‘Attributes’ that could determine regulatory success

Powered By

There is a fine but important distinction between how “personal information” is defined under the Privacy Act (“about an individual”) and its definition in future digital ID legislation. 

It extends the application of the Privacy Act protections regarding the use and disclosure of personal information to “attributes”.

These are defined as any information “associated with an individual” that would otherwise not be covered by the Privacy Act definition of personal information. This includes an individual’s name, address, date of birth, phone number and email.

It also includes information derived from another attribute of that individual, such as their age derived from their date of birth, or confirmation that the person is over a certain age, according to the Digital ID Act’s explanatory memorandum.

Additionally, digital ID providers can’t collect certain attributes of individuals, such as racial or ethnic origin, political opinions, beliefs, affiliations, or sexual orientation or practices, even with the consent of the individuals. Nor can they use personal information for data profiling of individuals’ internet use, or for marketing purposes.

If an organisation such as a department or authority of a state or territory isn’t covered by the Privacy Act, it would have to agree to follow the Australian Privacy Principles in the act to gain accreditation as a digital ID provider.

Alec Christie, a privacy and digital partner at law firm Clyde & Co, welcomes many of the digital ID privacy provisions, such as including entities that aren’t covered by the Privacy Act and expanding the information covered.

He also welcomes the exclusion of information such as religion, political affiliations and sexuality.

But he is concerned about how well they will be applied in practice. “Let’s be honest – we have not had a fantastic track record in this country of 100% compliance or aggressive ‘do it or else’ regulatory involvement,” he says.

The Information Commissioner will be responsible for prosecuting privacy breaches, but a new body formed by the Australian Competition & Consumer Commission will be responsible for the overall regulation of digital ID. This will include the formulation of privacy rules.

“It seems insane to me to put a general practitioner in charge of your heart unit surgery,” Christie says.

An individual wanting a digital ID from myGovID can choose how strong the identification will be, with a ‘strong’ ID requiring a selfie of the individual’s face. This biometric information used for verifying an individual’s identity would be required to be destroyed after the verification or authentication is complete, except if the individual gives express consent to the retention of their biometric information.

Even so, Christie says collecting this and other biometric information, such as fingerprints, comes with risk, albeit small.

“Once your face map is out, the genie’s out of the bottle,” he says. “What are you going to do – get plastic surgery? Once your thumbprint’s gone, are you going to change your thumbprint?”

The stakes are also high for organisations and individuals responsible for a privacy breach, following 2022 amendments to the Privacy Act. An organisation faces a fine of $50 million, three times the benefit of the benefits obtained from the breach or 30% of the organisation’s turnover during the breach period.

Digital ID legislation enables the responsible minister to allow the disclosure of biometric information when consented to by the individual. Digital Rights Watch, a group of academics, human rights lawyers and IT specialists, is concerned that this requirement isn’t sufficiently strenuous.

“We would only consider such a regime to be appropriate where additional and more onerous protections apply, including a fair and reasonable requirement and an obligation placed upon accredited entities that the sharing of a biometric credential be in the best interests of the individual,” it wrote in its submission to the senate inquiry into digital ID.

Digital Rights Watch notes that while a Digital ID Act will allow disclosure of individuals’ information to law enforcement in accordance with the Privacy Act, it strongly opposes “any repurposing of digital ID data or infrastructure for surveillance purposes”.

Individuals ought to be able to voluntarily use a digital ID without any concern that doing so may later be used to enable mass surveillance. Such concerns undermine public trust in these systems. Prohibiting the use of digital ID data from law enforcement purposes is the most effective way to prevent this.

The Office of the Australian Information Commissioner supports the digital ID’s privacy framework. “In applying to all accredited entities, the additional privacy safeguards and notifiable data breach requirements promote a consistent level of privacy protection,” the OAIC says in its submission to the senate inquiry on the bill.

The government is in the midst of introducing the biggest reforms to the 35-year-old Privacy Act in a generation. While the government has endorsed many of the findings of last year’s Privacy Act review, it hasn’t yet legislated the change.

This creates a problem, the Coalition argues in its dissenting senate economics legislation committee report. It argues the digital ID bill should only be passed once the Privacy Act reforms are introduced to Parliament to ensure that privacy, data protections and compliance requirements are consistent and coordinated across various related legislation.

“In order for a digital ID accreditation system to be viable, it must be consistent with existing legislation, particularly with respect to privacy protections and data retention requirements,” the Coalition senators write.

The Australian Banking Association agrees, saying that alignment with the proposed Privacy Act reforms is necessary to ensure the rapid and widespread take-up of the digital ID by individuals and businesses. 

“Without consequential and simultaneous privacy reform, uptake by the private sector will be challenged,” it said.