OAIC wants legislation seeking to expand digital ID services to be more aligned with CDR
The DTA's proposed digital identity services Bill needs clearer consent definitions and further restrictions on law enforcement data access before it is enlivened, Australia's information commissioner says.
The Digital Transformation Agency's (DTA) Trusted Digital Identity Bill is in its final phase of development before it is introduced into Parliament. The Bill seeks to expand the application of Australia's federal digital identity system to state and territory governments and the private sector.
While the federal government already has its Trusted Digital Identity Framework in place, the framework is only applicable to federal government entities and not applicable to states and territories or the private sector. The Bill, if passed, would create another framework that allows state and territory governments and the private sector to facilitate online transactions requiring a digital identity, which the DTA hopes will reduce friction and delay in online environments.
In this final phase, the DTA has been calling for relevant stakeholders to review the Bill's exposure draft, with the Office of the Australian Information Commissioner (OAIC) calling for various privacy changes ranging from consent definitions to alignment with other government regimes to limiting law enforcement access.
On the consent front, the OAIC -- which is set to be the regulator of the legislation's privacy requirements -- said the Bill should explicitly limit the maximum duration of an enduring consent to disclosure of attributes to 12 months.
Under the exposure draft, there is currently no expiry date for a person's consent when it comes to their digital identity being accessible by an entity providing digital identity services.
The OAIC added that consent definitions contained in the Bill should align with the Consumer Data Right (CDR) in being voluntary, informed, and specific.
"Alignment between privacy obligations is essential to promote clarity for individuals and regulated entities," the OAIC said.
For instances where a cybersecurity or digital fraud incident has occurred, the OAIC also said the Bill should be amended so that only one accredited entity or participating relying party is required to notify affected individuals or businesses in relation to the particular incident. The privacy regulator said limited notifications would prevent people from having notification fatigue.
"The OAIC is concerned that the numerous notifications to individuals will lead to notification fatigue such that individuals will no longer treat notifications as serious," the regulator said.
The OAIC also strongly recommended that law enforcement access to digital identity information for non-biometric information be limited further to only permit access to address misuse or fraud within the digital identity system, or pursuant to a warrant.
The current drafting of the Bill allows law enforcement access to digital identity information so long as it has reasonable suspicion a person has committed an offence or breached a law.
The Commonwealth Bank of Australia, meanwhile, has submitted to the DTA that biometric data retention by digital identity service providers should be expanded to allow them to retain data when undertaking digital identity fraud investigations.
As the DTA prepares for the potential digital identity framework expansion, the agency's digital sourcing strategy director Ben Leech said accessibility would be at the core of any future services it builds.
"When it comes to delivering quickly, having accessibility built in to the way we build and design all of our services, means that it's not an afterthought," Leech said on Tuesday afternoon, who spoke in a panel at the Pegasystems' annual evolve for government APAC event.
"I think that's really important because backwards engineering something to add in accessible features down the track: one it doesn't work, two you're usually rushing things, and three, it slows down the process that was meant to be the quick process anyway."