Private companies will soon be able to join the government’s federated digital identity program with the further use of biometrics also being scoped.
The Digital Transformation Agency has now finalised the framework and set of rules that will be used to accredit private companies looking to be a part of its digital identity ecosystem, and is also looking to commission a review for the potential to include the further use of biometrics in its GovPass scheme.
GovPass is the name given to the federal government’s overarching digital identity project, which includes many different facets spanning across several departments. Overall, it aims to be a whole-of-government way to verify identity across government and private sector services, as a federated model with many different options for users.
It has four key elements: the Trusted Digital Identity Framework (TDIF), the exchange gateway, the digital identity services and the actual service providers.
The DTA last week listed an opportunity on its digital marketplace for a biometrics and security specialist to write a report “reviewing the potential uses of biometrics within the digital identity ecosystem”.
It will investigate potential future uses for biometric data, including face, voice, fingerprint, gait and device usage rhythm, such as for identity proofing and fraud management.
“The report will also analyse potential options for restricting the usage of biometrics within the ecosystem and the risks and benefits for those options,” the listing said.
The listing has only been made available to three invited sellers, with the report to be completed by mid-July.
The DTA also recently completed the fourth version of the TDIF, which will now remain unchanged for the next two years. It is also looking to hire a consultant to begin the work of accrediting private sector entities against the framework.
The TDIF is a set of rules and guidelines for the scheme, and any providers looking to join in the project must be accredited against them. So far only three entities have been approved and all from the public sector.
The Department of Human Service has been approved to run the identity exchange gateway, while Australia Post and the ATO have been accredited as digital identity providers.
The fourth version of the TDIF was given the green light last month and recently released to the public. The biggest change in the update is an expansion of the accreditation and identity proofing levels to incorporate commercial entities in the scheme, allowing for private companies to apply to have their digital identity service accredited by the federal government and join its ecosystem of providers.
After four versions in two years, the TDIF is now set in stone for the next two years, with an update expected in 2022.
The new TDIF outlines how private sector entities can gain accreditation under the framework, and what privacy and security safeguards will have to be in place.
It states that a company should receive accreditation within a year of applying, but this would be greatly expedited if they are prepared and aware of the TDIF requirements. To be accredited, a company offering a digital identity service must have a designated privacy officer and “privacy champion”, a privacy policy, privacy management plan and conduct annual privacy awareness training.
An independent privacy impact assessment must be conducted on the company’s operations too, and the identity system must be fully operational before accreditation is awarded.
If the company is the subject of a cybersecurity or fraud incident, or is found to have breach the TDIF policies, its accreditation will be stripped and they will have to reapply.
The TDIF was developed across this year, with three rounds of consultation and nearly 2500 comments received, the DTA said.
With the TDIF now completed, the DTA is on the hunt for a policy and strategy expert to begin assessing private companies for accreditation in the federal government’s digital identity ecosystem.
The consultant will “provide assistance with accreditation activities including, but not limited to, the evaluation of participant documentation and the provision of professional opinions regarding conformance against TDIF requirements”.
The new hire will also oversee the implementation of the “DTA participant guide” and ensure this also aligns with the TDIF.
“The DTA is seeking a suitably qualified consultant who can provide advice and assistance on accreditation activities and policy development. The government’s digital identity is a federated whole-of-economy solution and is a multi-agency initiative led by the DTA,” the listing on the DTA’s Digital Marketplace said.
“The consultant will be responsible for the provision of expert advice and assistance relating to accreditation activities and the development of supporting policy, including overseeing the implementation and performance of certain system governance functions, required to support the implementation of digital identity.”
The initial contract will be for three months, with potential extensions on offer. Similar to the biometrics offering, only three sellers have been invited to apply for the position.
Do you know more? Contact James Riley via Email.