Commonwealth Coat of Arms of Australia

Digital ID Act 2024

No. 25, 2024

An Act to provide for the accreditation of entities in relation to digital IDs and to establish the Australian Government Digital ID System, and for related purposes

[Assented to 30 May 2024]

The Parliament of Australia enacts:

Chapter 1—Introduction

Part 1—Preliminary

1 Short title

This Act is the Digital ID Act 2024.

2 Commencement

(1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information
Column 1	Column 2	Column 3
Provisions	Commencement	Date/Details
1. The whole of the Act	A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 6 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period.

Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

(2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3 Objects

(1) The objects of this Act are as follows:

(a) to provide individuals with secure, convenient, voluntary and inclusive ways to verify their identity in online transactions with government and businesses;

(aa) to facilitate the inclusion of individuals in digital society by supporting the provision of digital ID services that are accessible for individuals who experience barriers in using such services;

(b) to promote privacy and the security of personal information used to verify the identity or attributes of individuals;

(c) to facilitate economic benefits for, and reduce burdens on, the Australian economy by encouraging the use of digital IDs and online services;

(d) to promote trust in digital ID services amongst the Australian community.

(2) These objects are to be achieved by:

(a) establishing an accreditation scheme for entities providing digital ID services; and

(b) providing additional privacy safeguards for the provision of accredited digital ID services; and

(c) establishing an Australian Government Digital ID System that is secure, easy to use, voluntary, accessible, inclusive and reliable; and

(d) strengthening the oversight and regulation of:

(i) accredited digital ID service providers; and

(ii) entities participating in the Australian Government Digital ID System; and

(iii) the integrity and performance of the Australian Government Digital ID System.

4 Simplified outline of this Act

This Act establishes an accreditation scheme for entities providing digital ID services. The Digital ID Regulator (which is the Australian Competition and Consumer Commission) may, on application, accredit certain kinds of entities as accredited attribute service providers, accredited identity exchange providers, accredited identity service providers or entities that provide, or propose to provide, services of a kind prescribed by the Accreditation Rules.

When providing accredited services, accredited entities must comply with certain privacy safeguards. These safeguards are in addition to, and build on, the safeguards contained in the Privacy Act 1988. An accredited entity may be liable to a civil penalty if certain privacy safeguards are breached.

The Digital ID Regulator oversees and maintains the Australian Government Digital ID System. Certain kinds of accredited entities can apply to the Digital ID Regulator to participate in the system. Certain kinds of relying parties can also apply for approval to participate in the system. If a relying party holds an approval, it is known as a participating relying party.

There is a System Administrator whose functions include providing assistance to entities participating in the Australian Government Digital ID System and managing the availability of the Australian Government Digital ID System.

The Digital ID Standards Chair may make Digital ID Data Standards about various matters, including technical integration requirements for entities to participate in the Australian Government Digital ID System and, if required to do so by the Accreditation Rules or the Digital ID Rules, technical, data or design standards relating to accreditation.

The Digital ID Rules may set out marks, symbols, logos or designs (called digital ID trustmarks) that may or must be used by accredited entities and participating relying parties.

The Digital ID Regulator must establish and maintain the Digital ID Accredited Entities Register and the AGDIS Register.

The Digital ID Regulator and the Information Commissioner may take enforcement action against accredited entities and other entities. The Digital ID Regulator can give directions regarding accreditation and participation in the Australian Government Digital ID System or require entities to undergo compliance assessments or produce information or documents. The System Administrator can also give directions to entities regarding participation in the Australian Government Digital ID System and require entities to produce information or documents.

Accredited entities that hold or held an approval to participate in the Australian Government Digital ID System have certain record‑keeping responsibilities and are required to destroy or de‑identify certain information in the possession or control of the entity.

Entities can apply for merits review of certain decisions made under this Act.

This Act also deals with other administrative matters such as annual reports and delegations.

5 Act binds the Crown

This Act binds the Crown in each of its capacities.

6 Extension to external Territories

This Act extends to every external Territory.

7 Extraterritorial operation

(1) This Act extends to acts, omissions, matters and things outside Australia.

Note: Geographical jurisdiction for civil penalty provisions is dealt with in section 160.

(2) This Act has effect in relation to acts, omissions, matters and things outside Australia subject to:

(a) the obligations of Australia under international law, including obligations under any international agreement binding on Australia; and

(b) any law of the Commonwealth giving effect to such an agreement.

8 Concurrent operation of State and Territory laws

This Act is not intended to exclude or limit the operation of a law of a State or Territory that is capable of operating concurrently with this Act.

Part 2—Interpretation

9 Definitions

In this Act:

Accreditation Rules means rules made under section 168 for the purposes of the provisions in which the term occurs.

accredited attribute service provider means an attribute service provider that is accredited under section 15 as an accredited attribute service provider.

accredited entity: each of the following is an accredited entity:

(a) an accredited attribute service provider;

(b) an accredited identity exchange provider;

(d) if Accreditation Rules are made for the purposes of paragraph 14(1)(d)—an entity that is accredited to provide services of a kind prescribed by the Accreditation Rules for the purposes of that paragraph.

accredited identity exchange provider means an identity exchange provider that is accredited under section 15 as an accredited identity exchange provider.

accredited identity service provider means an identity service provider that is accredited under section 15 as an accredited identity service provider.

accredited service, of an accredited entity, means the services provided, or proposed to be provided, by the entity in the entity’s capacity as a particular kind of accredited entity.

Note: Conditions may be imposed on an entity’s accredited services, including specifying the manner in which such services must be provided or excluding specific services from the entity’s accreditation altogether (see section 17).

Example: Acme Co is an accredited identity service provider. Under its conditions of accreditation, its accredited service is generating, managing, maintaining and verifying information relating to the identity of an individual. Its conditions exclude from its accreditation the provision of the following services:

(a) generating, binding, managing and distributing authenticators to an individual;

(b) binding, managing and distributing authenticators generated by an individual.

adverse or qualified security assessment means an adverse security assessment, or a qualified security assessment, within the meaning of Part IV of the Australian Security Intelligence Organisation Act 1979.

affected entity: see section 137.

AFP Minister means the Minister administering the Australian Federal Police Act 1979.

AGDIS Register means the register kept under section 121.

APP entity has the same meaning as in the Privacy Act 1988.

APP‑equivalent agreement: see section 34.

attribute of an individual: see section 10.

attribute service provider means an entity that provides, or proposes to provide, a service that verifies and manages an attribute of an individual.

Australia when used in a geographical sense, includes the external Territories.

Australian entity means any of the following:

(a) an Australian citizen or a permanent resident of Australia;

(b) a body corporate incorporated by or under a law of the Commonwealth or a State or Territory;

(c) a Commonwealth entity, or a Commonwealth company, within the meaning of the Public Governance, Performance and Accountability Act 2013;

(d) a person or body that is an agency within the meaning of the Freedom of Information Act 1982;

(e) a body specified, or the person holding an office specified, in Part I of Schedule 2 to the Freedom of Information Act 1982;

(f) a department or authority of a State;

(g) a department or authority of a Territory;

(h) a partnership formed in Australia;

(i) a trust created in Australia;

(j) an unincorporated association that:

(i) has a governing body; and

(ii) has its central management or control in Australia.

Australian Government Digital ID System: see subsection 58(2).

authenticator means the technology for authenticating an individual’s digital ID.

Note: Passwords and cryptographic keys are examples of authenticators.

biometric information of an individual:

(a) means information about any measurable biological characteristic relating to an individual that could be used to identify the individual or verify the individual’s identity; and

(b) includes biometric templates.

civil penalty provision has the same meaning as in the Regulatory Powers Act.

compliance assessment: see section 131.

cyber security incident means one or more acts, events or circumstances that involve:

(a) unauthorised access to, modification of or interference with a system, service or network; or

(b) an unauthorised attempt to gain access to, modify or interfere with a system, service or network; or

(d) an unauthorised attempt to impair the availability, reliability, security or operation of a system, service or network.

decision‑maker for a reviewable decision means:

(a) for a decision under section 27 or 73—the Minister; or

(b) for a decision under section 130—the System Administrator; or

digital ID of an individual means a distinct electronic representation of the individual that enables the individual to be sufficiently distinguished when interacting online with services.

Digital ID Accredited Entities Register means the register kept under section 120.

Digital ID Data Standards means the standards made under section 99.

Digital ID Data Standards Chair means:

(a) if a person holds an appointment under section 105—that person; or

(b) otherwise—the Minister.

digital ID fraud incident means an act, event or circumstance that:

(a) occurs in connection with:

(i) an accredited service of an accredited entity; or

(ii) a service that a participating relying party is approved to provide, or provide access to, within the Australian Government Digital ID System; and

(b) results in any of the following being, or suspected of being, compromised or rendered unreliable:

(i) a digital ID of an individual;

(ii) an attribute of an individual;

(iii) an authenticator relating to an individual;

(iv) a representation relating to an attribute of an individual;

(v) a representation relating to a digital ID of an individual.

Digital ID Regulator: see section 90.

Digital ID Rules means the rules made under section 168 for the purposes of the provisions in which the term occurs.

digital ID system means a federation of entities that facilitates, manages or relies on services that provide for either or both of the following in an online environment:

(a) the verification of the identity of individuals;

(b) the authentication of a digital ID of, or information associated with, individuals.

Note: Entities in the federation may include one or more relying parties, identity exchanges, identity service providers, attribute service providers and other kinds of service providers.

digital ID trustmark: see subsection 117(2).

enforcement body has the same meaning as in the Privacy Act 1988.

enforcement related activity has the same meaning as in the Privacy Act 1988.

entity means any of the following:

(a) an individual;

(b) a body corporate;

(c) a Commonwealth entity, or a Commonwealth company, within the meaning of the Public Governance, Performance and Accountability Act 2013;

(d) a person or body that is an agency within the meaning of the Freedom of Information Act 1982;

(e) a body specified, or the person holding an office specified, in Part I of Schedule 2 to the Freedom of Information Act 1982;

(f) a department or authority of a State;

(g) a department or authority of a Territory;

(h) a partnership;

(i) an unincorporated association that has a governing body;

(j) a trust.

entrusted person: see subsection 151(2).

identity exchange provider means an entity that provides, or proposes to provide, a service that conveys, manages and coordinates the flow of data or other information between participants in a digital ID system.

identity service provider means an entity that provides, or proposes to provide, a service that:

(a) generates, manages, maintains or verifies information relating to the identity of an individual; and

(b) generates, binds, manages or distributes authenticators to an individual; and

law enforcement agency has the same meaning as in the Australian Crime Commission Act 2002.

one‑to‑many matching: see subsection 48(4).

paid work means work for financial gain or reward (whether as an employee, a self‑employed person or otherwise).

participate: an entity participates in the Australian Government Digital ID System at a particular time if, at that time:

(a) the entity holds an approval under section 62 to participate in the system; and

(b) either:

(i) the entity is directly connected to an accredited entity that is participating in the Australian Government Digital ID System; or

(ii) the entity is an accredited entity that is directly connected to a participating relying party.

participating relying party: a relying party is a participating relying party if:

(a) the relying party holds an approval under section 62 to participate in the Australian Government Digital ID System; and

(b) the participation start day for the relying party has arrived or passed.

participation start day for an entity means the day notified to the entity by the Digital ID Regulator for the purposes of paragraph 62(6)(d) as the day on which the entity must begin to participate in the Australian Government Digital ID System.

personal information:

(a) means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(i) whether the information or opinion is true or not; and

(ii) whether the information or opinion is recorded in a material form or not; and

(b) to the extent not already covered by paragraph (a), includes an attribute of an individual.

privacy impact assessment has the meaning given by subsection 33D(3) of the Privacy Act 1988.

protected information: see subsection 151(4).

Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.

relying party means an entity that relies, or seeks to rely, on an attribute of an individual that is provided by an accredited entity to:

(a) provide a service to the individual; or

(b) enable the individual to access a service.

restricted attribute of an individual: see section 11.

reviewable decision: see section 137.

Secretary means the Secretary of the Department.

security, other than in the following provisions, has its ordinary meaning:

(a) subsection 27(1);

(b) subsection 73(1);

shielded person means a person to whom one or more of the following paragraphs apply:

(a) the person has acquired or used an assumed identity under Part IAC of the Crimes Act 1914 or a corresponding assumed identity law within the meaning of that Part;

(b) an authority for the person to acquire or use an assumed identity has been granted under that Part or such a law;

(d) a corresponding witness identity protection certificate has been given for the person under a corresponding witness identity protection law within the meaning of Part IACA of the Crimes Act 1914;

(e) the person is a participant as defined in the Witness Protection Act 1994;

(f) the person is or was on a witness protection program conducted by a State or Territory in which a complementary witness protection law (as defined in the Witness Protection Act 1994) is in force;

(g) the person is involved in administering such a program under such a law and the person has acquired an identity under that law.

State or Territory privacy authority means a State or Territory authority (within the meaning of the Privacy Act 1988) that has functions to protect the privacy of individuals (whether or not the authority has other functions).

System Administrator: see section 94.

this Act includes:

(a) the Accreditation Rules; and

(b) the Digital ID Data Standards; and

(d) the service levels determined under section 80; and

(e) the Regulatory Powers Act as it applies in relation to this Act.

verifiable credential means a tamper‑evident credential with authorship that can be cryptographically verified.

10 Meaning of attribute of an individual

(1) An attribute of an individual means information that is associated with the individual, and includes information that is derived from another attribute.

(2) Without limiting subsection (1), an attribute of an individual includes the following:

(a) the individual’s current or former name;

(b) the individual’s current or former address;

(d) information about whether the individual is alive or dead;

(e) the individual’s phone number;

(f) the individual’s email address;

(g) if the individual has a digital ID—the time and date the digital ID was created;

(h) biometric information of the individual;

(i) a restricted attribute of the individual;

(j) information or an opinion about the individual’s:

(i) racial or ethnic origin; or

(ii) political opinions; or

(iii) membership of a political association; or

(iv) religious beliefs or affiliations; or

(v) philosophical beliefs; or

(vi) sexual orientation or practices.

11 Meaning of restricted attribute of an individual

(1) A restricted attribute of an individual means:

(a) health information (within the meaning of the Privacy Act 1988) about the individual; or

(b) an identifier of the individual that has been issued or assigned by or on behalf of:

(i) the Commonwealth, a State or a Territory; or

(ii) an authority or agency of the Commonwealth, a State or a Territory; or

(iii) a government of a foreign country; or

(d) information or an opinion about the individual’s membership of a professional or trade association; or

(e) information or an opinion about the individual’s membership of a trade union; or

(f) other information or opinion that is associated with an individual and is prescribed by the Accreditation Rules.

(2) Without limiting paragraph (1)(b), an identifier of an individual includes the following:

(a) the individual’s tax file number (within the meaning of section 202A of the Income Tax Assessment Act 1936);

(b) the individual’s medicare number (within the meaning of Part VII of the National Health Act 1953);

(d) if the person holds a driver’s licence issued under the law of a State or Territory—the number of that driver’s licence.

12 Fit and proper person considerations

In having regard to whether an entity is a fit and proper person for the purposes of this Act, the Digital ID Regulator:

(a) must have regard to the matters (if any) specified in the Digital ID Rules; and

(b) may have regard to any other matters the Digital ID Regulator considers relevant.

Chapter 2—Accreditation

Part 1—Introduction

13 Simplified outline of this Chapter

The Digital ID Regulator may, on application, accredit certain kinds of entities as accredited attribute service providers, accredited identity exchange providers, accredited identity service providers or entities that provide, or propose to provide, services of a kind prescribed by the Accreditation Rules.

An entity’s accreditation is subject to conditions. Some conditions are imposed by the Act and others may be imposed by the Digital ID Regulator or the Accreditation Rules. Conditions may include restrictions relating to the services an entity is accredited to provide, the manner in which those services must be provided and the kinds of restricted attributes of individuals an entity is authorised to collect or disclose.

The conditions imposed by the Digital ID Regulator on an entity’s accreditation, and the entity’s accreditation itself, can be varied or revoked. Accreditation can also be suspended.

The Minister may give directions to the Digital ID Regulator regarding the accreditation of an entity if, for reasons of security, the Minister considers it appropriate to do so. The Digital ID Regulator must comply with such directions.

An accredited entity must deactivate a digital ID of an individual if requested to do so, and must comply with requirements relating to the accessibility and useability of accredited services.

Part 2—Accreditation

Division 1—Applying for accreditation

14 Application for accreditation

(1) An entity covered by subsection (2) may apply to the Digital ID Regulator for accreditation as one or more of the following kinds of accredited entities:

(a) an accredited attribute service provider;

(b) an accredited identity exchange provider;

(d) an entity that provides, or proposes to provide, a service of a kind prescribed by the Accreditation Rules.

(2) An entity is covered by this section if the entity is one of the following:

(a) a body corporate incorporated by or under a law of the Commonwealth or a State or Territory;

(b) a registered foreign company within the meaning of the Corporations Act 2001;

(c) a Commonwealth entity, or a Commonwealth company, within the meaning of the Public Governance, Performance and Accountability Act 2013;

(d) a person or body that is an agency within the meaning of the Freedom of Information Act 1982;

(e) a body specified, or the person holding an office specified, in Part I of Schedule 2 to the Freedom of Information Act 1982;

(f) a department or authority of a State;

(g) a department or authority of a Territory.

Division 2—Accreditation

15 Digital ID Regulator must decide whether to accredit an entity

(1) This section applies if an entity has made an application under section 14 for accreditation as an accredited entity.

(2) The Digital ID Regulator must decide:

(a) to accredit the entity; or

(b) to refuse to accredit the entity.

(3) The Digital ID Regulator must not accredit an entity:

(a) as an accredited attribute service provider unless the entity provides, or will provide, some or all of the services described in the definition of attribute service provider; or

(b) as an accredited identity exchange provider unless the entity provides, or will provide, some or all of the services described in the definition of identity exchange provider; or

(c) as an accredited identity service provider unless the entity provides, or will provide, some or all of the services described in the definition of identity service provider; or

(d) if Accreditation Rules made for the purposes of paragraph 14(1)(d) prescribe services—as an entity that provides services of the kind prescribed unless the entity provides, or will provide, some or all of the services of that kind.

(4) The Digital ID Regulator must not accredit an entity if:

(a) a direction under subsection 27(1) (about security) directing the Digital ID Regulator to refuse to accredit the entity is in force; or

(b) the Digital ID Regulator is not satisfied that the entity is able to comply with this Act; or

(c) Accreditation Rules made for the purposes of section 28 require specified criteria to be met and the entity does not meet the criteria; or

(d) Accreditation Rules made for the purposes of section 28 require the Digital ID Regulator to be satisfied of specified matters and the Digital ID Regulator is not satisfied of those matters.

(5) In deciding whether to accredit the entity, the Digital ID Regulator:

(a) must have regard to the matters (if any) prescribed by the Accreditation Rules; and

(b) may have regard to the following:

(i) whether the entity is a fit and proper person;

(ii) any other matters the Digital ID Regulator considers relevant.

Note: In having regard to whether an entity is a fit and proper person for the purposes of subparagraph (b)(i), the Digital ID Regulator must have regard to any matters specified in the Digital ID Rules and may have regard to any other matters considered relevant (see section 12).

(6) The Digital ID Regulator must:

(a) give written notice of a decision to accredit, or to refuse to accredit, the entity; and

(b) if the decision is to refuse to accredit the entity—give reasons for the decision to the entity.

(7) If the Digital ID Regulator decides to accredit the entity, the notice must also set out the following:

(a) the kind or kinds of accredited entity that the entity is accredited as;

(b) the day the accreditation comes into force;

16 Accreditation is subject to conditions

(1) The accreditation of an entity as an accredited entity is subject to the following conditions (the accreditation conditions):

(a) the conditions set out in subsection 17(1);

(b) the conditions (if any) imposed by the Digital ID Regulator under subsection 17(2), including as varied under subsection 20(1);

(2) An accredited entity must comply with the accreditation conditions that apply to the entity.

Note: Failure to comply with an accreditation condition may result in a suspension or revocation of the entity’s accreditation (see sections 25 and 26).

17 Conditions on accreditation

Conditions imposed by the Act

(1) The accreditation of an entity as an accredited entity is subject to the condition that the accredited entity must comply with this Act.

Conditions imposed by the Digital ID Regulator

(2) The Digital ID Regulator:

(a) may impose conditions on the accreditation of an entity, either at the time of accreditation or at a later time, if the Digital ID Regulator considers that doing so is appropriate in the circumstances; and

(b) must impose conditions on the accreditation of an entity, either at the time of accreditation or at a later time, if directed to do so under subsection 27(1).

(3) Conditions may be imposed under paragraph (2)(a) on application by the entity or on the Digital ID Regulator’s own initiative.

(4) Without limiting paragraph (2)(a), the Digital ID Regulator may impose conditions relating to the following:

(a) any limitations, exclusions or restrictions in relation to the accredited services of the entity;

(b) the circumstances or manner in which the accredited services of the entity must be provided;

(c) the kinds of restricted attributes of individuals (if any) that the entity is authorised to collect or disclose and the circumstances in which such attributes may be collected or disclosed;

(d) the kinds of restricted attributes of individuals (if any) that the entity must not collect;

(e) the kinds of biometric information (if any) of an individual the entity is authorised to collect, use or disclose and the circumstances in which such information may be collected, used or disclosed;

(f) the entity’s information technology systems through which the entity’s accredited services are provided, including restrictions on changes to such systems;

(g) actions that the entity must take before the entity’s accreditation is suspended or revoked.

Conditions imposed by the Accreditation Rules

(5) The Accreditation Rules may determine that the accreditation of each accredited entity, or each accredited entity included in a specified class, is subject to specified conditions.

(6) Without limiting subsection (5), the Accreditation Rules may impose conditions relating to the matters in subsection (4).

18 Conditions relating to restricted attributes of individuals

Matters to which the Digital ID Regulator must have regard before authorising disclosure etc. of restricted attributes

(1) Subsection (2) applies if the Digital ID Regulator proposes to impose a condition on an entity’s accreditation authorising the entity to collect or disclose a restricted attribute of an individual.

(2) In deciding whether to impose the condition, the Digital ID Regulator must have regard to the following matters:

(a) whether the entity has provided sufficient justification for the need to collect or disclose the restricted attribute;

(b) whether the entity has demonstrated that a similar outcome cannot be achieved without collecting or disclosing the restricted attribute;

(c) if the collection or disclosure of the restricted attribute is regulated by other legislative or regulatory requirements—whether the entity would be able to comply with those requirements if the condition were imposed;

(d) the potential harm that could result if restricted attributes of that kind were disclosed to an entity that was not authorised to collect them;

(e) community expectations as to whether restricted attributes of that kind should be handled more securely than other kinds of attributes;

(f) any of the following information provided by the entity seeking authorisation to collect or disclose the restricted attribute:

(i) the entity’s risk assessment plan as it relates to the restricted attribute;

(ii) the entity’s privacy impact assessment as it relates to the restricted attribute;

(iii) the effectiveness of the entity’s protective security (including security governance, information security, personnel security and physical security), privacy arrangements and fraud control arrangements;

(iv) if the entity is not a participating relying party—the arrangements in place between the entity and relying parties for the protection of the restricted attribute from further disclosure;

(g) any other matter the Digital ID Regulator considers relevant.

Requirement to give statement of reasons if authorisation given

(3) If the Digital ID Regulator imposes the condition authorising the entity to collect or disclose a restricted attribute of an individual, the Digital ID Regulator must publish on the Digital ID Regulator’s website a statement of reasons for giving the authorisation.

19 Requirements before Accreditation Rules impose conditions relating to restricted attributes or biometric information of individuals

(1) Subsection (2) applies if the Minister proposes to make Accreditation Rules for the purposes of subsection 17(5) providing that accredited entities, or specified kinds of accredited entities, are authorised to:

(a) collect or disclose restricted attributes of individuals; or

(b) collect, use or disclose biometric information of individuals.

Note: The Minister must also consult the Information Commissioner before making such rules (see paragraph 169(1)(b)).

(2) In deciding whether to make the rules, the Minister must have regard to the following matters:

(a) the potential harm that could result if the information were disclosed to an entity;

(b) community expectations about the collection, use or disclosure of the information;

(c) if the collection or disclosure of the restricted attribute is regulated by other legislative or regulatory requirements—whether the entities would be able to comply with those requirements if the rules were made;

(d) any privacy impact assessment that has been conducted in relation to the proposal to make the rules;

(e) any other matter the Minister considers relevant.

20 Variation and revocation of conditions on accreditation

(1) The Digital ID Regulator may vary or revoke a condition imposed on an entity’s accreditation under paragraph 17(2)(a):

(a) at any time, on the Digital ID Regulator’s own initiative; or

(b) on application by the entity under section 21;

if the Digital ID Regulator considers it is appropriate to do so.

(2) Without limiting subsection (1), the Digital ID Regulator may have regard to matters relating to the security, reliability and stability of the Australian Government Digital ID System when considering whether it is appropriate to vary or revoke a condition.

(3) The Digital ID Regulator must revoke a condition imposed under paragraph 17(2)(b) if the direction to impose the condition is revoked.

21 Applying for variation or revocation of conditions on accreditation

(1) An accredited entity may apply for a condition imposed on the entity’s accreditation under paragraph 17(2)(a) to be varied or revoked.

Note: See Part 5 of Chapter 9 for matters relating to applications.

(2) If, after receiving an application under subsection (1), the Digital ID Regulator refuses to vary or revoke a condition, the Digital ID Regulator must give to the entity written notice of the refusal, including reasons for the refusal.

22 Notice before changes to conditions on accreditation

(1) The Digital ID Regulator must not, on the Digital ID Regulator’s own initiative:

(a) impose a condition under paragraph 17(2)(a) on an entity’s accreditation after the entity has been accredited; or

(b) vary or revoke a condition under subsection 20(1);

unless the Digital ID Regulator has given the entity a written notice in accordance with subsection (2) of this section.

(2) The notice must:

(a) state the proposed condition, variation or revocation; and

(b) request the entity to give the Digital ID Regulator, within the period specified in the notice, a written statement relating to the proposed condition, variation or revocation.

(3) The Digital ID Regulator must consider any written statement given within the period specified in the notice before making a decision to:

(a) impose a condition under paragraph 17(2)(a) on an entity’s accreditation; or

(b) vary or revoke a condition under subsection 20(1) on an entity’s accreditation.

(4) This section does not apply if the Digital ID Regulator reasonably believes that the need to impose, vary or revoke the condition is serious and urgent.

(5) If this section does not apply to an entity because of subsection (4), the Digital ID Regulator must give a written statement of reasons to the entity as to why the Digital ID Regulator reasonably believes that the need to impose, vary or revoke the condition is serious and urgent.

(6) The statement of reasons under subsection (5) must be given within 7 days after the condition is imposed, varied or revoked.

23 Notice of decision of changes to conditions on accreditation

(1) Subject to subsection (2), the Digital ID Regulator must give an entity written notice of a decision to impose, vary or revoke a condition on an entity’s accreditation.

(2) The Digital ID Regulator is not required to give an entity notice of the decision if notice of the condition was given in a notice under subsection 15(7).

(3) The notice must:

(a) state the condition or the variation, or state that the condition is revoked; and

(b) state the day on which the condition, variation or revocation takes effect.

Division 3—Varying, suspending and revoking accreditation

24 Varying accreditation

The Digital ID Regulator may vary the accreditation of an accredited entity to take account of a change in the accredited entity’s name.

Note: The Digital ID Regulator can also vary conditions on accreditation (see section 20).

25 Suspension of accreditation

Digital ID Regulator must suspend accreditation if Minister’s direction about suspension is in force

(1) The Digital ID Regulator must, in writing, suspend the accreditation of an accredited entity if a direction under subsection 27(1) directing the Digital ID Regulator to do so is in force in relation to the entity.

Digital ID Regulator may decide to suspend accreditation in other circumstances

(2) The Digital ID Regulator may, in writing, suspend the accreditation of an accredited entity if:

(a) the Digital ID Regulator reasonably believes that the accredited entity has contravened or is contravening this Act; or

(b) the Digital ID Regulator reasonably believes that there has been a cyber security incident involving the entity; or

(d) if the entity is a body corporate—the entity becomes a Chapter 5 body corporate (within the meaning of the Corporations Act 2001); or

(e) the Digital ID Regulator is satisfied that it is not appropriate for the entity to be an accredited entity; or

(f) circumstances specified in the Accreditation Rules apply in relation to the entity.

Note: The Digital ID Regulator may impose conditions on an entity’s accreditation before suspending it (see paragraph 17(4)(g)) and can give directions to give effect to a decision to suspend an entity’s accreditation (see paragraph 127(1)(b)).

(3) The reference to cyber security incident in paragraph (2)(b) does not include acts, events or circumstances covered by paragraph (b) or (d) of the definition of that term unless the Digital ID Regulator is satisfied that the attempts referred to in those paragraphs involve an unacceptable risk to the provision of the entity’s accredited services.

(4) In determining whether the Digital ID Regulator is satisfied of the matter in paragraph (2)(e), regard may be had to whether the entity is a fit and proper person.

Note: In having regard to whether an entity is a fit and proper person, the Digital ID Regulator must have regard to any matters specified in the Digital ID Rules and may have regard to any other matters considered relevant (see section 12).

(5) Subsection (4) does not limit paragraph (2)(e).

Digital ID Regulator may suspend accreditation on application

(6) The Digital ID Regulator may, on application by an accredited entity, suspend the accreditation of the entity.

Note: See Part 5 of Chapter 9 for matters relating to applications.

Show cause notice must generally be given before decision to suspend

(7) Before suspending the accreditation of an entity under subsection (2), the Digital ID Regulator must give a written notice (a show cause notice) to the entity.

(8) The show cause notice must:

(a) state the grounds on which the Digital ID Regulator proposes to suspend the entity’s accreditation; and

(b) invite the entity to give the Digital ID Regulator, within 28 days after the day the notice is given, a written statement showing cause why the Digital ID Regulator should not suspend the accreditation.

Exception—cyber security incident

(9) Subsection (7) does not apply if the suspension is on a ground mentioned in paragraph (2)(b) or (c).

Notice of suspension

(10) If the Digital ID Regulator suspends an entity’s accreditation under subsection (1), (2) or (6), the Digital ID Regulator must give the entity a written notice stating the following:

(a) that the entity’s accreditation is suspended;

(b) if the entity is accredited as more than one kind of accredited entity—the accreditation that is suspended;

(d) the day the suspension is to start;

(e) if the accreditation is suspended for a period—the period of the suspension;

(f) if the accreditation is suspended until a specified event occurs or action is taken—the event or action.

Effect of suspension

(11) If an entity’s accreditation is suspended under this section:

(a) the entity is taken not to be accredited while the suspension is in force; and

(b) if the entity holds an approval to participate in the Australian Government Digital ID System as an accredited entity—the entity is taken not to hold that approval while the entity’s accreditation is suspended.

Revocation of suspension

(12) If the Digital ID Regulator suspends an entity’s accreditation under subsection (2), the Regulator may revoke the suspension by written notice to the entity.

(13) If the Digital ID Regulator suspends an entity’s accreditation under subsection (6), the Regulator must revoke the suspension by written notice to the entity if the entity requests the suspension be revoked.

(14) A notice given under subsection (12) or (13) must specify the day the revocation takes effect.

26 Revocation of accreditation

Digital ID Regulator must revoke accreditation if Minister gives a direction to do so

(1) The Digital ID Regulator must, in writing, revoke the accreditation of an accredited entity if the Minister gives a direction under subsection 27(1) to do so.

Revocation on Digital ID Regulator’s own initiative

(2) The Digital ID Regulator may, in writing, revoke an entity’s accreditation if:

(a) the Digital ID Regulator reasonably believes that the accredited entity has contravened or is contravening this Act; or

(b) the Digital ID Regulator reasonably believes that:

(i) there has been a cyber security incident involving the entity; and

(ii) the cyber security incident is serious; or

(c) if the entity is a body corporate—the entity becomes a Chapter 5 body corporate (within the meaning of the Corporations Act 2001); or

(d) the Digital ID Regulator is satisfied that it is not appropriate for the entity to be an accredited entity; or

(e) circumstances specified in the Accreditation Rules apply in relation to the entity.

Note: The Digital ID Regulator may impose conditions on an entity’s accreditation before revoking it (see paragraph 17(4)(g)) and can give directions to give effect to a decision to revoke an entity’s accreditation (see paragraph 127(1)(b)).

(3) In determining whether the Digital ID Regulator is satisfied of the matter in paragraph (2)(d), regard may be had to whether the entity is a fit and proper person.

(4) Subsection (3) does not limit paragraph (2)(d).

Revocation on application

(5) The Digital ID Regulator must, on application by an entity, revoke the entity’s accreditation.

Note: See Part 5 of Chapter 9 for matters relating to applications.

Date of effect

(6) The revocation takes effect on the day determined by the Digital ID Regulator.

Approval must also be revoked

(7) If:

(a) an entity’s accreditation is revoked under subsection (1), (2) or (5); and

(b) the entity holds an approval to participate in the Australian Government Digital ID System;

the Digital ID Regulator must at the same time revoke the entity’s approval to participate as an accredited entity.

Show cause notice must generally be given before decision to revoke

(8) Before revoking the accreditation of an entity under subsection (2), the Digital ID Regulator must give a written notice (a show cause notice) to the entity.

(9) The show cause notice must:

(a) state the grounds on which the Digital ID Regulator proposes to revoke the entity’s accreditation; and

(b) invite the entity to give the Digital ID Regulator, within 28 days after the day the notice is given, a written statement showing cause why the Digital ID Regulator should not revoke the accreditation.

Exception—cyber security incident

(10) Subsection (8) does not apply if the revocation is on a ground mentioned in paragraph (2)(b).

Notice of revocation

(11) If the Digital ID Regulator is to revoke an entity’s accreditation under subsection (1), (2) or (5), the Digital ID Regulator must give the entity a written notice stating the following:

(a) that the entity’s accreditation is to be revoked;

(b) if the entity is accredited as more than one kind of accredited entity—the accreditation that is to be revoked;

(d) the day the revocation is to take effect.

Accreditation can be revoked even while suspended

(12) Despite paragraph 25(11)(a), the Digital ID Regulator may revoke an entity’s accreditation under this section even if a suspension is in force under section 25 in relation to the entity.

Division 4—Minister’s directions regarding accreditation

27 Minister’s directions regarding accreditation

(1) The Minister may, in writing, direct the Digital ID Regulator to do any of the following if, for reasons of security (within the meaning of the Australian Security Intelligence Organisation Act 1979), including on the basis of an adverse or qualified security assessment in respect of a person, the Minister considers it appropriate to do so:

(a) refuse to accredit an entity;

(b) impose conditions on the accreditation of an entity;

(d) revoke the accreditation of an accredited entity.

(2) If the Minister gives a direction under subsection (1), the Digital ID Regulator must comply with the direction.

(3) The direction remains in force unless it is revoked by the Minister. The Minister must notify the Digital ID Regulator and the entity if the Minister revokes the direction.

(4) Despite subsection (3), a direction given under subsection (1) to revoke the accreditation of an accredited entity cannot be revoked.

(5) A direction given under this section is not a legislative instrument.

Division 5—Accreditation Rules

28 Accreditation Rules

(1) The Accreditation Rules must provide for and in relation to matters concerning the accreditation of entities.

(2) Without limiting subsection (1), the Accreditation Rules may deal with the following matters:

(a) requirements that entities must meet in order to become and remain an accredited entity, including requirements relating to the following:

(i) privacy;

(ii) security;

(iii) fraud control;

(iv) incident management and reporting;

(v) disaster recovery;

(vi) user experience and inclusion;

(b) without limiting paragraph (a), requirements relating to the conduct of, and reporting on, privacy impact assessments, fraud assessments and security assessments;

(d) without limiting paragraph (c), standards relating to the testing of the information technology systems of entities;

(e) the conduct of periodic reviews of an entity’s compliance with specified requirements of the Accreditation Rules, including the timing of such reviews, who is to conduct such reviews and the provision of reports about such reviews to the Digital ID Regulator;

(f) the obligations of accredited entities in relation to monitoring their compliance with this Act;

(g) requirements relating to the collection, holding, use and disclosure of personal information of individuals;

(h) matters relating to representatives or nominees of individuals in relation to the creation, maintenance or deactivation of digital IDs of individuals;

(i) requirements or restrictions relating to the generation of digital IDs for children.

Note: In relation to subparagraph (2)(a)(iv), the Digital ID Rules may also provide for such arrangements in relation to incidents that occur within the Australian Government Digital ID System (see subsection 78(1)).

Division 6—Other matters relating to accreditation

29 Digital IDs must be deactivated on request

(1) This section applies if an accredited identity service provider generates a digital ID of an individual.

(2) The accredited identity service provider must, if requested to do so by the individual, deactivate the digital ID of the individual as soon as practicable after receiving the request.

(3) If a digital ID of an individual is deactivated under subsection (2), the digital ID of the individual:

(a) must not be used by the accredited identity service provider for verifying the identity of the individual or authenticating a digital ID of the individual; and

(b) if it can be reactivated, must not be reactivated by the accredited identity service provider without the express consent of the individual.

30 Accredited services must be accessible and inclusive

(1AA) An accredited entity must take reasonable steps to ensure that its accredited services are accessible for individuals who experience barriers when creating or using a digital ID.

(1) The Accreditation Rules must provide for and in relation to requirements relating to the accessibility and useability of the accredited services of accredited entities.

(2) Without limiting subsection (1), the Accreditation Rules must:

(a) require accredited entities, or specified kinds of accredited entities, to comply with specified accessibility standards; and

(b) require accredited entities, or specified kinds of accredited entities, to have regard to specified accessibility guidelines; and

(c) require accredited entities, or specified kinds of accredited entities, to conduct useability testing with a diverse range of individuals, covering diversity in disability, age, gender and ethnicity; and

(d) specify requirements relating to device or browser access; and

(e) specify requirements relating to the provision of support or assistance for individuals who may experience barriers when creating or using a digital ID.

31 Prohibition on holding out that an entity is accredited

An entity must not hold out that the entity is an accredited entity if that is not the case.

Civil penalty: 1,000 penalty units.

Chapter 3—Privacy

Part 1—Introduction

32 Simplified outline of this Chapter

An accredited entity may be liable to a civil penalty if certain privacy safeguards are breached, such as collecting certain attributes of individuals such as their political opinions or racial origin. There are restrictions on collecting, using or disclosing biometric information of individuals and on data profiling to track online behaviour is prohibited.

33 Chapter applies to accredited entities only to extent entity is providing accredited services

This Chapter applies to an accredited entity only to the extent the entity is providing its accredited services.

34 APP‑equivalent agreements

(1) The Minister may, on behalf of the Commonwealth, enter into an agreement (an APP‑equivalent agreement) with an entity covered by subsection (2) that prohibits the entity from collecting, holding, using or disclosing personal information in any way that would, if the entity were an organisation within the meaning of the Privacy Act 1988, breach an Australian Privacy Principle.

(2) The entities are as follows:

(a) a department or authority of a State;

(b) a department or authority of a Territory.

(3) The Minister must provide the Information Commissioner with a copy of an APP‑equivalent agreement within 14 days after it is entered into.

Part 2—Privacy

Division 1—Interaction with the Privacy Act 1988

35 Extended meaning of personal information in relation to accredited entities

To the extent not already covered by the definition of personal information within the Privacy Act 1988, attributes of individuals, to the extent that they are in the possession or control of accredited entities, are taken, for the purposes of that Act, to be personal information about an individual.

Note 1: This section has the effect of extending the meaning of personal information in the Privacy Act 1988 as it applies to accredited entities to mirror the meaning of that term as it is used in this Act (see section 9).

Note 2: This means that the requirements in the Privacy Act 1988 about collecting, using and disclosing personal information under that Act extend to attributes of individuals to the extent that information is in the possession or control of accredited entities. However, this applies only to the extent the information is collected, used or disclosed when those entities are providing their accredited services (see section 33).

35A Small business operator that is an accredited entity

(1) If a small business operator is an accredited entity, the Privacy Act 1988 applies, with the prescribed modifications (if any), in relation to the small business operator as if it were an organisation.

(2) In this section:

organisation has the same meaning as in the Privacy Act 1988.

prescribed modifications means modifications prescribed by the Digital ID Rules for the purposes of this definition.

small business operator has the same meaning as in the Privacy Act 1988.

36 Privacy obligations for non‑APP entities

(1) This section applies to an accredited entity that is not an APP entity.

Note: The obligations of accredited entities that are APP entities in relation to the handling of personal information are set out in the Privacy Act 1988.

(2) The accredited entity must not do an act or engage in a practice with respect to personal information unless:

(a) the Privacy Act 1988 applies in relation to the act or practice as if the entity were an organisation within the meaning of that Act; or

(b) a law of a State or Territory that provides for all of the following applies in relation to the act or practice:

(i) protection of personal information comparable to that provided by the Australian Privacy Principles;

(ii) monitoring of compliance with the law;

(iii) a means for an individual to seek recourse if the individual’s personal information is dealt with in a way contrary to the law; or

(i) neither paragraph (a) nor (b) apply to the acts or practices of the entity;

(ii) the entity has an APP‑equivalent agreement with the Commonwealth;

(iii) the agreement includes a term that prohibits the entity from collecting, holding, using or disclosing personal information in any way that would, if the entity were an organisation within the meaning of the Privacy Act 1988, breach an Australian Privacy Principle.

37 Contraventions of privacy obligations in APP‑equivalent agreements

(1) This section applies to an entity if the entity has an APP‑equivalent agreement with the Commonwealth.

(2) An act or practice of the entity that contravenes a term of the agreement in relation to an individual and collecting, holding, using or disclosing their personal information is taken to be:

(a) an interference with the privacy of the individual for the purposes of the Privacy Act 1988; and

(b) covered by sections 13 and 13G of that Act.

Note: An act or practice that is, or may be, an interference with privacy may be the subject of a complaint under section 36 of the Privacy Act 1988.

(3) The entity is taken, for the purposes of Part V of the Privacy Act 1988 and any other provision of that Act that relates to that Part, to be an organisation (within the meaning of that Act) if:

(a) an act or practice of the entity has contravened, or may have contravened, the term of the agreement in relation to an individual; and

(b) the act or practice is the subject of a complaint to, or an investigation by, the Information Commissioner under Part V of the Privacy Act 1988.

(4) Sections 80V and 80W of the Privacy Act 1988 apply in relation to the term of the agreement as if the term were a provision of that Act.

38 Contraventions of Division 2 and section 136 are interferences with privacy

(1) An act or practice of an accredited entity that contravenes a provision of Division 2 of this Part or section 136 in relation to personal information about an individual is taken to be:

(a) an interference with the privacy of the individual for the purposes of the Privacy Act 1988; and

(b) covered by sections 13 and 13G of that Act.

Note: An act or practice that is, or may be, an interference with privacy may be the subject of a complaint under section 36 of the Privacy Act 1988.

(2) The respondent to a complaint under the Privacy Act 1988 about the act or practice, other than an act or practice of an agency or organisation, is the entity that engaged in the act or practice.

(3) The entity is taken, for the purposes of Part V of the Privacy Act 1988 and any other provision of that Act that relates to that Part, to be an organisation if:

(a) the act or practice of the entity that contravenes a provision of Division 2 of this Part or section 136 is the subject of a complaint to, or an investigation by, the Information Commissioner under Part V of the Privacy Act 1988; and

(b) the entity is not an agency or organisation.

(4) In this section:

agency has the same meaning as in the Privacy Act 1988.

organisation has the same meaning as in the Privacy Act 1988.

39 Notification of eligible data breaches—accredited entities that are APP entities

(1) This section applies to an accredited entity if the entity:

(a) is an APP entity; and

(b) is aware that there are reasonable grounds to believe that there has been an eligible data breach (within the meaning of the Privacy Act 1988) of the entity relating to the entity’s accredited services; and

(c) is required under section 26WK of the Privacy Act 1988 to give the Information Commissioner a statement that complies with subsection 26WK(3) of that Act.

(2) The entity must also give a copy of the statement to the Digital ID Regulator at the same time as the statement is given to the Information Commissioner.

40 Notification of eligible data breaches—accredited entities that are not APP entities

(1) This section applies to an accredited entity that is not an APP entity.

(2) Despite subsection (1), this section does not apply to an accredited entity if:

(a) the entity is a department or authority of a State or Territory; and

(b) a law of the State or Territory provides for a scheme for the notification of data breaches that:

(i) covers the entity; and

(ii) is comparable to the scheme provided for in Part IIIC of the Privacy Act 1988.

Note: See section 41 for requirements in relation to these entities.

(3) Part IIIC of the Privacy Act 1988, and any other provision of that Act that relates to that Part, apply in relation to the accredited entity as if the entity were an APP entity.

(4) If:

(a) the accredited entity is aware that there are reasonable grounds to believe that there has been an eligible data breach (within the meaning of the Privacy Act 1988) of the entity relating to the entity’s accredited services; and

(b) because of the operation of subsection (3) of this section, the entity is required under section 26WK of that Act to give the Information Commissioner a statement that complies with subsection 26WK(3) of that Act;

the entity must also give a copy of the statement to the Digital ID Regulator at the same time as the statement is given to the Information Commissioner.

41 Notification of corresponding data breaches—accredited State or Territory entities that are not APP entities

(1) This section applies to an accredited entity if:

(a) the entity is not an APP entity; and

(b) the entity is a department or authority of a State or Territory; and

(c) the entity is required under a law of the State or Territory to give a statement (however described) that corresponds to section 26WK of the Privacy Act 1988 to another entity (the notified entity); and

(d) the statement relates to the accredited services of the entity.

(2) The entity must also give a copy of the statement to the Digital ID Regulator and the Information Commissioner at the same time as the statement is given to the notified entity.

42 Additional function of the Information Commissioner

In addition to the Information Commissioner’s functions under the Privacy Act 1988, the Information Commissioner has the function of providing advice, on request by the Digital ID Regulator, on matters relating to the operation of this Act.

43 Information Commissioner may share information

Sections 33A and 33B of the Privacy Act 1988 apply as if a reference in those sections to that Act included a reference to this Act.

Note: Sections 33A and 33B of the Privacy Act 1988 allow the Information Commissioner to share information acquired in the course of exercising powers, or performing functions or duties, under that Act in certain circumstances.

Division 2—Additional privacy safeguards

44 Collection of certain attributes of individuals is prohibited

(1) An accredited entity must not collect any of the following attributes of an individual:

(a) information or an opinion about an individual’s racial or ethnic origin;

(b) information or an opinion about an individual’s political opinions;

(d) information or an opinion about an individual’s religious beliefs or affiliations;

(e) information or an opinion about an individual’s philosophical beliefs;

(f) information or an opinion about an individual’s sexual orientation or practices.

Civil penalty: 1,500 penalty units.

(2) Subsection (1) does not apply if the accredited entity:

(a) did not solicit the attribute of the individual; and

(b) destroys the attribute, as soon as practicable, after becoming aware the accredited entity has collected the attribute.

Note: A person who wishes to rely on this subsection bears an evidential burden in relation to the matters in this subsection (see section 96 of the Regulatory Powers Act).

(3) Subsection (1) does not prevent other kinds of attributes (permitted attributes) of individuals from being collected if the permitted attributes are not primarily of the kind described in subsection (1), even if attributes of the kind described in that subsection can reasonably be inferred from the permitted attributes.

Example: Even if an individual’s racial or ethnic origin can reasonably be inferred from the individual’s name or place of birth, this does not prevent the individual’s name or place of birth from being collected.

(4) In this section:

solicits: an accredited entity solicits an attribute of an individual if the accredited entity requests another entity to provide the attribute, or to provide information that includes the attribute.

45 Individuals must expressly consent to disclosure of certain attributes of individuals to relying parties

When verifying the identity of an individual or authenticating a digital ID of, or information about, an individual to a relying party, an accredited entity must not disclose any of the following attributes of the individual to the relying party without the express consent of the individual:

(a) the individual’s current name or former name;

(b) the individual’s address;

(d) the individual’s phone number;

(e) the individual’s email address;

(f) an attribute of a kind prescribed by the Accreditation Rules.

Civil penalty: 1,500 penalty units.

46 Disclosure of restricted attributes of individuals

(1) When verifying the identity of an individual or authenticating a digital ID of, or information about, an individual to a relying party, an accredited entity must not disclose a restricted attribute of the individual to the relying party without the express consent of the individual.

Civil penalty: 1,500 penalty units.

(2) An accredited entity must not disclose a restricted attribute of an individual to a relying party that is not a participating relying party if the accredited entity’s conditions on accreditation do not include an authorisation to disclose the restricted attribute to the relying party.

Civil penalty: 1,500 penalty units.

47 Restricting disclosure of unique identifiers

(1) This section applies if:

(a) an accredited entity (the assigning entity) assigns a unique identifier to an individual within a digital ID system; and

(b) the assigning entity discloses the unique identifier to another accredited entity or to a relying party.

(2) The assigning entity must not disclose the unique identifier to any other entity other than:

(a) if the unique identifier was disclosed to another accredited entity—the other accredited entity; or

(b) if the unique identifier was disclosed to a relying party—the relying party.

Civil penalty: 1,500 penalty units.

(3) The accredited entity to whom the unique identifier is disclosed must not disclose the unique identifier to any other entity.

Civil penalty: 1,500 penalty units.

(4) Subsections (2) and (3) do not apply if the disclosure of the unique identifier is for one or more of the following purposes:

(a) detecting, reporting or investigating a contravention, or an alleged contravention, of a provision of this Act;

(b) conducting proceedings in relation to a contravention, or an alleged contravention, of a civil penalty provision of this Act;

(i) a digital ID fraud incident;

(ii) a cyber security incident:

(d) conducting an assessment of the matter referred to in paragraph 33C(1)(g) of the Privacy Act 1988 (about assessments by the Information Commissioner in relation to the handling and maintenance of personal information in accordance with certain aspects of this Act);

(e) detecting, reporting, investigating or prosecuting an offence against a law of the Commonwealth, a State or a Territory.

Note: A person who wishes to rely on this subsection bears an evidential burden in relation to the matter mentioned in this subsection (see section 96 of the Regulatory Powers Act).

(5) Subsections (2) and (3) also do not apply if the disclosure of the unique identifier is:

(a) to a contractor engaged by the accredited entity; and

(b) for the purposes of the contractor providing an accredited service, or part of an accredited service, of the accredited entity.

Note: A person who wishes to rely on this subsection bears an evidential burden in relation to the matter mentioned in this subsection (see section 96 of the Regulatory Powers Act).

(6) Subsections (2) and (3) also do not apply if the unique identifier is disclosed to another entity if the other entity is facilitating access to the entity for whom the unique identifier was created.

Note: A person who wishes to rely on this subsection bears an evidential burden in relation to the matter mentioned in this subsection (see section 96 of the Regulatory Powers Act).

48 Restrictions on collecting, using and disclosing biometric information

(1) An accredited entity may collect, use or disclose biometric information of an individual only if:

(a) the collection, use or disclosure is authorised under section 49 or 50; and

(b) unless the collection, use or disclosure is authorised under paragraph 49(3)(a) or subsection 49(5), (6) or (8)—the individual to whom the information relates has expressly consented to the collection, use or disclosure of the biometric information.

Civil penalty: 1,500 penalty units.

(2) An accredited entity may retain biometric information of an individual only if the retention is authorised under section 49 or 50.

Note: Section 51 contains rules about destruction of biometric information that has been retained under section 49.

Civil penalty: 1,500 penalty units.

(3) To avoid doubt, and without limiting subsection (1), an accredited entity must not:

(a) collect, use or disclose biometric information of an individual for the purpose of one‑to‑many matching of the individual; or

(b) collect, use or disclose biometric information of an individual to determine whether the individual has multiple digital IDs.

(4) One‑to‑many matching means the process of comparing a kind of biometric information of an individual against that kind of biometric information of individuals generally to identify the particular individual.

49 Authorised collection, use and disclosure of biometric information of individuals—general rules

(1) An accredited entity is authorised to collect, use or disclose biometric information of an individual if:

(a) the accredited entity’s conditions on accreditation authorise the collection, use, or disclosure of the biometric information; and

(b) the biometric information of the individual is collected, used or disclosed for the purposes of the accredited entity doing either or both of the following:

(i) verifying the identity of the individual;

(ii) authenticating the individual to their digital ID.

(2) An accredited entity is authorised to collect, use or disclose biometric information of an individual if:

(a) the biometric information is contained in a verifiable credential that is in the individual’s control; and

(b) the Accreditation Rules prescribe requirements relating to the collection, use or disclosure of the biometric information; and

(3) An accredited entity is authorised to disclose biometric information of an individual to a law enforcement agency only if:

(a) the disclosure of the information is required or authorised by or under a warrant issued under a law of the Commonwealth, a State or a Territory; or

(b) the information is disclosed with the express consent of the individual to whom the biometric information relates, or purports to relate, and the disclosure is for the purpose of:

(i) verifying the identity of the individual; or

(ii) investigating or prosecuting an offence against a law of the Commonwealth, a State or a Territory.

(4) Subsection (3) applies despite:

(a) any law of the Commonwealth, a State or a Territory (whether enacted or made before or after this subsection); or

(b) a warrant (other than a warrant of a kind mentioned in paragraph (3)(a)), authorisation or order issued under such a law.

(5) An accredited entity is authorised to disclose biometric information of an individual if the disclosure is to the individual to whom the biometric information relates.

(6) An accredited entity is authorised to retain, use or disclose biometric information of an individual if:

(a) the accredited entity collected the information in accordance with subsection (1); and

(b) the information is retained, used or disclosed for the purposes of undertaking testing in relation to the information; and

(6A) Without limiting paragraph (6)(c), Accreditation Rules made for the purposes of that paragraph must prescribe requirements that relate to the management by accredited entities of the potential for biometric systems to selectively disadvantage or discriminate against groups of individuals.

(7) Without limiting paragraph (6)(c), Accreditation Rules made for the purposes of that paragraph may prescribe requirements in relation to the following matters:

(a) the purposes for which testing may be undertaken;

(b) the kinds of testing that may be undertaken using biometric information;

(d) the manner in which the biometric information that has been retained for testing must be destroyed;

(e) the preparation, content, approval and implementation of ethics plans relating to the testing of the biometric information;

(f) obtaining express consent of individuals to whom the biometric information relates;

(g) reporting of testing results to the Digital ID Regulator.

(8) An accredited entity is authorised to retain, use or disclose biometric information of an individual if:

(a) the entity collected the information in accordance with subsection (1); and

(b) the information is retained, used or disclosed for the purposes of preventing or investigating a digital ID fraud incident; and

(9) Without limiting paragraph (8)(c), Accreditation Rules made for the purposes of that paragraph may prescribe requirements in relation to the following matters:

(a) the manner in which biometric information that has been retained for preventing or investigating digital ID fraud incidents must be destroyed;

(b) the reporting of fraud prevention or investigation activities to the Digital ID Regulator.

49A Biometric information, testing and continuous improvement

(1) This section applies if an accredited entity is authorised to retain, use or disclose biometric information of individuals under subsection 49(6) (about testing).

(2) The accredited entity must take reasonable steps to continuously improve its biometric systems to ensure such systems do not selectively disadvantage or discriminate against any group.

50 Accredited entities may collect etc. biometric information for purposes of government identity documents

(1) This section applies if:

(a) an accredited entity collects biometric information of an individual under subparagraph 49(1)(b)(i) for the purpose of verifying the identity of the individual; and

(b) the accredited entity has verified that the biometric information is legitimate.

Note: Because this Chapter applies to an entity only to the extent that the entity is providing accredited services (see section 33), this section does not affect information collected, held etc. by the entity in its capacity as the issuer of the document or other credential.

(2) If the entity is covered by subsection (3), the entity may collect, use, disclose or retain the biometric information for the purposes of issuing a document or other credential that:

(a) contains personal information about the individual; and

(b) the individual has expressly consented to the issue of; and

(c) can be used to assist the individual to prove the individual’s age or identity or a permission or authorisation that the individual holds; and

(d) is issued by or on behalf of the entity.

(3) The entities covered by this subsection are as follows:

(a) a body corporate incorporated by or under a law of the Commonwealth or a State or Territory;

(b) a Commonwealth entity, or a Commonwealth company, within the meaning of the Public Governance, Performance and Accountability Act 2013;

(d) a body specified, or the person holding an office specified, in Part I of Schedule 2 to the Freedom of Information Act 1982;

(e) a department or authority of a State;

(f) a department or authority of a Territory.

(4) Subsection (2) applies despite anything else in this Division.

(5) If:

(a) the entity (the first entity) is not covered by subsection (3); and

(b) the first entity has a written agreement with another entity (the government entity) that is covered by that subsection; and

(c) the agreement provides for the first entity to disclose the biometric information of the individual to the government entity for the purposes of issuing a document or other credential that:

(i) contains personal information about the individual; and

(ii) the individual has expressly consented to the issue of; and

(iii) can be used to assist the individual to prove the individual’s age or identity or a permission or authorisation that the individual holds; and

(iv) is issued by or on behalf of the entity;

the entity may disclose the biometric information in accordance with the agreement if the disclosure occurs within 14 days after the biometric information is collected.

51 Destruction of biometric information of individuals

(1) Subject to subsections (2), (3), (4) and (5), if an accredited entity collects biometric information of an individual for the purposes of verifying an individual’s identity only, the provider must destroy the information immediately after the verification is complete.

Civil penalty: 1,500 penalty units.

(2) Subject to subsections (3), (4) and (5), if:

(a) an accredited entity collects biometric information of an individual; and

(b) the information is collected for the purposes of authenticating the individual to their digital ID (regardless of whether that information is also collected for the purposes of verifying the individual’s identity); and

(c) the individual has not given express consent for that information to be retained for the purposes of further authenticating of the individual to their digital ID;

the provider must destroy the information immediately after the authentication is complete.

Civil penalty: 1,500 penalty units.

(3) Subject to subsections (4) and (5), if:

(a) an accredited entity collects biometric information of an individual with the express consent of the individual to whom the information relates; and

(b) the information is collected for the purposes of authenticating the individual to their digital ID; and

the accredited entity must destroy the information immediately after the consent is withdrawn.

(4) If an accredited entity retains biometric information of an individual in accordance with subsection 49(6) (about testing), the accredited entity must destroy the information at the earlier of:

(a) the completion of testing the information; and

(b) 14 days after the entity collects the information.

Civil penalty: 1,500 penalty units.

(5) If an accredited entity retains biometric information of an individual in accordance with subsection 49(8) (about preventing or investigating digital ID fraud incidents), the accredited entity must destroy the information at the earlier of:

(a) immediately after the completion of activities relating to the prevention or investigation of the digital ID fraud incident (as the case may be); and

(b) 14 days after the entity collects the information.

Civil penalty: 1,500 penalty units.

52 Other rules relating to biometric information

(1) The Accreditation Rules may provide for and in relation to the collection, use, disclosure, storage or destruction of biometric information of individuals by accredited entities.

(2) Without limiting subsection (1), the Accreditation Rules may provide for requirements relating to quality, security or fraud.

53 Data profiling to track online behaviour is prohibited

(1) An accredited entity must not use or disclose information if:

(a) the information is personal information about an individual that is in the entity’s possession or control; and

(b) the information is any of the following:

(i) information about the services provided by the entity that the individual has accessed, or attempted to access;

(ii) information relating to how or when access was obtained or attempted to be obtained by the individual;

(iii) information relating to the method of access or attempted access by the individual;

(iv) the date and time the individual’s identity was verified.

Civil penalty: 1,500 penalty units.

(2) Subsection (1) applies even if the individual has consented to the use or disclosure.

(3) However, subsection (1) does not apply if the use or disclosure:

(a) is for purposes relating to improving the performance or useability of the entity’s information technology system through which the entity’s accredited services are provided and not for broader business purposes; or

(b) is for the purposes of the entity complying with this Act; or

Note: A person who wishes to rely on this subsection bears an evidential burden in relation to the matter mentioned in this subsection (see section 96 of the Regulatory Powers Act).

54 Certain personal information must not be used or disclosed for prohibited enforcement purposes

(1) An accredited entity must not use or disclose personal information of an individual that is in the entity’s possession or control for the purposes of enforcement related activities conducted by, or on behalf of, an enforcement body unless:

(a) the personal information is not biometric information of the individual; and

(b) any of the following apply:

(i) at the time the information is used or disclosed, the accredited entity is satisfied that the enforcement body has started proceedings against a person for an offence against a law of the Commonwealth, a State or a Territory;

(ii) at the time the information is used or disclosed, the accredited entity is satisfied that the enforcement body has started proceedings against a person in relation to a breach of a law imposing a penalty or sanction;

(iii) the disclosure of the information is required or authorised by or under a warrant issued under a law of the Commonwealth, a State or a Territory;

(iv) the information is used or disclosed for the purposes of reporting a suspected or actual digital ID fraud incident or suspected or actual cyber security incident;

(v) the information is used or disclosed by the accredited entity for the purposes of complying with this Act;

(vi) the information is disclosed with the express consent of the individual to whom the personal information relates, or purports to relate, and the disclosure is for the purpose of verifying the identity of the individual, or investigating or prosecuting an offence against a law of the Commonwealth, a State or a Territory.

Civil penalty: 1,500 penalty units.

(2) Subsection (1) does not apply in relation to enforcement related activities conducted by, or on behalf of, an enforcement body under, or for the purpose of, this Act or the Privacy Act 1988.

(3) Despite section 96 of the Regulatory Powers Act, in proceedings for a civil penalty order against a person for a contravention of subsection (1), the person does not bear an evidential burden in relation to the matter in subparagraphs (1)(b)(i) to (vi) or subsection (2).

(4) This section applies despite:

(a) section 86E of the Crimes Act 1914 (about disclosure of personal information to certain entities for integrity purposes); and

(b) any other law of the Commonwealth, a State or a Territory, whether enacted or made before or after the commencement of this section.

55 Personal information must not be used or disclosed for prohibited marketing purposes

(1) An accredited entity must not use or disclose personal information about an individual that is in the entity’s possession or control for any of the following purposes:

(a) offering to supply goods or services;

(b) advertising or promoting goods or services;

(d) enabling another entity to advertise or promote goods or services;

(e) market research.

Civil penalty: 1,500 penalty units.

(2) Subsection (1) does not apply to the disclosure of personal information about an individual if:

(a) the information is disclosed to an individual for the purposes of:

(i) offering to supply the entity’s accredited services; or

(ii) advertising or promoting the entity’s accredited services; and

(b) the information is disclosed to the individual with the individual’s express consent.

Note: A person who wishes to rely on this subsection bears an evidential burden in relation to the matter mentioned in this subsection (see section 96 of the Regulatory Powers Act).

56 Accredited identity exchange providers must not retain certain attributes of individuals

(1) This section applies if, during an authenticated session, an accredited identity exchange provider receives any of the following attributes of an individual:

(a) a restricted attribute of the individual;

(b) the individual’s name;

(d) the individual’s date of birth;

(e) the individual’s phone number;

(f) the individual’s email address;

(g) an attribute of a kind prescribed by the Accreditation Rules.

(2) The accredited identity exchange provider must not retain the attribute of the individual after the end of the authenticated session.

Civil penalty: 1,500 penalty units.

(3) In this section:

authenticated session has the meaning given by the Accreditation Rules.

Chapter 4—Australian Government Digital ID System

Part 1—Introduction

57 Simplified outline of this Chapter

The Australian Government Digital ID System is overseen and maintained by the Digital ID Regulator. To participate in the Australian Government Digital ID System, an entity must meet certain criteria, including being either an accredited entity or a relying party and holding an approval from the Digital ID Regulator to participate.

Only certain kinds of accredited entities and relying parties can apply to the Digital ID Regulator to participate, and specified criteria must be met before the Digital ID Regulator gives an approval. If a relying party holds an approval, it is known as a participating relying party.

An entity’s approval to participate in the Australian Government Digital ID System is subject to conditions. Some conditions are imposed by the Act and others may be imposed by the Digital ID Regulator or the Digital ID Rules. Conditions may include requirements relating to the kinds of attributes of individuals an entity is authorised to collect or disclose, or that it must not collect.

The conditions imposed by the Digital ID Regulator on an entity’s approval to participate, and the entity’s approval itself, can be varied or revoked. An entity’s approval to participate in the Australian Government Digital ID System can also be suspended.

The Minister may give directions to the Digital ID Regulator regarding the approval of an entity to participate in the Australian Government Digital ID System if, for reasons of security, the Minister considers it appropriate to do so. The Digital ID Regulator must comply with such directions.

A participating relying party must not, as a condition of providing a service or access to a service, require an individual to create or use a digital ID. There are some exceptions to this, including if the relying party holds an exemption granted by the Digital ID Regulator.

The Digital ID Rules may make provision in relation to the following:

(a) notifying and managing incidents that have occurred, or are reasonably suspected of having occurred, in relation to the Australian Government Digital ID System;

(b) requirements relating to interoperability;

(c) a redress framework for incidents that occur in relation to accredited services of accredited entities that are provided within the Australian Government Digital ID System.

A statutory contract is taken to be in force between entities participating in the Australian Government Digital ID System. An entity that is party to the contract may apply to the Federal Circuit and Family Court of Australia (Division 2) if the entity has suffered, or is likely to suffer, loss or damage as a result of a breach of this statutory contract.

Part 2—Australian Government Digital ID System

Division 1—Australian Government Digital ID System

58 Digital ID Regulator must oversee and maintain the Australian Government Digital ID System

(1) The Digital ID Regulator must oversee and maintain a digital ID system.

(2) The Australian Government Digital ID System means the digital ID system overseen and maintained by the Digital ID Regulator under subsection (1).

59 Circumstances in which entities may provide or receive services within the Australian Government Digital ID System

(1) An entity mentioned in column 1 of an item in the following table may provide or receive services within the Australian Government Digital ID System if the entity satisfies the requirements set out in column 2 of that item.

Services provided or received within the Australian Government Digital ID System
Item	Column 1 Entity	Column 2 Requirements
1	Attribute service provider	(a) the attribute service provider: (i) must be an accredited attribute service provider; and (ii) must hold an approval under section 62 to participate in the system; and (b) the participation start day for the attribute service provider must have arrived or passed
2	Identity exchange provider	(a) the identity exchange provider: (i) must be an accredited identity exchange provider; and (ii) must hold an approval under section 62 to participate in the system; and (b) the participation start day for the identity exchange provider must have arrived or passed
3	Identity service provider	(a) the identity service provider: (i) must be an accredited identity service provider; and (ii) must hold an approval under section 62 to participate in the system; and (b) the participation start day for the identity service provider must have arrived or passed
4	Relying party	(a) the relying party: (i) must be an Australian entity or registered foreign company (within the meaning of the Corporations Act 2001); and (ii) must hold an approval under section 62 to participate in the system; and (b) the participation start day for the relying party must have arrived or passed
5	An entity that provides, or proposes to provide, services of a kind prescribed by the Accreditation Rules for the purposes of paragraph 14(1)(d)	(a) the entity: (i) must be accredited to provide services of that kind; and (ii) must hold an approval under section 62 to participate in the system; and (iii) must meet any other requirements prescribed by the Digital ID Rules; and (b) the participation start day for the entity must have arrived or passed

(2) An entity contravenes this subsection if:

(a) the entity provides or receives services within the Australian Government Digital ID System; and

(b) the entity is not an entity mentioned in column 1 of an item in the table in subsection (1).

Civil penalty: 1,000 penalty units.

(3) Subsection (2) does not apply to the following when performing functions or exercising powers under this Act:

(a) the Digital ID Regulator;

(b) the System Administrator.

(3A) Subsection (2) does not apply to an entity if the entity is conducting testing in accordance with an authorisation granted to the entity under section 81.

(4) Despite section 96 of the Regulatory Powers Act, in proceedings for a civil penalty order against a person for a contravention of subsection (2), the person does not bear an evidential burden in relation to the matter in subsection (3) or (3A).

(5) An entity contravenes this subsection if:

(a) the entity provides or receives services within the Australian Government Digital ID System; and

(b) the entity is an entity mentioned in column 1 of an item in the table in subsection (1); and

Civil penalty: 1,000 penalty units.

Division 2—Participating in the Australian Government Digital ID System

60 Phasing‑in of participation in the Australian Government Digital ID System

(1) The Minister may, by legislative instrument, determine the entities that may apply to the Digital ID Regulator for approval to participate in the Australian Government Digital ID System.

Note: The determination may specify entities by class (see subsection 33(3A) of the Acts Interpretation Act 1901).

(2) The determination may specify entities in any way, including by reference to:

(a) whether the entities are relying parties or accredited entities; or

(b) kinds of relying parties; or

(d) whether the entity belongs to the public or private sector.

(3) The Minister:

(a) must not revoke the determination; and

(b) may vary the determination only to:

(i) specify additional kinds of entities that may apply; or

(ii) correct an error, defect or irregularity in the determination.

61 Applying for approval to participate in the Australian Government Digital ID System

An entity may apply to the Digital ID Regulator for approval to participate in the Australian Government Digital ID System if:

(a) the entity is an accredited entity that is a non‑corporate Commonwealth entity, within the meaning of the Public Governance, Performance and Accountability Act 2013; or

(b) the entity is a relying party that is:

(i) a Commonwealth entity, or a Commonwealth company, within the meaning of the Public Governance, Performance and Accountability Act 2013; or

(ii) a person or body that is an agency within the meaning of the Freedom of Information Act 1982; or

(iii) a body specified, or the person holding an office specified, in Part I of Schedule 2 to the Freedom of Information Act 1982; or

(i) an accredited entity; or

(ii) an entity that has applied for accreditation under section 14; or

(iii) a relying party that is an Australian entity; or

(iv) a relying party that is a registered foreign company (within the meaning of the Corporations Act 2001); or

(d) the application is made more than 2 years after the day this Act commenced and the entity is:

(i) an accredited entity; or

(ii) an entity that has applied for accreditation under section 14; or

(iii) a relying party that is an Australian entity; or

(iv) a relying party that is a registered foreign company (within the meaning of the Corporations Act 2001).

Note 1: Only entities of particular kinds can be, or apply to be, an accredited entity (see subsection 14(2)).

Note 2: See Part 5 of Chapter 9 for matters relating to applications.

62 Approval to participate in the Australian Government Digital ID System

(1) The Digital ID Regulator may approve an entity to participate in the Australian Government Digital ID System if:

(a) the entity has made an application under section 61; and

(b) unless the entity is a relying party—the entity is an accredited entity; and

(c) the Digital ID Regulator is satisfied that the entity will comply with the Digital ID Data Standards that apply in relation to the entity and that relate to participation in the Australian Government Digital ID System; and

(d) if the Digital ID Regulator makes a requirement under paragraph 131(1)(a) in relation to the entity—the entity has been assessed as being able to comply with this Act; and

(e) the Digital ID Regulator is satisfied that it is appropriate to approve the entity to participate in the system; and

(f) any other requirements prescribed by the Digital ID Rules are met.

(2) Without limiting paragraph (1)(e), the Digital ID Regulator may have regard to the following matters when considering whether it is appropriate to approve the entity:

(a) whether the entity is a fit and proper person;

(b) whether the entity has appropriate procedures for dealing with the identities (whether real or not, and whether assumed or not) of shielded persons.

Note: In having regard to whether an entity is a fit and proper person for the purposes of paragraph (a), the Digital ID Regulator must have regard to any matters specified in the Digital ID Rules and may have regard to any other matters considered relevant (see section 12).

(3) Without limiting paragraph (1)(f), the Digital ID Rules may prescribe requirements relating to the security, reliability and stability of the Australian Government Digital ID System.

(4) However, the Digital ID Regulator must not approve an entity to participate in the Australian Government Digital ID System if a direction under subsection 73(1) (about security) directing the Digital ID Regulator to refuse to approve the entity is in force.

(5) The Digital ID Regulator must:

(a) give written notice of a decision to approve, or to refuse to approve, an entity to participate in the Australian Government Digital ID System; and

(b) if the decision is to refuse to approve the entity—give reasons for the decision to the entity.

(6) If the Digital ID Regulator approves an entity to participate in the Australian Government Digital ID System, the notice must set out:

(a) the day the approval comes into force; and

(b) whether the entity is a participating relying party or an accredited entity and, if the entity is an accredited entity, the kind of accredited entity it is accredited as; and

(d) the day on which the entity must begin to participate in the Australian Government Digital ID System.

Note: It is a condition of the entity’s approval that the entity begin to participate on the day referred to in paragraph (d) (see paragraph 64(1)(c)). An entity must not begin to participate before that day (see the requirements in column 2 of the table in subsection 59(1)).

63 Approval to participate in the Australian Government Digital ID System is subject to conditions

(1) The approval of an entity to participate in the Australian Government Digital ID System is subject to the following conditions (the approval conditions):

(a) the conditions set out in subsection 64(1);

(b) the conditions (if any) imposed by the Digital ID Regulator under subsection 64(2), including as varied under subsection 66(1);

(2) An entity that holds an approval to participate in the Australian Government Digital ID System must comply with the approval conditions that apply to the entity.

Note: Failure to comply with an approval condition may result in a suspension or revocation of the entity’s approval to participate (see sections 71 and 72).

64 Conditions on approval to participate in the Australian Government Digital ID System

Conditions imposed by the Act

(1) The approval of an entity to participate in the Australian Government Digital ID System is subject to the following conditions:

(a) unless the entity is a relying party—the entity must be an accredited entity;

(b) if the entity is an accredited entity:

(i) the entity must participate in the Australian Government Digital ID System only as the kind of accredited entity it is accredited as and approved to participate as; and

(ii) the entity must provide only its accredited services in the Australian Government Digital ID System;

(c) the entity must begin to participate in the Australian Government Digital ID System on the entity’s participation start day;

(d) the entity must comply with this Act.

Conditions imposed by the Digital ID Regulator

(2) The Digital ID Regulator:

(a) may impose conditions on the approval of an entity to participate in the Australian Government Digital ID System, either at the time of approval or at a later time, if the Digital ID Regulator considers that doing so is appropriate in the circumstances; and

(b) must impose conditions on the approval of an entity to participate in the Australian Government Digital ID System, either at the time of approval or at a later time, if directed to do so under subsection 73(1).

(3) Conditions may be imposed under paragraph (2)(a) on application by the entity or on the Digital ID Regulator’s own initiative.

(4) Without limiting paragraph (2)(a), the Digital ID Regulator may impose conditions that relate to any of the following:

(a) the kind of accredited entity or participating relying party that the entity must directly connect to in order to participate in the Australian Government Digital ID System;

(b) the kinds of attributes of individuals that the entity is authorised to collect or disclose and the circumstances in which such attributes may be collected or disclosed;

(d) for an accredited entity—the circumstances in which the entity may or must not provide its accredited services within the Australian Government Digital ID System;

(e) for an accredited entity—the accredited services of the entity that the entity must provide within the Australian Government Digital ID System;

(f) for a relying party—the services the relying party is approved to provide, or to provide access to, within the Australian Government Digital ID System;

(g) actions that the entity must take before the entity’s approval to participate in the Australian Government Digital ID System is suspended or revoked.

Note 1: For the purposes of paragraph (b), the Digital ID Regulator must have regard to the matters in subsection 65(2) before authorising an entity to collect or disclose restricted attributes of individuals within the Australian Government Digital ID System. If the Digital ID Regulator gives such an authorisation, the Digital ID Regulator must publish a statement of reasons (see subsection 65(3)).

Note 2: An accredited entity may contravene a civil penalty provision of this Act if it discloses a restricted attribute of an individual and the accredited entity’s conditions on accreditation do not authorise the disclosure (see subsection 46(2)).

Conditions imposed by the Digital ID Rules

(5) The Digital ID Rules may determine that the approval of each entity, or of each entity included in a specified class, to participate in the Australian Government Digital ID System is subject to one or more specified conditions.

(6) Without limiting subsection (5), the Digital ID Rules may impose conditions that relate to the matters mentioned in subsection (4).

Note: The Minister must have regard to the matters in subsection 65(5) before making Digital ID Rules that authorise participating relying parties to collect or disclose restricted attributes of individuals within the Australian Government Digital ID System.

65 Conditions relating to restricted attributes of individuals

Matters to which the Digital ID Regulator must have regard before authorising disclosure etc. of restricted attributes

(1) Subsection (2) applies if the Digital ID Regulator proposes to impose a condition on an entity’s approval to participate in the Australian Government Digital ID System authorising the entity:

(a) to collect or disclose a restricted attribute of an individual within the Australian Government Digital ID System; or

(b) to disclose a restricted attribute of an individual that is collected by the entity within the Australian Government Digital ID System to an entity outside the system.