Digital ID in your practice: A Guide for Firms and Their Clients


Key insights:

  • The Australian Government’s Digital ID Scheme is being expanded to encompass state governments and the private sector via a new Trusted Digital ID Framework.

  • The use of Digital Identity will be voluntary. Expected benefits are convenience, reduced costs and increased security through a reduction in the number of information “honeypots” across organisations.

  • For law firms, Digital ID can streamline identification processes and reduce risks associated with identity theft or data breaches that come with holding identity data, however other regulatory changes may be required before these benefits can be fully realised.

Image: example of a Digital ID app screen

This article was first published in the October 2024 edition of the LSJ

With the passing of new national Digital Identity laws in Australia, lawyers need to get up to speed with the implications if they are to explain these to clients and mitigate the potential impacts of data breaches.

Many Australians currently use a form of Digital ID, such as myGovID, to interact with government agencies like the Australian Taxation Office (ATO), but to date there has not been a single government standard for Digital ID in Australia. However, by December 2024, that will change.

The Digital ID Act 2024 and the Digital ID (Transitional and Consequential Provisions) Act 2024 will take effect from late 2024. They are intended to provide individuals with secure, convenient, and voluntary ways to verify their identity when transacting with government and businesses.

The ‘honeypot’ problem

Large-scale data breaches involving companies such as Optus, Medibank and Latitude have demonstrated the risks associated with holding large ‘honeypots’ of identity data, for both organisations and individuals, making the elimination of such datasets a government priority under its national cybersecurity strategy.

However, a competing issue is the legal requirement for organisations of all kinds to properly identify individuals. For example, financial services providers have strict Know Your Customer (KYC) obligations and lawyers are required to certify that they have identified individuals involved in property transactions.

In addition to the security issues associated with holding identity information, the need for individuals to constantly prove their identity increases risks through the insecure sharing of their identity documents. These risks include communications by email, where control over the use of the document no longer belongs to the person being identified, or where identity information is then shared with other organisations as a result of inter-connected systems, outsourcing, and so on.

A further issue is the weakness of systems that rely only on usernames and passwords for security, given that these credentials can now be so easily compromised, particularly by cybercriminals who can leverage artificial intelligence to crack user credentials.

What is, and what is not, Digital ID

Digital ID under the Australian government’s Trusted Digital ID Framework (“TDIF”) is a broader initiative than the simple use of digital versions of identity documents such as a NSW digital driver’s licence, because the TDIF facilitates identity verification across multiple sectors and services nationwide.

The Digital ID system allows individuals to quickly, conveniently and securely verify their identity against existing identification documents held by government agencies, replacing traditional 100-point checks using hard-copy documents which can then be copied and shared insecurely, making them vulnerable in the event of a data breach.

Techniques that Accredited Digital ID providers use to verify identities online include biometric identifiers such as facial-recognition technologies; the matching of a face to an individual’s identity document (such as a passport) held by the Australian Government’s Document Verification Service; and ‘proof of life’ techniques such as the use of a smartphone camera to observe subtle, real-time movements of the eyes to rule out the possibility that the image being verified is a still photograph or pre-recorded video.

In addition to identifying individuals, the expanded Digital ID System will give individuals the option of sharing only certain data; for example, providing only proof of age when entering a club, rather than a full name and address. In this way, it will potentially support other types of verification measures designed to reduce online harms, such as verifying that a user is the minimum required age for accessing social media sites or licensed premises.

Once a Digital ID is created, it can be reused without needing to repeat the initial verification process. In other words, once an individual confirms who they are when creating their Digital ID, they are not required to repeat this process when they want to identify themselves again in the future.

Trusted Digital ID Framework (TDIF)

The current Australian Government Digital Identity System (AGDIS) encompasses the Australian Government’s Digital Identity infrastructure, which includes myGov and myGovID. Australia’s new national Digital ID laws create the framework for wider adoption of digital identity systems beyond the AGDIS and support expansion of the use of Digital IDs by state governments and the private sector.

The Digital ID Act 2024 and the Digital ID (Transitional and Consequential Provisions) Act 2024 (the Digital ID Acts), provide for a national, government-regulated Digital ID scheme that creates a legal framework for accrediting Digital ID providers and for organisations to rely on Digital ID credentials (the Digital ID System).

The TDIF will accredit government and non-government Digital ID providers to the existing AGDIS. To be part of the expanded Digital ID system, Digital ID providers must be accredited in order to demonstrate they meet high standards related to privacy, cybersecurity, fraud control and more. Use of a Digital ID will be voluntary for individuals who can then elect whether to opt-in and which Digital ID provider they prefer.

Digital ID will also support other regimes such as the Consumer Data Right (CDR) which is designed to give consumers greater control over their data and facilitate secure data sharing between businesses. Digital ID complements the CDR by providing a streamlined and secure method for verifying identity, ensuring that data access and sharing under the CDR framework is efficient and protected.

Centralised versus De-centralised Digital ID and Self-Sovereign Identity Structures

The expected benefits to individuals of using Digital ID are convenience and increased security through a reduction in the number of information “honeypots”. However, there are also concerns that Digital ID providers could themselves become targets because of the scale of their data repositories. For this reason it is important to understand the difference between centralised and non-centralised forms of Digital ID.

  • A centralised Digital ID is managed by a single authority, such as a government or corporation, which controls the storage, access, and verification of identity data.

  • In contrast, a non-centralised Digital ID gives individuals control over their own data, allowing them to share only what is needed with different parties, often using blockchain or similar technologies for secure verification without relying on a single authority.

Non-centralised systems offer greater privacy and reduce the risk of single points of failure or misuse. Self-sovereign Digital ID (SSI) is a type of non-centralised digital identity, but it goes a step further.

While both give users more control, SSI allows individuals full ownership and control of their identity data, letting them decide how, when, and with whom to share it, without needing intermediaries. In non-centralised systems, there may still be some shared control with other entities, but SSI is user-driven and focuses on complete autonomy.

In its submission to the Government about the Digital ID system, the Law Council of Australia noted that the proposed Digital ID framework is directed towards regulating a centralised environment for the collection and storage of personal identifiable information, and it suggested that the Government consider the use of SSIs which give individuals additional control over the information they use to establish their identity.

SSIs provide for a dispersed or federated environment that reduces reliance on a central authority. They move control of Digital ID from third-party “identity providers” directly to individuals. SSIs enable individuals to prove and control their own identity online (for example, by using a Digital ID app on their smartphone). The use of SSIs could address concerns that Digital ID could be used to form intrusive data sets about individuals, leading to exclusion and discrimination or to the monetisation of data.

In August 2024 the Government announced it would be trialling a new Trusted Exchange (TEx) form of Digital ID which appears to involve the use of SSIs.

Implications for solicitors

A key feature of the TDIF is that providers will not share or store copies of an individual’s identity documents during or after an identity transaction.

Let’s say that a solicitor needs to verify a client’s identity in a commercial transaction. The Digital ID platform will carry out online checks to verify the client is who they say they are, and it will then confirm the successful verification with the other party to the identity ‘transaction’, who in this case is the solicitor. The Digital ID provider will keep a record that the client’s identity has been verified at a particular date and time, and the solicitor will receive an official record to this effect. Importantly, however, the solicitor will not receive copies of the identity documents themselves.

This is an important difference with products that offer ways of collecting information digitally, but which continue to store and share identity information, such as some existing virtual or online verification of identity (VOI) services used by property practitioners. Using a Digital ID instead of these existing VOI services will mean that, while the solicitor can prove they identified their client, in the event that the law firm has a data breach, the client’s identity documents will not be compromised or misused because those identity documents will not actually be stored by the firm.
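To make the difference concrete, the following Python model is an added example, not code from the article or from any Digital ID provider. It walks through the identity ‘transaction’ described above: the provider checks the client’s documents, derives only the claims the firm asked for (identity verified, over 18), and confirms them in a signed receipt; the firm stores the receipt and nothing else. It then shows what a breach of each kind of stored record would expose. The provider and firm names, the receipt fields and the sample client documents are all constructed, and an HMAC with a shared key stands in for the public-key signature an accredited provider would use in practice.

```python
"""Added example: data minimisation in a Digital ID identity transaction.
Not the article's or any provider's code; names, fields and key are assumptions."""
import hashlib
import hmac
import json
import secrets
from datetime import date, datetime, timezone

# Fields that, if present in a stored record, a breach of that record would expose.
IDENTITY_DOCUMENT_FIELDS = {
    "full_name", "date_of_birth", "address", "passport_number", "passport_scan",
}

# Constructed sample of what the provider sees during verification.
# Under the flow in the article this never leaves the provider.
SAMPLE_CLIENT_DOCUMENTS = {
    "full_name": "Sample Client",
    "date_of_birth": "1990-04-15",
    "address": "1 Example Street, Example NSW",
    "passport_number": "PLACEHOLDER-PASSPORT",
    "passport_scan": "<constructed image bytes>",
}

# Assumption: a per-provider secret standing in for the provider's signing key.
PROVIDER_KEY = secrets.token_bytes(32)


def _canonical(payload: dict) -> bytes:
    """Deterministic encoding so the MAC covers exactly the stored payload."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def derive_claims(documents: dict, on: date) -> dict:
    """The provider's check reduced to what it attests. Document matching and
    biometrics are outside this example and assumed to have succeeded."""
    dob = date.fromisoformat(documents["date_of_birth"])
    age = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    return {"identity_verified": True, "age_over_18": age >= 18}


def issue_receipt(provider_key: bytes, relying_party: str, documents: dict,
                  requested_claims: list, verified_at: datetime, subject_ref: str) -> dict:
    """Provider confirms the verification to the relying party, releasing only
    the requested claims plus an opaque subject reference and a timestamp."""
    all_claims = derive_claims(documents, verified_at.date())
    payload = {
        "provider": "example-accredited-provider",   # assumption
        "relying_party": relying_party,
        "subject_ref": subject_ref,                   # opaque, not a document number
        "verified_at": verified_at.isoformat(),
        "claims": {name: all_claims[name] for name in requested_claims},
    }
    tag = hmac.new(provider_key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": tag}


def verify_receipt(provider_key: bytes, receipt: dict, expected_relying_party: str) -> bool:
    """Relying party checks the receipt is genuine, untampered and addressed to it."""
    expected = hmac.new(provider_key, _canonical(receipt["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, receipt["mac"]):
        return False
    return receipt["payload"]["relying_party"] == expected_relying_party


def exposed_identity_fields(stored_record: dict) -> list:
    """Which identity-document fields a breach of this stored record would expose."""
    return sorted(IDENTITY_DOCUMENT_FIELDS & set(stored_record))


def run_transaction() -> dict:
    """One end-to-end transaction between the provider and a law firm (constructed)."""
    firm = "example-law-firm"
    verified_at = datetime(2024, 10, 1, 9, 30, tzinfo=timezone.utc)
    receipt = issue_receipt(PROVIDER_KEY, firm, SAMPLE_CLIENT_DOCUMENTS,
                            ["identity_verified", "age_over_18"], verified_at, "subj-0001")
    firm_record = receipt  # the receipt is all the firm retains

    # A receipt altered after issue (e.g. a claim flipped) must be rejected.
    tampered = {"payload": dict(firm_record["payload"]), "mac": firm_record["mac"]}
    tampered["payload"]["claims"] = {"identity_verified": True, "age_over_18": False}

    return {
        "valid": verify_receipt(PROVIDER_KEY, firm_record, firm),
        "tampered_rejected": not verify_receipt(PROVIDER_KEY, tampered, firm),
        "claims": firm_record["payload"]["claims"],
        "exposed_by_firm_breach": exposed_identity_fields(firm_record["payload"]),
        "exposed_by_legacy_voi_breach": exposed_identity_fields(SAMPLE_CLIENT_DOCUMENTS),
    }


if __name__ == "__main__":
    print(json.dumps(run_transaction(), indent=2))
```

The point of the `exposed_identity_fields` comparison is the one the paragraph makes: a firm that stores only the receipt can still demonstrate when and by whom the client was verified, but a breach of its files yields no document copies, whereas a record from a document-copying VOI service would expose every identity field it captured.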

In order for the full benefits of Digital IDs to extend to lawyers and their clients, changes will likely be required to other laws and regulations.

For example, current VOI requirements which require face-to-face VOI in e-conveyancing transactions may need amendment to specifically approve the use of Digital ID. Similar issues are likely to arise in other areas of the law and legal practice.

Privacy requirements

Under the Privacy Act, Australian Privacy Principle (APP) 11 requires organisations that are subject to the Act to “take reasonable steps” to protect personal information from misuse, loss, or unauthorised access, and to securely “destroy or de-identify” information when it is no longer needed, so that personal data is handled securely and responsibly throughout its life cycle. The Digital ID System supports compliance with APP 11 by offering a secure, verified way to confirm identity without requiring identity information to be stored either physically or electronically. At present only firms with annual revenue of more than $3 million are required to comply with the Privacy Act; however, as the government has foreshadowed its intention to remove the “small business exception” under the Act, smaller firms should be aware that these requirements will in future apply to them as well.

Concerns about privacy under the Digital ID system include the potential for citizens’ interactions to be ‘logged’ in a single database, and how the Digital ID system might be extended in the future. As the Digital ID system will ultimately include government and private sector options, people who elect to use Digital ID using a non-government Digital ID should not be required to share more information with government than would otherwise be the case.

Conclusion

The Digital ID system aims to enhance security for Australians online and reduce the risk of identity theft from data breaches. For law firms, this presents a significant opportunity to mitigate the impacts of data breaches, as well as to minimise the time and inconvenience in VOI processes, which are likely to increase significantly over time.

This is particularly true given that it appears highly likely that, from 2026, lawyers providing designated services under the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act 2006 will be required to conduct KYC checks.

There is no doubt that the widespread adoption of the Digital ID System may require some shifts in legal practice. As was the case during COVID-19 lockdowns, when the legal sector swiftly adapted to online courts and the virtual witnessing of documents, Digital ID changes could transform identity verification processes faster than anticipated. Lawyers should stay informed and prepare for this potential shift.

____________________________

[Note: Law & Cyber has a commercial relationship with a Digital ID provider.]

AUTHOR

Simone Herbert-Lowe

Simone Herbert-Lowe is the Director of Law & Cyber. She acts for businesses and individuals impacted by cyber events, has provided written expert opinion in legal proceedings and is the author of the online, CPD-eligible courses Cyber Risk for Law Firms and Cyber Risk Resilience for Directors.
