16 July, 2021

Dear Sir/Madam,

The .au Domain Administration Limited (auDA) is the administrator of, and Australian self-regulatory policy body for, the .au country code Top Level Domain (.au ccTLD). auDA operates under an agreement with the Internet Corporation for Assigned Names and Numbers to manage the .au ccTLD, and under Terms of Endorsement issued by the Australian Government, which require auDA to manage the .au domain in the public interest.

We welcome the opportunity to provide input on the Digital Transformation Agency’s Digital Identity Legislation Position Paper, and we understand there will be further opportunities for public comment before the proposed new legislation is finalised.

Registering a .au domain name – identity validation requirements

To maintain trust and confidence in the .au domain, auDA requires domain name registrars who sell .au domain licences to validate the identity of anyone registering a
.au domain and confirm they have an Australian presence. Where a registrant is a natural person that is not a sole trader with an ABN number, registrars must validate identity documents such as an Australian driver’s licence, passport, or birth certificate.

Accordingly, a voluntary and secure mechanism for individuals to digitally verify their identities is of interest to auDA and we offer the following preliminary comments:

  1. We welcome efforts to establish a voluntary framework for establishing and verifying identities in a way that safeguards security and privacy, and we support in principle the extension of the Trusted Digital Identity Framework to state, territory and local governments and to the private sector.
  2. We agree robust and effective governance of any digital identity system will be essential in gaining and maintaining public confidence in it and we consider independent oversight of the system an important means by which to address this concern. To this end, an adequately supported independent Oversight Authority and a role for the Information Commissioner as described in section 3.1 of the position paper will be necessary to ensure consumer and privacy safeguards.
  3. To maintain trust and confidence in a digital identity system, it will be important to ensure that each verified identity does in fact represent who it claims to represent, and that the creation of fraudulent digital identities is prevented.

    Section 3.5.1 of the Position Paper indicates that the Oversight Authority will play a role in coordinating information sharing to assist in managing cyber security and fraud incidents. auDA considers this a useful measure; however, we note that rolling out a digital identity system more broadly may result in more cyber security and fraud incidents. Accordingly, we suggest consideration should be given to which Commonwealth agency or agencies will investigate such incidents and appropriate resourcing be directed towards effective investigation and mitigation.
  4. Section 4 of the position paper indicates that a notifiable instrument will set out technical and other specifications outlining how the system will operate, and section 6.4.2 indicates that the Minister may establish a technical standards board comprised of entities participating in the system as well as private and public sector experts to provide advice.

    Given the importance of digital data security and the need to protect digital identities from fraudulent activity, auDA considers there should be public consultation on all technical standards associated with the system prior to the drafting of the notifiable instrument.
  5. Section 5.4.1 states that any government body, company, trust, partnership, or unincorporated association may apply to be onboarded as a relying party. auDA recognises that malicious actors may be motivated to become a relying party in order to obtain access to user data. auDA therefore suggests that the thresholds for onboarding relying parties warrant careful consideration in addition to an assessment of whether a relying party is a fit and proper person.
  6. We support the inclusion in legislation of the proposed matters the Oversight Authority will consider. Section 5.4.4 of the Position Paper indicates this will include (among other things) national security and an assessment of whether a relying party is a fit and proper person. We consider this appropriate; however, we also suggest additional safeguards for ensuring user security, privacy and data handling (such as ISO 27001, ASD’s Essential Eight and the Consumer Data Standards) should be adopted, in order to ensure adequate protections in the legislation.
  7. We support privacy and consumer safeguards being enshrined in legislation and agree this should help build trust in the Framework. We note section 6.4.6 indicates there will be additional privacy safeguards beyond those in the Privacy Act, and section 7.1 states the intention is not to duplicate or conflict with existing legislation.

    Since the Privacy Act is currently under review, we suggest that finalising the privacy obligations for the digital identity framework should be delayed until the review has concluded to ensure legislative consistency.

auDA understands an Exposure Draft of the proposed Bill will be published for consultation later this year. We look forward to engaging further during that process.

Yours sincerely,
Rosemary Sinclair AM Chief Executive Officer