The Office of the Australian Information Commissioner (OAIC) is asking the country’s Digital Transformation Agency (DTA) to tighten the language in its proposed Trusted Digital Identity Bill. The Bill is intended to help make Australia’s digital identity system more interoperable, so that citizens can use their federal digital identities in their online interactions with state-level government agencies and with private commercial entities alike.
The problem, according to the OAIC, is that the Bill does not do enough to protect the personal information of Australian citizens. With that in mind, the Office has responded to a request for feedback with a few specific policy requests. The feedback is based on an exposure draft of the Bill, and will be taken into account in the final draft that gets sent to Parliament for a vote.
To that end, the OAIC is pushing for stricter rules around consent. Most notably, the agency believes that the Bill’s definition of consent should be consistent with the Consumer Data Right, which states that consent must be given voluntarily and that consent is limited to a specific circumstance. The individual must also be informed about what the consent entails.
One of the OAIC’s other recommendations concerns consent expiry dates. In the current version of the Bill, consent is given indefinitely. The OAIC wants the new Bill to limit consent to a period of 12 months, thereby forcing organizations to ask for (and receive) consent again if they want to continue accessing someone’s personal information.
The OAIC also wants the new Bill to curtail the authority of law enforcement agencies. As it stands, law enforcement can obtain someone’s digital identity information if they have any reason to suspect their involvement in some kind of crime. The OAIC is pushing for a more need-to-know approach that would force the police to obtain a warrant before accessing personal data. However, an exception would be made for cases in which authorities are investigating fraud within the digital identity system itself.
Finally, the OAIC wants the DTA to dial back its notification policy, so that only one party needs to send an alert in the event of a security breach. The goal is to minimize the number of notifications that get sent to civilians, to prevent them from being overwhelmed and to ensure that they take each notification seriously.
The OAIC will ultimately be responsible for overseeing the privacy requirements in the new Bill. For its part, the DTA wants digital identities to serve as the foundation of a better internet experience for Australian residents. The agency has already launched a federal myGovID portal, and is in the process of accrediting Yoti’s app under its Trusted Digital Identity Framework.