Watchdog eyes govt digital ID scheme audit


Denham Sadler
Senior Reporter

The national auditor is considering putting the federal government’s $450 million digital identity program under the microscope, with a planned review of the scheme’s budget and effectiveness.

The Australian National Audit Office (ANAO) released its draft work plan for 2021-22 this week, revealing it is also eyeing off the COVIDSafe contact tracing app, the regulation of digital currency exchange providers and Services Australia’s data practices for potential review.

The ANAO will potentially launch an audit into the government’s development and delivery of digital identity reforms, which are being led by the Digital Transformation Agency (DTA).

“This audit would review the progress of the implementation, design and functionality of the system, roles and responsibilities of stakeholders, and allocation and expenditure of funding, including contract management,” the ANAO said.

The digital identity scheme, known as GovPass, was handed a further $250 million in the budget late last year, bringing its total funding to more than $450 million over the last five years.

The whole-of-government program is aiming to provide identity verification across a range of government and private sector services, with four key elements: the Trusted Digital Identity Framework, the identity exchange (run by Home Affairs), the digital identity providers (including the ATO) and service providers.

It’s a pivotal year for the scheme, with the DTA currently developing legislation to expand the program to state governments and the private sector, and plans to integrate it with myGov and launch biometrics technology.

Earlier this year a range of consultants were awarded contracts worth $3.5 million over six months to develop a charging model for the scheme, as the government looks to monetise the digital identity program.

The audit would likely examine the government’s decision to build its own services as part of the program rather than purchasing existing off-the-shelf solutions from the private sector, and a number of cost blowouts and delays associated with this.

It would also look at how the many departments and agencies involved with the scheme are working together. The DTA is leading the project, with Home Affairs running the identity exchange that sits at the centre of it, and the ATO rolling out its own digital identity service, myGovID, which has been accredited under the scheme.

The two digital identity services to be accredited under the scheme so far are both publicly funded, with Australia Post also throwing its hat into the ring.

Security researchers have also raised concerns with the design of the digital identity scheme, saying that it should be “abandoned and redesigned from scratch” due to flaws in the system.

The ANAO will also potentially launch an audit into the highly controversial contact tracing app COVIDSafe, a project which was also led by the DTA.

The review would investigate how economically and effectively the app was designed and is being used, with the watchdog pointing to Health Minister Greg Hunt describing it as “one of the critical tools we will use to help protect the health of the community”.

COVIDSafe has not identified any new close contacts of COVID-19 cases this year, and has only picked up 17 close contacts, all in NSW, since it was launched early last year. 

The DTA entered into contracts worth nearly $10 million with private contractors to develop the app, including a $6 million deal with Canberra-based tech company Delv, and a $1 million contract with consulting giant Boston Consulting Group.

The DTA recently revealed that the app is costing $100,000 per month to continue running, with a further $200,000 set aside for any potential changes in the future.

The ANAO investigation would probe this spending.

“The audit would examine the design and procurement processes for the app, how effectively it has been promoted and the extent to which it has assisted in contact tracing,” the audit office said.

The ANAO is also looking to continue its audits of compliance with the Essential Eight basic cybersecurity controls.

It will consider auditing AUSTRAC’s regulation of digital currency exchange providers, and will look at a review into Services Australia’s collection, verification, recording and exchange of customer information and data, along with its identity management strategy.

Also listed on the planned works is an audit of the government’s plan to stop using the Ultimo Global Switch data centre, which hosts data from the likes of Defence, ATO, ASIC, Home Affairs and NBN.

Last year Auditor-General Grant Hehir wrote to Prime Minister Scott Morrison seeking a funding increase, warning that performance audits would be cut if the office didn’t receive a budget boost. But the office’s budget was cut by a further $14 million in the October budget.

The Joint Committee of Public Accounts and Audit, chaired by Liberal MP Lucy Wicks, this week called for extra funding for the ANAO so it can complete 48 performance audits annually, The Guardian reported. 
