital ID System to include non-Australian Government agencies as relying parties, and provides a legal basis for charging by onboarded accredited entities (Australian Government and non-Australian Government), maximising the benefits.
Why Option 3? The introduction of a dedicated regulatory scheme under Option 3 will directly address this issue by providing the requisite statutory authority for the Digital ID System's expansion and for charging, enabling full uptake by non-Australian Government relying parties and onboarded accredited entities. Options 1 and 2 cannot address existing barriers to non-Australian Government participation, as they do not entail the passing of primary legislation providing legislative authority to enable expansion. Therefore, only under Option 3 can the Digital ID System's whole-of-economy benefits be realised.

Problem area 2: Lack of trust in the Digital ID System's privacy and security safeguards.
Policy objective: Government action enhances community confidence, trust and clarity regarding the Program's privacy and security safeguards.
Why Option 3? Option 3 addresses this problem in several ways. A dedicated regulatory scheme will offer a consistent approach to privacy and consumer protections across all jurisdictions, including some not currently covered by the Privacy Act. The regulatory scheme can be used to supplement current privacy and consumer protections with Digital ID System-specific laws, for example prohibitions on data commercialisation and relating to biometrics. The implementation of a legislative governance framework will also support enforcement practices. Stakeholder consultation has highlighted Australians' desire for a consistent set of privacy and security safeguards, which can only be offered by a dedicated regulatory scheme. Option 1 offers no avenue for improved clarity and greater public confidence in the Digital ID System. While Option 2 may, to some degree, improve trust in the Digital ID System's privacy and security safeguards, it can only do so within the existing general legislative framework and cannot address any identified gaps.

Problem area 3: Interim, non-legislative governance framework.
Policy objective: Government action enhances community confidence, trust and clarity in the permanence and rigour of the Digital ID System's governance.
Why Option 3? The introduction of a permanent Oversight Authority through Option 3 will legally enshrine the Digital ID System's enforceability, transparency, integrity, independence and accountability, providing greater certainty for all participants. With legislated powers and functions, the Oversight Authority will strengthen protections for participants in the Digital ID System, support the Digital ID System's integrity and longevity, and substantially increase the overall rigour offered by current governance arrangements. Under Options 1 and 2, the Digital ID System would continue to operate under an interim, non-legislative governance framework, which may lead to low levels of trust and confidence. Therefore, only Option 3 can address the government's policy objectives by enhancing trust and reliance.

Table 7: Option 3 alignment with policy objectives and problem areas

Option 3 also presents the strongest opportunity for enhancing alignment with the five guiding principles, discussed in Section 3.2.3: choice, consent, privacy, security and integrity.
For example:
• Choice and consent: A dedicated regulatory scheme will ensure participation remains voluntary, making certain that individuals consent to their information being collected in connection with Digital ID. For those who wish to participate, Option 3 will enable and incentivise the participation of a wider range of both public and private sector identity providers as well as a more diverse range of relying parties. As a result, user choice will be both legally enshrined and strengthened in practice as a central component.
• Privacy, security and integrity: Option 3 offers a consistent approach to privacy protections across all jurisdictions, supported by the legally enshrined enforcement and compliance powers of the Oversight Authority. This permanent governance arrangement will afford individuals avenues for recourse where data breaches occur, as well as ensuring enduring compliance with transparency and accountability mechanisms. Further, security safeguards embedded in the dedicated regulatory scheme will instil greater user trust and confidence in AGDIS, with the likely outcome of increasing uptake.

Option 1 will continue to secure the significant benefits currently available to individuals and businesses. However, by not addressing the obstacles to expansion, it represents a foregone opportunity to maximise these benefits and further enhance the five principles of Digital ID. Individuals would be deprived of the additional choice that would come with expansion, and of legally enshrined accountability, independence and transparency mechanisms.

Similarly, Option 2 offers limited opportunity for furthering these principles. Consent and integrity may benefit from slightly strengthened accountability and transparency mechanisms, but without the force of government regulation. Safeguards and avenues for recourse would not be supported by a consistent dedicated regulatory framework established through primary legislation.

As described in Section 9.2 Regulatory impacts, the regulatory scheme's focus on onboarded accredited entities, accredited entities and relying parties means regulatory costs will be borne by a small subset of stakeholders. These regulatory costs (estimated at a whole-of-economy annual average cost of $1,498,652) are offset by both the voluntary nature of Digital ID and the many benefits available to those who choose to participate or be accredited. For contextual purposes, economic analysis estimates a $3.312 billion whole-of-economy indirect benefit related to individual time savings alone, under current arrangements. Entities can assess their ability to meet the regulatory costs of participation and voluntarily choose to undergo the accreditation or onboarding process if this is expected to lead to positive revenue outcomes through the delivery of new or expanded services.


Additionally, the outcomes of the Program's continuous and broad-based consultation strategy, engaging stakeholders at all levels, have informed the selection of Option 3 as the preferred option. The table below details how stakeholders have viewed the three regulatory options across the span of consultations conducted.

Option 1: Status quo
How stakeholders viewed the option throughout consultation: The Australian Government has been engaging with the public to build a Digital ID system aligned with community expectations since 2015. Early in 2020, the Program sought stakeholder views on potential expansion and how protections could be ensured. The Program shared an initial Scoping Paper with the Digital Identity Legislation Working Group (DILWG) and with thirteen Australian Government agencies. The Program then engaged in broad public consultation between November and December 2020, through the release of the Digital Identity Consultation Paper and Background Paper, testing views on regulatory options. Both the Scoping Paper and Consultation Paper drew strong support for the expansion of Digital ID, which is only possible through legislation. Importantly, stakeholders were in near-uniform agreement on the need for legislation to govern Digital ID. This has not altered over the course of subsequent consultations. Option 1 does not address the obstacles to the expansion that stakeholder feedback has consistently supported, nor does it entrench privacy and security in legislation.

Option 2: Leverage existing legislative frameworks to enhance privacy safeguards
How stakeholders viewed the option throughout consultation: As described above, stakeholder feedback from the Program's early consultation testing views on potential regulatory options to support expansion saw support for a whole-of-economy Program with privacy and security protections entrenched in legislation. While Option 2 offers strengthened privacy safeguards when compared to Option 1, safeguards and avenues for recourse would not be supported by a consistent dedicated regulatory framework established through legislation. As a key rationale from the November and December 2020 Consultation Paper round pointed to legislation as an opportunity to enshrine these key privacy and consumer safeguards in law, in order to ensure these standards cannot change without public scrutiny, this option was also ruled out by the Program as it failed to meet this important threshold for protection set by a strong majority of those engaged.

Option 3: Dedicated legislation to establish new regulatory scheme
How stakeholders viewed the option throughout consultation: The outcomes of continuous legislation-specific Program consultation have solidified stakeholder support for Option 3. Option 3 would establish a new regulatory scheme that directly addresses stakeholder concerns, and is the only option able to support whole-of-economy expansion. Submissions received in response to the October 2021 Consultation RIS validated this conclusion and confirmed Option 3 as the preferred option for a wide range of stakeholders. Consultations since the November and December 2020 Consultation Paper round were focused on engaging with stakeholders to collaboratively and transparently design a regulatory scheme that reflected the expectations and views of the broader Australian community.

Table 8: Stakeholder views on regulatory options throughout consultation

Overall, without a dedicated regulatory scheme, the identified problem areas cannot be addressed; the policy objectives cannot be met; and stakeholders will not experience, to the full extent, the benefits described. Beyond this, the Australian economy's realisation of the significant economic value of an expansion would be constrained and compromised.

Although it is the best option from those considered, Option 3 is not, however, without risks. As discussed in Section 4.4 Constraints and barriers to government intervention, there is a risk that Australian Government regulatory action in this space may be misconstrued or viewed with suspicion and mistrust. The Program is well equipped to monitor and manage this risk, through its established communication forums and its consultation approach. The regulatory regime does address all key issues raised through consultation; however, given the rapid pace of technological change and the challenges in regulating emerging markets, there will be an ongoing need to monitor and establish new Rules as required. The risk profile associated with the preferred Option 3, and its mitigations, are summarised in the following section.


12 Implementation and evaluation of selected option

12.1 Impact Analysis status at key decision points

The RIS has followed best practice and has informed policy development and advice at each key decision point. The previous Consultation RIS was released in late 2022 and informed the consultation on the previous draft Bill (the Trusted Digital Identity Bill 2021). The Regulatory Burden Estimate was considered as part of this consultation and revised according to feedback from stakeholders. Feedback from that consultation was incorporated into the First Pass Assessment, assessed by the Office of Impact Analysis (formerly Office of Best Practice Regulation) in late 2021. No final decision was made and therefore the RIS did not progress to Second-Pass Final Assessment.

A draft of an earlier version of this RIS was provided to the Minister, and subsequently Cabinet, to inform an interim decision on whether to progress with consultation on a revised Digital ID Bill. Since then, as outlined in Attachment D, the Department of Finance has undertaken additional extensive consultation to inform the development of this Second Pass Final RIS. This version of the RIS was provided to the Minister for Finance as part of the final briefing process seeking agreement to table the Digital ID Bill in Parliament. It has been developed in tandem with the consultation process, which has informed the final Bill expected to be tabled in Parliament in late 2023.

Each key decision point has been informed by a version of the impact analysis, reflecting consultation outcomes and final analysis of the costs and benefits of each option. The final decision point will be informed by this document.

12.2 Implementation approach

Effective implementation of the dedicated regulatory scheme will be critical to realising Option 3's full benefits. Implementation planning has been underway in the Program for some time, ensuring the dedicated regulatory scheme can be established efficiently and effectively. Implementation of these regulatory measures will not occur in a silo but will be delivered alongside other streams of ongoing Program implementation effort, including strategy, customer experience, architecture, policy, communications and engagement. Whilst the proposed legislation provides broad parameters, the Program is operating flexibly within these parameters to ensure the implementation solution is designed to meet user and other stakeholder needs.

Continuing focus areas for implementation planning and engagement on future phases of Australia's Digital ID System include:
• cross-Australian Government engagement on the establishment, structure and operating model of the permanent Oversight Authority.
• engaging with bodies, such as the Information Commissioner and state/territory privacy commissioners, on the legislation's potential impact on their activities (including identifying and addressing any unintended consequences).
• further developing the additional instruments, rules, policy documents and other artefacts that will form part of the regulatory ecosystem. These are expected to cover subject matter including the charging framework.

12.3 Implementation challenges and risks

Whilst Option 3 has been determined the most suitable from those considered, it is not without challenges and risks. These are outlined in Table 12 below, including an explanation of how they are being monitored and accommodated within the Program's implementation approach, and relevant stakeholders' roles and responsibilities. For detail on the risk framework and ratings used, refer to Appendix G.

12.4 Evaluation strategy

The phased approach to Australia's Digital ID allows for natural touchpoints to assess the effectiveness of the program. The legislation is structured to allow the Minister to make Accreditation Rules and Digital ID rules, which allows future regulation to be added if new or unforeseen issues arise, or if the Program is not working as intended. The establishment of the ACCC as the initial Regulator gives it information collection powers to undertake its role, in addition to requiring a review of accredited entities' suitability annually. These issues will be revisited, and additional impact analyses done to inform major changes to the regulatory regime, where necessary.

A key part of the work being undertaken by the Department of Finance relates to benefits realisation. This work is being led by the Digital ID Taskforce, with oversight of the Digital ID Project Board, which includes representatives from Services Australia, the Attorney-General's Department, and the Australian Taxation Office. Benefits realisation is an ongoing function of the Digital ID Program to identify, track and provide transparency to the benefits derived. Regular reporting to Government and its stakeholders has been implemented to provide visibility of the Digital ID Program, ensuring that it is meeting its intended objectives. The Bill also includes a requirement for a statutory review two years after commencement, which will draw from data collected from the regulators and the above cross-agency Project Board.


Challenge/risk: Potential for regulation to be misunderstood or distrusted, leading to low confidence levels and low uptake of Digital ID.
Likelihood: Likely
Consequence: Severe
Management: Clear and strategic communication to the Australian community about the regulatory scheme's purpose and safeguards (including the prohibition on a single identifier and in-built consent requirements). The Program's ongoing consultation process and transparency about decisions, their impacts and implementation will not cease with the passage of legislation.
Residual risk rating: Minor
Relevant stakeholder(s) and roles / responsibilities: Finance (Legislation and Communication Functions) - Throughout implementation, Finance will continue to manage the risks of public misunderstanding through multi-channel engagement (including in-person, through social media, and the Digital ID website). The website will continue to serve as a user-friendly, authoritative source of truth on the Digital ID System and its regulation, and will be maintained during and post-implementation. Public, industry, community and user sentiment will continue to be monitored through feedback received via these channels and engagement approaches tailored accordingly. Successful risk management also requires other stakeholders (businesses, individuals and community) to engage with these channels and continue participation in Government communication forums (both informal / ad hoc and formal structured forums - such as statutory advisory committees).

Challenge/risk: The compliance / enforcement / governance aspects of Option 3 may significantly impact other Government entities, including unintended consequences.
Likelihood: Likely
Consequence: Major
Management: Whilst Finance is ultimately responsible for design and delivery, the Program adopted an agency partnership model from commencement, drawing on senior executives within partner agencies to seek alignment and agreement on the priorities and vision. This approach continues, supplemented by targeted engagement on matters such as the establishment of the Oversight Authority, and impacts on other entities fulfilling a specific role under the proposed legislation such as the Information Commissioner.
Residual risk rating: Minor
Relevant stakeholder(s) and roles / responsibilities: Finance - ultimately accountable for the governance, strategy, policy, and administration of the system. ATO, Services Australia, and the Attorney-General's Department - responsible for the delivery and operation of key government components of the system, including myGovID, the Digital Identity exchange, Document Verification Service and Face Verification Service. Senior executives will engage with Finance on governance and delivery matters, and ensure alignment across implementation priorities and delivery. Information Commissioner - has regulatory functions in relation to additional privacy protections in the Bill, including the biometric safeguard and limits on data profiling. Close engagement with Finance and the OA will continue through implementation to operationalise these functions.

Challenge/risk: There are divergent views on Digital ID and the nature/scope of proposed regulation, meaning not all stakeholders will be satisfied with the final positions taken.
Likelihood: Likely
Consequence: Major
Management: It is acknowledged that the Bill is unlikely to be acceptable to all stakeholders. At every stage, the Program has been fully transparent with stakeholders on its policy positions and reasoning and has amended many positions as a direct result of stakeholder feedback. Whilst not all stakeholders may be satisfied with the final position, the impact of this can be mitigated by continuing to demonstrate transparency regarding decision-making, and a genuine willingness to consult. Additionally, as set out in Section 10 Consultation above, consultation does not cease when the regulatory scheme commences, with stakeholders still able to inform future development of the regulatory framework.
Residual risk rating: Moderate
Relevant stakeholder(s) and roles / responsibilities: Finance (Legislation, Communications and Engagement Functions) - Throughout implementation, Finance will manage ongoing engagement on operationalisation of the regulatory scheme and will continue to display transparency regarding feedback received and reasons for final policy decisions taken. This is a continuation of the Program's existing consultation approach (which has entailed multiple rounds of public consultation, with outcomes of consultation published on the Digital ID website). Successful risk management also requires other stakeholders (businesses, individuals and community) to engage with these channels, take opportunities to understand the reasons for certain policy decisions, and continue participation in Government communication forums (both informal / ad hoc and formal structured forums - such as statutory advisory boards).

Challenge/risk: Even after the regulatory scheme commences, some detail may not be available due to the ongoing development of supplementary legislative instruments, rules and policies.
Likelihood: Possible
Consequence: Major
Management: The dedicated regulatory scheme in Option 3 envisages a structure where principles and content unlikely to change are contained in primary legislation, whereas other detail, including technical and charging information (which needs to evolve over time), is set out in supplementary instruments and artefacts. This means the regulatory scheme at the point of commencement may not contain all details impacting Digital ID System participants. Whilst this is a necessary structure to 'future-proof' the regulatory regime, it can lead to uncertainty about the impact of future changes. This is mitigated by the Bill including two sets of rules (both released for public consultation). In addition, the legislation mandates consultation on all future legislative instruments and TDIF artefacts to ensure the potential impacts (intended and unintended) are identified before introducing any change.
Residual risk rating: Minor
Relevant stakeholder(s) and roles / responsibilities: Finance (Legislation, Policy and Strategy Functions) - As the agency accountable for governance, strategy, policy and administration of the Digital ID System, Finance will continue to manage the development of further details related to the regulatory regime through implementation. It will use the established consultation, policy development and communication approaches that have been developed and deployed not just in recent regulation-specific consultation rounds, but on TDIF consultations over the past 4-5 years of the Program. Successful risk management also requires other stakeholders (businesses, individuals and community) to continue to take opportunities to participate in these ongoing consultations on future regulation, the TDIF and other key matters. This includes continued participation in Government communication forums (both informal / ad hoc and formal structured forums - such as statutory advisory boards).

Challenge/risk: Management of dependencies such as the Australian Government's ongoing Privacy Act review.
Likelihood: Possible
Consequence: Major
Management: Ongoing Australian Government regulatory initiatives such as the Privacy Act review have the potential to impact this proposed regulatory structure. Close consultation has occurred and will continue with this review to leverage outcomes and ensure no conflicts in regulatory measures or objectives.
Residual risk rating: Minor
Relevant stakeholder(s) and roles / responsibilities: Finance (Legislation, Policy and Strategy Functions) - continue engagement and monitoring of the impact of other related Government initiatives (including the Privacy Act review) through the implementation period. Use established cross-Government forums and channels to raise any concerns or unintended impacts on the Digital ID regulatory scheme directly with AGD.

Table 9: Challenges and risks of implementation of Option 3


Whilst the above accurately describes the status of implementation risks as at the date of finalisation of this Impact Analysis, it is important to note that the Program has a dynamic risk management framework in place which is continuously evolving as planning progresses and the future state evolves, and if Government decides to roll out additional phases of its policy. Appropriate adjustments to the management activities, roles and accountabilities will continue to be made through the implementation period of this regulatory scheme. Risk management and other implementation activities will be regularly reviewed, including a formal legislative post-implementation review 2 years following the commencement of the Bill. This ongoing monitoring is discussed further below.

12.3 Ongoing monitoring of implementation effectiveness

Various measures built into the Bill provide for regular monitoring of the implementation of a dedicated regulatory scheme, and its ongoing effectiveness. These include:
• Requiring that the Information Commissioner include information on its functions and powers in relation to Digital ID as part of its annual report tabled under s46 of the Public Governance, Performance and Accountability Act 2013 (Cth).
• Requiring the Oversight Authority to prepare an Annual Report to be tabled in Parliament, for transparency and further enshrining independence. The report will report separately on the operation and the accreditation scheme, with - at a minimum - details of the number of applications, approvals and fraud and cyber security incidents (and responses to these), as well as other matters as notified by the Minister to the Oversight Authority.
• Providing for a review of the Bill/Act two years from the date of its commencement.

Additionally, as discussed above, the legislation includes mandated consultation on proposed changes to regulations, including the issuance of new legislative instruments. This will provide an effective way of monitoring the effectiveness of Option 3 as the regulatory ecosystem evolves over time.

Overall, the above measures provide a legislative guarantee that the effectiveness of Option 3 will continue to be monitored and evaluated against its objectives, even after the conclusion of any formal transition or implementation period.


Appendix A - Glossary

This glossary highlights key terms, acronyms, and their definitions, as used in this document.

Access Card: The Australian Government provided details of a health and social services initiative, Access Card, in the 2006-07 budget. The project is more formally known as the 'Health and Social Services Smart Card initiative'. The Access Card was a proposed Australian Government non-compulsory electronic identity card. The scheme was to be phased in over two years, beginning in 2008, but the project was terminated in November 2007.

APP entities: The Privacy Act imposes obligations on 'APP entities'. An APP entity is, generally speaking: an agency (largely referring to a federal government entity and/or office holder) or an organisation (which includes an individual, body corporate, partnership, unincorporated association, or trust).

Australian Competition and Consumer Commission (ACCC): An independent Commonwealth statutory authority whose role is to enforce the Competition and Consumer Act 2010 and a range of additional legislation, promoting competition, fair trading and regulating national infrastructure for the benefit of all Australians.

Australian Government Agencies Privacy Code: Registered on 27 October 2017 and commenced on 1 July 2018. The Code applies to all Australian Government agencies subject to the Privacy Act (except for Ministers). It is a binding legislative instrument under the Act. The Code sets out specific requirements and key practical steps that agencies must take as part of complying with Australian Privacy Principle 1.2 (APP 1.2). It requires agencies to move towards a best practice approach to privacy governance to help build a consistent, high standard of personal information management across all Australian Government agencies.

Australian Privacy Principles (APPs): The cornerstone of the privacy protection framework in the Privacy Act. They apply to any organisation or agency the Privacy Act covers. There are 13 APPs and they govern standards, rights and obligations around: the collection, use and disclosure of personal information; an organisation or agency's governance and accountability; integrity and correction of personal information; and the rights of individuals to access their personal information.

Biometric information (biometrics): Information about any measurable biological or behavioural characteristics of a natural person that can be used to identify them or verify their identity, such as face, fingerprints and voice. (Under the Privacy Act, biometric information is considered sensitive information, which places additional obligations on organisations.)

Council of Australian Governments (COAG): The peak intergovernmental forum in Australia. It initiates, develops and monitors policy reforms of national significance which require co-operative action by Australian governments.


COVID-19: Coronavirus disease 2019 (COVID-19) is a contagious disease caused by severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2). The first case was identified in Wuhan, China, in December 2019. It has since spread worldwide, leading to an ongoing pandemic.

Digital Government Exchange (DGX): Events held for international public sector leaders with deep interest in the use of Smart Technologies in delivering government services to citizens and businesses. It sees attendees from leading digital governments of Denmark, Estonia, Israel, Korea and New Zealand among others, coming together for discussions on issues facing Smart Cities and opportunities for growth through technology.

digital ID: Unless otherwise stated*, 'digital ID' (non-capitalised term) as used in this document may refer to:
• an individual's digital ID - that is, an electronic representation of an individual or entity which enables that entity to be sufficiently distinguished when interacting online (refer Section 2.2)
• the generic concept of digital ID; and/or
• general/existing digital ID systems, activities and services (not specific to the Australian Government Digital ID System).
*Not to be confused with other usages in this document - i.e. "Digital ID System" (see below), or the proposed legislative definition of "digital ID" (described in Section 5.3).

Digital ID Program (Program): Delivered by Finance, in partnership with other government entities, it will, over time, allow individuals and government services to do more online at any time and place they choose. The Program will give Australian citizens and permanent residents a single and secure way to create a Digital ID that can be used to access online government services.

Digital ID System (System): Generally, a group of participants that work together to ensure identity-related information can be relied on by services/relying parties to make risk-based decisions. When capitalised in this document, refers specifically to the Australian Government Digital ID System, as delivered by the Program and proposed to be regulated through the exposure draft Bill and rules, as distinct from other digital ID systems.

Digital Transformation Agency (DTA): An agency of the Australian Government tasked with improving the accessibility and availability of government services online by helping government 'transform services to be simple, clear and fast'.

Digital Transformation Strategy (DTS): Sets the direction for the DTA's work from 2018-25. The accompanying roadmap describes a rolling two-year window of work that has been planned.

Essential Eight: The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies to help technical cyber security professionals mitigate cyber security incidents caused by various threats. The Essential Eight is a series of baseline mitigation strategies taken from the Strategies to Mitigate Cyber Security Incidents recommended for organisations. Implementing these strategies as a minimum makes it much harder for adversaries to compromise Digital ID Systems.


Financial System Inquiry Report (Murray inquiry): Released on 7 December 2014, this report responded to the objective in the Inquiry's Terms of Reference to best position Australia's financial system to meet Australia's evolving needs and support economic growth. It offered a blueprint for an efficient and resilient financial system over the next 10-20 years characterised by the fair treatment of individuals. The Inquiry made 44 recommendations relating to the Australian financial system.

Government Business Enterprises (GBE): An Australian Government entity or Australian Government company that is prescribed by the rules (section 8 of the PGPA Act). Section 5 of the PGPA Rule prescribes nine GBEs: two corporate Australian Government entities, and seven Australian Government companies.

Identity proofing (IP) levels: Different levels of identity strength defined by the TDIF, which can be used for differing purposes and when different levels of identity confidence are needed. These range from Level 1 (when no or a very low level of confidence is needed; supports self-assured identity), up to Level 4 (when a very high level of confidence is needed; requires in-person attendance of the person claiming the identity as well as three or more identity documents and biometric verification).

Information Security Manual (ISM): The standard that governs the security of government ICT systems, produced by the Australian Signals Directorate (ASD). It comprises three documents targeting different levels: Executive Companion, Principles and Controls.

Information Security Registered Assessors Program (IRAP): The Australian Signals Directorate (ASD) supports higher standards of cyber security assessment and training through the enhanced Information Security Registered Assessor Program (IRAP). IRAP endorses individuals from the private and public sectors to provide cyber security assessment services to Australian Governments. Endorsed IRAP assessors assist in securing ICT networks by independently assessing security compliance, suggesting mitigations and highlighting residual risks.

Interim Oversight Authority: The body currently regulating the Digital ID System, with support from Services Australia.

JobSeeker; JobKeeper: An income support payment set up in response to the economic impacts of the COVID-19 pandemic, JobSeeker supports those between 22 and Age Pension age and looking for work. As part of its COVID-19 economic response, the Australian Taxation Office paid JobKeeper payments to employers. Eligible employers then paid JobKeeper payments to employees as part of their usual wages.

Know Your Customer (KYC) obligations: The Know Your Customer (KYC) guidelines in financial services require that professionals make an effort to verify the identity, suitability and risks involved with maintaining a business relationship. The procedures fit within the broader scope of a bank's Anti-Money Laundering (AML) policy.

Memoranda of Understanding (MoU): Unless otherwise indicated, refers to agreements or arrangements put in place between government entities, such as the System Governance Interim MoU between Services Australia and the DTA.


New Payments Platform (NPP): Launched in February 2018, it is open access infrastructure for fast payments in Australia. The NPP was developed via industry collaboration to enable households, businesses and government entities to make simply addressed payments, with near real-time funds availability to the recipient, on a 24/7 basis.

Notifiable Data Breach Scheme (NDB Scheme): Established in February 2018 to improve consumer protection and drive better security standards for protecting personal information. It applies to entities and organisations who are covered by the Privacy Act and are required to take reasonable steps to secure personal information.

Office of the Australian Information Commissioner (OAIC): An independent Australian Government agency, acting as the national data protection authority for Australia, established by the Australian Information Commissioner Act 2010 and headed by the Australian Information Commissioner.

Organisation for Economic Co-operation and Development (OECD): Produces independent analysis and statistics to promote policies to improve economic and social wellbeing across the globe.

Operating Rules: Set out the legal framework for the operation of the identity federation, including key rights, obligations and liabilities of participants.

Oversight Authority: The entity responsible for the administration and oversight of the identity federation in accordance with the Operating Rules and TDIF.

Privacy Act 1988 (Cth) (Privacy Act): Promotes and protects the privacy of individuals and regulates how Australian Government entities and organisations with an annual turnover of more than $3 million, and some other organisations, handle personal information. It includes 13 Australian Privacy Principles (APPs), which apply to some private sector organisations, as well as most Australian Government entities.

Privacy Impact Assessment (PIA): Assessment that identifies the impact that a project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.

Private sector: The part of the economy that is run by individuals and companies for profit and is not state controlled. For the purposes of this Impact Analysis, it encompasses all for-profit businesses that are not owned or operated by the government.

Regulatory Technology (RegTech): Management of regulatory processes in the financial industry through technology. Its main functions include regulatory monitoring, reporting and compliance.

Trusted Digital Identity Framework (TDIF): Contains the tools, rules and accreditation criteria to govern an identity federation. It provides the required structure and controls to deliver confidence to participants that all accredited providers in an identity federation have met their accreditation obligations and as such may be considered trustworthy.

World Economic Forum (WEF): International NGO founded in 1971, the WEF's mission is stated as "committed to improving the state of the world by engaging business, political, academic, and other leaders of society to shape global, regional, and industry agendas".




Appendix B - Entities, interactions and incentives within the current Digital ID System

Table 8 provides a more detailed description of the specific interactions and likely incentives of each type of entity currently involved in the Digital ID System, as described and depicted in Section 2.3.3 Entities, interactions and incentives within the current Digital ID System. For each entity type, the table sets out its role, interactions and incentives within the current Digital ID System, and example participants.

Onboarded accredited entities

Identity provider (IDP)
Role: Provides the platform for verifying the identity of an individual online. IDPs undertake primary verification of an individual when a Digital ID is established, and act as a conduit for the verification of additional information about individuals held by different participants. That is, providing a response to the query: 'Is this person Jane Doe?' Consistent with the 'choice' principle, the Digital ID System was designed to include multiple IDPs, both government and non-government. If they choose to, people can switch to a different IDP while maintaining access to identity services. One non-Australian Government IDP (Australia Post's Digital iD) has been accredited but is not onboarded and available for individuals to select.
Interactions: IDPs are the key contact point between the 'external' and 'internal' components. They interact directly with people through the creation of Digital IDs, and seek consent from people each time a relying party seeks confirmation of their identity. They also interact directly with relying parties to receive and action requests for identity verification. Within the TDIF, IDPs then interact with an IDX to confirm an individual's identity details. The arrangements are designed to ensure that IDPs do not have access to information about the services individuals access.
Incentives: The existing IDP is an Australian Government agency. It is incentivised to generate ongoing growth in uptake of Digital ID because this will support expanded adoption and use, justifying investment to date. At present there is no legislative mechanism by which IDPs can recover costs or charge other Digital ID System participants for their services within the TDIF. While it is theoretically possible for non-government entities to become IDPs, in practice there are limited incentives to do so because only Australian Government agencies can currently become relying parties and there is no legislative mechanism for charging. This limits both the potential customer pool and the potential for revenue generation for identity services.
Example participants: myGovID; Australia Post's Digital iD (accredited but not on-boarded and available as an IDP choice).

Attribute service provider (AP)
Role: Supplies additional information about an individual to support verification of their identity and other attributes. APs provide authoritative information about entitlements, relationships or other characteristics - e.g. information on whether an individual is currently receiving a specific government payment or is authorised to act on behalf of a particular entity. That is, an AP can provide a positive or negative response to queries like: 'Is Jane Doe entitled to Family Tax Benefit?' or 'Is Jane Doe an authorised representative of Company A?'
Interactions: An AP interacts directly only with the IDX. When a relying party requests verification of specific attributes about an individual via an IDP, this request is relayed to the IDX. The IDX then contacts the AP for confirmation of the attribute information being sought. Typically, an AP will be integrated with a registry that manages particular attributes. For example, the Australian Taxation Office's (ATO) Relationship Authorisation Manager (RAM) system can verify relationships between an individual and a business. If a business wanted to authorise a particular individual to manage their taxes, this relationship could be verified by the RAM system acting as an AP.
Incentives: Under the current Digital ID System arrangements, APs are exclusively Australian Government agencies such as the ATO. These entities are resourced to participate in the Digital ID System because their involvement supports the ongoing expansion of Digital ID by diversifying the range of possible use cases.
Example participants: ATO Relationship Authorisation Manager (RAM); myGov (currently undergoing accreditation process).

Credential service provider (CSP)
Role: Support the safety and security of the Digital ID System. CSPs are accredited to undertake the functions of authentication credential management and take care of all credentials (i.e. passwords and other forms of access restrictions). That is, a CSP can provide a positive or negative response to queries of the nature: 'Does this person's password match the password for the account held by Jane Doe?' or 'Does the biometric information provided match that previously provided by Jane Doe?' At present, the only accredited CSPs are also accredited as IDPs, providing an integrated solution for an individual to authenticate themselves when establishing a Digital ID or authorising verification by a relying party.
Interactions: CSPs interact with IDPs as part of the process for identity verification. Current CSPs are also IDPs, meaning this interaction occurs within a single system process.
Incentives: Credentials management is an essential component of effective functioning of identity services. For this reason, there is a strong incentive for IDPs to also become accredited as CSPs. It is theoretically possible for an entity which is not an IDP to establish itself as a CSP, for example by providing specialised and high-security biometric credentials management. However, there are limited incentives to do so in the current system given the relying parties are exclusively Australian Government entities.
Example participants: myGovID; Australia Post's Digital iD (accredited but not on-boarded and available in the Digital ID System as a CSP choice).

Identity exchange (IDX)
Role: Provides the infrastructure for interactions between other Digital ID System participants to occur in a way that is secure and respects the privacy of individuals. With individual consent, the IDX functions like a switchboard, transferring information between relying parties, IDPs and APs. That is, the IDX is the conduit by which answers to all queries addressed by the previous three participants are communicated. The IDX only passes on the specific information that an individual has authorised to be provided.
Interactions: The IDX is the centrepiece of the Digital ID System, managing interactions between all onboarded accredited entities operating within the TDIF.
Incentives: The IDX is a crucial Digital ID System role currently fulfilled by the Australian Government. The primary incentive for the IDX is to ensure efficient and secure transferral of information to support effective functioning of the overall Digital ID System.
Example participants: Services Australia.

Relying parties

Government relying parties
Role: Rely on verified identity information, attributes or assertions provided by IDPs, APs and CSPs through the IDX to enable the provision of a digital service. That is, relying parties are the entities that make Digital ID System queries such as 'Is this person Jane Doe?', 'Is Jane Doe entitled to Family Tax Benefit?' and 'Does this person's password match the password for the account held by Jane Doe?'. Relying parties can be considered one of two 'end users' for Digital ID, along with individuals. Participation in the Digital ID System is fully voluntary for relying parties.
Interactions: Relying parties interact exclusively with IDXs.
Incentives: Under current Digital ID System arrangements, only government entities can legally become relying parties. Entities have a strong incentive to do so because the use of Digital ID can significantly reduce the need for face-to-face or paper-based identity verification by citizens, delivering benefits such as:
• reduced processing times for transactions requiring identity verification
• improved customer experience by removing the need to visit a shopfront or provide certified copies of documents
• reduced manual handling of paperwork and ability to re-direct associated resources to alternative tasks.
Example participants: Various, including: Centrelink; ATO; State and territory revenue agencies (currently being tested under pilot conditions).

Governance body
Role: Responsible for the administration and oversight of the Digital ID System, including ensuring the TDIF requirements are met by all onboarded accredited entities. The Interim Oversight Authority's functions are currently shared by Finance and Services Australia.
Interactions: The Interim Oversight Authority acts as the TDIF accreditation body, accrediting entities to act as IDPs, APs and CSPs within the Digital ID System. It then provides ongoing oversight of how entities behave within the Digital ID System, ensuring compliance with the TDIF. In these roles, it interacts closely with all onboarded accredited entities. The Interim Oversight Authority may also interact with relying parties and individuals in some limited cases where it receives complaints about onboarded accredited entity conduct. The Oversight Authority's role as Digital ID System regulator means that the nature of these interactions is different from that between other System participants. Specifically, it does not play a role in the day-to-day delivery of the Digital ID System, instead having a higher-level oversight and governance role.
Incentives: The Interim Oversight Authority is a Commonwealth government entity. Its primary incentives are to promote the efficient, safe and transparent operation of the Digital ID System.
Example participants: Finance and Services Australia.

User
Role: Establish and use a Digital ID - through one or more providers - to verify their identity when accessing a range of digital services. That is, people are the subject of queries such as 'Is this person Jane Doe?', 'Is Jane Doe entitled to Family Tax Benefit?' and 'Does this person's password match the password for the account held by Jane Doe?'. Participation in the Digital ID System is fully voluntary for individuals, whether in their business (e.g. applying for an ABN) or personal capacity.
Interactions: As the other 'end user' of digital ID (along with relying parties), individuals interact exclusively with IDPs. They establish a Digital ID presence with an IDP and provide consent through it for the verification of their identity on each occasion this is sought by a relying party. While the range of interactions detailed above take place on behalf of individuals, this does not require direct contact between these people and any entity other than their chosen IDP. It should be noted that people are likely to interact directly with onboarded accredited entities through other channels - e.g. lodging tax returns with the ATO or applying for benefits through Services Australia. These interactions form the basis for participants holding individuals' information which can subsequently be used to verify their identity/attributes. However, these interactions occur outside the Digital ID System and would do so if it were not in place.
Incentives: Users have a range of incentives to participate in the Digital ID System, including:
• improved convenience and speed of processing when interacting with Australian Government agencies
• strengthened autonomy and control over which entities will hold information on their identity and attributes
• reduced risk of identity theft due to strong levels of security built into the Digital ID System.
However, it should be noted that several factors may also incentivise against individual participation, including:
• concern over government centralisation or control of information on their identity and attributes
• lack of a robust legal framework for protecting privacy, and ensuring compliance with the TDIF
• limited useability of digital ID outside of interaction with Australian Government entities.
Example participants: Individual citizens in private capacity; Individuals in capacity as business owners.

Table 10: Details of entities, interactions and incentives within the current Digital ID System


Appendix C - Entities, interactions and incentives within an expanded Digital ID System

Table 9 provides a more detailed description of the specific interactions and likely incentives of each type of entity that would be able to participate in an expanded Digital ID System, as described and visually depicted in Section 2.5.2 Entities, interactions and incentives within an expanded . For each entity type, the table sets out its potential role, interactions and incentives in an expanded System, and example participants.

Onboarded accredited entities

Identity provider (IDP)
Role: As in 'Current' table above. Under an expanded scenario it is anticipated that private sector entities would be more likely to seek to participate as IDPs, due to the below incentives.
Interactions: As in 'Current' table above. Regardless of which entities choose to become IDPs, the nature of their interactions with other components will remain the same. This is intended to ensure competitive neutrality between government IDPs and other participants.
Incentives: An expansion will pave the way for a significantly larger number of organisations and individuals to participate, as relying parties and individuals. This is because non-government entities will be able to become relying parties for the first time, thereby expanding the range of Digital ID use cases for individuals. Under this expansion, there are expected to be significantly stronger incentives for new, non-government IDPs to enter the market and compete with existing government/quasi-government IDPs. An increased number of relying parties creates a larger potential customer pool for IDPs, beyond government entities. As more entities seek to become relying parties, this also increases the range of services and contexts in which individuals can use Digital ID, creating a self-reinforcing loop of more relying parties generating more individual participants, and more individuals supporting increased uptake by relying parties. Private sector IDPs will face different financial incentives than existing IDPs. It is anticipated that these entities will only participate where there is an opportunity for them to gain financially from doing so. The Australian Government has acknowledged this and initiated design work on an appropriate charging regime as part of its expansion planning. Within the bounds of this framework, private sector IDPs would be expected to seek to recover the costs of participation through fee-for-service arrangements. Service efficiency principles suggest it would be easier to recover these costs through relying parties on a contract basis than from people on an individual transaction basis. Any steps by the Commonwealth to regulate IDP behaviour through the charging regime would also affect the specific incentives for IDPs. As participation is entirely voluntary, private sector IDPs would only be expected to participate where charging arrangements do not impose unreasonably high costs, or where such costs can be recouped through other participants (e.g. relying parties) at a level and in a manner which does not inhibit uptake by those participants.
Example participants: In addition to current: Private sector (e.g. financial services institutions, identity management agencies).

Attribute service provider (AP)
Role: As in 'Current' table above. There are a wide range of entities outside of the Australian Government holding information on individuals' attributes. For example, a relying party may need to verify whether a particular individual holds a specific university qualification, or is a member of a compulsory professional body. Under an expansion scenario, a wider range of these entities would be able to participate as APs. This would result in both efficiency benefits and revenue opportunities for participating entities.
Interactions: As in 'Current' table above. Regardless of which entities choose to become APs, the nature of their interactions with other components will remain the same.
Incentives: As with IDPs, under an expansion scenario it would be possible for APs to generate revenue through the provision of attribute verification services. For example, an AP may charge an IDP a small fee for each attribute verified, with this fee then being reflected in the aggregate fee a relying party is charged for the IDP's services. APs and IDPs are likely to be incentivised to enter into volume-based arrangements within such a charging framework. It should also be noted that the expansion has the potential to lead to significant efficiencies for entities which are enabled to become APs. For example, professional bodies may already handle a volume of requests to confirm an individual's accreditation. Where entities already deal with such requests by manual/paper-based means, considerable efficiencies may be achieved by becoming an AP and processing requests within the System instead.
Example participants: In addition to existing Australian Government entities: State, territory and local governments; Universities; Professional bodies; Credit ratings agencies.

Credential service provider (CSP)
Role: As in 'Current' table above.
Interactions: As in 'Current' table above. However, the expansion creates the opportunity for entities to participate as standalone CSPs, rather than this function being combined with that of an IDP.
Incentives: The expansion would potentially create incentives for new entities to participate as standalone CSPs where they are able to provide bespoke or niche credentialing services. For example, private security companies may seek to provide highly secure credentialing services based on advanced biometrics, for use by private sector IDPs and relying parties which need very high levels of reliability in identity verification. As with private sector IDPs, entities are only expected to participate in the system as standalone CSPs where there is a market opportunity to do so, given such participation is voluntary.
Example participants: In addition to existing Australian Government CSPs: Private sector IDPs; Private sector security solution providers.

Identity exchange (IDX)
Role: As in 'Current' table above. Whilst there is no legal barrier to a non-government IDX, it is not anticipated that this function would be transferred to entities beyond the Australian Government in the medium term.
Interactions: As above.
Incentives: As above.
Example participants: Anticipated the Commonwealth government will remain the sole provider of the IDX for the foreseeable future.

Relying parties

Non-Australian Government relying party
Role: As in 'Current' table above. A key feature of an expansion scenario is the capacity for entities beyond the Australian Government to become relying parties. However, participation as a relying party would remain entirely voluntary.
Interactions: As in 'Current' table above. Under an expansion scenario, relying parties would likely have a greater choice of IDPs to transact with, due to the entry of private sector IDPs in competition with myGovID.
Incentives: As with government relying parties, other government and private sector entities would be expected to experience the following benefits from participation:
• improved processing times for transactions requiring identity verification
• improved customer experience by removing the need for people to attend venues in person or provide physical documents
• reduced manual handling of paperwork and ability to re-direct associated resources to alternative tasks.
These are likely to incentivise strong uptake by non-government relying parties under an expansion scenario. In this instance, non-government relying parties would be expected to seek the most cost-efficient commercial arrangements possible with IDPs for the provision of identity verification services. Increased competition through the entry of more IDPs would be expected to put downward pressure on pricing for such services. These relying parties may also seek to undertake cost recovery through the pricing of services provided to Users. Their capacity to do so directly would be determined by any specific provisions within the charging regime when determined. However, this would not necessarily prohibit indirect cost recovery - for example through charging higher overall prices for services. Under an expansion scenario, it is anticipated that participation by private sector relying parties will be influenced to a greater degree by these financial and commercial considerations than is currently the case for government relying parties.
Example participants: In addition to Australian Government entities: State, territory and local government entities; Financial services providers; Utilities and telecommunications providers; Recruitment agencies.

Permanent governance body
Role: As in 'Current' table above. The permanent governance body could be a legislated function of a new or existing government agency.
Interactions: Similar interactions as above, continuing to oversee the accreditation process and operating rules governing how these entities act. However, unlike the status quo, it would be expected that a governance body may have increased interaction with relying parties, particularly relating to any new charging framework which would impact relying parties (but not Users).
Incentives: As an Australian Government entity, the permanent governance body's primary incentive would remain promoting the efficient, safe and transparent operation. It may have other stated objectives set out in any establishing legislation, for example accountability and independence.
Example participants: A new or existing government agency given regulatory functions in an expansion scenario.

User
Role: As in 'Current' table above. The role of users is expected to remain constant regardless of which IDPs they choose to use. Participation would remain fully voluntary.
Interactions: Under an expansion scenario, users would be expected to have a wider range of IDPs to choose from because of the incentives discussed above for the entities. Users would also be able to access Digital ID to verify themselves with a much wider range of relying parties, as non-government entities are enabled to join for the first time.
Example participants: Individual citizens in private capacity; Individuals in capacity as business owners.
Incentives: Expansion offers increased incentives for participation by users, including: • improved convenience and speed of processing when interacting with a wide range of government and private sector entities • strengthened autonomy and control over which entities will hold information on their identity and attributes • reduced risk of identity theft due to strong levels of security built into. Impact Analysis: Page 125 of 158 Digital ID Bill 2023 - Explanatory Memorandum: Page 286 of 319


Entity type Potential role, interactions and incentives in Example participants an expanded System Expansion also addresses several of the potential disincentives for users discussed in 'Current' table above, further strengthening the incentive to participate: • Reduced concern over government centralisation or control of information on their identity and attributes because of increased choice of IDPs • Strengthened legal framework for protecting user privacy, and ensuring the requirements of the TDIF are met • Strengthened useability of digital ID outside of interaction with government entities. As direct charging of users is not anticipated within an expansion scenario, these participants would not generally be incentivised to 'shop around' between IDPs. However, there is likely to be a positive feedback loop between the range of services (relying parties) a user can access with their chosen IDP and ongoing uptake of that IDP's services. These indirect competitive dynamics can be observed in other digital service delivery contexts, such as food delivery and ride-sharing apps. Table 11: Details of potential entities, interactions and incentives in an expanded Digital ID System Impact Analysis: Page 126 of 158 Digital ID Bill 2023 - Explanatory Memorandum: Page 287 of 319


Appendix D - Consultation Details

This Appendix provides further detail of consultation feedback considered by round of feedback or stakeholder segment, supplementing the discussion in Section 10 of the Impact Analysis. The below draws out broad themes for discussion and analysis purposes; however, it is important to understand that the Program has received a significant quantity of diverse feedback over many years across a spectrum of stakeholders. Whilst best efforts have been made to accurately describe this feedback at a broad level, there are inherent limitations in generalising or attributing discrete sentiments or themes to what has consistently been very nuanced feedback on a complex issue.

Previous consultations

Table 15 below details the Program's schedule of consultations.

Consultation: PIAs
Details: There have been multiple PIAs conducted on Digital ID, all of which have involved engagement with a variety of stakeholders on privacy, consumer protection and security issues.
Timeframe occurred: Initial PIA for the TDIF Alpha - December 2016 through to present.
No. of stakeholders engaged: Refer to Privacy and security | Digital Identity for full copies and details of stakeholder engagement.

Consultation: TDIF public consultations
Details: There have been four releases of public consultation on the TDIF to date. These consultations are designed to elicit stakeholder views on all elements of the TDIF to ensure a consistent approach is taken to usability, accessibility, privacy protection, security and more.
Timeframe occurred: Four TDIF releases - respectively February 2018, August 2018, April 2019 and May 2020.
No. of stakeholders engaged: Broad consultations with government, privacy experts and industry associations. More than 2450 comments received over 3 rounds of consultation.

Consultation: Targeted consultation with Australian Government agencies
Details: Relevant Australian Government agencies were consulted for their input on an initial Scoping Paper and a draft Consultation Paper prior to their respective public releases. This occurred through the Digital ID Legislation Working Group (DILWG), a forum with representation from thirteen Australian Government agencies.
Timeframe occurred: Scoping Paper phase - March 2020. Draft Consultation phase - August 2020.
No. of stakeholders engaged: Scoping Paper phase - 23 Australian Government agencies. Draft Consultation phase - 17 Australian Government agencies.

Consultation: Targeted consultation with states and territories
Details: States and territories were initially engaged for commentary at the early stages of policy development. This consultation occurred through the Digital Identity Cross Jurisdictional Working Group (DICJWG), a forum with representation from all eight states and territories in Australia. The DICJWG conducted four themed workshops inviting engagement in formulation of the three policy options.
Timeframe occurred: Throughout 2020.
No. of stakeholders engaged: 8 states and territories in Australia. Themed workshop invitations sent to all Australian jurisdictions.

Consultation: Targeted consultation with financial institutions
Details: The Program met with twelve key financial institutions across 2020, some numerous times, to discuss issues related to potential regulation.
Timeframe occurred: Throughout 2020.
No. of stakeholders engaged: 12 financial institutions.

Consultation: Public consultation paper
Details: The public consultation paper on legislation sought government, community, industry and individual views on the scope, nature and extent of possible government regulation of the Digital ID System. Five webinars supported the release of the paper, aimed at academics, advocacy groups, private sector, state and territory privacy commissioners and the public. A consultation synthesis report was subsequently published online, and summarised key messages, themes and outcomes of the public consultation paper process. Finally, a position paper was released online for further public consultation and provided updated assessments of key policy positions and the nature of potential regulation.
Timeframe occurred: Public Consultation Paper - November to December 2020. Consultation Synthesis Report - published 12 February 2021. Position Paper - published 10 June 2021.
No. of stakeholders engaged: Supporting webinars - attended by 110 stakeholders. Public consultation paper - received 44 submissions (16 state and territory government, 20 private sector, 8 individuals and consumer groups). Position paper - received 62 submissions.

Consultation: Targeted consultations with critical stakeholders
Details: Further targeted consultation occurred across key areas from the synthesis report, in the form of one-on-one engagements, Q&A sessions and webinars. Stakeholders engaged include the Privacy Information Commissioner's group, state and territory governments, the Australian Government Digital Identity Working Group, private sector groups, not-for-profit sector groups and various programs/status groups. Feedback was incorporated into the position paper.
Timeframe occurred: Early months of 2021.
No. of stakeholders engaged: 23 submissions received.

Consultation: Targeted events with key industry and government associations
Details: Following release of the position paper, targeted events with key industry and government associations occurred, to facilitate open conversation and consideration of broad-ranging perspectives prior to the release of the Exposure Draft package. Targeted events included roundtables and Q&A sessions.
Timeframe occurred: Roundtables:
• Australian Institute of International Affairs (AIIA) - 1 July 2021
• Australian Society for Computers and the Law (AUSCL) - 13 July 2021
Q&A sessions:
• Banking sector - July 2021
• Government sector - July 2021
No. of stakeholders engaged: Roundtables:
• AIIA - attended by over 50 stakeholders
• AUSCL - attended by around 70 stakeholders
Q&A sessions:
• Banking sector - attended by around 6 stakeholders
• Government sector - attended by around 15 stakeholders

Consultation: Targeted consultation with Australian Government agencies
Details: Relevant Australian Government agencies were consulted once again for their input on the Bill prior to the release of the draft legislation as part of the Exposure Draft package. This occurred through multiple forums including the DILWG, the Steering and Portfolio Board, one-on-one consultations, and a webinar.
Timeframe occurred: 6 to 12 August 2021.
No. of stakeholders engaged:
• DILWG - 11 Australian Government agencies
• Steering and Portfolio Board - 4 Australian Government agencies
• 7 other Australian Government agencies

Consultation: Exposure draft package
Details: The Program's most recent legislation-specific consultation saw the release of the exposure draft package. The package invited public views on the draft Bill, TDIF accreditation rules, TDI rules and (separately) Consultation RIS. Feedback received from previous consultation (including position papers) informed the draft Bill and supporting materials. In turn, the outcomes of consultation on the exposure draft have shaped the final policy positions taken in the Bill. The outcomes of consultation on the Consultation RIS validated and supported consideration of regulatory impacts and costs in the final Decision Impact Analysis.
Timeframe occurred: 1 to 27 October 2021.
No. of stakeholders engaged:
• 69 submissions received from industry and government stakeholders
• Over 109,000 pieces of feedback, as well as over 6,200 emails, received from the Australian public, including individuals and small businesses

Consultation: Targeted consultations on the Transition and Consequential Provisions Bill (T&C Bill)
Details: Concurrent to the Program's exposure draft consultations, key Australian Government agencies were consulted on the T&C Bill, to support the transition of existing Digital ID System participants to the new Digital ID System (following implementation of the Bill).
Timeframe occurred: One-on-one consultations - 14 to 21 October 2021. Briefings to the DILWG - 6 and 20 October 2021.
No. of stakeholders engaged:
• One-on-one consultations - 5 Australian Government agencies
• Briefings to the DILWG - 11 Australian Government agencies

Table 12: Program's previous and relevant consultations held ahead of October 2021 Exposure Draft


Consultation September-October 2023

Tuesday 19 September
• Australian Information Industry Association (AIIA) Canberra Manager's Forum
• AIIA Roundtable

Wednesday 20 Sept
• Targeted Bilateral discussions
• Roundtable - Small Business Sector

Thursday 21 September
• Digital Identity Working Group (State and Territory Governments)

Friday 22 September
• Public Webinar - Digital ID Legislation overview

Monday 25 September
• Banking and Payments Sector Roundtable
• FinTech / RegTech / Telcos roundtable

Tuesday 26 September
• Business Organisations Roundtable
• Legal, Human Rights and Consumer Advocates Roundtable #1
• Inclusion Roundtable (Services Australia Advisory Groups)

Wednesday 27 September
• Bilateral - Privacy Commissioners Roundtable
• Tech Council of Australia Roundtable

Thursday 28 September
• Public Webinar - Deep Dive and Q&As
• Inclusion Roundtable

Tuesday 3 October
• Legal, Human Rights and Consumer Advocates Roundtable #2
• Reserved for additional requested meetings (ANZ)
• Youth Steering Committee
• Insurance, Retail, HR and Real Estate Roundtable

Wednesday 4 October
• State and Territory Chief Information Officers
• Privacy Advocate Bilaterals


Details

October 2021 Public Consultation Round

The Table below details the key themes and issues drawn from the Program's earlier exposure draft package public consultation that occurred over October 2021.

Key finding / theme: Regulatory costs understated
Details of response: Whilst most RIS submissions agreed that the impacts of Options 1 and 2 were accurately described, the view was expressed that Option 3 regulatory costs were under-stated, particularly for large entities operating across multiple lines of business.
Impact on Program activity: The estimated regulatory costs for Option 3 were re-visited, with increased resource burden and a higher contingency applied to certain activities to account for additional variables raised by respondents to the Consultation RIS.

Key finding / theme: Scope of the Bill
Details of response: Stakeholders raised questions on various definitions in the Bill, requested clarification on the extent of the Bill's powers in specific situations and queried whether the Bill may inadvertently regulate entities or services not intended to be regulated from a policy perspective.
Impact on Program activity: Dialogue between the Program and the public has been revisited and strengthened, to provide further information and guidance clarifying the extent of the Bill's powers, the voluntary nature of participation and alignment with other regulatory schemes (re-iterating that the Bill leverages overarching principles from various existing definitions and regimes).

Key finding / theme: Complexity of the Bill
Details of response: Some responses raised concerns around the inherent complexity of having two regulatory schemes (one around accreditation and the other around Digital ID System participation), as opposed to one combined scheme. These submissions queried on the effect this may have on public trust and understanding in the Digital ID System.
Impact on Program activity: Dialogue between the Program and the public has been revisited and strengthened, to provide further information and guidance around the two schemes under the Bill and their respective purposes. In particular, education on the two regulatory schemes will form a core component of the implementation plan for the Program moving forwards. The Program has specifically designed the Bill to enable private sector participants different options for involvement with appropriately tailored regulatory requirements - in direct response to earlier feedback provided by the private sector in particular.

Key finding / theme: Governance
Details of response: Feedback received included queries about the opportunities available for industry and cross-government (including state, territory and cross-jurisdictional) involvement in the Digital ID System's proposed governance arrangements. Some stakeholders also provided feedback on the Minister's power to make decisions with respect to the Rules, without the requirement of prior consultation.
Impact on Program activity: Since the beginning of consultation, the Program has ensured that industry and Australian Government representatives have had an active platform to voice opinions and perspectives. The Program has established advisory committees to enable these stakeholders to support the OA in governance of the Digital ID System, and the Minister's ability to establish advisory committees is now entrenched in the Bill. The Program has also been continuously engaging with stakeholders on the issue of the scope of the Minister's powers to make decisions, and has directly addressed questions around what issues fall within and outside this scope. Overall, the Program has moved towards limiting the number of instances where the Minister is enabled absolute decision-making power in the legislation to narrow circumstances, for example national security reasons leveraging existing regulatory models and definitions. An example of a stakeholder response acknowledging the Program's active efforts in ensuring final policy positions related to governance issues reflect views expressed through ongoing consultation follows: "We appreciate the efforts made by the [Australian Government] to respond to the concerns raised by many stakeholders regarding the proposed amount of delegated legislation and rulemaking that was described in the first consultation paper." (Source: Access Now input to Australia Digital ID Position Paper for proposed Trusted Digital Identity Bill (July 2021) (digitalidentity.gov.au))

Key finding / theme: Law enforcement access
Details of response: Submissions saw divergent views on this issue, with some entities opposed to any form of law enforcement access, and others believing the current framework should be extended to allow for more access. Law enforcement agencies that responded voiced queries around how their current operations may be affected by the Bill.
Impact on Program activity: The final policy positions on this issue, as reflected in the Bill, seek to achieve a balance between providing access to law enforcement in narrow, clearly defined circumstances, and recognizing the importance of restricting the use of particularly sensitive information, in order to achieve the goal of a citizen-centric system (for example, the legislation specifically prohibits disclosure of biometric information to law enforcement).

Key finding / theme: Charging
Details of response: Most submissions received supported the idea that Australian citizens will not have to pay to participate in the Digital ID System. However, views were voiced around requiring further clarity on the details of the charging framework.
Impact on Program activity: This feedback has informed the regulatory approach of including principles in the Bill that set broad parameters for the charging framework's operation (for example, ensuring legislative enshrinement of important principles such as the citizen not having to pay to participate), but leaving specific details to be determined through subordinate instruments. The Program's response effectively addresses the need for certainty as expressed through submissions, while also allowing for flexibility.


Details

September-October 2023 Consultation Round

The Table below details the key themes and issues drawn from the Program's most recent exposure draft package public consultation that occurred across September and October 2023.

Key finding: There is strong support for Digital ID from business and industry
Details of response: Business and industry support the rollout of Digital ID.
Impact on Program activity: Positive support from business and industry will assist the proposed Digital ID legislation. Increasing cyber breach events have emphasised the need for individuals transacting online to have a safe, secure and convenient way to prove who they are. Enshrining in legislation privacy safeguards and enforceable penalties for breaches will build trust in the AGDIS and Accreditation Scheme.

Key finding: Business wants to maximise inclusion and stronger branding
Details of response: The Digital ID Taskforce is developing an Inclusion strategy which has a strong focus on accessibility, affordability and digital ability. The passing of legislation will enable the development and use of a Trustmark for accredited services and AGDIS participants. The Trustmark will develop trust in the AGDIS and the Accreditation Scheme for providing a safe, secure option for transacting online.
Impact on Program activity: The Digital ID Taskforce recognises that those that stand to benefit the most from a Digital ID will most likely be our most vulnerable members of society. The development of the Inclusion Strategy is underway and seeks to ensure that both the AGDIS and the Accreditation Scheme will provide best practice for various Inclusion aspects, but focussing on accessibility, affordability and digital ability. These policies will be developed with support from all levels of governments and private sector input. Impact to the Taskforce is expected to be minimal.

Key finding: Phasing and interoperability needs more consideration for private sector participation
Details of response: The expansion of the AGDIS will be done in phases to ensure foundational elements of the AGDIS and Accreditation scheme are established before enabling private sector participation.
Impact on Program activity: Phasing the expansion of the AGDIS is required to lay foundation components, specifically the establishment of Governance for the AGDIS, the associated roles and responsibilities and successful introduction of the draft legislation, enabling state and territory governments and private sector participation. Introduction of each phase will be a consideration for Government. The subsequent phasing will be enabled by Government where further consideration will be given to enabling private sector participation within the AGDIS.

Key finding: Interoperability with other digital identity systems and digital wallets
Details of response: The AGDIS has been built utilising a federated model allowing public and private sector identity providers to supply trusted digital identities to individuals and businesses. The federated model allows interoperability with the various developing digital identity ecosystems outside of the AGDIS. Policy development for digital wallets is underway.
Impact on Program activity: Earlier research focussed on the operation of digital ID systems across other international examples. This research led to inclusion of an interoperability obligation, clarifying the expectation of how entities would interact. There is zero to minimal impact expected to the program on the policy development for use of digital wallets.

Key finding: Alignment with other Commonwealth reviews, legislative instruments and processes is required
Details of response: The Taskforce are working across Commonwealth agencies to align developing legislation which seek to provide stronger cyber security protections and minimise duplication of regulatory requirements.
Impact on Program activity: There is a potential impact pending outcomes of the Privacy Review.

Key finding: What will be the associated charging and costs with participation and accreditation be?
Details of response: Government will not charge for accreditation and participation during the first two phases of expansion ahead of implementation of phases where the private sector can join the Australian Government Digital ID System. Users will not be charged for creating and using a Digital ID. Accreditation and service provider charges are still being considered by Government.
Impact on Program activity: Finance will develop an approach for charging, which will include public consultation, for Government consideration. Policy development and charging work to inform this process and future charging arrangements.

Key finding: Strong support for: Digital ID to remain voluntary for Government services; and Government services continue to provide non digital options for individuals who cannot, or choose not to obtain a Digital ID
Details of response: The Government's key policy decision is that creation and use of a Digital ID by an individual to access Government services for an individual within the AGDIS will be voluntary. Services can seek an exemption from the Regulator to this requirement, such that they can require use of a Digital ID to access the service. This voluntariness principle does not apply to services where an individual is acting on behalf of another entity in a professional or business capacity. The voluntariness principle does not apply for services operating outside of the AGDIS, including services provided outside the AGDIS by an accredited Digital ID provider.
Impact on Program activity: Impacts of the Voluntariness rule will be monitored to ensure Inclusion standards are met within the AGDIS. Further consultation is proposed through the Parliamentary process before legislation is passed. The Voluntariness principle may be reviewed again at the two year Review point and may also consider potential impacts of Voluntariness in the private sector.


Evolution of stakeholder views throughout consultation

The table below provides an overview of how the views of individuals, businesses, communities and governments on the Program and its regulation have evolved throughout consultation.

Stakeholder group: Individuals
Initial views / positions on Program:
• Generally indicated tentative positivity about Digital ID and its potential benefit
• Expressed hesitation on matters including privacy, safety, security and other consumer impacts
• Governance was raised as a substantial issue, with Governments having too much power being a concern.
• Law enforcement access to Digital ID data was cited as a concern.
Evolution of views and Program positions over consultation:
• Over time, informed the Program's regulatory approach of including more detailed, rather than lesser, safeguards and protections in the Bill
• Airing of certain concerns from individuals led to certain safeguards being built into legislation, rather than being delegated to subordinate instruments - such as a legislative guarantee of the system's voluntariness.
Final views / positions on preferred Option: Informed individual stakeholders continue to indicate tentative positivity towards the Digital ID System and regulation under Option 3. The Program has actively addressed concerns raised throughout consultation and reflected changes in the Bill. The Program continues to consult with this group through communication and education pieces to support their understanding. Governance concerns have been addressed through a new regulatory approach with the ACCC as initial regulator, and the Data Standards Chair being contained in the legislation. Changes: Law enforcement access to Digital ID data has been changed in the legislation to achieve balance between security, safety, reducing fraud, and privacy concerns.

Stakeholder group: Businesses
Initial views / positions on Program:
1. Broadly supportive of a whole-of-economy Digital ID System
2. Sought clarity on the scope and application of Digital ID
3. Queries around interoperability with other existing (current and future) systems
Evolution of views and Program positions over consultation:
4. Dialogue between the Program and the business community, particularly those in relatively highly regulated sectors such as financial services and telecommunications, focused on alignment with other existing regulatory schemes in areas including privacy, anti-money laundering
5. Communication from the Program focused on explaining the legislative entrenchment of two distinct ways to be involved (accreditation and system participation), and the flexibility this allows for businesses specifically
6. Feedback from businesses emphasized the need for certainty yet flexibility, which informed the inclusion of principles in the Bill setting broad parameters for the framework's operation, while leaving specific details to be determined through subordinate instruments
Final views / positions on preferred Option: Businesses continue to be broadly supportive of regulation of an expansion scenario under Option 3. Many private sector entities see the Bill and the Program as a fundamental enabler of Australia's digital economy and have expressed interest in future participation (whilst emphasizing the importance of charging framework details to their ultimate decision to participate). The Program has actively consulted with this stakeholder group through public and targeted forums, and has adjusted several policy positions in response to feedback. The Program continues to consult with this group through communication and education pieces to support their understanding.

Stakeholder group: Government
Initial views / positions on Program:
7. Broadly supportive of a whole-of-economy Digital ID System
8. Raised concerns around the privacy alignment with existing regulatory regimes, particularly State and Territory privacy authorities
9. Queries around the extent to which law enforcement agencies can access and use information within the Digital ID System
Evolution of views and Program positions over consultation:
10. Supportive of modifications to contain appropriate exemptions for state / territory entities already meeting a similar level of privacy protection to Commonwealth standards
11. Opinions from government led to revised policy positions seeking to achieve a balance between providing access to law enforcement in narrow, clearly defined circumstances, and recognizing the importance of restricting the use of particularly sensitive information
Final views / positions on preferred Option: As early adopters of the System, government agencies have been broadly supportive of the Digital ID System for the longest period. Key agencies have been continuously consulted with since the Program's commencement. This stakeholder group has not shown opposition to regulation of the Digital ID System under Option 3. Concerns raised by government stakeholders, e.g. regarding alignment of regulatory regimes and law enforcement agencies, have resulted in revisions to policy positions and the Bill. The Program plans to continue to consult with this group, especially throughout its implementation plan.

Stakeholder group: Community
Initial views / positions on Program:
• Concerns raised regarding the practicalities of enforcing this voluntary mandate
Evolution of views and Program positions over consultation:
• The Program continues to liaise closely with the Australian Human Rights Commission (AHRC), the National Children Commissioner, and the Attorney-General's Department in order to address concerns
Final views / positions on preferred Option: While community stakeholders are broadly supportive of Option 3 as the preferred option, the Program continues to liaise with these stakeholders to address voiced concerns. This was a key theme raised in the consultation process in 2023.

Table 13: Evolution of stakeholder views on the Program over consultation


Appendix E - Regulatory costs: Methodology and assumptions

This Appendix outlines the approach taken to estimate net regulatory burden in the Impact Analysis. The Impact Analysis provides economy-wide, annualised regulatory burden estimates for each relevant Option, in accordance with the Regulatory Burden Measurement Framework. These costs reflect data derived from multiple data sources, including internal Australian Government analysis and external research, validated through direct consultation with potentially impacted entities through the Consultation RIS.

Methodology

The regulatory cost estimates included in this document have been developed in accordance with the below approach:
• Identifying activities that would influence regulatory costs of a regulated entity under the relevant Option as either application, privacy and security obligation, ongoing obligation or administrative.
• Categorising the frequency of the activity as either start-up (i.e., a mobilisation or initial cost incurred in the Initial Year only), ad hoc (occurring less predictably, and frequently more than once) or ongoing (if occurrence is known and frequent, more than once, e.g., ongoing maintenance/monitoring obligations).
• For post start-up ad hoc activities, making assumptions on the expected annual frequency of each activity. These assumptions were informed by Government's experience working to date, internally tested and validated through public consultation.
• Estimating the resource effort (time taken) to comply with that requirement, taking the average-level scenario for each activity (see Assumptions below).
• Estimating labour costs associated with a regulatory task, by multiplying the time taken to complete the required compliance activity (average-level scenario) by the expected annual frequency of each activity and by the hourly cost for relevant staff. This provides the annual cost of complying with the regulatory requirements for each activity per Option and entity group as relevant, and produces a yearly per-entity regulatory cost.
• Validating yearly per-entity regulatory costs through broad consultation with potentially impacted entities through the Consultation RIS, and adjusting data estimations and assumptions in accordance with responses received.
• Multiplying each yearly per-entity regulatory cost by the expected economy-wide uptake rate (see Assumptions) for the entity group. This was calculated over the default 10 years of regulation considered by the Regulatory Burden Measurement Framework.
• Dividing the sum of all yearly, economy-wide costs for each entity group over the 10 years (per Option) by 10, to derive the average annualised regulatory burden for each Option.

Note - the above approach was followed for all entity groups for Option 3. As Option 2 involves fewer regulatory measures than Option 3 (mainly privacy-related), it was costed for GBEs by focusing on the relevant privacy activities required by the legislation. Option 2 calculations have assumed that all 9 GBEs currently in existence in Australia would gradually seek to participate over the 10-year duration of regulation calculated (per the Regulatory Burden Measurement Framework). Option 2 does not distinguish between start-up and ongoing costs, because there are limited 'initial' regulatory requirements involved.

Assumptions and sources

The key assumptions and sources used for regulatory cost estimates are:
• Start-up or ongoing costs - these classifications were derived from analysis of the nature of the regulatory activities prescribed to businesses, and further broken down per individual regulated entity for each considered Option. Start-up costs (Initial Year activities) were assumed to occur once in the first year of Option adoption, and generally included onboarding or initial accreditation activities. Other ad hoc or ongoing compliance activities undertaken during the Initial Year were estimated based on the assumed frequency of undertaking the activities.
  The frequency of ongoing costs (Post Initial-Year ongoing activities) was considered based upon the nature of the activity (e.g., whether an ongoing monitoring/maintenance obligation, or a one-off activity that may be needed throughout the year). Ongoing costs were held at constant prices and were not inflated to take account of inflation over the default 10-year duration of regulation calculated (per the Regulatory Burden Measurement Framework). These assumptions have been internally tested and were further validated through the public consultation process.
• Year on year uptake - based on internal Digital ID use case demand modelling, estimating the rate of potential uptake and adoption on an economy-wide basis over the next 10 years. Uptake estimates were based on publicly available data sourced through desktop research and a range of assumptions where no reliable data could be sourced (for example, the number of onboarded accredited participants was capped based on the assumed total number of participating entities that would be commercially viable to support; from that saturation point, all further onboardings were assumed to be as accredited entities only). Year on year uptake included a yearly estimate of newly participating entities and of entities seeking to continue participation. Standard uptake rates, without yearly uplifts, were applied across Year 1 estimates (2022-23) through to Year 10 (2031-32). As a proportion of the total year on year uptake rate, the percentage of entities estimated to apply for and (separately) be approved for restricted attributes (incurring greater application and privacy and security obligations) was assumed to be 90% and 60% respectively. The percentage of entities (excluding the relying party entity group) estimated to be approved for IP3 (similarly incurring greater privacy and security obligations) was assumed to be 100% of the entities applying for restricted attributes. These assumed proportions were applied to the yearly per-entity regulatory costs of each entity group under Option 3, allowing for further nuance in the economy-wide figures derived.
• Resource efforts - estimated based on analysis of regulatory activities prescribed per individual regulated entity (within the 'business' sector) for each considered Option.
  This analysis was informed by Government's current understanding of the potential future regulatory activities, as detailed in the Bill (and where activities were considered within the scope of the Regulatory Burden Measurement Framework). To accommodate variations across size and maturity levels of potentially impacted private business entities when deriving resource effort estimations, a 'maturity spectrum' applying three resource effort scenarios was used to cost regulatory activities. The scenarios underpinning the maturity spectrum were drawn from experiences shared by a range of entities encountered through internal and external consultation. These consultation sessions revealed that entities and their facilities needed to meet, at a minimum, a 'baseline' level of maturity (outside of the regulatory requirements) to seek entry into the digital ID market. Accordingly, all scenarios within the maturity spectrum assumed entities met, at a minimum, this baseline level required for market entry. The estimated resource efforts required by low maturity entities were not considered within the maturity spectrum, as these entities were considered premature for market entry. The scenarios considered within the maturity spectrum were:
    − Low-level scenario (least resource effort) - estimating the resource effort required by a high maturity entity, usually with established technical systems/processes, mature privacy and security arrangements and available experienced resources.
    − High-level scenario (most resource effort) - estimating the resource effort required by a medium maturity entity* meeting the minimum facility and resource thresholds of accreditation, usually with less established technical systems/processes, few privacy and security arrangements and few available experienced resources.
    − Average-level scenario - the average of the low-level and high-level resource effort calculations.
  *The minimum entity maturity considered by the maturity spectrum was a medium maturity entity (within the high-level scenario). The maturity spectrum assumed that low maturity entities did not, at a minimum, meet the 'baseline' level of maturity required for entry into the digital ID market, and thus their corresponding estimated resource efforts were excluded from calculations.
• Contingency costs - included as an approximate 10% flat rate allocation within the three resource impost scenarios (low, average and high).
• Labour rates - in accordance with Australian Government guidance, the default hourly labour rate contained in the Regulatory Burden Measurement Framework was used. This was based on average weekly earnings, adjusted to include income tax. This provided an economy-wide value for employees of $41.74 per hour. This value was then scaled up using a multiplier of 1.75 (or 75 per cent, as per the Regulatory Burden Measurement Framework) to account for non-wage labour on-costs (for example, payroll tax and superannuation) and overhead costs (for example, rent, telephone, electricity and information technology equipment expenses). This resulted in a scaled-up rate of $73.05 per hour ($41.74 multiplied by 1.75). Australian Government guidance is that this default rate should be used where regulation cuts across a number of sectors, as is the case for this regulation. Note: rates in the latest version of the Regulatory Burden Measurement Framework (March 2020) were escalated to FY21/22 dollars using the Australian Bureau of Statistics' Wage Price Index (WPI) average indexation of 1.5% per year.
• Technology and System uplifts - regulatory burden estimates produced by the methodology described above are based on the most relevant information available at the time of calculation. They are subject to change based on potential future technological uplifts to existing systems and enabling infrastructure facilitating participation in the Australian Government Digital ID ecosystem.
• General - this Impact Analysis over-estimates, rather than under-estimates, potential regulatory costs. This has been a guiding principle throughout this costing, including in making assumptions. For example, it has been assumed that all entities applying for initial accreditation will seek to maintain accreditation, incurring corresponding re-accreditation regulatory burdens, over the 10-year default duration of the regulation (per the Regulatory Burden Measurement Framework). This may not be the case once regulation is in place. Only regulatory measures which necessitated some positive action from regulated entities were included within calculations (not, for example, prohibitions on the entity doing something it is unlikely to already be doing). Additionally, regulatory measures such as the Interoperability Obligation (requiring each onboarded entity to interact with all other entities) were not included, being planned to be enabled by design and not requiring positive activity by regulated entities. Many regulatory requirements include provision for exemptions based upon defined criteria; however, to ensure completeness for regulatory costing purposes it was assumed that exemptions would not be granted.


Detailed Calculations

This section includes the detailed calculations that underpin the RBE tables included in Section 8.2 and Section 9.2.2 of the RIS.

Option 2

As described in the methodology above, Option 2 involves fewer regulatory measures than Option 3 (mainly privacy-related) and was costed for GBEs by focusing on the relevant privacy and security obligation activities required by the legislation. In calculating Option 2 regulatory costs, relevant privacy and security obligation activities were identified from the legislation, and assumptions around the expected resource effort required (time taken) and annual frequency of each activity (per the methodology and assumptions described above) were validated with stakeholders. Option 2 does not distinguish between start-up and ongoing costs, because there are no 'initial' regulatory requirements involved.

Table 14 below shows the per annum cost (10-year average) with a 10% contingency incorporated (see Assumptions). The annual costs were calculated as follows:

  estimated time taken (average-level scenario) x expected annual frequency x estimated labour cost ($73.05 per hour) = annual regulatory cost

Note that the expected annual frequency is based on the number of entities expected to be undertaking the activity and the frequency with which the activity would be required to be undertaken each year by those entities. The assumptions regarding onboarding of entities can be found in Table 15 below. It is assumed that all nine GBEs in existence in Australia would gradually seek to participate over the first four years of regulation calculated.


Table 14: Option 2 estimated per-entity annual regulatory costs across 10 years of regulation (per the Regulatory Burden Measurement Framework)

Entity group / activity                          Year 1      Year 2      Year 3      Year 4      Year 5      Year 6      Year 7      Year 8      Year 9      Year 10     Total        10-year avg   Contingency applied
Relying party (non-government)
  Privacy & Security Obligations                 $9,039.32   $15,065.53  $21,091.74  $27,117.96  $27,117.96  $27,117.96  $27,117.96  $27,117.96  $27,117.96  $27,117.96  $235,022.29  $23,502.23    $2,136.57
Accredited entity (non-government)
  Privacy & Security Obligations                 $0.00       $0.00       $0.00       $0.00       $0.00       $0.00       $0.00       $0.00       $0.00       $0.00       $0.00        $0.00         $0.00
Onboarded accredited entity (non-government)
  Privacy & Security Obligations                 $0.00       $0.00       $0.00       $0.00       $0.00       $0.00       $0.00       $0.00       $0.00       $0.00       $0.00        $0.00         $0.00

Table 15: Option 2 expected year on year Digital ID System uptake of GBE relying parties

                                 Year 1  Year 2  Year 3  Year 4  Year 5  Year 6  Year 7  Year 8  Year 9  Year 10
New GBE relying parties               2       2       2       2       0       0       0       0       0        0
Ongoing GBE relying parties           3       5       7       9       9       9       9       9       9        9


Option 3

Option 3 involves the most significant regulatory measures for the categories of regulated entities, being relying parties, accredited entities and onboarded accredited entities. The regulatory impacts of Option 3 fall into the broader groups of application-related activities, privacy and security obligations, ongoing obligations and administrative activities required by the legislation (see Section 9.2 for further detail), which were validated through the Consultation RIS. In calculating Option 3 regulatory costs, relevant activities were identified from the legislation and grouped accordingly. Assumptions around the resource effort required (time taken) and annual frequency of each activity (per the methodology and assumptions described above) were drawn and further validated with stakeholders. Option 3 does distinguish between start-up and ongoing costs, as 'initial' regulatory requirements are involved, and these were accordingly considered as part of the calculations.

Table 16 below shows the per annum cost (10-year average) with a 10% contingency incorporated (see Assumptions). The annual costs were calculated as follows:

  estimated time taken (average-level scenario) x expected annual frequency x estimated labour cost ($73.05 per hour) = annual regulatory cost

Note that the expected annual frequency is based on the number of entities expected to be undertaking the activity and the frequency with which the activity would be required to be undertaken each year by those entities. The assumptions regarding onboarding of entities can be found in Tables 17, 18 and 19 below. These assumptions have been based on internal Digital ID use case demand modelling, estimating the rate of potential uptake and adoption on an economy-wide basis over the next 10 years (per the Regulatory Burden Measurement Framework).


Table 16: Option 3 estimated per-entity annual regulatory costs across 10 years of regulation (per the Regulatory Burden Measurement Framework). Values in $.

Entity group / activity                          Year 1     Year 2     Year 3     Year 4     Year 5     Year 6     Year 7     Year 8     Year 9     Year 10       Total  10-year avg  Contingency applied
Relying Party (non-government)                  489,594    533,453    575,384    625,884    676,384    726,883    776,298    826,798    877,298    927,797   7,035,773      703,577      639,616
  Application                                   177,797    169,229    160,660    160,660    160,660    160,660    160,660    160,660    160,660    160,660   1,632,310      163,231      148,392
  Privacy & Security Obligations                311,796    364,224    414,724    465,224    515,723    566,223    615,638    666,138    716,637    767,137   5,403,464      540,346      491,224
  Ongoing Obligations                                 -          -          -          -          -          -          -          -          -          -           -            -            -
  Administrative                                212,551    248,548    282,830    317,113    351,395    385,678    419,960    454,243    488,525    522,807   3,683,650      368,365      334,877
Accredited Entity (non-government)              268,689    345,824    260,975    327,183    446,743    511,023    575,302    639,582    703,862    768,141   4,847,325      484,732      440,666
  Application                                   165,841    165,841     55,280     82,921    138,201    138,201    138,201    138,201    138,201    138,201   1,299,091      129,909      118,099
  Privacy & Security Obligations                      -          -          -          -          -          -          -          -          -          -           -            -            -
  Ongoing Obligations                           102,847    179,983    205,695    244,262    308,542    372,822    437,101    501,381    565,660    629,940   3,548,234      354,823      322,567
  Administrative                                      -          -          -          -          -          -          -          -          -          -           -            -            -
Accredited Participant (non-government)         285,401    323,969    362,537    357,395    295,686    295,686    295,686    295,686    295,686    295,686   3,103,419      310,342      282,129
  Application                                    92,563     92,563     92,563     61,708          -          -          -          -          -          -     339,396       33,940       30,854
  Privacy & Security Obligations                      -          -          -          -          -          -          -          -          -          -           -            -            -
  Ongoing Obligations                           192,839    231,407    269,974    295,686    295,686    295,686    295,686    295,686    295,686    295,686   2,764,023      276,402      251,275
  Administrative                                      -          -          -          -          -          -          -          -          -          -           -            -            -
Total regulatory cost for non-government      1,043,684  1,203,247  1,198,896  1,310,462  1,418,813  1,533,592  1,647,287  1,762,066  1,876,845  1,991,625  14,986,517    1,498,652    1,362,411
entities
  Application                                   436,201    427,633    308,504    305,290    298,862    298,862    298,862    298,862    298,862    298,862   3,270,797      327,080      297,345
  Privacy & Security Obligations                311,796    364,224    414,724    465,224    515,723    566,223    615,638    666,138    716,637    767,137   5,403,464      540,346      491,224
  Ongoing Obligations                           295,686    411,389    475,669    539,949    604,228    668,508    732,787    797,067    861,347    925,626   6,312,257      631,226      573,842
  Administrative                                212,551    248,548    282,830    317,113    351,395    385,678    419,960    454,243    488,525    522,807   3,683,650      368,365      334,877

Table 17: Option 3 expected year on year Digital ID System uptake of relying parties

                                                 Year 1  Year 2  Year 3  Year 4  Year 5  Year 6  Year 7  Year 8  Year 9  Year 10  Proportion*
New relying parties                                  22      21      20      20      20      20      20      20      20       20
Ongoing relying parties                             124     145     165     185     205     225     245     265     285      305
Entities applying for restricted attributes          20      19      18      18      18      18      18      18      18       18   90%
Entities approved for restricted attributes          12      11      11      11      11      11      11      11      11       11   60%
Entities approved for IP3                            12      11      11      11      11      11      11      11      11       11   100%

* Proportion (percentage) of new relying parties estimated to apply for and (separately) be approved for restricted attributes and IP3. These entities are expected to incur greater application and privacy and security obligations as a result.

Table 18: Option 3 expected year on year Digital ID System uptake of accredited entities

                                                 Year 1  Year 2  Year 3  Year 4  Year 5  Year 6  Year 7  Year 8  Year 9  Year 10  Proportion*
New accredited entities                               6       6       2       3       5       5       5       5       5        5
Ongoing accredited entities                           8      14      16      19      24      29      34      39      44       49
Entities applying for restricted attributes           5       5       2       3       5       5       5       5       5        5   90%
Entities approved for restricted attributes           3       3       1       2       3       3       3       3       3        3   60%
Entities approved for IP3                             3       3       1       2       3       3       3       3       3        3   100%

* Proportion (percentage) of new accredited entities estimated to apply for and (separately) be approved for restricted attributes and IP3. These entities are expected to incur greater application and privacy and security obligations as a result.

Table 19: Option 3 expected year on year system uptake for onboarded accredited entities

                                                 Year 1  Year 2  Year 3  Year 4  Year 5  Year 6  Year 7  Year 8  Year 9  Year 10  Proportion*
New onboarded accredited entities                     3       3       3       2       0       0       0       0       0        0
Ongoing onboarded accredited entities                15      18      21      23      23      23      23      23      23       23
Entities applying for Restricted Attributes (RA)      8       8       5       5       5       5       5       5       5        5   90%
Entities approved for Restricted Attributes           5       5       3       3       3       3       3       3       3        3   60%
Entities approved for IP3                             5       5       3       3       3       3       3       3       3        3   100%

* Proportion (percentage) of new onboarded accredited entities estimated to apply for and (separately) be approved for restricted attributes and IP3. These entities are expected to incur greater application and privacy and security obligations as a result.


Appendix F - Figures and tables

A.1 Figures
Figure 1: Entities, interactions and incentives within the current AGDIS (p. 16)
Figure 2: Entities, interactions and incentives within an expanded AGDIS (p. 24)

A.2 Tables
Table 1: Impact Analysis questions and relevant document section(s) (p. 8)
Table 2: Objectives for Government action (p. 38)
Table 3: Option 2 Regulatory burden estimate (RBE) table (p. 65)
Table 4: Option 2 Select indirect benefits table (p. 65)
Table 5: Option 3 Regulatory burden estimate (RBE) table (p. 85)
Table 6: Option 3 Select indirect benefits table (p. 86)
Table 7: Option 3 alignment with policy objectives and problem areas (p. 97)
Table 8: Stakeholder views on regulatory options throughout consultation (p. 100)
Table 9: Challenges and risks of implementation of Option 3 (p. 108)
Table 10: Details of entities, interactions and incentives within the current Digital ID System (p. 120)
Table 11: Details of potential entities, interactions and incentives in an expanded Digital ID System (p. 126)
Table 12: Program's previous and relevant consultations held ahead of October 2021 Exposure Draft (p. 130)
Table 13: Evolution of stakeholder views on the Program over consultation (p. 144)
Table 14: Option 2 estimated per-entity annual regulatory costs across 10-years of regulation (per the Regulatory Burden Measurement Framework) (p. 151)
Table 15: Option 2 expected year on year Digital ID System uptake of GBE relying parties (p. 151)
Table 16: Option 3 estimated per-entity annual regulatory costs across 10-years of regulation (per the Regulatory Burden Measurement Framework) (p. 154)
Table 17: Option 3 expected year on year Digital ID System uptake of relying parties (p. 155)
Table 18: Option 3 expected year on year Digital ID System uptake of accredited entities (p. 156)
Table 19: Option 3 expected year on year system uptake for onboarded accredited entities (p. 156)


Appendix G - Risk Matrix

The Risk Matrix used for assessing implementation risks (both untreated and residual) in Section 12 is set out below.

Consequence ratings:
  Insignificant - A risk event that, if it eventuates, will have little or no impact on achieving objectives.
  Minimal - A risk event that, if it eventuates, will have a minor impact on achieving objectives, to the extent that one or more agreed outcomes will fall below expected but well above minimum acceptable levels.
  Medium - A risk event that, if it eventuates, will have a moderate impact on achieving objectives, to the extent that one or more agreed outcomes will fall below expected but above minimum acceptable levels.
  Major - A risk event that, if it eventuates, will have a significant impact on achieving objectives, to the extent that one or more agreed outcomes will fall below acceptable levels.
  Severe - A risk event that, if it eventuates, will have a severe impact on achieving objectives, to the extent that one or more agreed outcomes are unlikely to be achieved.

Likelihood ratings:
  Almost certain - Expected in most circumstances (80% or greater probability)
  Likely - Will probably occur in most circumstances (50% to 80% probability)
  Possible - Might occur at some time (20% to 50% probability)
  Unlikely - Could occur at some time (5% to 20% probability)
  Rare - May only occur in exceptional circumstances (less than 5% probability)

Risk rating (likelihood by consequence):

Likelihood         Insignificant   Minimal    Medium     Major      Severe
Almost certain     Minor           Moderate   High       Very High  Very High
Likely             Low             Minor      Moderate   High       Very High
Possible           Low             Minor      Moderate   High       High
Unlikely           Low             Minor      Minor      Moderate   High
Rare               Low             Low        Minor      Moderate   Moderate


 

