myID: notification of collection, use or disclosure of personal information
Last updated: 13 December 2024
Part 1: Executive summary
1.1 At the time of publishing this report, the Australian Tax Office (ATO) changed the name of the myGovID application to myID[1]. However, when conducting fieldwork, the application was called myGovID. This assessment report will refer to the application as myGovID.
1.2 This report outlines the observations and findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the ATO in its role as operator of the myGovID mobile application (myGovID app). The assessment examined compliance with requirements under Australian Privacy Principles (APPs) 1.3 and 1.4 (regarding a clearly expressed and up to date privacy policy), 5 (regarding notification of collection of personal information) and 6 (regarding the use or disclosure of personal information).
1.3 myGovID is an accredited provider in the Australian Government’s Digital ID System (also known as Digital ID). Digital ID aims to be a secure, convenient, voluntary and inclusive way for individuals to verify their ID online.
1.4 The objective of this assessment is to determine whether the ATO is taking reasonable steps under the APPs to clearly inform individuals on how their personal information will be handled when they choose to set up a myGovID digital identity. This includes handling biometric information.
1.5 The scope of this assessment focused on:
- the ATO’s handling of personal information including biometric information through the myGovID app
- a review of the myGovID app source code to confirm the accuracy and currency of the privacy policy including consideration of the overall functionality of the app
- the user experience and whether the ATO is meeting its obligations under the APPs to clearly inform individuals of how their personal information will be handled when they choose to set up a myGovID digital identity.
1.6 The OAIC engaged CyberCX to review the myGovID source code and functionality of the app.
1.7 The assessment found that the myGovID app:
- operates largely in line with what the ATO describes in its privacy policy
- collects and uses system interaction data for monitoring system use and performance
- has a privacy policy that does not accurately describe the potential for biometric information to be viewable by overseas recipients
- largely complies with APPs 5 and 6. However, a better practice would be to ensure that users have considered and read the privacy policy or collection notice via the use of a checkbox during the onboarding process.
1.8 The OAIC recommends that the ATO should amend the myGovID privacy policy to better reflect the circumstances in which personal information may be viewable overseas.
1.9 The OAIC suggests that the ATO could ensure users have been adequately notified of the collection of their personal information by incorporating a checkbox to agreement to the set up process of the myGovID app.
Part 2: The Digital ID system
Digital ID, ATO and myGovID
2.1 The Digital ID Program is delivered by several Australian Government agencies including Services Australia, the ATO, the Attorney General's Department and the Department of Finance.
2.2 Digital ID aims to provide a secure, safe, and convenient way for individuals to prove their identity online when they engage with many government services.[2]
2.3 At the time of fieldwork, Digital ID comprised:
- the myGovID system[3] (operated by the ATO),
- the Relationship Authorisation Manager (RAM)[4] service (also operated by the ATO),
- the Identity Exchange (operated by Services Australia), and
- various technological, administrative, policy, and legal measures[5] which ensure the effective operation of the system.
2.4 The ATO’s myGovID is accredited as a Digital ID identity provider. The ATO’s RAM service is accredited as a Digital ID attribute provider.
2.5 myGovID is delivered in the form of an app that individuals download onto their smart device to prove their identity when accessing a range of government online services.
2.6 As an identity provider, the ATO, through myGovID, creates, maintains, or manages information about an individual’s identity and offers identity-based services. myGovID helps to boost relying parties’ confidence in an individual’s digital identity by collecting, verifying, and validating attributes that confirm an individual’s identity to an appropriate level, known as an identity proofing level (IP).
2.7 There are three IP levels:
- IP 1 – basic, which involves self-asserted identity,
- IP 2 – standard, which requires two or more identity documents to verify an identity, and
- IP 3 – strong, which requires verification of two or more identity documents plus biometric matching against an Australian Passport image.
2.8 IP 3 is required for services where the risks of getting identity verification wrong will have high consequences to the individual or the service, for example access to welfare and related government services.
2.9 The ATO is accredited for all 3 IP levels.
Part 3: Observations, findings and recommendations
3.1 The OAIC reviewed documents provided by the ATO and conducted fieldwork interviews with relevant ATO staff to make observations and findings within the scope of this assessment.
3.2 The OAIC engaged an external consultant, CyberCX, to assist with the technical aspects of the assessment scope including reviewing the source code and testing the functionality of the myGovID app.
3.3 The observations and findings are outlined below.
The myGovID app privacy policy (APPs 1.3 and 1.4)
Observations
3.4 The myGovID app privacy policy is up to date and contains relevant information about the handling of personal information through the myGovID system. It also reflects the flow of information through the myGovID app.
3.5 It appears that all information collected during the myGovID sign-up process is retained as a Commonwealth record and is handled and stored in accordance with the Archives Act 1983 (Cth) (Archives Act). The exception is biometric data, which is destroyed after a maximum of 14 days.[6]
3.6 During interviews, the ATO confirmed that all document and user information collected by the myGovID app is stored in Australian hosted servers.
3.7 CyberCX’s review of the myGovID app code shows that it is possible for the app to collect technical data related to the user’s device, including platform (operating system (OS)), runtime type/version, form factor, device capabilities, device friendly name and device ID.
3.8 The privacy policy lists a series of third parties to whom personal information may be disclosed (for the purpose of ATO verification). Discussions with the ATO during fieldwork found that some of the listed third parties do not have information disclosed to them.
3.9 OS level biometrics (such as fingerprint) are utilised as an alternative to password authentication when enabled. The OS level biometric functions do not expose biometric information to the myGovID app for collection or storage. The OAIC did not observe any evidence of myGovID-specific biometric collection for initial registration or authentication that would give the myGovID app access to biometrics, outside of the facial verification used to upgrade IP level.
3.10 The ATO leverages a series of third-party providers such as AWS, Macquarie Telecom and iProov to support myGovID services. Fieldwork confirmed that personal information is provided to these service providers to enable the ATO to provide myGovID services.
3.11 Document review and interviews confirmed that the data collected through the myGovID app is only used for the purposes of
- verifying a user’s identity
- managing a user’s account
- investigating and verifying the operation of the myGovID system.
3.12 The ATO noted that investigating and verifying the operation of the myGovID system is included to cover two primary situations:
- potential fraud cases where accounts and personal information may need to be identified and accessed in support of fraud investigation
- support cases where an individual is having troubles with use of the app and specific account details may be needed to help troubleshoot the app.
3.13 From review of the app audit logging solution, review of the app code and interviews, CyberCX identified that the myGovID solution collects IP addresses, date and time of actions and authentication attempts (both failed and successful). These were all collected to service the authentication mechanism and for auditing purposes; no other use of this information was identified during the assessment.
3.14 ‘Address’ and ‘phone number’ are listed as examples of collected personal information in the myGovID privacy policy; however, the app did not contain the capability to collect this information. During fieldwork the ATO advised this was likely created for a specific use case that is to be implemented in future releases.
3.15 App source code review identified that the myGovID app has the capacity to collect the following information during the document verification process:
- the document type used,
- the information that was verified,
- the user's consent, and
- the result of the document verification outcome.
3.16 These data points are considered by the ATO as Commonwealth records and are retained in accordance with the Archives Act (and this is explained in the privacy policy).
3.17 The privacy policy states that the ATO ‘won’t disclose personal information to overseas recipients.’ However, it does not indicate that biometric information may be viewed by iProov staff located in the UK for verification purposes.
3.18 Usually, iProov’s API verifies biometric data on Australian based cloud storage solutions (AWS). But in circumstances where automated checks fail (produce an error), images may be remotely viewed by employees of iProov who reside in the UK to be verified.
3.19 While the personal information is not stored outside Australian based cloud solutions, iProov employees in the UK view the images of myGovID users.
Findings
3.20 The technical operation of the myGovID app largely aligns with what is described in the privacy policy.
3.21 Document review and evidence provided by the ATO did not uncover any use cases for the collected system interaction data[7] that was not in the service of monitoring the system use and performance.
3.22 The privacy policy does not accurately describe the potential for biometric information to be viewed by overseas third parties.
Review of myGovID app source code
Observations
3.23 Analysis of the app source code, provided documentation and interviews did not identify a use of collected data other than for:
- providing myGovID digital identity services to users, and
- monitoring and improving the security and performance of the myGovID system.
3.24 Once IP 2 or IP 3 is attained, the app only allows for user input to be directly collected when updating details such as email, document information or change of name.
3.25 Review of the myGovID code base and interviews with the ATO confirmed that all identity document verification is managed by Australian state, territory and Commonwealth Government agencies.
3.26 Source code review did not identify any information requested from third-party government agencies that was not related to the document verification process.
3.27 It appears that penetration testing activities of the myGovID system and associated components are conducted at least annually.
3.28 The app review indicates that the system leverages TLSv1.2 for all data in transit over network connections (TLSv1.2 is an industry standard protocol). Based on the myGovID implementation, CyberCX consider this to be adequate for the purpose of preserving the privacy of information between a client’s device and the myGovID (ATO) servers.
3.29 Review of the iOS and Android app source code and traffic analysis shows all personal information collected and processed by the app is sent to the myGovID.gov.au domain. It appears that all document and user information collected by the myGovID app is stored and remains in Australian hosted servers.
3.30 The ATO uses data aggregation as a form of de-identification when undertaking reporting and system monitoring activities. These reporting and system monitoring activities only use aggregated, whole number data points (for example the number of active accounts), and do not use de-identified personal information from individual users.
3.31 Review of the source code and use of the app found that upgrading a user’s identity to “Strong” (IP 3) requires biometric information (facial scans) to be provided through the app. This upgrade is the only time a user is required to provide biometric information directly to the myGovID app.
Findings
3.32 From reviewing the app’s data handling and processing components, CyberCX considered it adhered to many security best practices.
3.33 Whilst this assessment was not a security review, at no point during the assessment did CyberCX identify any major security vulnerabilities in the app.
3.34 CyberCX did not identify any area where the app audit capability was collecting more information than listed in the privacy policy.
Whether personal information is handled in accordance with APPs 5 and 6
Observations
3.35 CyberCX’s testing of the myGovID app revealed that during user registration it collects user consent for disclosing information to third parties for the prescribed purposes. It collects consent by presenting the users with the option to review the privacy notice during registration.
3.36 The myGovID privacy policy and privacy notice (myGovID’s collection notice) address the circumstances during which information may be disclosed and consider whether consent is required in those circumstances.
3.37 The information presented in the myGovID privacy policy and privacy notice addresses the criteria set out in APP 5.
3.38 While this may be considered a reasonable step to ensure that users are notified of the collection of their data, a better practice would be for the user to affirm they have considered this privacy notice.
3.39 Users must consent to have biometric information collected when increasing their identity proofing level to ‘Strong’ (IP 3). This option is presented in the app.
Findings
3.40 The myGovID app largely complies with APPs 5 and 6.
3.41 While largely compliant, better practice would be to ensure that users have considered and read the privacy policy or privacy notice via the use of a checkbox during the onboarding process.
Suggestion 1: The ATO could ensure users have been adequately notified of the collection of their personal information by incorporating a checkbox to agreement to the set up process of the myGovID app.
Part 4: ATO’s response to recommendations and suggestions
Recommendation 1: The ATO should amend the myGovID Privacy Policy to better reflect the circumstances in which personal information may be viewable overseas.
4.1 ATO response: Accept. ATO will update the myGovID privacy policy in the next 12 months.
Suggestion 1: The ATO could ensure users have been adequately notified of the collection of their personal information by incorporating a checkbox to agreement to the set up process of the myGovID app.
4.2 ATO response: The suggestion to affirm that a user has viewed the myGovID privacy notice at the setup process has been considered and a feature will be created to be implemented in a future release.
Part 5: Description of assessment
Objective and scope
5.1 The objective of this assessment was to determine whether the ATO is taking reasonable steps under the APPs to clearly inform individuals of how it will handle their personal information when they choose to set up a myGovID digital identity. This includes handling biometric data.
5.2 The scope of this assessment focused on:
- the ATO’s handling of personal information including biometric information in its capacity as operator of the myGovID app
- a review of the myGovID app source code by a consultant (CyberCX) confirming the accuracy and currency of the privacy policy. This included consideration of the overall functionality of the app
- the user experience when an individual sets up their digital identity, specifically whether the ATO is taking reasonable steps to clearly inform individuals on how their personal information will be handled when they choose to set up a myGovID, in accordance with:
  - APPs 1.3 and 1.4 – whether the ATO has a clearly expressed and up-to-date APP privacy policy for myGovID and whether it contains relevant information about the handling of personal information, including biometric information
  - APP 5 – when the ATO collects personal information about an individual through the myGovID app, whether it takes reasonable steps to notify individuals of the matters, as reasonable in the circumstances, referred to at APP 5.2, or ensure the individual is aware of those matters
  - APP 6 – when the ATO may use or disclose personal information, including consideration of how the myGovID app enables an individual to consent to primary and secondary use or disclosure, especially in relation to the matching of biometric information and the use of facial recognition technology.
In addition to the myGovID privacy policy, collection notices and consent processes, the assessment also had regard to:
- other information provided to individuals during the myGovID set-up process such as terms and conditions of use
- myGovID’s compliance with Digital ID accreditation requirements relevant to the assessment’s scope, including the findings of any relevant assessments conducted by the ATO as part of its annual accreditation assessment
- the findings and recommendations from the 2018 MyGovID Privacy Impact Assessment (PIA) relevant to the assessment’s scope.
5.3 The assessment’s scope did not include:
- an examination of the acts and practices of the ATO as a Digital ID attribute provider, specifically its Relationship Authorisation Manager (RAM) service. However, the assessment considered the personal information flows between myGovID and RAM and how this is communicated to individuals (e.g. as a use or a disclosure)
- identity verification services (documents or biometrics) operated by the Attorney-General’s Department and leveraged by Digital ID.
Privacy risks
5.4 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance (see Appendix A), the OAIC has made recommendations to the ATO about how to address those risks. These recommendations are set out in Part 5 of this report.
5.5 The OAIC assessments are conducted as a ‘point in time’ assessment; that is, our observations and opinions are only applicable to the time period in which the assessment was undertaken.
5.6 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’. Chapter 9 of the OAIC’s Guide to privacy regulatory action provides further detail on this approach.
Conduct of the assessment
5.7 The OAIC conducted a risk-based assessment of the ATO in its role as the operator of the myGovID in accordance with APPs.
5.8 The assessment involved the following:
- review of relevant documents provided by the ATO
- engaging CyberCX to assist the OAIC with reviewing the source code and functionality of the myGovID app
- fieldwork, which included virtual interviews of relevant ATO staff through videoconferencing platforms in July 2024.
Reporting
5.9 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.
Assumptions and caveats
5.10 This report is not an endorsement of the myGovID app by the OAIC, or any other ATO product or service.
Previous digital identity assessments
5.11 The OAIC received funding in 2022-23, 2023-24 and 2024-25 to conduct privacy assessments of Digital ID and to develop relevant guidance material. This funding was provided to assist in mitigating privacy risks within Digital ID and to provide assurance to the Australian public about the privacy protections built into the system.
5.12 The OAIC’s first digital identity assessment commenced in February 2022 and examined whether Services Australia, in its capacity as the operator of the Identity Exchange for the Digital ID, was handling personal information in accordance with APP 1.2. The report for this assessment was published on 16 February 2023.[8]
5.13 The OAIC’s second digital identity assessment commenced in July 2023 and assessed whether the ATO and its third-party vendor (iProov Limited) are taking reasonable steps under APP 11.2 to destroy or de-identify biometric information handled as part of the myGovID system. The assessment report for this assessment was published on 30 September 2024.[9]
5.14 This report is the OAIC’s third Digital ID assessment.
Part 6: Appendices
Appendix A – Privacy risk guidance
Privacy risk rating | Entity action required | Likely outcome if risk is not addressed |
---|---|---|
High risk | Entity must, as a high priority, take steps to address mandatory requirements of Privacy and related legislation | Immediate management attention is required. This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects |
Medium risk | Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy and related legislation | Timely management attention is expected. This is an internal control or risk management issue that may lead to the following effects |
Low risk | Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy and related legislation | Management attention is suggested. This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed |
[1] https://www.myid.gov.au/mygovid-now-myid
[3] See: www.mygovid.gov.au
[5] The Digital ID Act 2024 and the Digital ID (Transitional and Consequential Provisions) Act 2024 will commence by 1 December 2024. The Australian Competition and Consumer Commissioner (ACCC) will be Digital ID regulator with the OAIC regulating privacy aspects of the Digital ID system. The new law will enable the Commonwealth to partner with states, territories and the private sector to create a better Digital ID experience for all Australians. For more detail see: https://www.digitalidsystem.gov.au/what-is-digital-id/digital-id-act-2024.
[6] Paragraph 3.10 of the OAIC’s assessment of myGovID destruction of biometric information explains why the ATO does not retain biometric information under the Archives Act.
[7] Including services accessed, application activity and device information.
[8] The first digital identity assessment report can be viewed at: https://www.oaic.gov.au/privacy/privacy-assessments/handling-personal-information-services-australias-role-as-the-identity-exchange.
[9] The second digital identity assessment report can be viewed at: https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-assessments/digital-id-assessment-2-mygovid-destruction-of-biometric-information