DTA considering TDIF privacy legislation
The Digital Transformation Agency is “reviewing the benefits” of legislation that would enshrine the privacy protection requirements of the new Trusted Digital Identity Framework (TDIF).
The DTA revealed it is exploring ways to enshrine the privacy requirements of the new framework, either through legislation or binding contractual obligations, the agency revealed in its response to the second Privacy Impact Assessment of the TDIF project.
The agency agreed with all the recommendations of the independent assessment apart from one — a recommendation that the identity exchange should only retain transaction-related metadata for a short period — which the agency said needs to be explored further.
As part of its evaluation of legislative protections, the DTA is also looking into introducing legal restrictions on the use of biometric information supplied for the purpose of identification.
While the DTA said it agrees in principle with the need to set a maximum period for retention of this data, this information may need to be accessed by the Oversight Authority for evidence, so current use cases suggest that the data would need to be retained for longer than 18 months. Some data will also need to be retained indefinitely for individuals to use the system.
Among the review’s other recommendations are introducing a requirement for a mandatory review of the TDIF after three years, a requirement for the Identity Exchange and accredited identity providers to develop standalone privacy policies, and establishing a time period for the validity and renewal of identity credentials.
In a statement, the DTA said protection of privacy has been a key consideration at all points during the development of the program.
The framework has privacy and security requirements that are at least as strong as federally mandated standards such as the Australian Privacy Principles and Privacy Code, and the Australian Signals Directorate’s Essential Eight cybersecurity mitigation strategies.
Participants in the program are also required to undertake their own independent security testing and assessments.
Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.
F5 reaches Australian public sector milestone
Application security expert F5 has announced it now has over 20 federal and 50 state government...
Cobalt Iron earns patent on analytics-based dynamic authorisation control
Cobalt Iron says its patent introduces approaches that provide more dynamic control of...
Macquarie Government selected for Australian Defence procurement panel
Macquarie was added to the ICTPA panel following a long history of supporting Australian...