DTA considering TDIF privacy legislation


By Dylan Bushell-Embling
Wednesday, 14 November, 2018

The Digital Transformation Agency is “reviewing the benefits” of legislation that would enshrine the privacy protection requirements of the new Trusted Digital Identity Framework (TDIF).

The DTA is exploring ways to enshrine the privacy requirements of the new framework, either through legislation or binding contractual obligations, the agency revealed in its response to the second Privacy Impact Assessment of the TDIF project.

The agency agreed with all the recommendations of the independent assessment apart from one — a recommendation that the identity exchange should only retain transaction-related metadata for a short period — which the agency said needs to be explored further.

As part of its evaluation of legislative protections, the DTA is also looking into introducing legal restrictions on the use of biometric information supplied for the purpose of identification.

While the DTA said it agrees in principle with the need to set a maximum period for retention of this data, this information may need to be accessed by the Oversight Authority for evidence, so current use cases suggest that the data would need to be retained for longer than 18 months. Some data will also need to be retained indefinitely for individuals to use the system.

Among the review’s other recommendations are introducing a requirement for a mandatory review of the TDIF after three years, a requirement for the Identity Exchange and accredited identity providers to develop standalone privacy policies, and establishing a time period for the validity and renewal of identity credentials.

In a statement, the DTA said protection of privacy has been a key consideration at all points during the development of the program.

The framework has privacy and security requirements that are at least as strong as federally mandated standards such as the Australian Privacy Principles and Privacy Code, and the Australian Signals Directorate’s Essential Eight cybersecurity mitigation strategies.

Participants in the program are also required to undertake their own independent security testing and assessments.
