The TDI Bill was tipped to be tabled earlier this year, having largely slipped under the radar. NSWCCL has concerns that this Bill lacks some important privacy safeguards.
Background
The Australian government recently consulted the community on the draft Trusted Digital Identity Bill 2021 (Bill), a package consisting of a Trusted Digital Identity System (TDIS) and the Trusted Digital Identity Framework (TDIF). The draft Bill encompasses a federal accreditation framework for Digital Identity services which will enable the States and Territories and the public and private sector to use the TDIF and TDIS to verify the identities of people and businesses they deal with online. It also sets out the requirements that applicants need to meet to achieve accreditation.
Currently, Australia Post, the ATO and OCR labs have been granted accreditation. The Australian Government is accrediting a number of other businesses under the TDIF as a part of testing the readiness of the Australian Government Digital Identity System to expand beyond the Australian Government. As of this post, the Bill is yet to be introduced into parliament.
What does the Bill do?
The TDIF allows individuals to choose their accredited, identity provider and access a range of public and private sector services through a single digital identity credential. It purports to provide Australians with a simple, safe and secure way of verifying their identity. It is voluntary.
What are NSWCCL's concerns?
- Alternatives to digital access - There should be equity in the use of the system and a digital identity must not be a precondition to access basic services and rights. Analogue pathways (non-digital systems for identity verification) should be maintained.
- Valid Consent - To be valid under privacy law, consent must be voluntary, informed, current and specific, and given by a person with capacity. Australasian privacy regulators have cautioned against an over-reliance on informed consent. This ‘notice and consent’ model puts the burden of protecting privacy on an individual and limits their choice to ‘all or nothing’. Furthermore the TDIF does not give the individual the option to control what is disclosed.
- Opt-out Mechanism - NSWCCL agrees with the Privacy Commissioner Samantha Gavel that “a specific mechanism enabling an individual to opt-out of the system after they have created a Digital Identity should be included in the legislation”.
- Centralised Model - In a centralised model, Identity Providers consolidate information in one place and risk becoming a single point of failure. There is the potential for ‘function creep’ where an agency uses the data for something other than its original purpose (e.g., for surveillance and monitoring).
- Biometric Technology - The key TDIF restrictions on the use of biometrics are not set out anywhere in the legislation. NSWCCL calls for a moratorium on the collection and use of biometrics (including facial recognition) for authentication purposes, until appropriate privacy safeguards are in place.
- Data Retention and Destruction - NSWCCL recommends incorporating additional safeguards regarding retention and/or disposal of personal information by an identity provider.
- Third Parties - NSWCCL has concerns regarding the requirements of privacy compliance in jurisdictions outside Australia and recommends that there should be independent oversight of third-party compliance with the same strong privacy and integrity safeguards as those that apply to the TDIS.
- Authorisation Process - NSWCCL agrees with the OAIC’s recommendation to provide further detail about the authorisation process for identity service providers. There needs to be additional protections around authorisations for participating relying parties.
- Data profiling - Safeguards need to be introduced to prevent the connection of identifying attributes which may lead to individual profiling and the commercialisation of information.
- Independent Oversight Authority - The Oversight Authority should be independent and appropriately resourced alongside the OAIC as independent privacy regulator of the TDIF and TDIS.
- Onboarding - NSWCCL submits that it should be a mandatory requirement that all onboarded applicants enter into a trusted provider agreement with the Commonwealth.
More information:
- NSWCCL Submission: Digital Identity Legislation Position Paper 16 July 2021
- Exposure draft: Trusted Digital Identity Bill 2021
- About digital identity (the government explainer)
- The government wants to expand the ‘digital identity’ system that lets Australians access services. There are many potential pitfalls The Conversation 26 Oct 2021
By Susan Murray