House debates
Wednesday, 15 May 2024
Bills
Digital ID Bill 2024; Second Reading
9:03 am
Stephen Jones (Whitlam, Australian Labor Party, Assistant Treasurer)
I present the revised explanatory memorandum to the Digital ID Bill 2024, and I move:
That this bill be now read a second time.
The Digital ID Bill will put in place the legislative framework to create an economy-wide digital ID system for Australia. Digital ID is a secure, convenient, voluntary and inclusive way to verify who you are online against existing government held identity documents without having to hand over any physical information.
Digital ID is not a card. It's not a unique number, nor a new form of ID.
Data breaches, such as Optus, Medibank and others, impacting millions of Australians show the need to protect people and their identities. This bill will help to address the challenge.
The digital IDs enabled by this bill will avoid the need for Australians to repeatedly share their ID documents, and reduce the need for government or business to retain documents that could then be at risk.
This bill does four things to ensure that Australians are in control of their digital IDs and that their digital IDs are safeguarded:
The voluntary accreditation scheme
The voluntary accreditation scheme in the bill will enable more digital ID providers to demonstrate that they meet strong privacy protections, security safeguards, and accessibility requirements.
The bill will replace an existing unlegislated policy framework for accreditation—the Trusted Digital Identity Framework—with a legislated accreditation scheme for public and private sector digital ID providers.
The bill will ensure that only trustworthy and reliable private and public sector entities are accredited to provide digital ID services to Australians. Accreditation rules made under the bill will set out a range of requirements for each type of service an entity can be accredited for by the Digital ID Regulator.
The bill will ensure that there are real consequences for accredited providers if they do not meet the high standards of their accreditation. The powers of the regulator in the bill to suspend, revoke or cancel accreditations and to seek civil penalties will ensure the accreditation rules and the safeguards and privacy protections in the bill are adhered to.
The bill will provide for a trust mark for accredited providers to build consumer trust and awareness of digital IDs, imposing civil penalties on entities who falsely promote their services as meeting the strict requirements of accreditation.
The accreditation scheme will give Australians who choose to create, use or reuse a digital ID issued by an accredited provider greater confidence that their personal information is being protected.
The Australian Government Digital ID System
The existing, unlegislated Australian Government Digital ID System is well established with more than 12 million myGovIDs which can be used to access more than 140 government services.
However, the current system has limitations. It's not national—myGovID can only be used to access government services, and private sector services can't currently use myGovID to verify their customers. This falls short of the vision for a national, economy-wide system. The Digital ID Bill provides a legislative basis for broader use of digital IDs via a phased expansion of the Australian Government Digital ID System.
Initially, it's expected that states and territories will be able to apply to participate in the Australian Government Digital ID System as users or providers of accredited digital ID services. Then, within two years, all state, territory and private sector entities will be able to apply to the Digital ID Regulator to participate within the Australian Government Digital ID System as providers or users of accredited digital ID services, or both.
Consistent with the phased approach to expansion, the bill provides for the Digital ID Regulator to manage arrangements for other matters, including statutory contracts between participants, liability and charging for providers and connected services, in the future. Rules to be made within 12 months of the act commencing must set out redress mechanisms to support individuals in the event of a digital ID fraud or cybersecurity incident within the Australian Government Digital ID System.
Importantly, the Australian Government Digital ID System is based on the principle that people can choose which digital ID provider they use to access any website, app or other service that is connected to the system. In the legislation this is called the interoperability obligation.
The minister will however have discretion to exempt some government services from this obligation and only allow a single digital ID provider, such as myGovID. Exemptions will only be granted in limited circumstances, such as for government services where there is potential for identity fraud to have a significant impact on the financial circumstances of individuals or businesses in Australia.
For example, services within Australia's tax and transfer system, which currently enable about $154 billion per year in tax refunds, and our social security system, which supports about $220 billion in payments per year, present prominent fraud targets where it is critical to carefully manage risk.
Additional privacy and consumer safeguards
Privacy protections in the bill are designed to ensure that digital IDs meet community expectations.
The bill contains a comprehensive range of privacy protections applying to the accreditation scheme that will operate in addition to existing protections in the Commonwealth's Privacy Act. If the Commonwealth Privacy Act does not apply, including providers that are small business operators, the bill will ensure that accredited providers are subject to equivalent privacy protections.
The bill includes measures that will protect Australians' sensitive information, such as their passports, birth certificates, drivers licences, Medicare cards and biometric information that they may use to verify their identity by:
The bill addresses the risk of commercialisation and misuse of digital IDs in the economy by:
The bill contains safeguards over law enforcement access to digital ID information held by accredited entities. Access to this information at the request of law enforcement is only permitted in very limited circumstances—where there is a warrant, where court proceedings have begun, or where a person consents to their digital ID information being disclosed to verify their identity or investigate or prosecute an offence. In addition, information on requests to access digital ID information made by law enforcement agencies and enforcement bodies will be reported to parliament on an annual basis.
The bill includes measures to ensure the Digital ID Regulator will be notified of any data breaches of accredited providers under Commonwealth, state or territory data breach schemes to facilitate quick mitigation of the risk, or remediation of the breach. If there is no state based scheme, the Digital ID Bill requires the entity to report breaches under the Commonwealth scheme.
To ensure these protections are meaningfully regulated and enforced, the bill will give the Information Commissioner a full suite of investigative and compliance powers. If an accredited entity breaches any of the privacy protections, they can be liable for a civil penalty.
Those less able, or willing, to get a digital ID will not be left behind.
An essential safeguard in the bill is that digital ID will continue to be voluntary for individuals accessing government services through the Australian Government Digital ID System. The bill will require Australian government agencies to continue to provide alternate channels for people to access services. I will repeat that: the bill will require Australian government agencies to continue to provide alternate channels for people to access services. There is an ongoing obligation that such alternative channels must be reasonably accessible and do not result in a substantially less favourable service for Australians.
To ensure that digital IDs are inclusive by design, providers of digital ID services must take reasonable steps to ensure the services are accessible, including to individuals who may experience barriers to creating or using a digital ID. Consultation with groups that represent individuals experiencing barriers to creating or using a digital ID must be undertaken before rules are made about digital IDs.
Accredited providers of digital ID services must comply with usability and accessibility guidelines. Furthermore, any testing of biometric information must manage the risk of biometric matching disadvantaging or discriminating against any group.
Where an individual is accessing Australian government services on behalf of a business (or in another professional capacity) a digital ID may be required because digital IDs help address the increased fraud risk associated with some business services.
The regulator will monitor and regulate the compliance of entities participating in the Australian Government Digital ID System and may impose civil penalties for any breaches.
These safeguards will help ensure people who choose to create and reuse digital IDs can be confident that their information is safe and secure, and that their privacy will be protected.
Strengthened governance arrangements
The bill will establish the Australian Competition and Consumer Commission as an independent digital ID regulator with responsibility for overseeing the accreditation scheme and the Australian Government Digital ID System.
The bill will also provide for the system administrator to perform day-to-day operational matters to ensure the performance and integrity of the Australian Government Digital ID System. Finally, the bill establishes a Data Standards Chair, to consult with industry and issue data standards.
The bill will make sure the regulatory watchdog has the teeth to enforce the safeguards with a broad suite of monitoring, compliance and enforcement powers, including civil penalty provisions, enforceable undertakings, and injunctions.
The Office of the Australian Information Commissioner will advise on and enforce privacy protections, provide complaint handling for breaches of the privacy safeguards, report on privacy aspects of, and the exercise of its powers and functions as well as regulate data retention, under the legislation.
Further transparency will be provided through public registers for accredited entities—including whether they have ever had their accreditation revoked or suspended—and services within the Australian Government Digital ID System.
The regulator will be required to report annually to the minister, for presentation to parliament, on applications and approvals for accreditation or participation, and fraud or cyber security incidents and responses. Further, a statutory review of the bill will be required within two years of commencement. The scope of the review would include any supporting rules and standards made after commencement of the bill.
Conclusion
In conclusion, there have been several stages of consultation over a number of years, including an inquiry by the Senate Economics Legislation Committee, eliciting feedback from all areas of the community to ensure the bill reflects community expectations.
I would like to thank the active and ongoing engagement by industry, consumer and privacy groups—as well as the contribution made by the Senate in making amendments to the bill—to the development of this important legislation.
The bill will provide Australians with the choice to use a secure, inclusive, convenient and voluntary way to verify themselves when interacting with government and businesses online. Digital ID will allow Australians to harness the advances of new technology and its benefits across the economy, if they so choose.