8 December 2017

Our reference: D2017/009585

Mr Martin Ward
A/g Head of Identity
Digital Transformation Agency
50 Marcus Clarke Street
Canberra, ACT 2601

Dear Mr Ward

Trusted Digital Identity Framework consultation

I welcome the opportunity to provide comments to the Digital Transformation Agency (DTA) on the Trusted Digital Identity Framework (the Trust Framework). I understand that the Trust Framework sets out the tools, rules and accreditation criteria to govern the Govpass identity federation being developed by DTA. These include, in particular, the Core Privacy Requirements (CPR), which set out requirements relating to information privacy.

I recognise the value of this initiative to the community, which will make it easier for people to prove who they are when using online government services. I also welcome DTA’s commitment to building privacy into the design of the identity federation, as reflected in the Trust Framework. To ensure the success and sustainability of this initiative, public support will be essential. Building the social licence for new data-related activities will require well thought out data governance measures. Such measures will give individuals confidence about how their information will be managed, and give clear guidance to participants about how they should handle personal information.

My comments focus on aspects of the CPRs that overlap with the requirements in the Privacy Act 1988 (Privacy Act), including under the Australian Privacy Principles (APPs) and the notifiable data breaches (NDB) scheme in Part IIIC (to commence on 22 February 2018). The personal information handled by participants in the identity federation will include key identifying information. My comments are therefore intended to ensure that personal information within the identity federation is afforded a level of privacy protection that is at least equivalent to the Privacy Act. In addition, consistent with community expectations of privacy, my comments look to ensure that individuals can access appropriate complaint and redress mechanisms and that a robust oversight framework is in place.

I suggest, in particular, that DTA give further consideration to:

  • the alignment of the CPRs with the Privacy Act
  • complaint and redress mechanisms available to individuals
  • the expected role of my Office in responding to data breaches reported by members of the identity federation that are not subject to the Privacy Act
  • the internal or external complaint handling processes of identity federation participants
  • requirements around access to, and correction of, personal information held by a member of the identity federation.

Additional comments on particular aspects of the Trust Framework documents are included at Appendix A.

About the Office of the Australian Information Commissioner (OAIC)

The Australian Parliament established the OAIC in 2010 to bring together three functions:

  • freedom of information functions, including access to information held by the Australian Government in accordance with the Freedom of Information Act 1982 (Cth)
  • privacy functions through regulating the handling of personal information under the Privacy Act 1988 (Privacy Act) and other Acts, and
  • information management functions.

The integration of these three interrelated functions into one agency positions my Office to navigate the right to privacy and the right to access information, which should be recognised as a key national resource. It also provides my Office with unique insights about realising the opportunities of the digital era alongside the robust protection of personal information.

In the exercise of these functions, my Office has established itself as a key advisory body, shaping how agencies and organisations harness emerging technologies and data practices to positively impact the lives of every Australian.

Alignment of the Core Privacy Requirements with the Privacy Act

The CPRs set out privacy obligations applying to participants in the identity federation (Applicants) including Identity Service Providers (IdP), Credential Service Providers, and an Identity Exchange.[1] The CPRs address, for example, privacy governance, notice and consent, privacy impact assessments and cross border disclosures of information. The CPRs do not, in general, apply to organisations that rely on verified identity information and assertions provided by an IdP (relying parties), however I understand that DTA will be developing an additional document setting out requirements on relying parties.

The identity federation will involve participants that are covered by varying privacy laws. These include Federal, State and Territory agencies, some of which are subject to applicable privacy laws,[2] as well as private sector organisations, including small businesses that may be exempt from the Privacy Act.[3] In addition, some of these participants will be subject to the Australian Government Agencies Privacy Code, which will commence on 1 July 2018.[4] I understand that the CPRs are designed to address this fragmentation, and that the CPRs will apply regardless of whether the Applicant is covered by Commonwealth, State or Territory privacy laws or is not covered by any privacy laws. I am broadly supportive of harmonising standards for personal information handling across the identity federation, provided the CPRs do not derogate from the obligations in the Privacy Act, and from the APPs in particular.

In adopting this approach, there may be some challenges in ensuring that the CPRs and the relevant information privacy laws remain aligned over time. This could include, for instance, legislative amendments or updated guidance material that may affect the interpretation of applicable privacy laws. These changes may have the effect, over time, of making the CPRs inconsistent with underlying privacy laws.

The CPRs do not appear to include a review mechanism to enable them to be amended to align with changes to information privacy laws in relevant jurisdictions. I suggest that DTA could include information in the Trust Framework documentation (and in particular in the CPRs) making clear how, and when, the Trust Framework requirements will be reviewed, and amended.

Complaints and redress mechanisms

There appear to be some limits on complaint and individual redress mechanisms under the Trust Framework where an Applicant is not bound by the Privacy Act or similar State or Territory information privacy laws.[5] The only complaint mechanisms available for privacy breaches would seem to be through the Trust Framework itself. I have been unable to identify possible outcomes of such mechanisms in the consultation documents, and it is not clear whether individual redress might be possible under this model.

I note that the CPRs require IdPs that are small business operators under the Privacy Act[6] to make use of a mechanism under s 6EA of the Privacy Act allowing a small business operator to choose to be treated as an organisation for the purposes of the Privacy Act. However, this requirement does not apply to a credential service provider that is not also an IdP. I suggest that the requirement be extended to credential service providers, and that DTA consider a similar requirement for relying parties. Alternatively, s 6E(1) of the Privacy Act provides for regulations to prescribe small business operators that are to be treated as organisations under the Privacy Act.

In respect of State and Territory agencies that are not covered by information privacy laws, DTA could consider utilising a mechanism in s 6F of the Privacy Act allowing state and territory authorities to be treated as organisations under the Privacy Act in certain circumstances. My Office would be pleased to explore these options further with DTA.

Compliance monitoring

It is unclear what mechanisms will be in place to monitor compliance with the CPRs. I note that there are requirements for an Applicant to document its compliance with the CPRs and to conduct regular (at least annual) privacy audits to ensure that privacy policies and practices are being implemented appropriately.[7] However, there appears to be no arrangement for this documentation to be reviewed by, for example, the Trust Framework Accreditation Authority or other governance body. I would welcome further information on this matter.

Data breach reporting

The CPRs include a requirement to report serious data breaches to affected individuals, my Office (or a relevant state regulator), the Trust Framework Accreditation Authority, and the Australian Signals Directorate.[8] The CPRs refer to the NDB scheme, which, as you would be aware, will commence as a new Part IIIC in the Privacy Act on 22 February 2018. The NDB scheme will require organisations and Australian Government agencies covered by the Privacy Act to notify my Office and particular individuals about ‘eligible data breaches’. A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information relates.[9] A failure to comply with certain requirements of Part IIIC is an interference with the privacy of an individual under the Privacy Act,[10] and would be subject to the existing regulatory and enforcement powers under the Privacy Act, including, in some cases, civil penalties.

While my Office broadly supports data breach notification requirements that align with the NDB scheme, I seek clarification about the intended operation of the requirement for an Applicant to report serious data breaches to my Office. In particular, it would appear that the CPRs may require notification to my Office by participants that are not covered by the NDB scheme, and could also involve the notification of data breaches that may not be ‘eligible data breaches’ notifiable under Part IIIC of the Privacy Act (this is discussed further in Appendix A).[11] Where a data breach is not notifiable under the NDB scheme, I will not have investigation or enforcement powers to deal with the breach notice. I would be pleased to discuss further with you my Office’s expected role in handling such breach notices, including potential resourcing impacts, where they are not covered by the NDB scheme.

Complaints handling processes

The CPRs require Applicants to provide a complaints service meeting specified requirements such as accessibility, fairness, and timeliness.[12] The service must be ‘integrated with other complaint handling bodies’, analyse complaint information, and publish de-identified information and analysis about complaints. The CPRs do not specify whether this complaints service must be internal to the Applicant, or whether an Applicant could satisfy the CPR requirements through another mechanism, such as by being a member of an external dispute resolution (EDR) service. The Applicant must also participate in a service that enables de-identified data on complaints to be shared across participants in the identity federation. The nature of this service is not set out in the CPRs.

In this regard, I note that de-identification can be a complex process, and when choosing which techniques or controls to apply as part of this process, it is important to consider carefully both the type of data and the environment the data will be released into. The OAIC, together with CSIRO’s Data61, has recently released a De-Identification Decision-Making Framework that provides agencies and organisations with detailed guidance on what is involved in de-identification, and how to manage the associated risks.[13] DTA could include reference to this Framework in the CPRs. I would appreciate further information about these requirements and their possible implementations. For example, DTA may wish to consider utilising the EDR framework that is in place under the Privacy Act.

Under s 35A(1) of the Privacy Act, as Australian Information Commissioner, I may recognise an external dispute resolution scheme. Under s 41 of the Privacy Act, the Commissioner may decide not to investigate an act or practice about which a complaint has been made if the act or practice is being dealt with, or would be more effectively or appropriately dealt with, by a recognised EDR scheme. Membership of an EDR scheme is also required of participants in the consumer credit reporting system. Section 35A(2) requires the Commissioner to take into account various matters, such as accessibility, fairness, and efficiency, when considering whether to recognise an EDR scheme. My Office has developed Guidelines for recognising external dispute resolution schemes, which provide further detail about the requirements for recognition of an EDR scheme under s 35A.[14] The Guidelines require, among other things, that an EDR scheme provide my Office with annual reports on privacy-related complaints, and quarterly reports on serious or repeated interferences with privacy or systemic privacy issues.

My Office would be pleased to discuss with DTA whether incorporating elements of the EDR framework under the Privacy Act would be of value in dealing with complaints relating to the Trust Framework and the identity federation.

Access to and correction of personal information

The CPRs include requirements for IdPs to provide access to records they hold about an individual and to provide a clear process to enable the individual to correct any errors or incorrect information.[15] These requirements are broadly aligned with APPs 12 and 13, respectively. However, unlike APP 12, the requirement for the IdP to provide access to all records it holds is not subject to any exceptions. For example, under APP 12.3, an organisation is not required to provide an individual with access to their personal information to the extent that giving access would have an unreasonable impact on the privacy of other individuals, or where giving access would be unlawful.

It is unclear what reasons DTA may have had for omitting such exceptions from the CPRs, and I would appreciate clarification on this point.

Additional comments

I have included, at Appendix A, comments on particular CPR content for DTA’s consideration.

To assist DTA in developing a Trust Framework that is underpinned by strong privacy practices and is consistent with community expectations, my Office would be pleased to continue to engage with DTA as this initiative is developed.

Additionally, my Office has developed, and is continuing to develop, a number of resources to assist agencies in meeting their obligations under the Australian Government Agencies Privacy Code (including training material, a privacy management plan template and guidance on privacy impact assessment requirements under the Code) which may be of assistance to participants in the identity federation.[16]

To discuss these matters further, please contact Sophie Higgins, Director, Regulation and Strategy Branch, on [contact details removed].

Yours sincerely

Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner

8 December 2017

Appendix A—OAIC comments on Core Privacy Requirements content

Page reference / Requirement / OAIC comment

Page 7

Requirement for State or Territory government IdPs not covered by State or Territory privacy laws to comply with the Australian Privacy Principles.

It is not clear how this requirement will be enforced—for example, whether there will be proactive monitoring by a governance body of the State or Territory government IdP’s compliance with the Privacy Act.

Additionally, this requirement may need to specify whether the State or Territory government IdP should comply with the APPs as an agency or an organisation, noting that some APPs apply differently in each case.

Page 8

Requirement to conduct regular (at least annual) privacy audits to ensure that privacy policies and practices are being implemented appropriately.

This requirement does not provide detail about what is required of an audit. Further detail could be added, including:

  • required scope, i.e. whether the audit should consider compliance with the CPRs or the APPs, and which particular requirements of the CPRs or the APPs
  • who should conduct the audit, i.e. an internal or external auditor
  • the relationship between these audits and the privacy assessment conducted as part of the accreditation process,[17] i.e. whether the regular privacy audits should apply the same methodologies as the privacy assessment
  • what requirements, if any, will exist for the participant to respond to and implement any recommendations of the audit.

Page 8

Requirement that a PIA be conducted by an ‘independent and qualified’ assessor.

The CPRs do not appear to define ‘independent’ or ‘qualified’. Further detail could be provided as to whether the PIA assessor may have, for example, an existing business relationship with the participant, or whether the PIA assessor must have particular formal qualifications.

Page 9

Data breach notification

The CPRs indicate that s 26WE of the Privacy Act, to commence 22 February 2018, provides a definition of whether a data breach is likely to result in serious harm to any of the individuals to whom the information relates.

However, s 26WE defines ‘eligible data breach’ for the purposes of the Privacy Act.

Other sections of the Privacy Act, upon commencement, will provide important related definitions. For example:

  • s 26WF provides exceptions to s 26WE where remedial action has been taken in relation to an access or disclosure with the result that a reasonable person would conclude that the access or disclosure would not be likely to result in serious harm to any of those individuals
  • s 26WG sets out what should be taken into account when determining whether a reasonable person would conclude that an access to, or a disclosure of, information would, or would not, be likely to result in serious harm to any of the individuals to whom the information relates.

The text of the CPRs may need to be amended to include reference to other relevant sections, to ensure alignment between the CPRs and the Privacy Act.

Additionally, footnote 9 of the CPRs includes a link to the Privacy Amendment (Notifiable Data Breaches) Bill 2016, and indicates that ‘reportable data breach’ is defined in the Bill. This link should be updated to refer to the Privacy Amendment (Notifiable Data Breaches) Act 2017, or Part IIIC of the Privacy Act upon commencement. The reference to ‘reportable data breach’ should also be amended (to ‘eligible data breach’), as this phrase is not used in the NDB scheme.

Page 10

Applicant must publish a clearly expressed and up to date privacy policy.

While this requires the Applicant to publish information about how an individual may complain about a breach of the APPs (or a particular jurisdictional privacy principle) or a registered code, we suggest the Applicant should also be required to publish information about how an individual may complain about a breach of the CPRs or other Trust Framework requirements. As outlined above, a breach of the APPs will not necessarily be a breach of the CPRs, or vice versa.

Pages 12–13

An IdP must ensure it has an enforceable contractual arrangement with an overseas recipient or contractor.

Under s 95B of the Privacy Act, an agency is required to ensure that any Commonwealth contract it enters into contains contractual measures to ensure that a contracted service provider does not do an act, or engage in a practice, that would breach an APP if done or engaged in by the agency. Contractual measures are also required to ensure that such an act or practice is not authorised by a subcontract. The OAIC generally considers this requirement, taken together with APP 11, to require the agency to take positive steps to assure itself that the contracted service provider is handling personal information in accordance with the APPs.

These requirements appear to go beyond the requirements on p 13 of the CPRs, and this may result in different levels of privacy protections between agencies and organisations in the identity federation.

Pages 12–13

An IdP must ensure it has an enforceable contractual arrangement with an overseas recipient or contractor.

Meeting these requirements of the CPRs may not be sufficient to comply with APP 8. APP 8 facilitates the disclosure of personal information to overseas recipients, but requires the disclosing APP entity to take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information (unless an exception applies). Additionally, the disclosing APP entity may be held accountable for an act or practice of the recipient that would be a breach of the APPs, under s 16C of the Privacy Act.

The APP 8 requirements appear to go beyond the requirements on p 13 of the CPRs, and this may result in an IdP that is an APP entity being in breach of APP 8 (and held accountable under s 16C) if it does not also comply with the requirements in APP 8.

Page 13

Contractual arrangement must specify that the IdP owns and controls the information.

The term ‘owns’ may be problematic. It may be more appropriate for contractual provisions to specify who controls the information, although we note that the OAIC would generally consider control of information to be a question of who actually controls the information in fact, rather than a contractual provision.

Page 13

An identity service provider is required to provide access to all the records that it holds about an individual, without exception.

This requirement appears to go beyond the requirements of APP 12 (access to personal information) in that it requires providing access to all records (whether or not they contain personal information) and that it requires access ‘without restriction’. APP 12 includes a range of exceptions. For example, an agency is not required to provide access where it is authorised or required to refuse access under the Freedom of Information Act 1982 (Cth) or other Commonwealth or Norfolk Island laws, and an organisation is not required to provide access to the extent that giving access would have an unreasonable impact on the privacy of others. While we appreciate that DTA is attempting to set a high standard under the CPRs, we suggest that it would be appropriate to include some of the exceptions to APP 12, including, for example, those referred to above, in the CPRs.

n/a

n/a

APP 11 of the Privacy Act requires APP entities to take reasonable steps to secure personal information. The Trust Framework includes (in Document 7—Core Protective Security Requirements) security requirements that draw on the Information Security Manual (ISM), the Protective Security Policy Framework (PSPF), and the Information Security Registered Assessors Program (IRAP). However, DTA could also consider including a requirement, aligned with APP 11, in the CPRs to ensure that participants in the identity federation take any reasonable steps that may go beyond the requirements of the ISM and the PSPF.

Additional information is available in the OAIC’s Guide to securing personal information.[18]

Footnotes

[1] Document 6—Core Privacy Requirements, p 4.

[2] For more information about State and Territory privacy laws, see <https://www.oaic.gov.au/privacy-law/other-privacy-jurisdictions>.

[3] Privacy Act 1988 (Cth), ss 6C(1), 6D.

[4] Further information about the Australian Government Agencies Privacy Code is available on the OAIC’s website at <https://oaic.gov.au/privacy-law/australian-government-agencies-privacy-code/>.

[5] In particular, South Australia and Western Australia do not have information privacy laws in place at present.

[6] Under the Privacy Act, many small businesses do not need to comply with the APPs. A small business is one that does not have an annual turnover greater than $3 million. For more information about the application of the Privacy Act to small businesses, see Privacy business resource 10: Does my small business need to comply with the Privacy Act?, available on the OAIC’s website at <https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-10>.

[7] Document 6—Core Privacy Requirements, p 7.

[8] Document 6—Core Privacy Requirements, p 9.

[9] Further information on the NDB scheme is available on the OAIC’s website at <https://www.oaic.gov.au/engage-with-us/consultations/notifiable-data-breaches/>.

[10] In particular, requirements under ss 26WH(2), 26WK(2), 26WL(3) or 26WR(10).

[11] The NDB scheme requires organisations covered by the Privacy Act to notify the OAIC and particular individuals about ‘eligible data breaches.’ A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information relates.

[12] Document 6—Core Privacy Requirements, p 14.

[13] The De-Identification Decision-Making Framework is available on the CSIRO’s website at <http://data61.csiro.au/en/Our-Work/Safety-and-Security/Privacy-Preservation/De-identification-Decision-Making-Framework>. Further guidance is available in the OAIC’s Information policy agency resource 1: De-identification of data and information, available at <https://www.oaic.gov.au/information-policy/information-policy-resources/information-policy-agency-resource-1-de-identification-of-data-and-information>.

[14] <https://oaic.gov.au/agencies-and-organisations/advisory-guidelines/guidelines-for-recognising-external-dispute-resolution-schemes>

[15] Document 6—Core Privacy Requirements, p 13.

[16] These resources are available on the OAIC’s website at <https://oaic.gov.au/privacy-law/australian-government-agencies-privacy-code/>.

[17] These requirements are set out in Document 2—Accreditation Process and Document 4—Privacy Assessment.

[18] <https://oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information>