Digital identity was a key part of the Australian Government’s Digital Economy Strategy: a further $161 million was committed in the 2021 mid-year budget update, bringing total investment since 2015 to more than $600 million. Over that period, the government has developed the Trusted Digital Identity Framework, established the Digital Identity System and, in late 2021, published draft legislation to govern and regulate the system.
There’s been little apparent progress in the past 10 months. However, if the potential microeconomic benefits (estimated at $11 billion in the previous government’s Digital Economy Strategy) aren’t sufficient incentive, the September 2022 data breach at Optus and the subsequent run of data breaches at companies in October should supply new impetus. That’s because digital identity offers organisations a way to reliably validate customer identities without collecting the sort of sensitive personal information that Optus held, the loss of which has exposed more than 10 million Australians to the risk of identity theft.
Without intervention, the current scheme is on a trajectory to fail. If the government wants to revive the Digital Identity System, it will need to attract state and territory governments and commercial organisations to participate in the system as well as getting the public to sign up—aiming for a critical mass of users to create a ‘network effect’.
However, to build the trust and confidence required to achieve that outcome, the government needs to address three key areas of concern. First, governance arrangements currently give the federal government final decision-making authority on future changes to the rules of the system. Second, there are potential cybersecurity and identity-fraud risks due to gaps in the currently proposed arrangements; although the Optus data breach should help to demonstrate the need for such a system, it means that users will require reassurance of the security of any new system before they’re willing to participate in it. Third, there’s a need for better privacy protections to avoid a situation in which commercial relying parties use the Digital Identity System to build even more valuable profiles of citizens.