The independent assessor made eight recommendations in total in the report, in the areas of biometrics, retention of metadata and the necessity of “stand-alone” privacy policies for both public and private sector identity providers (IdPs). For the most part, the assessor noted gaps in legislation in these areas, as well as potential contraventions of pre-existing requirements such as the Australian Privacy Principles (APP).
Biometrics, the private sector and community expectations
There were four salient privacy concerns identified by the PIA that must be allayed through the TDIF to ensure a successful implementation of a digital identities platform:
- Engaging the community through a stakeholder advisory committee or similar. Digital identities are “absolutely essential” to Minister Keenan’s 2025 Vision for digital Government, yet public knowledge of their importance has been lacking. The PIA holds that such consultation will prevent “function creep” and help guide the platform according to public expectations.
- There remains a general lack of understanding of the legalities and potential privacy pitfalls of utilising biometric data among both Government and the public. Clarity will only emerge from targeted regulation in this area.
- Generally inadequate privacy legislation: the Privacy Act 1988 (Cth) comes across as dated and unresponsive to the digital era. The PIA suggests “enshrining [privacy rights] in a legislative instrument” to ensure data is protected against threats of exploitation.
- There exists a lack of clarity as to the exact responsibilities of private sector IdPs. Discrepancies exist between private organisations and government agencies under the APP. Legislation levelling the field between providers and potentially instituting a “Privacy Champion” would work to prevent corporate misuse of data.
These central concerns are also echoed in a recent article published by the Australian Strategic Policy Institute (ASPI), suggesting a consensus around the ultimate future of legislation in these areas. Concerning the grey area of biometric data use and retention, the assessor recommended seeking “specific legislative backing” and similar recommendations were made for the involvement of the private sector in a federated model.
The DTA response was in agreement with the assessor with regard to implementing tangible legislation, an acknowledgement that privacy is crucial to the success of the TDIF. The response stated that the DTA remains committed to a carefully considered approach to privacy through a “multi-phase” process replete with trials and consultations.
The DTA sees “privacy by design” as a bulwark against these potential threats, prioritising principles such as consumer choice and minimising the collection of data. Coupled with the requirement that all involved parties develop their own policies and undergo individual PIAs to become accredited providers, private sector stakeholders may be expected to prioritise privacy in their dealings with the TDIF.
Privacy Law in Australia
In an interview with Intermedium in 2017, Sheila Fitzpatrick, Chief Privacy Officer of NetApp, noted that “we are certainly going to see an enhancement in data privacy laws” in the near future. Jurisdictions such as the EU and China have already implemented stringent legislation, such as the European General Data Protection Regulation (GDPR). Communications Minister Mitch Fifield recently expressed support for similar laws at the federal level in Australia.
As it currently stands in Australia, the APP contains many modern principles; however, protection for private data online is lacking. Recourse for breaches of the Privacy Act 1988 (Cth) is limited by the narrow legal definition of ‘personal information’ in Australia. A recent Federal Court decision excluded metadata from this definition, signifying the lack of clarity around citizens’ rights to data privacy.
The federated model with multiple public and private IdPs is proposed by the government as a panacea to these privacy concerns, but will likely require a simultaneous overhaul of privacy law.