Senate

Digital ID (Transitional and Consequential Provisions) Bill 2023

Explanatory Memorandum

(Circulated by authority of the Minister for Finance, Senator the Hon Katy Gallagher)

Statement of compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Digital ID (Transitional and Consequential Provisions) Bill 2023

1. The Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

2. This Bill deals with transitional matters that will arise from the enactment of the principal Bill to become the principal Act, including amending the:

a. Administrative Decisions (Judicial Review) Act 1977 (ADJR Act);
b. Age Discrimination Act 2004 (Age Discrimination Act);
c. Australian Security Intelligence Organisation Act 1979 (ASIO Act);
d. Competition and Consumer Act 2010 (Competition and Consumer Act);
e. Privacy Act 1988 (Privacy Act); and
f. Taxation Administration Act 1953 (Taxation Administration Act),

to support the operation of the principal Bill.

3. The principal Bill will establish a voluntary accreditation scheme for governments and businesses providing digital ID services in any digital ID system in Australia. Entities choosing to be accredited will be able to demonstrate that they comply with strong privacy and security safeguards.

4. The principal Bill will also enable the expansion of the Australian Government Digital ID System (AGDIS). The AGDIS will provide individuals with a secure, convenient and voluntary way to verify their ID in online transactions with governments and businesses, while protecting their privacy and the security of their personal information.

5. The Australian Government has been developing and administering an unlegislated AGDIS since 2015. The Interim Oversight Authority is responsible for safety, reliability and the efficient operation of the system. The Department of Finance (Finance) and Services Australia share this role. Services Australia has responsibility for day-to-day operational matters relating to the AGDIS, including its security and fraud control capabilities. Arrangements for the existing AGDIS are facilitated by non-binding memoranda of understanding. An existing policy framework - the unlegislated Trusted Digital Identity Framework (TDIF) - sets out technical standards for entities providing services in the unlegislated AGDIS, and provides a voluntary accreditation framework for entities who are not providing services in the unlegislated AGDIS. The Department of Finance has policy responsibility for this existing digital ID system, and conducts accreditation, approvals, compliance and issue handling.

6. Schedule 1 of this Bill will enable current policy arrangements to be translated into the legislated schemes for both the accreditation of entities by the Digital ID Regulator and the approval of entities to participate in the AGDIS. Entities that have already been accredited under the unlegislated TDIF policy may be deemed to be accredited under the principal Bill. Commonwealth TDIF-accredited entities and relying parties (as defined in memoranda of understanding) already approved to participate in the unlegislated AGDIS may be deemed to be approved to participate in the AGDIS as an accredited entity, participating relying party or relying party, for the purposes of the principal Bill.

7. TDIF-accredited entities and relying parties already participating in the unlegislated AGDIS may be deemed to be approved to participate in the AGDIS, for the purposes of the principal Bill.

8. To recognise existing arrangements and protections established under the unlegislated TDIF, these deemed accreditations and approvals to participate in the AGDIS will be subject to the relevant entities meeting certain key conditions that were imposed by the Australian Government under the unlegislated TDIF and operational structures upon the entities' accreditation, or approval to participate in the unlegislated AGDIS.

9. This Bill will also provide that the Minister may make rules, by legislative instrument, prescribing matters of a transitional nature relating to the enactment of Schedule 1 of this Bill or the principal Bill. This transitional rule-making power will provide the necessary flexibility in transitioning from the unlegislated TDIF to the new legislative framework established by the principal Bill.

10. Schedule 2 of this Bill will make consequential amendments to the following Acts to support the operation of the principal Bill in the ways described below:

a. It is intended that the Accreditation Rules will lawfully allow accredited identity service providers to refuse to create a digital ID for a person who is under a specified age, to comply with the specified age requirements under the Accreditation Rules. This conduct, which would otherwise be unlawful discrimination, will be made lawful by inserting the Accreditation Rules made under the principal Bill into Schedule 2 of the Age Discrimination Act.
b. The Minister's decision to issue a direction to the Digital ID Regulator about foreign entities, including to refuse to accredit, approve participation in the AGDIS, or to impose a condition on their accreditation or approval to participate under the principal Bill (on the basis of an adverse or qualified security assessment from ASIO) will be excluded from judicial review, by listing those decisions in Schedule 1 of the ADJR Act.
c. ASIO may provide security assessments to the Minister in relation to decisions to issue directions to the Digital ID Regulator made under Chapter 2 or Chapter 4 of the principal Bill, and to limit the notice and review processes for foreign entities in relation to security assessments by inserting relevant provisions of the principal Bill into Part IV of the ASIO Act.
d. As noted in clause 90 of the principal Bill, the initial Digital ID Regulator will be the Australian Competition and Consumer Commission (ACCC). Subsections 19(1) and (7) of the Competition and Consumer Act will be amended to reference the powers conferred upon the Digital ID Regulator under the principal Bill, to enable the Chairperson to direct that the powers of the ACCC under the principal Bill shall be exercised by a Division of the ACCC.
e. The Information Commissioner will be empowered to conduct an assessment of whether accredited entities are complying with:

i. the additional privacy safeguards set out in Division 2 of Part 2 of Chapter 3 of the principal Bill; and
ii. obligations under an APP-equivalent agreement to comply with the Australian Privacy Principles,

by inserting a new provision into the assessment powers of the Information Commissioner in section 33C of the Privacy Act.
f. The Commissioner of Taxation currently provides services within the unlegislated AGDIS under the unlegislated TDIF, as an:

i. identity service provider, providing the myGovID service; and
ii. attribute service provider, providing the Relationship Authorisation Manager service.

This Bill will confer a statutory function onto the Commissioner of Taxation to provide services, or access to services, in digital ID systems. In particular, the Commissioner will be enabled to provide services as an accredited identity service provider and an accredited attribute service provider within the AGDIS. This will be achieved through a new provision in Part IA of the Taxation Administration Act to confer a statutory function onto the Commissioner of Taxation to provide services, or access to services, within digital ID systems.

In addition, the amendments will provide broad powers for the Commissioner of Taxation to do all things necessary and convenient in connection with the performance of those functions. The Bill will make clear that the principal Bill is not a taxation law and when exercising powers and performing the new functions, the Commissioner of Taxation will be operating under the principal Bill and not under, or for the purposes of, a taxation law.

This Bill will promote rights under the International Covenant on Civil and Political Rights (ICCPR), with some reasonable, necessary and proportionate limitations to protect Australia's national security interests and key safeguards established by the principal Bill.

Human rights implications

11. This Bill will engage the following human rights:

a. The right to equality, recognition and non-discrimination in Articles 2, 16 and 26 of the ICCPR and Article 2 of the Convention on the Rights of the Child (CROC).
b. The prohibition from arbitrary or unlawful interference with privacy contained in Article 17 of the ICCPR, and also referred to in Article 16 of the CROC and Article 22 of the Convention on the Rights of Persons with Disabilities (CRPD).
c. The right to a fair trial and fair hearing primarily contained in Article 14 of the ICCPR, and also referred to in Article 40(2)(iii) of the CROC.

Prohibition on Discrimination

12. The right to equality and non-discrimination before the law is enshrined in Articles 2, 16 and 26 of the ICCPR, and Article 2 of the CROC.

13. The ICCPR defines 'discrimination' as a distinction based on personal attributes, such as race, sex or religion, which has either the purpose, or the effect, of adversely affecting human rights.

14. This principle is codified in domestic law, in the Age Discrimination Act, which makes it unlawful to discriminate on the ground of age.

15. The Accreditation Rules that will be made under the principal Bill will provide that an accredited entity must not generate a digital ID for a person if the person requesting the digital ID is less than 14 years. This obligation was broadly supported by feedback on the Accreditation Rules through public consultations undertaken in September to October 2023, in support of the principle that using a digital ID should be voluntary; that is, with the person's consent (as discussed below, in respect of a child's capacity to provide consent).

16. Item 1 of Schedule 2 of this Bill will make consequential amendments to Schedule 2 of the Age Discrimination Act to ensure that, pursuant to subsection 39(1A) of that Act, Part 4 of the Age Discrimination Act does not make unlawful anything done by a person in direct compliance with the specified age requirements of the Accreditation Rules made under the principal Bill.

17. There will be an obligation on accredited identity service providers under the Accreditation Rules to be made under the principal Bill, not to create a digital ID for children under a specified age. This specified age is intended to protect children who may not have the capacity to understand the concept of consent. Consent is a central mechanism to protect against undue interference with a young person's privacy. The specified age that will be established under the Accreditation Rules will have regard to the guidance of the Office of the Australian Information Commissioner (OAIC), which provides that people aged 15 years and above may be presumed to have capacity to consent where it is not practicable for an entity to assess the capacity of people aged under 18 on a case-by-case basis. This approach has been supported by the Australian Law Reform Commission in its review of Australian privacy law in 2007.

18. The specified age requirement to access a range of other government services reflects age limitations across various frameworks including privacy, passports, tax file numbers, Medicare, My Health Records, access to medical treatment and age of criminal liability. There is no universally agreed age where capacity of a young person is triggered. However, the age range of 13-16 years appears to be the most commonly used and is supported by the principle of an evolving capacity in children as reflected in the CROC. Submissions and feedback on a draft of the Accreditation Rules for public consultation indicate there is support for a specified age of 13 years. Further consultation is needed with stakeholders about the appropriate age to set the limit, particularly the Commonwealth Children's Commissioner and jurisdictional equivalent. This consultation will occur as part of the rule-making process to ensure a specified age is in place on commencement of the principal Bill.

19. For these reasons, the limitation on the prohibition against age discrimination is reasonable and proportionate to the objective of improving access to government and private sector services, and harmonises access with other frameworks of importance. It also balances these objectives with the protection of the rights of children to privacy.

Right to protection from unlawful or arbitrary interference with privacy

20. Article 17 of the ICCPR recognises the right that no one will be subjected to arbitrary or unlawful interference with their privacy. It also provides that everyone has the right to the protection of the law against such interference or attacks. Article 16 of the CROC and Article 22 of the CRPD contain similar rights. To the extent this right is engaged under the CROC and CRPD, the same analysis is relevant and is not repeated in this statement.

21. This right can be permissibly limited in order to achieve a legitimate objective, when the interference with privacy is for a reason consistent with the ICCPR, proportional to the ends sought and necessary in the circumstances of any given case.

22. Item 3 of Schedule 2 of this Bill will expand the definition of 'prescribed administrative action' in subsection 35(1) of the ASIO Act to include an exercise of power under Chapter 2 or 4 of the principal Bill. This amendment will provide that the Minister must not issue a direction to the Digital ID Regulator to do any of the following actions, on the basis of a communication from ASIO, unless the communication was provided in the form of a security assessment:

a. refuse to accredit an entity as a specified kind of accredited entity, impose conditions on the accreditation of an entity or suspend or revoke an entity's accreditation; and
b. refuse to approve an entity to participate in the AGDIS, impose conditions on an entity's approval to participate or suspend or revoke an entity's approval to participate in the AGDIS.

23. An entity is defined in the principal Bill as including an individual. To the extent that an individual is an entity seeking to be accredited, the measures in this Bill may engage the right to privacy.

24. Currently, ASIO's functions include communicating intelligence relevant to security, and advising Ministers in respect of matters relating to security, in so far as those matters are relevant to their functions and responsibilities. The effect of item 3 of Schedule 2 is that the communication of information or giving of advice in relation to the exercise of power under Chapter 2 or 4 of the principal Bill would be subject to the controls and safeguards included in Part IV of the ASIO Act.

25. In particular, Part IV of the ASIO Act currently provides that, subject to certain exceptions, a Commonwealth agency (which includes a Minister) cannot take, refuse to take or refrain from taking prescribed administrative action on the basis of any communication in relation to a person made by ASIO, otherwise than in the form of a security assessment. Part IV also provides that if ASIO furnishes a security assessment, then unless an exception applies, ASIO must notify the affected person of the security assessment, and that person may apply to the Administrative Appeals Tribunal (AAT) to seek merit review of the decision.

26. To the extent that an individual is affected, by including the exercise of powers under Chapter 2 or 4 of the principal Bill in the definition of prescribed administrative action, this amendment will promote the right to privacy by bringing these communications within the scope of Part IV of the ASIO Act, including the requirement to notify the affected person of an assessment and AAT review mechanisms. To the extent that these entities are individuals, their rights may be limited.

27. Item 6 of Schedule 2 of this Bill will make a consequential amendment to subsection 33C(1) of the Privacy Act, allowing the Information Commissioner to conduct an assessment of whether accredited entities are complying with the privacy requirements set out in:

a. Division 2 of Part 2 of Chapter 3 of the principal Bill, including rules made for the purposes of that Division; or
b. an APP-equivalent agreement (as defined by the principal Bill).

28. A compliance assessment under section 33C of the Privacy Act may engage the right to privacy through the sharing of personal information between the Information Commissioner and the Digital ID Regulator as well as the entity under assessment, about a person who holds a digital ID. Subjecting entities to compliance assessments will ensure that a person's personal information is being protected by the privacy requirements of the principal Bill and APP-equivalent agreements. Accordingly, this limitation on the right to privacy will be reasonable and necessary to achieve the legitimate objective of protecting personal privacy in respect of a digital ID system.

29. This limitation on the right to privacy will be lawful because the amendment to subsection 33C(1) of the Privacy Act will rely on established legal processes for compliance assessments to be carried out under the Privacy Act. This limitation will not be arbitrary, as it will apply to an ascertainable class of persons (accredited entities) and will only relate to the privacy requirements set out in Division 2 of Part 2 of Chapter 3 of the principal Bill or an APP-equivalent agreement.

30. For the reasons set out above, the amendments to the ASIO Act and the Privacy Act will place reasonable, necessary and proportionate limitations on the right to protection from unlawful or arbitrary interferences with privacy.

Right to a fair and public hearing

31. The ICCPR establishes rights to due judicial process and procedural fairness. Article 14 provides that all persons are equal before the law, and are entitled to a fair and public hearing before a competent, independent, and impartial tribunal established by law.

32. Items 2 and 4 of Schedule 2 of this Bill will impose reasonable, necessary and proportionate limitations on the right to a fair and public hearing. In particular, these items will limit procedural fairness for entities that are not Australian entities (as defined by the principal Bill), by excluding them from notice and review rights in certain circumstances.

33. Item 4 of Schedule 2 of this Bill will exclude from the notice requirements and review mechanism set out in Part IV of the ASIO Act, security assessments given by ASIO in respect of entities that are not Australian entities, for the Minister to consider in deciding whether to issue a direction to the Digital ID Regulator under Chapter 2 or 4 of the principal Bill. For example, directing the Digital ID Regulator to refuse to accredit an entity or approve an entity to participate in the AGDIS.

34. These exclusions will be reasonable and necessary to protect Australia's national security interests; as disclosing knowledge of any affiliation the entity might have with a foreign power, through notice and review mechanisms under Part IV of the ASIO Act, could prejudice ongoing security-related investigations, sources and capabilities.

35. The impact on procedural fairness will also be proportionate to the goal of protecting Australia's national security, as the exclusion of notice and review rights will be targeted at entities that are not Australian entities. By comparison, Australian entities will be able to rely on the notice and review provisions set out in Part IV of the ASIO Act, including in respect of a decision made under Chapter 2 or 4 of the principal Bill for reasons of security related to another entity that is not an Australian entity.

36. Item 2 of Schedule 2 of this Bill will amend Schedule 1 of the ADJR Act to exclude decisions made under the principal Bill, in relation to entities that are not Australian entities, from judicial review under the ADJR Act. As discussed above, the exclusion of judicial review in this context will be reasonable and necessary to preserve Australia's national security interests.

37. The exclusion of judicial review under the ADJR Act will also be proportionate as it will be limited to specific decisions made for reasons of security (not any reason). The judicial review rights of Australian entities will be unaffected. Additionally, all entities will maintain judicial review rights with respect to such decisions under section 75(v) of the Australian Constitution and section 39B of the Judiciary Act 1903.

Conclusion

38. This Bill is compatible with human rights because any limitations will be reasonable, necessary and proportionate to the ends sought.
