Date posted: 10/10/2023

Submission to the draft Bill and Rules for Australia’s Digital ID framework

We welcome the establishment of a digital ID framework and highlight areas of the draft Bill and Rules that should be strengthened.

In brief

  • When accreditation is varied or revoked, the accredited party to inform users of its services
  • Where there is a change of control, the incoming party to apply for accreditation prior to taking control
  • Compliance assessments to be on a rolling program and only undertaken by the Regulator or their delegate

The Minister for Finance released for consultation a draft Bill and Rules to establish Australia’s digital ID framework. The intent is to allow private enterprises to provide digital ID platforms and for those platforms to be able to interact with the Australian Government digital ID platform.

We welcome progress in establishing a digital ID for Australians and, in our submission, raise areas where the Bill and Rules should be strengthened.

Varying, suspending and revoking accreditation

The Bill and Rules outline how the Regulator will interact with an accredited party where the Regulator varies, suspends or revokes their accreditation.

The Bill and Rules are silent on the obligation of that accredited party to inform users of a change in their accreditation and the impact on their services. It is unclear if users can still rely on the service and, where accreditation is revoked, what will happen to the personal information held by the accredited party.

We call for the Bill and the Rules to require a participating party to notify its users of any change in their accreditation status, advise what will happen to the personal information held and provide contact details if an individual has further queries.

Changes in name and changes in control of corporations

Where an accredited party changes its name, or there is a change of control, the Bill and Rules require notice of that change to be provided to the Regulator.

The Bill and Rules are silent on the obligation of that accredited party to inform users of the change in name or change in control. Where there is a change of control, the incoming party simply notifies the Regulator and is not required to apply for accreditation.

It is critical that users of a service are aware of why and when a party changes its name and, where this is a result of a change of control, that the new party has been assessed against accreditation requirements before taking control of another accredited party.

Therefore, the Bill and the Rules should require a participating party to notify its users of any change in their name or a change in control and require an incoming entity to apply for accreditation prior to taking control of an accredited entity.

Compliance assessments

The Bill and Rules only require compliance assessments on request of the Regulator and allow the party being assessed to appoint their own assessor. This introduces a significant risk to the framework and raises an apparent conflict of interest.

Instead, the Bill and Rules should allow for a rolling program of compliance assessments which can only be undertaken by, or on behalf of, the Regulator.

Interaction with other laws

While the Bill and Rules aim to establish the framework for Australia’s digital ID, consideration must be given to how new legislation will interact with existing legislation.

The implementation of the digital ID regime should also consider how a digital ID interacts with other regimes and seek changes to relevant legislation where using a digital ID would be beneficial.

Examples include how digital IDs can satisfy customer due diligence in the anti-money laundering and counter-terrorism regime, and how digital IDs can be relied on to access services using data transferred through consumer data right channels.

Conclusion

We welcome the establishment and expansion of the Australian Government Digital ID framework and will continue to work with the Government to ensure Australians can trust the framework to keep their personal information secure.