Digital Transformation in Government Insight #52: Digital identity — first component released
The Digital Transformation Agency (DTA) recently released the first component of Australia’s Trusted Digital Identity Framework (TDIF).
The DTA has been working on bringing a digital identity system to Australia. In October last year we blogged about digital identity in the context of a GovPass update, and said we’d keep you informed. Well, here’s an update. This time, it’s about the Trusted Digital Identity Framework (TDIF), which underpins Australia’s digital identity system.
The new identity system will affect us all as Australian citizens, but will also have a significant flow-on effect in the public sector.
First component released
On 21 February, the DTA released the first component of the Trusted Digital Identity Framework (TDIF). The TDIF covers the requirements for security, usability, privacy protection, accessibility, fraud protection and risk management.
The first component addresses the standards for identity services for individuals. It consists of ten documents:
- Overview and glossary
- Accreditation process
- Authentication credential requirements
- Fraud control requirements
- Identity proofing requirements
- Privacy requirements
- Protective security requirements
- Risk management requirements
- Usability and accessibility requirements
- Protective security reviews
For those of you still getting up to speed with the digital identity framework, we thought we’d highlight some of the key messages from the overview.
The system for Australia
The overview defined the two types of possible identity systems — syndicated or federated. In the syndicated model, one identity credential is issued (usually by the government) and is then used to sign on to government and private sector services. The federated model is decentralised, and citizens choose their preferred identity providers from a pool of authorised providers.
Australia is going for the federated model, and so one of the key audiences for the TDIF is the potential providers.
The trust framework
The overview lists four main elements of the ‘trustworthiness of a trust framework’:
Functionality — the framework provides specifications, rules and agreements aimed at ensuring the federated identity system operates as it should, and is compliant.
Trustworthiness — the framework’s specifications, rules and agreements deliver a system that is trustworthy enough to meet the needs of participants including managing risk and being legally certain and predictable, while also being transparent.
Content — the trust framework defines operational roles and functions of the identity system.
Binding — the trust framework is legally binding for participants (e.g. identity providers).
The final system
There’s a nice little section in the overview on what success will look like once the system’s in place. “Successful implementation of the TDIF will be evident when people are able to simply and securely establish a digital identity through an identity provider of their choice, and safely reuse that identity to transact across all tiers of government and with the private sector, with their privacy assured.”
The guiding principles
There are eight guiding principles outlined in the overview document. They are:
User centric — the service should be easy to use, with users able to choose their preferred provider.
Voluntary and transparent — users choose whether to participate, and they control their digital identities.
Service delivery — participation is cost-effective for public and private sectors, and users are given access to highly reputable providers.
Privacy enhancing — follows privacy laws and good privacy practices.
Collaborative — active collaboration between government, private sectors and the broader community to deliver the system.
Interoperable — robust systems to ensure interconnectedness with other identity services nationally and internationally.
Innovative — uses innovative technology and business models, and is adaptable so it can evolve with changing technology.
Secure and resilient — minimum standards and accreditation for identity providers, and threats/risks identified and managed.
Where to next?
There are more components of the TDIF coming. These additional documents are being drafted and will be released for public consultation in April. Then in July the DTA will release the third component, which will address business identity.
Salsa Digital’s take
There’s a lot going on in digital identity at the moment. It’s an extremely large project with far-reaching repercussions across all levels of government, although many of these changes won’t be felt for a while. As always, we’ll keep you up to date on this important issue for Australian digital transformation in government.