Strengthening privacy under the TDIF

13 November 2018

Today we’re releasing the second privacy impact assessment of the Trusted Digital Identity Framework.

Digital identity will make it easier for people to prove who they are when using government services online.

The Trusted Digital Identity Framework sets out the rules and standards which must be followed by every organisation providing digital identity services.

This includes government agencies such as the Australian Taxation Office, which will operate the myGovID identity provider, the Department of Human Services, which operate the identity exchange, as well as any private sector suppliers who join the program later on.

Protection of privacy has been a key consideration at all points during the development of the program, from the first policy documents to the technology we are testing with real people and businesses.

The framework builds on, and has requirements as least as strong as the:

  • Australian Privacy Principles and the Privacy Code
  • Information Security Registered Assessors Program

  • Australian Government Protective Security Policy Framework and Information Security Manual

  • Australian Signals Directorate’s Essential 8 cyber security mitigations

It also requires participants to undertake independent security testing and assessments.

Privacy Impact Assessments (PIAs)

Another way we are making sure digital identities are safe, secure and protect the privacy of their users is through independent assessments of the framework.

We have commissioned a multi-phase PIA process to help identify, assess and minimise privacy risks in the framework.

PIAs are an important step in the protection of privacy for projects that involve the handling of personal information.

These assessments provide an opportunity to make sure projects follow privacy laws and also help to identify potential impacts and mitigations that will address the expectations of the community.

Every part of the digital identity system will undergo its own PIA including myGovID and the identity exchange.

First assessment

We commissioned an independent privacy company to run a multi-phase PIA process, involving engagements with privacy commissioners, consumer groups and privacy advocates.

The initial PIA focused on the overall concept and design of the framework and made 23 recommendations.

We published the PIA and responded to its recommendations in May 2017.

Second assessment

Today we’re releasing the second PIA along with our responses to its recommendations.

This assessment focused on strengthening the privacy requirements of the framework, ensuring data quality and making sure users have a consistent experience.

A summary of the recommendations of the second PIA and our responses are included below.

The TDIF’s privacy requirements should be mandated

We agree that the TDIF could be strengthened through legal backing and we’re looking into this.

The identity exchange should only keep metadata for a short period of time

The identity exchange needs to keep metadata related to transactions:

  1. to allow people to use the system

  2. for evidence in investigations of complaints and fraud

We agree that there needs to be a time limit on how long metadata is kept for evidence in investigations of complaints and fraud. We’re looking into use cases to work out what a reasonable time limit should be.

The identity exchange and identity providers need to develop their own privacy policies

We agree and we will make this a requirement in the next iteration of the TDIF’s privacy requirements.

The TDIF’s restrictions on the use of biometrics should be mandated

We agree that the TDIF could be strengthened through legal backing and we’re looking into this.

The TDIF should outline a time period for the validity and renewal of identity credentials

We agree and we will include a time period in a future iteration of the TDIF’s proofing requirements. 

Complaints should be responded to within 30 days

We agree that this would help to ensure a consistent experience for our users. 

A committee of key stakeholder representatives should be able to participate in the development and implementation of the TDIF

We’ve consulted across privacy and community groups in the development of the TDIF and will be releasing the next part of the framework for consultation soon. We will make sure these groups are represented in the oversight of the TDIF.

The TDIF should be reviewed after 3 years 

We’re planning to review the TDIF within 2 years after the first public beta service – issuing a tax file number using myGovID.

Moving forward

The governance and legal framework which supports digital identity will always include strong privacy protections embedded in robust rules or legislation.

Before they can join the identity federation, all identity service providers must complete their own PIAs and prove they are meeting privacy requirements.

As the digital identity pilot programs roll out, our user research continues. As part of that, we are focusing on how we can make it easier for users to understand how their identity information is used and make informed decision about how their information is used, and how we can improve privacy notices to make them more informative and effective.

For media enquiries email us at media@dta.gov.au

For other enquiries email us at info@dta.gov.au