{"id":511,"date":"2018-11-14T16:43:55","date_gmt":"2018-11-14T16:43:55","guid":{"rendered":"http:\/\/www.16news.com.au\/?p=511"},"modified":"2018-11-14T16:43:55","modified_gmt":"2018-11-14T16:43:55","slug":"strengthening-privacy-under-the-tdif","status":"publish","type":"post","link":"http:\/\/www.16news.com.au\/index.php\/2018\/11\/14\/strengthening-privacy-under-the-tdif\/","title":{"rendered":"Strengthening privacy under the TDIF"},"content":{"rendered":"<p><a href=\"https:\/\/beta.dta.gov.au\/our-projects\/digital-identity\">Digital identity<\/a>\u00a0will make it easier for people to prove who they are when using government services online.<br \/>\nThe\u00a0<a href=\"https:\/\/beta.dta.gov.au\/node\/170\">Trusted Digital Identity Framework<\/a>\u00a0sets out the rules and standards which must be followed by every organisation providing digital identity services.<br \/>\nThis includes government agencies such as the Australian Taxation Office, which will operate the\u00a0<a href=\"https:\/\/beta.dta.gov.au\/our-projects\/digital-identity\/glossary#mygovid\">myGovID<\/a>\u00a0identity provider, the Department of Human Services, which operates the\u00a0<a href=\"https:\/\/beta.dta.gov.au\/our-projects\/digital-identity\/glossary#identity-exchange\">identity exchange<\/a>, as well as any private sector suppliers who join the program later on.<br \/>\nProtection of privacy has been a key consideration at all points during the development of the program, from the first policy documents to the technology we are testing with real people and businesses.<br \/>\nThe framework builds on, and has requirements at least as strong as the:<\/p>\n<ul>\n<li>Australian Privacy Principles and the Privacy Code<\/li>\n<li>Information Security Registered Assessors Program<\/li>\n<li>Australian Government Protective Security Policy Framework and Information Security Manual<\/li>\n<li>Australian Signals Directorate\u2019s Essential 8 cyber security mitigations<\/li>\n<\/ul>\n<p>It also 
requires participants to undertake independent security testing and assessments.<\/p>\n<h2 id=\"privacy-impact-assessments-pias\">Privacy Impact Assessments (PIAs)<\/h2>\n<p>Another way we are making sure digital identities are safe, secure and protect the privacy of their users is through independent assessments of the framework.<br \/>\nWe have commissioned a multi-phase PIA process to help identify, assess and minimise privacy risks in the framework.<br \/>\nPIAs are an important step in the protection of privacy for projects that involve the handling of personal information.<br \/>\nThese assessments provide an opportunity to make sure projects follow privacy laws and also help to identify potential impacts and mitigations that will address the expectations of the community.<br \/>\nEvery part of the digital identity system will undergo its own PIA including\u00a0<a href=\"https:\/\/beta.dta.gov.au\/our-projects\/digital-identity\/glossary#mygovid\">myGovID<\/a>\u00a0and the\u00a0<a href=\"https:\/\/beta.dta.gov.au\/our-projects\/digital-identity\/glossary#identity-exchange\">identity exchange<\/a>.<\/p>\n<h2 id=\"first-assessment\">First assessment<\/h2>\n<p>We commissioned an independent privacy company to run a multi-phase PIA process, involving engagements with privacy commissioners, consumer groups and privacy advocates.<br \/>\nThe initial PIA focused on the overall concept and design of the framework and made 23 recommendations.<br \/>\nWe\u00a0<a href=\"https:\/\/beta.dta.gov.au\/blogs\/govpass-privacy-design\">published the PIA<\/a>\u00a0and responded to its recommendations in May 2017.<\/p>\n<h2 id=\"second-assessment\">Second assessment<\/h2>\n<p>Today we\u2019re releasing the\u00a0<a href=\"https:\/\/dta-www-drupal-20180130215411153400000001.s3.ap-southeast-2.amazonaws.com\/s3fs-public\/files\/digital-identity\/PIAs\/gc527_dta_tdif_mid_2018_pia_v6_201809_final_Acc.pdf\">second PIA<\/a>\u00a0along with our responses to its recommendations.<br 
\/>\nThis assessment focused on strengthening the privacy requirements of the framework, ensuring data quality and making sure users have a consistent experience.<br \/>\nA summary of the recommendations of the second PIA and our responses are included below.<br \/>\n<strong>The TDIF\u2019s privacy requirements should be mandated<\/strong><br \/>\nWe agree that the TDIF could be strengthened through legal backing and we\u2019re looking into this.<br \/>\n<strong>The identity exchange should only keep metadata for a short period of time<\/strong><br \/>\nThe identity exchange needs to keep metadata related to transactions:<\/p>\n<ul>\n<li>to allow people to use the system<\/li>\n<li>for evidence in investigations of complaints and fraud<\/li>\n<\/ul>\n<p>We agree that there needs to be a time limit on how long metadata is kept for evidence in investigations of complaints and fraud. We\u2019re looking into use cases to work out what a reasonable time limit should be.<br \/>\n<strong>The identity exchange and identity providers need to develop their own privacy policies<\/strong><br \/>\nWe agree and we will make this a requirement in the next iteration of the TDIF\u2019s privacy requirements.<br \/>\n<strong>The TDIF\u2019s restrictions on the use of biometrics should be mandated<\/strong><br \/>\nWe agree that the TDIF could be strengthened through legal backing and we\u2019re looking into this.<br \/>\n<strong>The TDIF should outline a time period for the validity and renewal of identity credentials<\/strong><br \/>\nWe agree and we will include a time period in a future iteration of the TDIF\u2019s proofing requirements.<br \/>\n<strong>Complaints should be responded to within 30 days<\/strong><br \/>\nWe agree that this would help to ensure a consistent experience for our users.<br \/>\n<strong>A committee of key stakeholder representatives should be able to participate in the development and implementation of the TDIF<\/strong><br \/>\nWe\u2019ve consulted 
across privacy and community groups in the development of the TDIF and will be releasing the next part of the framework for consultation soon. We will make sure these groups are represented in the oversight of the TDIF.<br \/>\n<strong>The TDIF should be reviewed after 3 years<\/strong><br \/>\nWe\u2019re planning to review the TDIF within 2 years after the first public beta service \u2013 issuing a tax file number using myGovID.<\/p>\n<h2 id=\"moving-forward\">Moving forward<\/h2>\n<p>The governance and legal framework which supports digital identity will always include strong privacy protections embedded in robust rules or legislation.<br \/>\nBefore they can join the\u00a0<a href=\"https:\/\/beta.dta.gov.au\/our-projects\/digital-identity\/glossary#identity-federation\">identity federation<\/a>, all identity service providers must complete their own PIAs and prove they are meeting privacy requirements.<br \/>\nAs the digital identity pilot programs roll out, our user research continues. As part of that, we are focusing on how we can make it easier for users to understand how their identity information is used and make informed decisions about how their information is used, and how we can improve privacy notices to make them more informative and effective.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Digital identity\u00a0will make it easier for people to prove who they are when using government services online. The\u00a0Trusted Digital Identity Framework\u00a0sets out the rules and standards which must be followed by every organisation providing digital identity services. 
This includes government agencies such as the Australian Taxation Office, which will operate the\u00a0myGovID\u00a0identity provider, the Department of &hellip; <a href=\"http:\/\/www.16news.com.au\/index.php\/2018\/11\/14\/strengthening-privacy-under-the-tdif\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Strengthening privacy under the TDIF&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-511","post","type-post","status-publish","format-standard","hentry","category-aussie"],"_links":{"self":[{"href":"http:\/\/www.16news.com.au\/index.php\/wp-json\/wp\/v2\/posts\/511","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.16news.com.au\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.16news.com.au\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.16news.com.au\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.16news.com.au\/index.php\/wp-json\/wp\/v2\/comments?post=511"}],"version-history":[{"count":0,"href":"http:\/\/www.16news.com.au\/index.php\/wp-json\/wp\/v2\/posts\/511\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.16news.com.au\/index.php\/wp-json\/wp\/v2\/media?parent=511"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.16news.com.au\/index.php\/wp-json\/wp\/v2\/categories?post=511"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.16news.com.au\/index.php\/wp-json\/wp\/v2\/tags?post=511"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}