Understanding Australia’s Digital ID Acts

profile picture Amba Karsondas 7 min read
A woman smiling whilst sitting down and using a laptop.

Australia’s Digital ID Acts mark a significant milestone for Digital ID use across the world.

Having just received Royal Assent, the Acts aim to provide people with a secure, convenient way to prove their identity online. Here’s some of the key information you need to know.

 

What are Australia’s new Digital ID Acts?

Australia’s Digital ID Acts are made up of two different (but similarly named) pieces of legislation. These are the Digital ID Act 2024 and the Digital ID (Transitional and Consequential Provisions) Act 2024. Together, they are known simply as “the Digital ID Acts”.

 

Why has Australia passed the Digital ID Acts?

Nowadays, people are able to complete many of their everyday tasks online. This includes managing healthcare appointments, banking and accessing education. But to ensure that people are accessing the right services for them, organisations need to verify each user’s identity.

As a result, the Australian government has passed the Digital ID Acts. These sit as part of its broader digital transformation agenda. The Acts enable users to prove their identity to organisations online through the Australian Government’s Digital ID System (AGDIS).

Each user can create a digital ID which they can use to prove who they are and share specific information about themselves. The digital ID is reusable, reducing the need for people to repeatedly share their documents, such as passports and driving licences, with organisations.

The Acts aim to establish a standardised and secure identity verification system that reduces the need for manual checks and paperwork. Not only do digital IDs make transactions faster, but they lessen the need for people to carry around their physical documents. This lowers the risk of documents being lost or stolen which can, in turn, help decrease the risk of fraud and identity theft.

 

Who is affected by Australia’s Digital ID Acts?

Australia’s Digital ID Acts set out rules and standards for the creation, verification and use of digital IDs in Australia. As such, they’ll impact the following parties:

  • state and territory governments, who will be covered by the expansion of the use of the AGDIS to verify identities, and; 
  • digital ID service providers who wish to be accredited under the accreditation scheme.

In doing so, it will also impact individuals by aiming to create a secure, convenient, voluntary and inclusive way of identity verification. 

 

What’s the current state of Digital ID legislation in Australia?

In 2015, the Australian government created the Trusted Digital Identity Framework (TDIF), which allowed citizens to access government services through a government-issued digital ID called “myGovID”. The newly passed legislation now replaces the TDIF with the AGDIS.

It also established an accreditation scheme for digital ID service providers. Providers from both the public and private sector were permitted to participate in the framework, so long as digital ID service providers met minimum standards and rules outlined in the TDIF. Under the new legislation, only public sector organisations will be allowed to operate within the scheme for the initial two years. 

 

What do Australia’s new Digital ID Acts aim to do?

The new Digital ID Acts aim to refresh and build on the existing system. Some key aims are to:

  • replace the TDIF accreditation scheme with a new and different AGDIS accreditation scheme. The AGDIS will require all digital ID service providers to be compliant with high standards of privacy, security, proofing, authentication and accessibility. If providers are found to not be meeting baseline obligations, the regulator can suspend, revoke or cancel accreditation.
  • strengthen privacy and consumer safeguards for people creating and using digital IDs from accredited service providers. This includes clauses which prohibit the collection of sensitive information and mandate when consent is required. These build upon the protections in the Privacy Act 1988 (Cth). It also outlines penalties for accredited providers if they fail to comply with the Acts’ obligations. This is to build trust with users, assuring them that their personal information is private, safe and secure.
  • expand who can become accredited under the scheme. The AGDIS will expand in phases, initially allowing public sector organisations to participate, with private sector firms invited to join two years after its launch.
  • set a minimum age for the use of digital identity in Australia, currently set to be 15, and which will align with The Office of the Australian Information Commissioner (OAIC) guidance.
  • stress that participation is entirely voluntary. Businesses will not be allowed to require an individual to use a digital ID. If they do offer identity verification through the AGDIS, they must also offer alternative methods for people to prove their identity.
  • appoint official regulatory enforcement for the AGDIS and the accreditation scheme.

 

Who will enforce the Digital ID Acts?

The Australian Competition and Consumer Commission (ACCC) will be the regulator for digital IDs. They will be responsible for overseeing and enforcing the Acts, as well as approving the digital ID service providers who want to join the AGDIS.

The Office of the Australian Information Commissioner (OAIC) will enforce all privacy-related matters.

Australia’s Digital ID Acts bring in strict requirements for digital ID service providers. Non-compliance can result in a civil penalty of between 1,000 and 1,500 penalty units (which is currently up to A$469,500).

Additionally, failure to comply with privacy protections under the Privacy Act 1988 (Cth) can result in a maximum penalty of A$2.5 million for individuals or more than A$50 million for corporations.

 

What does this mean for businesses?

The Acts set out a range of measures for businesses. One of the key concepts emphasised within the Digital ID Acts is consent. Businesses must ensure that they have the appropriate and express consent from individuals before disclosing certain personal information with organisations. This allows users to be in control of sharing their personal data.

Businesses should also be aware of their obligations under the Privacy Act 1988 (Cth). This piece of legislation sets out the legal framework for the handling of personal information in Australia. It governs how personal information is collected, stored, used and disclosed, alongside giving individuals certain rights and protections over their personal information. Crucially, it requires businesses to take reasonable steps to protect the personal information they hold on people. This includes implementing appropriate security measures and ensuring that personal information is only used for legitimate purposes.

Additionally, the Digital ID Acts place a strong emphasis on data security. The Acts require all digital identity service providers to adhere to strict security and fraud control standards. A robust digital ID should be built with security measures that protect personal information and prevent unauthorised access. This can include the use of encryption and authentication protocols. They must also consider risk management, technical integrity, accessibility and usability.

 

A huge step for Digital IDs

Australia’s Digital ID Acts are expected to commence by 1 December 2024. This would mark a significant leap forward in how Australians navigate the digital landscape, with a focus on security and privacy.

By understanding the regulatory requirements, businesses can streamline how they verify their customers. This will help them to remain competitive in an increasingly digital world.

If you’d like to know more about digital IDs, please get in touch.

Please note this blog has been prepared for information purposes only. You should always seek independent legal advice. 

Keep reading

Man sat on sofa using laptop and smartphone at the same time

Understanding the Digital Information and Smart Data Bill

This blog was updated in July 2024, following the General Election and the King’s Speech which announced the new Digital Information and Smart Data Bill (DISD). The government has committed to introducing the Bill, which aims to harness the power of data for economic growth, including setting up a regulatory framework for digital identities in the UK.  We will update this blog once the government has shared further information about this new Bill. Below is a summary of what we know so far.  For now, we have also included the previous blog content on the former Data Protection and

9 min read

How age assurance builds trust and safety on gaming platforms

There is a growing agreement that more needs to be done to improve online safety. Regulators around the world are introducing new laws to make the digital world safer and ensure young people have an age-appropriate experience online.  With legislation such as the Age Appropriate Design Code, the UK’s Online Safety Act, and the EU’s Digital Services Act reshaping the industry, gaming companies are facing a new era of accountability and responsibility. From implementing age assurance measures to ensuring age-appropriate content and experiences, gaming companies must navigate the regulatory landscape while prioritising user safety and privacy.  This blog explores some

9 min read
An image of a woman looking at a computer screen.

Preparing for the EU’s new AI Act

Artificial intelligence (AI) is changing our world at a speed that, just a decade ago, we never could’ve anticipated. As AI finds its way into our everyday lives, regulators are racing to catch up with its development. In response, last month, the EU voted to bring in the Artificial Intelligence Act, also known as the AI Act. The Act is expected to enter into force in May or June 2024. This blog looks at what the legislation means for businesses and how they can comply.   Why is there an AI Act? In recent years, it seems as though AI

7 min read