Commonwealth: Digital ID Act 2024 (Cth)

An Act to provide for the accreditation of entities in relation to digital IDs and to establish the Australian Government Digital ID System, and for related purposes Chapter 1—Introduction Part 1—Preliminary 1 Short title This Act is the Digital ID Act 2024.

Digital ID Act 2024
No. 25, 2024
Compilation No. 2
Compilation date: 21 February 2025
Includes amendments: Act No. 14, 2025

About this compilation

This compilation
This is a compilation of the Digital ID Act 2024 that shows the text of the law as amended and in force on 21 February 2025 (the compilation date).
The notes at the end of this compilation (the endnotes) include information about amending laws and the amendment history of provisions of the compiled law.

Uncommenced amendments
The effect of uncommenced amendments is not shown in the text of the compiled law. Any uncommenced amendments affecting the law are accessible on the Register (www.legislation.gov.au). The details of amendments made up to, but not commenced at, the compilation date are underlined in the endnotes. For more information on any uncommenced amendments, see the Register for the compiled law.

Application, saving and transitional provisions for provisions and amendments
If the operation of a provision or amendment of the compiled law is affected by an application, saving or transitional provision that is not included in this compilation, details are included in the endnotes.

Editorial changes
For more information about any editorial changes made in this compilation, see the endnotes.

Modifications
If the compiled law is modified by another law, the compiled law operates as modified but the modification does not amend the text of the law. Accordingly, this compilation does not show the text of the compiled law as modified. For more information on any modifications, see the Register for the compiled law.

Self‑repealing provisions
If a provision of the compiled law has been repealed in accordance with a provision of the law, details are included in the endnotes.
Contents

Chapter 1—Introduction
  Part 1—Preliminary
    1 Short title
    2 Commencement
    3 Objects
    4 Simplified outline of this Act
    5 Act binds the Crown
    6 Extension to external Territories
    7 Extraterritorial operation
    8 Concurrent operation of State and Territory laws
  Part 2—Interpretation
    9 Definitions
    10 Meaning of attribute of an individual
    11 Meaning of restricted attribute of an individual
    12 Fit and proper person considerations
Chapter 2—Accreditation
  Part 1—Introduction
    13 Simplified outline of this Chapter
  Part 2—Accreditation
    Division 1—Applying for accreditation
      14 Application for accreditation
    Division 2—Accreditation
      15 Digital ID Regulator must decide whether to accredit an entity
      16 Accreditation is subject to conditions
      17 Conditions on accreditation
      18 Conditions relating to restricted attributes of individuals
      19 Requirements before Accreditation Rules impose conditions relating to restricted attributes or biometric information of individuals
      20 Variation and revocation of conditions on accreditation
      21 Applying for variation or revocation of conditions on accreditation
      22 Notice before changes to conditions on accreditation
      23 Notice of decision of changes to conditions on accreditation
    Division 3—Varying, suspending and revoking accreditation
      24 Varying accreditation
      25 Suspension of accreditation
      26 Revocation of accreditation
    Division 4—Minister's directions regarding accreditation
      27 Minister's directions regarding accreditation
    Division 5—Accreditation Rules
      28 Accreditation Rules
    Division 6—Other matters relating to accreditation
      29 Digital IDs must be deactivated on request
      30 Accredited services must be accessible and inclusive
      31 Prohibition on holding out that an entity is accredited
Chapter 3—Privacy
  Part 1—Introduction
    32 Simplified outline of this Chapter
    33 Chapter applies to accredited entities only to extent entity is providing accredited services
    34 APP‑equivalent agreements
  Part 2—Privacy
    Division 1—Interaction with the Privacy Act 1988
      35 Extended meaning of personal information in relation to accredited entities
      35A Small business operator that is an accredited entity
      36 Privacy obligations for non‑APP entities
      37 Contraventions of privacy obligations in APP‑equivalent agreements
      38 Contraventions of Division 2 and section 136 are interferences with privacy
      39 Notification of eligible data breaches—accredited entities that are APP entities
      40 Notification of eligible data breaches—accredited entities that are not APP entities
      41 Notification of corresponding data breaches—accredited State or Territory entities that are not APP entities
      42 Additional function of the Information Commissioner
      43 Information Commissioner may share information
    Division 2—Additional privacy safeguards
      44 Collection of certain attributes of individuals is prohibited
      45 Individuals must expressly consent to disclosure of certain attributes of individuals to relying parties
      46 Disclosure of restricted attributes of individuals
      47 Restricting disclosure of unique identifiers
      48 Restrictions on collecting, using and disclosing biometric information
      49 Authorised collection, use and disclosure of biometric information of individuals—general rules
      49A Biometric information, testing and continuous improvement
      50 Accredited entities may collect etc. biometric information for purposes of government identity documents
      51 Destruction of biometric information of individuals
      52 Other rules relating to biometric information
      53 Data profiling to track online behaviour is prohibited
      54 Certain personal information must not be used or disclosed for prohibited enforcement purposes
      55 Personal information must not be used or disclosed for prohibited marketing purposes
      56 Accredited identity exchange providers must not retain certain attributes of individuals
Chapter 4—Australian Government Digital ID System
  Part 1—Introduction
    57 Simplified outline of this Chapter
  Part 2—Australian Government Digital ID System
    Division 1—Australian Government Digital ID System
      58 Digital ID Regulator must oversee and maintain the Australian Government Digital ID System
      59 Circumstances in which entities may provide or receive services within the Australian Government Digital ID System
    Division 2—Participating in the Australian Government Digital ID System
      60 Phasing‑in of participation in the Australian Government Digital ID System
      61 Applying for approval to participate in the Australian Government Digital ID System
      62 Approval to participate in the Australian Government Digital ID System
      63 Approval to participate in the Australian Government Digital ID System is subject to conditions
      64 Conditions on approval to participate in the Australian Government Digital ID System
      65 Conditions relating to restricted attributes of individuals
      66 Variation and revocation of conditions
      67 Applying for variation or revocation of conditions on approval
      68 Notice before changes to conditions on approval
      69 Notice of decision of changes of conditions on approval
    Division 3—Varying, suspending and revoking approval to participate
      70 Varying approval to participate in the Australian Government Digital ID System
      71 Suspension of approval to participate in the Australian Government Digital ID System
      72 Revocation of approval to participate in the Australian Government Digital ID System
    Division 4—Minister's directions regarding participation
      73 Minister's directions regarding participation
    Division 5—Other matters relating to the Australian Government Digital ID System
      74 Creating and using a digital ID is voluntary
      75 Restriction on collection of restricted attributes of individuals by participating relying parties
      76 Notice before exemption is revoked
      77 Holding etc. information outside Australia
      78 Reportable incidents
      79 Interoperability
      80 Service levels for accredited entities and participating relying parties
      81 Entities may conduct testing in the Australian Government Digital ID System
      82 Use and disclosure of personal information to conduct testing
      83 Prohibition on holding out that an entity holds an approval
  Part 3—Liability and redress framework
    Division 1—Liability of participating entities
      84 Accredited entities participating in the Australian Government Digital ID System protected from liability in certain circumstances
    Division 2—Statutory contract
      85 Statutory contract between entities participating in the Australian Government Digital ID System
      86 Participating entities to maintain insurance as directed by the Digital ID Regulator
      87 Dispute resolution procedures
    Division 3—Redress framework
      88 Redress framework
Chapter 5—Digital ID Regulator
  Part 1—Introduction
    89 Simplified outline of this Chapter
  Part 2—Digital ID Regulator
    90 Digital ID Regulator
    91 Functions of the Digital ID Regulator
    92 Powers of the Digital ID Regulator
Chapter 6—System Administrator
  Part 1—Introduction
    93 Simplified outline of this Chapter
  Part 2—System Administrator
    94 System Administrator
    95 Functions of the System Administrator
    96 Powers of the System Administrator
    97 Directions to the System Administrator
Chapter 7—Digital ID Data Standards
  Part 1—Introduction
    98 Simplified outline of this Chapter
  Part 2—Digital ID Data Standards
    99 Digital ID Data Standards
    100 Requirement to consult before making
  Part 3—Digital ID Data Standards Chair
    Division 1—Establishment and functions of the Digital ID Data Standards Chair
      101 Digital ID Data Standards Chair
      102 Functions of the Digital ID Data Standards Chair
      103 Powers of the Digital ID Data Standards Chair
      104 Directions to the Digital ID Data Standards Chair
    Division 2—Appointment of the Digital ID Data Standards Chair
      105 Appointment
      106 Term of appointment
      107 Acting appointments
      108 Application of the finance law etc.
    Division 3—Terms and conditions for the Digital ID Data Standards Chair
      109 Remuneration
      110 Leave of absence
      111 Outside work
      112 Resignation of appointment
      113 Termination of appointment
      114 Other terms and conditions
    Division 4—Other matters
      115 Arrangements relating to staff
Chapter 8—Trustmarks and registers
  Part 1—Introduction
    116 Simplified outline of this Chapter
  Part 2—Digital ID trustmarks
    117 Digital ID trustmarks
    118 Authorised use of digital ID trustmarks etc.
    119 Displaying digital ID trustmark
  Part 3—Registers
    120 Digital ID Accredited Entities Register
    121 AGDIS Register
Chapter 9—Administration
  Part 1—Introduction
    122 Simplified outline of this Chapter
  Part 2—Compliance and enforcement
    Division 1—Enforcement powers
      123 Civil penalty provisions
      124 Infringement notices
      125 Enforceable undertakings
      126 Injunctions
    Division 2—Directions powers
      Subdivision A—Digital ID Regulator's directions powers
        127 Digital ID Regulator's power to give directions to entities in relation to accreditation and participation
        128 Digital ID Regulator's power to give directions to protect the integrity or performance of the Australian Government Digital ID System
        129 Remedial directions to accredited entities etc.
      Subdivision B—System Administrator's directions powers
        130 System Administrator's power to give directions to protect the integrity or performance of the Australian Government Digital ID System
    Division 3—Compliance assessments
      131 Compliance assessments
      132 Entities must provide assistance to persons undertaking compliance assessments
    Division 4—Power to require information or documents
      133 Digital ID Regulator's power to require information or documents
      134 System Administrator's power to require information or documents
  Part 3—Record keeping
    135 Record keeping by participating entities and former participating entities
    136 Destruction or de‑identification of certain information
  Part 4—Review of decisions
    137 Reviewable decisions
    138 Internal review of decisions
    139 Reconsideration by decision‑maker
    140 Review by the Administrative Review Tribunal
  Part 5—Applications under this Act
    141 Requirements for applications
    142 Powers in relation to applications
    143 Decisions not required to be made in certain circumstances
  Part 6—Fees
    Division 1—Fees charged by the Digital ID Regulator
      144 Charging of fees by Digital ID Regulator etc.
      145 Review of fees
      146 Recovery of fees charged by the Digital ID Regulator
      147 Commonwealth not liable to pay fees charged by entities that are part of the Commonwealth
    Division 2—Fees charged by accredited entities
      148 Charging of fees by accredited entities in relation to the Australian Government Digital ID System
Chapter 10—Other matters
  Part 1—Introduction
    149 Simplified outline of this Chapter
  Part 2—Advisory committees
    150 Advisory committees
  Part 3—Confidentiality
    151 Prohibition on entrusted persons using or disclosing certain kinds of protected information
    152 Authorised uses and disclosures of protected information by entrusted persons
    153 Disclosing personal or commercially sensitive information to courts and tribunals etc. by entrusted persons
  Part 4—Other matters
    154 Annual report by the Digital ID Regulator
    155 Annual report by Information Commissioner
    155A Annual reports by law enforcement agencies etc. on disclosure or use of personal information
    155B Annual report by AFP Minister
    156 How this Act applies in relation to non‑legal persons
    157 Attributing conduct to the Commonwealth, States and Territories etc.
    158 Bodies corporate and due diligence
    159 Protection from civil action
    160 Geographical jurisdiction of civil penalty provisions
    161 Interaction with tax file number offences
    162 Review of operation of Act
    163 Delegation—Minister
    164 Delegation—Digital ID Regulator
    165 Delegation—System Administrator
    166 Delegation—Digital ID Data Standards Chair
    167 Instruments may incorporate etc. material as in force or existing from time to time
    168 Rules—general matters
    169 Rules—requirement to consult
Endnotes
  Endnote 1—About the endnotes
  Endnote 2—Abbreviation key
  Endnote 3—Legislation history
  Endnote 4—Amendment history

Chapter 1—Introduction

Part 1—Preliminary

1 Short title
  This Act is the Digital ID Act 2024.

2 Commencement
  (1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

  Commencement information
  Column 1                  Column 2                                                      Column 3
  Provisions                Commencement                                                  Date/Details
  1. The whole of the Act   A single day to be fixed by Proclamation.                     30 November 2024
                            However, if the provisions do not commence within the
                            period of 6 months beginning on the day this Act receives
                            the Royal Assent, they commence on the day after the end
                            of that period.

  Note: This table relates only to the provisions of this Act as originally enacted.
  It will not be amended to deal with any later amendments of this Act.
  (2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3 Objects
  (1) The objects of this Act are as follows:
    (a) to provide individuals with secure, convenient, voluntary and inclusive ways to verify their identity in online transactions with government and businesses;
    (aa) to facilitate the inclusion of individuals in digital society by supporting the provision of digital ID services that are accessible for individuals who experience barriers in using such services;
    (b) to promote privacy and the security of personal information used to verify the identity or attributes of individuals;
    (c) to facilitate economic benefits for, and reduce burdens on, the Australian economy by encouraging the use of digital IDs and online services;
    (d) to promote trust in digital ID services amongst the Australian community.
  (2) These objects are to be achieved by:
    (a) establishing an accreditation scheme for entities providing digital ID services; and
    (b) providing additional privacy safeguards for the provision of accredited digital ID services; and
    (c) establishing an Australian Government Digital ID System that is secure, easy to use, voluntary, accessible, inclusive and reliable; and
    (d) strengthening the oversight and regulation of:
      (i) accredited digital ID service providers; and
      (ii) entities participating in the Australian Government Digital ID System; and
      (iii) the integrity and performance of the Australian Government Digital ID System.

4 Simplified outline of this Act
  This Act establishes an accreditation scheme for entities providing digital ID services.
  The Digital ID Regulator (which is the Australian Competition and Consumer Commission) may, on application, accredit certain kinds of entities as accredited attribute service providers, accredited identity exchange providers, accredited identity service providers or entities that provide, or propose to provide, services of a kind prescribed by the Accreditation Rules.

  When providing accredited services, accredited entities must comply with certain privacy safeguards. These safeguards are in addition to, and build on, the safeguards contained in the Privacy Act 1988. An accredited entity may be liable to a civil penalty if certain privacy safeguards are breached.

  The Digital ID Regulator oversees and maintains the Australian Government Digital ID System. Certain kinds of accredited entities can apply to the Digital ID Regulator to participate in the system. Certain kinds of relying parties can also apply for approval to participate in the system. If a relying party holds an approval, it is known as a participating relying party.

  There is a System Administrator whose functions include providing assistance to entities participating in the Australian Government Digital ID System and managing the availability of the Australian Government Digital ID System.

  The Digital ID Data Standards Chair may make Digital ID Data Standards about various matters, including technical integration requirements for entities to participate in the Australian Government Digital ID System and, if required to do so by the Accreditation Rules or the Digital ID Rules, technical, data or design standards relating to accreditation.

  The Digital ID Rules may set out marks, symbols, logos or designs (called digital ID trustmarks) that may or must be used by accredited entities and participating relying parties.

  The Digital ID Regulator must establish and maintain the Digital ID Accredited Entities Register and the AGDIS Register.
  The Digital ID Regulator and the Information Commissioner may take enforcement action against accredited entities and other entities. The Digital ID Regulator can give directions regarding accreditation and participation in the Australian Government Digital ID System or require entities to undergo compliance assessments or produce information or documents. The System Administrator can also give directions to entities regarding participation in the Australian Government Digital ID System and require entities to produce information or documents.

  Accredited entities that hold or held an approval to participate in the Australian Government Digital ID System have certain record‑keeping responsibilities and are required to destroy or de‑identify certain information in the possession or control of the entity.

  Entities can apply for merits review of certain decisions made under this Act.

  This Act also deals with other administrative matters such as annual reports and delegations.

5 Act binds the Crown
  This Act binds the Crown in each of its capacities.

6 Extension to external Territories
  This Act extends to every external Territory.

7 Extraterritorial operation
  (1) This Act extends to acts, omissions, matters and things outside Australia.
  Note: Geographical jurisdiction for civil penalty provisions is dealt with in section 160.
  (2) This Act has effect in relation to acts, omissions, matters and things outside Australia subject to:
    (a) the obligations of Australia under international law, including obligations under any international agreement binding on Australia; and
    (b) any law of the Commonwealth giving effect to such an agreement.

8 Concurrent operation of State and Territory laws
  This Act is not intended to exclude or limit the operation of a law of a State or Territory that is capable of operating concurrently with this Act.
Part 2—Interpretation

9 Definitions
  In this Act:

  Accreditation Rules means rules made under section 168 for the purposes of the provisions in which the term occurs.

  accredited attribute service provider means an attribute service provider that is accredited under section 15 as an accredited attribute service provider.

  accredited entity: each of the following is an accredited entity:
    (a) an accredited attribute service provider;
    (b) an accredited identity exchange provider;
    (c) an accredited identity service provider;
    (d) if Accreditation Rules are made for the purposes of paragraph 14(1)(d)—an entity that is accredited to provide services of a kind prescribed by the Accreditation Rules for the purposes of that paragraph.

  accredited identity exchange provider means an identity exchange provider that is accredited under section 15 as an accredited identity exchange provider.

  accredited identity service provider means an identity service provider that is accredited under section 15 as an accredited identity service provider.

  accredited service, of an accredited entity, means the services provided, or proposed to be provided, by the entity in the entity's capacity as a particular kind of accredited entity.
  Note: Conditions may be imposed on an entity's accredited services, including specifying the manner in which such services must be provided or excluding specific services from the entity's accreditation altogether (see section 17).
  Example: Acme Co is an accredited identity service provider. Under its conditions of accreditation, its accredited service is generating, managing, maintaining and verifying information relating to the identity of an individual. Its conditions exclude from its accreditation the provision of the following services:
    (a) generating, binding, managing and distributing authenticators to an individual;
    (b) binding, managing and distributing authenticators generated by an individual.
  adverse or qualified security assessment means an adverse security assessment, or a qualified security assessment, within the meaning of Part IV of the Australian Security Intelligence Organisation Act 1979.

  affected entity: see section 137.

  AFP Minister means the Minister administering the Australian Federal Police Act 1979.

  AGDIS Register means the register kept under section 121.

  APP entity has the same meaning as in the Privacy Act 1988.

  APP‑equivalent agreement: see section 34.

  attribute of an individual: see section 10.

  attribute service provider means an entity that provides, or proposes to provide, a service that verifies and manages an attribute of an individual.

  Australia when used in a geographical sense, includes the external Territories.

  Australian entity means any of the following:
    (a) an Australian citizen or a permanent resident of Australia;
    (b) a body corporate incorporated by or under a law of the Commonwealth or a State or Territory;
    (c) a Commonwealth entity, or a Commonwealth company, within the meaning of the Public Governance, Performance and Accountability Act 2013;
    (d) a person or body that is an agency within the meaning of the Freedom of Information Act 1982;
    (e) a body specified, or the person holding an office specified, in Part I of Schedule 2 to the Freedom of Information Act 1982;
    (f) a department or authority of a State;
    (g) a department or authority of a Territory;
    (h) a partnership formed in Australia;
    (i) a trust created in Australia;
    (j) an unincorporated association that:
      (i) has a governing body; and
      (ii) has its central management or control in Australia.

  Australian Government Digital ID System: see subsection 58(2).

  authenticator means the technology for authenticating an individual's digital ID.
  Note: Passwords and cryptographic keys are examples of authenticators.
  biometric information of an individual:
    (a) means information about any measurable biological characteristic relating to an individual that could be used to identify the individual or verify the individual's identity; and
    (b) includes biometric templates.

  civil penalty provision has the same meaning as in the Regulatory Powers Act.

  compliance assessment: see section 131.

  cyber security incident means one or more acts, events or circumstances that involve:
    (a) unauthorised access to, modification of or interference with a system, service or network; or
    (b) an unauthorised attempt to gain access to, modify or interfere with a system, service or network; or
    (c) unauthorised impairment of the availability, reliability, security or operation of a system, service or network; or
    (d) an unauthorised attempt to impair the availability, reliability, security or operation of a system, service or network.

  decision‑maker for a reviewable decision means:
    (a) for a decision under section 27 or 73—the Minister; or
    (b) for a decision under section 130—the System Administrator; or
    (c) otherwise—the Digital ID Regulator.

  digital ID of an individual means a distinct electronic representation of the individual that enables the individual to be sufficiently distinguished when interacting online with services.

  Digital ID Accredited Entities Register means the register kept under section 120.

  Digital ID Data Standards means the standards made under section 99.

  Digital ID Data Standards Chair means:
    (a) if a person holds an appointment under section 105—that person; or
    (b) otherwise—the Minister.
  digital ID fraud incident means an act, event or circumstance that:
    (a) occurs in connection with:
      (i) an accredited service of an accredited entity; or
      (ii) a service that a participating relying party is approved to provide, or provide access to, within the Australian Government Digital ID System; and
    (b) results in any of the following being, or suspected of being, compromised or rendered unreliable:
      (i) a digital ID of an individual;
      (ii) an attribute of an individual;
      (iii) an authenticator relating to an individual;
      (iv) a representation relating to an attribute of an individual;
      (v) a representation relating to a digital ID of an individual.

  Digital ID Regulator: see section 90.

  Digital ID Rules means the rules made under section 168 for the purposes of the provisions in which the term occurs.

  digital ID system means a federation of entities that facilitates, manages or relies on services that provide for either or both of the following in an online environment:
    (a) the verification of the identity of individuals;
    (b) the authentication of a digital ID of, or information associated with, individuals.
  Note: Entities in the federation may include one or more relying parties, identity exchanges, identity service providers, attribute service providers and other kinds of service providers.

  digital ID trustmark: see subsection 117(2).

  enforcement body has the same meaning as in the Privacy Act 1988.

  enforcement related activity has the same meaning as in the Privacy Act 1988.
  entity means any of the following:
    (a) an individual;
    (b) a body corporate;
    (c) a Commonwealth entity, or a Commonwealth company, within the meaning of the Public Governance, Performance and Accountability Act 2013;
    (d) a person or body that is an agency within the meaning of the Freedom of Information Act 1982;
    (e) a body specified, or the person holding an office specified, in Part I of Schedule 2 to the Freedom of Information Act 1982;
    (f) a department or authority of a State;
    (g) a department or authority of a Territory;
    (h) a partnership;
    (i) an unincorporated association that has a governing body;
    (j) a trust.

  entrusted person: see subsection 151(2).

  identity exchange provider means an entity that provides, or proposes to provide, a service that conveys, manages and coordinates the flow of data or other information between participants in a digital ID system.

  identity service provider means an entity that provides, or proposes to provide, a service that:
    (a) generates, manages, maintains or verifies information relating to the identity of an individual; and
    (b) generates, binds, manages or distributes authenticators to an individual; and
    (c) binds, manages or distributes authenticators generated by an individual.

  law enforcement agency has the same meaning as in the Australian Crime Commission Act 2002.

  one‑to‑many matching: see subsection 48(4).

  paid work means work for financial gain or reward (whether as an employee, a self‑employed person or otherwise).

  participate: an entity participates in the Australian Government Digital ID System at a particular time if, at that time:
    (a) the entity holds an approval under section 62 to participate in the system; and
    (b) either:
      (i) the entity is directly connected to an accredited entity that is participating in the Australian Government Digital ID System; or
      (ii) the entity is an accredited entity that is directly connected to a participating relying party.
  participating relying party: a relying party is a participating relying party if:
    (a) the relying party holds an approval under section 62 to participate in the Australian Government Digital ID System; and
    (b) the participation start day for the relying party has arrived or passed.

  participation start day for an entity means the day notified to the entity by the Digital ID Regulator for the purposes of paragraph 62(6)(d) as the day on which the entity must begin to participate in the Australian Government Digital ID System.

  personal information:
    (a) means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
      (i) whether the information or opinion is true or not; and
      (ii) whether the information or opinion is recorded in a material form or not; and
    (b) to the extent not already covered by paragraph (a), includes an attribute of an individual.

  privacy impact assessment has the meaning given by subsection 33D(3) of the Privacy Act 1988.

  protected information: see subsection 151(4).

  Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.

  relying party means an entity that relies, or seeks to rely, on an attribute of an individual that is provided by an accredited entity to:
    (a) provide a service to the individual; or
    (b) enable the individual to access a service.

  restricted attribute of an individual: see section 11.

  reviewable decision: see section 137.

  Secretary means the Secretary of the Department.

  security, other than in the following provisions, has its ordinary meaning:
    (a) subsection 27(1);
    (b) subsection 73(1);
    (c) subsection 137(3).
  shielded person means a person to whom one or more of the following paragraphs apply:
    (a) the person has acquired or used an assumed identity under Part IAC of the Crimes Act 1914 or a corresponding assumed identity law within the meaning of that Part;
    (b) an authority for the person to acquire or use an assumed identity has been granted under that Part or such a law;
    (c) a witness identity protection certificate has been given for the person under Part IACA of the Crimes Act 1914;
    (d) a corresponding witness identity protection certificate has been given for the person under a corresponding witness identity protection law within the meaning of Part IACA of the Crimes Act 1914;
    (e) the person is a participant as defined in the Witness Protection Act 1994;
    (f) the person is or was on a witness protection program conducted by a State or Territory in which a complementary witness protection law (as defined in the Witness Protection Act 1994) is in force;
    (g) the person is involved in administering such a program under such a law and the person has acquired an identity under that law.

  State or Territory privacy authority means a State or Territory authority (within the meaning of the Privacy Act 1988) that has functions to protect the privacy of individuals (whether or not the authority has other functions).

  System Administrator: see section 94.

  this Act includes:
    (a) the Accreditation Rules; and
    (b) the Digital ID Data Standards; and
    (c) the Digital ID Rules; and
    (d) the service levels determined under section 80; and
    (e) the Regulatory Powers Act as it applies in relation to this Act.

  verifiable credential means a tamper‑evident credential with authorship that can be cryptographically verified.

10 Meaning of attribute of an individual
  (1) An attribute of an individual means information that is associated with the individual, and includes information that is derived from another attribute.
(2) Without limiting subsection (1), an attribute of an individual includes the following:
  (a) the individual's current or former name;
  (b) the individual's current or former address;
  (c) the individual's date of birth;
  (d) information about whether the individual is alive or dead;
  (e) the individual's phone number;
  (f) the individual's email address;
  (g) if the individual has a digital ID—the time and date the digital ID was created;
  (h) biometric information of the individual;
  (i) a restricted attribute of the individual;
  (j) information or an opinion about the individual's:
    (i) racial or ethnic origin; or
    (ii) political opinions; or
    (iii) membership of a political association; or
    (iv) religious beliefs or affiliations; or
    (v) philosophical beliefs; or
    (vi) sexual orientation or practices.

11 Meaning of restricted attribute of an individual

(1) A restricted attribute of an individual means:
  (a) health information (within the meaning of the Privacy Act 1988) about the individual; or
  (b) an identifier of the individual that has been issued or assigned by or on behalf of:
    (i) the Commonwealth, a State or a Territory; or
    (ii) an authority or agency of the Commonwealth, a State or a Territory; or
    (iii) a government of a foreign country; or
  (c) information or an opinion about the individual's criminal record; or
  (d) information or an opinion about the individual's membership of a professional or trade association; or
  (e) information or an opinion about the individual's membership of a trade union; or
  (f) other information or opinion that is associated with an individual and is prescribed by the Accreditation Rules.
(2) Without limiting paragraph (1)(b), an identifier of an individual includes the following:
  (a) the individual's tax file number (within the meaning of section 202A of the Income Tax Assessment Act 1936);
  (b) the individual's medicare number (within the meaning of Part VII of the National Health Act 1953);
  (c) the individual's healthcare identifier (within the meaning of the Healthcare Identifiers Act 2010);
  (d) if the person holds a driver's licence issued under the law of a State or Territory—the number of that driver's licence.

12 Fit and proper person considerations

In having regard to whether an entity is a fit and proper person for the purposes of this Act, the Digital ID Regulator:
  (a) must have regard to the matters (if any) specified in the Digital ID Rules; and
  (b) may have regard to any other matters the Digital ID Regulator considers relevant.

Chapter 2—Accreditation

Part 1—Introduction

13 Simplified outline of this Chapter

The Digital ID Regulator may, on application, accredit certain kinds of entities as accredited attribute service providers, accredited identity exchange providers, accredited identity service providers or entities that provide, or propose to provide, services of a kind prescribed by the Accreditation Rules.

An entity's accreditation is subject to conditions. Some conditions are imposed by the Act and others may be imposed by the Digital ID Regulator or the Accreditation Rules. Conditions may include restrictions relating to the services an entity is accredited to provide, the manner in which those services must be provided and the kinds of restricted attributes of individuals an entity is authorised to collect or disclose.

The conditions imposed by the Digital ID Regulator on an entity's accreditation, and the entity's accreditation itself, can be varied or revoked. Accreditation can also be suspended.
The Minister may give directions to the Digital ID Regulator regarding the accreditation of an entity if, for reasons of security, the Minister considers it appropriate to do so. The Digital ID Regulator must comply with such directions.

An accredited entity must deactivate a digital ID of an individual if requested to do so, and must comply with requirements relating to the accessibility and useability of accredited services.

Part 2—Accreditation

Division 1—Applying for accreditation

14 Application for accreditation

(1) An entity covered by subsection (2) may apply to the Digital ID Regulator for accreditation as one or more of the following kinds of accredited entities:
  (a) an accredited attribute service provider;
  (b) an accredited identity exchange provider;
  (c) an accredited identity service provider;
  (d) an entity that provides, or proposes to provide, a service of a kind prescribed by the Accreditation Rules.

(2) An entity is covered by this section if the entity is one of the following:
  (a) a body corporate incorporated by or under a law of the Commonwealth or a State or Territory;
  (b) a registered foreign company within the meaning of the Corporations Act 2001;
  (c) a Commonwealth entity, or a Commonwealth company, within the meaning of the Public Governance, Performance and Accountability Act 2013;
  (d) a person or body that is an agency within the meaning of the Freedom of Information Act 1982;
  (e) a body specified, or the person holding an office specified, in Part I of Schedule 2 to the Freedom of Information Act 1982;
  (f) a department or authority of a State;
  (g) a department or authority of a Territory.

Division 2—Accreditation

15 Digital ID Regulator must decide whether to accredit an entity

(1) This section applies if an entity has made an application under section 14 for accreditation as an accredited entity.

(2) The Digital ID Regulator must decide:
  (a) to accredit the entity; or
  (b) to refuse to accredit the entity.
(3) The Digital ID Regulator must not accredit an entity:
  (a) as an accredited attribute service provider unless the entity provides, or will provide, some or all of the services described in the definition of attribute service provider; or
  (b) as an accredited identity exchange provider unless the entity provides, or will provide, some or all of the services described in the definition of identity exchange provider; or
  (c) as an accredited identity service provider unless the entity provides, or will provide, some or all of the services described in the definition of identity service provider; or
  (d) if Accreditation Rules made for the purposes of paragraph 14(1)(d) prescribe services—as an entity that provides services of the kind prescribed unless the entity provides, or will provide, some or all of the services of that kind.

(4) The Digital ID Regulator must not accredit an entity if:
  (a) a direction under subsection 27(1) (about security) directing the Digital ID Regulator to refuse to accredit the entity is in force; or
  (b) the Digital ID Regulator is not satisfied that the entity is able to comply with this Act; or
  (c) Accreditation Rules made for the purposes of section 28 require specified criteria to be met and the entity does not meet the criteria; or
  (d) Accreditation Rules made for the purposes of section 28 require the Digital ID Regulator to be satisfied of specified matters and the Digital ID Regulator is not satisfied of those matters.

(5) In deciding whether to accredit the entity, the Digital ID Regulator:
  (a) must have regard to the matters (if any) prescribed by the Accreditation Rules; and
  (b) may have regard to the following:
    (i) whether the entity is a fit and proper person;
    (ii) any other matters the Digital ID Regulator considers relevant.
Note: In having regard to whether an entity is a fit and proper person for the purposes of subparagraph (b)(i), the Digital ID Regulator must have regard to any matters specified in the Digital ID Rules and may have regard to any other matters considered relevant (see section 12).

(6) The Digital ID Regulator must:
  (a) give written notice of a decision to accredit, or to refuse to accredit, the entity; and
  (b) if the decision is to refuse to accredit the entity—give reasons for the decision to the entity.

(7) If the Digital ID Regulator decides to accredit the entity, the notice must also set out the following:
  (a) the kind or kinds of accredited entity that the entity is accredited as;
  (b) the day the accreditation comes into force;
  (c) any conditions imposed on the entity's accreditation under subsection 17(2).

16 Accreditation is subject to conditions

(1) The accreditation of an entity as an accredited entity is subject to the following conditions (the accreditation conditions):
  (a) the conditions set out in subsection 17(1);
  (b) the conditions (if any) imposed by the Digital ID Regulator under subsection 17(2), including as varied under subsection 20(1);
  (c) the conditions (if any) determined by the Accreditation Rules under subsection 17(5).

(2) An accredited entity must comply with the accreditation conditions that apply to the entity.

Note: Failure to comply with an accreditation condition may result in a suspension or revocation of the entity's accreditation (see sections 25 and 26).

17 Conditions on accreditation

Conditions imposed by the Act

(1) The accreditation of an entity as an accredited entity is subject to the condition that the accredited entity must comply with this Act.
Conditions imposed by the Digital ID Regulator

(2) The Digital ID Regulator:
  (a) may impose conditions on the accreditation of an entity, either at the time of accreditation or at a later time, if the Digital ID Regulator considers that doing so is appropriate in the circumstances; and
  (b) must impose conditions on the accreditation of an entity, either at the time of accreditation or at a later time, if directed to do so under subsection 27(1).

(3) Conditions may be imposed under paragraph (2)(a) on application by the entity or on the Digital ID Regulator's own initiative.

(4) Without limiting paragraph (2)(a), the Digital ID Regulator may impose conditions relating to the following:
  (a) any limitations, exclusions or restrictions in relation to the accredited services of the entity;
  (b) the circumstances or manner in which the accredited services of the entity must be provided;
  (c) the kinds of restricted attributes of individuals (if any) that the entity is authorised to collect or disclose and the circumstances in which such attributes may be collected or disclosed;
  (d) the kinds of restricted attributes of individuals (if any) that the entity must not collect;
  (e) the kinds of biometric information (if any) of an individual the entity is authorised to collect, use or disclose and the circumstances in which such information may be collected, used or disclosed;
  (f) the entity's information technology systems through which the entity's accredited services are provided, including restrictions on changes to such systems;
  (g) actions that the entity must take before the entity's accreditation is suspended or revoked.

Conditions imposed by the Accreditation Rules

(5) The Accreditation Rules may determine that the accreditation of each accredited entity, or each accredited entity included in a specified class, is subject to specified conditions.
(6) Without limiting subsection (5), the Accreditation Rules may impose conditions relating to the matters in subsection (4).

18 Conditions relating to restricted attributes of individuals

Matters to which the Digital ID Regulator must have regard before authorising disclosure etc. of restricted attributes

(1) Subsection (2) applies if the Digital ID Regulator proposes to impose a condition on an entity's accreditation authorising the entity to collect or disclose a restricted attribute of an individual.

(2) In deciding whether to impose the condition, the Digital ID Regulator must have regard to the following matters:
  (a) whether the entity has provided sufficient justification for the need to collect or disclose the restricted attribute;
  (b) whether the entity has demonstrated that a similar outcome cannot be achieved without collecting or disclosing the restricted attribute;
  (c) if the collection or disclosure of the restricted attribute is regulated by other legislative or regulatory requirements—whether the entity would be able to comply with those requirements if the condition were imposed;
  (d) the potential harm that could result if restricted attributes of that kind were disclosed to an entity that was not authorised to collect them;
  (e) community expectations as to whether restricted attributes of that kind should be handled more securely than other kinds of attributes;
  (f) any of the following information provided by the entity seeking authorisation to collect or disclose the restricted attribute:
    (i) the entity's risk assessment plan as it relates to the restricted attribute;
    (ii) the entity's privacy impact assessment as it relates to the restricted attribute;
    (iii) the effectiveness of the entity's protective security (including security governance, information security, personnel security and physical security), privacy arrangements and fraud control arrangements;
    (iv) if the entity is not a participating relying party—the arrangements in place between the entity and relying parties for the protection of the restricted attribute from further disclosure;
  (g) any other matter the Digital ID Regulator considers relevant.

Requirement to give statement of reasons if authorisation given

(3) If the Digital ID Regulator imposes the condition authorising the entity to collect or disclose a restricted attribute of an individual, the Digital ID Regulator must publish on the Digital ID Regulator's website a statement of reasons for giving the authorisation.

19 Requirements before Accreditation Rules impose conditions relating to restricted attributes or biometric information of individuals

(1) Subsection (2) applies if the Minister proposes to make Accreditation Rules for the purposes of subsection 17(5) providing that accredited entities, or specified kinds of accredited entities, are authorised to:
  (a) collect or disclose restricted attributes of individuals; or
  (b) collect, use or disclose biometric information of individuals.

Note: The Minister must also consult the Information Commissioner before making such rules (see paragraph 169(1)(b)).

(2) In deciding whether to make the rules, the Minister must have regard to the following matters:
  (a) the potential harm that could result if the information were disclosed to an entity;
  (b) community expectations about the collection, use or disclosure of the information;
  (c) if the collection or disclosure of the restricted attribute is regulated by other legislative or regulatory requirements—whether the entities would be able to comply with those requirements if the rules were made;
  (d) any privacy impact assessment that has been conducted in relation to the proposal to make the rules;
  (e) any other matter the Minister considers relevant.
20 Variation and revocation of conditions on accreditation

(1) The Digital ID Regulator may vary or revoke a condition imposed on an entity's accreditation under paragraph 17(2)(a):
  (a) at any time, on the Digital ID Regulator's own initiative; or
  (b) on application by the entity under section 21;
if the Digital ID Regulator considers it is appropriate to do so.

(2) Without limiting subsection (1), the Digital ID Regulator may have regard to matters relating to the security, reliability and stability of the Australian Government Digital ID System when considering whether it is appropriate to vary or revoke a condition.

(3) The Digital ID Regulator must revoke a condition imposed under paragraph 17(2)(b) if the direction to impose the condition is revoked.

21 Applying for variation or revocation of conditions on accreditation

(1) An accredited entity may apply for a condition imposed on the entity's accreditation under paragraph 17(2)(a) to be varied or revoked.

Note: See Part 5 of Chapter 9 for matters relating to applications.

(2) If, after receiving an application under subsection (1), the Digital ID Regulator refuses to vary or revoke a condition, the Digital ID Regulator must give to the entity written notice of the refusal, including reasons for the refusal.

22 Notice before changes to conditions on accreditation

(1) The Digital ID Regulator must not, on the Digital ID Regulator's own initiative:
  (a) impose a condition under paragraph 17(2)(a) on an entity's accreditation after the entity has been accredited; or
  (b) vary or revoke a condition under subsection 20(1);
unless the Digital ID Regulator has given the entity a written notice in accordance with subsection (2) of this section.

(2) The notice must:
  (a) state the proposed condition, variation or revocation; and
  (b) request the entity to give the Digital ID Regulator, within the period specified in the notice, a written statement relating to the proposed condition, variation or revocation.
(3) The Digital ID Regulator must consider any written statement given within the period specified in the notice before making a decision to:
  (a) impose a condition under paragraph 17(2)(a) on an entity's accreditation; or
  (b) vary or revoke a condition under subsection 20(1) on an entity's accreditation.

(4) This section does not apply if the Digital ID Regulator reasonably believes that the need to impose, vary or revoke the condition is serious and urgent.

(5) If this section does not apply to an entity because of subsection (4), the Digital ID Regulator must give a written statement of reasons to the entity as to why the Digital ID Regulator reasonably believes that the need to impose, vary or revoke the condition is serious and urgent.

(6) The statement of reasons under subsection (5) must be given within 7 days after the condition is imposed, varied or revoked.

23 Notice of decision of changes to conditions on accreditation

(1) Subject to subsection (2), the Digital ID Regulator must give an entity written notice of a decision to impose, vary or revoke a condition on an entity's accreditation.

(2) The Digital ID Regulator is not required to give an entity notice of the decision if notice of the condition was given in a notice under subsection 15(7).

(3) The notice must:
  (a) state the condition or the variation, or state that the condition is revoked; and
  (b) state the day on which the condition, variation or revocation takes effect.

Division 3—Varying, suspending and revoking accreditation

24 Varying accreditation

The Digital ID Regulator may vary the accreditation of an accredited entity to take account of a change in the accredited entity's name.

Note: The Digital ID Regulator can also vary conditions on accreditation (see section 20).
25 Suspension of accreditation

Digital ID Regulator must suspend accreditation if Minister's direction about suspension is in force

(1) The Digital ID Regulator must, in writing, suspend the accreditation of an accredited entity if a direction under subsection 27(1) directing the Digital ID Regulator to do so is in force in relation to the entity.

Digital ID Regulator may decide to suspend accreditation in other circumstances

(2) The Digital ID Regulator may, in writing, suspend the accreditation of an accredited entity if:
  (a) the Digital ID Regulator reasonably believes that the accredited entity has contravened or is contravening this Act; or
  (b) the Digital ID Regulator reasonably believes that there has been a cyber security incident involving the entity; or
  (c) the Digital ID Regulator reasonably believes that a cyber security incident involving the entity is imminent; or
  (d) if the entity is a body corporate—the entity becomes a Chapter 5 body corporate (within the meaning of the Corporations Act 2001); or
  (e) the Digital ID Regulator is satisfied that it is not appropriate for the entity to be an accredited entity; or
  (f) circumstances specified in the Accreditation Rules apply in relation to the entity.

Note: The Digital ID Regulator may impose conditions on an entity's accreditation before suspending it (see paragraph 17(4)(g)) and can give directions to give effect to a decision to suspend an entity's accreditation (see paragraph 127(1)(b)).

(3) The reference to cyber security incident in paragraph (2)(b) does not include acts, events or circumstances covered by paragraph (b) or (d) of the definition of that term unless the Digital ID Regulator is satisfied that the attempts referred to in those paragraphs involve an unacceptable risk to the provision of the entity's accredited services.

(4) In determining whether the Digital ID Regulator is satisfied of the matter in paragraph (2)(e), regard may be had to whether the entity is a fit and proper person.
Note: In having regard to whether an entity is a fit and proper person, the Digital ID Regulator must have regard to any matters specified in the Digital ID Rules and may have regard to any other matters considered relevant (see section 12).

(5) Subsection (4) does not limit paragraph (2)(e).

Digital ID Regulator may suspend accreditation on application

(6) The Digital ID Regulator may, on application by an accredited entity, suspend the accreditation of the entity.

Note: See Part 5 of Chapter 9 for matters relating to applications.

Show cause notice must generally be given before decision to suspend

(7) Before suspending the accreditation of an entity under subsection (2), the Digital ID Regulator must give a written notice (a show cause notice) to the entity.

(8) The show cause notice must:
  (a) state the grounds on which the Digital ID Regulator proposes to suspend the entity's accreditation; and
  (b) invite the entity to give the Digital ID Regulator, within 28 days after the day the notice is given, a written statement showing cause why the Digital ID Regulator should not suspend the accreditation.

Exception—cyber security incident

(9) Subsection (7) does not apply if the suspension is on a ground mentioned in paragraph (2)(b) or (c).

Notice of suspension

(10) If the Digital ID Regulator suspends an entity's accreditation under subsection (1), (2) or (6), the Digital ID Regulator must give the entity a written notice stating the following:
  (a) that the entity's accreditation is suspended;
  (b) if the entity is accredited as more than one kind of accredited entity—the accreditation that is suspended;
  (c) the reasons for the suspension;
  (d) the day the suspension is to start;
  (e) if the accreditation is suspended for a period—the period of the suspension;
  (f) if the accreditation is suspended until a specified event occurs or action is taken—the event or action.
Effect of suspension

(11) If an entity's accreditation is suspended under this section:
  (a) the entity is taken not to be accredited while the suspension is in force; and
  (b) if the entity holds an approval to participate in the Australian Government Digital ID System as an accredited entity—the entity is taken not to hold that approval while the entity's accreditation is suspended.

Revocation of suspension

(12) If the Digital ID Regulator suspends an entity's accreditation under subsection (2), the Regulator may revoke the suspension by written notice to the entity.

(13) If the Digital ID Regulator suspends an entity's accreditation under subsection (6), the Regulator must revoke the suspension by written notice to the entity if the entity requests the suspension be revoked.

(14) A notice given under subsection (12) or (13) must specify the day the revocation takes effect.

26 Revocation of accreditation

Digital ID Regulator must revoke accreditation if Minister gives a direction to do so

(1) The Digital ID Regulator must, in writing, revoke the accreditation of an accredited entity if the Minister gives a direction under subsection 27(1) to do so.

Revocation on Digital ID Regulator's own initiative

(2) The Digital ID Regulator may, in writing, revoke an entity's accreditation if:
  (a) the Digital ID Regulator reasonably believes that the accredited entity has contravened or is contravening this Act; or
  (b) the Digital ID Regulator reasonably believes that:
    (i) there has been a cyber security incident involving the entity; and
    (ii) the cyber security incident is serious; or
  (c) if the entity is a body corporate—the entity becomes a Chapter 5 body corporate (within the meaning of the Corporations Act 2001); or
  (d) the Digital ID Regulator is satisfied that it is not appropriate for the entity to be an accredited entity; or
  (e) circumstances specified in the Accreditation Rules apply in relation to the entity.
Note: The Digital ID Regulator may impose conditions on an entity's accreditation before revoking it (see paragraph 17(4)(g)) and can give directions to give effect to a decision to revoke an entity's accreditation (see paragraph 127(1)(b)).

(3) In determining whether the Digital ID Regulator is satisfied of the matter in paragraph (2)(d), regard may be had to whether the entity is a fit and proper person.

Note: In having regard to whether an entity is a fit and proper person, the Digital ID Regulator must have regard to any matters specified in the Digital ID Rules and may have regard to any other matters considered relevant (see section 12).

(4) Subsection (3) does not limit paragraph (2)(d).

Revocation on application

(5) The Digital ID Regulator must, on application by an entity, revoke the entity's accreditation.

Note: See Part 5 of Chapter 9 for matters relating to applications.

Date of effect

(6) The revocation takes effect on the day determined by the Digital ID Regulator.

Approval must also be revoked

(7) If:
  (a) an entity's accreditation is revoked under subsection (1), (2) or (5); and
  (b) the entity holds an approval to participate in the Australian Government Digital ID System;
the Digital ID Regulator must at the same time revoke the entity's approval to participate as an accredited entity.

Show cause notice must generally be given before decision to revoke

(8) Before revoking the accreditation of an entity under subsection (2), the Digital ID Regulator must give a written notice (a show cause notice) to the entity.

(9) The show cause notice must:
  (a) state the grounds on which the Digital ID Regulator proposes to revoke the entity's accreditation; and
  (b) invite the entity to give the Digital ID Regulator, within 28 days after the day the notice is given, a written statement showing cause why the Digital ID Regulator should not revoke the accreditation.
Exception—cyber security incident

(10) Subsection (8) does not apply if the revocation is on a ground mentioned in paragraph (2)(b).

Notice of revocation

(11) If the Digital ID Regulator is to revoke an entity's accreditation under subsection (1), (2) or (5), the Digital ID Regulator must give the entity a written notice stating the following:
  (a) that the entity's accreditation is to be revoked;
  (b) if the entity is accredited as more than one kind of accredited entity—the accreditation that is to be revoked;
  (c) the reasons for the revocation;
  (d) the day the revocation is to take effect.

Accreditation can be revoked even while suspended

(12) Despite paragraph 25(11)(a), the Digital ID Regulator may revoke an entity's accreditation under this section even if a suspension is in force under section 25 in relation to the entity.

Division 4—Minister's directions regarding accreditation

27 Minister's directions regarding accreditation

(1) The Minister may, in writing, direct the Digital ID Regulator to do any of the following if, for reasons of security (within the meaning of the Australian Security Intelligence Organisation Act 1979), including on the basis of an adverse or qualified security assessment in respect of a person, the Minister considers it appropriate to do so:
  (a) refuse to accredit an entity;
  (b) impose conditions on the accreditation of an entity;
  (c) suspend the accreditation of an accredited entity;
  (d) revoke the accreditation of an accredited entity.

(2) If the Minister gives a direction under subsection (1), the Digital ID Regulator must comply with the direction.

(3) The direction remains in force unless it is revoked by the Minister. The Minister must notify the Digital ID Regulator and the entity if the Minister revokes the direction.

(4) Despite subsection (3), a direction given under subsection (1) to revoke the accreditation of an accredited entity cannot be revoked.

(5) A direction given under this section is not a legislative instrument.
Division 5—Accreditation Rules

28 Accreditation Rules

(1) The Accreditation Rules must provide for and in relation to matters concerning the accreditation of entities.

(2) Without limiting subsection (1), the Accreditation Rules may deal with the following matters:
  (a) requirements that entities must meet in order to become and remain an accredited entity, including requirements relating to the following:
    (i) privacy;
    (ii) security;
    (iii) fraud control;
    (iv) incident management and reporting;
    (v) disaster recovery;
    (vi) user experience and inclusion;
  (b) without limiting paragraph (a), requirements relating to the conduct of, and reporting on, privacy impact assessments, fraud assessments and security assessments;
  (c) technical, data or design standards relating to the provision of accredited services of accredited entities;
  (d) without limiting paragraph (c), standards relating to the testing of the information technology systems of entities;
  (e) the conduct of periodic reviews of an entity's compliance with specified requirements of the Accreditation Rules, including the timing of such reviews, who is to conduct such reviews and the provision of reports about such reviews to the Digital ID Regulator;
  (f) the obligations of accredited entities in relation to monitoring their compliance with this Act;
  (g) requirements relating to the collection, holding, use and disclosure of personal information of individuals;
  (h) matters relating to representatives or nominees of individuals in relation to the creation, maintenance or deactivation of digital IDs of individuals;
  (i) requirements or restrictions relating to the generation of digital IDs for children.

Note: In relation to subparagraph (2)(a)(iv), the Digital ID Rules may also provide for such arrangements in relation to incidents that occur within the Australian Government Digital ID System (see subsection 78(1)).
Division 6—Other matters relating to accreditation

29 Digital IDs must be deactivated on request

(1) This section applies if an accredited identity service provider generates a digital ID of an individual.

(2) The accredited identity service provider must, if requested to do so by the individual, deactivate the digital ID of the individual as soon as practicable after receiving the request.

(3) If a digital ID of an individual is deactivated under subsection (2), the digital ID of the individual:
  (a) must not be used by the accredited identity service provider for verifying the identity of the individual or authenticating a digital ID of the individual; and
  (b) if it can be reactivated, must not be reactivated by the accredited identity service provider without the express consent of the individual.

30 Accredited services must be accessible and inclusive

(1AA) An accredited entity must take reasonable steps to ensure that its accredited services are accessible for individuals who experience barriers when creating or using a digital ID.

(1) The Accreditation Rules must provide for and in relation to requirements relating to the accessibility and useability of the accredited services of accredited entities.

(2) Without limiting subsection (1), the Accreditation Rules must:
  (a)