Annan Boag
General Manager, Regulatory Intelligence and Strategy

When you start any new relationship with a business or government agency – whether you are taking out a loan, applying for a rental, signing a phone contract, starting a business, beginning studies or seeking government support – you need to verify who you are.

Too often, verifying your identity means sharing ID documents. I don’t think I’m alone in feeling a twinge of concern when hitting send on an email with a photo of my passport or driver’s licence, or when handing them over to be scanned when I enter a venue. Where’s the document going? What happens if it gets into the wrong hands?

Organisations collecting this information are often just as uncomfortable about holding ID documents as most people are about sharing them. Once collected, this information needs to be held securely, and it is often caught by retention rules that require organisations to keep it for longer than they would like.

When things go wrong, customer personal information such as ID documents is the costliest kind of record for a business to have compromised in a data breach.

Australia’s Digital ID System

Australia’s Digital ID System provides a secure, convenient and voluntary way to verify identity online – crucially, without needing to share ID documents with multiple organisations, and only sharing necessary information.

Currently the system is mainly used to help people access government services, but it is progressively expanding to support identity verification by organisations in the public and private sectors and across the economy.

The OAIC has been appointed as the privacy regulator of the system and will use our regulatory powers to enforce the strong privacy protections that apply to accredited Digital ID services within the system.

Our vision for better ID verification practices

To supplement our enforcement of the privacy safeguards within Australia’s Digital ID System, we will also examine unsafe identity practices outside the system, both to discourage those practices and to help members of the Australian public recognise and avoid them.

We want to see a future where no one needs to email their identity documents to an organisation or upload them to an online portal with questionable security or data handling practices. And we want users of Digital ID to have confidence in the strong privacy safeguards in Australia’s Digital ID System.

The OAIC’s Digital ID regulatory strategy sets out how we will use our regulatory powers to do this.

We are adopting a whole-of-system approach to regulation, with a focus on education, collaboration and deterrence, backed by compliance monitoring and enforcement. This means considering not only the privacy and security settings of accredited services in Australia’s Digital ID System, but also less favourable identity verification practices across the Australian economy.

Organisations that collect, handle and manage individuals’ identity information should be aware that this will be an area of focus for the OAIC.

Our regulatory activities

By gathering intelligence and monitoring trends, we can focus our enforcement efforts and be an active and effective regulator, increasing public awareness, shifting sector values and leading all organisations to engage in more secure means of identity verification, such as accredited Digital ID services.

Equally, by creating privacy guidance for organisations, we can support them to comply with their legal obligations, helping Australians to trust that their privacy is protected when using accredited Digital ID services or other ID verification solutions in the wider economy.

Given the potential for risk and harm, we have identified biometric information, law enforcement access, express consent, data retention and ID verification services and practices as areas where we will focus proactive regulatory efforts.

Using the range of regulatory activities outlined in the strategy, we will target actions that breach the law, aiming for results that reflect the continued promotion of privacy and the focus on increasing the security of personal information.

Something as fundamental and essential as verifying who you are should not require a privacy trade-off. Our Digital ID regulatory strategy signals that we will be using our full range of regulatory powers to make sure identity verification is safe and secure for all Australians.