National Digital ID could be here by 2024

Having a Digital ID in this day and age is as ordinary as having a physical wallet to carry documents. In fact, it now may be more popular. While Australians are certainly used to having digital versions of their documents available on their phone (the Service NSW app stores driver’s licenses and other certificates), there isn’t yet a unified digital identification system on a Federal Government level.

In September, the Albanese Government released a draft of the Digital ID Bill for public consultation. It ended on 10 October.

While the Government now prepares to present the final version of the Bill to parliament, LSJ looks at the main points of the bill, how it will change the lives of Australia’s citizens and businesses, and how it addresses the concerns of cybersecurity after breaches on Medibank, Optus and HWL Ebsworth earlier in the year.

What is the Digital ID Bill?
Over 10 million people in Australia use the Digital ID system set up in 2015 to access government services, allowing them to verify their identity without having to provide their personal documents (driver’s license, passport, etc).

The proposed bill, if passed, moves the Digital ID to a nationally regulated system accessible by the public and private sectors, regulated by the ACCC, to ensure safer protections – the Australian Government Digital ID System (AGDIS).

“The current system – operating without legislation – allows people with a Digital ID to verify their identity without repeatedly providing copies of their most sensitive documents for certain online services,” said the Minister for Public Service, Katy Gallagher.

“But the current system has limitations. It is not national – the Commonwealth can only verify people biometrically against their passports, not against their driver’s licence or other ID documents issued by state and territory governments.”

The bill also provides private businesses a way to verify customers without storing data. In the wake of several significant data breaches that affected millions of Australian consumers, particularly Medibank and Optus, Gallagher believes this new system can increase security and reduce identity theft cases in Australia.

Businesses, Gallagher claims, have in this new system “a trusted, consistent, and cheaper way to protect their customer’s information.

According to figures by the Australian Bureau of Statistics released in February this year, two-thirds of Australians over 15 years old were exposed to scams in the last 12 months, including card fraud and identity theft last year. It’s believed more than $3bn was lost.

A question of security
According to a recent CoreData research, seven in 10 Australian consumers are concerned about online risks and data breaches, with over 90 per cent showing more concern about the safety of private information

The solution proposed by the Government on the bill is establishing an independent ID regulator, with the Australian Competition and Consumer Commission (ACCC) taking responsibility.

The ACCC will be responsible for accrediting Digital ID services against legislated Digital ID Accreditation rules, approving which services can participate, and ensuring providers and services keep users’ information safe. Services Australia regulates all the operational aspects of the system, including security and performance.

To guarantee security, the bill puts in place a series of safeguard and security measures, requiring all information and communication to be encrypted and all data breaches reported, limiting access so that private and public agencies can only access the system for identity verification purposes (with the consent of the individual), reinforced privacy protections, and penalties to those that do not comply with these terms.

To the Government, this intends to reduce the impact of future data breaches and deliver faster assistance to people and businesses impacted by scams.

The Australian proposal follows other countries that have been rolling out similar systems. The European Union started rolling out its ID Digital Wallet earlier this year with the intent to be adopted by over 80 per cent of the Union’s population by 2030. Trials began in Finland this year.

“EU citizens not only expect a high level of security but also convenience whether they are dealing with national administrations such as to submit a tax return or to enrol at a European university where they need official identification,” clarified EU Commissions of Internal Market, Thierry Breton

The final goal expects EU citizens to use the service to travel between countries within the Union, open bank accounts, store medical prescriptions, rent a car, or check in at a hotel.

But in Australia, where data breaches are still in consumers’ minds, the service’s potential can be outshined by the need for more confidence in storing private data.

Only one year ago, ABC reported hackers were selling ATO and MyGov log details and personal information.

There is fundamental difference between ATO/MyGov and the AGDIS. In first two, information is stored in the account, easily accessible by the user via a two-step verification process. The current proposal for the AGDIS requests a complex encryption process that can only be shared with the user’s express approval.

In the European Union, the information is stored in a wallet (called European Digital Identity Wallet, or EUDI) that, if finally approved, will be tested for security breaches before the final rollout.

Next steps
Consultation on the bill has ended, and the final version will be presented to the House of Representatives, which is expected to pass, before going to the Senate.

Gallagher believes the AGDIS will start its rollout in 2024. “Building on the vision for a Digital ID system that is secure, convenient, voluntary, and inclusive, the legislation that will be introduced into the Parliament will address trust, data protection and choice,” she said.

When the legislation passes, it will see phased expansion beyond the Commonwealth services. In Phases 1 and 2, the expansion will enable the reciprocal use of Digital ID in Commonwealth State and Territory services, Phase 3 expands it to private sector services, and a final Phase 4 allows accredited private sector Digital IDs to verify citizens when accessing government services.