Consultation moves forward with position paper release.

The federal government has provided the most comprehensive look at planned legislation for the expansion of its federated digital identity scheme to state and territory governments and the private sector.

The Digital Transformation Agency on Thursday released a position paper [pdf] for consultation ahead of the planned introduction of the legislation, dubbed the ‘Trusted Digital Identity Bill’, to parliament in “late 2021”.

It follows a first round of public consultation last year on the development of the bill, which will enshrine governance and privacy protections, including some of those within the trusted digital identity framework (TDIF), in law.

The legislation is necessary for state and territory governments, as well as the private sector, to apply for accreditation. Only the Australian Taxation Office’s myGovID credential and Australia Post’s Digital iD credential are currently accredited under TDIF.

It is expected to “include subject matter that will not need to regularly change to keep pace with technical developments”, with other rules and other written guidelines and policies to be used to “outline technical information and requirements detailing how the system operates”.

The paper reveals few changes to the scheme’s planned whole-of-economy expansion since the first consultation, with privacy and consumer safeguards and plans for an independent Oversight Authority – which will assume the DTA’s interim role – the same.

While the DTA is still “considering which agency is best suited to provide staff to the Oversight Authority”, it has suggested either Treasury, the Australian Competition and Consumer Commission or the Department of Prime Minister and Cabinet.

The planned accreditation of government agencies and private sector firms also remains largely the same, though the DTA appears to have added a second tier for those wanting TDIF accreditation but not wanting – or ready – to participate in the system.

Those entities, dubbed ‘TDIF providers’, will need to meet the same privacy standards as ‘accredited providers’, though will not be subject to the liability and redress framework, charging and most civil penalties.

“This means government bodies or companies which choose to be TDIF-accredited for roles they perform in their own digital identity systems can rely on TDIF accreditation to build trust in their systems without being subject to the entirety of the legislation,” the paper states.

One key change to the proposed legislation is a planned ‘interoperability principle’ that will require “participants generating, transmitting, managing, using or re-using digital identities to provide a seamless user experience with the digital identity system”.

Under the principle, identity providers will be “expected to provide their services to any relying party”, while relying parties will need to “provide their customers with a choice of identity providers”.

The Oversight Authority is expected, however, to offer exemptions to identity providers and relying parties in “limited circumstances” such as when there are “legitimate security concerns warranting an identity provider not to be used by a relying party”.

The position paper also clarifies that participants will not be prohibited from “connecting to and participating in other digital identity systems” after some private sector stakeholders raised concerns during the first round of consultation.

But participants that choose to do so will need to “put in place technical and business solutions” that “clearly delineate which digital identity activities are conducted through the digital identity system and through another digital identity system”, for instance.

On the privacy front, state and territory government agencies participating in the scheme “will now have greater ability to adhere to local privacy legislation instead of federal privacy law, where legislation exists in their jurisdiction”.

“This change is designed to provide greater flexibility and autonomy for state and territory agencies to align with other federal legislation and make it easier for state and territory government entities to participate,” the paper states.

State and territory government agencies not subject to the Privacy Act or a comparable notifiable data breaches scheme will also be required to provide a statement to the Oversight Authority if a suspected data breach has occurred.

Other additional privacy rules have also been added, including “more flexibility for the Oversight Authority to make additional rules about profiling and keeping biometric information, and new prohibitions on both speculative and behavioural profiling”.

The legislation is also expected to ensure digital identity remains voluntary for individuals, though there will be circumstances where a relying party can apply for an exemption “to the requirement of providing an alternative channel to digital identity to access their service”.

Other key features of the digital identity system will also be embedded in the legislation, including a requirement that “identity providers and credential service providers… delete biometric information when the purpose for which it was provided is completed”.

The position paper details no changes to plans to introduce a charging model to “retrospectively recover the cost of the design and build of the initial system”, despite opposition from some state governments and industry groups.

The government will not charge “users for the use of digital identity”, though the legislation is not expected to “regulate fees charged by relying parties to an individual wanting to access its service(s) using the system”.

Submissions to the consultation will close on July 15.

