Unlocking the future: Is your practice ready for Digital ID?
Law firms must understand imminent new Digital ID laws if they are to explain them to clients and also mitigate the potential impacts of data breaches, writes Simone Herbert-Lowe.
In short
- The Digital ID Act 2024 establishes a national, government-regulated Digital ID scheme that creates a legal framework for accredited Digital ID providers.
- Digital ID has the potential to offer a more secure alternative to traditional identity verification, allowing individuals to verify their identity electronically without sharing physical document copies.
- The system is voluntary, gives individuals more control over their personal information, and aims to reduce the risks associated with large-scale data breaches.
With the passing of new national digital identity laws in Australia, lawyers need to quickly get up to speed with the implications.
Many Australians currently use a form of Digital ID, such as myGovID, to interact with government agencies like the Australian Taxation Office (ATO), but to date there has not been a single government standard for Digital ID in Australia. However, by December 2024, that will change.
The Digital ID Act 2024 and the Digital ID (Transitional and Consequential Provisions) Act 2024 commenced operation on 1 December 2024 (see breakout for a detailed explanation of the reforms). They are intended to provide individuals with secure, convenient, voluntary and self-sovereign ways to verify their identity when transacting with government and businesses.
For law firms, the changes come with opportunities to streamline identification processes and to reduce the data-breach risks that come with holding identity data. However, other regulatory changes may be needed before these benefits can be realised.
The ‘honeypot’ problem
Large-scale data breaches that have hit companies such as Optus, Medibank and Latitude in recent years have demonstrated, for organisations and individuals alike, the risks associated with holding large ‘honeypots’ of identity data, making the elimination of such datasets a government priority under its national cybersecurity strategy.
However, a competing issue is the legal requirement for organisations of all kinds to properly identify individuals. For example, financial services providers have strict Know Your Customer (KYC) obligations; lawyers are required to certify that they have identified individuals involved in property transactions; and training organisations require 100 points of identification to ensure that the person accredited with successfully completing a training program is who they say they are.
In addition to the security issues associated with holding identity information, the need for individuals to constantly prove their identity increases risks through the insecure sharing of their identity documents. These risks include communications by email, where control over the use of the document no longer belongs to the person being identified, or where identity information is then shared with other organisations as a result of inter-connected systems, outsourcing, etc.
Protection from cyber breaches
The government’s Digital ID System allows individuals to quickly, conveniently and securely verify their identity against existing identification documents held by government agencies, replacing traditional 100-point checks using hard-copy documents which can then be copied and shared insecurely, making them vulnerable in the event of a cyber breach.
Techniques that accredited Digital ID providers use to verify identities online include biometric identifiers such as facial-recognition technologies; the matching of a face to an individual’s identity document (e.g. passport) held by the Australian Government’s Document Verification Service; and ‘proof of life’ techniques such as the use of a smartphone camera to observe subtle, real-time movements of the eyes to rule out the possibility that the image being verified is a still photograph or pre-recorded video.
In addition to identifying individuals, the expanded Digital ID System will give individuals the option of sharing only certain data; for example, providing only proof of age when entering a club, rather than a full name and address. In this way, it will potentially support other types of verification measures designed to reduce online harms, such as verifying that a user is the minimum required age for accessing social media sites.
Once a Digital ID is created, it can be reused without needing to repeat the initial verification process. In other words, once an individual confirms who they are when creating their Digital ID, they are not required to repeat this process when they want to identify themselves again in the future.
Implications for solicitors
A key feature of what the government is calling its new Trusted Digital ID Framework (TDIF) is that providers will not share or store copies of an individual’s identity documents during or after an identity transaction.
Let us say that a solicitor needs to verify a client’s identity in a commercial transaction. The Digital ID platform will carry out online checks to verify the client is who they say they are, and it will then confirm the successful verification with the other party to the identity ‘transaction’, who in this case is the solicitor. The Digital ID provider will keep a record that the client’s identity has been verified at a particular date and time, and the solicitor will receive an official record to this effect. Importantly, however, the solicitor will not receive copies of the identity documents themselves.
This is an important difference from products that offer ways of collecting information digitally but which continue to store and share identity information, such as some existing virtual or online verification of identity (VOI) services used by property practitioners. Using a Digital ID instead of these existing VOI services will mean that, while the solicitor can prove they identified their client, in the event that the law firm has a data breach the client’s identity documents will not be compromised or misused, because those identity documents will not actually be stored by the firm.
In order for the full benefits of Digital IDs to extend to lawyers and their clients, changes will likely be required to other laws and regulations. For example, current VOI requirements which require face-to-face VOI in e-conveyancing transactions may need amendment to specifically approve the use of Digital ID. Similar issues are likely to arise in other areas of the law and legal practice.
Privacy requirements
Under the Privacy Act, Australian Privacy Principle (APP) 11 requires organisations to “take reasonable steps” to protect personal information from misuse, loss, or unauthorised access, and to securely “destroy or de-identify” information when it is no longer needed to ensure that personal data is handled securely and responsibly throughout its life cycle.
The Digital ID System supports compliance with APP 11 by offering a secure, verified way to confirm identity without requiring identity information to be stored either physically or electronically. Currently, only firms with annual revenue of more than $3 million are required to comply with the Privacy Act, but, as the government has foreshadowed its intention to remove the ‘small business exception’ under the Act, smaller firms should be aware that these requirements will in the future apply to them as well.
Concerns about privacy under the Digital ID system include the potential for citizens’ interactions to be ‘logged’ in a single database, and how the Digital ID system might be extended in the future. As the Digital ID system will ultimately include government and private sector options, people who elect to use Digital ID using a non-government Digital ID should not be required to share more information with government than would otherwise be the case.
Conclusion
The Digital ID system aims to enhance security for Australians online and reduce the risk of identity theft from data breaches. For law firms, this presents a significant opportunity to mitigate the impacts of data breaches, as well as to minimise the time and inconvenience in VOI processes, which are likely to increase significantly over time. This is particularly true given the impending introduction of KYC checks for law firms under upcoming anti-money laundering and counter-terrorism regulations.
There is no doubt that the widespread adoption of the Digital ID System may require some shifts in legal practice. As was the case during COVID-19 lockdowns, when the legal sector swiftly adapted to online courts and the virtual witnessing of documents, Digital ID changes could transform identity verification processes faster than anticipated. Lawyers should stay informed and prepare for this potential shift.
The key actions they should take to ensure they are prepared include:
- Stay informed and compliant – understand the evolving regulatory landscape around Digital ID in Australia, and ensure your firm’s practices align with privacy and data-protection laws.
- Invest in secure technology – adopt and integrate Digital ID solutions that are secure, compliant and interoperable with your existing systems, enhancing both efficiency and client trust.
- Train and educate – provide training for staff on using Digital ID tools and educate clients on their benefits and how to use them securely.
These steps will help your firm effectively transition to Digital ID, and maintain security and compliance while improving client experience and reducing inconvenience and cost.
In detail: What is changing under the Digital ID System?
The current Australian Government Digital Identity System (AGDIS) encompasses the Australian Government’s Digital Identity infrastructure, which includes myGov and myGovID.
Australia’s new national Digital ID laws create the framework for wider adoption of digital identity systems beyond the AGDIS and support expansion of the use of Digital IDs by state governments and the private sector.
The Digital ID Act 2024 and the Digital ID (Transitional and Consequential Provisions) Act 2024 (the Digital ID Acts) provide for a national, government-regulated Digital ID scheme that creates a legal framework for accrediting Digital ID providers and for organisations to rely on Digital ID credentials (known as the Digital ID System).
The Trusted Digital ID Framework (TDIF) will accredit government and non-government Digital ID providers for participation in the existing AGDIS. To be part of the expanded Digital ID system, Digital ID providers must be accredited in order to demonstrate they meet high standards relating to privacy, cybersecurity, fraud control and more. Use of a Digital ID will be voluntary: individuals can elect whether to opt in, and which Digital ID provider they prefer.
The Digital ID system involves the phased expansion of the existing AGDIS, commencing with the creation of the regulatory framework and expansion of Digital ID across government services to include state governments, leading to the use of Digital IDs in the private sector and ultimately permission for accredited private sector Digital IDs to verify individuals when accessing some government services.
Simone Herbert-Lowe is the Director of Law & Cyber. She acts for businesses and individuals impacted by cyber events, has provided written expert opinion in legal proceedings and is the author of the online, CPD-eligible courses Cyber Risk for Law Firms and Cyber Risk in the Property Industry.
[Note: Law & Cyber has a commercial relationship with a Digital ID provider.]
More reading…
For additional information on the new Digital ID system, see the following links:
Australian Government: Set up your Digital ID
Ashurst: Australia’s Digital ID Act and a new Trusted Exchange (TEx) – an update and a deep dive
Herbert Smith Freehills: Australia’s Digital ID Act 2024 signed into law
Gilbert + Tobin: Digital ID Act 2024