House debates

Wednesday, 15 May 2024

Bills

Digital ID Bill 2024, Digital ID (Transitional and Consequential Provisions) Bill 2023; Second Reading

11:48 am

Louise Miller-Frost (Boothby, Australian Labor Party)

Scams, including identity theft, cost Australians around $2.7 billion in 2023. There were more than 600,000 reports to Scamwatch, and that's probably the tip of the iceberg, because many who are victims of scams are too embarrassed to report it or may not actually realise they're being scammed yet. People over 65 make up around 25 per cent of those scam victims, and around 50 per cent were investment scams. Many, if not most, of the scams now occur online in some way—through social media, through direct emails or through SMS asking you to 'click this link'. Likely, every owner of a mobile phone or an email account has received an unsolicited approach asking you to 'click this link' or maybe asking you to update your details with your bank, your utility provider or a government service. Unfortunately, people—us—are the weak link here.

I remember doing a cybersecurity course as part of a board I sat on a number of years ago. The cyber expert told us about a criminal group that had recently been broken up in Europe. The group consisted of a couple of PhDs in computing and four PhDs in psychology, because social engineering—the psychology of tricking you, convincing you to overcome your doubts and creating a sense of urgency or opportunity—is how the majority of these scams work. Last weekend, I spoke to a constituent, Elizabeth, who told me she was so frightened about being scammed that she refused to do anything online, which is increasingly difficult in an age where so many of the activities of daily life, from paying a bill to checking your bank balance and engaging with government departments, all occur online. Each of these services requires you to confirm your identity in exactly the same way the scammers get you to confirm your identity so that they can steal it. Of course, that's not the only way your identity can be stolen and used by criminals. Many Australians have been victims of major data breaches. Some of the larger ones were the Medibank and Optus breaches that affected millions of Australians. Details of identity were released and, in some instances, put up for sale on the dark web.

Fraudulent use of identity is a major risk for us as individuals, as businesses and as government. That's where the Digital ID Bill comes in. The digital ID is a secure, convenient and voluntary way to verify who you are online against existing government-held identity documents, without having to hand over any physical information. Digital ID is not a card; it's not a unique number nor a new form of ID. This bill will help to address the challenge of identity theft. The digital IDs enabled by this bill will avoid the need for Australians to repeatedly share their documents and, very importantly, will reduce the need for government or businesses to retain those documents, because every time your data is taken and stored somewhere else by a company or organisation there is another point of vulnerability.

This bill does four things to ensure that Australians are in control of their digital IDs and that their digital IDs are safeguarded. Firstly, the bill will legislate and strengthen an existing voluntary accreditation scheme for digital ID providers. Secondly, the bill will legislate and enable the expansion of the Australian government digital ID system, so protections for digital IDs are in place across the economy. Thirdly, the bill will embed in place privacy and consumer protections additional to those in the Privacy Act. And, fourthly, the bill will strengthen the governance for an economy-wide digital ID system by establishing a Digital ID Regulator, the System Administrator and a Digital ID Data Standards Chair to ensure privacy and consumer protections in the bill will be met.

I know that some of my constituents will still be nervous about the notion of a digital identity. Some will still want to ensure that this works and is secure before they engage with it. Some, like Elizabeth, will decide that they do not want to have a digital identity and will still feel more secure engaging with entities in real life at branches and the like. Hence, importantly, this is a voluntary accreditation scheme. The voluntary accreditation scheme in the bill will enable more digital ID providers to demonstrate that they meet strong privacy protections, security safeguards and accessibility requirements. The bill will replace an existing, unlegislated policy framework for accreditation—the Trusted Digital Identity Framework—with a legislated accreditation scheme for public and private sector digital ID providers. The bill will ensure only trustworthy and reliable private and public sector entities are accredited to provide digital ID services to Australians. Accreditation rules made under the bill will set out a range of requirements for each type of service an entity can be accredited for by the Digital ID Regulator.

The bill will ensure that there are real consequences for accredited providers if they do not meet the high standards of their accreditation. The powers of the regulator set out in the bill to suspend, revoke or cancel accreditations will ensure the accreditation rules, safeguards and privacy protections in the bill are adhered to. The bill will provide for a trust mark for accredited providers to build consumer trust and awareness of the digital IDs, imposing civil penalties on entities who falsely promote their services as meeting the strict requirements of accreditation.

The accreditation scheme will give Australians who choose to create, use or reuse a digital ID issued by an accredited provider greater confidence that their personal information is being protected. Many of us are familiar with the existing myGovID system. The existing unlegislated Australian government digital ID system is well established, with more than 10.5 million myGovIDs—which can be used to access more than 130 government services. However, the current system has limitations: it is not national; myGovID can only be used to access government services; and private sector services can't currently use myGovID to verify their customers. This falls short of the vision for a national, economy-wide system.

The Digital ID Bill provides a legislative base for broader use of digital IDs via a phased expansion of the Australian government digital ID system to include state, territory and private sector entities who choose to participate. Consistent with the phased approach to expansion, the bill provides for the Digital ID Regulator to manage arrangements for other matters, including statutory contracts between participants, liability and charging for providers and connected services in the future.

The Australian government digital ID system is based on the principle that people can choose which digital ID provider they use to access any website, app or other service that is connected to the system. In the legislation, this is called the interoperability obligation. The minister will, however, have the discretion to exempt some government services from this obligation and only allow a single digital ID provider, such as the myGovID. Exemptions will only be granted in limited circumstances, such as for government services where there is potential for identity fraud to have a significant impact on the financial circumstances of individuals or businesses in Australia—for example, the tax system, the social security system and the NDIS.

Additional privacy and consumer safeguards: privacy protections in the bill are designed to ensure that digital IDs meet community expectations. The bill contains a comprehensive range of privacy protections that apply to the accreditation scheme that will operate in addition to existing protections in the Commonwealth Privacy Act. If the Commonwealth Privacy Act does not apply, the bill will ensure that accredited providers are subject to equivalent privacy protections. The bill includes measures that will protect Australians' sensitive information—such as their passports, birth certificates, driver's licences, Medicare cards and biometric information that they may use to verify their identities—by requiring express consent to create a digital ID and before information about them can be collected, used or disclosed to a service they wish to access; by requiring accredited providers to deactivate a person's digital ID if they withdraw their express consent at any time; and by prohibiting accredited entities from collecting particularly sensitive types of personal information such as a person's political opinions or sexual orientation.

The bill addresses the risk of commercialisation and misuse of digital IDs in the economy by preventing data profiling or the tracking of a person's activities using a digital ID and by preventing personal information from being disclosed for marketing purposes. The bill contains safeguards over law enforcement access to digital ID information held by accredited entities. Access to this information will require a warrant, unless it is being disclosed with consent or disclosed for the purpose of an accredited entity reporting digital ID fraud and cybersecurity incidents.

The bill includes measures to ensure the Digital ID Regulator will be notified of any breaches of accredited providers under Commonwealth, state or territory data breaches to facilitate quick mitigation of the risk or remediation of the breach. If there is no state based scheme, the Digital ID Bill requires the entity to report breaches under the Commonwealth scheme. To ensure these protections are meaningfully regulated and enforced, the bill will give the Information Commissioner a full suite of investigative and compliance powers. If an accredited entity breaches any of the privacy protections, they can be liable for civil penalty.

Those less able or willing to get a digital ID should not be left behind. An essential safeguard in the bill is that digital ID will continue to be voluntary for individuals accessing government services through the Australian government digital ID system. The bill will require Australian government agencies to continue to provide alternative channels for people to access services. Where an individual is accessing Australian government services on behalf of a business or in another professional capacity, a digital ID may be required because digital IDs will address the increased fraud risk associated with some business services. The regulator will monitor and regulate the compliance of entities participating in the Australian government digital ID system and may impose civil penalties for any breaches. These safeguards will help ensure that people who choose to create and reuse digital IDs can be confident that their information is safe and secure and that their privacy will be protected.

The bill will establish the Australian Competition and Consumer Commission as an independent digital ID regulator, with the responsibility of overseeing the accreditation scheme and the Australian government digital ID scheme. The bill will also provide for the systems administrator to perform day-to-day operational matters to ensure the performance and integrity of the Australian government digital ID system. Finally, the bill establishes a data standards chair to consult with industry and issue data standards.

The bill will make sure the regulatory watchdog has teeth to enforce the safeguards, with a broad suite of monitoring, compliance and enforcement powers, including civil penalty provisions, enforceable undertakings and injunctions. The Office of the Australian Information Commissioner will advise and enforce privacy protections, provide complaint handling for breaches of the privacy safeguards and report on privacy aspects of and the exercise of its powers and functions under the legislation. Further transparency will be provided through public registers for accredited entities, including whether they have ever had their accreditations revoked or suspended. The regulator will be required to report annually to the minister for presentation to parliament on applications on approvals for accreditation or participation and fraud or cybersecurity incidents and responses.

Further, a statutory review of the bill will be required within two years of commencement. The scope of the review would include any supporting rules and standards made after the commencement of the bill.

The Digital ID Bill is about the safety and security of Australians and of their digital identity. We've all been horrified by the data breaches and the ensuing issues that come from them—with people being vulnerable to identity theft and scams. It's an entirely voluntary exercise, it has built-in security measures and it has a regulator to ensure compliance. I commend the bill to the House.
