Australia’s Digital ID Acts mark a significant milestone for Digital ID use across the world.
Having just received Royal Assent, the Acts aim to provide people with a secure, convenient way to prove their identity online. Here’s some of the key information you need to know.
What are Australia’s new Digital ID Acts?
Australia’s Digital ID Acts are made up of two different (but similarly named) pieces of legislation. These are the Digital ID Act 2024 and the Digital ID (Transitional and Consequential Provisions) Act 2024. Together, they are known simply as “the Digital ID Acts”.
Why has Australia passed the Digital ID Acts?
Nowadays, people are able to complete many of their everyday tasks online. This includes managing healthcare appointments, banking and accessing education. But to ensure that people are accessing the right services for them, organisations need to verify each user’s identity.
As a result, the Australian government has passed the Digital ID Acts. These sit as part of its broader digital transformation agenda. The Acts enable users to prove their identity to organisations online through the Australian Government’s Digital ID System (AGDIS).
Each user can create a digital ID which they can use to prove who they are and share specific information about themselves. The digital ID is reusable, reducing the need for people to repeatedly share their documents, such as passports and driving licences, with organisations.
The Acts aim to establish a standardised and secure identity verification system that reduces the need for manual checks and paperwork. Not only do digital IDs make transactions faster, but they lessen the need for people to carry around their physical documents. This lowers the risk of documents being lost or stolen which can, in turn, help decrease the risk of fraud and identity theft.
Who is affected by Australia’s Digital ID Acts?
Australia’s Digital ID Acts set out rules and standards for the creation, verification and use of digital IDs in Australia. As such, they’ll impact the following parties:
- state and territory governments, who will be covered by the expansion of the use of the AGDIS to verify identities; and
- digital ID service providers who wish to be accredited under the accreditation scheme.
In doing so, the Acts will also impact individuals by aiming to create a secure, convenient, voluntary and inclusive way of verifying identity.
What’s the current state of Digital ID legislation in Australia?
In 2015, the Australian government created the Trusted Digital Identity Framework (TDIF), which allowed citizens to access government services through a government-issued digital ID called “myGovID”. The newly passed legislation now replaces the TDIF with the AGDIS.
The TDIF also established an accreditation scheme for digital ID service providers. Providers from both the public and private sector were permitted to participate in the framework, so long as they met the minimum standards and rules outlined in the TDIF. Under the new legislation, only public sector organisations will be allowed to operate within the scheme for the initial two years.
What do Australia’s new Digital ID Acts aim to do?
The new Digital ID Acts aim to refresh and build on the existing system. Some key aims are to:
- replace the TDIF accreditation scheme with a new and different AGDIS accreditation scheme. The AGDIS will require all digital ID service providers to be compliant with high standards of privacy, security, proofing, authentication and accessibility. If providers are found to not be meeting baseline obligations, the regulator can suspend, revoke or cancel accreditation.
- strengthen privacy and consumer safeguards for people creating and using digital IDs from accredited service providers. This includes clauses which prohibit the collection of sensitive information and mandate when consent is required. These build upon the protections in the Privacy Act 1988 (Cth). It also outlines penalties for accredited providers if they fail to comply with the Acts’ obligations. This is to build trust with users, assuring them that their personal information is private, safe and secure.
- expand who can become accredited under the scheme. The AGDIS will expand in phases, initially allowing public sector organisations to participate, with private sector firms invited to join two years after its launch.
- set a minimum age for the use of digital identity in Australia, currently set to be 15, which will align with Office of the Australian Information Commissioner (OAIC) guidance.
- stress that participation is entirely voluntary. Businesses will not be allowed to require an individual to use a digital ID. If they do offer identity verification through the AGDIS, they must also offer alternative methods for people to prove their identity.
- appoint official regulatory enforcement for the AGDIS and the accreditation scheme.
Who will enforce the Digital ID Acts?
The Australian Competition and Consumer Commission (ACCC) will be the regulator for digital IDs. They will be responsible for overseeing and enforcing the Acts, as well as approving the digital ID service providers who want to join the AGDIS.
The Office of the Australian Information Commissioner (OAIC) will enforce all privacy-related matters.
Australia’s Digital ID Acts bring in strict requirements for digital ID service providers. Non-compliance can result in a civil penalty of between 1,000 and 1,500 penalty units (which is currently up to A$469,500).
Additionally, failure to comply with privacy protections under the Privacy Act 1988 (Cth) can result in a maximum penalty of A$2.5 million for individuals or more than A$50 million for corporations.
What does this mean for businesses?
The Acts set out a range of measures for businesses. One of the key concepts emphasised within the Digital ID Acts is consent. Businesses must ensure that they have the appropriate and express consent from individuals before disclosing certain personal information to organisations. This allows users to be in control of sharing their personal data.
Businesses should also be aware of their obligations under the Privacy Act 1988 (Cth). This piece of legislation sets out the legal framework for the handling of personal information in Australia. It governs how personal information is collected, stored, used and disclosed, alongside giving individuals certain rights and protections over their personal information. Crucially, it requires businesses to take reasonable steps to protect the personal information they hold on people. This includes implementing appropriate security measures and ensuring that personal information is only used for legitimate purposes.
Additionally, the Digital ID Acts place a strong emphasis on data security. The Acts require all digital identity service providers to adhere to strict security and fraud control standards. A robust digital ID should be built with security measures that protect personal information and prevent unauthorised access. This can include the use of encryption and authentication protocols. They must also consider risk management, technical integrity, accessibility and usability.
A huge step for Digital IDs
Australia’s Digital ID Acts are expected to commence by 1 December 2024. This would mark a significant leap forward in how Australians navigate the digital landscape, with a focus on security and privacy.
By understanding the regulatory requirements, businesses can streamline how they verify their customers. This will help them to remain competitive in an increasingly digital world.
Please note this blog has been prepared for information purposes only. You should always seek independent legal advice.