Senate

Digital ID (Transitional and Consequential Provisions) Bill 2023

Second Reading Speech

Senator GALLAGHER (Australian Capital Territory - Minister for the Public Service, Minister for Finance, Minister for Women, Manager of Government Business in the Senate and Vice-President of the Executive Council)

I table the explanatory memoranda relating to the bills and move:

That these bills be now read a second time.

I seek leave to have the second reading speeches incorporated in Hansard.

Leave granted.

The speeches read as follows -

DIGITAL ID BILL 2023

Today, the Government is introducing the Digital ID Bill. This Digital ID Bill will put in place the legislative framework to create an economy-wide Digital ID system in Australia.

Digital ID is a secure, convenient and voluntary way to verify who you are online against existing government-held identity documents without having to hand over any physical information. Digital ID is not a card, it's not a unique number, nor a new form of ID.

Data breaches, such as Optus and Medibank, impacting millions of Australians shows the need to protect people and their identities. This Bill will help to address this challenge. The Digital IDs enabled by this Bill will avoid the need for Australians to repeatedly share their ID documents, and reduce the need for government or business to retain documents that could then be at risk.

This Bill does four things to ensure Australians are in control of their Digital IDs and their Digital IDs are safeguarded:

First, the Bill will legislate and strengthen an existing voluntary accreditation scheme for digital ID providers

Second, the Bill will legislate and enable the expansion of the Australian Government Digital ID System so protections for Digital IDs are in place across the economy

Third, the Bill will embed in place privacy and consumer protections additional to those in the Privacy Act, and

Fourth, the Bill will strengthen the governance for an economy-wide Digital ID system by establishing a Digital ID Regulator, Systems Administrator and Data Standards Chair to ensure privacy and consumer protections in the Bill will be met.

The voluntary Accreditation Scheme

The voluntary Accreditation Scheme in the Bill will enable more Digital ID providers to demonstrate that they meet strong privacy protections, security safeguards, and accessibility requirements.

The Bill will replace an existing unlegislated policy framework for accreditation -the Trusted Digital Identity Framework -with a legislated Accreditation Scheme for public and private sector Digital ID providers.

The Bill will ensure only trustworthy and reliable private and public sector entities are accredited to provide Digital ID services to Australians. Accreditation Rules made under the Bill will set out a range of requirements for each type of service an entity can be accredited for by the Digital ID Regulator.

The Bill will ensure there are real consequences for accredited providers if they do not meet the high standards of their accreditation. The powers of the Regulator in the Bill to suspend, revoke or cancel accreditations will ensure the Accreditation Rules and the safeguards and privacy protections in the Bill are adhered to.

The Bill will provide for a Trustmark for accredited providers to build consumer trust and awareness of Digital IDs, imposing civil penalties on entities who falsely promote their services as meeting the strict requirements of accreditation.

The Accreditation Scheme will give Australians who choose to create, use or reuse a Digital ID issued by an accredited provider, greater confidence that their personal information is being protected.

The Australian Government Digital ID System

The existing, unlegislated Australian Government Digital ID System is well established with more than 10.5 million myGovIDs which can be used to access more than 130 government services.

However, the current system has limitations. It is not national - myGovID can only be used to access government services, and private sector services can't currently use myGovID to verify their customers. This falls short of the vision for a national, economy-wide system. The Digital ID Bill provides a legislative basis for broader use of Digital IDs via a phased expansion of the Australian Government Digital ID System to include state, territory and private sector entities who choose to participate.

Consistent with the phased approach to expansion, the Bill provides for the Digital ID Regulator to manage arrangements for other matters including statutory contracts between participants, liability and charging for providers and connected services, in the future.

The Australian Government Digital ID System is based on the principle that people can choose which Digital ID provider they use to access any website, app or other service that is connected to the system. In the legislation ·this is called the interoperability obligation.

The Minister will however have discretion to exempt some government services from this obligation and only allow a single Digital ID provider, such as myGovID. Exemptions will only be granted in limited circumstances, such as for government services where there is potential for identity fraud to have a significant impact on the financial circumstances of individuals or businesses in Australia.

For example, services within Australia's tax and transfer system, which currently enable about $154 billion per year in tax refunds, and our social security system, which supports about $220 billion in payments per year, present prominent fraud targets where it is critical to carefully manage risk.

Additional Privacy and Consumer Safeguards

Privacy protections in the Bill are designed to ensure that Digital IDs meet community expectations.

The Bill contains a comprehensive range of privacy protections applying to the Accreditation Scheme that will operate in addition to existing protections in the Commonwealth's Privacy Act. If the Commonwealth Privacy Act does not apply, the Bill will ensure that accredited providers are subject to equivalent privacy protections.

The Bill includes measures that will protect Australians' sensitive information, such as their passports, birth certificates, driver licences, Medicare cards and biometric information that they may use to verify their identity, by:

requiring express consent to create a Digital ID and before information about them can be collected, used or disclosed to a service they wish to access;
requiring accredited providers to deactivate a person's Digital ID if they withdraw their express consent at any time; and
prohibiting accredited entities from collecting particularly sensitive types of personal information, such as a person's political opinions or sexual orientation.

The Bill addresses the risk of commercialisation and misuse of Digital IDs in the economy by:

preventing data profiling or tracking of a person's activities using a Digital ID; and
preventing personal information from being disclosed for marketing purposes.

The Bill contains safeguards over law enforcement access to Digital ID information held by accredited entities. Access to this information will require a warrant, unless it is being disclosed with consent, or disclosed for the purpose of an accredited entity reporting Digital ID fraud and cyber security incidents.

The Bill includes measures to ensure the Digital ID Regulator will be notified of any data breaches of accredited providers under Commonwealth, state or territory data breach schemes to facilitate quick mitigation of the risk, or remediation of the breach. If there is no state-based scheme, the Digital ID Bill requires the entity to report breaches under the Commonwealth scheme.

To ensure these protections are meaningfully regulated and enforced, the Bill will give the Information Commissioner a full suite of investigative and compliance powers. If an accredited entity breaches any of the privacy protections, they can be liable for a civil penalty.

Those less able, or willing, to get a Digital ID should not be left behind. An essential safeguard in the Bill is that Digital ID will continue to be voluntary for individuals accessing government services through the Australian Government Digital ID System. The Bill will require Australian Government agencies to continue to provide alternate channels for people to access services.

Where an individual is accessing Australian Government services on behalf of a business (or in another professional capacity) a Digital ID may be required because Digital IDs help address the increased fraud risk associated with some business services.

The Regulator will monitor and regulate the compliance of entities participating in the Australian Government Digital ID System and may impose civil penalties for any breaches.

These safeguards will help ensure people who choose to create and reuse Digital IDs can be confident that their information is safe and secure, and that their privacy will be protected.

Strengthened Governance Arrangements

The Bill will establish the Australian Competition and Consumer Commission as an independent Digital ID Regulator with responsibility for overseeing the Accreditation Scheme and the Australian Government Digital ID System.

The Bill will also provide for the System Administrator to perform day-to-day operational matters to ensure the performance and integrity of the Australian Government Digital ID System. Finally, the Bill establishes a Data Standards Chair, to consult with industry and issue data standards.

The Bill will make sure the regulatory watchdog has the teeth to enforce the safeguards with a broad suite of monitoring, compliance and enforcement powers including civil penalty provisions, enforceable undertakings, and injunctions.

The Office of the Australian Information Commissioner will advise on and enforce privacy protections, provide complaint handling for breaches of the privacy safeguards, and report on privacy aspects of, and the exercise of its powers and functions, under the legislation.

Further transparency will be provided through public registers for accredited entities-including whether they have ever had their accreditation revoked or suspended-and services Within the Australian Government Digital ID System.

The Regulator will be required to report annually to the Minister, for presentation to Parliament, on applications and approvals for accreditation or participation, and fraud or cyber security incidents and responses. Further, a statutory review of the Bill will be required within two years of commencement. The scope of the review would include any supporting rules and standards made after commencement of the Bill.

Conclusion

I would like to thank the active and ongoing engagement by industry, consumer and privacy groups in the development of this Bill. There have been several stages of consultation over a number of years eliciting feedback from all areas of the community to ensure the Bill reflects community expectations.

This Bill will provide Australians with the choice to use a secure, convenient and voluntary way to verify themselves when interacting with government and businesses online. Digital ID will allow Australia to harness the advances of new technology and its benefits across the economy.

DIGITAL ID (TRANSITIONAL AND CONSEQUENTIAL PROVISIONS) BILL 2023

The Digital ID (Transitional and Consequential Provisions) Bill 2023 operates in conjunction with the Digital ID Bill 2023 (the principal Bill) and supports the principal Bill in two ways.

Transitional arrangements

First, this Bill provides for a smooth transition from the unlegislated Trusted Digital Identity Framework {TDIF) for accreditation of digital ID services to the Digital ID Accreditation Rules under the Digital ID Bill. Second, the Bill clarifies the arrangements for transitioning participants in the unlegislated Australian Government Digital ID System (AGDIS) to the legislated AGDIS set out in the principal Bill.

Specifically, it provides that certain Commonwealth entities which are already accredited under the Government's existing unlegislated TDIF policy framework will be taken to be accredited under the Accreditation Scheme established by the principal Bill. This avoids those entities needing to re-apply for accreditation to the new Digital ID Regulator when they have already achieved accreditation against substantially the same requirements.

In addition, certain Commonwealth entities which are currently participating in the unlegislated AGDIS will be taken to be participating in the AGDIS that is regulated by the principal Digital ID Bill. This avoids those entities needing to re-apply to the new Regulator to participate in the AGDIS under the Bill. This will help ensure these entities can continue providing uninterrupted services to the Australian community upon the commencement of the principal Bill, which will apply additional privacy and other safeguards.

To further support these transitional arrangements, this Bill also provides that the Minister may make certain rules by legislative instrument-allowing prescription of matters of a transitional nature for up to 12 months to address any unforeseen circumstances arising after the commencement of the principal Bill. However, rules cannot be made that accredit an entity under the Bill or approve an entity to participate in the AGDIS once the Bill has commenced.

Rules can be made, after commencement of the Bill, to provide for entities that are accredited under the current unlegislated arrangements, or achieve accreditation under those arrangements before the Bill commences, to be taken to be accredited under the principal Bill. The rules can also provide for entities participating in the unlegislated AGDIS to be taken to be participating in the AGDIS under the principal Bill. This rule making power is provided to manage the transition to the Accreditation Rules to be made under the principal Bill, and complex information technology infrastructure changes (in terms of participation) that are not known at the time of the Bill's introduction.

Consequential amendments

The second key function of this Bill is to amend relevant Commonwealth legislation to ensure that the principal Bill operates as intended.

This Bill amends six Acts:

First, this Bill makes a consequential amendment to Schedule 1 of Administrative Decisions (Judicial Review) Act 1977 to exclude from judicial review under that Act decisions made by the Digital ID Regulator under the principal Bill on the basis of security assessment of foreign entities provided by the Australian Security Intelligence Organisation (ASIO). This will mean that decisions made to protect Australia's national security cannot be challenged by foreign entities under that Act.
Second, this Bill makes a consequential amendment to Schedule 2 of the Age Discrimination Act 2004 to exclude from the operation of Part 4 of that Act anything done by a person in direct compliance with the minimum age requirements of the Accreditation Rules to be made under the principal Bill. This will mean that obligations on accredited entities about the minimum age at which they can facilitate a child create a digital ID will be lawful.
Third, this Bill makes consequential amendments to the Part IV of the Australian Security Intelligence Organisation Act 1979 to allow ASIO to provide security assessments to the Minister in relation to decisions the Minister may make under the principal Bill, and to limit the notice and review processes for foreign entities in relation to security assessments. Again, these amendments protect Australia's national interest.
Fourth, this Bill makes consequential amendments to the Competition and Consumer Act 2010 to establish the Australian Competition and Consumer Commission as the Digital ID Regulator.
Fifth, this Bill makes a consequential amendment to the Privacy Act 1988 to give the Information Commissioner, as regulator of the additional privacy safeguards in the principal Bill, power to conduct certain assessments. These are assessments as to whether personal information is being maintained and handled by accredited entities in accordance with the additional privacy protections provided in Chapter 2 of the principal Bill; and assessments as to whether a state or territory which has agreed to comply with the Australian Privacy Principles in the Privacy Act is complying with those Principles.
Sixth, this Bill makes consequential amendments to the Taxation Administration Act 1953 to give the Taxation Commissioner functions that allow the Commissioner to offer accredited identity provider services and accredited attribute provider services to non-Commonwealth participants in the AGDIS.

Conclusion

The Bill that the Government is introducing today sets out transitional and consequential arrangements that, together, ensure an orderly, efficient and fair transition to the new statutory framework under the Digital ID Bill 2023.

The PRESIDENT: In accordance with standing order 115(3), further consideration of these bills is now adjourned to 28 February 2024.