Australian Senate Standing Committee for the Scrutiny of Bills - Scrutiny Digests

Purpose: The Digital ID Bill 2023 seeks to establish an accreditation scheme for entities providing digital ID services; provide additional privacy safeguards for the provision of accredited digital ID services; establish an Australian Government Digital ID System (the AGDIS); and strengthen the oversight and regulation of accredited digital ID providers, entities participating in the AGDIS and the integrity and performance of the AGDIS.
Portfolio: Finance
Introduced: Senate on 30 November 2023
Bill status: Before the Senate

2.36 Clause 84 of the bill seeks to provide that accredited entities participating in the Australian Government Digital ID System (AGDIS) are protected from civil and criminal liability in certain circumstances. Subclause 84(1) provides that an accredited entity[165] is not liable to an action or other proceeding in relation to the provision or non-provision of an accredited service[166] to another accredited entity participating in the AGDIS, or to a participating relying party.[167] The immunity from civil and criminal liability is applicable where:
• the accredited entity provides or does not provide the accredited service in good faith in compliance with the bill;[168] or
• the accredited entity does not comply with the bill in relation to the accredited service and the non-compliance is not the ground or the cause for the action or the other proceeding.[169]
2.37 Accordingly, in Scrutiny Digest 2 of 2024, the committee requested the minister’s advice as to why it is considered necessary and appropriate to provide an accredited entity immunity from civil and criminal liability so that affected persons have their right to bring an action to enforce their legal rights limited to situations where a lack of good faith is shown.[170]
2.38 The Minister for Finance (the minister) advised that the bill seeks to create a liability regime that provides incentives for Digital ID service providers, once accredited, to participate in the AGDIS. Although clause 84 of the bill grants accredited entities a protection from liability, this is limited in a number of ways.
2.39 The minister advised that the protection only applies in relation to the provision or non-provision of accredited services to other accredited entities and relying parties participating in the AGDIS and does not apply to individuals using their Digital ID to access services within the AGDIS. Further, the minister advised that clause 85 creates a statutory contract between accredited entities participating (and participating relying parties) in the AGDIS, and that a limit on liability is common in a commercial contractual relationship. An accredited entity is also only able to claim the protection from liability if it has complied with the Act and rules and acted in good faith.
2.40 Finally, the minister advised that the department will work with the Office of Parliamentary Counsel to ensure that the provision applies only to the parties to the statutory contract as intended.
2.41 The committee thanks the minister for this advice.
2.42 The committee welcomes the additional context that clause 84 of the bill is intended to apply only to parties to the statutory contract as created by clause 85 of the bill, and that the department will work with the Office of Parliamentary Counsel to ensure the provision only applies to parties to the statutory contract.
2.43 In light of the above, the committee makes no further comment on this issue.
2.44 Subclause 145(1) provides that the Minister for Finance (the minister) must cause periodic reviews of provisions in the Digital ID Rules that relate to the charging of fees by the Digital ID Regulator[173] to be undertaken.[174] Subclause 145(4) provides that the minister must cause a written report about each review to be prepared and published on the Digital ID Regulator’s website.[175] The provision does not require any such report to be tabled in both Houses of the Parliament.
2.45 In Scrutiny Digest 2 of 2024, the committee requested the minister’s advice as to whether the bill could be amended to provide that reports prepared under subclause 145(4) be tabled in Parliament in order to improve parliamentary scrutiny.[176]
2.46 The minister advised that should the committee express a preference for tabling in Parliament, the minister has no reservations about doing so.
2.47 The committee thanks the minister for this advice.
2.48 The committee considers that the tabling of documents in the Parliament is important to parliamentary scrutiny, as it alerts parliamentarians to the existence of documents and provides opportunities for debate that are not available where documents are only published online.
2.49 In light of the above, the committee requests that the minister move amendments to clause 145 of the bill to require the tabling in Parliament of reports prepared under subclause 145(4), and seeks the minister’s further advice on this point.
2.50 Subclause 150(1) of the bill seeks to provide that the minister may establish, in writing, advisory committees to provide advice to the minister, the Secretary, the System Administrator and the Digital ID Data Standards Chair.[179] This advice may relate to any matters within the bill, including but not limited to the performance of the Digital ID Regulator’s powers and functions under the bill.[180] The minister may determine the persons appointed to the advisory committee and must also determine various matters in relation to the operation and members of the committee, which are provided by subclause 150(3).[181]
2.51 In Scrutiny Digest 2 of 2024, the committee requested the minister’s advice as to:
• why it is considered necessary and appropriate to leave the matter of establishing an advisory committee under subclause 150(1), and determining matters relating to the operation and members of such committees under subclause 150(3), to written instruments, rather than these matters being included in the primary legislation; and
• why it is considered necessary and appropriate to specify that instruments made under subclauses 150(1) and 150(3) are not legislative instruments (including why it is considered that the instruments are not legislative in character); and
• whether the bill could, at a minimum, be amended to provide that these instruments are legislative instruments, to ensure that they are subject to appropriate parliamentary oversight.[182]
2.52 The minister advised that the composition, purpose and terms of Advisory Committees are appropriately left to executive control to ensure committees are able to be established as required with appropriate subject-matter experts and terms of reference. Committees may also be short-term, set up to advise on a particular issue as an emerging threat or measures to implement a new digital ID technology, and in some cases, there may be no remuneration to a committee member (if a committee member is a government employee).
2.53 The minister also advised that instruments establishing committees, their composition, purposes and terms are administrative in character as they do not determine the law or alter the content of the law. The minister advised that these instruments deal with administrative matters relevant to setting up a committee and that it is appropriate those matters remain within executive control.
2.54 The committee thanks the minister for this advice.
2.55 The committee acknowledges that committees may need to be set up on a short-term basis in response to fast-paced changes in digital ID technology and would need to be established by instrument. However, the committee reiterates its concern that as these committees are established to provide advice about matters arising under the Act, including in relation to the Digital ID Regulator’s powers and functions, the establishment of these committees forms a significant part of the overall legislative scheme. In this instance, the instruments establishing these committees are not subject to any parliamentary oversight, including the tabling, disallowance and sunsetting processes as they are not legislative instruments.
2.56 The committee also notes that while subsection 8(4) of the Legislation Act 2003[184] provides that an instrument is a legislative instrument if it determines or alters the law, this does not preclude the minister from prescribing these matters be set out in legislative instruments under subsection 8(3).[185]
2.57 In light of the above, the committee draws this matter to the attention of senators and leaves to the Senate as a whole the appropriateness of establishing Advisory Committees by written instruments under subclauses 150(1) and 150(3), noting that these instruments are not subject to parliamentary oversight.
2.58 Subclause 151(1) of the bill seeks to provide that a person commits an offence if the person is or has been an entrusted person,[187] obtains protected information in the course of or for the purposes of performing functions or exercising powers under the bill, and discloses the protected information.[188] Paragraph 151(1)(d) provides a further stipulation that the offence only applies to personal information about an individual, or that there must be a risk that the use or disclosure might substantially prejudice the commercial interests of another person. The offence carries a penalty of imprisonment for up to two years or 120 penalty units, or both.
2.59 Subclause 151(3) provides that the offence does not apply if the use or disclosure is authorised by clause 152. Clause 152 provides a list of circumstances in which an entrusted person may use or disclose protected information. A note to subclause 151(3) clarifies that a defendant bears an evidential burden of proof in relation to the offence-specific defence in subclause 151(3).
2.60 Accordingly, in Scrutiny Digest 2 of 2024, the committee requested the minister’s advice as to why it is proposed to use an offence-specific defence in subclause 151(3), which reverses the evidential burden of proof, in relation to the offence under subclause 151(1).[189]
2.61 The minister advised that the entrusted person in this instance would be required to raise evidence about the matter that brings the use or disclosure within one of the authorised uses listed in clause 152. The entrusted persons, before using or disclosing protected information, would need to ensure that use or disclosure is for an authorised purpose. The minister advised that the facts in relation to that authorised purpose would be peculiarly within the entrusted person’s knowledge and could be readily and cheaply provided by that person.
2.62 Further, the minister addressed each set of circumstances in clause 152 and provided justification as to how those matters would be within the knowledge of the defendant. One example provided by the minister is that when acting as required or authorised by or under a law, the entrusted person would have the knowledge of what law, at Commonwealth, state or territory level, required or authorised the particular use or disclosure of protected information in those circumstances.
2.63 The committee thanks the minister for this advice.
2.64 The committee acknowledges that there are a range of circumstances in clause 152 which determine when the use or disclosure of protected information is authorised and that the entrusted person would be able to provide evidence as to which circumstance was relied on for the disclosure. However, it is unclear to the committee that all of these circumstances would require evidence that is peculiar to the defendant’s knowledge. The committee notes that, as a general principle, a matter should not be included in an offence-specific defence merely because that matter may be in the knowledge of a defendant if there are other people from whom the prosecution could adduce evidence concerning the matter.
2.65 The committee notes that one circumstance under clause 152 relates to disclosure that is in the performance of a power, function or duty under the bill or its rules. In this instance, the committee notes that there is a relatively narrow legislative scheme for the prosecution to consider in determining whether the entrusted person disclosed information in an authorised circumstance. Similarly, it remains unclear to the committee how the compliance with or enforcement of a law can be peculiarly within any person’s knowledge.
2.66 In light of the above, the committee draws this matter to the attention of senators and leaves to the Senate as a whole the appropriateness of reversing the evidential burden of proof in relation to the offence under subclause 151(1).
2.67 Subclause 167(2) of the bill provides that the Accreditation Rules, the Digital ID Data Standards and the Digital ID Rules, which are core instruments that will be made pursuant to the bill, may apply, adopt or incorporate any matter contained in other material as in force or existing from time to time. The explanatory memorandum provides examples of material that may be incorporated, which includes Commonwealth documents relating to protective security and cyber security, international standards and digital identity standards set by internationally recognised organisations.[192]
2.68 Accordingly, in Scrutiny Digest 2 of 2024, the committee requested the minister’s advice as to whether documents applied, adopted or incorporated by reference under clause 167 will be made freely available to all persons interested in the law and why it is necessary to apply the documents as in force or existing from time to time, rather than when the instrument is first made.[193]
2.69 The minister advised that the Digital ID Bill and legislative rules seek to adopt existing frameworks, standards or policies that are appropriate for digital ID. These standards and policies change over time as circumstances, risks and threats change. The minister advised that the draft Accreditation Rules include a provision stating accredited entities will have 12 months to comply with changes in any incorporated standard or policy unless the incorporated document itself sets out a longer timeframe.
2.70 The minister advised that there will be two kinds of incorporated documents in the legislative rules, one of which includes standards relating to security, biometric technology operation and biometric technology testing which are not freely and publicly available in full and are unable to be made publicly available due to copyright. The minister advised summaries and previews of each of these standards are publicly available and the legislative rules will include links to where the public information may be accessed.
2.71 The committee thanks the minister for this advice.
2.72 The committee remains concerned that entities will be required by the Accreditation Rules to comply with standards that are incorporated by those rules but are not fully and freely accessible to those entities, particularly as these standards relate to the handling of highly sensitive biometric information. Further, access to all materials which form the content of the law is essential for public confidence in the operation of regulatory schemes. Documents which are incorporated into the law should be freely available not only to the entities that are directly required to comply with these measures, but also to members of the public who have an interest in oversight and understanding of the law, particularly as it pertains to public health and safety and the use of Australian resources.
2.73 The committee understands that it is not uncommon for incorporated documents that may be subject to copyright to be made available by Departments in other manners, such as via access through public library systems, the National Library of Australia, or at Departmental offices, for free viewing by interested parties.[195]
2.74 Although the committee notes summaries and previews of each standard are available, this is inadequate to properly comply with the standards in full, which the committee understands will be a requirement of the regulations.
2.75 In light of the above, the committee requests the minister’s further advice as to whether free access to documents that will be applied, adopted or incorporated by reference into legislative instruments as a result of clause 167 can be provided via other means such as display in public libraries or departmental offices.
[163] This entry can be cited as: Senate Standing Committee for the Scrutiny of Bills, Digital ID Bill 2023, Scrutiny Digest 3 of 2024; [2024] AUSStaCSBSD 44.
[164] Clause 84. The committee draws senators’ attention to this provision pursuant to Senate standing order 24(1)(a)(i).
[165] Clause 9. An accredited entity includes an accredited attribute, identity exchange or identity service provider or an entity that is accredited to provide services of a kind prescribed by the Accreditation Rules.
[166] Clause 9. An accredited service is the service provided or proposed to be provided by an accredited entity in the entity’s capacity as a particular kind of accredited entity.
[167] Subclause 84(1).
[168] Paragraph 84(1)(a).
[169] Paragraph 84(1)(b).
[170] Senate Scrutiny of Bills Committee, Scrutiny Digest 2 of 2024 (7 February 2024) pp. 29–30.
[171] The minister responded to the committee’s comments in a letter dated 16 February 2024. A copy of the letter is available on the committee’s webpage (see correspondence relating to Scrutiny Digest 3 of 2024).
[172] Subclause 145(1). The committee draws senators’ attention to this provision pursuant to Senate standing order 24(1)(a)(v).
[173] Subclause 144(1).
[174] Subclause 145(1).
[175] Subclause 145(4).
[176] Senate Scrutiny of Bills Committee, Scrutiny Digest 2 of 2024 (7 February 2024) p. 31.
[177] The minister responded to the committee’s comments in a letter dated 16 February 2024. A copy of the letter is available on the committee’s webpage (see correspondence relating to Scrutiny Digest 3 of 2024).
[178] Subclauses 150(1) and 150(3). The committee draws senators’ attention to these provisions pursuant to Senate standing order 24(1)(a)(v).
[179] Subclause 150(1).
[180] Subclause 150(1).
[181] Subclause 150(3).
[182] Senate Scrutiny of Bills Committee, Scrutiny Digest 2 of 2024 (7 February 2024) pp. 31–33.
[183] The minister responded to the committee’s comments in a letter dated 16 February 2024. A copy of the letter is available on the committee’s webpage (see correspondence relating to Scrutiny Digest 3 of 2024).
[184] Legislation Act 2003, subsection 8(4).
[185] Legislation Act 2003, subsection 8(3).
[186] Subclause 151(3). The committee draws senators’ attention to this provision pursuant to Senate standing order 24(1)(a)(i).
[187] Under subclause 151(2) of the bill, an ‘entrusted person’ includes: the Digital ID Regulator, the System Administrator, a member, associated member or member of staff of, or consultant for, the Australian Competition and Consumer Commission, and departmental employees assisting the Chief Executive Centrelink.
[188] Subclause 151(1).
[189] Senate Scrutiny of Bills Committee, Scrutiny Digest 2 of 2024 (7 February 2024) pp. 33–34.
[190] The minister responded to the committee’s comments in a letter dated 16 February 2024. A copy of the letter is available on the committee’s webpage (see correspondence relating to Scrutiny Digest 3 of 2024).
[191] Clause 167. The committee draws senators’ attention to this provision pursuant to Senate standing order 24(1)(a)(v).
[192] Explanatory memorandum, pp. 120–121.
[193] Senate Scrutiny of Bills Committee, Scrutiny Digest 2 of 2024 (7 February 2024) p. 35.
[194] The minister responded to the committee’s comments in a letter dated 16 February 2024. A copy of the letter is available on the committee’s webpage (see correspondence relating to Scrutiny Digest 3 of 2024).
[195] See, for example, correspondence between the Attorney-General and the Senate Standing Committee for the Scrutiny of Delegated Legislation in relation to the Disability (Access to Premises – Buildings) Amendment Standards 2020 [F2020L01245].
URL: http://www.austlii.edu.au/au/other/AUSStaCSBSD/2024/44.html