The future of digital identity in Australia

What’s the problem?

Digital identity was a key part of the Australian Government’s Digital Economy Strategy: a further $161 million was committed in the 2021 mid-year budget update, bringing total investment since 2015 to more than $600 million. Over that period, the government has developed the Trusted Digital Identity Framework, established the Digital Identity System and, in late 2021, published draft legislation to govern and regulate the system. Although there’s been little apparent progress in the past 10 months, if the potential microeconomic benefits (estimated at $11 billion in the previous government’s Digital Economy Strategy) aren’t sufficient incentive, the September 2022 data breach at Optus and the subsequent run of data breaches at other companies in October should supply new impetus. This is because digital identity offers an opportunity to allow organisations to reliably validate customer identities without collecting the sort of sensitive personal information that Optus held, the loss of which has exposed more than 10 million Australians to the risk of identity theft.

Without intervention, the current scheme is on a trajectory to fail. If the government wants to revive the Digital Identity System, it will need to attract state and territory governments and commercial organisations to participate in the system as well as getting the public to sign up—aiming for a critical mass of users to create a ‘network effect’.

However, to build the trust and confidence required to achieve that outcome, the government needs to address three key areas of concern. First, governance arrangements currently give the federal government final decision-making authority on future changes to the rules of the system. Second, there are potential cybersecurity and identity-fraud risks due to gaps in the currently proposed arrangements; although the Optus data breach should help to demonstrate the need for such a system, it means that users will require reassurance of the security of any new system before they’re willing to participate in it. Third, there’s a need for better privacy protections to avoid a situation in which commercial relying parties use the Digital Identity System to build even more valuable profiles of citizens.

What’s the solution?

The Australian Government should recognise that, although its Digital Identity System is only one of many possible digital identity systems in Australia, it could become the dominant system due to network effects, spanning both the government and the private sectors. The current proposals give final decision-making authority, including over detailed technical specifications, to the relevant government minister. This report instead recommends a formal independent oversight authority governed by a board that includes representatives from all groups—the federal government, civil society, the states and territories and the private sector. The oversight authority should also create a formal public reporting mechanism for potential vulnerabilities, and transparency on how such reports have been assessed and acted on, to improve the actual and perceived security of the system.

Security measures should be mandated, the oversight authority should be funded to put in place key controls, and the Digital Transformation Agency (DTA) should work with the Department of Home Affairs to address some of the vulnerabilities in the existing non-digital identity systems upon which the digital systems will rely. Other recommended safeguards include centralised security monitoring and robust management of multiple identity risks.

Finally, privacy will be the key to public acceptance of the system, and a stronger regime is needed to ensure true informed consent to the use of digital identity data by commercial relying parties when building up and monetising profiles of their customers.