Digital ID Rules, Digital ID Accreditation Rules and Accreditation Data Standards

17 June 2024

Department of Finance

One Canberra Avenue

FORREST ACT 2603

By elodgment

Dear Minister,

RE: Digital ID Rules, Digital ID Accreditation Rules and Accreditation Data Standards

1.    The Queensland Council for Civil Liberties (“the QCCL”) is a not-for-profit organisation that promotes civil liberties and receives queries from members of the public regarding their civil liberties and individual rights.

2.    We make this submission in response to the Digital ID Rules, Digital ID Accreditation Rules and Accreditation Data Standards consultation (“the Standards”).

3.    We appreciate the ongoing inclusion in consultation and roundtables in relation to the development of digital identity and the Standards, particularly the recent Privacy and Consumer Roundtable held on 14 June 2024.

4.    We make these submissions in a generalized response to the Standards.

5.    We firstly and respectfully repeat our previous submission that:

a. the implementation of a digital identity scheme in Australia is a significant step and it is imperative that this is approached in a way that is measured, transparent, comprehensively safeguarded and that the Australian community is fully informed as to all potential consequences of this path; and

b. there are benefits that may be derived from a digital identity system in Australia; however, those benefits must be couched with clear and enforceable safeguards.

6.    We also reiterate that the Standards ought to be progressed in conjunction with:

a. the passage of an enforceable Federal human rights framework into Australian law and the implementation of the response to the Privacy Act Review;

b. further consultation as to the operation of the Act and its impact on Australians; and

c. public awareness campaigning to ensure that the Standards and their operation are understood by the Australian community.

7.    We make the following two (2) submissions in relation to the operation of the Standards, specifically in the context of Chapter 4 of the Digital ID (Accreditation) Rules 2024.

8.    Firstly, inherent to the operation of a digital identity scheme in Australia is trust. We consider that this is reliant upon the consent of participants. In this regard, we agree that consent should not be indefinite. We support the inclusion of Rule 4.41 in the Digital ID (Accreditation) Rules 2024 and agree that enduring consent ought to expire after twelve (12) months in line with the Consumer Data Right.

9.    Secondly, we note that Rule 4.29 provides that advice must be provided to individuals about how to safeguard their digital ID and that, if an accredited entity is aware of a fraud risk or digital ID fraud incident in the digital ID system, they must make the individual aware of the risk or incident. We make the following submissions about this rule:

a. there is a typographical error in the drafting of Rule 4.29(3) – “if an accredited entity is aware of a fraud risk or digital ID fraud incident in the digital ID system in which it operates and which is likely to cause serious harm to an individual, the entity must promptly after becoming aware of the risk or incident”.

b. it is important that the system operated by the accredited entity (being the target of this rule) is widely defined, such that the accredited entity is responsible for procured or third-party contracted systems in meeting this obligation.

c. the obligation to make individuals aware of fraud risks or digital ID fraud incident(s) in the digital ID system is appropriately disjunctive and should remain so.

d. accredited providers should be required to directly make individuals aware of fraud risks or digital ID fraud incident(s) in the digital ID system in an informed manner. Namely, this rule should not be left open in a manner that may enable accredited providers to simply rely on a website page that provides information about fraud risks to assert compliance with the ongoing requirements prescribed in Chapter 4 of the Digital ID (Accreditation) Rules 2024.

e. there is no legislated definition of “serious harm” and we assume that this threshold is imported from the data breach notification requirements expressed in section 26WG of the Privacy Act 1988. We submit that the threshold of serious harm should be widely defined within the rules and expressly referable to a minimum standard of compliance with data breach notification obligations. More specifically, the requirement in Rule 4.29 should go beyond data breach notification obligations and should be specifically and clearly articulated in the rules.

10.  We trust that these submissions assist the consultation and the Standards generally and we confirm that we are willing to assist further with any public hearing(s) associated with this process.

11.  Please do not hesitate to contact us should you require any further information.

Angus Murray, Vice-President

For and on behalf of the Queensland Council for Civil Liberties