Senate

Digital ID (Transitional and Consequential Provisions) Bill 2023

Explanatory Memorandum

(Circulated by authority of the Minister for Finance, Senator the Hon Katy Gallagher)

Outline

1. The Digital ID (Transitional and Consequential Provisions) Bill 2023 (Bill) will deal with matters arising from the enactment of the Digital ID Bill 2023 (principal Bill) as the Digital ID Act 2023 (principal Act). The principal Bill will:

a. Legislate and strengthen a voluntary Accreditation Scheme for digital ID service providers that wish to demonstrate compliance with best practice privacy, security, proofing and authentication standards.
b. Legislate and enable the expansion of an Australian Government Digital ID System (AGDIS) for use by the Commonwealth, state and territory governments and eventually, the private sector. The use of AGDIS and participation of accredited service providers will be phased.
c. Embed strong privacy and consumer safeguards, in addition to the Privacy Act 1988, to ensure people are protected.
d. Establish governance arrangements including the Australian Competition and Consumer Commission as the Digital ID Regulator and an expanded role for the Information Commissioner as Privacy Regulator.

2. The Australian Government has been developing and administering an unlegislated AGDIS since 2015. The Interim Oversight Authority is responsible for safety, reliability and the efficient operation of the system. The Department of Finance (Finance) and Services Australia share this role. Services Australia has responsibility for day-to-day operational matters relating to the AGDIS, including its security and fraud control capabilities. Arrangements for the existing AGDIS are facilitated by non-binding memoranda of understanding. An existing policy framework - the unlegislated Trusted Digital Identity Framework (TDIF) - sets out technical standards for entities providing services in the unlegislated AGDIS, and provides a voluntary accreditation framework for entities who are not providing services in the unlegislated AGDIS. The Bill will deal with transitional matters arising from the principal Bill.

3. The Bill will also deal with consequential matters arising from the principal Bill, including amending the:

a. Administrative Decisions (Judicial Review) Act 1977;
b. Age Discrimination Act 2004;
c. Australian Security Intelligence Organisation Act 1979;
d. Competition and Consumer Act 2010;
e. Privacy Act 1988; and
f. Taxation Administration Act 1953,

to support the operation of the principal Bill.

FINANCIAL IMPACT

4. The analysis in the regulatory impact statement number 1801 for the principal Bill applies to the compliance measures in this Bill. The regulatory costs of this option are estimated to be $1.5 billion per year; however, these are offset by benefits across the whole of economy, estimated to be up to $3.3 billion per annum.

COMPATIBILITY WITH HUMAN RIGHTS

5. The Bill is compatible with human rights, and to the extent that it may limit human rights, those limitations are reasonable, necessary and proportionate. A Statement of Compatibility with Human Rights, prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011, is attached to this Explanatory Memorandum.

Abbreviations used in the Explanatory Memorandum

AGDIS – Australian Government Digital ID System
APPs – Australian Privacy Principles
Privacy Act – Privacy Act 1988
TDIF – Trusted Digital Identity Framework

Notes on clauses

Clause 1 – Short title

1. This clause provides for the short title of the Bill, upon its enactment by the Parliament, to be the Digital ID (Transitional and Consequential Provisions) Act 2023.

Clause 2 – Commencement

2. This clause provides for the commencement of each provision in the Bill, as set out in the table. The whole of this Bill will come into effect at the same time as the commencement of the principal Bill. However, the provisions of this Bill will not commence if the principal Bill does not commence.

Clause 3 – Schedules

3. This clause provides that an Act that is specified in a Schedule to this Bill is amended or repealed as set out in the Schedule, and any other item in a Schedule to this Bill has effect according to its terms.

Schedule 1 – Transitional and application provisions

4. Schedule 1 deals with transitional matters arising from the enactment of the principal Bill.

Part 1 – Introduction

Item 1 – Definitions

5. Subitem 1(1) provides definitions of certain expressions used in Schedule 1 of this Bill, and subitem 1(2) provides that expressions used in this Schedule that are defined for the purposes of the principal Act have the same meaning as in that Bill.

Part 2 – Accreditation

Item 2 – Entities taken to be accredited

6. Item 2 provides that the Digital ID Regulator will be taken, immediately after the commencement of this Bill, to have decided for the purposes of subclause 15(2) of the principal Bill to accredit the entities specified in column 1 of an item of the table in item 2, as the kind of accredited entity specified in column 2 of the table in item 2, and to have imposed the conditions (if any) on that accreditation for the purposes of subclause 17(2) of the principal Bill as specified in column 3 of the table in item 2. These are entities that have already been accredited by the Australian Government under the TDIF, as the specified kind of accredited entity and subject to the same conditions (if any).

7. In addition to any conditions specified in column 3 of an item in the table in item 2 (if any), the accreditation of these entities will be subject to the conditions set out in clause 16 of the principal Bill and the Accreditation Rules to be made under clause 168 of the principal Bill. It is expected that at the end of the period for which the Minister can make transitional rules under subitem 10(1) of this Bill, all entities that will be transitioned over into the legislated Accreditation Scheme will be compliant with the principal Act and the Accreditation Rules for the Accreditation Scheme under the principal Act.

8. Item 1 of the table in item 2 provides that the Commissioner of Taxation will be taken to have been accredited as an accredited attribute service provider in respect of the Relationship Authorisation Manager service. Accordingly, under item 1 of the table in subitem 4(1) of this Bill, the Commissioner of Taxation will be taken to have been approved to participate in the AGDIS as an accredited attribute service provider.

9. In this role, the Commissioner of Taxation will be required to verify or manage attributes associated with the persons who are authorised by a business entity to represent that business. The Relationship Authorisation Manager allows a principal authority of a business (e.g. a director) to 'claim' a business listed in the Australian Business Register. The Relationship Authorisation Manager allows a principal authority to authorise employees and other representatives (for example accountants and tax agents) to act on behalf of that business when interacting with online services. Authorisation to act on behalf of a business or businesses are the 'business authorisation attributes' of a person. The Commissioner of Taxation will be required to provide business authorisation attributes (as defined by this Bill) as part of this service.

10. Item 2 of the table in item 2 provides that the Commissioner of Taxation will be taken to have been accredited as an accredited identity service provider in respect of its myGovID service. myGovID is a reusable digital ID, allowing people to prove who they are online and use their verified ID to access online services. Accordingly, under item 2 of the table in subitem 4(1) of this Bill, the Commissioner of Taxation will be taken to have been approved to participate in the AGDIS to provide the accredited identity services.

11. When participating in the AGDIS as an accredited identity service provider, the Commissioner of Taxation will be required to provide a service that:

a. generates, manages, maintains, or verifies information relating to the identity of an individual;
b. generates, binds, manages or distributes authenticators to an individual; and
c. binds, manages or distributes authenticators generated by an individual.

12. The authentication levels will be defined in the Accreditation Rules to be made under the principal Bill. Generally speaking, the higher the authentication level (AL), the more secure the digital ID. As a high-level example, it is expected that the Accreditation Rules will:

a. require a person to re-authenticate at least once every 30 days using a password (something they remember) if they use an AL1 identity proofing service;
b. require a person to reauthenticate at least every 12 hours, after 30 minutes of inactivity, using multifactor authentication if they use an AL2 identity provider service; and
c. require that the authentication mechanism be resistant to common cyber-attacks.

13. The Commissioner of Taxation will be authorised to provide this service at AL2 using multi-factor cryptographic software as part of this service.

14. If a person wishes to do so, they can choose to create a digital ID using biometric technology to ensure the verified information about them is linked (or bound) to their biometric information (for example, a fingerprint or a photo of the person). Digital IDs that leverage biometric verification and binding in their creation increase the level of trust that relying parties can place in the digital ID, and are less likely to expose a person to risks of ID theft. As biometric information is sensitive information under the Privacy Act, the collection, use and disclosure of a person's biometric information needs to be appropriately protected, including appropriate destruction of that information. Accordingly, not all accredited identity service providers will be able to offer services involving biometric verification technology.

a. As an accredited identity service provider, the Commissioner of Taxation will be authorised to offer people the ability to use facial biometric technology to verify and bind their information.
b. The Commissioner of Taxation will be authorised to collect, use and disclose biometric information for the purposes of verifying the ID of a person using facial images to create an identity proofing (IP) level 3 (known as a 'Strong') digital ID. The Commissioner of Taxation's myGovID service collects the facial image of a person who chooses to verify their ID using biometric technology. That person's facial image (a 'selfie' photo taken by the person on their mobile phone) is checked using a technology tool to ensure the image is of a living person present at the time the image is captured. The Commissioner of Taxation's myGovID service then discloses the checked image to the Face Verification Service (FVS), which biometrically compares the facial image from that person's phone with a one-to-one match of the facial image associated with their passport. The FVS returns a yes/no answer to the myGovID service about whether the two facial images match. The conditions on the Commissioner of Taxation's IP level 3 service will require the Commissioner to use facial images only for the purposes of verifying the ID of a person and, for a limited time after collection, improving the service's fraud detection capabilities.

15. For the avoidance of doubt, the biometric matching used in the myGovID IP level 3 service does not involve "face in the crowd" recognition (also known as one-to-many matching). This is consistent with the prohibition on one-to-many matching under subclause 48(3) of the principal Bill. The conditions on the accreditation of its service require the Commissioner of Taxation to ensure the digital IDs provided by this service are reusable, and are provided through a mobile application.

16. As an accredited identity service provider, the Commissioner of Taxation will be authorised to disclose to relying parties certain restricted attributes (as defined by the principal Bill) of individuals for the purpose of verifying the ID of, or (with a person's express consent) providing information about, the individual to whom the restricted attribute relates. This will include, in respect of each of the documents containing the restricted attributes of individuals which the Commissioner of Taxation will be authorised to disclose, a document of that kind issued in the individual's current name or former name.

17. Item 3 of the table in item 2 provides that Services Australia will be taken to have been accredited as an accredited identity exchange provider. An identity exchange sits between the identity service provider and the relying party, which is the entity providing a service a person wishes to access using their digital ID. The identity exchange receives the request to authenticate the user from a relying party and passes that request to the identity service provider. Once the identity service provider passes the attributes that relate to the confirmed digital ID, the identity exchange passes the relevant attributes to the relying party allowing the user to access the desired service.

18. Accordingly, under item 4 of the table in subitem 4(1) of this Bill, Services Australia will be taken to have been approved to participate in the AGDIS as an accredited identity exchange provider, providing a service that conveys, manages and coordinates the flow of data or other information between approved participants in the AGDIS. In the AGDIS, the identity exchange of Services Australia conveys, manages and coordinates authentication information and passing of attributes or other information between approved participants.

19. In addition to the accredited entities listed in the Bill, non-government entities accredited under the unlegislated TDIF may be prescribed in the transitional rules. As the Accreditation Rules will be made under the principal Bill, it would be premature for non-government accredited entities to transition to the legislated Accreditation Scheme to be established under the principal Bill. Item 4 of the table in item 2 provides a mechanism so that non-government entities could be prescribed in transitional rules, made by the Minister under subitem 10(1) of this Bill. If prescribed in the transitional rules, those non-government entities will be taken to have been accredited, as a kind of accredited entity subject to any conditions prescribed by the transitional rules made for the purposes of this item.

Item 3 – Application of accreditation provisions in Digital ID Act 2023 for entities taken to be accredited

20. Subitem 3(1) provides that the provisions of this item 3 apply in relation to an entity that will be taken to have been accredited by the Digital ID Regulator as an accredited entity because of the operation of item 2 of this Bill.

21. Subitem 3(2) provides that the Digital ID Regulator will be taken to have met the notification requirements set out in subclause 15(6)(a) of the principal Bill, in relation to the entity's accreditation. This reflects that the entities specified in column 1 of the table in item 2 have already been notified by the Interim Oversight Authority of its decision to accredit them as an accredited entity under the unlegislated TDIF.

22. Subitem 3(3) provides that for the Digital ID Regulator, the notice referred to in subitem 3(2) will be taken to have met the notification requirements set out in subclause 15(7) of the principal Bill.

23. Subitems 3(4), (5) and (6) clarify that, for the purposes of subclauses 15(7)(a), (b) and (c) of the principal Bill, the entities specified in column 1 of the table in item 2 will be taken to have been notified that:

a. the entity is the kind of accredited entity specified in column 2 of the item of the table in item 2 that relates to the entity;
b. the day on which such accreditation comes into force is the day that this Schedule 1 commences; and
c. the accreditation of the entity is subject to the conditions specified in column 3 of the item of the table in item 2 that relates to the entity.

24. Subitem 3(7) provides that the decision which the Digital ID Regulator will be taken to have made under subitem 2(1)(b) of this Bill, immediately after the commencement of this Bill, to impose the conditions (if any) specified in column 3 of the table in item 2 on the accreditation of the entity specified in column 1 of each item of that table, will not be a reviewable decision for the purposes of the principal Bill. These are conditions that have already been imposed on the accreditation of these entities by the Australian Government under the unlegislated TDIF. The interests of the Commonwealth entities upon which these conditions will be deemed to be imposed on their accreditation by the Digital ID Regulator will not be affected. This is because they are already subject to substantially the same conditions on their accreditation under the unlegislated TDIF.

25. The Administrative Review Council acknowledges that merits review is not appropriate in respect of decisions that automatically follow from the happening of a set of circumstances, which leaves no room for merits review to operate. Subitem 2(1)(b) of this Bill merely replicates the existing circumstances in which Commonwealth entities have already been accredited under the unlegislated TDIF, with certain conditions imposed upon their accreditation. In this sense, the decision to impose the same conditions on their accreditation, which the Digital ID Regulator will be deemed to have made, automatically follows those existing circumstances.

Part 3 – Approval to participate in the Australian Government Digital ID System

Item 4 – Certain entities are taken to be approved to participate in the Australian Government Digital ID System

26. Subitem 4(1) provides that the Digital ID Regulator will be taken, immediately after the commencement of this Bill, to have approved for the purposes of clause 62 of the principal Bill the entities specified in column 1 of an item of the table in subitem 4(1) to participate in the AGDIS, as the kind of accredited entity specified in column 2 of the table for the item, and to have imposed conditions on that approval for the purposes of subclause 64(2) of the principal Bill as specified in column 3 of the table for the item. These are Commonwealth entities that have already been approved to participate in the existing, unlegislated AGDIS and accredited under the unlegislated TDIF, subject to the same conditions. It is expected that at the end of the period for which the transitional rules can be made, all entities that will be transitioned over into the legislated AGDIS will be compliant with the principal Bill and the Digital ID Rules to be made under clause 168 of the principal Bill.

27. The condition(s) on the participation of each entity specified in column 3 of the table in subitem 4(1), and in column 2 of the table in subitem 4(2) of this Bill refer to a requirement for the entity to directly connect its service to a service provided by another entity participating in the AGDIS. The service being directly connected to is typically the service known as Services Australia's Identity Exchange. The effect of this condition is to ensure that entities listed in the Bill will meet the definition of 'participate' in the principal Bill, which (amongst other things) requires an entity to 'directly connect to an accredited entity that is participating in the Australian Government Digital ID System'. Only one connection needs to be listed to meet the definition, but it does not prevent an entity from being connected to more than one other participant. This is a matter of administrative convenience, as requiring the Digital ID Regulator to exhaustively list connections would be unduly burdensome and would not significantly increase the transparency and accountability of the AGDIS for the collection, use and disclosure of attributes.

28. Item 1 of the table in subitem 4(1) provides that the Commissioner of Taxation will be taken to have been approved to participate in the AGDIS as an accredited attribute service provider. The Commissioner of Taxation will be required to provide the service for which it is accredited (known as Relationship Authorisation Manager) that verifies or manages business authorisation attributes of an individual (as defined by this Bill).

29. Item 2 of the table in subitem 4(1) provides that the Commissioner of Taxation will be taken to have been approved to participate in the AGDIS as an accredited identity service provider. The Commissioner of Taxation will be required to provide the service for which it is accredited (known as myGovID). myGovID provides relying party services with an assurance that a person's ID has been verified, and they are who they say they are.

30. Item 3 of the table in subitem 4(1) provides that Services Australia will be taken to have been approved to participate in the AGDIS as an accredited identity exchange provider. In that regard, Services Australia will be required to provide the service for which it is accredited (i.e. the Identity Exchange) which conveys, manages and coordinates the flow of authentication and passing of attributes between participants in a digital ID system.

31. Item 4 of the table in subitem 4(1) provides that other entities prescribed by the transitional rules, made by the Minister under item 10(1) of this Bill, will be approved to participate in the AGDIS, subject to any conditions prescribed by the transitional rules. This would have the effect of facilitating the transition to the AGDIS of any Commonwealth bodies accredited under the unlegislated TDIF that were approved to participate in the existing unlegislated AGDIS prior to the commencement of this Bill.

32. Similarly, the transitional rules listing entities in item 4 of the table in subitem 4(1) would have the effect of facilitating the transition to the legislated AGDIS of a State or Territory government body accredited under the unlegislated TDIF and participating in the unlegislated AGDIS for the purposes of the Commonwealth testing its plans, systems and business processes for the future expansion of the legislated AGDIS.

33. From commencement, if any of these accredited entities are yet to complete the process of participating in the unlegislated AGDIS as a particular type of accredited entity, they could apply to the Digital ID Regulator for approval to participate in the AGDIS under subclause 61(a) of the principal Bill.

34. Subitem 4(2) provides that the Digital ID Regulator will be taken, immediately after the commencement of this Bill, to have approved for the purposes of subclause 62(b) of the principal Bill the entities specified in column 1 of an item of the table in subitem 4(2) to participate in the AGDIS, as a participating relying party, and to have imposed the conditions on that approval for the purposes of subclause 64(2) of the principal Bill specified in column 2 of the item. These are Commonwealth entities that have already been approved to participate in the unlegislated AGDIS, as participating relying parties, subject to the same conditions.

35. Item 1 of the table in subitem 4(2) provides that the Australian Communications and Media Authority (ACMA) will be taken to have been approved to participate in the AGDIS as a participating relying party in respect of its online service known as ACMA Assist.

36. Item 2 of the table in subitem 4(2) provides that the Australian Financial Security Authority (AFSA) will be taken to have been approved to participate in the AGDIS as a participating relying party in respect of its online service known as the Personal Debt Portal.

37. Item 3 of the table in subitem 4(2) provides that the Australian Sports Commission (ASC) will be taken to have been approved to participate in the AGDIS as a participating relying party in respect of its online service known as SportAUS Connect.

38. Item 4 of the table in subitem 4(2) provides that the Commissioner of Taxation will be taken to have been approved to participate in the AGDIS as a participating relying party in respect of its online services respectively known as:

a. the online Tax File Number (TFN) service, which enables a person to apply for a TFN online, reducing the time to obtain a TFN from approximately 28 days to 30 minutes; and
b. ATO Online Services for Individuals, which enables a person to manage their tax affairs online, including lodging tax returns and managing their super.

39. Item 5 of the table in subitem 4(2) provides that the Civil Aviation Safety Authority (CASA) will be taken to have been approved to participate in the AGDIS as a participating relying party in respect of its online service known as myCASA.

40. Item 6 of the table in subitem 4(2) provides that the Commonwealth Department of Defence (Defence) will be taken to have been approved to participate in the AGDIS as a participating relying party in respect of its online services known as myClearance and ServiceConnect respectively.

41. Item 7 of the table in subitem 4(2) provides that IP Australia will be taken to have been approved to participate in the AGDIS as a participating relying party in respect of its online service known as Online Service Portal.

42. Item 8 of the table in subitem 4(2) provides that Services Australia will be taken to have been approved to participate in the AGDIS as a participating relying party. As a participating relying party, Services Australia will be authorised to collect attributes of people for the purpose of verifying the ID of, or authenticating the digital ID of, the person to whom the attribute relates. As defined by the principal Bill, attributes include a person's current name or former name, their email address or their mobile phone number.

43. People can access Centrelink, Medicare and other member services via the myGov platform using their Digital ID (myGovID). When a person accesses a myGov member service, to enhance that person's user experience and remove the need for them to enter their information multiple times or re-authenticate themselves, the following attributes collected by Services Australia are disclosed to the relying party service either from myGov, or from a person's digital ID that is linked to their myGov account:

the person's myGov profile details (first name, last name and date of birth); and
the sign-in method the person used to access myGov in their current internet browsing session; for example, their digital ID and the strength of that digital ID (if the person has one), their myGovID connected to their myGov account.

Subitem 4(3) lists the online services to which Services Australia discloses attributes, namely:

a. services that Services Australia operates, including Centrelink, Medicare, the Digital Identity Dashboard and the myGov platform; and
b. some relying party services not operated by Services Australia, but which use the myGov platform to enable people to authenticate and login using a myGovID. These services are known as 'myGov member services'.

44. The following participating relying parties and relying parties collect the attributes available from Services Australia (as a participating relying party) to assist in providing a streamlined user experience and to promote efficient delivery of the following services:

a. Apprenticeships Data Management Systems for Individuals – The Apprenticeships Data Management Systems (ADMS) is the platform that supports the delivery of Australian Apprenticeships. People can use the myGov platform to access the ADMS online services, allowing them to claim financial incentives and manage information relating to their apprenticeship.
b. ATO Online Services for Individuals – The Australian Taxation Office (ATO) is the principal revenue collection agency of the Australian Government. ATO Online Services provides tax and super services for people and sole traders.
c. Centrelink – A Centrelink online account allows people to claim, manage payments, manage their details and money, provide documents and report their income online.

i. In addition to the attributes collected from myGov, or a person's digital ID linked to their myGov account, Centrelink collects restricted attributes disclosed to it by Services Australia. Restricted attributes are defined in the principal Bill, and include (amongst other things) passport numbers, Medicare card numbers and birth certificate numbers. Item 8 of the table in subitem 4(2) includes a condition on Services Australia's participation as a participating relying party – Services Australia is only approved to disclose restricted attributes to Centrelink for:

1. Centrelink's service delivery functions, which include providing social security payments and services on behalf of the Australian Government, including Age Pension, Carer Payment, Disability Support Pension, JobSeeker Payment, Parenting Payment, Student and Youth Allowance payments (as set out in section 8A of the Human Services (Centrelink) Act 1997).
2. Centrelink's fraud detection, investigation and reporting functions (as required by paragraphs 10(e) and (f) of the Public Governance, Performance and Accountability Rule 2014).

ii. When making its decision to authorise Services Australia to collect these restricted attributes and attributes under the unlegislated TDIF, the Interim Oversight Authority considered that Services Australia engaged an independent privacy adviser to complete a privacy impact assessment (PIA) in relation to the attributes and restricted attributes listed in this Bill. The PIA was finalised on 22 December 2020. Services Australia implemented all recommendations in the PIA. This is consistent with the requirement in subparagraph 18(2)(f)(ii) of the principal Bill. Accordingly, paragraph 4(4)(a) provides that subclauses 65(2) and (3) of the principal Bill (requiring the Digital ID Regulator to have regard to a range of matters when deciding to impose a condition authorising the collection of restricted attributes) will not apply because those matters have already been considered by an entity performing the equivalent unlegislated function of the Digital ID Regulator.

d.
Child Support – The Child Support scheme aims to ensure that children receive an appropriate level of financial support from parents who are separated. Services Australia assists parents to apply for a child support assessment and facilitates the collection and transfer of child support payments. A Child Support online account allows people to manage their child support payments and details online.
e.
The Department of Health Application Portal – The Health Data Portal allows Health staff to exchange data and other files with authenticated individuals, businesses and other government agencies through a website. The Health Data Portal allows Health staff to exchange data and other files with authenticated individuals in external organisations.
f.
The Digital Identity Dashboard – The Digital Identity Dashboard allows people to view the transaction history of their Digital ID, including the details and attributes shared with each participating relying party and the time and date of the transaction(s). The Digital Identity Dashboard provides people with the ability to view and manage their Digital ID consent preferences.
g.
The Individual Healthcare Identifiers Service – The Individual Healthcare Identifiers Service (IHI Service) is a national system for identifying people, healthcare providers and organisations, using a healthcare identifier. Healthcare identifiers allow individuals who are not eligible for Medicare or Department of Veteran's Affairs (DVA) benefits to get a My Health Record and access proof of vaccinations and other key health information, and to apply for a Medicare entitlement statement (if applicable).
h.
Medicare Online – Medicare is Australia's universal health care system and helps Australians with the cost of their healthcare. A Medicare Online account allows people to manage details and claims, view statements and get letters online.
i.
My Aged Care Online Account – A My Aged Care Online account contains important information about a person's assessments, services and interactions with My Aged Care.
j.
myGov – myGov is the Australian Government's online portal that allows people to access government services online. myGov allows people to connect their digital ID to their account, which provides them the option of signing into the platform using their digital ID. Additionally, connecting a digital ID (in this case, the Taxation Commissioner's myGovID service) to myGov populates the person's legal name and date of birth into their myGov profile, which is leveraged when accessing linked (or linking new) member services from or to the person's myGov account.
k.
My Health Record – My Health Record is Australia's digital health record system. My Health Record provides an online summary of a person's health information that their healthcare providers can view.
l.
MyService – MyService is the DVA's online claiming platform. It provides online services for veterans and their families including lodging claims, applying for a Veterans Card and accessing support services.
m.
The National Cancer Screening Register Participant Portal – The National Cancer Screening Register Participant Portal records a person's participation in cervical and bowel screening. The National Cancer Screening Register Participant Portal allows people to update personal information and preferences, manage participation in the screening programs and access correspondence. Updates to a person's personal information flow through to their myGov account, or their Digital ID (myGovID) if linked to their myGov account.
n.
The National Disability Insurance Scheme (NDIS) myplace Participant Portal – The NDIS helps people with disability pay for supports and services. myplace is the NDIS participant portal that a person, their nominee or representative can use to access and update the person's contact details that the NDIS uses to communicate with them.
o.
The National Redress Scheme – The National Redress Scheme provides support to people who experienced institutional child sexual abuse. A person can make an application to the scheme online via this service, and their application will be pre-filled with their information from myGov or their Digital ID (myGovID) (if linked to their myGov account).
p.
Workforce Australia for Individuals – Workforce Australia connects job seekers with employers across Australia. Workforce Australia provides people with access to tools and resources, and allows them to manage participation in employment services.

45. Item 9 of the table in subitem 4(2) provides that the Student Identifiers Registrar (as defined by the Student Identifiers Act 2014) will be taken to have been approved to participate in the AGDIS as a participating relying party in respect of its online service known as the USI Student Portal.

46. Item 10 of the table in subitem 4(2) provides for entities to be prescribed in the transitional rules, made by the Minister under item 10(1) of this Bill. Entities so prescribed will be approved to participate in the AGDIS, as participating relying parties, subject to any conditions prescribed by the transitional rules. For example:

a.
Commonwealth bodies may seek approval to participate in the existing unlegislated AGDIS as relying parties prior to the commencement of this Bill. Some of these entities might be given such approval by the Australian Government. In that case, the Minister will be able to make transitional rules under subitem 10(1), to give effect to any decisions made by the Australian Government prior to commencement of this Bill, with the effect of allowing those entities to transition to participate in the legislated AGDIS, and
b.
State and territory government bodies or private sector entities may seek approval to participate in the existing unlegislated AGDIS as relying parties. Some of these entities might be given such approval by the Australian Government for the purposes of allowing the Commonwealth to test its plans, systems and business processes for the future expansion of the legislated AGDIS.

47. Entities may seek approval to participate in the unlegislated AGDIS as participating relying parties, prior to the commencement of this Bill. Some of these entities might be given such approval by the Australian Government during the period between the Royal Assent and commencement of this Bill. In that case, the Minister will be able to make transitional rules under item 10(1) of this Bill for the purposes of item 10 of the table in subitem 4(2), to give effect to any decisions made by the Australian Government, prior to commencement, to transition an entity's approval to participate in the unlegislated AGDIS into the legislated AGDIS.

48. From commencement, if any of these entities are yet to complete the process of onboarding to the unlegislated AGDIS as a participating relying party, they might apply to the Digital ID Regulator for approval to participate in the AGDIS under clause 61 of the principal Bill.

49. Subclauses 65(2) and (3) of the principal Bill will require the Digital ID Regulator to:

a.
have regard to certain matters in deciding whether to impose conditions on an entity's approval to participate in the AGDIS for the purposes of authorising the entity to collect or disclose a restricted attribute of an individual within the AGDIS; and
b.
if the Digital ID Regulator imposes the condition, to publish on the Digital ID Regulator's website a statement of reasons for giving the authorisation.

50. If, before the principal Bill commences, the Australian Government authorises an entity to collect restricted attributes and the transitional rules have the effect of including that entity in this Bill, paragraph 4(4)(b) would have the effect of not requiring the Digital ID Regulator to reconsider matters in subclauses 65(2) and (3) of the principal Bill that have already been decided.

Item 5 – Application of certain provisions in Digital ID Act 2023 for entities taken to be approved to participate

51. Subitem 5(1) provides that the provisions of this item 5 will apply in relation to an entity that will be taken to have been approved by the Digital ID Regulator to participate in the AGDIS because of the operation of subitem 4(1) or (2) of this Bill.

52. Subitem 5(2) provides that the Digital ID Regulator will be taken to have met the notification requirements set out in subclause 62(5)(a) of the principal Bill, in relation to the entity's approval to participate in the AGDIS. This will reflect that the entities specified in column 1 of the tables in subitem 4(1) and 4(2) have already been notified under the unlegislated TDIF by the Interim Oversight Authority of its decision to approve them to onboard to the unlegislated AGDIS.

53. Subitem 5(3) provides that the Digital ID Regulator will be taken to have met the notification requirements set out in subclause 62(6) of the principal Bill. This means that the entities specified in column 1 of the tables in subitem 4(1) and 4(2) will be taken to have been notified of:

a.
the day on which their approval to participate in the AGDIS comes into force;
b.
whether the entity is a participating relying party or an accredited entity and, in the latter case, the kind of accredited entity as which it is approved to participate;
c.
any conditions imposed on that approval; and
d.
the day on which the entity must first participate in the AGDIS.

54. Subitems 5(4), 5(5) and 5(6) clarify that, for the purposes of subclauses 62(6)(a), (b) and (c) of the principal Bill, the entities specified in column 1 of the tables in subitem 4(1) and (2) will be taken to have been notified that:

a.
their approval to participate in the AGDIS comes into force on the day that this Schedule 1 commences;
b.
such approval is subject to the conditions (if any) specified in column 3 of each item of the table in subitem 4(1), and column 2 of each item of the table in subitem 4(2), that relate to the entity; and
c.
the entity must first participate in the AGDIS on the day that this Schedule 1 commences.

55. A number of provisions in the principal Bill will operate in respect of an entity's participation start day (as defined by the principal Bill). For example, subclause 85(2)(a) of the principal Bill will provide that the statutory contract established under subclause 85(1) of the principal Bill comes into force on the day that the participation start day for both parties to that contract has arrived or passed. For the entities specified in column 1 of the tables in subitem 4(1) and (2) of this Bill, their participation start day will be the day that Schedule 1 commences.

56. Subitem 5(7) provides that, for the purposes of subclause 64(1)(c) of the principal Bill, the entity will be taken to have begun participating in the AGDIS on the day that Schedule 1 commences. This means that the entities specified in column 1 of the tables in subitem 4(1) and (2) will be taken to have complied with the condition on their approval to participate in the AGDIS, specified in subclause 64(1)(c) of the principal Bill, which requires the entity to participate in the AGDIS on the entity's participation start day (being the day that Schedule 1 commences).

57. Subitem 5(8) provides that the decision which the Digital ID Regulator will be taken to have made under paragraph 4(1)(b) or 2(b) of this Bill, immediately after the commencement of this Bill, to impose the conditions (if any) specified in column 3 of each item of the table in subitem 4(1), and column 2 of each item of the table in subitem 4(2), on the approval of the entity to which the item relates to participate in the AGDIS, will not be a reviewable decision for the purposes of the primary Act. These are conditions that have already been imposed by the Australian Government on the approval of these entities to onboard to the unlegislated AGDIS. The interests of the Commonwealth entities upon which these conditions will be deemed to be imposed on their approval to participate by the Digital ID Regulator will not be affected. This is because they are already subject to substantially the same conditions on their approval to participate in the unlegislated AGDIS.

59. The Administrative Review Council acknowledges that merits review is not appropriate in respect of decisions that automatically follow from the happening of a set of circumstances, which leaves no room for merits review to operate. Paragraphs 4(1)(b) and 4(2)(b) of this Bill merely replicate the existing circumstances in which Commonwealth entities have already been approved to participate in the unlegislated AGDIS with certain conditions imposed upon their approval to participate. In this sense, the decision to impose the same conditions on their approval to participate, which the Digital ID Regulator will be deemed to have made, automatically follows those existing circumstances.

Part 4 – Other matters

Item 6 – Application of the Digital ID Act 2023—information or documents

60. Item 6 provides that clause 133 of the principal Bill will apply to notices given after commencement, regardless of whether the information or documents came into existence before or after that commencement.

61. Clause 133 of the principal Bill will confer coercive information-gathering powers on the Digital ID Regulator. If an entity fails to comply with a written notice issued by the Digital ID Regulator under subclause 133(2), requiring the entity to provide certain information or documents to the Digital ID Regulator as specified in that notice, that entity may be liable for a civil penalty under subclause 133(5).

62. The scope of the Digital ID Regulator's coercive information-gathering powers under clause 133 of the principal Bill will extend to information and documents that are relevant to:

a.
whether an entity is complying, or has complied, with the entity's obligations under the principal Bill; and
b.
the performance of the Digital ID Regulator's functions, or the exercise of any of the Digital ID Regulator's powers, under the principal Bill.

63. While the Digital ID Regulator may only issue valid notices under subclause 133(2) of the principal Bill after commencement, relevant information and documents might have been created before commencement and may become subject to the Digital ID Regulator's information-gathering powers under clause 133 of the principal Bill (once it commences).

64. Item 6 of this Bill will clarify that an entity is required to provide relevant information or documents to the Digital ID Regulator, in response to a valid notice issued by the Digital ID Regulator under subclause 133(2) of the principal Bill, even if the information or document was created before commencement.

Item 7 – Digital ID Regulator—first annual report

65. Subitem 7(1) provides that the provisions of this item 7 will apply if the principal Bill commences less than six months before the end of a financial year (the first year).

66. In that case, subitem 7(2) provides that the Digital ID Regulator will not be required to prepare and give a report to the Minister, for presentation to the Parliament, on the Digital ID Regulator's activities during the first year, in accordance with clause 154 of the principal Bill.

67. However, subitem 7(3) provides that clause 154 of the principal Bill will apply, in these circumstances, to the next financial year (the next year) as if the next year also included the period starting at commencement and ending at the end of the first year. This means that the Digital ID Regulator will be required to include in the next year's report to the Minister information on the Digital ID Regulator's activities during the first year.

Item 8 – Information Commissioner—first annual report

68. Subitem 8(1) provides that the provisions of this item 8 will apply if the principal Bill commences less than six months before the end of a reporting year (the first reporting period) (as defined by the Public Governance, Performance and Accountability Act 2013 (PGPA Act)) for the Information Commissioner.

69. In that case, subitem 8(2) provides that the Information Commissioner will not be required to include, in the annual report prepared by the Information Commissioner and given to the Minister under section 46 of the PGPA Act, information about the performance of the Information Commissioner's functions or the exercise of the Information Commissioner's powers under or in relation to Part 2 of Chapter 3 of the principal Bill during the first reporting period, in accordance with clause 155 of the principal Bill.

70. However, subitem 8(3) provides that clause 155 of the principal Bill will apply, in these circumstances, to the next reporting period (the next reporting period) as if the next reporting period also included the period starting at commencement and ending at the end of the first reporting period. This means that the Information Commissioner will be required to include in the next reporting period's report to the Minister information about the Information Commissioner's performance of functions or exercise of powers under or in relation to Part 2 of Chapter 3 of the principal Bill during the first reporting period.

71. Subitem 8(4) clarifies that references to 'reporting period' in this item 8 will have the same meaning as in the PGPA Act.

Item 9 – Rules—requirement to consult

72. Item 9 provides that clause 169 of the principal Bill will not apply in relation to rules made under clause 168 of the principal Bill within 6 months of commencement. On 19 September 2023, drafts of the Digital ID Rules and the Accreditation Rules were released for public consultation, along with the exposure draft of the principal Bill. Accordingly, item 9 of this Bill will reflect that the Digital ID Rules and the Accreditation Rules have already been the subject of public consultation.

73. Clause 169 of the principal Bill will relevantly provide that rules made by the Minister, under clause 168 of the principal Bill, must ordinarily be the subject of prior consultation with the public. It is possible that unforeseen circumstances arise as transitional and administrative arrangements are implemented under the principal Bill. For this reason, the intended effect of this clause is to quickly and efficiently provide for adjustments to be made under either the Accreditation Rules or the Digital ID Rules. It is not expected that major policy changes will be made to either set of Rules during this time and without consultation.

Item 10 – Transitional rules

74. This item will enable the Minister to make rules prescribing matters required or permitted by Schedule 1 of this Bill to be prescribed by the rules, or necessary or convenient to be prescribed for carrying out or giving effect to Schedule 1 of this Bill. This will include rules to prescribe any saving or application provisions, which may set out situations or timeframes in which a law applies or does not apply. Rules made under this item will be legislative instruments for the purposes of the Legislation Act 2003 and will be subject to Parliamentary scrutiny and disallowance through the ordinary operation of the Legislation Act 2003. Rules will be available on the Federal Register of Legislation.

75. The current unlegislated TDIF is complex, as are the arrangements that the Australian Government has made pursuant to it and the systems that have been developed and the services that are being provided under those arrangements. Additionally, the unlegislated TDIF will continue to operate until the commencement of the principal Bill. Accordingly, new arrangements, systems and services may be made or developed pursuant to the unlegislated TDIF prior to the commencement of the principal Bill.

76. Given the changing landscape and complexity of the current situation, there is the possibility that the transitional arrangements made by this Bill on commencement might not cover every potential circumstance required to be covered. There may be unintentional and unforeseen consequences that may require additional transitional arrangements being put in place to avoid placing unnecessary additional costs on people and entities.

77. It is necessary to have the flexibility to deal expeditiously with transitional matters in relation to the AGDIS without the need to amend the principal Bill. The most practical and appropriate way of dealing with such matters will be through subordinate legislation. Transitional rules made under item 10 will enable the ongoing operation of the unlegislated TDIF, up to the commencement of the principal Bill, to be smoothly transitioned to the new legislative scheme and, in doing so, minimise the impact on participants in the unlegislated AGDIS.

78. Transitional rules will be able to address any unforeseen consequences of the principal Bill and minimise the likelihood of any regulatory uncertainty during transition.

79. Subitem 10(3) provides that rules made under this item, within 12 months after commencement, may modify the effect of provisions in this Bill or the principal Bill, in relation to matters of a transitional nature. Those provisions will then have effect, in relation to the transitional matter, as if they were so modified.

80. The scope of the rule-making power to modify the operation of this Bill or the principal Bill, as set out in subitem 10(3), is limited:

a.
temporally, to the period of 12 months after commencement, as specified in subitem 10(3);
b.
by subitem 10(1), to what is required or permitted by Schedule 1 to be prescribed by rules, or what is necessary or convenient to be prescribed by rules in order to carry out or give effect to Schedule 1; and
c.
by subitem 10(4), which specifies various matters that may not be prescribed by rules.

81. Accordingly, there are appropriate safeguards in place to ensure that the rule-making power to modify the operation of this Bill or the principal Bill may only be used to deal with complex transitional arrangements requiring modifications that were not anticipated prior to commencement. This rule-making power is appropriate given the complexity of the unlegislated TDIF and the inter-dependencies in the operation of the unlegislated AGDIS which may necessitate limited modifications to the operation of this Bill and the principal Bill to establish effective transitional arrangements.

82. Subitem 10(4) clarifies that transitional rules may not:

a.
create an offence or civil penalty;
b.
provide powers of arrest or detention or entry, search or seizure;
c.
impose a tax;
d.
set an amount to be appropriated from the Consolidated Revenue Fund; or
e.
directly amend the text of this Bill or the principal Bill.

This is consistent with the rule-making power under clause 168 of the principal Bill.

83. Subitem 10(5) provides that this Bill (other than subitem 10(4)) will not limit the rules that may be made.

Schedule 2 – Consequential amendments

84. This Schedule details the amendments that will need to be made to the:

a.
ADJR Act;
b.
Age Discrimination Act;
c.
ASIO Act;
d.
Competition and Consumer Act;
e.
Privacy Act; and
f.
Taxation Administration Act,

upon enactment of the principal Bill.

Administrative Decisions (Judicial Review) Act 1977

Item 1 – At the end of Schedule 1

85. This item will insert a new paragraph (zi) at the end of Schedule 1 of the ADJR Act, which sets out classes of decisions to which that Act does not apply. Paragraph (zi) will exclude from review under the ADJR Act certain decisions made by the Minister under the principal Bill to issue directions to the Digital ID Regulator about the accreditation of entities that are not Australian entities, and their participation in the AGDIS, for reasons of security. Specifically, it excludes decisions by the Minister to issue a direction to the Digital ID Regulator to:

a.
refuse to accredit an entity as a specified kind of accredited entity, impose conditions on the accreditation of an entity or suspend or revoke an entity's accreditation; and
b.
refuse to approve an entity to participate in the AGDIS, impose conditions on an entity's approval to participate or suspend or revoke an entity's approval to participate in the AGDIS.

86. In this context, 'security' has the same meaning as section 4 of the ASIO Act. The term 'Australian entity' is defined in the principal Bill. Australian entities include Commonwealth, state and territory bodies, bodies incorporated under Australian law, as well as Australian citizens and permanent residents.

87. This amendment will work with item 3 in Schedule 2 of this Bill, and Part 4 of Chapter 9 of the principal Bill, to limit the review rights of prospective or existing accredited or participating entities that are not Australian entities. The amendment is designed to mitigate the risk of exposing classified or otherwise sensitive details about Australia's national security, or jeopardising ongoing security operations, through a review under the ADJR Act.

88. Paragraph (d) in Schedule 1 of the ADJR Act already excludes ASIO security assessments from judicial review under that Act. Accordingly, security assessments conducted in the context of the principal Bill will be excluded from judicial review under the ADJR Act. This amendment will extend the existing exclusion to cover decisions made by the Minister under the principal Bill on the basis of an ASIO security assessment ('for reasons of security').

89. All entities (including those that are not Australian) will maintain their judicial review rights, with respect to decisions made under the principal Bill, under section 75(v) of the Australian Constitution and section 39B of the Judiciary Act 1903. Judicial review rights of Australian entities will be unaffected by this Bill.

Age Discrimination Act 2014

Item 2 – Schedule 2 (at the end of the table)

90. This item will insert a new item 11 at the end of the table in Schedule 2 of the Age Discrimination Act.

91. Subsection 39(1A) of the Age Discrimination Act provides that Part 4 of that Act does not make unlawful anything done by a person in direct compliance with a provision of an Act, regulation or other instrument if the provision is covered by Schedule 2.

92. The Accreditation Rules that will be made under the principal Bill will provide that an accredited entity must not generate a digital ID for a person if the person requesting the digital ID is less than 14 years of age.

93. This amendment to Schedule 2 of the Age Discrimination Act will work with subsection 39(1A) of that Act, to ensure that Part 4 of the Age Discrimination Act does not make unlawful anything done by a person in direct compliance with the specified age requirements of the principal Bill.

Australian Security Intelligence Organisation Act 1979

Item 3 – Subsection 35(1) (after paragraph (c) of the definition of prescribed administrative action)

94. This item will insert a new paragraph (ca) into the definition of 'prescribed administrative action' in subsection 35(1) of the ASIO Act. This means the decision of the Minister to issue a direction to the Digital ID Regulator under Chapter 2 (relating to accreditation) or Chapter 4 (relating to participation in the AGDIS) of the principal Act will be a 'prescribed administrative action' for the purposes of Part IV of the ASIO Act.

95. Under the ASIO Act, a statement in writing furnished by ASIO to the Minister expressing any recommendation, opinion or advice on whether it would be consistent with the requirements of security for prescribed administrative action to be taken, or is necessary or desirable, is a security assessment.

96. Part IV of the ASIO Act regulates security assessments furnished by ASIO to Commonwealth agencies relevant to their functions and responsibilities. Subject to section 36 of the ASIO Act and item 4 below, it also ensures the person affected by the security assessment is to be notified of the advice, and also allows for review by the Administrative Appeals Tribunal.

97. The capacity to refuse to accredit an entity or impose conditions on the accreditation of an entity are important safeguards in the accreditation framework. Security advice from ASIO may assist the Minister to determine whether to issue a direction to the Digital ID Regulator in respect of the security concerns posed by an entity's accreditation.

98. Similarly, as the gateway into the AGDIS, approval to participate plays a crucial role in safeguarding the system and the digital ID information of Australians within the AGDIS. Security advice from ASIO may assist the Minister to determine whether to issue a direction to the Digital ID Regulator in respect of the security concerns posed by an entity's participation in the AGDIS.

99. This amendment will work with the principal Bill to regulate ASIO's advice (including security assessments) informing a decision of the Minister to issue a direction to the Digital ID Regulator, such as a direction to:

a.
refuse to accredit an entity as a specified kind of accredited entity, impose conditions on the accreditation of an entity or suspend or revoke an entity's accreditation; and
b.
refuse to approve an entity to participate in the AGDIS, impose conditions on an entity's approval to participate or suspend or revoke an entity's approval to participate in the AGDIS.

100. The framework for accreditation set out in Chapter 2 of the principal Bill, and the framework for approval to participate in the AGDIS set out in Chapter 4 of the principal Bill, include criteria relating to 'adverse or qualified security assessments' as defined in Part IV of the ASIO Act to regulate the provision of security advice to support the Minister's decisions comes within the scope of ASIO's functions.

Item 4 – After paragraph 36(1)(ba)

101. This item will insert a new paragraph (bb) into subsection 36(1) of the ASIO Act. This new paragraph will provide that Part IV of the ASIO Act does not apply to a security assessment, in respect of an entity that is not an Australian entity (as defined by the principal Bill), in relation to an exercise of a power under Chapter 2 or 4 of the principal Bill.

102. The term 'Australian entity' is defined in the principal Bill. Australian entities include Commonwealth, state and territory bodies, bodies incorporated under Australian law, as well as Australian citizens and permanent residents.

103. This amendment will exclude, from the notice requirements and review mechanisms in Part IV of the ASIO Act, any security assessments of non-Australian entities that may be relied upon by the Minister to make a decision to issue a direction to the Digital ID Regulator under Chapter 2 or 4 of the principal Bill. The scope of this exclusion will align with similar exclusions from review under Part IV of the ASIO Act.

104. This amendment will work with item 2 in Schedule 2 of this Bill, to limit the review rights of prospective or existing accredited or participating entities that are not Australian entities.

105. The underlying intent is to control the security risks associated with foreign nationals who may be affiliated with foreign powers. Disclosing knowledge of this affiliation through the review process in Part IV of the ASIO Act will risk jeopardising ongoing security operations and poses a threat to Australia's national security. This consequential amendment will be consistent with the Administrative Review Council publication, What decisions should be subject to merits review? (1999), which states that decisions concerning national security may justify exclusion from merits review (paragraph 4.23).

Competition and Consumer Act 2010

Item 5 – Subsection 19(1) and (7)

106. This item will insert a reference to the principal Bill into subsection 19(1) and 19(7) of the Competition and Consumer Act.

107. Subsection 19(1) of the Competition and Consumer Act provides that the Chairperson of the Australian Competition and Consumer Commission (ACCC) may, by written instrument, direct that the Chairperson's powers in relation to a matter shall be exercised by a Division of the Commission as specified in the direction.

108. Subsection 19(7) of the Competition and Consumer Act clarifies that a Division of the ACCC may exercise the powers of the Chairperson notwithstanding that another Division of the ACCC is exercising powers of the Chairperson at the same time.

109. Powers are conferred on the Chairperson under the Competition and Consumer Act, gas market instruments and the consumer data rules, as referred to in subsections 19(1) and 19(7) of the Competition and Consumer Act. By inserting a reference to the principal Bill into subsection 19(1) and 19(7) of the Competition and Consumer Act, this item will empower the ACCC to exercise the powers of the Digital ID Regulator under the principal Bill.

110. This amendment will work with clause 90 of the principal Bill, which provides that the Digital ID Regulator will be the ACCC.

Privacy Act 1988

Item 5 – At the end of subsection 33C(1)

111. This item will insert a new paragraph (g) into subsection 33C(1) of the Privacy Act. This new paragraph will provide that the Information Commissioner may conduct an assessment of whether accredited entities are complying with:

a.
the additional privacy requirements set out in Division 2 of Part 2 of Chapter 3 of the principal Bill, as well as the rules made for the purposes of that Division; and
b.
the prohibition in APP-equivalent agreements (as defined by the principal Bill) on collecting, holding, using or disclosing personal information (as defined by the principal Bill) in any way that will breach an Australian Privacy Principle.

112. Division 2 of Part 2 of Chapter 3 of the principal Bill will impose a range of additional privacy safeguards applicable to accredited entities participating in the AGDIS.

113. Additionally, clause 34 of the principal Bill will allow the Minister, on behalf of the Commonwealth, to enter into an APP-equivalent agreement with an accredited entity that is not an APP entity (as defined by the Privacy Act).

114. An APP-equivalent agreement might prohibit the non-APP entity from collecting, holding, using or disclosing personal information in any way that will, if the entity were an organisation as defined by the Privacy Act, breach an Australian Privacy Principle. In that case, clause 37 of the principal Bill will deem a contravention of that obligation to be an interference with the privacy of a person for the purposes of the Privacy Act.

115. This amendment will ensure that the Information Commissioner can investigate complaints relating to contraventions of the privacy requirements set out in:

w.
Division 2 of Part 2 of Chapter 3 of the principal Bill; or
x.
an APP-equivalent agreement,

through the conduct of assessments of the entity's compliance with those requirements, under subsection 33C(1) of the Privacy Act.

Taxation Administration Act 1953

Item 7 – At the end of Part IA

116. This item will insert a new section 3J at the end of Part IA of the Taxation Administration Act, which will confer upon the Commissioner of Taxation the functions of providing services, or access to services, within digital ID systems. This may include participating in the AGDIS as one or more kinds of accredited entities.

117. Additionally, this item will confer upon the Commissioner of Taxation broad powers to do all things necessary and convenient in connection with the performance of those functions, without limiting any other functions or powers of the Commissioner of Taxation.

118. The Commissioner of Taxation currently provides services within the unlegislated AGDIS, as an:

y.
identity service provider, providing the myGovID service; and
z.
attribute service provider, providing the Relationship Authorisation Manager service.

119. The Commissioner of Taxation currently provides these services:

aa.
for Commonwealth purposes; and
bb.
to state and territory agencies, for the limited purpose of the Commonwealth testing the viability of the services to inform planning for the Digital ID program and assess the viability of a broader expansion of the AGDIS outside of the Commonwealth.

120. The effect of this amendment is that the Commissioner of Taxation can provide services, or access to services, in a digital ID system. In particular, the Commissioner of Taxation can participate as an accredited entity in the AGDIS, which may involve the participation of non-government entities, as well as state and territory agencies outside of the viability testing context.

121. When participating in the AGDIS as an accredited entity, the Commissioner of Taxation will be operating entirely under the principal Bill, and not under, or for the purposes of, a taxation law. The provision of these services as an accredited entity participating in the AGDIS does not trigger any of the Commissioner's general powers, duties or obligations under a taxation law.

122. For example, when the Commissioner is operating as an identity service provider or an attribute service provider in the AGDIS, they are doing so using powers given under the principal Bill and subject to the requirements under that law. This means that any information the Commissioner deals with as an identity service provider or attribute service provider in the AGDIS is subject to the requirements of the principal Bill and not taxation law.

123. In contrast, when the Commissioner is participating in the AGDIS as a relying party, the Commissioner will be operating under, or for the purposes of, a taxation law. For example, as a relying party, the Commissioner could provide or enable access to services that would facilitate the management of a person's taxation affairs. Information obtained for this purpose would be information obtained for the purposes of a taxation law and subject to relevant requirements under that law.

Statement of compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Digital ID (Transitional and Consequential Provisions) Bill 2023

1. The Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

2. This Bill deals with transitional matters that will arise from the enactment of the principal Bill to become the principal Act, including amending the:

a.
Administrative Decisions (Judicial Review) Act 1977 (ADJR Act);
b.
Age Discrimination Act 2004 (Age Discrimination Act);
c.
Australian Security Intelligence Organisation Act 1979 (ASIO Act);
d.
Competition and Consumer Act 2010 (Competition and Consumer Act);
e.
Privacy Act 1988 (Privacy Act); and
f.
Taxation Administration Act 1953 (Taxation Administration Act),

to support the operation of the principal Bill.

3. The principal Bill will establish a voluntary accreditation scheme for governments and businesses providing digital ID services in any digital ID system in Australia. Entities choosing to be accredited will be able to demonstrate that they comply with strong privacy and security safeguards.

4. The principal Bill will also enable the expansion of the Australian Government Digital ID System (AGDIS). The AGDIS will provide individuals with a secure, convenient and voluntary way to verify their ID in online transactions with governments and businesses, while protecting their privacy and the security of their personal information.

5. The Australian Government has been developing and administering an unlegislated AGDIS since 2015. The Interim Oversight Authority is responsible for safety, reliability and the efficient operation of the system. The Department of Finance (Finance) and Services Australia share this role. Services Australia has responsibility for day-to-day operational matters relating to the AGDIS, including its security and fraud control capabilities. Arrangements for the existing AGDIS are facilitated by non-binding memoranda of understanding. An existing policy framework - the unlegislated Trusted Digital Identity Framework (TDIF) - sets out technical standards for entities providing services in the unlegislated AGDIS, and provides a voluntary accreditation framework for entities who are not providing services in the unlegislated AGDIS. The Department of Finance has policy responsibility for this existing digital ID system, and conducts accreditation, approvals, compliance and issue handling. Arrangements for the existing digital ID system are facilitated by non-binding memoranda of understanding. The unlegislated accreditation - the Trusted Digital Identity Framework (TDIF) - sets out technical standards for entities providing services in the AGDIS, and provides a voluntary accreditation framework for entities who are not providing services in the AGDIS.

6. Schedule 1 of this Bill will enable current policy arrangements to be translated in the legislated schemes for both the accreditation of entities by the Digital ID Regulator and the approval of entities to participate in the AGDIS. Entities that have already been accredited under the unlegislated TDIF policy may be deemed to be accredited under the principal Bill. Commonwealth TDIF-accredited entities and relying parties (as defined in memoranda of understanding) already approved to participate in the unlegislated AGDIS may be deemed to be approved to participate in the AGDIS as an accredited entity, participating relying party or relying party, for the purposes of the principal Bill.

7. TDIF-accredited entities and relying parties already participating in the unlegislated AGDIS may be deemed to be approved to participate in the AGDIS, for the purposes of the principal Bill.

8. To recognise existing arrangements and protections established under the unlegislated TDIF, these deemed accreditations and approvals to participate in the AGDIS will be subject to the relevant entities meeting certain key conditions that were imposed by the Australian Government under the unlegislated TDIF and operational structures upon the entities' accreditation, or approval to participate in the unlegislated AGDIS.

9. This Bill will also provide that the Minister may make rules, by legislative instrument, prescribing matters of a transitional nature relating to the enactment of Schedule 1 of this Bill or the principal Bill. This transitional rule-making power will provide the necessary flexibility in transitioning from the unlegislated TDIF to the new legislative framework established by the principal Bill.

10. Schedule 2 of this Bill will make consequential amendments to the following Acts to support the operation of the principal Bill in the ways described below:

a.
It is intended that the Accreditation Rules will lawfully allow accredited identity service providers to refuse to create a digital ID for a person who is under a specified age, to comply with the specified age requirements under the Accreditation Rules. This conduct, which would otherwise be unlawful discrimination, will be made lawful by inserting the Accreditation Rules made under the principal Bill into Schedule 2 of the Age Discrimination Act.
b.
The Minister's decision to issue a direction to the Digital ID Regulator about foreign entities, including to refuse to accredit, approve participation in the AGDIS, or to impose a condition on their accreditation or approval to participate under the principal Bill (on the basis of an adverse or qualified security assessment from ASIO) will be excluded from judicial review, by listing those decisions in Schedule 1 of the ADJR Act.
c.
ASIO may provide security assessments to the Minister in relation to decisions to issue directions to the Digital ID Regulator made under Chapter 2 or Chapter 4 of the principal Bill, and to limit the notice and review processes for foreign entities in relation to security assessments by inserting relevant provisions of the principal Bill into Part IV of the ASIO Act.
d.
As noted in clause 90 of the principal Bill, the initial Digital ID Regulator will be the Australian Competition and Consumer Commission (ACCC). Subsections 19(1) and (7) of the Competition and Consumer Act will be amended to reference the powers conferred upon the Digital ID Regulator under the principal Bill, to enable the Chairperson to direct that the powers of the ACCC under the principal Bill shall be exercised by a Division of the ACCC.
e.
The Information Commissioner will be empowered to conduct an assessment of whether accredited entities are complying with:

i.
the additional privacy safeguards set out in Division 2 of Part 2 of Chapter 3 of the principal Bill; and
ii.
obligations under an APP-equivalent agreement to comply with the Australian Privacy Principles,

by inserting a new provision into the assessment powers of the Information Commissioner in section 33C of the Privacy Act.
f.
The Commissioner of Taxation currently provides services within the unlegislated AGDIS under the unlegislated TDIF, as an:

i.
identity service provider, providing the myGovID service; and
ii.
attribute service provider, providing the Relationship Authorisation Manager service.

This Bill will confer a statutory function onto the Commissioner of Taxation to provide services, or access to services, in digital ID systems. In particular, the Commissioner will be enabled to provide services as an accredited identity service provider and an accredited attribute service provider within the AGDIS. This will be achieved through a new provision in Part IA of the Taxation Administration Act to confer a statutory function onto the Commissioner of Taxation to provide services, or access to services, within digital ID systems.

In addition, the amendments will provide broad powers for the Commissioner of Taxation to do all things necessary and convenient in connection with the performance of those functions. The Bill will make clear that the principal Bill is not a taxation law and when exercising powers and performing the new functions, the Commissioner of Taxation will be operating under the principal Bill and not under, or for the purposes of, a taxation law.

This Bill will promote rights under the International Covenant on Civil and Political Rights (ICCPR), with some reasonable, necessary and proportionate limitations to protect Australia's national security interests and key safeguards established by the principal Bill.

Human rights implications

11. This Bill will engage the following human rights:

a.
The right to equality, recognition and non-discrimination in Articles 2, 16 and 26 of the ICCPR and Article 2 of the Convention on the Rights of the Child (CROC).
b.
The prohibition on arbitrary or unlawful interference with privacy contained in Article 17 of the ICCPR, and also referred to in Article 16 of the CROC and Article 22 of the Convention on the Rights of Persons with Disabilities (CRPD).
c.
The right to a fair trial and fair hearing primarily contained in Article 14 of the ICCPR, and also referred to in Article 40(2)(iii) of the CROC.

Prohibition on Discrimination

12. The right to equality and non-discrimination before the law is enshrined in Articles 2, 16 and 26 of the ICCPR, and Article 2 of the CROC.

13. The ICCPR defines 'discrimination' as a distinction based on personal attributes, such as race, sex or religion, which has either the purpose, or the effect, of adversely affecting human rights.

14. This principle is codified in domestic law, in the Age Discrimination Act, which makes it unlawful to discriminate on the ground of age.

15. The Accreditation Rules that will be made under the principal Bill will provide that an accredited entity must not generate a digital ID for a person if the person requesting the digital ID is less than 14 years. This obligation was broadly supported by feedback on the Accreditation Rules through public consultations undertaken in September to October 2023, in support of the principle that using a digital ID should be voluntary; that is, with the person's consent (as discussed below, in respect of a child's capacity to provide consent).

16. Item 1 of Schedule 2 of this Bill will make consequential amendments to Schedule 2 of the Age Discrimination Act to ensure that, pursuant to subsection 39(1A) of that Act, Part 4 of the Age Discrimination Act does not make unlawful anything done by a person in direct compliance with the specified age requirements of the Accreditation Rules made under the principal Bill.

17. There will be an obligation on accredited identity service providers under the Accreditation Rules to be made under the principal Bill, not to create a digital ID for children under a specified age. This specified age is intended to protect children who may not have the capacity to understand the concept of consent. Consent is a central mechanism to protect against undue interference with a young person's privacy. The specified age that will be established under the Accreditation Rules will have regard to the guidance of the Office of the Australian Information Commissioner (OAIC),[1] which provides that people aged 15 years and above may be presumed to have capacity to consent where it is not practicable for an entity to assess the capacity of people aged under 18 on a case-by-case basis. This approach has been supported by the Australian Law Reform Commission in its review of Australian privacy law in 2007.

18. The specified age requirement to access a range of other government services reflects age limitations across various frameworks including privacy, passports, tax file numbers, Medicare, My Health Records, access to medical treatment and age of criminal liability. There is no universally agreed age where capacity of a young person is triggered. However, the age range of 13-16 years appears to be the most commonly used and is supported by the principle of an evolving capacity in children as reflected in the CROC. Submissions and feedback on a draft of the Accreditation Rules for public consultation indicate there is support for a specified age of 13 years. Further consultation is needed with stakeholders about the appropriate age to set the limit, particularly the Commonwealth Children's Commissioner and jurisdictional equivalent. This consultation will occur as part of the rule-making process to ensure a specified age is in place on commencement of the principal Bill.

19. For these reasons, the limitation on the prohibition against age discrimination is reasonable and proportionate to the objective of improving access to government and private sector services, and harmonises access with other frameworks of importance. It also balances these objectives with the protection of the rights of children to privacy.

Right to protection from unlawful or arbitrary interference with privacy

20. Article 17 of the ICCPR recognises the right that no one will be subjected to arbitrary or unlawful interference with their privacy. It also provides that everyone has the right to the protection of the law against such interference or attacks. Article 16 of the CROC and Article 22 of the CRPD contain similar rights. To the extent this right is engaged under the CROC and CRPD, the same analysis is relevant and is not repeated in this statement.

21. This right can be permissibly limited in order to achieve a legitimate objective, when the interference with privacy is for a reason consistent with the ICCPR, proportional to the ends sought and necessary in the circumstances of any given case.

22. Item 3 of Schedule 2 of this Bill will expand the definition of 'prescribed administrative action' in subsection 35(1) of the ASIO Act to include an exercise of power under Chapter 2 or 4 of the principal Bill. This amendment will provide that the Minister must not issue a direction to the Digital ID Regulator to do any of the following actions, on the basis of a communication from ASIO, unless the communication was provided in the form of a security assessment:

a.
refuse to accredit an entity as a specified kind of accredited entity, impose conditions on the accreditation of an entity or suspend or revoke an entity's accreditation; and
b.
refuse to approve an entity to participate in the AGDIS, impose conditions on an entity's approval to participate or suspend or revoke an entity's approval to participate in the AGDIS.

23. An entity is defined in the principal Bill as including an individual. To the extent that an individual is an entity seeking to be accredited, the measures in this Bill may engage the right to privacy.

24. Currently, ASIO's functions include communicating intelligence relevant to security, and advising Ministers in respect of matters relating to security, in so far as those matters are relevant to their functions and responsibilities. The effect of item 3 of Schedule 2 is that the communication of information or giving of advice in relation to the exercise of power under Chapter 2 or 4 of the principal Bill would be subject to the controls and safeguards included in Part IV of the ASIO Act.

25. In particular, Part IV of the ASIO Act currently provides that, subject to certain exceptions, a Commonwealth agency (which includes a Minister) cannot take, refuse to take or refrain from taking prescribed administrative action on the basis of any communication in relation to a person made by ASIO, otherwise than in the form of a security assessment. Part IV also provides that if ASIO furnishes a security assessment, then unless an exception applies, ASIO must notify the affected person of the security assessment, and that person may apply to the Administrative Appeals Tribunal (AAT) to seek merit review of the decision.

26. To the extent that an individual is affected, by including the exercise of powers under Chapter 2 or 4 of the principal Bill in the definition of prescribed administrative action, this amendment will promote the right to privacy by bringing these communications within the scope of Part IV of the ASIO Act, including the requirement to notify the affected person of an assessment and AAT review mechanisms. To the extent that these entities are individuals, their rights may be limited.

27. Item 6 of Schedule 2 of this Bill will make a consequential amendment to subsection 33C(1) of the Privacy Act, allowing the Information Commissioner to conduct an assessment of whether accredited entities are complying with the privacy requirements set out in:

a.
Division 2 of Part 2 of Chapter 3 of the principal Bill, including rules made for the purposes of that Division; or
b.
an APP-equivalent agreement (as defined by the principal Bill).

28. A compliance assessment under section 33C of the Privacy Act may engage the right to privacy through the sharing of personal information between the Information Commissioner and the Digital ID Regulator as well as the entity under assessment, about a person who holds a digital ID. Subjecting entities to compliance assessments will ensure that a person's personal information is being protected by the privacy requirements of the principal Bill and APP-equivalent agreements. Accordingly, this limitation on the right to privacy will be reasonable and necessary to achieve the legitimate objective of protecting personal privacy in respect of a digital ID system.

29. This limitation on the right to privacy will be lawful because the amendment to subsection 33C(1) of the Privacy Act will rely on established legal processes for compliance assessments to be carried out under the Privacy Act. This limitation will not be arbitrary, as it will apply to an ascertainable class of persons (accredited entities) and will only relate to the privacy requirements set out in Division 2 of Part 2 of Chapter 3 of the principal Bill or an APP-equivalent agreement.

30. For the reasons set out above, the amendments to the ASIO Act and the Privacy Act will place reasonable, necessary and proportionate limitations on the right to protection from unlawful or arbitrary interferences with privacy.

Right to a fair and public hearing

31. The ICCPR establishes rights to due judicial process and procedural fairness. Article 14 provides that all persons are equal before the law, and are entitled to a fair and public hearing before a competent, independent, and impartial tribunal established by law.

32. Items 2 and 4 of Schedule 2 of this Bill will impose reasonable, necessary and proportionate limitations on the right to a fair and public hearing. In particular, these items will limit procedural fairness for entities that are not Australian entities (as defined by the principal Bill), by excluding them from notice and review rights in certain circumstances.

33. Item 4 of Schedule 2 of this Bill will exclude from the notice requirements and review mechanism set out in Part IV of the ASIO Act, security assessments given by ASIO in respect of entities that are not Australian entities, for the Minister to consider in deciding whether to issue a direction to the Digital ID Regulator under Chapter 2 or 4 of the principal Bill. For example, directing the Digital ID Regulator to refuse to accredit an entity or approve an entity to participate in the AGDIS.

34. These exclusions will be reasonable and necessary to protect Australia's national security interests, as disclosing knowledge of any affiliation the entity might have with a foreign power, through notice and review mechanisms under Part IV of the ASIO Act, could prejudice ongoing security-related investigations, sources and capabilities.

35. The impact on procedural fairness will also be proportionate to the goal of protecting Australia's national security, as the exclusion of notice and review rights will be targeted at entities that are not Australian entities. By comparison, Australian entities will be able to rely on the notice and review provisions set out in Part IV of the ASIO Act, including in respect of a decision made under Chapter 2 or 4 of the principal Bill for reasons of security related to another entity that is not an Australian entity.

36. Item 2 of Schedule 2 of this Bill will amend Schedule 1 of the ADJR Act to exclude decisions made under the principal Bill, in relation to entities that are not Australian entities, from judicial review under the ADJR Act. As discussed above, the exclusion of judicial review in this context will be reasonable and necessary to preserve Australia's national security interests.

37. The exclusion of judicial review under the ADJR Act will also be proportionate as it will be limited to specific decisions made for reasons of security (not any reason). The judicial review rights of Australian entities will be unaffected. Additionally, all entities will maintain judicial review rights with respect to such decisions under section 75(v) of the Australian Constitution and section 39B of the Judiciary Act 1903.

Conclusion

38. This Bill is compatible with human rights because any limitations will be reasonable, necessary and proportionate to the ends sought.

[1] Australian Privacy Principles Guidelines, Chapter B Key Concepts (22 July 2019), https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-b-key-concepts/

