Legislation will enter Parliament later this year that will allow non-government entities to provide digital identification services to Australians.
The Digital Transformation Agency (DTA) has been working on Australia’s digital identity system for a number of years, going live with myGovID — developed by the Australian Taxation Office — and accrediting an equivalent identity service from Australia Post in 2019.
myGovID and the Australia Post Digital ID are essentially just forms of digital identification that then allow the user to access certain online services, such as the government’s online portal myGov.
The digital identity system is touted by the government as a simple, safe, and secure way to verify identity online, as well as one allowing for better interaction with government services. But it also believes digital ID can “enable innovative digital sectors of the economy to flourish”.
While the DTA has developed the Trusted Digital Identity Framework (TDIF), which sets out the operating model for digital identity, it is a set of rules that only Australian government entities can follow — it can’t be applied to states and territories, or to the private sector. This is why legislation is required.
“It’s primordial to note, today we’re using myGovID, but in the future, you’ll be able to use a choice of identity provider, there’ll be additional providers … it’d be a bank, it’d be a state and territory identity provider,” DTA CDO Peter Alexander said during Senate Estimates in October. “So individuals and businesses dealing with the Australian Government and national services will be able to make a choice.”
Instead of listening to researchers recommending the Australian government abandon its existing digital identity system and start again from scratch, after highlighting again security flaws in two of the systems already accredited, the government has opened a second round of consultation, this time on the development of legislation.
Highlighting eight “key” essentials, the government wishes to discuss with those interested in the structure of the legislation, scope and interoperability of the system, governance, privacy and other consumer safeguards, trustmarks, liability and redress options, penalties and enforcement, and the administration of the scheme.
The purpose of the legislation, the government states [PDF], is to allow for independent oversight of the system, by formalising the powers and governance arrangements of the Oversight Authority; enable expansion of the system to state and territory governments and the private sector; provide privacy protections, consumer safeguards, and security requirements to build trust in the system; provide for a legally enforceable set of rules that set the standards for participating in the digital identity system, including the TDIF rules; and allow for entities to be TDIF accredited for their activities whether they are on the system or not.
It is expected the legislation will consist of primary legislation with privacy and consumer safeguards and rules and policies, including accreditation standards. The government believes the legislation will leverage existing laws, not duplicate them.
The legislation, it said, will have a “clearly defined scope”.
It said the legislation will not limit a person to having one digital identity with one provider, nor will it be intended to regulate all digital identities and digital identity systems. It said entities decide whether they will use the system or provide services on the system.
The legislation will also require entities generating, transmitting, managing, using, and reusing digital identities to provide a “seamless user experience with the digital identity system”.
Rules will be enforced by the Oversight Authority and Information Commissioner. The Oversight Authority will be extended powers to suspend or revoke accreditation and access to the system, and issue directions for remedial action to address a breach.
On privacy and consumer safeguards, the legislation is hoping to “protect personal information” and “ensure accessibility” for all.
It will prohibit the creation of a single identifier used across the system and all government services and create a voluntary system giving users the right to create and use a digital identity, including the right to deregister and not use a digital identity at any time.
It will require individuals to expressly consent before their attributes are shared with a relying party.
With the DTA previously flagging its biometric testing with regard to the digital ID, the legislation is expected to limit the system to one-to-one biometric matching only and prohibit anyone other than those involved in proofing or authentication from collecting or using biometric information.
It will also aim to prevent biometric information being sent to third parties not required to perform proofing or authenticate a person and require biometric information to be deleted once it has been used for its intended purpose.
However, the legislation will contain a caveat to allow users to consent to their biometric information being accessed for fraud or security investigations.
The government is hoping to also prevent “data profiling”.
“Prohibit the collection, use, and disclosure of information about a user’s behaviour on the system except to verify their identity, assist them to receive a digital service, allow them to view their own behaviour (for example, a dashboard), or support identity fraud management,” the government writes.
It will also enforce record-keeping of metadata and activity logs for a minimum seven years to maintain the system’s integrity, and to allow for fraud or criminal investigations.
With talk around the digital ID’s use in verifying an individual is of age before accessing online services such as pornography, the legislation will set a minimum age of 15 years for the use of a digital identity.
Meanwhile, a liability and redress framework will aim to ensure accredited participants are not liable for loss or damage suffered “provided they were acting in good faith, and complied with the legislative rules and requirements relating to the system”.
It will also establish a mechanism available to users affected by a cybersecurity incident, identity theft, inappropriate disclosure of information, or system failure.
Submissions to the consultation close 15 July 2021.
Elsewhere in Canberra, the government has funded an additional 51 projects, totalling AU$27 million, in the latest round of the Regional Connectivity Program (RCP).
The funding contributes to co-funding from the applicant, and from other levels of government, as well as industry and other organisations. The first tranche of the RCP funded, in theory, 81 projects.
“The federal government’s total contribution of AU$117.4 million (GST inclusive) towards round 1 RCP projects will deliver total new investment of more than AU$232 million (GST inclusive) together with co-contributions from the funding recipients, state and territory governments and other third parties, including local governments, regional businesses, and community development organisations,” a statement from Minister for Communications, Urban Infrastructure, Cities and the Arts Paul Fletcher and Minister for Regional Health, Regional Communications and Local Government Mark Coulton said.
Here’s more on digital ID
Researchers find myGovID is subject to an easily-implemented code proxying attack, while the digital identity solution from Australia Post does not possess an essential requirement for accreditation.
Also flags privately-owned PharmacyID and payments company Eftpos as eager to provide identity services once the bill becomes law.
The Australian government has said the Digital Transformation Agency is well placed to explore extending the digital identity program to online age verification to access things such as pornography.
Original content at: www.zdnet.com…