Commonwealth of Australia Bills Commonwealth of Australia Bills[Index] [Search] [Download] [Related Items] [Help]
This is a Bill, not an Act. For current law, see the Acts databases.
2022-2023
The Parliament of the
Commonwealth of Australia
THE SENATE
Presented and read a first time
Digital ID Bill 2023
No. , 2023
(Finance)
A Bill for an Act to provide for the accreditation of
entities in relation to digital IDs and to establish the
Australian Government Digital ID System, and for
related purposes
No. , 2023
Digital ID Bill 2023
i
Contents
Chapter
1--Introduction
2
Part 1
--
Preliminary
2
1
Short title ................................................................................................ 2
2
Commencement ..................................................................................... 2
3
Objects.................................................................................................... 2
4
Simplified outline of this Act ............................................................... 3
5
Act binds the Crown.............................................................................. 5
6
Extension to external Territories .......................................................... 5
7
Extraterritorial operation ....................................................................... 5
8
Concurrent operation of State and Territory laws ............................... 6
Part 2
--
Interpretation
7
9
Definitions.............................................................................................. 7
10
Meaning of
attribute
of an individual ................................................ 14
11
Meaning of
restricted attribute
of an individual ............................... 15
12
Fit and proper person considerations ................................................. 16
Chapter
2--Accreditation
17
Part 1
--
Introduction
17
13
Simplified outline of this Chapter ...................................................... 17
Part 2
--
Accreditation
18
Division 1
--
Applying for accreditation
18
14
Application for accreditation .............................................................. 18
Division 2
--
Accreditation
19
15
Digital ID Regulator must decide whether to accredit an
entity ..................................................................................................... 19
16
Accreditation is subject to conditions ................................................ 20
17
Conditions on accreditation ................................................................ 21
18
Conditions relating to restricted attributes of individuals ................. 22
19
Requirements before Accreditation Rules impose conditions
relating to restricted attributes or biometric information of
individuals ............................................................................................ 23
20
Variation and revocation of conditions on accreditation .................. 24
21
Applying for variation or revocation of conditions on
accreditation ......................................................................................... 25
22
Notice before changes to conditions on accreditation....................... 25
23
Notice of decision of changes to conditions on accreditation .......... 26
ii
Digital ID Bill 2023
No. , 2023
Division 3
--
Varying, suspending and revoking accreditation
27
24
Varying accreditation .......................................................................... 27
25
Suspension of accreditation ................................................................ 27
26
Revocation of accreditation ................................................................ 30
Division 4
--Minister's directions regarding accreditation
33
27
Minister's directions regarding accreditation
.................................... 33
Division 5
--
Accreditation Rules
34
28
Accreditation Rules ............................................................................. 34
Division 6
--
Other matters relating to accreditation
36
29
Digital IDs must be deactivated on request ....................................... 36
30
Accredited services must be accessible and inclusive ...................... 36
31
Prohibition on holding out that an entity is accredited ..................... 36
Chapter
3--Privacy
37
Part 1
--
Introduction
37
32
Simplified outline of this Chapter ...................................................... 37
33
Chapter applies to accredited entities only to extent entity is
providing accredited services ............................................................. 37
34
APP-equivalent agreements ................................................................ 37
Part 2
--
Privacy
39
Division 1
--
Interaction with the Privacy Act 1988
39
35
Extended meaning of
personal information
in relation to
accredited entities ................................................................................ 39
36
Privacy obligations for non-APP entities ........................................... 39
37
Contraventions of privacy obligations in APP-equivalent
agreements ........................................................................................... 40
38
Contraventions of Division 2 are interferences with privacy ........... 41
39
Notification of eligible data breaches
--
accredited entities
that are APP entities ............................................................................ 42
40
Notification of eligible data breaches
--
accredited entities
that are not APP entities ...................................................................... 42
41
Notification of corresponding data breaches
--
accredited
State or Territory entities that are not APP entities ........................... 43
42
Additional function of the Information Commissioner..................... 43
43
Information Commissioner may share information .......................... 44
Division 2
--
Additional privacy safeguards
45
44
Collection of certain attributes of individuals is prohibited ............. 45
45
Individuals must expressly consent to disclosure of certain
attributes of individuals to relying parties ......................................... 46
No. , 2023
Digital ID Bill 2023
iii
46
Disclosure of restricted attributes of individuals ............................... 46
47
Restricting disclosure of unique identifiers ....................................... 47
48
Restrictions on collecting, using and disclosing biometric
information........................................................................................... 48
49
Authorised collection, use and disclosure of biometric
information of individuals
--
general rules ......................................... 49
50
Accredited entities may collect etc. biometric information for
purposes of government identity documents ..................................... 51
51
Destruction of biometric information of individuals......................... 53
52
Other rules relating to biometric information .................................... 54
53
Data profiling to track online behaviour is prohibited ...................... 54
54
Certain personal information must not be used or disclosed
for prohibited enforcement purposes.................................................. 55
55
Personal information must not be used or disclosed for
prohibited marketing purposes ........................................................... 57
56
Accredited identity exchange providers must not retain
certain attributes of individuals .......................................................... 57
Chapter
4--Australian Government Digital ID
System
59
Part 1
--
Introduction
59
57
Simplified outline of this Chapter ...................................................... 59
Part 2
--
Australian Government Digital ID System
61
Division 1
--
Australian Government Digital ID System
61
58
Digital ID Regulator must oversee and maintain the
Australian Government Digital ID System ........................................ 61
59
Circumstances in which entities may provide or receive
services within the Australian Government Digital ID
System .................................................................................................. 61
Division 2
--
Participating in the Australian Government Digital
ID System
64
60
Phasing-in of participation in the Australian Government
Digital ID System ................................................................................ 64
61
Applying for approval to participate in the Australian
Government Digital ID System .......................................................... 64
62
Approval to participate in the Australian Government Digital
ID System............................................................................................. 65
63
Approval to participate in the Australian Government Digital
ID System is subject to conditions ..................................................... 67
64
Conditions on approval to participate in the Australian
Government Digital ID System .......................................................... 67
iv
Digital ID Bill 2023
No. , 2023
65
Conditions relating to restricted attributes of individuals ................. 70
66
Variation and revocation of conditions .............................................. 72
67
Applying for variation or revocation of conditions on
approval ................................................................................................ 72
68
Notice before changes to conditions on approval.............................. 72
69
Notice of decision of changes of conditions on approval ................. 73
Division 3
--
Varying, suspending and revoking approval to
participate
75
70
Varying approval to participate in the Australian
Government Digital ID System .......................................................... 75
71
Suspension of approval to participate in the Australian
Government Digital ID System .......................................................... 75
72
Revocation of approval to participate in the Australian
Government Digital ID System .......................................................... 78
Division 4
--Minister's directions regarding participation
81
73
Minister's directions regarding participation
..................................... 81
Division 5
--
Other matters relating to the Australian
Government Digital ID System
82
74
Creating and using a digital ID is voluntary ...................................... 82
75
Restriction on collection of restricted attributes of
individuals by participating relying parties ....................................... 83
76
Notice before exemption is revoked................................................... 84
77
Holding etc. information outside Australia........................................ 84
78
Reportable incidents ............................................................................ 85
79
Interoperability .................................................................................... 86
80
Service levels for accredited entities and participating
relying parties ...................................................................................... 88
81
Entities may conduct testing in relation to the Australian
Government Digital ID System .......................................................... 88
82
Use and disclosure of personal information to conduct
testing ................................................................................................... 89
83
Prohibition on holding out that an entity holds an approval ............. 89
Part 3
--
Liability and redress framework
90
Division 1
--
Liability of participating entities
90
84
Accredited entities participating in the Australian
Government Digital ID System protected from liability in
certain circumstances .......................................................................... 90
Division 2
--
Statutory contract
91
85
Statutory contract between entities participating in the
Australian Government Digital ID System ........................................ 91
No. , 2023
Digital ID Bill 2023
v
86
Participating entities to maintain insurance as directed by the
Digital ID Regulator ............................................................................ 92
87
Dispute resolution procedures ............................................................ 93
Division 3
--
Redress framework
94
88
Redress framework .............................................................................. 94
Chapter
5--Digital ID Regulator
95
Part 1
--
Introduction
95
89
Simplified outline of this Chapter ...................................................... 95
Part 2
--
Digital ID Regulator
96
90
Digital ID Regulator ............................................................................ 96
91
Functions of the Digital ID Regulator................................................ 96
92
Powers of the Digital ID Regulator .................................................... 97
Chapter
6--System Administrator
98
Part 1
--
Introduction
98
93
Simplified outline of this Chapter ...................................................... 98
Part 2
--
System Administrator
99
94
System Administrator.......................................................................... 99
95
Functions of the System Administrator ............................................. 99
96
Powers of the System Administrator................................................ 100
97
Directions to the System Administrator ........................................... 100
Chapter
7--Digital ID Data Standards
101
Part 1
--
Introduction
101
98
Simplified outline of this Chapter .................................................... 101
Part 2
--
Digital ID Data Standards
102
99
Digital ID Data Standards ................................................................. 102
100
Requirement to consult before making ............................................ 102
Part 3
--
Digital ID Data Standards Chair
104
Division 1
--
Establishment and functions of the Digital ID Data
Standards Chair
104
101
Digital ID Data Standards Chair....................................................... 104
102
Functions of the Digital ID Data Standards Chair .......................... 104
103
Powers of the Digital ID Data Standards Chair............................... 104
104
Directions to the Digital ID Data Standards Chair .......................... 104
vi
Digital ID Bill 2023
No. , 2023
Division 2
--
Appointment of the Digital ID Data Standards
Chair
106
105
Appointment ...................................................................................... 106
106
Term of appointment ......................................................................... 106
107
Acting appointments ......................................................................... 106
108
Application of the finance law etc.................................................... 107
Division 3
--
Terms and conditions for the Digital ID Data
Standards Chair
108
109
Remuneration..................................................................................... 108
110
Leave of absence ............................................................................... 108
111
Outside work ...................................................................................... 109
112
Resignation of appointment .............................................................. 109
113
Termination of appointment ............................................................. 109
114
Other terms and conditions ............................................................... 110
Division 4
--
Other matters
111
115
Arrangements relating to staff .......................................................... 111
Chapter
8--Trustmarks and registers
112
Part 1
--
Introduction
112
116
Simplified outline of this Chapter .................................................... 112
Part 2
--
Digital ID trustmarks
113
117
Digital ID trustmarks......................................................................... 113
118
Authorised use of digital ID trustmarks etc. .................................... 113
119
Displaying digital ID trustmark ........................................................ 114
Part 3
--
Registers
115
120
Digital ID Accredited Entities Register ........................................... 115
121
AGDIS Register................................................................................. 116
Chapter
9--Administration
118
Part 1
--
Introduction
118
122
Simplified outline of this Chapter .................................................... 118
Part 2
--
Compliance and enforcement
120
Division 1
--
Enforcement powers
120
123
Civil penalty provisions .................................................................... 120
124
Infringement notices.......................................................................... 121
125
Enforceable undertakings.................................................................. 121
126
Injunctions.......................................................................................... 122
No. , 2023
Digital ID Bill 2023
vii
Division 2
--
Directions powers
124
Subdivision A
--Digital ID Regulator's directions powers
124
127
Digital ID Regulator's power to give directions to entities in
relation to accreditation and participation........................................ 124
128
Digital ID Regulator's power to give directions to protect the
integrity or performance of the Australian Government
Digital ID System .............................................................................. 125
129
Remedial directions to accredited entities etc. ................................ 126
Subdivision B
--System Administrator's directions powers
127
130
System Administrator's power to give directions to protect
the integrity or performance of the Australian Government
Digital ID System .............................................................................. 127
Division 3
--
Compliance assessments
129
131
Compliance assessments ................................................................... 129
132
Entities must provide assistance to persons undertaking
compliance assessments .................................................................... 130
Division 4
--
Power to require information or documents
131
133
Digital ID Regulator's power to require information or
documents .......................................................................................... 131
134
System Administrator's power to require information or
documents .......................................................................................... 132
Part 3
--
Record keeping
133
135
Record keeping by participating entities and former
participating entities .......................................................................... 133
136
Destruction or de-identification of certain information .................. 133
Part 4
--
Review of decisions
135
137
Reviewable decisions ........................................................................ 135
138
Internal review of decisions .............................................................. 138
139
Reconsideration by decision-maker ................................................. 139
140
Review by the Administrative Appeals Tribunal ............................ 139
Part 5
--
Applications under this Act
140
141
Requirements for applications .......................................................... 140
142
Powers in relation to applications .................................................... 140
143
Decisions not required to be made in certain circumstances .......... 141
Part 6
--
Fees
142
Division 1
--
Fees charged by the Digital ID Regulator
142
144
Charging of fees by Digital ID Regulator etc. ................................. 142
145
Review of fees ................................................................................... 143
viii
Digital ID Bill 2023
No. , 2023
146
Recovery of fees charged by the Digital ID Regulator ................... 143
147
Commonwealth not liable to pay fees charged by entities that
are part of the Commonwealth ......................................................... 143
Division 2
--
Fees charged by accredited entities
145
148
Charging of fees by accredited entities in relation to the
Australian Government Digital ID System ...................................... 145
Chapter
10--Other matters
146
Part 1
--
Introduction
146
149
Simplified outline of this Chapter .................................................... 146
Part 2
--
Advisory committees
147
150
Advisory committees ........................................................................ 147
Part 3
--
Confidentiality
148
151
Prohibition on entrusted persons using or disclosing certain
kinds of protected information ......................................................... 148
152
Authorised uses and disclosures of protected information by
entrusted persons ............................................................................... 149
153
Disclosing personal or commercially sensitive information to
courts and tribunals etc. by entrusted persons ................................. 150
Part 4
--
Other matters
151
154
Annual report by the Digital ID Regulator ...................................... 151
155
Annual report by Information Commissioner.................................. 151
156
How this Act applies in relation to non-legal persons .................... 152
157
Attributing conduct to the Commonwealth, States and
Territories etc. .................................................................................... 153
158
Bodies corporate and due diligence ................................................. 154
159
Protection from civil action .............................................................. 155
160
Geographical jurisdiction of civil penalty provisions ..................... 155
161
Interaction with tax file number offences ........................................ 158
162
Review of operation of Act ............................................................... 158
163
Delegation
--
Minister ........................................................................ 159
164
Delegation
--
Digital ID Regulator ................................................... 159
165
Delegation
--
System Administrator ................................................. 160
166
Delegation
--
Digital ID Data Standards Chair ................................ 160
167
Instruments may incorporate etc. material as in force or
existing from time to time ................................................................. 160
168
Rules
--
general matters ..................................................................... 161
169
Rules
--
requirement to consult ......................................................... 162
No. , 2023
Digital ID Bill 2023
1
A Bill for an Act to provide for the accreditation of
1
entities in relation to digital IDs and to establish the
2
Australian Government Digital ID System, and for
3
related purposes
4
The Parliament of Australia enacts:
5
Chapter 1
Introduction
Part 1
Preliminary
Section 1
2
Digital ID Bill 2023
No. , 2023
Chapter
1--Introduction
1
Part
1--Preliminary
2
3
1 Short title
4
This Act is the
Digital ID Act 2023
.
5
2 Commencement
6
(1) Each provision of this Act specified in column 1 of the table
7
commences, or is taken to have commenced, in accordance with
8
column 2 of the table. Any other statement in column 2 has effect
9
according to its terms.
10
11
Commencement information
Column 1
Column 2
Column 3
Provisions
Commencement
Date/Details
1. The whole of
the Act
A single day to be fixed by Proclamation.
However, if the provisions do not commence
within the period of 6 months beginning on
the day this Act receives the Royal Assent,
they commence on the day after the end of
that period.
Note:
This table relates only to the provisions of this Act as originally
12
enacted. It will not be amended to deal with any later amendments of
13
this Act.
14
(2) Any information in column 3 of the table is not part of this Act.
15
Information may be inserted in this column, or information in it
16
may be edited, in any published version of this Act.
17
3 Objects
18
(1) The objects of this Act are as follows:
19
Introduction
Chapter 1
Preliminary
Part 1
Section 4
No. , 2023
Digital ID Bill 2023
3
(a) to provide individuals with secure, convenient, voluntary and
1
inclusive ways to verify their identity in online transactions
2
with government and businesses;
3
(b) to promote privacy and the security of personal information
4
used to verify the identity or attributes of individuals;
5
(c) to facilitate economic benefits for, and reduce burdens on, the
6
Australian economy by encouraging the use of digital IDs
7
and online services;
8
(d) to promote trust in digital ID services amongst the Australian
9
community.
10
(2) These objects are to be achieved by:
11
(a) establishing an accreditation scheme for entities providing
12
digital ID services; and
13
(b) providing additional privacy safeguards for the provision of
14
accredited digital ID services; and
15
(c) establishing an Australian Government Digital ID System
16
that is secure, easy to use, voluntary, accessible, inclusive
17
and reliable; and
18
(d) strengthening the oversight and regulation of:
19
(i) accredited digital ID service providers; and
20
(ii) entities participating in the Australian Government
21
Digital ID System; and
22
(iii) the integrity and performance of the Australian
23
Government Digital ID System.
24
4 Simplified outline of this Act
25
This Act establishes an accreditation scheme for entities providing
26
digital ID services. The Digital ID Regulator (which is the
27
Australian Competition and Consumer Commission) may, on
28
application, accredit certain kinds of entities as accredited attribute
29
service providers, accredited identity exchange providers,
30
accredited identity service providers or entities that provide, or
31
propose to provide, services of a kind prescribed by the
32
Accreditation Rules.
33
Chapter 1
Introduction
Part 1
Preliminary
Section 4
4
Digital ID Bill 2023
No. , 2023
When providing accredited services, accredited entities must
1
comply with certain privacy safeguards. These safeguards are in
2
addition to, and build on, the safeguards contained in the
Privacy
3
Act 1988
. An accredited entity may be liable to a civil penalty if
4
certain privacy safeguards are breached.
5
The Digital ID Regulator oversees and maintains the Australian
6
Government Digital ID System. Certain kinds of accredited entities
7
can apply to the Digital ID Regulator to participate in the system.
8
Certain kinds of relying parties can also apply for approval to
9
participate in the system. If a relying party holds an approval, it is
10
known as a participating relying party.
11
There is a System Administrator whose functions include
12
providing assistance to entities participating in the Australian
13
Government Digital ID System and managing the availability of
14
the Australian Government Digital ID System.
15
The Digital ID Standards Chair may make Digital ID Data
16
Standards about various matters, including technical integration
17
requirements for entities to participate in the Australian
18
Government Digital ID System and, if required to do so by the
19
Accreditation Rules or the Digital ID Rules, technical, data or
20
design standards relating to accreditation.
21
The Digital ID Rules may set out marks, symbols, logos or designs
22
(called digital ID trustmarks) that may or must be used by
23
accredited entities and participating relying parties.
24
The Digital ID Regulator must establish and maintain the Digital
25
ID Accredited Entities Register and the AGDIS Register.
26
The Digital ID Regulator and the Information Commissioner may
27
take enforcement action against accredited entities and other
28
entities. The Digital ID Regulator can give directions regarding
29
accreditation and participation in the Australian Government
30
Digital ID System or require entities to undergo compliance
31
assessments or produce information or documents. The System
32
Administrator can also give directions to entities regarding
33
Introduction
Chapter 1
Preliminary
Part 1
Section 5
No. , 2023
Digital ID Bill 2023
5
participation in the Australian Government Digital ID System and
1
require entities to produce information or documents.
2
Accredited entities that hold or held an approval to participate in
3
the Australian Government Digital ID System have certain
4
record-keeping responsibilities and are required to destroy or
5
de-identify certain information in the possession or control of the
6
entity.
7
Entities can apply for merits review of certain decisions made
8
under this Act.
9
This Act also deals with other administrative matters such as
10
annual reports and delegations.
11
5 Act binds the Crown
12
This Act binds the Crown in each of its capacities.
13
6 Extension to external Territories
14
This Act extends to every external Territory.
15
7 Extraterritorial operation
16
(1) This Act extends to acts, omissions, matters and things outside
17
Australia.
18
Note:
Geographical jurisdiction for civil penalty provisions is dealt with in
19
section 160.
20
(2) This Act has effect in relation to acts, omissions, matters and
21
things outside Australia subject to:
22
(a) the obligations of Australia under international law, including
23
obligations under any international agreement binding on
24
Australia; and
25
(b) any law of the Commonwealth giving effect to such an
26
agreement.
27
Chapter 1
Introduction
Part 1
Preliminary
Section 8
6
Digital ID Bill 2023
No. , 2023
8 Concurrent operation of State and Territory laws
1
This Act is not intended to exclude or limit the operation of a law
2
of a State or Territory that is capable of operating concurrently
3
with this Act.
4
Introduction
Chapter 1
Interpretation
Part 2
Section 9
No. , 2023
Digital ID Bill 2023
7
Part
2--Interpretation
1
2
9 Definitions
3
In this Act:
4
Accreditation Rules
means rules made under section 168 for the
5
purposes of the provisions in which the term occurs.
6
accredited attribute service provider
means an attribute service
7
provider that is accredited under section 15 as an accredited
8
attribute service provider.
9
accredited entity
: each of the following is an accredited entity:
10
(a) an accredited attribute service provider;
11
(b) an accredited identity exchange provider;
12
(c) an accredited identity service provider;
13
(d) if Accreditation Rules are made for the purposes of
14
paragraph 14(1)(d)
--
an entity that is accredited to provide
15
services of a kind prescribed by the Accreditation Rules for
16
the purposes of that paragraph.
17
accredited identity exchange provider
means an identity exchange
18
provider that is accredited under section 15 as an accredited
19
identity exchange provider.
20
accredited identity service provider
means an identity service
21
provider that is accredited under section 15 as an accredited
22
identity service provider.
23
accredited service
, of an accredited entity, means the services
24
provided, or proposed to be provided, by the entity in the entity's
25
capacity as a particular kind of accredited entity.
26
Note:
Conditions may be imposed on an entity's accredited service
s,
27
including specifying the manner in which such services must be
28
provided or excluding specific services from the entity's accreditation
29
altogether (see section 17).
30
Example: Acme Co is an accredited identity service provider. Under its
31
conditions of accreditation, its accredited service is generating,
32
Chapter 1
Introduction
Part 2
Interpretation
Section 9
8
Digital ID Bill 2023
No. , 2023
managing, maintaining and verifying information relating to the
1
identity of an individual. Its conditions exclude from its accreditation
2
the provision of the following services:
3
(a) generating, binding, managing and distributing authenticators to
4
an individual;
5
(b) binding, managing and distributing authenticators generated by
6
an individual.
7
adverse or qualified security assessment
means an adverse
8
security assessment, or a qualified security assessment, within the
9
meaning of Part IV of the
Australian Security Intelligence
10
Organisation Act 1979
.
11
affected entity
: see section 137.
12
AGDIS Register
means the register kept under section 121.
13
APP entity
has the same meaning as in the
Privacy Act 1988
.
14
APP-equivalent agreement
: see section 34.
15
attribute
of an individual: see section 10.
16
attribute service provider
means an entity that provides, or
17
proposes to provide, a service that verifies and manages an
18
attribute of an individual.
19
Australia
when used in a geographical sense, includes the external
20
Territories.
21
Australian entity
means any of the following:
22
(a) an Australian citizen or a permanent resident of Australia;
23
(b) a body corporate incorporated by or under a law of the
24
Commonwealth or a State or Territory;
25
(c) a Commonwealth entity, or a Commonwealth company,
26
within the meaning of the
Public Governance, Performance
27
and Accountability Act 2013
;
28
(d) a person or body that is an agency within the meaning of the
29
Freedom of Information Act 1982
;
30
(e) a body specified, or the person holding an office specified, in
31
Part I of Schedule 2 to the
Freedom of Information Act 1982
;
32
(f) a department or authority of a State;
33
Introduction
Chapter 1
Interpretation
Part 2
Section 9
No. , 2023
Digital ID Bill 2023
9
(g) a department or authority of a Territory;
1
(h) a partnership formed in Australia;
2
(i) a trust created in Australia;
3
(j) an unincorporated association that:
4
(i) has a governing body; and
5
(ii) has its central management or control in Australia.
6
Australian Government Digital ID System
: see subsection 58(2).
7
authenticator
means the technology for authenticating an
8
individual's
digital ID.
9
Note:
Passwords and cryptographic keys are examples of authenticators.
10
biometric information
of an individual:
11
(a) means information about any measurable biological
12
characteristic relating to an individual that could be used to
13
identify the individual or verify the individual's identity; and
14
(b) includes biometric templates.
15
civil penalty provision
has the same meaning as in the Regulatory
16
Powers Act.
17
compliance assessment
: see section 131.
18
cyber security incident
means one or more acts, events or
19
circumstances that involve:
20
(a) unauthorised access to, modification of or interference with a
21
system, service or network; or
22
(b) an unauthorised attempt to gain access to, modify or interfere
23
with a system, service or network; or
24
(c) unauthorised impairment of the availability, reliability,
25
security or operation of a system, service or network; or
26
(d) an unauthorised attempt to impair the availability, reliability,
27
security or operation of a system, service or network.
28
decision-maker
for a reviewable decision means:
29
(a) for a decision under section 27 or 73
--
the Minister; or
30
(b) for a decision under section 130
--
the System Administrator;
31
or
32
Chapter 1
Introduction
Part 2
Interpretation
Section 9
10
Digital ID Bill 2023
No. , 2023
(c) otherwise
--
the Digital ID Regulator.
1
digital ID
of an individual means a distinct electronic
2
representation of the individual that enables the individual to be
3
sufficiently distinguished when interacting online with services.
4
Digital ID Accredited Entities Register
means the register kept
5
under section 120.
6
Digital ID Data Standards
means the standards made under
7
section 99.
8
Digital ID Data Standards Chair
means:
9
(a) if a person holds an appointment under section 105
--
that
10
person; or
11
(b) otherwise
--
the Minister.
12
digital ID fraud incident
means an act, event or circumstance that:
13
(a) occurs in connection with:
14
(i) an accredited service of an accredited entity; or
15
(ii) a service that a participating relying party is approved to
16
provide, or provide access to, within the Australian
17
Government Digital ID System; and
18
(b) results in any of the following being, or suspected of being,
19
compromised or rendered unreliable:
20
(i) a digital ID of an individual;
21
(ii) an attribute of an individual;
22
(iii) an authenticator relating to an individual;
23
(iv) a representation relating to an attribute of an individual;
24
(v) a representation relating to a digital ID of an individual.
25
Digital ID Regulator
: see section 90.
26
Digital ID Rules
means the rules made under section 168 for the
27
purposes of the provisions in which the term occurs.
28
digital ID system
means a federation of entities that facilitates,
29
manages or relies on services that provide for either or both of the
30
following in an online environment:
31
(a) the verification of the identity of individuals;
32
Introduction
Chapter 1
Interpretation
Part 2
Section 9
No. , 2023
Digital ID Bill 2023
11
(b) the authentication of a digital ID of, or information
1
associated with, individuals.
2
Note:
Entities in the federation may include one or more relying parties,
3
identity exchanges, identity service providers, attribute service
4
providers and other kinds of service providers.
5
digital ID trustmark
: see subsection 117(2).
6
enforcement body
has the same meaning as in the
Privacy Act
7
1988
.
8
enforcement related activity
has the same meaning as in the
9
Privacy Act 1988
.
10
entity
means any of the following:
11
(a) an individual;
12
(b) a body corporate;
13
(c) a Commonwealth entity, or a Commonwealth company,
14
within the meaning of the
Public Governance, Performance
15
and Accountability Act 2013
;
16
(d) a person or body that is an agency within the meaning of the
17
Freedom of Information Act 1982
;
18
(e) a body specified, or the person holding an office specified, in
19
Part I of Schedule 2 to the
Freedom of Information Act 1982
;
20
(f) a department or authority of a State;
21
(g) a department or authority of a Territory;
22
(h) a partnership;
23
(i) an unincorporated association that has a governing body;
24
(j) a trust.
25
entrusted person
: see subsection 151(2).
26
identity exchange provider
means an entity that provides, or
27
proposes to provide, a service that conveys, manages and
28
coordinates the flow of data or other information between
29
participants in a digital ID system.
30
identity service provider
means an entity that provides, or proposes
31
to provide, a service that:
32
Chapter 1
Introduction
Part 2
Interpretation
Section 9
12
Digital ID Bill 2023
No. , 2023
(a) generates, manages, maintains or verifies information
1
relating to the identity of an individual; and
2
(b) generates, binds, manages or distributes authenticators to an
3
individual; and
4
(c) binds, manages or distributes authenticators generated by an
5
individual.
6
one-to-many matching
: see subsection 48(4).
7
paid work
means work for financial gain or reward (whether as an
8
employee, a self-employed person or otherwise).
9
participate
: an entity
participates
in the Australian Government
10
Digital ID System at a particular time if, at that time:
11
(a) the entity holds an approval under section 62 to participate in
12
the system; and
13
(b) either:
14
(i) the entity is directly connected to an accredited entity
15
that is participating in the Australian Government
16
Digital ID System; or
17
(ii) the entity is an accredited entity that is directly
18
connected to a participating relying party.
19
participating relying party
: a relying party is a
participating
20
relying party
if:
21
(a) the relying party holds an approval under section 62 to
22
participate in the Australian Government Digital ID System;
23
and
24
(b) the participation start day for the relying party has arrived or
25
passed.
26
participation start day
for an entity means the day notified to the
27
entity by the Digital ID Regulator for the purposes of
28
paragraph 62(6)(d) as the day on which the entity must begin to
29
participate in the Australian Government Digital ID System.
30
personal information
:
31
(a) means information or an opinion about an identified
32
individual, or an individual who is reasonably identifiable:
33
(i) whether the information or opinion is true or not; and
34
Introduction
Chapter 1
Interpretation
Part 2
Section 9
No. , 2023
Digital ID Bill 2023
13
(ii) whether the information or opinion is recorded in a
1
material form or not; and
2
(b) to the extent not already covered by paragraph (a), includes
3
an attribute of an individual.
4
privacy impact assessment
has the meaning given by
5
subsection 33D(3) of the
Privacy Act 1988
.
6
protected information
: see subsection 151(4).
7
Regulatory Powers Act
means the
Regulatory Powers (Standard
8
Provisions) Act 2014
.
9
relying party
means an entity that relies, or seeks to rely, on an
10
attribute of an individual that is provided by an accredited entity to:
11
(a) provide a service to the individual; or
12
(b) enable the individual to access a service.
13
restricted attribute
of an individual: see section 11.
14
reviewable decision
: see section 137.
15
Secretary
means the Secretary of the Department.
16
security
, other than in the following provisions, has its ordinary
17
meaning:
18
(a) subsection 27(1);
19
(b) subsection 73(1);
20
(c) subsection 137(3).
21
shielded person
means a person to whom one or more of the
22
following paragraphs apply:
23
(a) the person has acquired or used an assumed identity under
24
Part IAC of the
Crimes Act 1914
or a corresponding assumed
25
identity law within the meaning of that Part;
26
(b) an authority for the person to acquire or use an assumed
27
identity has been granted under that Part or such a law;
28
(c) a witness identity protection certificate has been given for the
29
person under Part IACA of the
Crimes Act 1914
;
30
(d) a corresponding witness identity protection certificate has
31
been given for the person under a corresponding witness
32
Chapter 1
Introduction
Part 2
Interpretation
Section 10
14
Digital ID Bill 2023
No. , 2023
identity protection law within the meaning of Part IACA of
1
the
Crimes Act 1914
;
2
(e) the person is a participant as defined in the
Witness
3
Protection Act 1994
;
4
(f) the person is or was on a witness protection program
5
conducted by a State or Territory in which a complementary
6
witness protection law (as defined in the
Witness Protection
7
Act 1994
) is in force;
8
(g) the person is involved in administering such a program under
9
such a law and the person has acquired an identity under that
10
law.
11
State or Territory privacy authority
means a State or Territory
12
authority (within the meaning of the
Privacy Act 1988
) that has
13
functions to protect the privacy of individuals (whether or not the
14
authority has other functions).
15
System Administrator
: see section 94.
16
this Act
includes:
17
(a) the Accreditation Rules; and
18
(b) the Digital ID Data Standards; and
19
(c) the Digital ID Rules; and
20
(d) the service levels determined under section 80; and
21
(e) the Regulatory Powers Act as it applies in relation to this
22
Act.
23
verifiable credential
means a tamper-evident credential with
24
authorship that can be cryptographically verified.
25
10 Meaning of
attribute
of an individual
26
(1) An
attribute
of an individual means information that is associated
27
with the individual, and includes information that is derived from
28
another attribute.
29
(2) Without limiting subsection (1), an
attribute
of an individual
30
includes the following:
31
(a)
the individual's current or former name;
32
Introduction
Chapter 1
Interpretation
Part 2
Section 11
No. , 2023
Digital ID Bill 2023
15
(b)
the individual's current or former
address;
1
(c)
the individual's date of birth;
2
(d) information about whether the individual is alive or dead;
3
(e)
the individual's phone number;
4
(f)
the individual's email address;
5
(g) if the individual has a digital ID
--
the time and date the
6
digital ID was created;
7
(h) biometric information of the individual;
8
(i) a restricted attribute of the individual;
9
(j)
information or an opinion about the individual's:
10
(i) racial or ethnic origin; or
11
(ii) political opinions; or
12
(iii) membership of a political association; or
13
(iv) religious beliefs or affiliations; or
14
(v) philosophical beliefs; or
15
(vi) sexual orientation or practices.
16
11 Meaning of
restricted attribute
of an individual
17
(1) A
restricted attribute
of an individual means:
18
(a) health information (within the meaning of the
Privacy Act
19
1988
) about the individual; or
20
(b) an identifier of the individual that has been issued or assigned
21
by or on behalf of:
22
(i) the Commonwealth, a State or a Territory; or
23
(ii) an authority or agency of the Commonwealth, a State or
24
a Territory; or
25
(iii) a government of a foreign country; or
26
(c) information or an opinion about the individual
'
s criminal
27
record; or
28
(d) information or an opinion about the
individual's membership
29
of a professional or trade association; or
30
(e) information or an opinion about the
individual's membership
31
of a trade union; or
32
(f) other information or opinion that is associated with an
33
individual and is prescribed by the Accreditation Rules.
34
Chapter 1
Introduction
Part 2
Interpretation
Section 12
16
Digital ID Bill 2023
No. , 2023
(2) Without limiting paragraph (1)(b), an identifier of an individual
1
includes the following:
2
(a)
the individual's tax file number (within the meaning of
3
section 202A of the
Income Tax Assessment Act 1936
);
4
(b)
the individual's medicare number (within the meaning of
5
Part VII of the
National Health Act 1953
);
6
(c)
the individual's healthcare identifier (within the meaning of
7
the
Healthcare Identifiers Act 2010
);
8
(d)
if the person holds a driver's licence issued under the law of
9
a State or Territory
--the number of that driver's licence.
10
12 Fit and proper person considerations
11
In having regard to whether an entity is a fit and proper person for
12
the purposes of this Act, the Digital ID Regulator:
13
(a) must have regard to the matters (if any) specified in the
14
Digital ID Rules; and
15
(b) may have regard to any other matters the Digital ID
16
Regulator considers relevant.
17
Accreditation
Chapter 2
Introduction
Part 1
Section 13
No. , 2023
Digital ID Bill 2023
17
Chapter
2--Accreditation
1
Part
1--Introduction
2
3
13 Simplified outline of this Chapter
4
The Digital ID Regulator may, on application, accredit certain
5
kinds of entities as accredited attribute service providers,
6
accredited identity exchange providers, accredited identity service
7
providers or entities that provide, or propose to provide, services of
8
a kind prescribed by the Accreditation Rules.
9
An
entity's accreditation is subject to conditions.
Some conditions
10
are imposed by the Act and others may be imposed by the Digital
11
ID Regulator or the Accreditation Rules. Conditions may include
12
restrictions relating to the services an entity is accredited to
13
provide, the manner in which those services must be provided and
14
the kinds of restricted attributes of individuals an entity is
15
authorised to collect or disclose.
16
The conditions imposed by the Digital ID Regulator on an entity's
17
accreditation, and the entity's accreditation itself, can be varied or
18
revoked. Accreditation can also be suspended.
19
The Minister may give directions to the Digital ID Regulator
20
regarding the accreditation of an entity if, for reasons of security,
21
the Minister considers it appropriate to do so. The Digital ID
22
Regulator must comply with such directions.
23
An accredited entity must deactivate a digital ID of an individual if
24
requested to do so, and must comply with requirements relating to
25
the accessibility and useability of accredited services that are
26
prescribed by the Accreditation Rules.
27
Chapter 2
Accreditation
Part 2
Accreditation
Division 1
Applying for accreditation
Section 14
18
Digital ID Bill 2023
No. , 2023
Part
2--Accreditation
1
Division
1--Applying for accreditation
2
14 Application for accreditation
3
(1) An entity covered by subsection (2) may apply to the Digital ID
4
Regulator for accreditation as one or more of the following kinds
5
of accredited entities:
6
(a) an accredited attribute service provider;
7
(b) an accredited identity exchange provider;
8
(c) an accredited identity service provider;
9
(d) an entity that provides, or proposes to provide, a service of a
10
kind prescribed by the Accreditation Rules.
11
(2) An entity is covered by this section if the entity is one of the
12
following:
13
(a) a body corporate incorporated by or under a law of the
14
Commonwealth or a State or Territory;
15
(b) a registered foreign company within the meaning of the
16
Corporations Act 2001
;
17
(c) a Commonwealth entity, or a Commonwealth company,
18
within the meaning of the
Public Governance, Performance
19
and Accountability Act 2013
;
20
(d) a person or body that is an agency within the meaning of the
21
Freedom of Information Act 1982
;
22
(e) a body specified, or the person holding an office specified, in
23
Part I of Schedule 2 to the
Freedom of Information Act 1982
;
24
(f) a department or authority of a State;
25
(g) a department or authority of a Territory.
26
Accreditation
Chapter 2
Accreditation
Part 2
Accreditation
Division 2
Section 15
No. , 2023
Digital ID Bill 2023
19
Division
2--Accreditation
1
15 Digital ID Regulator must decide whether to accredit an entity
2
(1) This section applies if an entity has made an application under
3
section 14 for accreditation as an accredited entity.
4
(2) The Digital ID Regulator must decide:
5
(a) to accredit the entity; or
6
(b) to refuse to accredit the entity.
7
(3) The Digital ID Regulator must not accredit an entity:
8
(a) as an accredited attribute service provider unless the entity
9
provides, or will provide, some or all of the services
10
described in the definition of attribute service provider; or
11
(b) as an accredited identity exchange provider unless the entity
12
provides, or will provide, some or all of the services
13
described in the definition of identity exchange provider; or
14
(c) as an accredited identity service provider unless the entity
15
provides, or will provide, some or all of the services
16
described in the definition of identity service provider; or
17
(d) if Accreditation Rules made for the purposes of
18
paragraph 14(1)(d) prescribe services
--
as an entity that
19
provides services of the kind prescribed unless the entity
20
provides, or will provide, some or all of the services of that
21
kind.
22
(4) The Digital ID Regulator must not accredit an entity if:
23
(a) a direction under subsection 27(1) (about security) directing
24
the Digital ID Regulator to refuse to accredit the entity is in
25
force; or
26
(b) the Digital ID Regulator is not satisfied that the entity is able
27
to comply with this Act; or
28
(c) Accreditation Rules made for the purposes of section 28
29
require specified criteria to be met and the entity does not
30
meet the criteria; or
31
(d) Accreditation Rules made for the purposes of section 28
32
require the Digital ID Regulator to be satisfied of specified
33
Chapter 2
Accreditation
Part 2
Accreditation
Division 2
Accreditation
Section 16
20
Digital ID Bill 2023
No. , 2023
matters and the Digital ID Regulator is not satisfied of those
1
matters.
2
(5) In deciding whether to accredit the entity, the Digital ID Regulator:
3
(a) must have regard to the matters (if any) prescribed by the
4
Accreditation Rules; and
5
(b) may have regard to the following:
6
(i) whether the entity is a fit and proper person;
7
(ii) any other matters the Digital ID Regulator considers
8
relevant.
9
Note:
In having regard to whether an entity is a fit and proper person for the
10
purposes of subparagraph (b)(i), the Digital ID Regulator must have
11
regard to any matters specified in the Digital ID Rules and may have
12
regard to any other matters considered relevant (see section 12).
13
(6) The Digital ID Regulator must:
14
(a) give written notice of a decision to accredit, or to refuse to
15
accredit, the entity; and
16
(b) if the decision is to refuse to accredit the entity
--
give reasons
17
for the decision to the entity.
18
(7) If the Digital ID Regulator decides to accredit the entity, the notice
19
must also set out the following:
20
(a) the kind or kinds of accredited entity that the entity is
21
accredited as;
22
(b) the day the accreditation comes into force;
23
(c)
any conditions imposed on the entity's accreditation under
24
subsection 17(2).
25
16 Accreditation is subject to conditions
26
(1) The accreditation of an entity as an accredited entity is subject to
27
the following conditions (the
accreditation conditions
):
28
(a) the conditions set out in subsection 17(1);
29
(b) the conditions (if any) imposed by the Digital ID Regulator
30
under subsection 17(2), including as varied under
31
subsection 20(1);
32
(c) the conditions (if any) determined by the Accreditation Rules
33
under subsection 17(5).
34
Accreditation
Chapter 2
Accreditation
Part 2
Accreditation
Division 2
Section 17
No. , 2023
Digital ID Bill 2023
21
(2) An accredited entity must comply with the accreditation conditions
1
that apply to the entity.
2
Note:
Failure to comply with an accreditation condition may result in a
3
suspension or revocation of the entity'
s accreditation (see sections 25
4
and 26).
5
17 Conditions on accreditation
6
Conditions imposed by the Act
7
(1) The accreditation of an entity as an accredited entity is subject to
8
the condition that the accredited entity must comply with this Act.
9
Conditions imposed by the Digital ID Regulator
10
(2) The Digital ID Regulator:
11
(a) may impose conditions on the accreditation of an entity,
12
either at the time of accreditation or at a later time, if the
13
Digital ID Regulator considers that doing so is appropriate in
14
the circumstances; and
15
(b) must impose conditions on the accreditation of an entity,
16
either at the time of accreditation or at a later time, if directed
17
to do so under subsection 27(1).
18
(3) Conditions may be imposed under paragraph (2)(a) on application
19
by the entity or on the Digital ID Regulator's own initiative.
20
(4) Without limiting paragraph (2)(a), the Digital ID Regulator may
21
impose conditions relating to the following:
22
(a) any limitations, exclusions or restrictions in relation to the
23
accredited services of the entity;
24
(b) the circumstances or manner in which the accredited services
25
of the entity must be provided;
26
(c) the kinds of restricted attributes of individuals (if any) that
27
the entity is authorised to collect or disclose and the
28
circumstances in which such attributes may be collected or
29
disclosed;
30
(d) the kinds of restricted attributes of individuals (if any) that
31
the entity must not collect;
32
Chapter 2
Accreditation
Part 2
Accreditation
Division 2
Accreditation
Section 18
22
Digital ID Bill 2023
No. , 2023
(e) the kinds of biometric information (if any) of an individual
1
the entity is authorised to collect, use or disclose and the
2
circumstances in which such information may be collected,
3
used or disclosed;
4
(f)
the entity's information technology systems
through which
5
the entity's accredited services are provided
, including
6
restrictions on changes to such systems;
7
(g)
actions that the entity must take before the entity's
8
accreditation is suspended or revoked.
9
Conditions imposed by the Accreditation Rules
10
(5) The Accreditation Rules may determine that the accreditation of
11
each accredited entity, or each accredited entity included in a
12
specified class, is subject to specified conditions.
13
(6) Without limiting subsection (5), the Accreditation Rules may
14
impose conditions relating to the matters in subsection (4).
15
18 Conditions relating to restricted attributes of individuals
16
Matters to which the Digital ID Regulator must have regard before
17
authorising disclosure etc. of restricted attributes
18
(1) Subsection (2) applies if the Digital ID Regulator proposes to
19
impose a condition on an entity's
accreditation authorising the
20
entity to collect or disclose a restricted attribute of an individual.
21
(2) In deciding whether to impose the condition, the Digital ID
22
Regulator must have regard to the following matters:
23
(a) whether the entity has provided sufficient justification for the
24
need to collect or disclose the restricted attribute;
25
(b) whether the entity has demonstrated that a similar outcome
26
cannot be achieved without collecting or disclosing the
27
restricted attribute;
28
(c) if the collection or disclosure of the restricted attribute is
29
regulated by other legislative or regulatory requirements
--
30
whether the entity would be able to comply with those
31
requirements if the condition were imposed;
32
Accreditation
Chapter 2
Accreditation
Part 2
Accreditation
Division 2
Section 19
No. , 2023
Digital ID Bill 2023
23
(d) the potential harm that could result if restricted attributes of
1
that kind were disclosed to an entity that was not authorised
2
to collect them;
3
(e) community expectations as to whether restricted attributes of
4
that kind should be handled more securely than other kinds of
5
attributes;
6
(f) any of the following information provided by the entity
7
seeking authorisation to collect or disclose the restricted
8
attribute:
9
(i)
the entity's risk assessment plan as it relates to the
10
restricted attribute;
11
(ii)
the entity's privacy impact assessment as it relates to the
12
restricted attribute;
13
(iii)
the effectiveness of the entity's protective security
14
(including security governance, information security,
15
personnel security and physical security), privacy
16
arrangements and fraud control arrangements;
17
(iv) if the entity is not a participating relying party
--
the
18
arrangements in place between the entity and relying
19
parties for the protection of the restricted attribute from
20
further disclosure;
21
(g) any other matter the Digital ID Regulator considers relevant.
22
Requirement to give statement of reasons if authorisation given
23
(3) If the Digital ID Regulator imposes the condition authorising the
24
entity to collect or disclose a restricted attribute of an individual,
25
the Digital ID Regulator must publish on the Digital ID
26
Regulator's website a state
ment of reasons for giving the
27
authorisation.
28
19 Requirements before Accreditation Rules impose conditions
29
relating to restricted attributes or biometric information
30
of individuals
31
(1) Subsection (2) applies if the Minister proposes to make
32
Accreditation Rules for the purposes of subsection 17(5) providing
33
that accredited entities, or specified kinds of accredited entities, are
34
authorised to:
35
Chapter 2
Accreditation
Part 2
Accreditation
Division 2
Accreditation
Section 20
24
Digital ID Bill 2023
No. , 2023
(a) collect or disclose restricted attributes of individuals; or
1
(b) collect, use or disclose biometric information of individuals.
2
Note:
The Minister must also consult the Information Commissioner before
3
making such rules (see paragraph 169(1)(b)).
4
(2) In deciding whether to make the rules, the Minister must have
5
regard to the following matters:
6
(a) the potential harm that could result if the information were
7
disclosed to an entity;
8
(b) community expectations about the collection, use or
9
disclosure of the information;
10
(c) if the collection or disclosure of the restricted attribute is
11
regulated by other legislative or regulatory requirements
--
12
whether the entities would be able to comply with those
13
requirements if the rules were made;
14
(d) any privacy impact assessment that has been conducted in
15
relation to the proposal to make the rules;
16
(e) any other matter the Minister considers relevant.
17
20 Variation and revocation of conditions on accreditation
18
(1) The Digital ID Regulator may vary or revoke a condition imposed
19
on an entity's accreditation under
paragraph 17(2)(a):
20
(a) at any time, on the Digital ID Regulato
r's own initiative; or
21
(b) on application by the entity under section 21;
22
if the Digital ID Regulator considers it is appropriate to do so.
23
(2) Without limiting subsection (1), the Digital ID Regulator may have
24
regard to matters relating to the security, reliability and stability of
25
the Australian Government Digital ID System when considering
26
whether it is appropriate to vary or revoke a condition.
27
(3) The Digital ID Regulator must revoke a condition imposed under
28
paragraph 17(2)(b) if the direction to impose the condition is
29
revoked.
30
Accreditation
Chapter 2
Accreditation
Part 2
Accreditation
Division 2
Section 21
No. , 2023
Digital ID Bill 2023
25
21 Applying for variation or revocation of conditions on
1
accreditation
2
(1) An accredited entity may apply for a condition imposed on the
3
entity's
accreditation under paragraph 17(2)(a) to be varied or
4
revoked.
5
Note:
See Part 5 of Chapter 9 for matters relating to applications.
6
(2) If, after receiving an application under subsection (1), the Digital
7
ID Regulator refuses to vary or revoke a condition, the Digital ID
8
Regulator must give to the entity written notice of the refusal,
9
including reasons for the refusal.
10
22 Notice before changes to conditions on accreditation
11
(1)
The Digital ID Regulator must not, on the Digital ID Regulator's
12
own initiative:
13
(a) impose a condition under paragraph 17(2)(a)
on an entity's
14
accreditation after the entity has been accredited; or
15
(b) vary or revoke a condition under subsection 20(1);
16
unless the Digital ID Regulator has given the entity a written notice
17
in accordance with subsection (2) of this section.
18
(2) The notice must:
19
(a) state the proposed condition, variation or revocation; and
20
(b) request the entity to give the Digital ID Regulator, within the
21
period specified in the notice, a written statement relating to
22
the proposed condition, variation or revocation.
23
(3) The Digital ID Regulator must consider any written statement
24
given within the period specified in the notice before making a
25
decision to:
26
(a) impose a condition under paragraph 17(2)(a)
on an entity's
27
accreditation; or
28
(b) vary or revoke a condition under subsection 20(1) on an
29
entity's accreditation.
30
Chapter 2
Accreditation
Part 2
Accreditation
Division 2
Accreditation
Section 23
26
Digital ID Bill 2023
No. , 2023
(4) This section does not apply if the Digital ID Regulator reasonably
1
believes that the need to impose, vary or revoke the condition is
2
serious and urgent.
3
(5) If this section does not apply to an entity because of subsection (4),
4
the Digital ID Regulator must give a written statement of reasons
5
to the entity as to why the Digital ID Regulator reasonably believes
6
that the need to impose, vary or revoke the condition is serious and
7
urgent.
8
(6) The statement of reasons under subsection (5) must be given within
9
7 days after the condition is imposed, varied or revoked.
10
23 Notice of decision of changes to conditions on accreditation
11
(1) Subject to subsection (2), the Digital ID Regulator must give an
12
entity written notice of a decision to impose, vary or revoke a
13
condition on an entity's accreditation.
14
(2) The Digital ID Regulator is not required to give an entity notice of
15
the decision if notice of the condition was given in a notice under
16
subsection 15(7).
17
(3) The notice must:
18
(a) state the condition or the variation, or state that the condition
19
is revoked; and
20
(b) state the day on which the condition, variation or revocation
21
takes effect.
22
Accreditation
Chapter 2
Accreditation
Part 2
Varying, suspending and revoking accreditation
Division 3
Section 24
No. , 2023
Digital ID Bill 2023
27
Division
3--Varying, suspending and revoking
1
accreditation
2
24 Varying accreditation
3
The Digital ID Regulator may vary the accreditation of an
4
accredited entity to take account of a change in the accredited
5
entity's name.
6
Note:
The Digital ID Regulator can also vary conditions on accreditation
7
(see section 20).
8
25 Suspension of accreditation
9
Digital ID Regulator must suspend accreditation
if Minister's
10
direction about suspension is in force
11
(1) The Digital ID Regulator must, in writing, suspend the
12
accreditation of an accredited entity if a direction under
13
subsection 27(1) directing the Digital ID Regulator to do so is in
14
force in relation to the entity.
15
Digital ID Regulator may decide to suspend accreditation in other
16
circumstances
17
(2) The Digital ID Regulator may, in writing, suspend the
18
accreditation of an accredited entity if:
19
(a) the Digital ID Regulator reasonably believes that the
20
accredited entity has contravened or is contravening this Act;
21
or
22
(b) the Digital ID Regulator reasonably believes that there has
23
been a cyber security incident involving the entity; or
24
(c) the Digital ID Regulator reasonably believes that a cyber
25
security incident involving the entity is imminent; or
26
(d) if the entity is a body corporate
--
the entity becomes a
27
Chapter 5 body corporate (within the meaning of the
28
Corporations Act 2001
); or
29
(e) the Digital ID Regulator is satisfied that it is not appropriate
30
for the entity to be an accredited entity; or
31
Chapter 2
Accreditation
Part 2
Accreditation
Division 3
Varying, suspending and revoking accreditation
Section 25
28
Digital ID Bill 2023
No. , 2023
(f) circumstances specified in the Accreditation Rules apply in
1
relation to the entity.
2
Note:
The Digital ID Regulator may impose conditions on an enti
ty's
3
accreditation before suspending it (see paragraph 17(4)(g)) and can
4
give directions to give effect to a decision to suspend an entity's
5
accreditation (see paragraph 127(1)(b)).
6
(3) The reference to cyber security incident in paragraph (2)(b) does
7
not include acts, events or circumstances covered by paragraph (b)
8
or (d) of the definition of that term unless the Digital ID Regulator
9
is satisfied that the attempts referred to in those paragraphs involve
10
an unacceptable risk to the provision of the entit
y's accredited
11
services.
12
(4) In determining whether the Digital ID Regulator is satisfied of the
13
matter in paragraph (2)(e), regard may be had to whether the entity
14
is a fit and proper person.
15
Note:
In having regard to whether an entity is a fit and proper person, the
16
Digital ID Regulator must have regard to any matters specified in the
17
Digital ID Rules and may have regard to any other matters considered
18
relevant (see section 12).
19
(5) Subsection (4) does not limit paragraph (2)(e).
20
Digital ID Regulator may suspend accreditation on application
21
(6) The Digital ID Regulator may, on application by an accredited
22
entity, suspend the accreditation of the entity.
23
Note:
See Part 5 of Chapter 9 for matters relating to applications.
24
Show cause notice must generally be given before decision to
25
suspend
26
(7) Before suspending the accreditation of an entity under
27
subsection (2), the Digital ID Regulator must give a written notice
28
(a
show cause notice
) to the entity.
29
(8) The show cause notice must:
30
(a) state the grounds on which the Digital ID Regulator proposes
31
to suspend the entity's accreditation; and
32
Accreditation
Chapter 2
Accreditation
Part 2
Varying, suspending and revoking accreditation
Division 3
Section 25
No. , 2023
Digital ID Bill 2023
29
(b) invite the entity to give the Digital ID Regulator, within 28
1
days after the day the notice is given, a written statement
2
showing cause why the Digital ID Regulator should not
3
suspend the accreditation.
4
Exception
--
cyber security incident
5
(9) Subsection (7) does not apply if the suspension is on a ground
6
mentioned in paragraph (2)(b) or (c).
7
Notice of suspension
8
(10) If the Digital ID Regulator suspends
an entity's a
ccreditation under
9
subsection (1), (2) or (6), the Digital ID Regulator must give the
10
entity a written notice stating the following:
11
(a)
that the entity's accreditation is suspended;
12
(b) if the entity is accredited as more than one kind of accredited
13
entity
--
the accreditation that is suspended;
14
(c) the reasons for the suspension;
15
(d) the day the suspension is to start;
16
(e) if the accreditation is suspended for a period
--
the period of
17
the suspension;
18
(f) if the accreditation is suspended until a specified event
19
occurs or action is taken
--
the event or action.
20
Effect of suspension
21
(11)
If an entity's accreditation is suspended under
this section:
22
(a) the entity is taken not to be accredited while the suspension is
23
in force; and
24
(b) if the entity holds an approval to participate in the Australian
25
Government Digital ID System as an accredited entity
--
the
26
entity is taken not to hold that
approval while the entity's
27
accreditation is suspended.
28
Revocation of suspension
29
(12) If the Digital ID Regulator suspends
an entity's accreditation under
30
subsection (2), the Regulator may revoke the suspension by written
31
notice to the entity.
32
Chapter 2
Accreditation
Part 2
Accreditation
Division 3
Varying, suspending and revoking accreditation
Section 26
30
Digital ID Bill 2023
No. , 2023
(13)
If the Digital ID Regulator suspends an entity's accreditation under
1
subsection (6), the Regulator must revoke the suspension by
2
written notice to the entity if the entity requests the suspension be
3
revoked.
4
(14) A notice given under subsection (12) or (13) must specify the day
5
the revocation takes effect.
6
26 Revocation of accreditation
7
Digital ID Regulator must revoke accreditation if Minister gives a
8
direction to do so
9
(1) The Digital ID Regulator must, in writing, revoke the accreditation
10
of an accredited entity if the Minister gives a direction under
11
subsection 27(1) to do so.
12
Revocation on Digital ID Regulator's own initiativ
e
13
(2)
The Digital ID Regulator may, in writing, revoke an entity's
14
accreditation if:
15
(a) the Digital ID Regulator reasonably believes that the
16
accredited entity has contravened or is contravening this Act;
17
or
18
(b) the Digital ID Regulator reasonably believes that:
19
(i) there has been a cyber security incident involving the
20
entity; and
21
(ii) the cyber security incident is serious; or
22
(c) if the entity is a body corporate
--
the entity becomes a
23
Chapter 5 body corporate (within the meaning of the
24
Corporations Act 2001
); or
25
(d) the Digital ID Regulator is satisfied that it is not appropriate
26
for the entity to be an accredited entity; or
27
(e) circumstances specified in the Accreditation Rules apply in
28
relation to the entity.
29
Note:
The Digital ID Regulator may i
mpose conditions on an entity's
30
accreditation before revoking it (see paragraph 17(4)(g)) and can give
31
directions to give effect to a decision to revoke an entity's
32
accreditation (see paragraph 127(1)(b)).
33
Accreditation
Chapter 2
Accreditation
Part 2
Varying, suspending and revoking accreditation
Division 3
Section 26
No. , 2023
Digital ID Bill 2023
31
(3) In determining whether the Digital ID Regulator is satisfied of the
1
matter in paragraph (2)(d), regard may be had to whether the entity
2
is a fit and proper person.
3
Note:
In having regard to whether an entity is a fit and proper person, the
4
Digital ID Regulator must have regard to any matters specified in the
5
Digital ID Rules and may have regard to any other matters considered
6
relevant (see section 12).
7
(4) Subsection (3) does not limit paragraph (2)(d).
8
Revocation on application
9
(5) The Digital ID Regulator must, on application by an entity, revoke
10
the entity's accreditation.
11
Note:
See Part 5 of Chapter 9 for matters relating to applications.
12
Date of effect
13
(6) The revocation takes effect on the day determined by the Digital
14
ID Regulator.
15
Approval must also be revoked
16
(7) If:
17
(a)
an entity's accre
ditation is revoked under subsection (1), (2)
18
or (5); and
19
(b) the entity holds an approval to participate in the Australian
20
Government Digital ID System;
21
the Digital ID Regulator must at the same time revoke the entity's
22
approval to participate as an accredited entity.
23
Show cause notice must generally be given before decision to
24
revoke
25
(8) Before revoking the accreditation of an entity under subsection (2),
26
the Digital ID Regulator must give a written notice (a
show cause
27
notice
) to the entity.
28
(9) The show cause notice must:
29
(a) state the grounds on which the Digital ID Regulator proposes
30
to revoke the entity's accreditation; and
31
Chapter 2
Accreditation
Part 2
Accreditation
Division 3
Varying, suspending and revoking accreditation
Section 26
32
Digital ID Bill 2023
No. , 2023
(b) invite the entity to give the Digital ID Regulator, within 28
1
days after the day the notice is given, a written statement
2
showing cause why the Digital ID Regulator should not
3
revoke the accreditation.
4
Exception
--
cyber security incident
5
(10) Subsection (8) does not apply if the revocation is on a ground
6
mentioned in paragraph (2)(b).
7
Notice of revocation
8
(11) If the Digital ID Regulator is to revoke
an entity's accreditation
9
under subsection (1), (2) or (5), the Digital ID Regulator must give
10
the entity a written notice stating the following:
11
(a)
that the entity's accreditation is to be revoked;
12
(b) if the entity is accredited as more than one kind of accredited
13
entity
--
the accreditation that is to be revoked;
14
(c) the reasons for the revocation;
15
(d) the day the revocation is to take effect.
16
Accreditation can be revoked even while suspended
17
(12) Despite paragraph 25(11)(a), the Digital ID Regulator may revoke
18
an entity's accreditation under this
section even if a suspension is
19
in force under section 25 in relation to the entity.
20
Accreditation
Chapter 2
Accreditation
Part 2
Minister's directions regarding accreditation
Division 4
Section 27
No. , 2023
Digital ID Bill 2023
33
Division
4--Minister's directions regarding accreditation
1
27
Minister's directions regarding ac
creditation
2
(1) The Minister may, in writing, direct the Digital ID Regulator to do
3
any of the following if, for reasons of security (within the meaning
4
of the
Australian Security Intelligence Organisation Act 1979
),
5
including on the basis of an adverse or qualified security
6
assessment in respect of a person, the Minister considers it
7
appropriate to do so:
8
(a) refuse to accredit an entity;
9
(b) impose conditions on the accreditation of an entity;
10
(c) suspend the accreditation of an accredited entity;
11
(d) revoke the accreditation of an accredited entity.
12
(2) If the Minister gives a direction under subsection (1), the Digital
13
ID Regulator must comply with the direction.
14
(3) The direction remains in force unless it is revoked by the Minister.
15
The Minister must notify the Digital ID Regulator and the entity if
16
the Minister revokes the direction.
17
(4) Despite subsection (3), a direction given under subsection (1) to
18
revoke the accreditation of an accredited entity cannot be revoked.
19
(5) A direction given under this section is not a legislative instrument.
20
Chapter 2
Accreditation
Part 2
Accreditation
Division 5
Accreditation Rules
Section 28
34
Digital ID Bill 2023
No. , 2023
Division
5--Accreditation Rules
1
28 Accreditation Rules
2
(1) The Accreditation Rules must provide for and in relation to matters
3
concerning the accreditation of entities.
4
(2) Without limiting subsection (1), the Accreditation Rules may deal
5
with the following matters:
6
(a) requirements that entities must meet in order to become and
7
remain an accredited entity, including requirements relating
8
to the following:
9
(i) privacy;
10
(ii) security;
11
(iii) fraud control;
12
(iv) incident management and reporting;
13
(v) disaster recovery;
14
(vi) user experience and inclusion;
15
(b) without limiting paragraph (a), requirements relating to the
16
conduct of, and reporting on, privacy impact assessments,
17
fraud assessments and security assessments;
18
(c) technical, data or design standards relating to the provision of
19
accredited services of accredited entities;
20
(d) without limiting paragraph (c), standards relating to the
21
testing of the information technology systems of entities;
22
(e)
the conduct of periodic reviews of an entity's compliance
23
with specified requirements of the Accreditation Rules,
24
including the timing of such reviews, who is to conduct such
25
reviews and the provision of reports about such reviews to
26
the Digital ID Regulator;
27
(f) the obligations of accredited entities in relation to monitoring
28
their compliance with this Act;
29
(g) requirements relating to the collection, holding, use and
30
disclosure of personal information of individuals;
31
Accreditation
Chapter 2
Accreditation
Part 2
Accreditation Rules
Division 5
Section 28
No. , 2023
Digital ID Bill 2023
35
(h) matters relating to representatives or nominees of individuals
1
in relation to the creation, maintenance or deactivation of
2
digital IDs of individuals;
3
(i) requirements or restrictions relating to the generation of
4
digital IDs for children.
5
Note:
In relation to subparagraph (2)(a)(iv), the Digital ID Rules may also
6
provide for such arrangements in relation to incidents that occur
7
within the Australian Government Digital ID System (see
8
subsection 78(1)).
9
Chapter 2
Accreditation
Part 2
Accreditation
Division 6
Other matters relating to accreditation
Section 29
36
Digital ID Bill 2023
No. , 2023
Division
6--Other matters relating to accreditation
1
29 Digital IDs must be deactivated on request
2
(1) This section applies if an accredited identity service provider
3
generates a digital ID of an individual.
4
(2) The accredited identity service provider must, if requested to do so
5
by the individual, deactivate the digital ID of the individual as soon
6
as practicable after receiving the request.
7
30 Accredited services must be accessible and inclusive
8
(1) The Accreditation Rules must provide for and in relation to
9
requirements relating to the accessibility and useability of the
10
accredited services of accredited entities.
11
(2) Without limiting subsection (1), the Accreditation Rules may deal
12
with the following matters:
13
(a) requirements to comply with accessibility standards or
14
guidelines;
15
(b) requirements relating to useability testing;
16
(c) requirements relating to device or browser access.
17
31 Prohibition on holding out that an entity is accredited
18
An entity must not hold out that the entity is an accredited entity if
19
that is not the case.
20
Civil penalty:
1,000 penalty units.
21
Privacy
Chapter 3
Introduction
Part 1
Section 32
No. , 2023
Digital ID Bill 2023
37
Chapter
3--Privacy
1
Part
1--Introduction
2
3
32 Simplified outline of this Chapter
4
When providing accredited services, accredited entities must
5
comply with certain privacy safeguards. These safeguards are in
6
addition to, and build on, the safeguards contained in the
Privacy
7
Act 1988
.
8
An accredited entity may be liable to a civil penalty if certain
9
privacy safeguards are breached, such as collecting certain
10
attributes of individuals such as their political opinions or racial
11
origin. There are restrictions on collecting, using or disclosing
12
biometric information of individuals and on data profiling to track
13
online behaviour is prohibited.
14
33 Chapter applies to accredited entities only to extent entity is
15
providing accredited services
16
This Chapter applies to an accredited entity only to the extent the
17
entity is providing its accredited services.
18
34 APP-equivalent agreements
19
(1) The Minister may, on behalf of the Commonwealth, enter into an
20
agreement (an
APP-equivalent agreement
) with an entity covered
21
by subsection (2) that prohibits the entity from collecting, holding,
22
using or disclosing personal information in any way that would, if
23
the entity were an organisation within the meaning of the
Privacy
24
Act 1988
, breach an Australian Privacy Principle.
25
(2) The entities are as follows:
26
(a) a department or authority of a State;
27
(b) a department or authority of a Territory.
28
Chapter 3
Privacy
Part 1
Introduction
Section 34
38
Digital ID Bill 2023
No. , 2023
(3) The Minister must provide the Information Commissioner with a
1
copy of an APP-equivalent agreement within 14 days after it is
2
entered into.
3
Privacy
Chapter 3
Privacy
Part 2
Interaction with the Privacy Act 1988
Division 1
Section 35
No. , 2023
Digital ID Bill 2023
39
Part
2--Privacy
1
Division
1--Interaction with the Privacy Act 1988
2
35 Extended meaning of
personal information
in relation to
3
accredited entities
4
To the extent not already covered by the definition of
personal
5
information
within the
Privacy Act 1988
, attributes of individuals,
6
to the extent that they are in the possession or control of accredited
7
entities, are taken, for the purposes of that Act, to be personal
8
information about an individual.
9
Note 1:
This section has the effect of extending the meaning of personal
10
information in the
Privacy Act 1988
as it applies to accredited entities
11
to mirror the meaning of that term as it is used in this Act (see
12
section 9).
13
Note 2:
This means that the requirements in the
Privacy Act 1988
about
14
collecting, using and disclosing personal information under that Act
15
extend to attributes of individuals to the extent that information is in
16
the possession or control of accredited entities. However, this applies
17
only to the extent the information is collected, used or disclosed when
18
those entities are providing their accredited services (see section 33).
19
36 Privacy obligations for non-APP entities
20
(1) This section applies to an accredited entity that is not an APP
21
entity.
22
Note:
The obligations of accredited entities that are APP entities in relation
23
to the handling of personal information are set out in the
Privacy Act
24
1988
.
25
(2) The accredited entity must not do an act or engage in a practice
26
with respect to personal information unless:
27
(a) the
Privacy Act 1988
applies in relation to the act or practice
28
as if the entity were an organisation within the meaning of
29
that Act; or
30
(b) a law of a State or Territory that provides for all of the
31
following applies in relation to the act or practice:
32
Chapter 3
Privacy
Part 2
Privacy
Division 1
Interaction with the Privacy Act 1988
Section 37
40
Digital ID Bill 2023
No. , 2023
(i) protection of personal information comparable to that
1
provided by the Australian Privacy Principles;
2
(ii) monitoring of compliance with the law;
3
(iii) a means for an individual to seek recourse if the
4
individual's personal information is dealt with in a way
5
contrary to the law; or
6
(c) all of the following apply:
7
(i) neither paragraph (a) nor (b) apply to the acts or
8
practices of the entity;
9
(ii) the entity has an APP-equivalent agreement with the
10
Commonwealth;
11
(iii) the agreement includes a term that prohibits the entity
12
from collecting, holding, using or disclosing personal
13
information in any way that would, if the entity were an
14
organisation within the meaning of the
Privacy Act
15
1988
, breach an Australian Privacy Principle.
16
37 Contraventions of privacy obligations in APP-equivalent
17
agreements
18
(1) This section applies to an entity if the entity has an APP-equivalent
19
agreement with the Commonwealth.
20
(2) An act or practice of the entity that contravenes a term of the
21
agreement in relation to an individual and collecting, holding,
22
using or disclosing their personal information is taken to be:
23
(a) an interference with the privacy of the individual for the
24
purposes of the
Privacy Act 1988
; and
25
(b) covered by sections 13 and 13G of that Act.
26
Note:
An act or practice that is, or may be, an interference with privacy may
27
be the subject of a complaint under section 36 of the
Privacy Act
28
1988
.
29
(3) The entity is taken, for the purposes of Part V of the
Privacy Act
30
1988
and any other provision of that Act that relates to that Part, to
31
be an organisation (within the meaning of that Act) if:
32
(a) an act or practice of the entity has contravened, or may have
33
contravened, the term of the agreement in relation to an
34
individual; and
35
Privacy
Chapter 3
Privacy
Part 2
Interaction with the Privacy Act 1988
Division 1
Section 38
No. , 2023
Digital ID Bill 2023
41
(b) the act or practice is the subject of a complaint to, or an
1
investigation by, the Information Commissioner under Part V
2
of the
Privacy Act 1988
.
3
(4) Sections 80V and 80W of the
Privacy Act 1988
apply in relation to
4
the term of the agreement as if the term were a provision of that
5
Act.
6
38 Contraventions of Division 2 are interferences with privacy
7
(1) An act or practice of an accredited entity that contravenes a
8
provision of Division 2 of this Part in relation to personal
9
information about an individual is taken to be:
10
(a) an interference with the privacy of the individual for the
11
purposes of the
Privacy Act 1988
; and
12
(b) covered by sections 13 and 13G of that Act.
13
Note:
An act or practice that is, or may be, an interference with privacy may
14
be the subject of a complaint under section 36 of the
Privacy Act
15
1988
.
16
(2) The respondent to a complaint under the
Privacy Act 1988
about
17
the act or practice, other than an act or practice of an agency or
18
organisation, is the entity that engaged in the act or practice.
19
(3) The entity is taken, for the purposes of Part V of the
Privacy Act
20
1988
and any other provision of that Act that relates to that Part, to
21
be an organisation if:
22
(a) the act or practice of the entity that contravenes a provision
23
of Division 2 of this Part is the subject of a complaint to, or
24
an investigation by, the Information Commissioner under
25
Part V of the
Privacy Act 1988
; and
26
(b) the entity is not an agency or organisation.
27
(4) In this section:
28
agency
has the same meaning as in the
Privacy Act 1988
.
29
organisation
has the same meaning as in the
Privacy Act 1988
.
30
Chapter 3
Privacy
Part 2
Privacy
Division 1
Interaction with the Privacy Act 1988
Section 39
42
Digital ID Bill 2023
No. , 2023
39 Notification of eligible data breaches
--
accredited entities that are
1
APP entities
2
(1) This section applies to an accredited entity if the entity:
3
(a) is an APP entity; and
4
(b) is aware that there are reasonable grounds to believe that
5
there has been an eligible data breach (within the meaning of
6
the
Privacy Act 1988
) of the entity relating to the
entity's
7
accredited services; and
8
(c) is required under section 26WK of the
Privacy Act 1988
to
9
give the Information Commissioner a statement that complies
10
with subsection 26WK(3) of that Act.
11
(2) The entity must also give a copy of the statement to the Digital ID
12
Regulator at the same time as the statement is given to the
13
Information Commissioner.
14
40 Notification of eligible data breaches
--
accredited entities that are
15
not APP entities
16
(1) This section applies to an accredited entity that is not an APP
17
entity.
18
(2) Despite subsection (1), this section does not apply to an accredited
19
entity if:
20
(a) the entity is a department or authority of a State or Territory;
21
and
22
(b) a law of the State or Territory provides for a scheme for the
23
notification of data breaches that:
24
(i) covers the entity; and
25
(ii) is comparable to the scheme provided for in Part IIIC of
26
the
Privacy Act 1988
.
27
Note:
See section 41 for requirements in relation to these entities.
28
(3) Part IIIC of the
Privacy Act 1988
, and any other provision of that
29
Act that relates to that Part, apply in relation to the accredited
30
entity as if the entity were an APP entity.
31
(4) If:
32
Privacy
Chapter 3
Privacy
Part 2
Interaction with the Privacy Act 1988
Division 1
Section 41
No. , 2023
Digital ID Bill 2023
43
(a) the accredited entity is aware that there are reasonable
1
grounds to believe that there has been an eligible data breach
2
(within the meaning of the
Privacy Act 1988
) of the entity
3
relating to the
entity's accredited services
; and
4
(b) because of the operation of subsection (3) of this section, the
5
entity is required under section 26WK of that Act to give the
6
Information Commissioner a statement that complies with
7
subsection 26WK(3) of that Act;
8
the entity must also give a copy of the statement to the Digital ID
9
Regulator at the same time as the statement is given to the
10
Information Commissioner.
11
41 Notification of corresponding data breaches
--
accredited State or
12
Territory entities that are not APP entities
13
(1) This section applies to an accredited entity if:
14
(a) the entity is not an APP entity; and
15
(b) the entity is a department or authority of a State or Territory;
16
and
17
(c) the entity is required under a law of the State or Territory to
18
give a statement (however described) that corresponds to
19
section 26WK of the
Privacy Act 1988
to another entity (the
20
notified entity
); and
21
(d) the statement relates to the accredited services of the entity.
22
(2) The entity must also give a copy of the statement to the Digital ID
23
Regulator and the Information Commissioner at the same time as
24
the statement is given to the notified entity.
25
42 Additional function of the Information Commissioner
26
In addition to the Information Commissioner's functions under the
27
Privacy Act 1988
, the Information Commissioner has the function
28
of providing advice, on request by the Digital ID Regulator, on
29
matters relating to the operation of this Act.
30
Chapter 3
Privacy
Part 2
Privacy
Division 1
Interaction with the Privacy Act 1988
Section 43
44
Digital ID Bill 2023
No. , 2023
43 Information Commissioner may share information
1
Sections 33A and 33B of the
Privacy Act 1988
apply as if a
2
reference in those sections to that Act included a reference to this
3
Act.
4
Note:
Sections 33A and 33B of the
Privacy Act 1988
allow the Information
5
Commissioner to share information acquired in the course of
6
exercising powers, or performing functions or duties, under that Act in
7
certain circumstances.
8
Privacy
Chapter 3
Privacy
Part 2
Additional privacy safeguards
Division 2
Section 44
No. , 2023
Digital ID Bill 2023
45
Division
2--Additional privacy safeguards
1
44 Collection of certain attributes of individuals is prohibited
2
(1) An accredited entity must not collect any of the following
3
attributes of an individual:
4
(a)
information or an opinion about an individual's racial or
5
ethnic origin;
6
(b) information or an opinion
about an individual's political
7
opinions;
8
(c) information or an opinion
about an individual's membership
9
of a political association;
10
(d) information or an opinion
about an individual's religious
11
beliefs or affiliations;
12
(e) information or an opinion
about an individual's philosophical
13
beliefs;
14
(f) information or an opinion
about an individual's sexual
15
orientation or practices.
16
Civil penalty:
1,500 penalty units.
17
(2) Subsection (1) does not apply if the accredited entity:
18
(a) did not solicit the attribute of the individual; and
19
(b) destroys the attribute, as soon as practicable, after becoming
20
aware the accredited entity has collected the attribute.
21
Note:
A person who wishes to rely on this subsection bears an evidential
22
burden in relation to the matters in this subsection (see section 96 of
23
the Regulatory Powers Act).
24
(3) Subsection (1) does not prevent other kinds of attributes (
permitted
25
attributes
) of individuals from being collected if the permitted
26
attributes are not primarily of the kind described in subsection (1),
27
even if attributes of the kind described in that subsection can
28
reasonably be inferred from the permitted attributes.
29
Example:
Even if an individual's racial or ethnic origin can reasonably be
30
inferred from the individual's name or place of birth, this does not
31
prevent the individual's name or place of birth from being
collected.
32
Chapter 3
Privacy
Part 2
Privacy
Division 2
Additional privacy safeguards
Section 45
46
Digital ID Bill 2023
No. , 2023
(4) In this section:
1
solicits
: an accredited entity
solicits
an attribute of an individual if
2
the accredited entity requests another entity to provide the attribute,
3
or to provide information that includes the attribute.
4
45 Individuals must expressly consent to disclosure of certain
5
attributes of individuals to relying parties
6
When verifying the identity of an individual or authenticating a
7
digital ID of, or information about, an individual to a relying party,
8
an accredited entity must not disclose any of the following
9
attributes of the individual to the relying party without the express
10
consent of the individual:
11
(a)
the individual's
current name or former name;
12
(b)
the individual's address;
13
(c)
the individual's date of birth;
14
(d)
the individual's phone number;
15
(e)
the individual's email address;
16
(f) an attribute of a kind prescribed by the Accreditation Rules.
17
Civil penalty:
1,500 penalty units.
18
46 Disclosure of restricted attributes of individuals
19
(1) When verifying the identity of an individual or authenticating a
20
digital ID of, or information about, an individual to a relying party,
21
an accredited entity must not disclose a restricted attribute of the
22
individual to the relying party without the express consent of the
23
individual.
24
Civil penalty:
1,500 penalty units.
25
(2) An accredited entity must not disclose a restricted attribute of an
26
individual to a relying party that is not a participating relying party
27
i
f the accredited entity's conditions o
n accreditation do not include
28
an authorisation to disclose the restricted attribute to the relying
29
party.
30
Civil penalty:
1,500 penalty units.
31
Privacy
Chapter 3
Privacy
Part 2
Additional privacy safeguards
Division 2
Section 47
No. , 2023
Digital ID Bill 2023
47
47 Restricting disclosure of unique identifiers
1
(1) This section applies if:
2
(a) an accredited entity (the
assigning entity
) assigns a unique
3
identifier to an individual within a digital ID system; and
4
(b) the assigning entity discloses the unique identifier to another
5
accredited entity or to a relying party.
6
(2) The assigning entity must not disclose the unique identifier to any
7
other entity other than:
8
(a) if the unique identifier was disclosed to another accredited
9
entity
--
the other accredited entity; or
10
(b) if the unique identifier was disclosed to a relying party
--
the
11
relying party.
12
Civil penalty:
1,500 penalty units.
13
(3) The accredited entity to whom the unique identifier is disclosed
14
must not disclose the unique identifier to any other entity.
15
Civil penalty:
1,500 penalty units.
16
(4) Subsections (2) and (3) do not apply if the disclosure of the unique
17
identifier is for one or more of the following purposes:
18
(a) detecting, reporting or investigating a contravention, or an
19
alleged contravention, of a provision of this Act;
20
(b) conducting proceedings in relation to a contravention, or an
21
alleged contravention, of a civil penalty provision of this Act;
22
(c) detecting, reporting or investigating either of the following
23
within a digital ID system:
24
(i) a digital ID fraud incident;
25
(ii) a cyber security incident:
26
(d) conducting an assessment of the matter referred to in
27
paragraph 33C(1)(g) of the
Privacy Act 1988
(about
28
assessments by the Information Commissioner in relation to
29
the handling and maintenance of personal information in
30
accordance with certain aspects of this Act);
31
(e) detecting, reporting, investigating or prosecuting an offence
32
against a law of the Commonwealth, a State or a Territory.
33
Chapter 3
Privacy
Part 2
Privacy
Division 2
Additional privacy safeguards
Section 48
48
Digital ID Bill 2023
No. , 2023
Note:
A person who wishes to rely on this subsection bears an evidential
1
burden in relation to the matter mentioned in this subsection (see
2
section 96 of the Regulatory Powers Act).
3
(5) Subsections (2) and (3) also do not apply if the disclosure of the
4
unique identifier is:
5
(a) to a contractor engaged by the accredited entity; and
6
(b) for the purposes of the contractor providing an accredited
7
service, or part of an accredited service, of the accredited
8
entity.
9
Note:
A person who wishes to rely on this subsection bears an evidential
10
burden in relation to the matter mentioned in this subsection (see
11
section 96 of the Regulatory Powers Act).
12
(6) Subsections (2) and (3) also do not apply if the unique identifier is
13
disclosed to another entity if the other entity is facilitating access to
14
the entity for whom the unique identifier was created.
15
Note:
A person who wishes to rely on this subsection bears an evidential
16
burden in relation to the matter mentioned in this subsection (see
17
section 96 of the Regulatory Powers Act).
18
48 Restrictions on collecting, using and disclosing biometric
19
information
20
(1) An accredited entity may collect, use or disclose biometric
21
information of an individual only if:
22
(a) the collection, use or disclosure is authorised under
23
section 49 or 50; and
24
(b) unless the collection, use or disclosure is authorised under
25
paragraph 49(3)(a) or subsection 49(5), (6) or (8)
--
the
26
individual to whom the information relates has expressly
27
consented to the collection, use or disclosure of the biometric
28
information.
29
Civil penalty:
1,500 penalty units.
30
(2) An accredited entity may retain biometric information of an
31
individual only if the retention is authorised under section 49 or 50.
32
Note:
Section 51 contains rules about destruction of biometric information
33
that has been retained under section 49.
34
Privacy
Chapter 3
Privacy
Part 2
Additional privacy safeguards
Division 2
Section 49
No. , 2023
Digital ID Bill 2023
49
Civil penalty:
1,500 penalty units.
1
(3) To avoid doubt, and without limiting subsection (1), an accredited
2
entity must not:
3
(a) collect, use or disclose biometric information of an individual
4
for the purpose of one-to-many matching of the individual; or
5
(b) collect, use or disclose biometric information of an individual
6
to determine whether the individual has multiple digital IDs.
7
(4)
One-to-many matching
means the process of comparing a kind of
8
biometric information of an individual against that kind of
9
biometric information of individuals generally to identify the
10
particular individual.
11
49 Authorised collection, use and disclosure of biometric
12
information of individuals
--
general rules
13
(1) An accredited entity is authorised to collect, use or disclose
14
biometric information of an individual if:
15
(a) the accredited
entity's conditions on accreditation authorise
16
the collection, use, or disclosure of the biometric
17
information; and
18
(b) the biometric information of the individual is collected, used
19
or disclosed for the purposes of the accredited entity doing
20
either or both of the following:
21
(i) verifying the identity of the individual;
22
(ii) authenticating the individual to their digital ID.
23
(2) An accredited entity is authorised to collect, use or disclose
24
biometric information of an individual if:
25
(a) the biometric information is contained in a verifiable
26
credential that is in control of the individual; and
27
(b) the Accreditation Rules prescribe requirements relating to the
28
collection, use or disclosure of the biometric information;
29
and
30
(c) the collection, use or disclosure complies with those
31
requirements.
32
Chapter 3
Privacy
Part 2
Privacy
Division 2
Additional privacy safeguards
Section 49
50
Digital ID Bill 2023
No. , 2023
(3) An accredited entity is authorised to disclose biometric information
1
of an individual to a law enforcement agency (within the meaning
2
of the
Australian Crime Commission Act 2002
) only if:
3
(a) the disclosure of the information is required or authorised by
4
or under a warrant issued under a law of the Commonwealth,
5
a State or a Territory; or
6
(b) the information is disclosed with the express consent of the
7
individual to whom the biometric information relates, or
8
purports to relate, and the disclosure is for the purpose of:
9
(i) verifying the identity of the individual; or
10
(ii) investigating or prosecuting an offence against a law of
11
the Commonwealth, a State or a Territory.
12
(4) Subsection (3) applies despite:
13
(a) any law of the Commonwealth, a State or a Territory
14
(whether enacted or made before or after this subsection); or
15
(b) a warrant (other than a warrant of a kind mentioned in
16
paragraph (3)(a)), authorisation or order issued under such a
17
law.
18
(5) An accredited entity is authorised to disclose biometric information
19
of an individual if the disclosure is to the individual to whom the
20
biometric information relates.
21
(6) An accredited entity is authorised to retain, use or disclose
22
biometric information of an individual if:
23
(a) the accredited entity collected the information in accordance
24
with subsection (1); and
25
(b) the information is retained, used or disclosed for the purposes
26
of undertaking testing in relation to the information; and
27
(c) the entity complies with any requirements prescribed by the
28
Accreditation Rules.
29
(7) Without limiting paragraph (6)(c), Accreditation Rules made for
30
the purposes of that paragraph may prescribe requirements in
31
relation to the following matters:
32
(a) the purposes for which testing may be undertaken;
33
(b) the kinds of testing that may be undertaken using biometric
34
information;
35
Privacy
Chapter 3
Privacy
Part 2
Additional privacy safeguards
Division 2
Section 50
No. , 2023
Digital ID Bill 2023
51
(c) the circumstances in which testing of the biometric
1
information may be undertaken;
2
(d) the manner in which the biometric information that has been
3
retained for testing must be destroyed;
4
(e) the preparation, content, approval and implementation of
5
ethics plans relating to the testing of the biometric
6
information;
7
(f) obtaining express consent of individuals to whom the
8
biometric information relates;
9
(g) reporting of testing results to the Digital ID Regulator.
10
(8) An accredited entity is authorised to retain, use or disclose
11
biometric information of an individual if:
12
(a) the entity collected the information in accordance with
13
subsection (1); and
14
(b) the information is retained, used or disclosed for the purposes
15
of preventing or investigating a digital ID fraud incident; and
16
(c) the entity complies with any requirements prescribed by the
17
Accreditation Rules.
18
(9) Without limiting paragraph (8)(c), Accreditation Rules made for
19
the purposes of that paragraph may prescribe requirements in
20
relation to the following matters:
21
(a) the manner in which biometric information that has been
22
retained for preventing or investigating digital ID fraud
23
incidents must be destroyed;
24
(b) the reporting of fraud prevention or investigation activities to
25
the Digital ID Regulator.
26
50 Accredited entities may collect etc. biometric information for
27
purposes of government identity documents
28
(1) This section applies if:
29
(a) an accredited entity collects biometric information of an
30
individual under subparagraph 49(1)(b)(i) for the purpose of
31
verifying the identity of the individual; and
32
(b) the accredited entity has verified that the biometric
33
information is legitimate.
34
Chapter 3
Privacy
Part 2
Privacy
Division 2
Additional privacy safeguards
Section 50
52
Digital ID Bill 2023
No. , 2023
Note:
Because this Chapter applies to an entity only to the extent that the
1
entity is providing accredited services (see section 33), this
2
section does not affect information collected, held etc. by the entity in
3
its capacity as the issuer of the document or other credential.
4
(2) If the entity is covered by subsection (3), the entity may collect,
5
use, disclose or retain the biometric information for the purposes of
6
issuing a document or other credential that:
7
(a) contains personal information about the individual; and
8
(b) the individual has expressly consented to the issue of; and
9
(c)
can be used to assist the individual to prove the individual's
10
age or identity or a permission or authorisation that the
11
individual holds; and
12
(d) is issued by or on behalf of the entity.
13
(3) The entities covered by this subsection are as follows:
14
(a) a body corporate incorporated by or under a law of the
15
Commonwealth or a State or Territory;
16
(b) a Commonwealth entity, or a Commonwealth company,
17
within the meaning of the
Public Governance, Performance
18
and Accountability Act 2013
;
19
(c) a person or body that is an agency within the meaning of the
20
Freedom of Information Act 1982
;
21
(d) a body specified, or the person holding an office specified, in
22
Part I of Schedule 2 to the
Freedom of Information Act 1982
;
23
(e) a department or authority of a State;
24
(f) a department or authority of a Territory.
25
(4) Subsection (2) applies despite anything else in this Division.
26
(5) If:
27
(a) the entity (the
first entity
) is not covered by subsection (3);
28
and
29
(b) the first entity has a written agreement with another entity
30
(the
government entity
) that is covered by that subsection;
31
and
32
(c) the agreement provides for the first entity to disclose the
33
biometric information of the individual to the government
34
Privacy
Chapter 3
Privacy
Part 2
Additional privacy safeguards
Division 2
Section 51
No. , 2023
Digital ID Bill 2023
53
entity for the purposes of issuing a document or other
1
credential that:
2
(i) contains personal information about the individual; and
3
(ii) the individual has expressly consented to the issue of;
4
and
5
(iii) can be used to assist the individual to prove the
6
individual's age or identity or a permission or
7
authorisation that the individual holds; and
8
(iv) is issued by or on behalf of the entity;
9
the entity may disclose the biometric information in accordance
10
with the agreement if the disclosure occurs within 14 days after the
11
biometric information is collected.
12
51 Destruction of biometric information of individuals
13
(1) Subject to subsections (2), (3), (4) and (5), if an accredited entity
14
collects biometric information of an individual for the purposes of
15
verifying an individual's identity
only, the provider must destroy
16
the information immediately after the verification is complete.
17
Civil penalty:
1,500 penalty units.
18
(2) Subject to subsections (3), (4) and (5), if:
19
(a) an accredited entity collects biometric information of an
20
individual; and
21
(b) the information is collected for the purposes of authenticating
22
the individual to their digital ID (regardless of whether that
23
information is also collected for the purposes of verifying the
24
individual's identity
); and
25
(c) the individual has not given express consent for that
26
information to be retained for the purposes of further
27
authenticating of the individual to their digital ID;
28
the provider must destroy the information immediately after the
29
authentication is complete.
30
Civil penalty:
1,500 penalty units.
31
(3) Subject to subsections (4) and (5), if:
32
Chapter 3
Privacy
Part 2
Privacy
Division 2
Additional privacy safeguards
Section 52
54
Digital ID Bill 2023
No. , 2023
(a) an accredited entity collects biometric information of an
1
individual with the express consent of the individual to
2
whom the information relates; and
3
(b) the information is collected for the purposes of authenticating
4
the individual to their digital ID; and
5
(c) the individual withdraws their consent;
6
the accredited entity must destroy the information immediately
7
after the consent is withdrawn.
8
(4) If an accredited entity retains biometric information of an
9
individual in accordance with subsection 49(6) (about testing), the
10
accredited entity must destroy the information at the earlier of:
11
(a) the completion of testing the information; and
12
(b) 14 days after the entity collects the information.
13
Civil penalty:
1,500 penalty units.
14
(5) If an accredited entity retains biometric information of an
15
individual in accordance with subsection 49(8) (about preventing
16
investigating digital ID fraud incidents), the accredited entity must
17
destroy the information at the earlier of:
18
(a) immediately after the completion of activities relating to the
19
prevention or investigation of the digital ID fraud incident (as
20
the case may be); and
21
(b) 14 days after the entity collects the information.
22
Civil penalty:
1,500 penalty units.
23
52 Other rules relating to biometric information
24
(1) The Accreditation Rules may provide for and in relation to the
25
collection, use, disclosure, storage or destruction of biometric
26
information of individuals by accredited entities.
27
(2) Without limiting subsection (1), the Accreditation Rules may
28
provide for requirements relating to quality, security or fraud.
29
53 Data profiling to track online behaviour is prohibited
30
(1) An accredited entity must not use or disclose information if:
31
Privacy
Chapter 3
Privacy
Part 2
Additional privacy safeguards
Division 2
Section 54
No. , 2023
Digital ID Bill 2023
55
(a) the information is personal information about an individual
1
that is in the entity's possession or control; and
2
(b) the information is any of the following:
3
(i) information about the services provided by the entity
4
that the individual has accessed, or attempted to access;
5
(ii) information relating to how or when access was
6
obtained or attempted to be obtained by the individual;
7
(iii) information relating to the method of access or
8
attempted access by the individual;
9
(iv)
the date and time the individual's identity was verified.
10
Civil penalty:
1,500 penalty units.
11
(2) Subsection (1) applies even if the individual has consented to the
12
use or disclosure.
13
(3) However, subsection (1) does not apply if the use or disclosure:
14
(a) is for purposes relating to the provision the
entity's
15
accredited services (including improving the performance or
16
useability of the entity's information technology systems
17
through which those services are provided); or
18
(b) is for the purposes of the entity complying with this Act; or
19
(c) is required or authorised by or under a law of the
20
Commonwealth, a State or a Territory.
21
Note:
A person who wishes to rely on this subsection bears an evidential
22
burden in relation to the matter mentioned in this subsection (see
23
section 96 of the Regulatory Powers Act).
24
54 Certain personal information must not be used or disclosed for
25
prohibited enforcement purposes
26
(1) An accredited entity must not use or disclose personal information
27
of an individual t
hat is in the entity's possession or control
for the
28
purposes of enforcement related activities conducted by, or on
29
behalf of, an enforcement body unless:
30
(a) the personal information is not biometric information of the
31
individual; and
32
(b) any of the following apply:
33
Chapter 3
Privacy
Part 2
Privacy
Division 2
Additional privacy safeguards
Section 54
56
Digital ID Bill 2023
No. , 2023
(i) at the time the information is used or disclosed, the
1
accredited entity is satisfied that the enforcement body
2
has started proceedings against a person for an offence
3
against a law of the Commonwealth, a State or a
4
Territory;
5
(ii) at the time the information is used or disclosed, the
6
accredited entity is satisfied that the enforcement body
7
has started proceedings against a person in relation to a
8
breach of a law imposing a penalty or sanction;
9
(iii) the disclosure of the information is required or
10
authorised by or under a warrant issued under a law of
11
the Commonwealth, a State or a Territory;
12
(iv) the information is used or disclosed for the purposes of
13
reporting a suspected or actual digital ID fraud incident
14
or suspected or actual cyber security incident;
15
(v) the information is used or disclosed by the accredited
16
entity for the purposes of complying with this Act;
17
(vi) the information is disclosed with the express consent of
18
the individual to whom the personal information relates,
19
or purports to relate, and the disclosure is for the
20
purpose of verifying the identity of the individual, or
21
investigating or prosecuting an offence against a law of
22
the Commonwealth, a State or a Territory.
23
Civil penalty:
1,500 penalty units.
24
(2) Subsection (1) does not apply in relation to enforcement related
25
activities conducted by, or on behalf of, an enforcement body
26
under, or for the purpose of, this Act or the
Privacy Act 1988
.
27
(3) Despite section 96 of the Regulatory Powers Act, in proceedings
28
for a civil penalty order against a person for a contravention of
29
subsection (1), the person does not bear an evidential burden in
30
relation to the matter in subparagraphs (1)(b)(i) to (vi) or
31
subsection (2).
32
(4) This section applies despite:
33
(a) section 86E of the
Crimes Act 1914
(about disclosure of
34
personal information to certain entities for integrity
35
purposes); and
36
Privacy
Chapter 3
Privacy
Part 2
Additional privacy safeguards
Division 2
Section 55
No. , 2023
Digital ID Bill 2023
57
(b) any other law of the Commonwealth, a State or a Territory,
1
whether enacted or made before or after the commencement
2
of this section.
3
55 Personal information must not be used or disclosed for
4
prohibited marketing purposes
5
(1) An accredited entity must not use or disclose personal information
6
about an individual
that is in the entity's possession or cont
rol for
7
any of the following purposes:
8
(a) offering to supply goods or services;
9
(b) advertising or promoting goods or services;
10
(c) enabling another entity to offer to supply goods or services;
11
(d) enabling another entity to advertise or promote goods or
12
services;
13
(e) market research.
14
Civil penalty:
1,500 penalty units.
15
(2) Subsection (1) does not apply to the disclosure of personal
16
information about an individual if:
17
(a) the information is disclosed to an individual for the purposes
18
of:
19
(i) offering to supply
the entity's accredited
services; or
20
(ii) advertising or promoting
the entity's accredited
21
services; and
22
(b) the information is disclosed to the individual with the
23
individual's express consent.
24
Note:
A person who wishes to rely on this subsection bears an evidential
25
burden in relation to the matter mentioned in this subsection (see
26
section 96 of the Regulatory Powers Act).
27
56 Accredited identity exchange providers must not retain certain
28
attributes of individuals
29
(1) This section applies if, during an authenticated session, an
30
accredited identity exchange provider receives any of the following
31
attributes of an individual:
32
(a) a restricted attribute of the individual;
33
Chapter 3
Privacy
Part 2
Privacy
Division 2
Additional privacy safeguards
Section 56
58
Digital ID Bill 2023
No. , 2023
(b)
the individual's name;
1
(c)
the individual's address;
2
(d) the indiv
idual's date of birth;
3
(e)
the individual's phone number;
4
(f)
the individual's email address;
5
(g) an attribute of a kind prescribed by the Accreditation Rules.
6
(2) The accredited identity exchange provider must not retain the
7
attribute of the individual after the end of the authenticated session.
8
Civil penalty:
1,500 penalty units.
9
(3) In this section:
10
authenticated session
has the meaning given by the Accreditation
11
Rules.
12
Australian Government Digital ID System
Chapter 4
Introduction
Part 1
Section 57
No. , 2023
Digital ID Bill 2023
59
Chapter
4--Australian Government Digital
1
ID System
2
Part
1--Introduction
3
4
57 Simplified outline of this Chapter
5
The Australian Government Digital ID System is overseen and
6
maintained by the Digital ID Regulator. To participate in the
7
Australian Government Digital ID System, an entity must meet
8
certain criteria, including being either an accredited entity or a
9
relying party and holding an approval from the Digital ID
10
Regulator to participate.
11
Only certain kinds of accredited entities and relying parties can
12
apply to the Digital ID Regulator to participate, and specified
13
criteria must be met before the Digital ID Regulator gives an
14
approval. If a relying party holds an approval, it is known as a
15
participating relying party.
16
An entity's approval to participate in the Australian Government
17
Digital ID System is subject to conditions. Some conditions are
18
imposed by the Act and others may be imposed by the Digital ID
19
Regulator or the Digital ID Rules. Conditions may include
20
requirements relating to the kinds of attributes of individuals an
21
entity is authorised to collect or disclose, or that it must not collect.
22
The conditions imposed by the Digital ID Regulator on an entity's
23
approval to participate, and the entity's approval itself, can be
24
varied or revoked. An entity's approval to participate in the
25
Australian Government Digital ID System can also be suspended.
26
The Minister may give directions to the Digital ID Regulator
27
regarding the approval of an entity to participate in the Australian
28
Government Digital ID System if, for reasons of security, the
29
Minister considers it appropriate to do so. The Digital ID Regulator
30
must comply with such directions.
31
Chapter 4
Australian Government Digital ID System
Part 1
Introduction
Section 57
60
Digital ID Bill 2023
No. , 2023
A participating relying party must not, as a condition of providing
1
a service or access to a service, require an individual to create or
2
use a digital ID. There are some exceptions to this, including if the
3
relying party holds an exemption granted by the Digital ID
4
Regulator.
5
The Digital ID Rules may make provision in relation to the
6
following:
7
(a) notifying and managing incidents that have occurred, or
8
are reasonably suspected of having occurred, in relation
9
to the Australian Government Digital ID System;
10
(b) requirements relating to interoperability;
11
(c) a redress framework for incidents that occur in relation
12
to accredited services of accredited entities that are
13
provided within the Australian Government Digital ID
14
System.
15
A statutory contract is taken to be in force between entities
16
participating in the Australian Government Digital ID System. An
17
entity that is party to the contract may apply to the Federal Circuit
18
and Family Court of Australia (Division 2) if the entity has
19
suffered, or is likely to suffer, loss or damage as a result of a
20
breach of this statutory contract.
21
Australian Government Digital ID System
Chapter 4
Australian Government Digital ID System
Part 2
Australian Government Digital ID System
Division 1
Section 58
No. , 2023
Digital ID Bill 2023
61
Part
2--Australian Government Digital ID System
1
Division
1--Australian Government Digital ID System
2
58 Digital ID Regulator must oversee and maintain the Australian
3
Government Digital ID System
4
(1) The Digital ID Regulator must oversee and maintain a digital ID
5
system.
6
(2) The
Australian Government Digital ID System
means the digital
7
ID system overseen and maintained by the Digital ID Regulator
8
under subsection (1).
9
59 Circumstances in which entities may provide or receive services
10
within the Australian Government Digital ID System
11
(1) An entity mentioned in column 1 of an item in the following table
12
may provide or receive services within the Australian Government
13
Digital ID System if the entity satisfies the requirements set out in
14
column 2 of that item.
15
16
Services provided or received within the Australian Government Digital ID
System
Item
Column 1
Entity
Column 2
Requirements
1
Attribute service provider
(a) the attribute service provider:
(i) must be an accredited attribute
service provider; and
(ii) must hold an approval under
section 62 to participate in the
system; and
(b) the participation start day for the
attribute service provider must have
arrived or passed
2
Identity exchange provider
(a) the identity exchange provider:
(i) must be an accredited identity
Chapter 4
Australian Government Digital ID System
Part 2
Australian Government Digital ID System
Division 1
Australian Government Digital ID System
Section 59
62
Digital ID Bill 2023
No. , 2023
Services provided or received within the Australian Government Digital ID
System
Item
Column 1
Entity
Column 2
Requirements
exchange provider; and
(ii) must hold an approval under
section 62 to participate in the
system; and
(b) the participation start day for the
identity exchange provider must have
arrived or passed
3
Identity service provider
(a) the identity service provider:
(i) must be an accredited identity
service provider; and
(ii) must hold an approval under
section 62 to participate in the
system; and
(b) the participation start day for the
identity service provider must have
arrived or passed
4
Relying party
(a) the relying party:
(i) must be an Australian entity or
registered foreign company
(within the meaning of the
Corporations Act 2001
); and
(ii) must hold an approval under
section 62 to participate in the
system; and
(b) the participation start day for the
relying party must have arrived or
passed
5
An entity that provides, or
proposes to provide, services
of a kind prescribed by the
Accreditation Rules for the
purposes of
paragraph 14(1)(d)
(a) the entity:
(i) must be accredited to provide
services of that kind; and
(ii) must hold an approval under
section 62 to participate in the
system; and
(iii) must meet any other
requirements prescribed by the
Australian Government Digital ID System
Chapter 4
Australian Government Digital ID System
Part 2
Australian Government Digital ID System
Division 1
Section 59
No. , 2023
Digital ID Bill 2023
63
Services provided or received within the Australian Government Digital ID
System
Item
Column 1
Entity
Column 2
Requirements
Digital ID Rules; and
(b) the participation start day for the entity
must have arrived or passed
(2) An entity contravenes this subsection if:
1
(a) the entity provides or receives services within the Australian
2
Government Digital ID System; and
3
(b) the entity is not an entity mentioned in column 1 of an item
4
in the table in subsection (1).
5
Civil penalty:
1,000 penalty units.
6
(3) Subsection (2) does not apply to the following when performing
7
functions or exercising powers under this Act:
8
(a) the Digital ID Regulator;
9
(b) the System Administrator.
10
(4) Despite section 96 of the Regulatory Powers Act, in proceedings
11
for a civil penalty order against a person for a contravention of
12
subsection (2), the person does not bear an evidential burden in
13
relation to the matter in subsection (3).
14
(5) An entity contravenes this subsection if:
15
(a) the entity provides or receives services within the Australian
16
Government Digital ID System; and
17
(b) the entity is an entity mentioned in column 1 of an item in the
18
table in subsection (1); and
19
(c) the entity does not satisfy one or more requirements set out in
20
column 2 of that item.
21
Civil penalty:
1,000 penalty units.
22
Chapter 4
Australian Government Digital ID System
Part 2
Australian Government Digital ID System
Division 2
Participating in the Australian Government Digital ID System
Section 60
64
Digital ID Bill 2023
No. , 2023
Division
2--Participating in the Australian Government
1
Digital ID System
2
60 Phasing-in of participation in the Australian Government Digital
3
ID System
4
(1) The Minister may, by legislative instrument, determine the entities
5
that may apply to the Digital ID Regulator for approval to
6
participate in the Australian Government Digital ID System.
7
Note:
The determination may specify entities by class (see
8
subsection 33(3A) of the
Acts Interpretation Act 1901
).
9
(2) The determination may specify entities in any way, including by
10
reference to:
11
(a) whether the entities are relying parties or accredited entities;
12
or
13
(b) kinds of relying parties; or
14
(c) kinds of accredited entities; or
15
(d) whether the entity belongs to the public or private sector.
16
(3) The Minister:
17
(a) must not revoke the determination; and
18
(b) may vary the determination only to:
19
(i) specify additional kinds of entities that may apply; or
20
(ii) correct an error, defect or irregularity in the
21
determination.
22
61 Applying for approval to participate in the Australian
23
Government Digital ID System
24
An entity may apply to the Digital ID Regulator for approval to
25
participate in the Australian Government Digital ID System if:
26
(a) the entity is an accredited entity that is a non-corporate
27
Commonwealth entity, within the meaning of the
Public
28
Governance, Performance and Accountability Act 2013
; or
29
(b) the entity is a relying party that is:
30
Australian Government Digital ID System
Chapter 4
Australian Government Digital ID System
Part 2
Participating in the Australian Government Digital ID System
Division 2
Section 62
No. , 2023
Digital ID Bill 2023
65
(i) a Commonwealth entity, or a Commonwealth company,
1
within the meaning of the
Public Governance,
2
Performance and Accountability Act 2013
; or
3
(ii) a person or body that is an agency within the meaning
4
of the
Freedom of Information Act 1982
; or
5
(iii) a body specified, or the person holding an office
6
specified, in Part I of Schedule 2 to the
Freedom of
7
Information Act 1982
; or
8
(c) the entity is covered by a determination made under
9
section 60 and is:
10
(i) an accredited entity; or
11
(ii) an entity that has applied for accreditation under
12
section 14; or
13
(iii) a relying party that is an Australian entity; or
14
(iv) a relying party that is a registered foreign company
15
(within the meaning of the
Corporations Act 2001
).
16
Note 1:
Only entities of particular kinds can be, or apply to be, an accredited
17
entity (see subsection 14(2)).
18
Note 2:
See Part 5 of Chapter 9 for matters relating to applications.
19
62 Approval to participate in the Australian Government Digital ID
20
System
21
(1) The Digital ID Regulator may approve an entity to participate in
22
the Australian Government Digital ID System if:
23
(a) the entity has made an application under section 61; and
24
(b) unless the entity is a relying party
--
the entity is an accredited
25
entity; and
26
(c) the Digital ID Regulator is satisfied that the entity will
27
comply with the Digital ID Data Standards that apply in
28
relation to the entity and that relate to participation in the
29
Australian Government Digital ID System; and
30
(d) if the Digital ID Regulator makes a requirement under
31
paragraph 131(1)(a) in relation to the entity
--
the entity has
32
been assessed as being able to comply with this Act; and
33
(e) the Digital ID Regulator is satisfied that it is appropriate to
34
approve the entity to participate in the system; and
35
Chapter 4
Australian Government Digital ID System
Part 2
Australian Government Digital ID System
Division 2
Participating in the Australian Government Digital ID System
Section 62
66
Digital ID Bill 2023
No. , 2023
(f) any other requirements prescribed by the Digital ID Rules are
1
met.
2
(2) Without limiting paragraph (1)(e), the Digital ID Regulator may
3
have regard to the following matters when considering whether it is
4
appropriate to approve the entity:
5
(a) whether the entity is a fit and proper person;
6
(b) whether the entity has appropriate procedures for dealing
7
with the identities (whether real or not, and whether assumed
8
or not) of shielded persons.
9
Note:
In having regard to whether an entity is a fit and proper person for the
10
purposes of paragraph (a), the Digital ID Regulator must have regard
11
to any matters specified in the Digital ID Rules and may have regard
12
to any other matters considered relevant (see section 12).
13
(3) Without limiting paragraph (1)(f), the Digital ID Rules may
14
prescribe requirements relating to the security, reliability and
15
stability of the Australian Government Digital ID System.
16
(4) However, the Digital ID Regulator must not approve an entity to
17
participate in the Australian Government Digital ID System if a
18
direction under subsection 73(1) (about security) directing the
19
Digital ID Regulator to refuse to approve the entity is in force.
20
(5) The Digital ID Regulator must:
21
(a) give written notice of a decision to approve, or to refuse to
22
approve, an entity to participate in the Australian
23
Government Digital ID System; and
24
(b) if the decision is to refuse to approve the entity
--
give
25
reasons for the decision to the entity.
26
(6) If the Digital ID Regulator approves an entity to participate in the
27
Australian Government Digital ID System, the notice must set out:
28
(a) the day the approval comes into force; and
29
(b) whether the entity is a participating relying party or an
30
accredited entity and, if the entity is an accredited entity, the
31
kind of accredited entity it is accredited as; and
32
(c) any conditions imposed on the approval under
33
subsection 64(2); and
34
Australian Government Digital ID System
Chapter 4
Australian Government Digital ID System
Part 2
Participating in the Australian Government Digital ID System
Division 2
Section 63
No. , 2023
Digital ID Bill 2023
67
(d) the day on which the entity must begin to participate in the
1
Australian Government Digital ID System.
2
Note:
It is a condition of the entity's approval that the entity
begin to
3
participate on the day referred to in paragraph (d) (see
4
paragraph 64(1)(c)). An entity must not begin to participate before
5
that day (see the requirements in column 2 of the table in
6
subsection 59(1)).
7
63 Approval to participate in the Australian Government Digital ID
8
System is subject to conditions
9
(1) The approval of an entity to participate in the Australian
10
Government Digital ID System is subject to the following
11
conditions (the
approval conditions
):
12
(a) the conditions set out in subsection 64(1);
13
(b) the conditions (if any) imposed by the Digital ID Regulator
14
under subsection 64(2), including as varied under
15
subsection 66(1);
16
(c) the conditions (if any) determined by the Digital ID Rules for
17
the purposes of subsection 64(5).
18
(2) An entity that holds an approval to participate in the Australian
19
Government Digital ID System must comply with the approval
20
conditions that apply to the entity.
21
Note:
Failure to comply with an approval condition may result in a
22
suspension or revocation of the entity's approval to
participate (see
23
sections 71 and 72).
24
64 Conditions on approval to participate in the Australian
25
Government Digital ID System
26
Conditions imposed by the Act
27
(1) The approval of an entity to participate in the Australian
28
Government Digital ID System is subject to the following
29
conditions:
30
(a) unless the entity is a relying party
--
the entity must be an
31
accredited entity;
32
(b) if the entity is an accredited entity:
33
Chapter 4
Australian Government Digital ID System
Part 2
Australian Government Digital ID System
Division 2
Participating in the Australian Government Digital ID System
Section 64
68
Digital ID Bill 2023
No. , 2023
(i) the entity must participate in the Australian Government
1
Digital ID System only as the kind of accredited entity it
2
is accredited as and approved to participate as; and
3
(ii) the entity must provide only its accredited services in
4
the Australian Government Digital ID System;
5
(c) the entity must begin to participate in the Australian
6
Government Digital ID System
on the entity's
participation
7
start day;
8
(d) the entity must comply with this Act.
9
Conditions imposed by the Digital ID Regulator
10
(2) The Digital ID Regulator:
11
(a) may impose conditions on the approval of an entity to
12
participate in the Australian Government Digital ID System,
13
either at the time of approval or at a later time, if the Digital
14
ID Regulator considers that doing so is appropriate in the
15
circumstances; and
16
(b) must impose conditions on the approval of an entity to
17
participate in the Australian Government Digital ID System,
18
either at the time of approval or at a later time, if directed to
19
do so under subsection 73(1).
20
(3) Conditions may be imposed under paragraph (2)(a) on application
21
by the entity or on the Digital ID Regulator's own initiative.
22
(4) Without limiting paragraph (2)(a), the Digital ID Regulator may
23
impose conditions that relate to any of the following:
24
(a) the kind of accredited entity or participating relying party
25
that the entity must directly connect to in order to participate
26
in the Australian Government Digital ID System;
27
(b) the kinds of attributes of individuals that the entity is
28
authorised to collect or disclose and the circumstances in
29
which such attributes may be collected or disclosed;
30
(c) the kinds of attributes of individuals that the entity must not
31
collect;
32
(d) for an accredited entity
--
the circumstances in which the
33
entity may or must not provide its accredited services within
34
the Australian Government Digital ID System;
35
Australian Government Digital ID System
Chapter 4
Australian Government Digital ID System
Part 2
Participating in the Australian Government Digital ID System
Division 2
Section 64
No. , 2023
Digital ID Bill 2023
69
(e) for an accredited entity
--
the accredited services of the entity
1
that the entity must provide within the Australian
2
Government Digital ID System;
3
(f) for a relying party
--
the services the relying party is approved
4
to provide, or to provide access to, within the Australian
5
Government Digital ID System;
6
(g)
actions that the entity must take before the entity's approval
7
to participate in the Australian Government Digital ID
8
System is suspended or revoked.
9
Note 1:
For the purposes of paragraph (b), the Digital ID Regulator must have
10
regard to the matters in subsection 65(2) before authorising an entity
11
to collect or disclose restricted attributes of individuals within the
12
Australian Government Digital ID System. If the Digital ID Regulator
13
gives such an authorisation, the Digital ID Regulator must publish a
14
statement of reasons (see subsection 65(3)).
15
Note 2:
An accredited entity may contravene a civil penalty provision of this
16
Act if it discloses a restricted attribute of an individual and the
17
accredited
entity's conditions on accreditation do not authorise the
18
disclosure (see subsection 46(2)).
19
Conditions imposed by the Digital ID Rules
20
(5) The Digital ID Rules may determine that the approval of each
21
entity, or of each entity included in a specified class, to participate
22
in the Australian Government Digital ID System is subject to one
23
or more specified conditions.
24
(6) Without limiting subsection (5), the Digital ID Rules may impose
25
conditions that relate to the matters mentioned in subsection (4).
26
Note:
The Minister must have regard to the matters in subsection 65(5)
27
before making Digital ID Rules that authorise participating relying
28
parties to collect or disclose restricted attributes of individuals within
29
the Australian Government Digital ID System.
30
Chapter 4
Australian Government Digital ID System
Part 2
Australian Government Digital ID System
Division 2
Participating in the Australian Government Digital ID System
Section 65
70
Digital ID Bill 2023
No. , 2023
65 Conditions relating to restricted attributes of individuals
1
Matters to which the Digital ID Regulator must have regard before
2
authorising disclosure etc. of restricted attributes
3
(1) Subsection (2) applies if the Digital ID Regulator proposes to
4
impose a condition on an entity's approval to
participate in the
5
Australian Government Digital ID System authorising the entity:
6
(a) to collect or disclose a restricted attribute of an individual
7
within the Australian Government Digital ID System; or
8
(b) to disclose a restricted attribute of an individual that is
9
collected by the entity within the Australian Government
10
Digital ID System to an entity outside the system.
11
(2) In deciding whether to impose the condition, the Digital ID
12
Regulator must have regard to the following matters:
13
(a) whether the entity has provided sufficient justification for the
14
need to collect or disclose the restricted attribute;
15
(b) whether the entity has demonstrated that a similar outcome
16
cannot be achieved without collecting or disclosing the
17
restricted attribute;
18
(c) if the collection or disclosure of the restricted attribute is
19
regulated by other legislative or regulatory requirements
--
20
whether the entity would be able to comply with those
21
requirements if the condition were imposed;
22
(d) the potential harm that could result if restricted attributes of
23
that kind were disclosed to an entity that was not authorised
24
to collect them;
25
(e) community expectations as to whether restricted attributes of
26
that kind should be handled more securely than other kinds of
27
attributes;
28
(f) any of the following information provided by the entity
29
seeking authorisation to collect or disclose the restricted
30
attribute:
31
(i)
the entity'
s risk assessment plan as it relates to the
32
restricted attribute;
33
(ii)
the entity's privacy impact assessment as it relates to the
34
restricted attribute;
35
Australian Government Digital ID System
Chapter 4
Australian Government Digital ID System
Part 2
Participating in the Australian Government Digital ID System
Division 2
Section 65
No. , 2023
Digital ID Bill 2023
71
(iii)
the effectiveness of the entity's protective security
1
(including security governance, information security,
2
personnel security and physical security), privacy
3
arrangements and fraud control arrangements;
4
(g) any other matter the Digital ID Regulator considers relevant.
5
Requirement to give statement of reasons if authorisation given
6
(3) If the Digital ID Regulator imposes the condition authorising the
7
entity to collect or disclose a restricted attribute of an individual,
8
the Digital ID Regulator must publish on the Digital ID
9
Regulator's website a statement of reasons for giving the
10
authorisation.
11
Matters to which the Minister must have regard before authorising
12
disclosure etc. of restricted attributes
13
(4) Subsection (5) applies if the Minister proposes to make Digital ID
14
Rules for the purposes of subsection 64(5) providing that specified
15
kinds of entities are authorised to collect or disclose specified kinds
16
of restricted attributes of individuals, either generally or in
17
specified circumstances.
18
(5) In deciding whether to make the Digital ID Rules, the Minister
19
must have regard to the following matters:
20
(a) the potential harm that could result if restricted attributes of
21
that kind were disclosed to an entity;
22
(b) community expectations as to whether restricted attributes of
23
that kind should be handled more securely than other kinds of
24
attributes;
25
(c) if the collection or disclosure of the restricted attribute is
26
regulated by other legislative or regulatory requirements
--
27
whether the entities would be able to comply with those
28
requirements if the rules were made;
29
(d) any privacy impact assessment that has been conducted in
30
relation to the proposal to make the rules;
31
(e) any other matter the Minister considers relevant.
32
Chapter 4
Australian Government Digital ID System
Part 2
Australian Government Digital ID System
Division 2
Participating in the Australian Government Digital ID System
Section 66
72
Digital ID Bill 2023
No. , 2023
66 Variation and revocation of conditions
1
(1) The Digital ID Regulator may vary or revoke a condition imposed
2
on an entity's appro
val under paragraph 64(2)(a):
3
(a)
at any time, on the Digital ID Regulator's own initiative; or
4
(b) on application by the entity under section 67;
5
if the Digital ID Regulator considers it is appropriate to do so.
6
(2) Without limiting subsection (1), the Digital ID Regulator may have
7
regard to matters relating to the security, reliability and stability of
8
the Australian Government Digital ID System when considering
9
whether it is appropriate to vary or revoke a condition.
10
(3) The Digital ID Regulator must revoke a condition imposed under
11
paragraph 64(2)(b) if the direction to impose the condition is
12
revoked.
13
67 Applying for variation or revocation of conditions on approval
14
(1) An entity that holds an approval to participate in the Australian
15
Government Digital ID System may apply for a condition imposed
16
on the approval under paragraph 64(2)(a) to be varied or revoked.
17
Note:
See Part 5 of Chapter 9 for matters relating to applications.
18
(2) If, after receiving an application under subsection (1), the Digital
19
ID Regulator refuses to vary or revoke a condition, the Digital ID
20
Regulator must give to the entity written notice of the refusal,
21
including reasons for the refusal.
22
68 Notice before changes to conditions on approval
23
(1) The Digital ID Regulator must
not, on the Digital ID Regulator's
24
own initiative:
25
(a) impose a condition under paragraph 64(2)(a)
on an entity's
26
approval to participate in the Australian Government Digital
27
ID System after the approval has been given; or
28
(b) vary or revoke a condition imposed under subsection 66(1);
29
unless the Digital ID Regulator has given the entity a written notice
30
in accordance with subsection (2) of this section.
31
Australian Government Digital ID System
Chapter 4
Australian Government Digital ID System
Part 2
Participating in the Australian Government Digital ID System
Division 2
Section 69
No. , 2023
Digital ID Bill 2023
73
(2) The notice must:
1
(a) state the proposed condition, variation or revocation; and
2
(b) request the entity to give the Digital ID Regulator, within the
3
period specified in the notice, a written statement relating to
4
the proposed condition, variation or revocation.
5
(3) The Digital ID Regulator must consider any written statement
6
given within the period specified in the notice before making a
7
decision to:
8
(a) impose a condition under paragraph 64(2)(a)
on an entity's
9
approval to participate in the Australian Government Digital
10
ID System; or
11
(b) vary or revoke a condition under subsection 66(1) on an
12
ent
ity's approval to
participate in the Australian Government
13
Digital ID System.
14
(4) This section does not apply if the Digital ID Regulator reasonably
15
believes that the need to impose, vary or revoke the condition is
16
serious and urgent.
17
(5) If this section does not apply to an entity because of subsection (4),
18
the Digital ID Regulator must give a written statement of reasons
19
to the entity as to why the Digital ID Regulator reasonably believes
20
that the need to impose, vary or revoke the condition is serious and
21
urgent.
22
(6) The statement of reasons under subsection (5) must be given within
23
7 days after the condition is imposed, varied or revoked.
24
69 Notice of decision of changes of conditions on approval
25
(1) Subject to subsection (2), the Digital ID Regulator must give an
26
entity written notice of a decision to impose, vary or revoke a
27
condition on an entity's approval to
participate in the Australian
28
Government Digital ID System.
29
(2) The Digital ID Regulator is not required to give an entity notice of
30
the decision if notice of the condition was given in a notice under
31
subsection 62(5).
32
(3) The notice must:
33
Chapter 4
Australian Government Digital ID System
Part 2
Australian Government Digital ID System
Division 2
Participating in the Australian Government Digital ID System
Section 69
74
Digital ID Bill 2023
No. , 2023
(a) state the condition or the variation, or state that the condition
1
is revoked; and
2
(b) state the day on which the condition, variation or revocation
3
takes effect.
4
Australian Government Digital ID System
Chapter 4
Australian Government Digital ID System
Part 2
Varying, suspending and revoking approval to participate
Division 3
Section 70
No. , 2023
Digital ID Bill 2023
75
Division
3--Varying, suspending and revoking approval to
1
participate
2
70 Varying approval to participate in the Australian Government
3
Digital ID System
4
The Digital ID Regulator may vary an approval given to an entity
5
under section 62 to tak
e account of a change in the entity's name.
6
Note:
The Digital ID Regulator can also vary conditions on an approval to
7
participate (see section 66).
8
71 Suspension of approval to participate in the Australian
9
Government Digital ID System
10
Digital ID Regulato
r must suspend approval if Minister's direction
11
about suspension is in force
12
(1) The Digital ID Regulator must, in writing, suspend an approval
13
given to an entity under section 62 if a direction under
14
subsection 73(1) directing the Digital ID Regulator to do so is in
15
force in relation to the entity.
16
Digital ID Regulator may suspend approval in other circumstances
17
(2) The Digital ID Regulator may, in writing, suspend an approval
18
given to an entity under section 62 if:
19
(a) the Digital ID Regulator reasonably believes that the entity
20
has contravened or is contravening this Act; or
21
(b) the Digital ID Regulator reasonably believes that:
22
(i) there has been a cyber security incident involving the
23
entity; and
24
(ii) the incident involves a risk to the operation of the
25
Australian Government Digital ID System; or
26
(c) if the entity is a body corporate
--
the entity is a Chapter 5
27
body corporate (within the meaning of the
Corporations Act
28
2001
); or
29
Chapter 4
Australian Government Digital ID System
Part 2
Australian Government Digital ID System
Division 3
Varying, suspending and revoking approval to participate
Section 71
76
Digital ID Bill 2023
No. , 2023
(d) if the entity is an individual
--
the entity is an insolvent under
1
administration; or
2
(e) the Digital ID Regulator is satisfied that it is not appropriate
3
for the entity to participate in the Australian Government
4
Digital ID System; or
5
(f) circumstances specified in the Digital ID Rules apply in
6
relation to the entity.
7
Note:
The Digital ID Regulator may impose conditions on an entity's
8
approval before suspending it (see paragraph 64(4)(g)).
9
(3) In determining whether the Digital ID Regulator is satisfied of the
10
matter in paragraph (2)(e), regard may be had to whether the entity
11
is a fit and proper person.
12
Note:
In having regard to whether an entity is a fit and proper person, the
13
Digital ID Regulator must have regard to any matters specified in the
14
Digital ID Rules and may have regard to any other matters considered
15
relevant (see section 12).
16
(4) Subsection (3) does not limit paragraph (2)(e).
17
Digital ID Regulator may suspend approval on application
18
(5) The Digital ID Regulator may, on application by an entity, suspend
19
an approval given to the entity under section 62.
20
Note:
See Part 5 of Chapter 9 for matters relating to applications.
21
Show cause notice must generally be given before decision to
22
suspend
23
(6) Before suspending the approval of an entity under subsection (2),
24
the Digital ID Regulator must give a written notice (a
show cause
25
notice
) to the entity.
26
(7) The show cause notice must:
27
(a) state the grounds on which the Digital ID Regulator proposes
28
to suspend the entity's approval; and
29
(b) invite the entity to give the Digital ID Regulator, within 28
30
days after the day the notice is given, a written statement
31
showing cause why the Digital ID Regulator should not
32
suspend the approval.
33
Australian Government Digital ID System
Chapter 4
Australian Government Digital ID System
Part 2
Varying, suspending and revoking approval to participate
Division 3
Section 71
No. , 2023
Digital ID Bill 2023
77
Exception
--
cyber security incident or security
1
(8) Subsection (6) does not apply if the suspension is on a ground
2
mentioned in paragraph (2)(b).
3
Notice of suspension
4
(9)
If the Digital ID Regulator suspends an entity's approval under
5
subsection (1), (2) or (5), the Digital ID Regulator must give the
6
entity a written notice stating the following:
7
(a)
that the entity's approval to
participate in the Australian
8
Government Digital ID System is suspended;
9
(b) the reasons for the suspension;
10
(c) the day the suspension is to start;
11
(d) if the approval is suspended for a period
--
the period of the
12
suspension;
13
(e) if the approval is suspended until a specified event occurs or
14
action is taken
--
the event or action.
15
Note:
An entity whose approval to participate is suspended remains subject
16
to certain obligations under this Act, including in relation to record
17
keeping (see section 135) and the destruction or de-identification of
18
personal information (see section 136). Such entities may also be
19
subject to directions from the System Administrator (see section 130).
20
Revocation of suspension
21
(10) If the approval of an entity is suspended under subsection (1), the
22
suspension is revoked if the direction referred to in that
23
subsection is revoked.
24
(11) The Digital ID Regulator may revoke a suspension of an approval
25
of an entity under subsection (2) by written notice to the entity.
26
(12) The Digital ID Regulator may revoke a suspension of an approval
27
of an entity under subsection (5) by written notice to the entity, if
28
the entity requests the suspension be revoked.
29
Effect of suspension
30
(13) If the approval of an entity to participate in the Australian
31
Government Digital ID System is suspended under subsection (1),
32
Chapter 4
Australian Government Digital ID System
Part 2
Australian Government Digital ID System
Division 3
Varying, suspending and revoking approval to participate
Section 72
78
Digital ID Bill 2023
No. , 2023
(2) or (5), the entity is taken not to hold the approval while it is
1
suspended.
2
72 Revocation of approval to participate in the Australian
3
Government Digital ID System
4
Digital ID Regulator must revoke approval if Minister gives a
5
direction to do so
6
(1) The Digital ID Regulator must, in writing, revoke an approval
7
given to an entity under section 62 if the Minister gives a direction
8
under subsection 73(1) to do so.
9
Digital ID Regulator may revoke approval
10
(2) The Digital ID Regulator may, in writing, revoke an approval
11
given to an entity under section 62 if:
12
(a) the Digital ID Regulator reasonably believes that the entity
13
has contravened or is contravening this Act; or
14
(b) the Digital ID Regulator reasonably believes that:
15
(i) there has been a cyber security incident involving the
16
entity; and
17
(ii) the cyber security incident is serious; or
18
(c) if the entity is a body corporate
--
the entity is a Chapter 5
19
body corporate (within the meaning of the
Corporations Act
20
2001
); or
21
(d) if the entity is an individual
--
the entity is an insolvent under
22
administration; or
23
(e) the Digital ID Regulator is satisfied that it is not appropriate
24
for the entity to participate in the Australian Government
25
Digital ID System; or
26
(f) circumstances specified in the Digital ID Rules apply in
27
relation to the entity.
28
Note:
The Digital ID Regulator may impose conditions on an entity's
29
approval before revoking it (see paragraph 64(4)(g)).
30
(3) In determining whether the Digital ID Regulator is satisfied of the
31
matter in paragraph (2)(e), regard may be had to whether the entity
32
is a fit and proper person.
33
Australian Government Digital ID System
Chapter 4
Australian Government Digital ID System
Part 2
Varying, suspending and revoking approval to participate
Division 3
Section 72
No. , 2023
Digital ID Bill 2023
79
Note:
In having regard to whether an entity is a fit and proper person, the
1
Digital ID Regulator must have regard to any matters specified in the
2
Digital ID Rules and may have regard to any other matters considered
3
relevant (see section 12).
4
(4) Subsection (3) does not limit paragraph (2)(e).
5
Revocation on application
6
(5) The Digital ID Regulator must, on application by an entity, revoke
7
an approval given to the entity under section 62. The revocation
8
takes effect on the day determined by the Digital ID Regulator.
9
Note:
See Part 5 of Chapter 9 for matters relating to applications.
10
Show cause notice must generally be given before decision to
11
revoke
12
(6) Before revoking the approval of an entity under subsection (2), the
13
Digital ID Regulator must give a written notice (a
show cause
14
notice
) to the entity.
15
(7) The show cause notice must:
16
(a) state the grounds on which the Digital ID Regulator proposes
17
to revoke the entity's approval; and
18
(b) invite the entity to give the Digital ID Regulator, within 28
19
days after the day the notice is given, a written statement
20
showing cause why the Digital ID Regulator should not
21
revoke the approval.
22
Notice of revocation
23
(8) If the Digital ID Regulator is to
revoke an entity's approval under
24
subsection (1), (2) or (5), the Digital ID Regulator must give the
25
entity a written notice stating the following:
26
(a)
that the entity's approval to
participate in the Australian
27
Government Digital ID System is to be revoked;
28
(b) the reasons for the revocation;
29
(c) the day the revocation is to take effect.
30
Note:
An entity whose approval to participate has been revoked remains
31
subject to certain obligations under this Act, including in relation to
32
Chapter 4
Australian Government Digital ID System
Part 2
Australian Government Digital ID System
Division 3
Varying, suspending and revoking approval to participate
Section 72
80
Digital ID Bill 2023
No. , 2023
record keeping (see section 135) and the destruction or
1
de-identification of personal information (see section 136).
2
Approval can be revoked even while suspended
3
(9) Despite subsection 71(13), the Digital ID Regulator may revoke an
4
entity's approval to
participate in the Australian Government
5
Digital ID System under this section even if a suspension is in
6
force under section 71 in relation to the entity.
7
Australian Government Digital ID System
Chapter 4
Australian Government Digital ID System
Part 2
Minister's directions regarding participation
Division 4
Section 73
No. , 2023
Digital ID Bill 2023
81
Division
4--Minister's directions regarding participation
1
73 Min
ister's directions regarding participation
2
(1) The Minister may, in writing, direct the Digital ID Regulator to do
3
any of the following if, for reasons of security (within the meaning
4
of the
Australian Security Intelligence Organisation Act 1979
),
5
including on the basis of an adverse or qualified security
6
assessment in respect of a person, the Minister considers it
7
appropriate to do so:
8
(a) refuse to approve an entity to participate in the Australian
9
Government Digital ID System;
10
(b) impose conditions on the approval of an entity to participate
11
in the Australian Government Digital ID System;
12
(c) suspend the approval of an entity to participate in the
13
Australian Government Digital ID System;
14
(d) revoke the approval of an entity to participate in the
15
Australian Government Digital ID System.
16
(2) If the Minister gives a direction under subsection (1), the Digital
17
ID Regulator must comply with the direction.
18
(3) The direction remains in force unless it is revoked by the Minister.
19
The Minister must notify the Digital ID Regulator and the entity if
20
the Minister revokes the direction.
21
(4) Despite subsection (3), a direction given under subsection (1) to
22
revoke the approval of an entity to participate in the Australian
23
Government Digital ID System cannot be revoked.
24
(5) A direction given under this section is not a legislative instrument.
25
Chapter 4
Australian Government Digital ID System
Part 2
Australian Government Digital ID System
Division 5
Other matters relating to the Australian Government Digital ID System
Section 74
82
Digital ID Bill 2023
No. , 2023
Division
5--Other matters relating to the Australian
1
Government Digital ID System
2
74 Creating and using a digital ID is voluntary
3
Creating and using a digital ID is voluntary
4
(1) A participating relying party must not, as a condition of providing
5
a service or access to a service, require an individual to create or
6
use a digital ID.
7
Exceptions
8
(2) Subsection (1) does not apply to a service of a participating relying
9
party if:
10
(a) the service provides access to another service; and
11
(b) the individual can access the other service without creating or
12
using a digital ID through the Australian Government Digital
13
ID System.
14
Example: To open a bank account, ABC Bank requires new customers to verify
15
their identity. ABC Bank allows customers to do this in person at each
16
branch of ABC Bank or alternatively by using the bank's online
17
application service, which requires the use of a digital ID. Jacob wants
18
to open a bank account with ABC Bank but he does not wish to use
19
his digital ID to do so. Because Jacob can verify his identity by going
20
to his nearest branch instead, ABC Bank does not contravene
21
subsection (1).
22
(3) Subsection (1) does not apply if:
23
(a) the participating relying party is providing a service, or
24
access to a service, to an individual who is acting on behalf
25
of another entity in a professional or business capacity; or
26
(b) the participating relying party holds an exemption under
27
subsection (4).
28
Exemptions
29
(4) Subject to subsection (6), the Digital ID Regulator may, on
30
application by a participating relying party, grant an exemption
31
Australian Government Digital ID System
Chapter 4
Australian Government Digital ID System
Part 2
Other matters relating to the Australian Government Digital ID System
Division 5
Section 75
No. , 2023
Digital ID Bill 2023
83
under this subsection to the participating relying party if the Digital
1
ID Regulator is satisfied that it is appropriate to do so.
2
Note:
See Part 5 of Chapter 9 for matters relating to applications.
3
(5) Without limiting subsection (4), the Digital ID Regulator may be
4
satisfied that it is appropriate to grant an exemption if:
5
(a) the participating relying party is a small business (within the
6
meaning of the
Privacy Act 1988
); or
7
(b) the participating relying party provides services, or access to
8
services, solely online; or
9
(c) the participating relying party is providing services, or access
10
to services, in exceptional circumstances.
11
(6) However, the Digital ID Regulator must not grant an exemption
12
under subsection (4) to a participating relying party that is:
13
(a) a Commonwealth entity, or a Commonwealth company,
14
within the meaning of the
Public Governance, Performance
15
and Accountability Act 2013
; or
16
(b) a person or body that is an agency within the meaning of the
17
Freedom of Information Act 1982
; or
18
(c) a body specified, or the person holding an office specified, in
19
Part I of Schedule 2 to the
Freedom of Information Act 1982
.
20
(7) An exemption under subsection (4):
21
(a) must be in writing; and
22
(b) may be revoked by the Digital ID Regulator if the Digital ID
23
Regulator considers it appropriate to do so.
24
(8) The Digital ID Regulator must:
25
(a) give written notice of a decision to grant, or to refuse to
26
grant, the exemption to the participating relying party; and
27
(b) if the decision is to refuse to grant the exemption
--
give
28
reasons for the decision to the participating relying party.
29
75 Restriction on collection of restricted attributes of individuals by
30
participating relying parties
31
A participating relying party must not, while participating in the
32
Australian Government Digital ID System, collect a restricted
33
Chapter 4
Australian Government Digital ID System
Part 2
Australian Government Digital ID System
Division 5
Other matters relating to the Australian Government Digital ID System
Section 76
84
Digital ID Bill 2023
No. , 2023
attribute of an individual if the relying party's approval to
1
participate in the system does not include a condition that
2
authorises the relying party to collect the restricted attribute.
3
76 Notice before exemption is revoked
4
(1) The Digital ID Regulator must not revoke an exemption granted to
5
an entity under subsection 74(4) unless the Digital ID Regulator
6
has given the entity a written notice in accordance with
7
subsection (2) of this section.
8
(2) The notice must:
9
(a) state that the Digital ID Regulator proposes to revoke the
10
exemption; and
11
(b) give reasons for the proposed revocation; and
12
(c) request the entity to give the Digital ID Regulator, within the
13
period specified in the notice, a written statement relating to
14
the proposed revocation.
15
(3) The Digital ID Regulator must consider any written statement
16
given within the period specified in the notice before making a
17
decision to revoke the exemption.
18
(4) This section does not apply if the Digital ID Regulator reasonably
19
believes that the need to revoke the exemption is serious and
20
urgent.
21
77 Holding etc. information outside Australia
22
(1) The Digital ID Rules may make provision in relation to the
23
holding, storing, handling or transfer of information outside
24
Australia if the information is or was generated, collected, held or
25
stored by accredited entities within the Australian Government
26
Digital ID System.
27
(2) Without limiting subsection (1), the Digital ID Rules may:
28
(a) prohibit (either absolutely or unless particular circumstances
29
are met or conditions are complied with) the holding, storing,
30
handling or transferring of such information outside
31
Australia; and
32
Australian Government Digital ID System
Chapter 4
Australian Government Digital ID System
Part 2
Other matters relating to the Australian Government Digital ID System
Division 5
Section 78
No. , 2023
Digital ID Bill 2023
85
(b) empower the Digital ID Regulator to grant exemptions to
1
entities from any such prohibitions; and
2
(c) be expressed to apply to all entities or entities of a specified
3
kind.
4
(3) An entity is liable to a civil penalty if:
5
(a) the entity is subject to a requirement under the Digital ID
6
Rules made for the purposes of subsection (1); and
7
(b) the entity fails to comply with the requirement.
8
Civil penalty:
1,500 penalty units.
9
78 Reportable incidents
10
(1) The Digital ID Rules may prescribe arrangements relating to the
11
notification and management of incidents (
reportable incidents
)
12
that have occurred, or are reasonably suspected of having occurred,
13
in relation to the Australian Government Digital ID System.
14
Note:
The Accreditation Rules may also provide for such arrangements in
15
relation to incidents that occur outside the Australian Government
16
Digital ID System (see subparagraph 28(2)(a)(iv)).
17
(2) Without limiting subsection (1), the Digital ID Rules may make
18
provision in relation to the following matters:
19
(a) the entities that are covered by the arrangements;
20
(b) the kinds of incidents that must be notified;
21
(c) the information that must be included in notification about
22
reportable incidents;
23
(d) the manner in which and period within which reportable
24
incidents must be notified to the Digital ID Regulator or the
25
System Administrator;
26
(e) action that must be taken in relation to reportable incidents;
27
(f) how the Digital ID Regulator or System Administrator deals
28
with reportable incidents, including action that may be taken
29
by the Digital ID Regulator or System Administrator in
30
dealing with a reportable incident such as:
31
(i) requiring an entity to do something; or
32
(ii) authorising the provision of information relating to
33
reportable incidents by the Digital ID Regulator or
34
Chapter 4
Australian Government Digital ID System
Part 2
Australian Government Digital ID System
Division 5
Other matters relating to the Australian Government Digital ID System
Section 79
86
Digital ID Bill 2023
No. , 2023
System Administrator to the Minister, the Information
1
Commissioner, accredited entities, participating relying
2
parties or other specified bodies;
3
(g) authorising the collection of information relating to
4
reportable incidents by the Minister, the Information
5
Commissioner, accredited entities, participating relying
6
parties or other specified bodies.
7
(3) Without limiting paragraph (2)(b), the Digital ID Rules may
8
specify the following kinds of incidents:
9
(a) digital ID fraud incidents;
10
(b) cyber security incidents;
11
(c) changes in control (within the meaning of section 910B of
12
the
Corporations Act 2001
) of entities covered by the
13
arrangements;
14
(d) if an accredited entity engages contractors to provide an
15
accredited service, or part of an accredited service, of the
16
entity
--
changes in relation to such contractors.
17
(4) An entity is liable to a civil penalty if:
18
(a) the entity is subject to a requirement under the Digital ID
19
Rules made for the purposes of subsection (1); and
20
(b) the entity fails to comply with the requirement.
21
Civil penalty:
1,500 penalty units.
22
79 Interoperability
23
(1) The Digital ID Rules may provide for or in relation to requirements
24
relating to the interoperability obligation within the Australian
25
Government Digital ID System.
26
(2) For the purposes of subsection (1), the
interoperability obligation
27
means:
28
(a) the obligation on participating relying parties to provide
29
individuals with a choice of accredited identity service
30
providers when the individual seeks to verify their identity or
31
authenticate their digital ID or other information; and
32
Australian Government Digital ID System
Chapter 4
Australian Government Digital ID System
Part 2
Other matters relating to the Australian Government Digital ID System
Division 5
Section 79
No. , 2023
Digital ID Bill 2023
87
(b) the obligation on accredited entities participating in the
1
Australian Government Digital ID System to provide their
2
accredited services to other entities participating in the
3
system.
4
(3) Without limiting subsection (1), the Digital ID Rules may do any
5
of the following:
6
(a) specify the circumstances in which the interoperability
7
obligation applies to participating relying parties and
8
accredited entities;
9
(b) provide for the Minister, on application, to grant exemptions
10
from the interoperability obligation;
11
(c) specify the grounds on which the Minister may grant
12
exemptions, which may include the following:
13
(i) that the Minister is satisfied that a service, or access to a
14
service, provided by a participating relying party that is
15
a government entity is of a kind that should use only
16
accredited services of a government entity;
17
(ii) that the participating relying party provides a service, or
18
access to a service, that the Minister is satisfied is of a
19
kind that would promote use of digital IDs if the
20
service, or access to the service, was available through
21
the Australian Government Digital ID System;
22
(iii) that the exemption is of a limited duration to allow for
23
the implementation of required business practices or
24
technological systems, or to facilitate the use of the
25
Australian Government Digital ID System by particular
26
kinds of entities;
27
(iv) that an entity will provide an arrangement to assist
28
individuals who would otherwise be at a disadvantage in
29
accessing the Australian Government Digital ID
30
System;
31
(v) the exemption is necessary to satisfy the requirements of
32
another legislative provision or scheme;
33
(vi) that the governance arrangements of an accredited entity
34
prohibit or restrict the entity from interacting with a
35
particular kind of service.
36
Chapter 4
Australian Government Digital ID System
Part 2
Australian Government Digital ID System
Division 5
Other matters relating to the Australian Government Digital ID System
Section 80
88
Digital ID Bill 2023
No. , 2023
80 Service levels for accredited entities and participating relying
1
parties
2
(1) The Digital ID Data Standards Chair may, in writing, determine
3
either or both of the following:
4
(a) service levels relating to the availability and performance of
5
the information technology systems through which accredited
6
entities that hold an approval to participate in the Australian
7
Government Digital ID System will provide their accredited
8
services;
9
(b) service levels relating to the availability and performance of
10
the services participating relying parties are approved to
11
provide, or provide access to, within the Australian
12
Government Digital ID System.
13
(2) Before making, amending or revoking a determination under
14
subsection (1), the Digital ID Data Standards Chair must consult
15
the System Administrator.
16
(3) A determination made under subsection (1) is a legislative
17
instrument, but section 42 (disallowance) of the
Legislation Act
18
2003
does not apply to the instrument.
19
81 Entities may conduct testing in relation to the Australian
20
Government Digital ID System
21
(1) The System Administrator may authorise an entity to conduct
22
testing in relation to the Australian Government Digital ID System
23
for the purposes of determining the entity's capability or suitability
24
to participate in the system.
25
(2) The authorisation:
26
(a) must be in writing; and
27
(b) must specify the period for which it is in force, which must
28
not exceed 3 months; and
29
(c) may be granted unconditionally or subject to conditions.
30
Note:
The System Administrator may vary or revoke the authorisation: see
31
subsection 33(3) of the
Acts Interpretation Act 1901
.
32
Australian Government Digital ID System
Chapter 4
Australian Government Digital ID System
Part 2
Other matters relating to the Australian Government Digital ID System
Division 5
Section 82
No. , 2023
Digital ID Bill 2023
89
(3) If an authorisation under this section is given subject to a condition
1
and the condition is not met at a particular time, the authorisation
2
ceases to be in force at that time.
3
82 Use and disclosure of personal information to conduct testing
4
(1) An accredited entity may use or disclose personal information of
5
an individual if:
6
(a) the accredited entity uses or discloses the information for the
7
purposes of conducting testing in relation to the Australian
8
Government Digital ID System; and
9
(b) the accredited entity or another entity is authorised under
10
section 81 to conduct the testing using the information; and
11
(c) the individual to whom the information relates has expressly
12
consented to the use or disclosure of the information for that
13
purpose.
14
(2) This section applies despite anything else in this Act.
15
83 Prohibition on holding out that an entity holds an approval
16
An entity must not hold out that the entity holds an approval to
17
participate in the Australian Government Digital ID System if that
18
is not the case.
19
Civil penalty:
1,000 penalty units.
20
Chapter 4
Australian Government Digital ID System
Part 3
Liability and redress framework
Division 1
Liability of participating entities
Section 84
90
Digital ID Bill 2023
No. , 2023
Part
3--Liability and redress framework
1
Division
1--Liability of participating entities
2
84 Accredited entities participating in the Australian Government
3
Digital ID System protected from liability in certain
4
circumstances
5
(1) An accredited entity is not liable to an action or other proceeding,
6
whether civil or criminal, for or in relation to the provision or
7
non-provision of an accredited service of the entity to another
8
accredited entity participating in the Australian Government
9
Digital ID System, or to a participating relying party, if:
10
(a) the accredited entity provides or does not provide the
11
accredited service, in good faith, in compliance with this Act
12
(other than the service levels determined under section 80);
13
or
14
(b) both of the following apply:
15
(i) the accredited entity does not comply with this Act
16
(other than the service levels determined under
17
section 80) in relation to the accredited service;
18
(ii) the non-compliance is not the ground or cause for the
19
action or the other proceeding.
20
(2) An entity that wishes to rely on subsection (1) in relation to an
21
action or other proceeding bears an evidential burden (within the
22
meaning of the Regulatory Powers Act) in relation to that matter.
23
Australian Government Digital ID System
Chapter 4
Liability and redress framework
Part 3
Statutory contract
Division 2
Section 85
No. , 2023
Digital ID Bill 2023
91
Division
2--Statutory contract
1
85 Statutory contract between entities participating in the
2
Australian Government Digital ID System
3
(1) A contract is taken to be in force between:
4
(a) an accredited entity that holds an approval to participate in
5
the Australian Government Digital ID System and each other
6
accredited entity that also holds such an approval; and
7
(b) an accredited entity and each participating relying party;
8
under which each accredited entity agrees to:
9
(c) provide the
entity's accredited
services while participating in
10
the Australian Government Digital ID System in compliance
11
with this Act (other than the service levels determined under
12
section 80), to the extent it relates to verifying the identity of
13
an individual or authenticating a digital ID of, or information
14
about, an individual; and
15
(d) comply with requirements in relation to intellectual property
16
rights that are prescribed by the Digital ID Rules for the
17
purposes of this paragraph.
18
Note 1:
This means an accredited entity will be taken to have a separate
19
contract with each other accredited entity and with each participating
20
relying party.
21
Note 2:
The Digital ID Rules may provide that some provisions of this Act
22
(which is defined to include the Digital ID Data Standards and other
23
legislative instruments) are not covered by the contract (see
24
subsection (5)).
25
(2) The contract is taken to be in force during the period:
26
(a) starting on the day that the participation start day for both
27
entities has arrived or passed; and
28
(b) ending on the day on which the approval to participate in the
29
Australian Government Digital ID System has been revoked
30
for one or both of the entities.
31
(3) If an accredited entity breaches the contract, an application to the
32
Federal Circuit and Family Court of Australia (Division 2) may be
33
Chapter 4
Australian Government Digital ID System
Part 3
Liability and redress framework
Division 2
Statutory contract
Section 86
92
Digital ID Bill 2023
No. , 2023
made by the party to the contract that has suffered, or is likely to
1
suffer, loss or damage as a result of the breach.
2
(4) After giving an opportunity to be heard to the applicant and the
3
entity (the
respondent
) against whom the order is sought, the
4
Federal Circuit and Family Court of Australia (Division 2) may
5
make any or all of the following orders:
6
(a) an order giving directions to the respondent about
7
compliance with, or enforcement of, the contract;
8
(b) an order directing the respondent to compensate the entity
9
that has suffered loss or damage as a result of the breach;
10
(c) an order directing the respondent to prevent or reduce loss or
11
damage suffered, or likely to be suffered;
12
(d) any other order that the Court considers appropriate.
13
(5) The Digital ID Rules may make provision in relation to the
14
following matters:
15
(a) conduct or circumstances that do, or do not, constitute
16
breaches of contract;
17
(b) provision of this Act that are not covered by the contract;
18
(c) limits on the kinds of losses or damages for which
19
compensation may be payable;
20
(d) limits on the amount of compensation that an accredited
21
entity may be liable to pay.
22
86 Participating entities to maintain insurance as directed by the
23
Digital ID Regulator
24
(1) The Digital ID Regulator may, in writing, direct an accredited
25
entity that is participating in the Australian Government Digital ID
26
System to maintain adequate insurance against any liabilities
27
arising in connection with the obligations under section 85.
28
(2) If the Digital ID Regulator gives a direction to an entity under
29
subsection (1), the direction is taken to be a condition imposed
30
under paragraph 64(2)(a)
on the entity's approval to
participate in
31
the Australian Government Digital ID System.
32
(3) A direction given under this section is not a legislative instrument.
33
Australian Government Digital ID System
Chapter 4
Liability and redress framework
Part 3
Statutory contract
Division 2
Section 87
No. , 2023
Digital ID Bill 2023
93
87 Dispute resolution procedures
1
The Digital ID Rules may make provision for and in relation to
2
dispute resolution procedures that must be complied with before an
3
entity can apply for an order under subsection 85(3).
4
Chapter 4
Australian Government Digital ID System
Part 3
Liability and redress framework
Division 3
Redress framework
Section 88
94
Digital ID Bill 2023
No. , 2023
Division
3--Redress framework
1
88 Redress framework
2
(1) The Digital ID Rules may provide for or in relation to a redress
3
framework for incidents that occur in relation to accredited
4
services of accredited entities that are provided within the
5
Australian Government Digital ID System.
6
(2) Without limiting subsection (1), the redress framework may deal
7
with the following matters:
8
(a) the entities that are covered by the framework;
9
(b) the kinds of incidents that are covered by the framework,
10
which may include digital ID fraud incidents and cyber
11
security incidents;
12
(c) procedures for dealing with incidents that are covered by the
13
framework;
14
(d) requirements relating to notifying entities affected by
15
incidents covered by the framework;
16
(e) the provision of information, support and assistance to
17
entities affected by incidents covered by the framework;
18
(f) development and publication of policies relating to the
19
identification, management and resolution of incidents
20
covered by the framework.
21
Digital ID Regulator
Chapter 5
Introduction
Part 1
Section 89
No. , 2023
Digital ID Bill 2023
95
Chapter
5--Digital ID Regulator
1
Part
1--Introduction
2
3
89 Simplified outline of this Chapter
4
The Digital ID Regulator is the Australian Competition and
5
Consumer Commission.
6
The Digital ID Regulator has certain functions, including to
7
promote compliance with this Act and to advise the Information
8
Commissioner on privacy matters that relate to this Act.
9
Chapter 5
Digital ID Regulator
Part 2
Digital ID Regulator
Section 90
96
Digital ID Bill 2023
No. , 2023
Part
2--Digital ID Regulator
1
2
90 Digital ID Regulator
3
The Digital ID Regulator is the Australian Competition and
4
Consumer Commission.
5
Note:
The Australian Competition and Consumer Commission is established
6
by Part II of the
Competition and Consumer Act 2010
.
7
91 Functions of the Digital ID Regulator
8
The Digital ID Regulator has the following functions:
9
(a) to promote compliance with this Act;
10
(b) to make available general information for guidance in
11
relation to the carrying out of the functions, or the exercise of
12
the powers, of the Digital ID Regulator under this Act;
13
(c) to consult with the following as required in relation to
14
performing functions and exercising powers of the Digital ID
15
Regulator under this Act:
16
(i) the System Administrator;
17
(ii) the Information Commissioner;
18
(iii) the Australian Securities and Investments Commission;
19
(iv) the Australian Prudential Regulation Authority;
20
(v) the Australian Financial Complaints Authority;
21
(vi) the part of the Australian Signals Directorate known as
22
the Australian Cyber Security Centre;
23
(vii) any other body the Digital ID Regulator considers
24
appropriate;
25
(d) to advise the following, either on its own initiative or on
26
request, on matters relating to this Act:
27
(i) the Minister;
28
(ii) the System Administrator;
29
(iii) the Digital ID Data Standards Chair;
30
Digital ID Regulator
Chapter 5
Digital ID Regulator
Part 2
Section 92
No. , 2023
Digital ID Bill 2023
97
(e) to advise the Information Commissioner, either on its own
1
initiative or on request, on privacy matters that relate to this
2
Act;
3
(f) to share information with the following, to assist them to
4
exercise their powers or perform their functions under this
5
Act:
6
(i) the Minister;
7
(ii) the System Administrator;
8
(iii) the Digital ID Data Standards Chair;
9
(iv) the Information Commissioner;
10
(g) such other functions as are conferred on the Digital ID
11
Regulator by this Act or any other law of the
12
Commonwealth;
13
(h) to do anything that is incidental or conducive to the
14
performance of any of the above functions.
15
92 Powers of the Digital ID Regulator
16
The Digital ID Regulator has power to do all things necessary or
17
convenient to be done for or in connection with the performance of
18
the Regulator's
functions under this Act.
19
Chapter 6
System Administrator
Part 1
Introduction
Section 93
98
Digital ID Bill 2023
No. , 2023
Chapter
6--System Administrator
1
Part
1--Introduction
2
3
93 Simplified outline of this Chapter
4
There is a System Administrator whose functions include
5
providing assistance to entities participating in the Australian
6
Government Digital ID System and managing the availability of
7
the Australian Government Digital ID System.
8
The Minister may give general directions to the System
9
Administrator about the performance of the System
10
Administrator's functions or the exercise of the System
11
Administrator's powers.
12
System Administrator
Chapter 6
System Administrator
Part 2
Section 94
No. , 2023
Digital ID Bill 2023
99
Part
2--System Administrator
1
2
94 System Administrator
3
The Chief Executive Centrelink (within the meaning of the
Human
4
Services (Centrelink) Act 1997
) is the System Administrator.
5
95 Functions of the System Administrator
6
The System Administrator has the following functions:
7
(a) to provide assistance to entities participating in the Australian
8
Government Digital ID System, including in relation to
9
connecting to, and dealing with incidents involving, the
10
system;
11
(b) to facilitate and monitor the use of the Australian Digital ID
12
System for testing purposes, in accordance with any
13
requirements specified in the Digital ID Rules;
14
(c) to monitor and manage the availability of the Australian
15
Government Digital ID System, including by coordinating
16
system changes and outages and by ensuring that changes
17
made by entities that are participating in the Australian
18
Government Digital ID System do not adversely affect the
19
system as a whole;
20
(d) to identify and manage operational risks relating to the
21
performance and integrity of the Australian Digital ID
22
System;
23
(e) to manage digital ID fraud incidents and cyber security
24
incidents involving entities participating in the Australian
25
Government Digital ID System;
26
(f) to advise the following, either on its own initiative or on
27
request, on matters relating to the operation of the Australian
28
Government Digital ID System:
29
(i) the Minister;
30
(ii) the Digital ID Regulator;
31
(iii) the Digital ID Data Standards Chair;
32
Chapter 6
System Administrator
Part 2
System Administrator
Section 96
100
Digital ID Bill 2023
No. , 2023
(g) to advise the Information Commissioner, either on its own
1
initiative or on request, on privacy matters that relate to the
2
Australian Government Digital ID System;
3
(h) to report to the Minister, on request, on the performance of
4
the System Administrator's functions, and the exercise of the
5
System Administrator's powers, under this Act;
6
(i) to share information with the following, to assist them to
7
exercise their powers or perform their functions under this
8
Act:
9
(i) the Minister;
10
(ii) the Digital ID Regulator;
11
(iii) the Digital ID Data Standards Chair;
12
(iv) the Information Commissioner;
13
(j) such other functions as are conferred on the System
14
Administrator by this Act or any other law of the
15
Commonwealth;
16
(k) to do anything that is incidental or conducive to the
17
performance of any of the above functions.
18
96 Powers of the System Administrator
19
The System Administrator has power to do all things necessary or
20
convenient to be done for or in connection with the performance of
21
the System Administrator's functions under this Act.
22
97 Directions to the System Administrator
23
(1) The Minister may give written directions to the System
24
Administrator about the performance of the System
25
Administrator's functions or the exercise of the System
26
Administrator's powers.
27
(2) A direction under subsection (1) must be of a general nature only.
28
(3) The System Administrator must comply with a direction under
29
subsection (1).
30
(4) A direction under subsection (1) is not a legislative instrument.
31
Digital ID Data Standards
Chapter 7
Introduction
Part 1
Section 98
No. , 2023
Digital ID Bill 2023
101
Chapter
7--Digital ID Data Standards
1
Part
1--Introduction
2
3
98 Simplified outline of this Chapter
4
The Digital ID Data Standards Chair may make Digital ID Data
5
Standards about various matters, including technical integration
6
requirements for entities to participate in the Australian
7
Government Digital ID System and, if required to do so by the
8
Accreditation Rules or the Digital ID Rules, technical, data or
9
design standards relating to accreditation.
10
Before making, amending or revoking Digital ID Data Standards,
11
the Digital ID Data Standards Chair must consult the Minister and
12
others and invite public comments.
13
The Minister may give general directions to the Digital ID Data
14
Standards Chair ab
out the performance of the Chair's functions or
15
the exercise of the Chair's powers.
16
Chapter 7
Digital ID Data Standards
Part 2
Digital ID Data Standards
Section 99
102
Digital ID Bill 2023
No. , 2023
Part
2--Digital ID Data Standards
1
2
99 Digital ID Data Standards
3
(1) The Digital ID Data Standards Chair may, in writing, make one or
4
more standards (
Digital ID Data Standards
) about the following:
5
(a) technical integration requirements for entities to participate in
6
the Australian Government Digital ID System;
7
(b) technical or design features that entities must have to
8
participate in the Australian Government Digital ID System;
9
(c) if required to do so by the Accreditation Rules or the Digital
10
ID Rules
--
technical, data or design standards, including test
11
standards for an entity's information technology systems
and
12
processes, relating to accreditation;
13
(d) other matters prescribed by the Digital ID Rules.
14
(2) Without limiting subsection 33(3A) of the
Acts Interpretation Act
15
1901
, Digital ID Data Standards may provide differently for
16
different kinds of entities, things or circumstances.
17
(3) Digital ID Data Standards that are inconsistent with the
18
Accreditation Rules have no effect to the extent of the
19
inconsistency, but Digital ID Data Standards are taken to be
20
consistent with the Accreditation Rules to the extent that Digital ID
21
Data Standards are capable of operating concurrently with the
22
Accreditation Rules.
23
(4) Digital ID Data Standards are legislative instruments, but
24
section 42 (disallowance) of the
Legislation Act 2003
does not
25
apply to them.
26
100 Requirement to consult before making
27
(1) Before making, amending or revoking Digital ID Data Standards
28
under section 99, the Digital ID Data Standards Chair must:
29
(a) consult the Minister, the Digital ID Regulator, the System
30
Administrator and the Information Commissioner; and
31
Digital ID Data Standards
Chapter 7
Digital ID Data Standards
Part 2
Section 100
No. , 2023
Digital ID Bill 2023
103
(b) cause to be published on an Australian government website a
1
notice:
2
(i) setting out the draft standards or amendments; and
3
(ii) inviting persons to make submissions to the Chair about
4
the draft standards or amendments within the period
5
specified in the notice (which must be at least 28 days
6
after the notice is published); and
7
(c) consider any submissions received within the specified
8
period.
9
(2) The Digital ID Data Standards Chair may consider any
10
submissions received after the specified period if the Chair
11
considers it appropriate to do so.
12
(3) Subsection (1) does not apply to an amendment that is, in the
13
opinion of the Digital ID Data Standards Chair, urgent or minor.
14
(4) This section does not limit section 17 of the
Legislation Act 2003
15
(rule-makers should consult before making legislative instrument).
16
Chapter 7
Digital ID Data Standards
Part 3
Digital ID Data Standards Chair
Division 1
Establishment and functions of the Digital ID Data Standards Chair
Section 101
104
Digital ID Bill 2023
No. , 2023
Part
3--Digital ID Data Standards Chair
1
Division
1--Establishment and functions of the Digital ID
2
Data Standards Chair
3
101 Digital ID Data Standards Chair
4
There is to be a Digital ID Data Standards Chair.
5
102 Functions of the Digital ID Data Standards Chair
6
The functions of the Digital ID Data Standards Chair are:
7
(a) to make Digital ID Data Standards; and
8
(b) to review those standards regularly; and
9
(c) such other functions as are conferred on the Chair by this
10
Act; and
11
(d) to do anything incidental or conducive to the performance of
12
any of the above functions.
13
103 Powers of the Digital ID Data Standards Chair
14
The Digital ID Data Standards Chair has the following powers:
15
(a) the power to establish committees, advisory panels and
16
consultative groups;
17
(b) the power to do all other things necessary or convenient to be
18
done for or in connection with the performance of the Chair's
19
functions.
20
104 Directions to the Digital ID Data Standards Chair
21
(1) The Minister may give written directions to the Digital ID Data
22
Standards
Chair about the performance of the Chair's functions
or
23
the exercise of the Chair's powers.
24
(2) A direction under subsection (1) must be of a general nature only.
25
Digital ID Data Standards
Chapter 7
Digital ID Data Standards Chair
Part 3
Establishment and functions of the Digital ID Data Standards Chair
Division 1
Section 104
No. , 2023
Digital ID Bill 2023
105
(3) The Digital ID Data Standards Chair must comply with a direction
1
under subsection (1).
2
(4) A direction under subsection (1) is not a legislative instrument.
3
Chapter 7
Digital ID Data Standards
Part 3
Digital ID Data Standards Chair
Division 2
Appointment of the Digital ID Data Standards Chair
Section 105
106
Digital ID Bill 2023
No. , 2023
Division
2--Appointment of the Digital ID Data Standards
1
Chair
2
105 Appointment
3
(1) The Digital ID Data Standards Chair is to be appointed by the
4
Minister by written instrument.
5
Note:
The Minister will be the Digital ID Data Standards Chair in the
6
absence of an appointment under this section (see the definition of
7
Digital ID Data Standards Chair
in section 9).
8
(2) The Digital ID Data Standards Chair is to be appointed on a
9
full-time or part-time basis.
10
106 Term of appointment
11
The Digital ID Data Standards Chair holds office for the period
12
specified in the instrument of appointment. The period must not
13
exceed 3 years.
14
Note:
The Digital ID Data Standards Chair may be reappointed: see
15
section 33AA of the
Acts Interpretation Act 1901
.
16
107 Acting appointments
17
The Minister may, by written instrument, appoint a person to act as
18
the Digital ID Data Standards Chair:
19
(a) during a vacancy in the office of Digital ID Data Standards
20
Chair (whether or not an appointment has previously been
21
made to the office); or
22
(b) during any period, or during all periods, when the Digital ID
23
Data Standards Chair:
24
(i) is absent from duty or from Australia; or
25
(ii) is, for any reason, unable to perform the duties of the
26
office.
27
Note:
For rules that apply to acting appointments, see sections 33AB and
28
33A of the
Acts Interpretation Act 1901
.
29
Digital ID Data Standards
Chapter 7
Digital ID Data Standards Chair
Part 3
Appointment of the Digital ID Data Standards Chair
Division 2
Section 108
No. , 2023
Digital ID Bill 2023
107
108 Application of the finance law etc.
1
(1) For the purposes of the finance law (within the meaning of the
2
Public Governance, Performance and Accountability Act 2013
),
3
the Digital ID Data Standards Chair is an official of the
4
Department.
5
Note:
A consequence of this subsection is that the Secretary of the
6
Department is the accountable authority (within the meaning of that
7
Act) applicable to the Digital ID Data Standards Chair.
8
(2)
The Secretary of the Department, when preparing the Department's
9
annual report under section 46 of the
Public Governance,
10
Performance and Accountability Act 2013
for a period, must
11
include information in that report about:
12
(a) the performance of the Digital ID Data Standards
Chair's
13
functions; and
14
(b) the exercise of the Digital ID Data Standards
Chair's powers;
15
during the period.
16
(3) If at any time the Digital ID Data Standards Chair is the Minister
17
then:
18
(a) subsections (1) and (2) do not apply during that time; and
19
(b)
the Department's annual report under
section 46 of the
20
Public Governance, Performance and Accountability Act
21
2013
for the period that includes that time must include
22
information about the performance of the Digital ID Data
23
Standards
Chair's functions, and the exercise of the
Digital
24
ID Data Standards
Chair's powers, at that time.
25
Chapter 7
Digital ID Data Standards
Part 3
Digital ID Data Standards Chair
Division 3
Terms and conditions for the Digital ID Data Standards Chair
Section 109
108
Digital ID Bill 2023
No. , 2023
Division
3--Terms and conditions for the Digital ID Data
1
Standards Chair
2
109 Remuneration
3
(1) The Digital ID Data Standards Chair is to be paid the remuneration
4
that is determined by the Remuneration Tribunal. If no
5
determination of that remuneration by the Tribunal is in operation,
6
the Digital ID Data Standards Chair is to be paid the remuneration
7
that is prescribed by legislative instrument under subsection (3).
8
(2) The Digital ID Data Standards Chair is to be paid the allowances
9
that are prescribed by legislative instrument under subsection (3).
10
(3) The Minister may, by legislative instrument, prescribe:
11
(a) remuneration for the purposes of subsection (1); and
12
(b) allowances for the purposes of subsection (2).
13
(4) Subsections (1) and (2) do not apply while the Digital ID Data
14
Standards Chair is the Minister.
15
(5) Subsections 7(9) and (13) of the
Remuneration Tribunal Act 1973
16
do not apply in relation to the office of the Digital ID Data
17
Standards Chair.
18
Note:
The effect of this subsection is that remuneration or allowances of the
19
Digital ID Data Standards Chair will be paid out of money
20
appropriated by an Act other than the
Remuneration Tribunal Act
21
1973
.
22
(6) This section has effect subject to the
Remuneration Tribunal Act
23
1973
(except as provided by subsection (5) of this section).
24
110 Leave of absence
25
(1) If the Digital ID Data Standards Chair is appointed on a full-time
26
basis, the Digital ID Data Standards Chair has the recreation leave
27
entitlements that are determined by the Remuneration Tribunal.
28
(2) If the Digital ID Data Standards Chair is appointed on a full-time
29
basis, the Minister may grant the Digital ID Data Standards Chair
30
Digital ID Data Standards
Chapter 7
Digital ID Data Standards Chair
Part 3
Terms and conditions for the Digital ID Data Standards Chair
Division 3
Section 111
No. , 2023
Digital ID Bill 2023
109
leave of absence, other than recreation leave, on the terms and
1
conditions as to remuneration or otherwise that the Minister
2
determines.
3
(3) If the Digital ID Data Standards Chair is appointed on a part-time
4
basis, the Secretary of the Department may grant leave of absence
5
to the Digital ID Data Standards Chair on the terms and conditions
6
that the Secretary determines.
7
111 Outside work
8
The Digital ID Data Standards Chair must not engage in paid work
9
outside the duties of the Digital ID Data Standards Chair
's office
10
without the Minister's approval.
11
112 Resignation of appointment
12
(1) The Digital ID Data Standards Chair may resign the Digital ID
13
Data Standards
Chair's appoint
ment by giving the Minister a
14
written resignation.
15
(2) The resignation takes effect on the day it is received by the
16
Minister or, if a later day is specified in the resignation, on that
17
later day.
18
113 Termination of appointment
19
(1) The Minister may terminate the appointment of the Digital ID Data
20
Standards Chair:
21
(a) for misbehaviour; or
22
(b) if the Digital ID Data Standards Chair is unable to perform
23
the duties of the Digital ID Data Standards
Chair's office
24
because of physical or mental incapacity.
25
(2) The Minister may terminate the appointment of the Digital ID Data
26
Standards Chair if:
27
(a) the Digital ID Data Standards Chair:
28
(i) becomes bankrupt; or
29
(ii) applies to take the benefit of any law for the relief of
30
bankrupt or insolvent debtors; or
31
Chapter 7
Digital ID Data Standards
Part 3
Digital ID Data Standards Chair
Division 3
Terms and conditions for the Digital ID Data Standards Chair
Section 114
110
Digital ID Bill 2023
No. , 2023
(iii) compounds with the Digital ID Data Standards
Chair's
1
creditors; or
2
(iv) makes an assignment of the Digital ID Data Standards
3
Chair's remuneration for the benefit of the
Digital ID
4
Data Standards
Chair's creditors; or
5
(b) if the Digital ID Data Standards Chair is appointed on a
6
full-time basis
--
the Digital ID Data Standards Chair is
7
absent, except on leave of absence, for 14 consecutive days
8
or for 28 days in any 12-month period; or
9
(c) the Digital ID Data Standards Chair fails, without reasonable
10
excuse, to comply with section 29 of the
Public Governance,
11
Performance and Accountability Act 2013
(which deals with
12
the duty to disclose interests) or rules made for the purposes
13
of that section.
14
114 Other terms and conditions
15
(1) The Digital ID Data Standards Chair holds office on the terms and
16
conditions (if any) in relation to matters not covered by this
17
Division that are determined by the Minister.
18
(2) Subsection (1) does not apply while the Digital ID Data Standards
19
Chair is the Minister.
20
Digital ID Data Standards
Chapter 7
Digital ID Data Standards Chair
Part 3
Other matters
Division 4
Section 115
No. , 2023
Digital ID Bill 2023
111
Division
4--Other matters
1
115 Arrangements relating to staff
2
(1) The staff assisting the Digital ID Data Standards Chair are to be:
3
(a) APS employees in the Department whose services are made
4
available to the Chair, by the Secretary, in connection with
5
the performa
nce of any of the Chair's functions or the
6
exercise of any of the Chair's powers
; or
7
(b) APS employees in another Department of the
8
Commonwealth whose services are made available to the
9
Chair, by the Secretary of that Department, in connection
10
with the pe
rformance of any of the Chair's functions or the
11
exercise of any of the Chair's powers
.
12
(2) When performing services for the Digital ID Data Standards Chair,
13
the staff are subject to the directions of the Chair.
14
Chapter 8
Trustmarks and registers
Part 1
Introduction
Section 116
112
Digital ID Bill 2023
No. , 2023
Chapter
8--Trustmarks and registers
1
Part
1--Introduction
2
3
116 Simplified outline of this Chapter
4
The Digital ID Rules may set out marks, symbols, logos or designs
5
(called digital ID trustmarks) that may or must be used by
6
accredited entities and participating relying parties.
7
An entity may be liable to a civil penalty if the entity:
8
(a) uses a digital ID trustmark and the entity is not
9
authorised by the Digital ID Rules to do so; or
10
(b) is required by the Digital ID Rules to display a digital ID
11
trustmark in circumstances specified in the Digital ID
12
Rules and the entity fails to comply with the
13
requirement.
14
The Digital ID Regulator must establish and maintain the Digital
15
ID Accredited Entities Register, which is a register of entities that
16
are, or have been, accredited entities.
17
The Digital ID Regulator must also establish and maintain the
18
AGDIS Register, which is a register of entities that are approved to
19
participate in the Australian Government Digital ID System.
20
Trustmarks and registers
Chapter 8
Digital ID trustmarks
Part 2
Section 117
No. , 2023
Digital ID Bill 2023
113
Part
2--Digital ID trustmarks
1
2
117 Digital ID trustmarks
3
(1) The Digital ID Rules may do one or more of the following:
4
(a) specify one or more digital ID trustmarks that may or must
5
be used by accredited entities;
6
(b) specify one or more digital ID trustmarks that may or must
7
be used by participating relying parties;
8
(c) prescribe conditions or requirements in relation to the use or
9
display of those digital ID trustmarks.
10
(2)
Digital ID trustmark
means a mark, symbol, logo or design set out
11
in the Digital ID Rules.
12
118 Authorised use of digital ID trustmarks etc.
13
(1) An entity is authorised to use a digital ID trustmark if:
14
(a) the Digital ID Rules permit or require the entity to use the
15
digital ID trustmark; and
16
(b) if the Digital ID Rules prescribe conditions in relation to the
17
use or display of the digital ID trustmark
--
the entity
18
complies with the conditions.
19
(2) An entity must not use a digital ID trustmark if the entity is not
20
authorised under subsection (1) to use the trustmark.
21
Civil penalty:
1,000 penalty units.
22
(3) An entity must not do any of the following in relation to a mark,
23
symbol, logo or design so closely resembling a digital ID trustmark
24
as to be likely to lead a reasonable person to believe that the entity
25
is an accredited entity or a participating relying party:
26
(a) use it in relation to a business, trade, profession or
27
occupation;
28
(b) apply (as a trade mark or otherwise) it to goods imported,
29
manufactured, produced, sold, offered for sale or let on hire;
30
Chapter 8
Trustmarks and registers
Part 2
Digital ID trustmarks
Section 119
114
Digital ID Bill 2023
No. , 2023
(c) use it in relation to:
1
(i) goods or services; or
2
(ii) the promotion (by any means) of the supply or use of
3
goods or services.
4
Civil penalty:
1,000 penalty units.
5
119 Displaying digital ID trustmark
6
An entity contravenes this section if:
7
(a) the entity is required by the Digital ID Rules to display a
8
digital ID trustmark in circumstances specified in the Digital
9
ID Rules; and
10
(b) the entity fails to comply with the requirement.
11
Civil penalty:
1,000 penalty units.
12
Trustmarks and registers
Chapter 8
Registers
Part 3
Section 120
No. , 2023
Digital ID Bill 2023
115
Part
3--Registers
1
2
120 Digital ID Accredited Entities Register
3
(1) The Digital ID Regulator must establish and maintain a register
4
(the
Digital ID Accredited Entities Register
) of entities that are, or
5
have been, accredited entities.
6
(2) The Digital ID Accredited Entities Register must contain the
7
following details for each entity:
8
(a) the kinds of accredited entity that the entity is accredited as
9
and the day on which each accreditation came into force;
10
(b) any conditions imposed on the accreditation under
11
paragraph 17(2)(a) that are in force, including any variations
12
to those conditions, and the day the condition or variation
13
took effect;
14
(c) any conditions imposed on the accreditation under
15
paragraph 17(2)(a) that have been revoked, and the day the
16
revocation took effect;
17
(d)
if the entity's accreditation is or has been suspended for a
18
period
--
that fact and the period of the suspension;
19
(e)
if the entity's accreditation is or has been suspended until a
20
specified event occurs or action is taken
--
that fact and the
21
event or action;
22
(f)
if the entity's accreditation has been revoked--
that fact, and
23
the date the revocation took effect;
24
(g) any other information prescribed by the Digital ID Rules.
25
(3) The Digital ID Accredited Entities Register may contain any other
26
information that the Digital ID Regulator considers appropriate.
27
(4)
If an entity's accreditation is revoked and the entity
does not
28
become an accredited entity again for 12 months after the day the
29
revocation came into force, the Digital ID Regulator must remove
30
the entity from the Digital ID Accredited Entities Register at the
31
end of that period.
32
Chapter 8
Trustmarks and registers
Part 3
Registers
Section 121
116
Digital ID Bill 2023
No. , 2023
(5) The Digital ID Rules may make provision for and in relation to the
1
following:
2
(a) the correction of information in the Digital ID Accredited
3
Entities Register;
4
(b) any other matter relating to the administration or operation of
5
the Digital ID Accredited Entities Register.
6
(6) The Digital ID Accredited Entities Register must be made publicly
7
available on the Digital ID Regulator's website.
8
(7) The Digital ID Accredited Entities Register is not a legislative
9
instrument.
10
121 AGDIS Register
11
(1) The Digital ID Regulator must establish and maintain a register
12
(the
AGDIS Register
) of entities that are approved to participate in
13
the Australian Government Digital ID System.
14
(2) The AGDIS Register must contain the following details for each
15
entity:
16
(a)
the day the entity's approval
to participate in the Australian
17
Government Digital ID System came into force;
18
(b)
the entity's participation start day;
19
(c) if the entity is a participating relying party
--
each service the
20
participating relying party is approved to provide, or to
21
provide access to, within the Australian Government Digital
22
ID System;
23
(d) if the entity is an accredited entity
--
the kind of accredited
24
entity it is accredited as;
25
(e)
any conditions imposed on the entity's approval to participate
26
under paragraph 64(2)(a) that are in force, including any
27
variations to those conditions, and the day the condition or
28
variation took effect;
29
(f)
any conditions imposed on the entity's approval to participate
30
under paragraph 64(2)(a) that have been revoked, and the day
31
the revocation took effect;
32
(g)
if the entity's approval to participate is or has been suspended
33
for a period
--
that fact and the period of the suspension;
34
Trustmarks and registers
Chapter 8
Registers
Part 3
Section 121
No. , 2023
Digital ID Bill 2023
117
(h)
if the entity's approval to participate is or has been suspended
1
until a specified event occurs or action is taken
--
that fact and
2
the event or action;
3
(i)
if the entity's approval to participate has been revoked--
that
4
fact, and the date the revocation took effect;
5
(j) any other information prescribed by the Digital ID Rules.
6
(3) The AGDIS Register may contain any other information that the
7
Digital ID Regulator considers appropriate.
8
(4)
If an entity's approval to participate in the
Australian Government
9
Digital ID System is revoked, and the entity does not hold another
10
approval to participate in the Australian Government Digital ID
11
System for 3 years after the day the revocation came into force, the
12
Digital ID Regulator must remove the entity from the AGDIS
13
Register at the end of that period.
14
(5) The Digital ID Rules may make provision for and in relation to the
15
following:
16
(a) the correction of information in the AGDIS Register;
17
(b) any other matter relating to the administration or operation of
18
the AGDIS Register.
19
(6) The AGDIS Register must be made publicly available on the
20
Digital ID Regulator's website.
21
(7) The AGDIS Register is not a legislative instrument.
22
Chapter 9
Administration
Part 1
Introduction
Section 122
118
Digital ID Bill 2023
No. , 2023
Chapter
9--Administration
1
Part
1--Introduction
2
3
122 Simplified outline of this Chapter
4
The Digital ID Regulator and the Information Commissioner may
5
take enforcement action against accredited entities and other
6
entities, including by issuing an infringement notice, or applying to
7
a court for a pecuniary penalty order or an injunction, if the entity
8
contravenes a civil penalty provision.
9
The Digital ID Regulator may give directions to entities in relation
10
to accreditation and participation in the Australian Government
11
Digital ID System. Directions may also be given to protect the
12
integrity or performance of the Australian Government Digital ID
13
System. Such directions may also be given by the System
14
Administrator.
15
The Digital ID Regulator may give remedial directions to an
16
accredited entity, or an entity whose accreditation is suspended, if
17
the Digital ID Regulator reasonably believes that the entity has
18
contravened, or is contravening, a provision of this Act.
19
The Digital ID Regulator may require an entity to undergo a
20
compliance assessment for certain purposes, such as determining
21
whether the entity is complying with this Act or if the Digital ID
22
Regulator is satisfied that a cyber security incident or a digital ID
23
fraud incident has occurred, or is suspected to have occurred, in
24
relation to an accredited entity.
25
The Digital ID Regulator, or the System Administrator, may
26
require an entity to give information or produce document in
27
certain circumstances.
28
Accredited entities that hold or held an approval to participate in
29
the Australian Government Digital ID System have certain
30
Administration
Chapter 9
Introduction
Part 1
Section 122
No. , 2023
Digital ID Bill 2023
119
record-keeping responsibilities and are required to destroy or
1
de-identify certain information in the possession or control of the
2
entity.
3
Entities can apply for merits review of certain decisions made
4
under this Act.
5
Applications made under this Act must comply with certain
6
requirements.
7
The Digital ID Rules may make provision in relation to the
8
charging of fees by the Digital ID Regulator and others to whom
9
applications may be made under this Act.
10
Accredited entities that charges fees in relation to accredited
11
services provided in relation to the Australian Government Digital
12
ID System must do so in accordance with any Digital ID Rules that
13
are in force.
14
Chapter 9
Administration
Part 2
Compliance and enforcement
Division 1
Enforcement powers
Section 123
120
Digital ID Bill 2023
No. , 2023
Part
2--Compliance and enforcement
1
Division
1--Enforcement powers
2
123 Civil penalty provisions
3
Enforceable civil penalty provisions
4
(1) Each civil penalty provision of this Act is enforceable under Part 4
5
of the Regulatory Powers Act.
6
Note:
Part 4 of the Regulatory Powers Act allows a civil penalty provision to
7
be enforced by obtaining an order for a person to pay a pecuniary
8
penalty for the contravention of the provision.
9
Authorised applicant
10
(2) For the purposes of Part 4 of the Regulatory Powers Act:
11
(a) the Information Commissioner or a member of staff of the
12
Office of the Australian Information Commissioner who is an
13
SES employee or acting SES employee are authorised
14
applicants in relation to the civil penalty provisions in
15
Division 2 of Part 2 of Chapter 3 of this Act (about additional
16
privacy safeguards); and
17
(b) the Digital ID Regulator is an authorised applicant in relation
18
to every other civil penalty provision of this Act.
19
Relevant court
20
(3) For the purposes of Part 4 of the Regulatory Powers Act, each of
21
the following courts is a relevant court in relation to the civil
22
penalty provisions of this Act:
23
(a) the Federal Court of Australia;
24
(b) the Federal Circuit and Family Court of Australia
25
(Division 2);
26
(c) a court of a State or Territory that has jurisdiction in relation
27
to the matter.
28
Administration
Chapter 9
Compliance and enforcement
Part 2
Enforcement powers
Division 1
Section 124
No. , 2023
Digital ID Bill 2023
121
124 Infringement notices
1
Provisions subject to an infringement notice
2
(1) Each civil penalty provision of this Act is subject to an
3
infringement notice under Part 5 of the Regulatory Powers Act.
4
Note:
Part 5 of the Regulatory Powers Act creates a framework for using
5
infringement notices in relation to provisions.
6
Infringement officer
7
(2) For the purposes of Part 5 of the Regulatory Powers Act:
8
(a) the Information Commissioner or a member of staff of the
9
Office of the Australian Information Commissioner who is an
10
SES employee or acting SES employee are infringement
11
officers in relation to the civil penalty provisions in
12
Division 2 of Part 2 of Chapter 3 of this Act (about additional
13
privacy safeguards); and
14
(b) the Digital ID Regulator is an infringement officer in relation
15
to every other civil penalty provision of this Act.
16
Relevant chief executive
17
(3) For the purposes of Part 5 of the Regulatory Powers Act, the
18
relevant chief executive is:
19
(a) in relation to the provisions mentioned in paragraph (2)(a) of
20
this section
--
the Information Commissioner; and
21
(b) in relation to the provisions mentioned in paragraph (2)(b) of
22
this section
--
the Digital ID Regulator.
23
125 Enforceable undertakings
24
Enforceable provisions
25
(1) Each civil penalty provision of this Act is enforceable
under Part 6
26
of the Regulatory Powers Act.
27
Note:
Part 6 of the Regulatory Powers Act creates a framework for
28
accepting and enforcing undertakings relating to compliance with
29
provisions.
30
Chapter 9
Administration
Part 2
Compliance and enforcement
Division 1
Enforcement powers
Section 126
122
Digital ID Bill 2023
No. , 2023
Authorised person
1
(2) For the purposes of Part 6 of the Regulatory Powers Act:
2
(a) the Information Commissioner is an authorised person in
3
relation to the civil penalty provisions in Division 2 of Part 2
4
of Chapter 3 of this Act (about additional privacy
5
safeguards); and
6
(b) the Digital ID Regulator is an authorised person in relation to
7
every other civil penalty provision of this Act.
8
Relevant court
9
(3) For the purposes of Part 6 of the Regulatory Powers Act, each of
10
the following courts is a relevant court in relation to the provisions
11
mentioned in subsection (1):
12
(a) the Federal Court of Australia;
13
(b) the Federal Circuit and Family Court of Australia
14
(Division 2);
15
(c) a court of a State or Territory that has jurisdiction in relation
16
to the matter.
17
Publishing undertakings
18
(4) The Information Commissioner may publish an undertaking
19
accepted by the Information Commissioner on the Information
20
Commissioner's website.
21
(5) The Digital ID Regulator may publish an undertaking accepted by
22
the Re
gulator on the Regulator's website.
23
126 Injunctions
24
Enforceable provisions
25
(1) Each civil penalty provision of this Act is enforceable under Part 7
26
of the Regulatory Powers Act.
27
Note:
Part 7 of the Regulatory Powers Act creates a framework for using
28
injunctions to enforce provisions.
29
Administration
Chapter 9
Compliance and enforcement
Part 2
Enforcement powers
Division 1
Section 126
No. , 2023
Digital ID Bill 2023
123
Authorised person
1
(2) For the purposes of Part 7 of the Regulatory Powers Act:
2
(a) the Information Commissioner is an authorised person in
3
relation to the civil penalty provisions in Division 2 of Part 2
4
of Chapter 3 of this Act (about additional privacy
5
safeguards); and
6
(b) the Digital ID Regulator is an authorised person in relation to
7
every other civil penalty provision of this Act.
8
Relevant court
9
(3) For the purposes of Part 7 of the Regulatory Powers Act, each of
10
the following courts is a relevant court in relation to the provisions
11
mentioned in subsection (1):
12
(a) the Federal Court of Australia;
13
(b) the Federal Circuit and Family Court of Australia
14
(Division 2);
15
(c) a court of a State or Territory that has jurisdiction in relation
16
to the matter.
17
Chapter 9
Administration
Part 2
Compliance and enforcement
Division 2
Directions powers
Section 127
124
Digital ID Bill 2023
No. , 2023
Division
2--Directions powers
1
Subdivision A
--Digital ID Regulator's directions powers
2
127 Digital ID Regulator
's power to give directions to entities in
3
relation to accreditation and participation
4
(1) The Digital ID Regulator may give an entity a direction to do a
5
specified act or thing, or not do a specified act or thing, within the
6
period specified in the direction if the Digital ID Regulator
7
considers it necessary to:
8
(a) give effect to a decision to accredit an entity as an accredited
9
entity; or
10
(b)
give effect to a decision to suspend or revoke an entity's
11
accreditation as an accredited entity; or
12
(c) deal with matters arising as a result of the suspension or
13
revocation of an entity's accreditation as an accredited ent
ity;
14
or
15
(d) give effect to a decision to approve an entity to participate in
16
the Australian Government Digital ID System; or
17
(e)
give effect to a decision to suspend or revoke an entity's
18
approval to participate in the Australian Government Digital
19
ID System; or
20
(f) deal with matters arising as a result of the suspension or
21
revocation of an entity's approval to participate in the
22
Australian Government Digital ID System.
23
(2) Without limiting subsection (1), a direction may:
24
(a) require an accredited identity exchange provider to:
25
(i) provide information to an entity that holds an approval
26
to participate in the Australian Government Digital ID
27
System about the steps required to connect to the
28
system; and
29
(ii) connect the entity to the Australian Government Digital
30
ID System by a specified date; or
31
(b) require an entity whose accreditation has been suspended or
32
revoked to notify other participants in the digital ID system
33
Administration
Chapter 9
Compliance and enforcement
Part 2
Directions powers
Division 2
Section 128
No. , 2023
Digital ID Bill 2023
125
in which the entity participates of the suspension or
1
revocation and the date on which the suspension or
2
revocation takes effect.
3
(3) The direction must:
4
(a) be in writing; and
5
(b) specify the reason for the direction.
6
(4) An entity must comply with a direction given under subsection (1).
7
Civil penalty:
1,000 penalty units.
8
(5) A direction under subsection (1) is not a legislative instrument.
9
128
Digital ID Regulator's power to give directions to protect the
10
integrity or performance of the Australian Government
11
Digital ID System
12
(1) The Digital ID Regulator may give a direction to the following
13
entities if the Digital ID Regulator considers it necessary to do so
14
to protect the integrity or performance of the Australian
15
Government Digital ID System:
16
(a) accredited entities;
17
(b) entities whose accreditation as an accredited entity is
18
suspended.
19
(2) Without limiting subsection (1), the Digital ID Regulator may give
20
a direction to do one or more of the following:
21
(a) conduct a privacy impact assessment in relation to a specified
22
matter and provide a copy of the assessment to the Digital ID
23
Regulator;
24
(b) conduct a fraud assessment in relation to a specified matter
25
and provide a copy of the report to the Digital ID Regulator
26
in relation to the assessment;
27
(c) conduct a security assessment in relation to a specified matter
28
and provide a copy of the report to the Digital ID Regulator
29
in relation to the assessment;
30
(d) an act or thing specified by the Digital ID Rules.
31
Chapter 9
Administration
Part 2
Compliance and enforcement
Division 2
Directions powers
Section 129
126
Digital ID Bill 2023
No. , 2023
(3) If Accreditation Rules made for the purposes of section 28
1
prescribe requirements in relation to the conduct of an assessment
2
mentioned in subsection (2), the assessment must comply with the
3
requirements.
4
(4) The direction must:
5
(a) be in writing; and
6
(b) specify the reason for the direction.
7
(5) An entity must comply with a direction given under subsection (1).
8
Civil penalty:
1,000 penalty units.
9
(6) A direction under subsection (1) is not a legislative instrument.
10
129 Remedial directions to accredited entities etc.
11
(1) This section applies if the Digital ID Regulator reasonably believes
12
that an accredited entity, or an entity whose accreditation is
13
suspended, has contravened, or is contravening, a provision of this
14
Act.
15
(2) The Digital ID Regulator may give the entity a direction requiring
16
the entity to take specified action directed towards ensuring that the
17
entity does not contravene the provision, or is unlikely to
18
contravene the provision, in the future.
19
(3) The direction must:
20
(a) be in writing; and
21
(b) specify the reason for the direction.
22
(4) An entity must comply with a direction given under subsection (2).
23
Civil penalty:
1,000 penalty units.
24
(5) A direction under subsection (2) is not a legislative instrument.
25
Administration
Chapter 9
Compliance and enforcement
Part 2
Directions powers
Division 2
Section 130
No. , 2023
Digital ID Bill 2023
127
Subdivision B
--System Administrator's directions powers
1
130
System Administrator's power to give directions to protect the
2
integrity or performance of the Australian Government
3
Digital ID System
4
(1) The System Administrator may give a direction to the following
5
entities if the System Administrator considers it necessary to do so
6
to protect the integrity or performance of the Australian
7
Government Digital ID System:
8
(a) entities that hold an approval to participate in the Australian
9
Government Digital ID System;
10
(b) entities whose approval to participate in the Australian
11
Government Digital ID System is suspended.
12
(2) Without limiting subsection (1), the System Administrator may
13
give a direction to do one or more of the following:
14
(a) take or not take specified action in relation to the
15
performance of the Australian Government Digital ID
16
System;
17
(b) conduct a fraud assessment in relation to a specified matter
18
and provide a copy of the report to the System Administrator
19
in relation to the assessment;
20
(c) conduct a security assessment in relation to a specified matter
21
and provide a copy of the report to the System Administrator
22
in relation to the assessment;
23
(d) an act or thing specified by the Digital ID Rules.
24
(3) If Accreditation Rules made for the purposes of section 28
25
prescribe requirements in relation to the conduct of an assessment
26
mentioned in subsection (2), the assessment must comply with the
27
requirements.
28
(4) The direction must:
29
(a) be in writing; and
30
(b) specify the reason for the direction.
31
(5) An entity must comply with a direction given under subsection (1).
32
Chapter 9
Administration
Part 2
Compliance and enforcement
Division 2
Directions powers
Section 130
128
Digital ID Bill 2023
No. , 2023
Civil penalty:
1,000 penalty units.
1
(6) A direction under subsection (1) is not a legislative instrument.
2
Administration
Chapter 9
Compliance and enforcement
Part 2
Compliance assessments
Division 3
Section 131
No. , 2023
Digital ID Bill 2023
129
Division
3--Compliance assessments
1
131 Compliance assessments
2
(1) The Digital ID Regulator may, by written notice, require an entity
3
to undergo an assessment (a
compliance assessment
):
4
(a) for the purposes of determining whether the entity has
5
complied, is complying or is able to comply with this Act; or
6
(b) if the Digital ID Regulator is satisfied that any of the
7
following has occurred, or is suspected to have occurred, in
8
relation to an accredited entity:
9
(i) a cyber security incident;
10
(ii) a digital ID fraud incident;
11
(iii) a serious or repeated breach of the Accreditation Rules;
12
(iv) an incident that is having, or may have, a material
13
impact on the operation of the entity's
information
14
technology systems through which it provides its
15
accredited services;
16
(v) an incident that is having, or may have, a material
17
impact on the operation of the Australian Government
18
Digital ID System;
19
(vi)
a change to the entity's operating environment that is
20
having, or may h
ave, a material impact on the entity's
21
risk profile; or
22
(c) in circumstances specified in the Digital ID Rules.
23
Note:
For variation and revocation of a notice given under this subsection,
24
see subsection 33(3) of the
Acts Interpretation Act 1901
.
25
(2) The notice must specify:
26
(a) the period within which the compliance assessment is to be
27
undertaken; and
28
(b) whether the compliance assessment must be undertaken:
29
(i) by or on behalf of the Digital ID Regulator; or
30
(ii) by an independent assessor arranged by the entity.
31
(3) The entity must comply with the notice within the period specified
32
in the notice.
33
Chapter 9
Administration
Part 2
Compliance and enforcement
Division 3
Compliance assessments
Section 132
130
Digital ID Bill 2023
No. , 2023
Note 1:
If an entity has applied for approval to participate in the Australian
1
Government Digital ID System and is given a notice under
2
subsection (1), the Digital ID Regulator is not required to make a
3
decision on the application until the assessment is conducted (see
4
subsection 143(4)).
5
Note 2:
For accredited entities and entities that hold an approval to participate
6
in the Australian Government Digital ID System, a failure to comply
7
with a notice given under subsection (1) may lead to compliance
8
action such as suspension and revocation of approvals and
9
accreditation.
10
(4) The Digital ID Rules may make provision for and in relation to
11
compliance assessments.
12
(5) Without limiting subsection (4), the Digital ID Rules may make
13
provision for or in relation to the following:
14
(a) processes to be followed during a compliance assessment or
15
after a compliance assessment has been conducted;
16
(b) information that must be provided to or by an entity during a
17
compliance assessment or after a compliance assessment has
18
been conducted;
19
(c) requirements in relation to reports to be provided in relation
20
to a compliance assessment;
21
(d) actions the Digital ID Regulator may require the entity
22
subject to a compliance assessment to take during the
23
compliance assessment or after the assessment has been
24
conducted.
25
(6) This section does not limit the Accreditation Rules that may be
26
made for the purposes of section 28.
27
132 Entities must provide assistance to persons undertaking
28
compliance assessments
29
An entity that is the subject of a compliance assessment must
30
provide the person undertaking the assessment with the facilities
31
and assistance that are reasonably necessary for the conduct of the
32
compliance assessment.
33
Administration
Chapter 9
Compliance and enforcement
Part 2
Power to require information or documents
Division 4
Section 133
No. , 2023
Digital ID Bill 2023
131
Division
4--Power to require information or documents
1
133
Digital ID Regulator's p
ower to require information or
2
documents
3
(1) This section applies if the Digital ID Regulator reasonably believes
4
that an entity has or may have information or documents relevant
5
to:
6
(a) whether an entity is complying, or has complied, with the
7
entity's obligations under this Act; or
8
(b)
the performance of the Digital ID Regulator's functions, or
9
the exercise of any of the Digital ID Reg
ulator's powers,
10
under this Act.
11
(2) The Digital ID Regulator may, by written notice, require the entity:
12
(a) to give to the Digital ID Regulator, within the period and in
13
the manner and form specified in the notice, any such
14
information; or
15
(b) to produce to the Digital ID Regulator, within the period and
16
in the manner specified in the notice, any such documents.
17
(3) A period specified in a notice under subsection (2) must not be less
18
than 28 days after the notice is given.
19
(4) A notice under subsection (2) must contain a statement to the effect
20
that an entity may be liable to a civil penalty if the entity fails to
21
comply with the notice.
22
(5) An entity must comply with a requirement under subsection (2)
23
within the period and in the manner specified in the notice.
24
Civil penalty:
1,000 penalty units.
25
(6) Subsection (5) does not apply if the entity has a reasonable excuse.
26
Note:
A person who wishes to rely on this subsection bears an evidential
27
burden in relation to the matter mentioned in this subsection (see
28
section 96 of the Regulatory Powers Act).
29
Chapter 9
Administration
Part 2
Compliance and enforcement
Division 4
Power to require information or documents
Section 134
132
Digital ID Bill 2023
No. , 2023
134
System Administrator's power to require information or
1
documents
2
(1) This section applies if the System Administrator reasonably
3
believes that an entity has or may have information or documents
4
relevant to the operation of the Australian Government Digital ID
5
System.
6
(2) The System Administrator may, by written notice, require the
7
entity:
8
(a) to give to the System Administrator, within the period and in
9
the manner and form specified in the notice, any such
10
information; or
11
(b) to produce to the System Administrator, within the period
12
and in the manner specified in the notice, any such
13
documents.
14
(3) A period specified in a notice under subsection (2) must not be less
15
than 28 days after the notice is given.
16
(4) A notice under subsection (2) must contain a statement to the effect
17
that an entity may be liable to a civil penalty if the entity fails to
18
comply with the notice.
19
(5) An entity must comply with a requirement under subsection (2)
20
within the period and in the manner specified in the notice.
21
Civil penalty:
1,000 penalty units.
22
(6) Subsection (5) does not apply if the entity has a reasonable excuse.
23
Note:
A person who wishes to rely on this subsection bears an evidential
24
burden in relation to the matter mentioned in this subsection (see
25
section 96 of the Regulatory Powers Act).
26
Administration
Chapter 9
Record keeping
Part 3
Section 135
No. , 2023
Digital ID Bill 2023
133
Part
3--Record keeping
1
2
135 Record keeping by participating entities and former
3
participating entities
4
(1) This section applies to:
5
(a) entities that hold an approval to participate in the Australian
6
Government Digital ID System; and
7
(b) entities whose approval to participate in the Australian
8
Government Digital ID System is suspended; and
9
(c) entities whose approval to participate in the Australian
10
Government Digital ID System has been revoked.
11
(2) However, this section does not apply to relying parties.
12
(3) The entity must keep records of the kind, for the period and in the
13
manner prescribed by the Digital ID Rules.
14
Civil penalty:
1,000 penalty units.
15
(4) Digital ID Rules made for the purposes of subsection (3):
16
(a) must not prescribe records of a kind that do not relate to
17
information obtained by entities through the Australian
18
Government Digital ID System; and
19
(b) may only prescribe a period of retention of more than 7 years
20
if specified circumstances apply in relation to the record.
21
Note:
For the purposes of paragraph (b), specified circumstances may
22
include legal proceedings involving the entity and the records.
23
136 Destruction or de-identification of certain information
24
(1) This section applies to:
25
(a) accredited entities that hold an approval to participate in the
26
Australian Government Digital ID System; and
27
(b) accredited entities whose approval to participate in the
28
Australian Government Digital ID System is suspended; and
29
Chapter 9
Administration
Part 3
Record keeping
Section 136
134
Digital ID Bill 2023
No. , 2023
(c) accredited entities whose approval to participate in the
1
Australian Government Digital ID System has been revoked.
2
(2) The accredited entity must destroy or de-identify information in the
3
possession or control of the entity if:
4
(a) the information is personal information; and
5
(b) the information was obtained by the entity through the
6
Australian Government Digital ID System; and
7
(c) the entity is not required or authorised to retain the
8
information by or under:
9
(i) this Act; or
10
(ii) another law of the Commonwealth; or
11
(iii) a law of a State or Territory; or
12
(iv) a court/tribunal order (within the meaning of the
13
Privacy Act 1988
); and
14
(d) the information does not relate to any current or anticipated
15
legal proceedings or dispute resolution proceedings to which
16
the entity is a party.
17
Note:
For the purposes of subparagraph (c)(i), the entity may be required to
18
retain the information for a specified period under Digital ID Rules
19
made for the purposes of section 135.
20
Civil penalty:
1,000 penalty units.
21
Administration
Chapter 9
Review of decisions
Part 4
Section 137
No. , 2023
Digital ID Bill 2023
135
Part
4--Review of decisions
1
2
137 Reviewable decisions
3
(1) A decision referred to in column 1 of an item of the following table
4
is a
reviewable decision
. An entity referred to in column 2 of the
5
item is the
affected entity
for the decision.
6
7
Reviewable decisions
Item
Column 1
Reviewable decision
Column 2
Affected entity
1
A decision by the Digital ID Regulator
under section 15 to refuse to accredit
an entity as an accredited entity (other
than on the ground referred to in
paragraph 15(4)(a))
The entity who made the
application
2
A decision by the Digital ID Regulator
under paragraph 17(2)(a) to impose a
condition on an entity's accreditation
The entity on whom the condition
is imposed
3
A decision by the Digital ID Regulator
under subsection 17(2) to refuse to
impose, on application by an entity, a
condition on the entity's accreditation
The entity who made the
application
4
A decision by the Digital ID Regulator
under subsection 20(1) to vary, on the
Digital ID Regulator's own init
iative,
the conditions imposed on an entity's
accreditation
The entity on whom the
conditions are imposed
5
A decision by the Digital ID Regulator
under subsection 20(1) to refuse to
vary, on application by an accredited
entity, the conditions imposed on the
entity's accreditation
The entity who made the
application
6
A decision by the Digital ID Regulator
under subsection 25(2) to suspend the
accreditation of an accredited entity
The accredited entity
Chapter 9
Administration
Part 4
Review of decisions
Section 137
136
Digital ID Bill 2023
No. , 2023
Reviewable decisions
Item
Column 1
Reviewable decision
Column 2
Affected entity
7
A decision by the Digital ID Regulator
under subsection 25(6) to refuse to
suspend the accreditation of an
accredited entity
The accredited entity
8
A decision by the Digital ID Regulator
under subsection 26(2) to revoke an
entity's accreditation
The entity whose accreditation is
revoked
9
A decision by the Minister to give a
direction under subsection 27(1)
The entity subject to the direction
10
A decision by the Digital ID Regulator
under section 62 to refuse to approve
an entity to participate in the
Australian Government Digital ID
System (other than on the ground
referred to in subsection 62(4))
The entity who made the
application
11
A decision by the Digital ID Regulator
under paragraph 64(2)(a) to impose a
condition on an entity's approval to
participate in the Australian
Government Digital ID System
The entity on whom the condition
is imposed
12
A decision by the Digital ID Regulator
under paragraph 64(2)(a) to refuse to
impose, on application by an entity, a
condition on the entity's approval to
participate in the Australian
Government Digital ID System
The entity who made the
application
13
A decision by the Digital ID Regulator
under subsection 66(1) to vary or
revoke
, on the Digital ID Regulator's
own initiative, a condition imposed on
an entity's approval to participate in
the Australian Government Digital ID
System
The entity on whom the condition
is imposed
14
A decision by the Digital ID Regulator
under subsection 66(1) to refuse to
The entity who made the
application
Administration
Chapter 9
Review of decisions
Part 4
Section 137
No. , 2023
Digital ID Bill 2023
137
Reviewable decisions
Item
Column 1
Reviewable decision
Column 2
Affected entity
vary, on application by an entity, a
condition imposed on the entity's
approval to participate in the
Australian Government Digital ID
System
15
A decision by the Digital ID Regulator
under subsection 71(2) to suspend an
entity's approval to participate in the
Australian Government Digital ID
System
The entity that holds the approval
16
A decision by the Digital ID Regulator
under subsection 71(5) to refuse to
suspend, on application by an entity,
the entity's approval to participate in
the Australian Government Digital ID
System
The entity who made the
application
17
A decision by the Digital ID Regulator
under subsection 71(12) to refuse to
revoke a suspension of an entity's
approval to participate in the
Australian Government Digital ID
System
The entity whose approval is
suspended
18
A decision by the Digital ID Regulator
under subsection 72(2) to revoke an
entity's approval to participate in the
Australian Government Digital ID
System
The entity that held the approval
19
A decision by the Minister to give a
direction under subsection 73(1)
The entity subject to the direction
20
A decision by the Digital ID Regulator
under subsection 74(4) to refuse to
grant an exemption to a participating
relying party
The participating relying party
who made the application
21
A decision by the Digital ID Regulator
under subsection 86(1) to direct an
accredited entity to maintain adequate
The entity subject to the direction
Chapter 9
Administration
Part 4
Review of decisions
Section 138
138
Digital ID Bill 2023
No. , 2023
Reviewable decisions
Item
Column 1
Reviewable decision
Column 2
Affected entity
insurance
22
A decision by the Digital ID Regulator
to give a direction to an entity under
Subdivision A of Division 2 of Part 2
of Chapter 9
The entity subject to the direction
23
A decision by the System
Administrator to give a direction to an
entity under Subdivision B of
Division 2 of Part 2 of Chapter 9
The entity subject to the direction
(2) The Digital ID Rules may also:
1
(a) provide that a decision made under a specified provision of
2
this Act is a
reviewable decision
; and
3
(b) specify the entity who is an
affected entity
for the reviewable
4
decision.
5
(3) Despite subsection (1), a decision made for reasons of security
6
(within the meaning of the
Australian Security Intelligence
7
Organisation Act 1979
) in relation to an entity that is not an
8
Australian entity is not a
reviewable decision
.
9
138 Internal review of decisions
10
(1) If a reviewable decision is made by a delegate of the
11
decision-maker for the reviewable decision, the affected entity for
12
the reviewable decision may apply in writing to the decision-maker
13
for review (an
internal review
) of the decision.
14
(2) An application for an internal review must be made within 28 days
15
after the day on which the decision first came to the notice of the
16
applicant.
17
Administration
Chapter 9
Review of decisions
Part 4
Section 139
No. , 2023
Digital ID Bill 2023
139
139 Reconsideration by decision-maker
1
(1) Within 90 days after receiving an application under section 138 for
2
internal review, the decision-maker for the reviewable decision
3
must:
4
(a) review the decision; and
5
(b) affirm, vary or revoke the decision; and
6
(c) if the decision-maker revokes the decision
--
make such other
7
decision (if any) that the decision-maker thinks appropriate.
8
(2) The decision-maker for the reviewable decision must, as soon as
9
practicable after making a decision under subsection (1), give the
10
applicant a written statement of the decision-maker
's reasons for
11
the decision.
12
(3) If the decision-
maker's
functions under this section are performed
13
by a delegate of the decision-maker for the reviewable decision,
14
the delegate who makes the decision under subsection (1):
15
(a) must not have been involved in making the original
16
reviewable decision; and
17
(b) must hold a position or perform duties of a higher level than
18
the delegate who made the original reviewable decision.
19
140 Review by the Administrative Appeals Tribunal
20
(1) Applications may be made to the Administrative Appeals Tribunal
21
for review of the following decisions:
22
(a) a reviewable decision made by the decision-maker for the
23
reviewable decision personally;
24
(b) an internal review decision made by the decision-maker for
25
the reviewable decision under subsection 139(1).
26
(2) An application under subsection (1) may be made only by, or on
27
behalf of, an affected entity for the reviewable decision.
28
(3) Subsection (2) has effect despite subsection 27(1) of the
29
Administrative Appeals Tribunal Act 1975
.
30
Chapter 9
Administration
Part 5
Applications under this Act
Section 141
140
Digital ID Bill 2023
No. , 2023
Part
5--Applications under this Act
1
2
141 Requirements for applications
3
(1) An application made under this Act must:
4
(a) be given in a form and manner for that kind of application
5
approved by the person to whom the application is made; and
6
(b) be accompanied by any information or documents required
7
by the form; and
8
(c) be accompanied by any information or documents required
9
by the Digital ID Rules or the Accreditation Rules; and
10
(d) if Digital ID Rules made for the purposes of section 144
11
specify a fee that must accompany the application and
12
payment of the fee has not been waived
--
be accompanied by
13
the fee.
14
Note:
A decision on an application is not required to be made if this
15
subsection is not complied with (see section 143).
16
(2) The person to whom the application is made may accept any
17
information or document previously given to the person in
18
connection with another application made under this Act as
19
satisfying any requirement to give that information or document
20
under subsection (1).
21
(3) To avoid doubt, approval may be given for:
22
(a) different forms for different kinds of applications; or
23
(b) a single form for more than one kind of application.
24
142 Powers in relation to applications
25
(1) If a person (the
applicant
) makes an application under this Act, the
26
person to whom the application is made may, by written notice,
27
require the applicant to give the person such further information or
28
documents in relation to the application as the person reasonably
29
requires.
30
Note 1:
The person is not required to make a decision on the application if this
31
subsection is not complied with (see section 143).
32
Administration
Chapter 9
Applications under this Act
Part 5
Section 143
No. , 2023
Digital ID Bill 2023
141
Note 2:
The Digital ID Regulator may also require an applicant to undergo a
1
compliance assessment before making a decision on the application
2
(see section 131).
3
(2) A notice under subsection (1) may specify a period, which must
4
not be less than 14 days, within which the information or
5
documents must be given.
6
143 Decisions not required to be made in certain circumstances
7
(1) If this Act requires an application to be in a form approved by the
8
person to whom the application is made, the person is not required
9
to make a decision on the application if it is not in that form.
10
(2) If this Act requires an application to be accompanied by
11
information or documents, the person to whom the application is
12
made is not required to make a decision on the application until the
13
information or documents are provided.
14
(3) If this Act permits a person to require further information or
15
documents in relation to an application, the person is not required
16
to make a decision on the application until the information or
17
documents are provided.
18
(4) If the Digital ID Regulator requires a compliance assessment to be
19
conducted for the purposes of making a decision under this Act, the
20
Digital ID Regulator is not required to make the decision until the
21
assessment is conducted.
22
(5) If Digital ID Rules made for the purposes of section 144 specify a
23
fee that must accompany an application and payment of the fee has
24
not been waived, the person to whom the application is made is not
25
required to make a decision on the application until the fee is paid.
26
Chapter 9
Administration
Part 6
Fees
Division 1
Fees charged by the Digital ID Regulator
Section 144
142
Digital ID Bill 2023
No. , 2023
Part
6--Fees
1
Division
1--Fees charged by the Digital ID Regulator
2
144 Charging of fees by Digital ID Regulator etc.
3
(1) The Digital ID Rules may make provision in relation to the
4
charging of fees by:
5
(a) the Digital ID Regulator for activities carried out by or on
6
behalf of the Digital ID Regulator in performing functions or
7
exercising powers under this Act; or
8
(b) other persons to whom application may be made under this
9
Act.
10
(2) Without limiting subsection (1), the Digital ID Rules may do any
11
of the following:
12
(a) prescribe a fee by specifying the amount of the fee or a
13
method of working out the fee;
14
(b) specify that the amount of a fee is the cost incurred by the
15
Digital ID Regulator in arranging and paying for another
16
person to carry out a relevant activity;
17
(c) make provision for when and how fees are to be paid;
18
(d) make provision in relation to penalties for late payment of
19
specified fees;
20
(e) make provision in relation to the refund, remission or waiver
21
of specified fees or penalties for late payment of specified
22
fees.
23
(3) However, the Digital ID Rules made for the purposes of
24
subsection (1) must not provide for the charging of a fee to an
25
individual for the creation or use of a digital ID of the individual.
26
(4) A fee prescribed by the Digital ID Rules made under subsection (1)
27
is payable to the Commonwealth.
28
(5) The amount of a fee may be nil.
29
Administration
Chapter 9
Fees
Part 6
Fees charged by the Digital ID Regulator
Division 1
Section 145
No. , 2023
Digital ID Bill 2023
143
(6) A fee prescribed by the Digital ID Rules must not be such as to
1
amount to taxation.
2
(7) If a fee is payable for a service, the service need not be provided
3
while the fee remains unpaid. The Digital ID Rules may provide
4
for the extension of any times for providing services accordingly.
5
145 Review of fees
6
(1) The Minister must cause periodic reviews of rules made for the
7
purposes of subsection 144(1) to be undertaken.
8
(2) The first review must:
9
(a) start no later than 2 years after rules made for the purposes of
10
subsection 144(1) commence; and
11
(b) be completed within 12 months.
12
(3) Subsequent reviews must:
13
(a) start no later than every 2 years after the completion of the
14
previous review; and
15
(b) be completed within 12 months.
16
(4) The Minister must cause a written report about each review to be
17
prepared and published on the Digital ID Regulator
's website.
18
146 Recovery of fees charged by the Digital ID Regulator
19
A fee charged by the Digital ID Regulator that is due and payable
20
to the Commonwealth under this Act may be recovered as a debt
21
due to the Commonwealth by action in a court of competent
22
jurisdiction.
23
147 Commonwealth not liable to pay fees charged by entities that
24
are part of the Commonwealth
25
(1) The Commonwealth is not liable to pay a fee that is payable under
26
this Act to a part of the Commonwealth that is not a separate legal
27
entity. However, it is the Parliament's intention that the
28
Commonwealth should be notionally liable to pay such a fee.
29
Chapter 9
Administration
Part 6
Fees
Division 1
Fees charged by the Digital ID Regulator
Section 147
144
Digital ID Bill 2023
No. , 2023
(2) The Finance Minister may give such written directions as are
1
necessary or convenient for carrying out or giving effect to
2
subsection (1) and, in particular, may give directions in relation to
3
the transfer of money within an account, or between accounts,
4
operated by the Commonwealth.
5
(3) Directions under subsection (2) have effect, and must be complied
6
with, despite any other law of the Commonwealth.
7
(4) Directions under subsection (2) are not legislative instruments.
8
(5) In this subsection:
9
Commonwealth
includes a Commonwealth entity (within the
10
meaning of the
Public Governance, Performance and
11
Accountability Act 2013)
that cannot be made liable to taxation by
12
a law of the Commonwealth.
13
Administration
Chapter 9
Fees
Part 6
Fees charged by accredited entities
Division 2
Section 148
No. , 2023
Digital ID Bill 2023
145
Division
2--Fees charged by accredited entities
1
148 Charging of fees by accredited entities in relation to the
2
Australian Government Digital ID System
3
(1) An accredited entity that charges fees in relation to its accredited
4
services that it provides in relation to the Australian Government
5
Digital ID System must do so in accordance with the Digital ID
6
Rules (if any) made for the purposes of subsection (2).
7
(2) The Digital ID Rules may make provision in relation to the
8
charging of fees by accredited entities for services provided in
9
relation to Australian Government Digital ID System.
10
(3) Without limiting subsection (2), the Digital ID Rules may do any
11
of the following:
12
(a) prescribe a fee by specifying the amount of the fee or a
13
method of working out the fee;
14
(b) make provision for when and how fees may be charged;
15
(c) make provision in relation to the conduct of periodic reviews
16
of fees;
17
(d) make provision for any other matters in relation to the
18
charging of fees, including in relation to exemptions, refunds,
19
remissions or waivers.
20
(4) The amount of a fee may be nil.
21
(5) This section, and rules made for the purposes of subsection (2), do
22
not otherwise affect the ability of an accredited entity to charge
23
fees for its accredited services, either in relation to the Australian
24
Government Digital ID System or otherwise.
25
Chapter 10
Other matters
Part 1
Introduction
Section 149
146
Digital ID Bill 2023
No. , 2023
Chapter
10--Other matters
1
Part
1--Introduction
2
3
149 Simplified outline of this Chapter
4
The Minister may establish advisory committees to provide advice
5
to the following in relation to matters arising under this Act:
6
(a) the Minister;
7
(b) the Secretary;
8
(c) the Digital ID Data Standards Chair.
9
A person commits an offence if the person obtains certain kinds of
10
information in the course of, or for the purposes of, performing
11
functions or exercising powers under this Act and the person uses
12
or discloses the information. There are some exceptions.
13
This Chapter also deals with matters of an administrative nature,
14
including:
15
(a) annual reports by the Digital ID Regulator and the
16
Information Commissioner; and
17
(b) delegations; and
18
(c) rule-making powers.
19
Other matters
Chapter 10
Advisory committees
Part 2
Section 150
No. , 2023
Digital ID Bill 2023
147
Part
2--Advisory committees
1
2
150 Advisory committees
3
(1) The Minister may establish, in writing, such advisory committees
4
as the Minister considers appropriate to provide advice to the
5
following in relation to matters arising under this Act, including
6
but not limited to the performance of the Digital ID Regulator's
7
functions and exercise of the Digital ID Regulator's powers under
8
this Act:
9
(a) the Minister;
10
(b) the Secretary;
11
(c) the System Administrator;
12
(d) the Digital ID Data Standards Chair.
13
(2) An advisory committee is to consist of such persons as the Minister
14
determines.
15
(3) If the Minister establishes an advisory committee under
16
subsection (1), the Minister must, in writing, determine:
17
(a)
the committee's terms of reference;
and
18
(b) the terms and conditions of appointment of the members of
19
the committee, including:
20
(i) term of office; and
21
(ii) remuneration; and
22
(iii) allowances; and
23
(iv) leave of absence; and
24
(v) disclosure of interests; and
25
(vi) termination of membership; and
26
(c) the procedures to be followed by the committee.
27
(4) An instrument made under subsection (1) or (3) is not a legislative
28
instrument.
29
Chapter 10
Other matters
Part 3
Confidentiality
Section 151
148
Digital ID Bill 2023
No. , 2023
Part
3--Confidentiality
1
2
151 Prohibition on entrusted persons using or disclosing certain
3
kinds of protected information
4
Offence
5
(1) A person commits an offence if:
6
(a) the person is or has been an entrusted person; and
7
(b) the person obtains protected information in the course of, or
8
for the purposes of, performing functions or exercising
9
powers under this Act; and
10
(c) the person uses or discloses the information; and
11
(d) either of the following applies:
12
(i) the information is personal information about an
13
individual;
14
(ii) there is a risk that the use or disclosure might
15
substantially prejudice the commercial interests of
16
another person.
17
Penalty: Imprisonment for 2 years or 120 penalty units, or both.
18
(2) An
entrusted person
means:
19
(a) the Digital ID Regulator; or
20
(b) a member of the Commission (within the meaning of the
21
Competition and Consumer Act 2010
); or
22
(c) an associate member of the Australian Competition and
23
Consumer Commission; or
24
(d) a member of the staff of the Australian Competition and
25
Consumer Commission; or
26
(e) a person engaged under section 27A of the
Competition and
27
Consumer Act 2010
; or
28
(f) the System Administrator; or
29
(g) a person referred to in section 16 of the
Human Services
30
(Centrelink) Act 1997
.
31
Other matters
Chapter 10
Confidentiality
Part 3
Section 152
No. , 2023
Digital ID Bill 2023
149
Exception
--
authorised use or disclosure
1
(3) Subsection (1) does not apply if the use or disclosure is authorised
2
by section 152 (authorised uses and disclosures).
3
Note:
A defendant bears an evidential burden in relation to a matter in this
4
subsection (see subsection 13.3(3) of the
Criminal Code
).
5
Definition of protected information
6
(4)
Protected information
means information that was disclosed or
7
obtained under or for the purposes of this Act.
8
152 Authorised uses and disclosures of protected information by
9
entrusted persons
10
(1) An entrusted person may use or disclose protected information if:
11
(a) the use or disclosure is made for the purposes of:
12
(i) performing a duty or function, or exercising a power,
13
under or in relation to this Act; or
14
(ii) enabling another person to perform duties or functions,
15
or exercise powers, under or in relation to this Act; or
16
(iii) assisting in the administration or enforcement of another
17
law of the Commonwealth or a law of a Territory; or
18
(iv) assisting in the administration or enforcement of a law
19
of a State that is prescribed by the Digital ID Rules; or
20
(b) the use or disclosure is required or authorised by or under:
21
(i) a law of the Commonwealth (including this Act) or of a
22
Territory; or
23
(ii) a law of a State that is prescribed by the Digital ID
24
Rules; or
25
(c) the person referred to in subparagraph 151(1)(d)(i) or (ii) has
26
expressly consented to the use or disclosure; or
27
(d) at the time of the use or disclosure, the protected information
28
is already lawfully publicly available; or
29
(e) both:
30
(i) the use or disclosure is, or is a kind of use or disclosure
31
that is, certified in writing by the Minister to be in the
32
public interest; and
33
Chapter 10
Other matters
Part 3
Confidentiality
Section 153
150
Digital ID Bill 2023
No. , 2023
(ii) the use or disclosure is made in accordance with any
1
requirements prescribed by the Digital ID Rules.
2
(2) An instrument made under subparagraph (1)(e)(i) certifying that a
3
particular use or disclosure is in the public interest is not a
4
legislative instrument.
5
(3) An instrument made under subparagraph (1)(e)(i) certifying that a
6
kind of use or disclosure is in the public interest is a legislative
7
instrument.
8
153 Disclosing personal or commercially sensitive information to
9
courts and tribunals etc. by entrusted persons
10
(1) Except where it is necessary to do so for the purposes of giving
11
effect to this Act, an entrusted person is not to be required:
12
(a) to produce a document containing protected information to a
13
body mentioned in subsection (2); or
14
(b) to disclose protected information to such a body;
15
if either of the following applies:
16
(c) the information is personal information of an individual other
17
than the entrusted person;
18
(d) there is a risk that production of the document or disclosure
19
of the information might substantially prejudice the
20
commercial interests of a person.
21
(2) The bodies are a court, tribunal, authority or other person having
22
power to require the production of documents or the answering of
23
questions.
24
Other matters
Chapter 10
Other matters
Part 4
Section 154
No. , 2023
Digital ID Bill 2023
151
Part
4--Other matters
1
2
154 Annual report by the Digital ID Regulator
3
(1) After the end of each financial year, the Digital ID Regulator must
4
prepare and give a report to the Minister, for presentation to the
5
Parliament, on the Digital ID Regulator
's activities during the
6
financial year.
7
(2) The report must include the following:
8
(a) information about the operation of the accreditation scheme,
9
including:
10
(i) the number of applications for accreditation made under
11
section 14; and
12
(ii) the number of accreditations granted under section 15;
13
(b) information about the operation of the Australian
14
Government Digital ID System, including:
15
(i) the number of applications made to participate in the
16
system under section 61; and
17
(ii) the number of approvals granted to participate in the
18
system under section 62; and
19
(iii) the number of digital ID fraud incidents or cyber
20
security incidents, and the responses to any such
21
incidents;
22
(c) information on any other matters notified by the Minister to
23
the Digital ID Regulator.
24
(3) The report must be given to the Minister by:
25
(a) the 30th day of October; or
26
(b) the end of any further period granted under
27
subsection 34C(5) of the
Acts Interpretation Act 1901
.
28
155 Annual report by Information Commissioner
29
The annual report prepared by the Information Commissioner and
30
given to the Minister under section 46 of the
Public Governance,
31
Chapter 10
Other matters
Part 4
Other matters
Section 156
152
Digital ID Bill 2023
No. , 2023
Performance and Accountability Act 2013
for a period must
1
include information about the performance of the Information
2
Commis
sioner's functions, and the exercise of the Information
3
Commissioner's powers, under or in relation to
Part 2 of Chapter 3
4
of this Act during the period.
5
156 How this Act applies in relation to non-legal persons
6
How permissions and rights are conferred and exercised
7
(1) If this Act purports to confer a permission or right on an entity that
8
is not a legal person, the permission or right:
9
(a) is conferred on each person who is an accountable person for
10
the entity at the time the permission or right may be
11
exercised; and
12
(b) may be exercised by:
13
(i) any person who is an accountable person for the entity
14
at the time the permission or right may be exercised; or
15
(ii) any person who is authorised by a person referred to in
16
subparagraph (i) to exercise the permission or right.
17
How obligations and duties are imposed and discharged
18
(2) If this Act purports to impose an obligation or duty on an entity
19
that is not a legal person, the obligation or duty:
20
(a) is imposed on each person who is an accountable person for
21
the entity at the time the obligation or duty arises or is in
22
operation; and
23
(b) may be discharged by:
24
(i) any person who is an accountable person for the entity
25
at the time the obligation or duty arises or is in
26
operation; or
27
(ii) any person who is authorised by a person referred to in
28
subparagraph (i) to discharge the obligation or duty.
29
Other matters
Chapter 10
Other matters
Part 4
Section 157
No. , 2023
Digital ID Bill 2023
153
How non-legal persons contravene this Act
1
(3) A provision of this Act (including a civil penalty provision) that is
2
purportedly contravened by an entity that is not a legal person is
3
instead contravened by each accountable person for the entity who:
4
(a) did the relevant act or made the relevant omission; or
5
(b) aided, abetted, counselled or procured the relevant act or
6
omission; or
7
(c) was in any way knowingly concerned in, or party to, the
8
relevant act or omission.
9
Meaning of accountable person
10
(4) For the purposes of this section, a person is an
accountable person
11
for an entity at a particular time if:
12
(a) in the case of a partnership in which one or more of the
13
partners is an individual
--
the individual is a partner in the
14
partnership at that time; or
15
(b) in the case of a partnership in which one or more of the
16
partners is a body corporate
--
the person is a director of the
17
body corporate at that time; or
18
(c) in the case of a trust in which the trustee, or one or more of
19
the trustees, is an individual
--
the individual is a trustee of
20
the trust at that time; or
21
(d) in the case of a trust in which the trustee, or one or more of
22
the trustees, is a body corporate
--
the person is a director of
23
the body corporate at that time; or
24
(e) in the case of an unincorporated association
--
the person is a
25
member of the governing body of the unincorporated
26
association at that time.
27
157 Attributing conduct to the Commonwealth, States and
28
Territories etc.
29
(1) In determining whether the Commonwealth, a State or a Territory
30
(each of which is a
government body
) has contravened this Act
31
(including a civil penalty provision):
32
(a) conduct engaged in on behalf of the government body by an
33
employee, agent or officer of the government body acting
34
Chapter 10
Other matters
Part 4
Other matters
Section 158
154
Digital ID Bill 2023
No. , 2023
within the scope (actual or apparent) of their employment or
1
authority is taken to have been engaged in also by the
2
government body; and
3
(b) if it is necessary to establish intention, knowledge or
4
recklessness, or any other state of mind, of the government
5
body, it is sufficient to establish the intention of the person
6
mentioned in paragraph (a).
7
(2) Despite paragraph (1)(a), a government body does not contravene a
8
provision of this Act because of conduct of a person that the
9
government body is taken to have engaged in, if it is established
10
that the government body took reasonable precautions and
11
exercised due diligence to avoid the conduct.
12
(3) If an infringement notice is to be given to a government body
13
under Part 5 of the Regulatory Powers Act, the entity whose acts or
14
omissions are alleged to have contravened the provision subject to
15
the infringement notice may be specified in the infringement
16
notice.
17
(4) If civil penalty proceedings are brought against a government body
18
in relation to a contravention of a civil penalty provision of this
19
Act, the entity whose acts or omissions are alleged to have
20
contravened the provision may be specified in any document
21
initiating, or relating to, the proceedings.
22
(5) Despite paragraph 82(5)(b) of the Regulatory Powers Act, if a
23
government body contravenes a civil penalty provision of this Act,
24
the maximum penalty that a court may order the government body
25
to pay is 5 times the pecuniary penalty specified for the civil
26
penalty provision.
27
158 Bodies corporate and due diligence
28
For the purposes of section 97 of the Regulatory Powers Act (about
29
attributing contraventions of employees etc. to a body corporate), a
30
body corporate does not contravene a civil penalty provision of this
31
Act because of conduct of a person that the body corporate is taken
32
to have engaged in, if it is established that the body corporate took
33
reasonable precautions and exercised due diligence to avoid the
34
conduct.
35
Other matters
Chapter 10
Other matters
Part 4
Section 159
No. , 2023
Digital ID Bill 2023
155
159 Protection from civil action
1
(1) This section applies to the following:
2
(a) the Minister;
3
(b) the Digital ID Regulator;
4
(c) a member of the Commission (within the meaning of the
5
Competition and Consumer Act 2010
);
6
(d) an associate member of the Australian Competition and
7
Consumer Commission;
8
(e) a member of the staff of the Australian Competition and
9
Consumer Commission;
10
(f) the System Administrator;
11
(g) a person referred to in section 16 of the
Human Services
12
(Centrelink) Act 1997
;
13
(h) the Digital ID Data Standards Chair;
14
(i) the staff referred to in section 115 of this Act.
15
(2) A person mentioned in subsection (1) is not liable to an action or
16
other proceeding for damages for, or in relation to, an act done or
17
omitted to be done in good faith by the person:
18
(a) in the performance, or purported performance, of any
19
functions under this Act; or
20
(b) in the exercise, or purported exercise, of any powers under
21
this Act.
22
160 Geographical jurisdiction of civil penalty provisions
23
Geographical jurisdiction of civil penalty provisions
24
(1) An entity does not contravene a civil penalty provision of this Act
25
unless:
26
(a) the conduct constituting the alleged contravention occurs
27
wholly or partly in Australia, or wholly or partly on board an
28
Australian aircraft or Australian ship; or
29
(b) the conduct constituting the alleged contravention occurs
30
wholly outside Australia and a result of the conduct occurs:
31
(i) wholly or partly in Australia; or
32
Chapter 10
Other matters
Part 4
Other matters
Section 160
156
Digital ID Bill 2023
No. , 2023
(ii) wholly or partly on board an Australian aircraft or an
1
Australian ship; or
2
(c) the conduct constituting the alleged contravention occurs
3
wholly outside Australia and, at the time of the alleged
4
contravention, the entity is an Australian entity; or
5
(d) all of the following conditions are satisfied:
6
(i) the alleged contravention is an ancillary contravention;
7
(ii) the conduct constituting the alleged contravention
8
occurs wholly outside Australia;
9
(iii) the conduct constituting the primary contravention to
10
which the ancillary contravention relates, or a result of
11
that conduct, occurs wholly or partly in Australia or
12
wholly or partly on board an Australian aircraft or an
13
Australian ship.
14
Defence for primary contravention
15
(2) Despite subsection (1), an entity does not contravene a civil
16
penalty provision of this Act if:
17
(a) the alleged contravention is a primary contravention; and
18
(b) the conduct constituting the alleged contravention occurs
19
wholly in a foreign country, but not on board an Australian
20
aircraft or Australian ship; and
21
(c) the entity is not an Australian entity; and
22
(d) there is not in force, in the foreign country or the part of the
23
foreign country where the conduct constituting the alleged
24
contravention or offence occurred, a law creating a pecuniary
25
or criminal penalty for conduct corresponding to the conduct
26
constituting the alleged contravention.
27
Defence for ancillary contravention
28
(3) Despite subsection (1), an entity does not contravene a civil
29
penalty provision of this Act if:
30
(a) the alleged contravention is an ancillary contravention; and
31
(b) the conduct constituting the alleged contravention occurs
32
wholly in a foreign country, but not on board an Australian
33
aircraft or an Australian ship; and
34
Other matters
Chapter 10
Other matters
Part 4
Section 160
No. , 2023
Digital ID Bill 2023
157
(c) the conduct constituting the primary contravention to which
1
the alleged contravention relates, or a result of that conduct,
2
occurs wholly in a foreign country, but not on board an
3
Australian aircraft or Australian ship; and
4
(d) the entity is not an Australian entity; and
5
(e) there is not in force, in the foreign country or the part of the
6
foreign country where the conduct constituting the alleged
7
contravention occurred, a law creating a pecuniary or
8
criminal penalty for conduct corresponding to the conduct
9
constituting the primary contravention to which the alleged
10
contravention relates.
11
Evidential burden
12
(4) An entity who is alleged to have contravened a civil penalty
13
provision of this Act and who wishes to rely on subsection (2) or
14
(3) bears an evidential burden (within the meaning of the
15
Regulatory Powers Act) in relation to the matters set out in the
16
subsection.
17
Other matters
18
(5) A reference in this section to a result of conduct is a reference to a
19
result that is an element of the civil penalty provision.
20
(6) For the purposes of this section and without limitation, if an entity
21
sends, or causes to be sent, an electronic communication or other
22
thing:
23
(a) from a point outside Australia to a point in Australia; or
24
(b) from a point in Australia to a point outside Australia;
25
that conduct is taken to have occurred partly in Australia.
26
Definitions
27
(7) In this section:
28
ancillary contravention
of a civil penalty provision means a
29
contravention that arises out of the operation of section 92 of the
30
Regulatory Powers Act.
31
Australian aircraft
has the same meaning as in the
Criminal Code
.
32
Chapter 10
Other matters
Part 4
Other matters
Section 161
158
Digital ID Bill 2023
No. , 2023
Australian ship
has the same meaning as in the
Criminal Code
.
1
electronic communication
has the same meaning as in the
2
Criminal Code
.
3
foreign country
has the same meaning as in the Criminal Code.
4
point
includes a mobile or potentially mobile point, whether on
5
land, underground, in the atmosphere, underwater, at sea or
6
anywhere else.
7
primary contravention
of a civil penalty provision means a
8
contravention that does not arise out of the operation of section 92
9
of the Regulatory Powers Act.
10
161 Interaction with tax file number offences
11
To avoid doubt, nothing in this Act affects or limits the operation
12
of:
13
(a) sections 8WA and 8WB of the
Taxation Administration Act
14
1953
; or
15
(b) rules made under section 17 of the
Privacy Act 1988
.
16
Note 1:
Sections 8WA and 8WB of the
Taxation Administration Act 1953
17
contain offences for unauthorised use etc. of tax file numbers.
18
Note 2:
Section 17 of the
Privacy Act 1988
requires the Information
19
Commissioner to issue rules concerning the collection, storage, use
20
and security of tax file numbers.
21
162 Review of operation of Act
22
(1) The Minister must cause a review of the operation of this Act to be
23
undertaken.
24
(2) The review must be undertaken no later than 2 years after the
25
commencement of this Act.
26
(3) The persons who undertake the review must give the Minister a
27
written report of the review.
28
Other matters
Chapter 10
Other matters
Part 4
Section 163
No. , 2023
Digital ID Bill 2023
159
(4) The Minister must cause a copy of the report to be tabled in each
1
House of the Parliament within 15 sitting days of that House after
2
the Minister receives the report.
3
163 Delegation
--
Minister
4
(1) The Minister may, in
writing, delegate all or any of the Minister's
5
functions or powers under this Act
(other than the Minister's power
6
under section 168) to any of the following:
7
(a) the Digital ID Regulator;
8
(b) the Secretary;
9
(c) an SES employee or acting SES employee in the Department.
10
Note:
Sections 34AA to 34A of the
Acts Interpretation Act 1901
contain
11
provisions relating to delegations.
12
(2) In exercising powers or performing functions under the delegation,
13
the delegate must comply with any written directions of the
14
Minister.
15
164 Delegation
--
Digital ID Regulator
16
(1) The Digital ID Regulator may, by resolution, delegate all or any of
17
the Digital ID Regulator's powers or functions under this Act to:
18
(a) member of the Commission (within the meaning of the
19
Competition and Consumer Act 2010
); or
20
(b) an SES employee, or an acting SES employee, in the
21
Australian Competition and Consumer Commission; or
22
(c) an SES employee, or an acting SES employee, in the
23
Department.
24
Note 1:
The Digital ID Regulator is the Australian Competition and Consumer
25
Commission (see section 90).
26
Note 2:
Sections 34AA to 34A of the
Acts Interpretation Act 1901
contain
27
provisions relating to delegations.
28
(2) In exercising powers or performing functions under a delegation,
29
the delegate must comply with any written directions of the Digital
30
ID Regulator.
31
Chapter 10
Other matters
Part 4
Other matters
Section 165
160
Digital ID Bill 2023
No. , 2023
165 Delegation
--
System Administrator
1
The System Administrator must not delegate any of the System
2
Administrator's functions or powers under this Act to a person who
3
has functions or duties that relate to the operation or management
4
of an information technology system through which an accredited
5
entity provides its accredited services.
6
Note:
For delegation by the System Administrator, see section 12 of the
7
Human Services (Centrelink) Act 1997
.
8
166 Delegation
--
Digital ID Data Standards Chair
9
(1) The Digital ID Data Standards Chair may delegate, in writing, any
10
or all of the Chair's
functions or powers under this Act to a person
11
assisting the Chair under section 115 who is:
12
(a) an SES employee, or an acting SES employee; or
13
(b) an APS employee who is holding or performing the duties of
14
a specified office or position that the Chair is satisfied is
15
sufficiently senior for the APS employee to perform the
16
function or exercise the power.
17
(2) Subsection (1) does not apply to the function referred to in
18
section 99 (about making Digital ID Data Standards).
19
(3) In performing a delegated function or exercising a delegated
20
power, the delegate under subsection (1) must comply with any
21
directions of the Digital ID Data Standards Chair.
22
167 Instruments may incorporate etc. material as in force or existing
23
from time to time
24
(1) This section applies to the following instruments (each of which is
25
a
core instrument
):
26
(a) the Accreditation Rules;
27
(b) the Digital ID Data Standards;
28
(c) the Digital ID Rules.
29
(2) A core instrument may make provision in relation to a matter by
30
applying, adopting or incorporating, with or without modification,
31
Other matters
Chapter 10
Other matters
Part 4
Section 168
No. , 2023
Digital ID Bill 2023
161
any matter contained in any other instrument or other writing (an
1
incorporated instrument
) as in force or existing from time to time.
2
(3) If a core instrument makes provision in relation to a matter in
3
accordance with subsection (2), the core instrument may also make
4
provision in relation to when changes to an incorporated
5
instrument take effect for the purposes of the core instrument.
6
(4) Subsection (2) has effect despite subsection 14(2) of the
7
Legislation Act 2003
.
8
168 Rules
--
general matters
9
(1) The Minister may, by legislative instrument, make rules
10
prescribing matters:
11
(a) required or permitted by this Act to be prescribed by the
12
rules; or
13
(b) necessary or convenient to be prescribed for carrying out or
14
giving effect to this Act.
15
(2) Without limiting subsection 33(3A) of the
Acts Interpretation Act
16
1901
, the rules may prescribe a matter or thing differently for
17
different kinds of entities, things or circumstances.
18
(3) The rules may make provision for or in relation to a matter by
19
conferring a power on the Digital ID Regulator, the System
20
Administrator or the Minister to:
21
(a) make an instrument of an administrative character; or
22
(b) make a decision of an administrative character.
23
(4) To avoid doubt, the rules may not do the following:
24
(a) create an offence or civil penalty;
25
(b) provide powers of:
26
(i) arrest or detention; or
27
(ii) entry, search or seizure;
28
(c) impose a tax;
29
(d) set an amount to be appropriated from the Consolidated
30
Revenue Fund under an appropriation in this Act;
31
(e) directly amend the text of this Act.
32
Chapter 10
Other matters
Part 4
Other matters
Section 169
162
Digital ID Bill 2023
No. , 2023
(5) In this section, a reference to this Act does not include a reference
1
to:
2
(a) the Accreditation Rules; or
3
(b) the Digital ID Data Standards; or
4
(c) the Digital ID Rules; or
5
(d) the service levels determined under section 80; or
6
(e) the Regulatory Powers Act as it applies in relation to this
7
Act.
8
169 Rules
--
requirement to consult
9
General requirement to consult
10
(1) Before making or amending any rules under section 168, the
11
Minister must:
12
(a)
cause to be published on the Department's website a notice:
13
(i) setting out the draft rules or amendments; and
14
(ii) inviting persons to make submissions to the Minister
15
about the draft rules or amendments within the period
16
specified in the notice (which must be at least 28 days
17
after the notice is published); and
18
(b) if the rules deal with matters that relate to the privacy
19
functions (within the meaning of the
Australian Information
20
Commissioner Act 2010
)
--
consult the Information
21
Commissioner; and
22
(c) consider any submissions received within the specified
23
period.
24
(2) Without limiting paragraph (1)(b), the Minister must consult the
25
Information Commissioner if the rules will provide that accredited
26
entities, or specified kinds of accredited entities, are authorised to:
27
(a) collect or disclose restricted attributes of individuals; or
28
(b) collect, use or disclose biometric information of individuals.
29
(3) The Minister may consider any submissions received after the
30
specified period if the Minister considers it appropriate to do so.
31
Other matters
Chapter 10
Other matters
Part 4
Section 169
No. , 2023
Digital ID Bill 2023
163
Exception if imminent threat etc.
1
(4) Subsection (1) does not apply if:
2
(a) the Minister is satisfied that there is an imminent threat to the
3
Australian Government Digital ID System; or
4
(b) the Minister is satisfied that a hazard has had, or is having, a
5
significant impact on the Australian Government Digital ID
6
System.
7
Review
8
(5) If:
9
(a) because of subsection (4), subsection (1) did not apply to the
10
making of rules or amendments; and
11
(b) the rules or amendments have not been disallowed by either
12
House of the Parliament;
13
the Secretary must:
14
(c) review the operation, effectiveness and implications of the
15
rules or amendments; and
16
(d) without limiting paragraph (a), consider whether any
17
amendments should be made; and
18
(e) give the Minister a report of the review and a statement
19
setting out the Secretary's findings.
20
(6) For the purposes of the review, the Secretary must:
21
(a)
cause to be published on the Department's website a notice:
22
(i) setting out the rules or amendments concerned; and
23
(ii) inviting persons to make submissions to the Secretary
24
about the rules or amendments concerned within the
25
period specified in the notice (which must be at least 28
26
days after the notice is published); and
27
(b) if the rules deal with matters that relate to the privacy
28
functions (within the meaning of the
Australian Information
29
Commissioner Act 2010
)
--
consult the Information
30
Commissioner; and
31
(c) consider any submissions received within the specified
32
period.
33
Chapter 10
Other matters
Part 4
Other matters
Section 169
164
Digital ID Bill 2023
No. , 2023
Findings of review to be tabled
1
(7) The Secretary must complete the review within 60 days after the
2
commencement of the rules or amendments concerned.
3
(8) The Minister must cause a copy of the statement of findings to be
4
tabled in each House of the Parliament within 15 sitting days of
5
that House after the Minister receives it.
6
Failure to comply does not affect validity etc.
7
(9) A failure to comply with this section does not affect the validity or
8
enforceability of any rules, or any amendments to any rules.
9
Relationship with the Legislation Act 2003
10
(10) This section does not limit section 17 of the
Legislation Act 2003
11
(rule-makers should consult before making legislative instrument).
12