The federal government has unveiled an exposure draft of planned digital identity legislation, with the ACCC named in it as the preferred digital ID regulator.
In a speech to the Australian Information Industries Association yesterday, finance minister Katy Gallagher announced an exposure draft [pdf] of the Digital ID Bill 2023, as well as a consultation lasting until October 10.
Gallagher said the government has “thought long and hard about the principles that should guide an Australian Digital ID system,” and decided “it should be secure, convenient, voluntary, and inclusive.”
The aim of the legislation, Gallagher said, is to overcome various limitations of the current system, which has come into being without legislation.
“It is not national – the Commonwealth can only verify people biometrically against their passports, not against their driver licence or other ID documents issued by state and territory governments,” Gallagher said.
“MyGovID can only be used to access government services, limiting the choice that people may have.
“And private sector providers can't currently verify people biometrically against their government-issued ID documents.”
Gallagher outlined a four-phase process for the digital ID rollout, with phase one establishing the ID in legislation that also provides for regulation and accreditation of public and private providers.
In the second phase, Gallagher said, state and territory digital IDs will be recognised for accessing Commonwealth government services.
In phase three, myGovID will be recognised by the private sector – for example, when opening a bank account; while in phase four, the government will begin recognising private sector digital IDs.
The ACCC’s regulatory role will cover accrediting digital ID services, approving which services can take part in the Australian government digital ID service, and enforcing legislative compliance for providers and services.
Privacy aspects of the scheme will be regulated by the Information Commissioner.
The proposed Digital ID rules [pdf] accompanying the legislation also impose cyber security incident reporting obligations on digital ID providers and services.
Security breaches would have to be reported to authorities within 24 hours of the provider or service becoming aware of them.
The same reporting period would apply if a digital ID participant became aware of someone’s credentials being fraudulently accessed.
Providers would also have to provide risk assessments to the government for the IT systems they use for digital ID services.
The previous government offered an exposure draft of a Trusted Digital Identity Bill in 2021, but it never progressed past the draft phase.