Digital ID Act 2024 (Cth)

Digital ID Act 2024

No. 25, 2024

Compilation No. 2

Compilation date: 21 February 2025

Includes amendments: Act No. 14, 2025

About this compilation

This compilation

This is a compilation of the Digital ID Act 2024 that shows the text of the law as amended and in force on 21 February 2025 (the compilation date).

The notes at the end of this compilation (the endnotes) include information about amending laws and the amendment history of provisions of the compiled law.

Uncommenced amendments

The effect of uncommenced amendments is not shown in the text of the compiled law. Any uncommenced amendments affecting the law are accessible on the Register. The details of amendments made up to, but not commenced at, the compilation date are underlined in the endnotes. For more information on any uncommenced amendments, see the Register for the compiled law.

Application, saving and transitional provisions for provisions and amendments

If the operation of a provision or amendment of the compiled law is affected by an application, saving or transitional provision that is not included in this compilation, details are included in the endnotes.

Editorial changes

For more information about any editorial changes made in this compilation, see the endnotes.

Modifications

If the compiled law is modified by another law, the compiled law operates as modified but the modification does not amend the text of the law. Accordingly, this compilation does not show the text of the compiled law as modified. For more information on any modifications, see the Register for the compiled law.

Self‑repealing provisions

If a provision of the compiled law has been repealed in accordance with a provision of the law, details are included in the endnotes.

An Act to provide for the accreditation of entities in relation to digital IDs and to establish the Australian Government Digital ID System, and for related purposes

Chapter 1 Introduction

Part 1 Preliminary

1 Short title

This Act is the Digital ID Act 2024.

2 Commencement
  1. (1)

    Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information

| Column 1 | Column 2 | Column 3 |
| --- | --- | --- |
| Provisions | Commencement | Date/Details |
| 1. The whole of the Act | A single day to be fixed by Proclamation. However, if the provisions do not commence within the period of 6 months beginning on the day this Act receives the Royal Assent, they commence on the day after the end of that period. | 30 November 2024 |

Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

  1. (2)

    Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3 Objects
  1. (1)

    The objects of this Act are as follows:

    1. (a)

      to provide individuals with secure, convenient, voluntary and inclusive ways to verify their identity in online transactions with government and businesses;

    2. (aa)

      to facilitate the inclusion of individuals in digital society by supporting the provision of digital ID services that are accessible for individuals who experience barriers in using such services;

    3. (b)

      to promote privacy and the security of personal information used to verify the identity or attributes of individuals;

    4. (c)

      to facilitate economic benefits for, and reduce burdens on, the Australian economy by encouraging the use of digital IDs and online services;

    5. (d)

      to promote trust in digital ID services amongst the Australian community.

  2. (2)

    These objects are to be achieved by:

    1. (a)

      establishing an accreditation scheme for entities providing digital ID services; and

    2. (b)

      providing additional privacy safeguards for the provision of accredited digital ID services; and

    3. (c)

      establishing an Australian Government Digital ID System that is secure, easy to use, voluntary, accessible, inclusive and reliable; and

    4. (d)

      strengthening the oversight and regulation of:

      1. (i)

        accredited digital ID service providers; and

      2. (ii)

        entities participating in the Australian Government Digital ID System; and

      3. (iii)

        the integrity and performance of the Australian Government Digital ID System.

4 Simplified outline of this Act

This Act establishes an accreditation scheme for entities providing digital ID services. The Digital ID Regulator (which is the Australian Competition and Consumer Commission) may, on application, accredit certain kinds of entities as accredited attribute service providers, accredited identity exchange providers, accredited identity service providers or entities that provide, or propose to provide, services of a kind prescribed by the Accreditation Rules.

When providing accredited services, accredited entities must comply with certain privacy safeguards. These safeguards are in addition to, and build on, the safeguards contained in the Privacy Act 1988. An accredited entity may be liable to a civil penalty if certain privacy safeguards are breached.

The Digital ID Regulator oversees and maintains the Australian Government Digital ID System. Certain kinds of accredited entities can apply to the Digital ID Regulator to participate in the system. Certain kinds of relying parties can also apply for approval to participate in the system. If a relying party holds an approval, it is known as a participating relying party.

There is a System Administrator whose functions include providing assistance to entities participating in the Australian Government Digital ID System and managing the availability of the Australian Government Digital ID System.

The Digital ID Standards Chair may make Digital ID Data Standards about various matters, including technical integration requirements for entities to participate in the Australian Government Digital ID System and, if required to do so by the Accreditation Rules or the Digital ID Rules, technical, data or design standards relating to accreditation.

The Digital ID Rules may set out marks, symbols, logos or designs (called digital ID trustmarks) that may or must be used by accredited entities and participating relying parties.

The Digital ID Regulator must establish and maintain the Digital ID Accredited Entities Register and the AGDIS Register.

The Digital ID Regulator and the Information Commissioner may take enforcement action against accredited entities and other entities. The Digital ID Regulator can give directions regarding accreditation and participation in the Australian Government Digital ID System or require entities to undergo compliance assessments or produce information or documents. The System Administrator can also give directions to entities regarding participation in the Australian Government Digital ID System and require entities to produce information or documents.

Accredited entities that hold or held an approval to participate in the Australian Government Digital ID System have certain record‑keeping responsibilities and are required to destroy or de‑identify certain information in the possession or control of the entity.

Entities can apply for merits review of certain decisions made under this Act.

This Act also deals with other administrative matters such as annual reports and delegations.

5 Act binds the Crown

This Act binds the Crown in each of its capacities.

6 Extension to external Territories

This Act extends to every external Territory.

7 Extraterritorial operation
  1. (1)

    This Act extends to acts, omissions, matters and things outside Australia.

    Note: Geographical jurisdiction for civil penalty provisions is dealt with in section 160.

  2. (2)

    This Act has effect in relation to acts, omissions, matters and things outside Australia subject to:

    1. (a)

      the obligations of Australia under international law, including obligations under any international agreement binding on Australia; and

    2. (b)

      any law of the Commonwealth giving effect to such an agreement.

8 Concurrent operation of State and Territory laws

This Act is not intended to exclude or limit the operation of a law of a State or Territory that is capable of operating concurrently with this Act.

Part 2 Interpretation

9 Definitions

In this Act:

Accreditation Rules means rules made under section 168 for the purposes of the provisions in which the term occurs.

accredited attribute service provider means an attribute service provider that is accredited under section 15 as an accredited attribute service provider.

accredited entity: each of the following is an accredited entity:

  1. (a)

    an accredited attribute service provider;

  2. (b)

    an accredited identity exchange provider;

  3. (c)

    an accredited identity service provider;

  4. (d)

    if Accreditation Rules are made for the purposes of paragraph 14(1)(d)—an entity that is accredited to provide services of a kind prescribed by the Accreditation Rules for the purposes of that paragraph.

accredited identity exchange provider means an identity exchange provider that is accredited under section 15 as an accredited identity exchange provider.

accredited identity service provider means an identity service provider that is accredited under section 15 as an accredited identity service provider.

accredited service, of an accredited entity, means the services provided, or proposed to be provided, by the entity in the entity’s capacity as a particular kind of accredited entity.

Note: Conditions may be imposed on an entity’s accredited services, including specifying the manner in which such services must be provided or excluding specific services from the entity’s accreditation altogether (see section 17).

Example: Acme Co is an accredited identity service provider. Under its conditions of accreditation, its accredited service is generating, managing, maintaining and verifying information relating to the identity of an individual. Its conditions exclude from its accreditation the provision of the following services:

(a) generating, binding, managing and distributing authenticators to an individual;

(b) binding, managing and distributing authenticators generated by an individual.

adverse or qualified security assessment means an adverse security assessment, or a qualified security assessment, within the meaning of Part IV of the Australian Security Intelligence Organisation Act 1979.

affected entity: see section 137.

AFP Minister means the Minister administering the Australian Federal Police Act 1979.

AGDIS Register means the register kept under section 121.

APP entity has the same meaning as in the Privacy Act 1988.

APP‑equivalent agreement: see section 34.

attribute of an individual: see section 10.

attribute service provider means an entity that provides, or proposes to provide, a service that verifies and manages an attribute of an individual.

Australia when used in a geographical sense, includes the external Territories.

Australian entity means any of the following:

  1. (a)

    an Australian citizen or a permanent resident of Australia;

  2. (b)

    a body corporate incorporated by or under a law of the Commonwealth or a State or Territory;

  3. (c)

    a Commonwealth entity, or a Commonwealth company, within the meaning of the Public Governance, Performance and Accountability Act 2013;

  4. (d)

    a person or body that is an agency within the meaning of the Freedom of Information Act 1982;

  5. (e)

    a body specified, or the person holding an office specified, in Part I of Schedule 2 to the Freedom of Information Act 1982;

  6. (f)

    a department or authority of a State;

  7. (g)

    a department or authority of a Territory;

  8. (h)

    a partnership formed in Australia;

  9. (i)

    a trust created in Australia;

  10. (j)

    an unincorporated association that:

    1. (i)

      has a governing body; and

    2. (ii)

      has its central management or control in Australia.

Australian Government Digital ID System: see subsection 58(2).

authenticator means the technology for authenticating an individual’s digital ID.

Note: Passwords and cryptographic keys are examples of authenticators.

biometric information of an individual:

  1. (a)

    means information about any measurable biological characteristic relating to an individual that could be used to identify the individual or verify the individual’s identity; and

  2. (b)

    includes biometric templates.

civil penalty provision has the same meaning as in the Regulatory Powers Act.

compliance assessment: see section 131.

cyber security incident means one or more acts, events or circumstances that involve:

  1. (a)

    unauthorised access to, modification of or interference with a system, service or network; or

  2. (b)

    an unauthorised attempt to gain access to, modify or interfere with a system, service or network; or

  3. (c)

    unauthorised impairment of the availability, reliability, security or operation of a system, service or network; or

  4. (d)

    an unauthorised attempt to impair the availability, reliability, security or operation of a system, service or network.

decision‑maker for a reviewable decision means:

  1. (a)

    for a decision under section 27 or 73—the Minister; or

  2. (b)

    for a decision under section 130—the System Administrator; or

  3. (c)

    otherwise—the Digital ID Regulator.

digital ID of an individual means a distinct electronic representation of the individual that enables the individual to be sufficiently distinguished when interacting online with services.

Digital ID Accredited Entities Register means the register kept under section 120.

Digital ID Data Standards means the standards made under section 99.

Digital ID Data Standards Chair means:

  1. (a)

    if a person holds an appointment under section 105—that person; or

  2. (b)

    otherwise—the Minister.

digital ID fraud incident means an act, event or circumstance that:

  1. (a)

    occurs in connection with:

    1. (i)

      an accredited service of an accredited entity; or

    2. (ii)

      a service that a participating relying party is approved to provide, or provide access to, within the Australian Government Digital ID System; and

  2. (b)

    results in any of the following being, or suspected of being, compromised or rendered unreliable:

    1. (i)

      a digital ID of an individual;

    2. (ii)

      an attribute of an individual;

    3. (iii)

      an authenticator relating to an individual;

    4. (iv)

      a representation relating to an attribute of an individual;

    5. (v)

      a representation relating to a digital ID of an individual.

Digital ID Regulator: see section 90.

Digital ID Rules means the rules made under section 168 for the purposes of the provisions in which the term occurs.

digital ID system means a federation of entities that facilitates, manages or relies on services that provide for either or both of the following in an online environment:

  1. (a)

    the verification of the identity of individuals;

  2. (b)

    the authentication of a digital ID of, or information associated with, individuals.

Note: Entities in the federation may include one or more relying parties, identity exchanges, identity service providers, attribute service providers and other kinds of service providers.

digital ID trustmark: see subsection 117(2).

enforcement body has the same meaning as in the Privacy Act 1988.

enforcement related activity has the same meaning as in the Privacy Act 1988.

entity means any of the following:

  1. (a)

    an individual;

  2. (b)

    a body corporate;

  3. (c)

    a Commonwealth entity, or a Commonwealth company, within the meaning of the Public Governance, Performance and Accountability Act 2013;

  4. (d)

    a person or body that is an agency within the meaning of the Freedom of Information Act 1982;

  5. (e)

    a body specified, or the person holding an office specified, in Part I of Schedule 2 to the Freedom of Information Act 1982;

  6. (f)

    a department or authority of a State;

  7. (g)

    a department or authority of a Territory;

  8. (h)

    a partnership;

  9. (i)

    an unincorporated association that has a governing body;

  10. (j)

    a trust.

entrusted person: see subsection 151(2).

identity exchange provider means an entity that provides, or proposes to provide, a service that conveys, manages and coordinates the flow of data or other information between participants in a digital ID system.

identity service provider means an entity that provides, or proposes to provide, a service that:

  1. (a)

    generates, manages, maintains or verifies information relating to the identity of an individual; and

  2. (b)

    generates, binds, manages or distributes authenticators to an individual; and

  3. (c)

    binds, manages or distributes authenticators generated by an individual.

law enforcement agency has the same meaning as in the Australian Crime Commission Act 2002.

one‑to‑many matching: see subsection 48(4).

paid work means work for financial gain or reward (whether as an employee, a self‑employed person or otherwise).

participate: an entity participates in the Australian Government Digital ID System at a particular time if, at that time:

  1. (a)

    the entity holds an approval under section 62 to participate in the system; and

  2. (b)

    either:

    1. (i)

      the entity is directly connected to an accredited entity that is participating in the Australian Government Digital ID System; or

    2. (ii)

      the entity is an accredited entity that is directly connected to a participating relying party.

participating relying party: a relying party is a participating relying party if:

  1. (a)

    the relying party holds an approval under section 62 to participate in the Australian Government Digital ID System; and

  2. (b)

    the participation start day for the relying party has arrived or passed.

participation start day for an entity means the day notified to the entity by the Digital ID Regulator for the purposes of paragraph 62(6)(d) as the day on which the entity must begin to participate in the Australian Government Digital ID System.

personal information:

  1. (a)

    means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

    1. (i)

      whether the information or opinion is true or not; and

    2. (ii)

      whether the information or opinion is recorded in a material form or not; and

  2. (b)

    to the extent not already covered by paragraph (a), includes an attribute of an individual.

privacy impact assessment has the meaning given by subsection 33D(3) of the Privacy Act 1988.

protected information: see subsection 151(4).

Regulatory Powers Act means the Regulatory Powers (Standard Provisions) Act 2014.

relying party means an entity that relies, or seeks to rely, on an attribute of an individual that is provided by an accredited entity to:

  1. (a)

    provide a service to the individual; or

  2. (b)

    enable the individual to access a service.

restricted attribute of an individual: see section 11.

reviewable decision: see section 137.

Secretary means the Secretary of the Department.

security, other than in the following provisions, has its ordinary meaning:

  1. (a)

    subsection 27(1);

  2. (b)

    subsection 73(1);

  3. (c)

    subsection 137(3).

shielded person means a person to whom one or more of the following paragraphs apply:

  1. (a)

    the person has acquired or used an assumed identity under Part IAC of the Crimes Act 1914 or a corresponding assumed identity law within the meaning of that Part;

  2. (b)

    an authority for the person to acquire or use an assumed identity has been granted under that Part or such a law;

  3. (c)

    a witness identity protection certificate has been given for the person under Part IACA of the Crimes Act 1914;

  4. (d)

    a corresponding witness identity protection certificate has been given for the person under a corresponding witness identity protection law within the meaning of Part IACA of the Crimes Act 1914;

  5. (e)

    the person is a participant as defined in the Witness Protection Act 1994;

  6. (f)

    the person is or was on a witness protection program conducted by a State or Territory in which a complementary witness protection law (as defined in the Witness Protection Act 1994) is in force;

  7. (g)

    the person is involved in administering such a program under such a law and the person has acquired an identity under that law.

State or Territory privacy authority means a State or Territory authority (within the meaning of the Privacy Act 1988) that has functions to protect the privacy of individuals (whether or not the authority has other functions).

System Administrator: see section 94.

this Act includes:

  1. (a)

    the Accreditation Rules; and

  2. (b)

    the Digital ID Data Standards; and

  3. (c)

    the Digital ID Rules; and

  4. (d)

    the service levels determined under section 80; and

  5. (e)

    the Regulatory Powers Act as it applies in relation to this Act.

verifiable credential means a tamper‑evident credential with authorship that can be cryptographically verified.

10 Meaning of attribute of an individual

  1. (1)

    An attribute of an individual means information that is associated with the individual, and includes information that is derived from another attribute.

  2. (2)

    Without limiting subsection (1), an attribute of an individual includes the following:

    1. (a)

      the individual’s current or former name;

    2. (b)

      the individual’s current or former address;

    3. (c)

      the individual’s date of birth;

    4. (d)

      information about whether the individual is alive or dead;

    5. (e)

      the individual’s phone number;

    6. (f)

      the individual’s email address;

    7. (g)

      if the individual has a digital ID—the time and date the digital ID was created;

    8. (h)

      biometric information of the individual;

    9. (i)

      a restricted attribute of the individual;

    10. (j)

      information or an opinion about the individual’s:

      1. (i)

        racial or ethnic origin; or

      2. (ii)

        political opinions; or

      3. (iii)

        membership of a political association; or

      4. (iv)

        religious beliefs or affiliations; or

      5. (v)

        philosophical beliefs; or

      6. (vi)

        sexual orientation or practices.

11 Meaning of restricted attribute of an individual

  1. (1)

    A restricted attribute of an individual means:

    1. (a)

      health information (within the meaning of the Privacy Act 1988) about the individual; or

    2. (b)

      an identifier of the individual that has been issued or assigned by or on behalf of:

      1. (i)

        the Commonwealth, a State or a Territory; or

      2. (ii)

        an authority or agency of the Commonwealth, a State or a Territory; or

      3. (iii)

        a government of a foreign country; or

    3. (c)

      information or an opinion about the individual’s criminal record; or

    4. (d)

      information or an opinion about the individual’s membership of a professional or trade association; or

    5. (e)

      information or an opinion about the individual’s membership of a trade union; or

    6. (f)

      other information or opinion that is associated with an individual and is prescribed by the Accreditation Rules.

  2. (2)

    Without limiting paragraph (1)(b), an identifier of an individual includes the following:

    1. (a)

      the individual’s tax file number (within the meaning of section 202A of the Income Tax Assessment Act 1936);

    2. (b)

      the individual’s medicare number (within the meaning of Part VII of the National Health Act 1953);

    3. (c)

      the individual’s healthcare identifier (within the meaning of the Healthcare Identifiers Act 2010);

    4. (d)

      if the person holds a driver’s licence issued under the law of a State or Territory—the number of that driver’s licence.

12 Fit and proper person considerations

In having regard to whether an entity is a fit and proper person for the purposes of this Act, the Digital ID Regulator:

  1. (a)

    must have regard to the matters (if any) specified in the Digital ID Rules; and

  2. (b)

    may have regard to any other matters the Digital ID Regulator considers relevant.

Chapter 2 Accreditation

Part 1 Introduction

13 Simplified outline of this Chapter

The Digital ID Regulator may, on application, accredit certain kinds of entities as accredited attribute service providers, accredited identity exchange providers, accredited identity service providers or entities that provide, or propose to provide, services of a kind prescribed by the Accreditation Rules.

An entity’s accreditation is subject to conditions. Some conditions are imposed by the Act and others may be imposed by the Digital ID Regulator or the Accreditation Rules. Conditions may include restrictions relating to the services an entity is accredited to provide, the manner in which those services must be provided and the kinds of restricted attributes of individuals an entity is authorised to collect or disclose.

The conditions imposed by the Digital ID Regulator on an entity’s accreditation, and the entity’s accreditation itself, can be varied or revoked. Accreditation can also be suspended.

The Minister may give directions to the Digital ID Regulator regarding the accreditation of an entity if, for reasons of security, the Minister considers it appropriate to do so. The Digital ID Regulator must comply with such directions.

An accredited entity must deactivate a digital ID of an individual if requested to do so, and must comply with requirements relating to the accessibility and useability of accredited services.

Part 2 Accreditation

Division 1 Applying for accreditation

14 Application for accreditation
  1. (1)

    An entity covered by subsection (2) may apply to the Digital ID Regulator for accreditation as one or more of the following kinds of accredited entities:

    1. (a)

      an accredited attribute service provider;

    2. (b)

      an accredited identity exchange provider;

    3. (c)

      an accredited identity service provider;

    4. (d)

      an entity that provides, or proposes to provide, a service of a kind prescribed by the Accreditation Rules.

  2. (2)

    An entity is covered by this section if the entity is one of the following:

    1. (a)

      a body corporate incorporated by or under a law of the Commonwealth or a State or Territory;

    2. (b)

      a registered foreign company within the meaning of the Corporations Act 2001;

    3. (c)

      a Commonwealth entity, or a Commonwealth company, within the meaning of the Public Governance, Performance and Accountability Act 2013;

    4. (d)

      a person or body that is an agency within the meaning of the Freedom of Information Act 1982;

    5. (e)

      a body specified, or the person holding an office specified, in Part I of Schedule 2 to the Freedom of Information Act 1982;

    6. (f)

      a department or authority of a State;

    7. (g)

      a department or authority of a Territory.

Division 2 Accreditation

15 Digital ID Regulator must decide whether to accredit an entity
  1. (1)

    This section applies if an entity has made an application under section 14 for accreditation as an accredited entity.

  2. (2)

    The Digital ID Regulator must decide:

    1. (a)

      to accredit the entity; or

    2. (b)

      to refuse to accredit the entity.

  3. (3)

    The Digital ID Regulator must not accredit an entity:

    1. (a)

      as an accredited attribute service provider unless the entity provides, or will provide, some or all of the services described in the definition of attribute service provider; or

    2. (b)

      as an accredited identity exchange provider unless the entity provides, or will provide, some or all of the services described in the definition of identity exchange provider; or

    3. (c)

      as an accredited identity service provider unless the entity provides, or will provide, some or all of the services described in the definition of identity service provider; or

    4. (d)

      if Accreditation Rules made for the purposes of paragraph 14(1)(d) prescribe services—as an entity that provides services of the kind prescribed unless the entity provides, or will provide, some or all of the services of that kind.

  4. (4)

    The Digital ID Regulator must not accredit an entity if:

    1. (a)

      a direction under subsection 27(1) (about security) directing the Digital ID Regulator to refuse to accredit the entity is in force; or

    2. (b)

      the Digital ID Regulator is not satisfied that the entity is able to comply with this Act; or

    3. (c)

      Accreditation Rules made for the purposes of section 28 require specified criteria to be met and the entity does not meet the criteria; or

    4. (d)

      Accreditation Rules made for the purposes of section 28 require the Digital ID Regulator to be satisfied of specified matters and the Digital ID Regulator is not satisfied of those matters.

  5. (5)

    In deciding whether to accredit the entity, the Digital ID Regulator:

    1. (a)

      must have regard to the matters (if any) prescribed by the Accreditation Rules; and

    2. (b)

      may have regard to the following:

      1. (i)

        whether the entity is a fit and proper person;

      2. (ii)

        any other matters the Digital ID Regulator considers relevant.

    Note: In having regard to whether an entity is a fit and proper person for the purposes of subparagraph (b)(i), the Digital ID Regulator must have regard to any matters specified in the Digital ID Rules and may have regard to any other matters considered relevant (see section 12).

  6. (6)

    The Digital ID Regulator must:

    1. (a)

      give written notice of a decision to accredit, or to refuse to accredit, the entity; and

    2. (b)

      if the decision is to refuse to accredit the entity—give reasons for the decision to the entity.

  7. (7)

    If the Digital ID Regulator decides to accredit the entity, the notice must also set out the following:

    1. (a)

      the kind or kinds of accredited entity that the entity is accredited as;

    2. (b)

      the day the accreditation comes into force;

    3. (c)

      any conditions imposed on the entity’s accreditation under subsection 17(2).

16 Accreditation is subject to conditions
  1. (1)

    The accreditation of an entity as an accredited entity is subject to the following conditions (the accreditation conditions):

    1. (a)

      the conditions set out in subsection 17(1);

    2. (b)

      the conditions (if any) imposed by the Digital ID Regulator under subsection 17(2), including as varied under subsection 20(1);

    3. (c)

      the conditions (if any) determined by the Accreditation Rules under subsection 17(5).

  2. (2)

    An accredited entity must comply with the accreditation conditions that apply to the entity.

    Note: Failure to comply with an accreditation condition may result in a suspension or revocation of the entity’s accreditation (see sections 25 and 26).

17 Conditions on accreditation

Conditions imposed by the Act

  1. (1)

    The accreditation of an entity as an accredited entity is subject to the condition that the accredited entity must comply with this Act.

Conditions imposed by the Digital ID Regulator

  1. (2)

    The Digital ID Regulator:

    1. (a)

      may impose conditions on the accreditation of an entity, either at the time of accreditation or at a later time, if the Digital ID Regulator considers that doing so is appropriate in the circumstances; and

    2. (b)

      must impose conditions on the accreditation of an entity, either at the time of accreditation or at a later time, if directed to do so under subsection 27(1).

  2. (3)

    Conditions may be imposed under paragraph (2)(a) on application by the entity or on the Digital ID Regulator’s own initiative.

  3. (4)

    Without limiting paragraph (2)(a), the Digital ID Regulator may impose conditions relating to the following:

    1. (a)

      any limitations, exclusions or restrictions in relation to the accredited services of the entity;

    2. (b)

      the circumstances or manner in which the accredited services of the entity must be provided;

    3. (c)

      the kinds of restricted attributes of individuals (if any) that the entity is authorised to collect or disclose and the circumstances in which such attributes may be collected or disclosed;

    1. (d)

      the kinds of restricted attributes of individuals (if any) that the entity must not collect;

    2. (e)

      the kinds of biometric information (if any) of an individual the entity is authorised to collect, use or disclose and the circumstances in which such information may be collected, used or disclosed;

    3. (f)

      the entity’s information technology systems through which the entity’s accredited services are provided, including restrictions on changes to such systems;

    4. (g)

      actions that the entity must take before the entity’s accreditation is suspended or revoked.

Conditions imposed by the Accreditation Rules

  1. (5)

    The Accreditation Rules may determine that the accreditation of each accredited entity, or each accredited entity included in a specified class, is subject to specified conditions.

  2. (6)

    Without limiting subsection (5), the Accreditation Rules may impose conditions relating to the matters in subsection (4).

18 Conditions relating to restricted attributes of individuals

Matters to which the Digital ID Regulator must have regard before authorising disclosure etc. of restricted attributes

  1. (1)

    Subsection (2) applies if the Digital ID Regulator proposes to impose a condition on an entity’s accreditation authorising the entity to collect or disclose a restricted attribute of an individual.

  2. (2)

    In deciding whether to impose the condition, the Digital ID Regulator must have regard to the following matters:

    1. (a)

      whether the entity has provided sufficient justification for the need to collect or disclose the restricted attribute;

    2. (b)

      whether the entity has demonstrated that a similar outcome cannot be achieved without collecting or disclosing the restricted attribute;

    3. (c)

      if the collection or disclosure of the restricted attribute is regulated by other legislative or regulatory requirements—whether the entity would be able to comply with those requirements if the condition were imposed;

    4. (d)

      the potential harm that could result if restricted attributes of that kind were disclosed to an entity that was not authorised to collect them;

    5. (e)

      community expectations as to whether restricted attributes of that kind should be handled more securely than other kinds of attributes;

    6. (f)

      any of the following information provided by the entity seeking authorisation to collect or disclose the restricted attribute:

      1. (i)

        the entity’s risk assessment plan as it relates to the restricted attribute;

      2. (ii)

        the entity’s privacy impact assessment as it relates to the restricted attribute;

      3. (iii)

        the effectiveness of the entity’s protective security (including security governance, information security, personnel security and physical security), privacy arrangements and fraud control arrangements;

      4. (iv)

        if the entity is not a participating relying party—the arrangements in place between the entity and relying parties for the protection of the restricted attribute from further disclosure;

    7. (g)

      any other matter the Digital ID Regulator considers relevant.

Requirement to give statement of reasons if authorisation given

  1. (3)

    If the Digital ID Regulator imposes the condition authorising the entity to collect or disclose a restricted attribute of an individual, the Digital ID Regulator must publish on the Digital ID Regulator’s website a statement of reasons for giving the authorisation.

19 Requirements before Accreditation Rules impose conditions relating to restricted attributes or biometric information of individuals

  1. (1)

    Subsection (2) applies if the Minister proposes to make Accreditation Rules for the purposes of subsection 17(5) providing that accredited entities, or specified kinds of accredited entities, are authorised to:

    1. (a)

      collect or disclose restricted attributes of individuals; or

    2. (b)

      collect, use or disclose biometric information of individuals.

    Note: The Minister must also consult the Information Commissioner before making such rules (see paragraph 169(1)(b)).

  2. (2)

    In deciding whether to make the rules, the Minister must have regard to the following matters:

    1. (a)

      the potential harm that could result if the information were disclosed to an entity;

    2. (b)

      community expectations about the collection, use or disclosure of the information;

    3. (c)

      if the collection or disclosure of the restricted attribute is regulated by other legislative or regulatory requirements—whether the entities would be able to comply with those requirements if the rules were made;

    4. (d)

      any privacy impact assessment that has been conducted in relation to the proposal to make the rules;

    5. (e)

      any other matter the Minister considers relevant.

20 Variation and revocation of conditions on accreditation

  1. (1)

    The Digital ID Regulator may vary or revoke a condition imposed on an entity’s accreditation under paragraph 17(2)(a):

    1. (a)

      at any time, on the Digital ID Regulator’s own initiative; or

    2. (b)

      on application by the entity under section 21;

    if the Digital ID Regulator considers it is appropriate to do so.

  1. (2)

    Without limiting subsection (1), the Digital ID Regulator may have regard to matters relating to the security, reliability and stability of the Australian Government Digital ID System when considering whether it is appropriate to vary or revoke a condition.

  2. (3)

    The Digital ID Regulator must revoke a condition imposed under paragraph 17(2)(b) if the direction to impose the condition is revoked.

21 Applying for variation or revocation of conditions on accreditation

  1. (1)

    An accredited entity may apply for a condition imposed on the entity’s accreditation under paragraph 17(2)(a) to be varied or revoked.

    Note: See Part 5 of Chapter 9 for matters relating to applications.

  2. (2)

    If, after receiving an application under subsection (1), the Digital ID Regulator refuses to vary or revoke a condition, the Digital ID Regulator must give to the entity written notice of the refusal, including reasons for the refusal.

22 Notice before changes to conditions on accreditation

  1. (1)

    The Digital ID Regulator must not, on the Digital ID Regulator’s own initiative:

    1. (a)

      impose a condition under paragraph 17(2)(a) on an entity’s accreditation after the entity has been accredited; or

    2. (b)

      vary or revoke a condition under subsection 20(1);

    unless the Digital ID Regulator has given the entity a written notice in accordance with subsection (2) of this section.

  1. (2)

    The notice must:

    1. (a)

      state the proposed condition, variation or revocation; and

    2. (b)

      request the entity to give the Digital ID Regulator, within the period specified in the notice, a written statement relating to the proposed condition, variation or revocation.

  2. (3)

    The Digital ID Regulator must consider any written statement given within the period specified in the notice before making a decision to:

    1. (a)

      impose a condition under paragraph 17(2)(a) on an entity’s accreditation; or

    2. (b)

      vary or revoke a condition under subsection 20(1) on an entity’s accreditation.

  3. (4)

    This section does not apply if the Digital ID Regulator reasonably believes that the need to impose, vary or revoke the condition is serious and urgent.

  4. (5)

    If this section does not apply to an entity because of subsection (4), the Digital ID Regulator must give a written statement of reasons to the entity as to why the Digital ID Regulator reasonably believes that the need to impose, vary or revoke the condition is serious and urgent.

  5. (6)

    The statement of reasons under subsection (5) must be given within 7 days after the condition is imposed, varied or revoked.

23 Notice of decision of changes to conditions on accreditation

  1. (1)

    Subject to subsection (2), the Digital ID Regulator must give an entity written notice of a decision to impose, vary or revoke a condition on an entity’s accreditation.

  2. (2)

    The Digital ID Regulator is not required to give an entity notice of the decision if notice of the condition was given in a notice under subsection 15(7).

  3. (3)

    The notice must:

    1. (a)

      state the condition or the variation, or state that the condition is revoked; and

    2. (b)

      state the day on which the condition, variation or revocation takes effect.

Division 3 Varying, suspending and revoking accreditation

24 Varying accreditation

The Digital ID Regulator may vary the accreditation of an accredited entity to take account of a change in the accredited entity’s name.

Note: The Digital ID Regulator can also vary conditions on accreditation (see section 20).

25 Suspension of accreditation

Digital ID Regulator must suspend accreditation if Minister’s direction about suspension is in force

  1. (1)

    The Digital ID Regulator must, in writing, suspend the accreditation of an accredited entity if a direction under subsection 27(1) directing the Digital ID Regulator to do so is in force in relation to the entity.

Digital ID Regulator may decide to suspend accreditation in other circumstances

  1. (2)

    The Digital ID Regulator may, in writing, suspend the accreditation of an accredited entity if:

    1. (a)

      the Digital ID Regulator reasonably believes that the accredited entity has contravened or is contravening this Act; or

    2. (b)

      the Digital ID Regulator reasonably believes that there has been a cyber security incident involving the entity; or

    3. (c)

      the Digital ID Regulator reasonably believes that a cyber security incident involving the entity is imminent; or

    4. (d)

      if the entity is a body corporate—the entity becomes a Chapter 5 body corporate (within the meaning of the Corporations Act 2001); or

    5. (e)

      the Digital ID Regulator is satisfied that it is not appropriate for the entity to be an accredited entity; or

    6. (f)

      circumstances specified in the Accreditation Rules apply in relation to the entity.

    Note: The Digital ID Regulator may impose conditions on an entity’s accreditation before suspending it (see paragraph 17(4)(g)) and can give directions to give effect to a decision to suspend an entity’s accreditation (see paragraph 127(1)(b)).

  2. (3)

    The reference to cyber security incident in paragraph (2)(b) does not include acts, events or circumstances covered by paragraph (b) or (d) of the definition of that term unless the Digital ID Regulator is satisfied that the attempts referred to in those paragraphs involve an unacceptable risk to the provision of the entity’s accredited services.

  1. (4)

    In determining whether the Digital ID Regulator is satisfied of the matter in paragraph (2)(e), regard may be had to whether the entity is a fit and proper person.

    Note: In having regard to whether an entity is a fit and proper person, the Digital ID Regulator must have regard to any matters specified in the Digital ID Rules and may have regard to any other matters considered relevant (see section 12).

  2. (5)

    Subsection (4) does not limit paragraph (2)(e).

Digital ID Regulator may suspend accreditation on application

  1. (6)

    The Digital ID Regulator may, on application by an accredited entity, suspend the accreditation of the entity.

    Note: See Part 5 of Chapter 9 for matters relating to applications.

Show cause notice must generally be given before decision to suspend

  1. (7)

    Before suspending the accreditation of an entity under subsection (2), the Digital ID Regulator must give a written notice (a show cause notice) to the entity.

  2. (8)

    The show cause notice must:

    1. (a)

      state the grounds on which the Digital ID Regulator proposes to suspend the entity’s accreditation; and

    2. (b)

      invite the entity to give the Digital ID Regulator, within 28 days after the day the notice is given, a written statement showing cause why the Digital ID Regulator should not suspend the accreditation.

Exception—cyber security incident

  1. (9)

    Subsection (7) does not apply if the suspension is on a ground mentioned in paragraph (2)(b) or (c).

Notice of suspension

  1. (10)

    If the Digital ID Regulator suspends an entity’s accreditation under subsection (1), (2) or (6), the Digital ID Regulator must give the entity a written notice stating the following:

    1. (a)

      that the entity’s accreditation is suspended;

    2. (b)

      if the entity is accredited as more than one kind of accredited entity—the accreditation that is suspended;

    3. (c)

      the reasons for the suspension;

    4. (d)

      the day the suspension is to start;

    5. (e)

      if the accreditation is suspended for a period—the period of the suspension;

    6. (f)

      if the accreditation is suspended until a specified event occurs or action is taken—the event or action.

Effect of suspension

  1. (11)

    If an entity’s accreditation is suspended under this section:

    1. (a)

      the entity is taken not to be accredited while the suspension is in force; and

    2. (b)

      if the entity holds an approval to participate in the Australian Government Digital ID System as an accredited entity—the entity is taken not to hold that approval while the entity’s accreditation is suspended.

Revocation of suspension

  1. (12)

    If the Digital ID Regulator suspends an entity’s accreditation under subsection (2), the Regulator may revoke the suspension by written notice to the entity.

  2. (13)

    If the Digital ID Regulator suspends an entity’s accreditation under subsection (6), the Regulator must revoke the suspension by written notice to the entity if the entity requests the suspension be revoked.

  3. (14)

    A notice given under subsection (12) or (13) must specify the day the revocation takes effect.

26 Revocation of accreditation

Digital ID Regulator must revoke accreditation if Minister gives a direction to do so

  1. (1)

    The Digital ID Regulator must, in writing, revoke the accreditation of an accredited entity if the Minister gives a direction under subsection 27(1) to do so.

Revocation on Digital ID Regulator’s own initiative

  1. (2)

    The Digital ID Regulator may, in writing, revoke an entity’s accreditation if:

    1. (a)

      the Digital ID Regulator reasonably believes that the accredited entity has contravened or is contravening this Act; or

    2. (b)

      the Digital ID Regulator reasonably believes that:

      1. (i)

        there has been a cyber security incident involving the entity; and

      2. (ii)

        the cyber security incident is serious; or

    3. (c)

      if the entity is a body corporate—the entity becomes a Chapter 5 body corporate (within the meaning of the Corporations Act 2001); or

    4. (d)

      the Digital ID Regulator is satisfied that it is not appropriate for the entity to be an accredited entity; or

    5. (e)

      circumstances specified in the Accreditation Rules apply in relation to the entity.

    Note: The Digital ID Regulator may impose conditions on an entity’s accreditation before revoking it (see paragraph 17(4)(g)) and can give directions to give effect to a decision to revoke an entity’s accreditation (see paragraph 127(1)(b)).

  2. (3)

    In determining whether the Digital ID Regulator is satisfied of the matter in paragraph (2)(d), regard may be had to whether the entity is a fit and proper person.

    Note: In having regard to whether an entity is a fit and proper person, the Digital ID Regulator must have regard to any matters specified in the Digital ID Rules and may have regard to any other matters considered relevant (see section 12).

  3. (4)

    Subsection (3) does not limit paragraph (2)(d).

Revocation on application

  1. (5)

    The Digital ID Regulator must, on application by an entity, revoke the entity’s accreditation.

    Note: See Part 5 of Chapter 9 for matters relating to applications.

Date of effect

  1. (6)

    The revocation takes effect on the day determined by the Digital ID Regulator.

Approval must also be revoked

  1. (7)

    If:

    1. (a)

      an entity’s accreditation is revoked under subsection (1), (2) or (5); and

    2. (b)

      the entity holds an approval to participate in the Australian Government Digital ID System;

    the Digital ID Regulator must at the same time revoke the entity’s approval to participate as an accredited entity.

Show cause notice must generally be given before decision to revoke

  1. (8)

    Before revoking the accreditation of an entity under subsection (2), the Digital ID Regulator must give a written notice (a show cause notice) to the entity.

  2. (9)

    The show cause notice must:

    1. (a)

      state the grounds on which the Digital ID Regulator proposes to revoke the entity’s accreditation; and

    2. (b)

      invite the entity to give the Digital ID Regulator, within 28 days after the day the notice is given, a written statement showing cause why the Digital ID Regulator should not revoke the accreditation.

Exception—cyber security incident

  1. (10)

    Subsection (8) does not apply if the revocation is on a ground mentioned in paragraph (2)(b).

Notice of revocation

  1. (11)

    If the Digital ID Regulator is to revoke an entity’s accreditation under subsection (1), (2) or (5), the Digital ID Regulator must give the entity a written notice stating the following:

    1. (a)

      that the entity’s accreditation is to be revoked;

    2. (b)

      if the entity is accredited as more than one kind of accredited entity—the accreditation that is to be revoked;

    3. (c)

      the reasons for the revocation;

    4. (d)

      the day the revocation is to take effect.

Accreditation can be revoked even while suspended

  1. (12)

    Despite paragraph 25(11)(a), the Digital ID Regulator may revoke an entity’s accreditation under this section even if a suspension is in force under section 25 in relation to the entity.

Division 4 Minister’s directions regarding accreditation

27 Minister’s directions regarding accreditation

  1. (1)

    The Minister may, in writing, direct the Digital ID Regulator to do any of the following if, for reasons of security (within the meaning of the Australian Security Intelligence Organisation Act 1979), including on the basis of an adverse or qualified security assessment in respect of a person, the Minister considers it appropriate to do so:

    1. (a)

      refuse to accredit an entity;

    2. (b)

      impose conditions on the accreditation of an entity;

    3. (c)

      suspend the accreditation of an accredited entity;

    4. (d)

      revoke the accreditation of an accredited entity.

  2. (2)

    If the Minister gives a direction under subsection (1), the Digital ID Regulator must comply with the direction.

  3. (3)

    The direction remains in force unless it is revoked by the Minister. The Minister must notify the Digital ID Regulator and the entity if the Minister revokes the direction.

  4. (4)

    Despite subsection (3), a direction given under subsection (1) to revoke the accreditation of an accredited entity cannot be revoked.

  5. (5)

    A direction given under this section is not a legislative instrument.

Division 5 Accreditation Rules

28 Accreditation Rules

  1. (1)

    The Accreditation Rules must provide for and in relation to matters concerning the accreditation of entities.

  2. (2)

    Without limiting subsection (1), the Accreditation Rules may deal with the following matters:

    1. (a)

      requirements that entities must meet in order to become and remain an accredited entity, including requirements relating to the following:

      1. (i)

        privacy;

      2. (ii)

        security;

      3. (iii)

        fraud control;

      4. (iv)

        incident management and reporting;

      5. (v)

        disaster recovery;

      6. (vi)

        user experience and inclusion;

    2. (b)

      without limiting paragraph (a), requirements relating to the conduct of, and reporting on, privacy impact assessments, fraud assessments and security assessments;

    3. (c)

      technical, data or design standards relating to the provision of accredited services of accredited entities;

    4. (d)

      without limiting paragraph (c), standards relating to the testing of the information technology systems of entities;

    5. (e)

      the conduct of periodic reviews of an entity’s compliance with specified requirements of the Accreditation Rules, including the timing of such reviews, who is to conduct such reviews and the provision of reports about such reviews to the Digital ID Regulator;

    6. (f)

      the obligations of accredited entities in relation to monitoring their compliance with this Act;

    7. (g)

      requirements relating to the collection, holding, use and disclosure of personal information of individuals;

    8. (h)

      matters relating to representatives or nominees of individuals in relation to the creation, maintenance or deactivation of digital IDs of individuals;

    9. (i)

      requirements or restrictions relating to the generation of digital IDs for children.

    Note: In relation to subparagraph (2)(a)(iv), the Digital ID Rules may also provide for such arrangements in relation to incidents that occur within the Australian Government Digital ID System (see subsection 78(1)).

Division 6 Other matters relating to accreditation

29 Digital IDs must be deactivated on request

  1. (1)

    This section applies if an accredited identity service provider generates a digital ID of an individual.

  2. (2)

    The accredited identity service provider must, if requested to do so by the individual, deactivate the digital ID of the individual as soon as practicable after receiving the request.

  3. (3)

    If a digital ID of an individual is deactivated under subsection (2), the digital ID of the individual:

    1. (a)

      must not be used by the accredited identity service provider for verifying the identity of the individual or authenticating a digital ID of the individual; and

    2. (b)

      if it can be reactivated, must not be reactivated by the accredited identity service provider without the express consent of the individual.

30 Accredited services must be accessible and inclusive

  1. (1AA)

    An accredited entity must take reasonable steps to ensure that its accredited services are accessible for individuals who experience barriers when creating or using a digital ID.

  2. (1)

    The Accreditation Rules must provide for and in relation to requirements relating to the accessibility and useability of the accredited services of accredited entities.

  1. (2)

    Without limiting subsection (1), the Accreditation Rules must:

    1. (a)

      require accredited entities, or specified kinds of accredited entities, to comply with specified accessibility standards; and

    2. (b)

      require accredited entities, or specified kinds of accredited entities, to have regard to specified accessibility guidelines; and

    3. (c)

      require accredited entities, or specified kinds of accredited entities, to conduct useability testing with a diverse range of individuals, covering diversity in disability, age, gender and ethnicity; and

    4. (d)

      specify requirements relating to device or browser access; and

    5. (e)

      specify requirements relating to the provision of support or assistance for individuals who may experience barriers when creating or using a digital ID.

31 Prohibition on holding out that an entity is accredited

An entity must not hold out that the entity is an accredited entity if that is not the case.

Civil penalty: 1,000 penalty units.

Chapter 3 Privacy

Part 1 Introduction

32 Simplified outline of this Chapter

When providing accredited services, accredited entities must comply with certain privacy safeguards. These safeguards are in addition to, and build on, the safeguards contained in the Privacy Act 1988.

An accredited entity may be liable to a civil penalty if certain privacy safeguards are breached, such as collecting certain attributes of individuals such as their political opinions or racial origin. There are restrictions on collecting, using or disclosing biometric information of individuals and on data profiling to track online behaviour is prohibited.

33 Chapter applies to accredited entities only to extent entity is providing accredited services

This Chapter applies to an accredited entity only to the extent the entity is providing its accredited services.

34 APP‑equivalent agreements

  1. (1)

    The Minister may, on behalf of the Commonwealth, enter into an agreement (an APP‑equivalent agreement) with an entity covered by subsection (2) that prohibits the entity from collecting, holding, using or disclosing personal information in any way that would, if the entity were an organisation within the meaning of the Privacy Act 1988, breach an Australian Privacy Principle.

  2. (2)

    The entities are as follows:

    1. (a)

      a department or authority of a State;

    2. (b)

      a department or authority of a Territory.

  3. (3)

    The Minister must provide the Information Commissioner with a copy of an APP‑equivalent agreement within 14 days after it is entered into.

Part 2 Privacy

Division 1 Interaction with the Privacy Act 1988

35 Extended meaning of personal information in relation to accredited entities

To the extent not already covered by the definition of personal information within the Privacy Act 1988, attributes of individuals, to the extent that they are in the possession or control of accredited entities, are taken, for the purposes of that Act, to be personal information about an individual.

Note 1: This section has the effect of extending the meaning of personal information in the Privacy Act 1988 as it applies to accredited entities to mirror the meaning of that term as it is used in this Act (see section 9).

Note 2: This means that the requirements in the Privacy Act 1988 about collecting, using and disclosing personal information under that Act extend to attributes of individuals to the extent that information is in the possession or control of accredited entities. However, this applies only to the extent the information is collected, used or disclosed when those entities are providing their accredited services (see section 33).

35A Small business operator that is an accredited entity

  1. (1)

    If a small business operator is an accredited entity, the Privacy Act 1988 applies, with the prescribed modifications (if any), in relation to the small business operator as if it were an organisation.

  2. (2)

    In this section:

    organisation has the same meaning as in the Privacy Act 1988.

    prescribed modifications means modifications prescribed by the Digital ID Rules for the purposes of this definition.

    small business operator has the same meaning as in the Privacy Act 1988.

36 Privacy obligations for non‑APP entities

  1. (1)

    This section applies to an accredited entity that is not an APP entity.

    Note: The obligations of accredited entities that are APP entities in relation to the handling of personal information are set out in the Privacy Act 1988.

  2. (2)

    The accredited entity must not do an act or engage in a practice with respect to personal information unless:

    1. (a)

      the Privacy Act 1988 applies in relation to the act or practice as if the entity were an organisation within the meaning of that Act; or

    2. (b)

      a law of a State or Territory that provides for all of the following applies in relation to the act or practice:

      1. (i)

        protection of personal information comparable to that provided by the Australian Privacy Principles;

      2. (ii)

        monitoring of compliance with the law;

      3. (iii)

        a means for an individual to seek recourse if the individual’s personal information is dealt with in a way contrary to the law; or

    3. (c)

      all of the following apply:

      1. (i)

        neither paragraph (a) nor (b) apply to the acts or practices of the entity;

      2. (ii)

        the entity has an APP‑equivalent agreement with the Commonwealth;

      3. (iii)

        the agreement includes a term that prohibits the entity from collecting, holding, using or disclosing personal information in any way that would, if the entity were an organisation within the meaning of the Privacy Act 1988, breach an Australian Privacy Principle.

37 Contraventions of privacy obligations in APP‑equivalent agreements

  1. (1)

    This section applies to an entity if the entity has an APP‑equivalent agreement with the Commonwealth.

  2. (2)

    An act or practice of the entity that contravenes a term of the agreement in relation to an individual and collecting, holding, using or disclosing their personal information is taken to be:

    1. (a)

      an interference with the privacy of the individual for the purposes of the Privacy Act 1988; and

    2. (b)

      covered by sections 13, 13G and 13H of that Act.

    Note: An act or practice that is, or may be, an interference with privacy may be the subject of a complaint under section 36 of the Privacy Act 1988.

  3. (3)

    The entity is taken, for the purposes of Part V of the Privacy Act 1988 and any other provision of that Act that relates to that Part, to be an organisation (within the meaning of that Act) if:

    1. (a)

      an act or practice of the entity has contravened, or may have contravened, the term of the agreement in relation to an individual; and

    2. (b)

      the act or practice is the subject of a complaint to, or an investigation by, the Information Commissioner under Part V of the Privacy Act 1988.

  4. (4)

    Sections 80V and 80W of the Privacy Act 1988 apply in relation to the term of the agreement as if the term were a provision of that Act.

38 Contraventions of Division 2 and section 136 are interferences with privacy

  1. (1)

    An act or practice of an accredited entity that contravenes a provision of Division 2 of this Part or section 136 in relation to personal information about an individual is taken to be:

    1. (a)

      an interference with the privacy of the individual for the purposes of the Privacy Act 1988; and

    2. (b)

      covered by sections 13, 13G and 13H of that Act.

    Note: An act or practice that is, or may be, an interference with privacy may be the subject of a complaint under section 36 of the Privacy Act 1988.

  2. (2)

    The respondent to a complaint under the Privacy Act 1988 about the act or practice, other than an act or practice of an agency or organisation, is the entity that engaged in the act or practice.

  3. (3)

    The entity is taken, for the purposes of Part V of the Privacy Act 1988 and any other provision of that Act that relates to that Part, to be an organisation if:

    1. (a)

      the act or practice of the entity that contravenes a provision of Division 2 of this Part or section 136 is the subject of a complaint to, or an investigation by, the Information Commissioner under Part V of the Privacy Act 1988; and

    2. (b)

      the entity is not an agency or organisation.

  4. (4)

    In this section:

agency has the same meaning as in the Privacy Act 1988.

organisation has the same meaning as in the Privacy Act 1988.

39 Notification of eligible data breaches – accredited entities that are APP entities
  1. (1)

    This section applies to an accredited entity if the entity:

    1. (a)

      is an APP entity; and

    2. (b)

      is aware that there are reasonable grounds to believe that there has been an eligible data breach (within the meaning of the Privacy Act 1988) of the entity relating to the entity’s accredited services; and

    3. (c)

      is required under section 26WK of the Privacy Act 1988 to give the Information Commissioner a statement that complies with subsection 26WK(3) of that Act.

  2. (2)

    The entity must also give a copy of the statement to the Digital ID Regulator at the same time as the statement is given to the Information Commissioner.

40 Notification of eligible data breaches – accredited entities that are not APP entities
  1. (1)

    This section applies to an accredited entity that is not an APP entity.

  2. (2)

    Despite subsection (1), this section does not apply to an accredited entity if:

    1. (a)

      the entity is a department or authority of a State or Territory; and

    2. (b)

      a law of the State or Territory provides for a scheme for the notification of data breaches that:

      1. (i)

        covers the entity; and

      2. (ii)

        is comparable to the scheme provided for in Part IIIC of the Privacy Act 1988.

    Note: See section 41 for requirements in relation to these entities.

  1. (3)

    Part IIIC of the Privacy Act 1988, and any other provision of that Act that relates to that Part, apply in relation to the accredited entity as if the entity were an APP entity.

  2. (4)

    If:

    1. (a)

      the accredited entity is aware that there are reasonable grounds to believe that there has been an eligible data breach (within the meaning of the Privacy Act 1988) of the entity relating to the entity’s accredited services; and

    2. (b)

      because of the operation of subsection (3) of this section, the entity is required under section 26WK of that Act to give the Information Commissioner a statement that complies with subsection 26WK(3) of that Act;

the entity must also give a copy of the statement to the Digital ID Regulator at the same time as the statement is given to the Information Commissioner.

41 Notification of corresponding data breaches – accredited State or Territory entities that are not APP entities
  1. (1)

    This section applies to an accredited entity if:

    1. (a)

      the entity is not an APP entity; and

    2. (b)

      the entity is a department or authority of a State or Territory; and

    3. (c)

      the entity is required under a law of the State or Territory to give a statement (however described) that corresponds to section 26WK of the Privacy Act 1988 to another entity (the notified entity); and

    4. (d)

      the statement relates to the accredited services of the entity.

  2. (2)

    The entity must also give a copy of the statement to the Digital ID Regulator and the Information Commissioner at the same time as the statement is given to the notified entity.

42 Additional function of the Information Commissioner

In addition to the Information Commissioner’s functions under the Privacy Act 1988, the Information Commissioner has the function of providing advice, on request by the Digital ID Regulator, on matters relating to the operation of this Act.

43 Information Commissioner may share information

Sections 33A and 33B of the Privacy Act 1988 apply as if a reference in those sections to that Act included a reference to this Act.

Note: Sections 33A and 33B of the Privacy Act 1988 allow the Information Commissioner to share information acquired in the course of exercising powers, or performing functions or duties, under that Act in certain circumstances.

Division 2 Additional privacy safeguards

44 Collection of certain attributes of individuals is prohibited

  1. (1)

    An accredited entity must not collect any of the following attributes of an individual:

    1. (a)

      information or an opinion about an individual’s racial or ethnic origin;

    2. (b)

      information or an opinion about an individual’s political opinions;

    3. (c)

      information or an opinion about an individual’s membership of a political association;

    4. (d)

      information or an opinion about an individual’s religious beliefs or affiliations;

    5. (e)

      information or an opinion about an individual’s philosophical beliefs;

    6. (f)

      information or an opinion about an individual’s sexual orientation or practices.

    Civil penalty: 1,500 penalty units.

  2. (2)

    Subsection (1) does not apply if the accredited entity:

    1. (a)

      did not solicit the attribute of the individual; and

    2. (b)

      destroys the attribute, as soon as practicable, after becoming aware the accredited entity has collected the attribute.

    Note: A person who wishes to rely on this subsection bears an evidential burden in relation to the matters in this subsection (see section 96 of the Regulatory Powers Act).

  3. (3)

    Subsection (1) does not prevent other kinds of attributes (permitted attributes) of individuals from being collected if the permitted attributes are not primarily of the kind described in subsection (1), even if attributes of the kind described in that subsection can reasonably be inferred from the permitted attributes.

    Example: Even if an individual’s racial or ethnic origin can reasonably be inferred from the individual’s name or place of birth, this does not prevent the individual’s name or place of birth from being collected.

  4. (4)

    In this section:

solicits: an accredited entity solicits an attribute of an individual if the accredited entity requests another entity to provide the attribute, or to provide information that includes the attribute.

45 Individuals must expressly consent to disclosure of certain attributes of individuals to relying parties

When verifying the identity of an individual or authenticating a digital ID of, or information about, an individual to a relying party, an accredited entity must not disclose any of the following attributes of the individual to the relying party without the express consent of the individual:

  1. (a)

    the individual’s current name or former name;

  2. (b)

    the individual’s address;

  3. (c)

    the individual’s date of birth;

  4. (d)

    the individual’s phone number;

  5. (e)

    the individual’s email address;

  6. (f)

    an attribute of a kind prescribed by the Accreditation Rules.

Civil penalty: 1,500 penalty units.

46 Disclosure of restricted attributes of individuals
  1. (1)

    When verifying the identity of an individual or authenticating a digital ID of, or information about, an individual to a relying party, an accredited entity must not disclose a restricted attribute of the individual to the relying party without the express consent of the individual.

    Civil penalty: 1,500 penalty units.

  2. (2)

    An accredited entity must not disclose a restricted attribute of an individual to a relying party that is not a participating relying party if the accredited entity’s conditions on accreditation do not include an authorisation to disclose the restricted attribute to the relying party.

    Civil penalty: 1,500 penalty units.

47 Restricting disclosure of unique identifiers
  1. (1)

    This section applies if:

    1. (a)

      an accredited entity (the assigning entity) assigns a unique identifier to an individual within a digital ID system; and

    2. (b)

      the assigning entity discloses the unique identifier to another accredited entity or to a relying party.

  2. (2)

    The assigning entity must not disclose the unique identifier to any other entity other than:

    1. (a)

      if the unique identifier was disclosed to another accredited entity—the other accredited entity; or

    2. (b)

      if the unique identifier was disclosed to a relying party—the relying party.

    Civil penalty: 1,500 penalty units.

  3. (3)

    The accredited entity to whom the unique identifier is disclosed must not disclose the unique identifier to any other entity.

    Civil penalty: 1,500 penalty units.

  4. (4)

    Subsections (2) and (3) do not apply if the disclosure of the unique identifier is for one or more of the following purposes:

    1. (a)

      detecting, reporting or investigating a contravention, or an alleged contravention, of a provision of this Act;

    2. (b)

      conducting proceedings in relation to a contravention, or an alleged contravention, of a civil penalty provision of this Act;

    3. (c)

      detecting, reporting or investigating either of the following within a digital ID system:

      1. (i)

        a digital ID fraud incident;

      2. (ii)

        a cyber security incident:

    4. (d)

      conducting an assessment of the matter referred to in paragraph 33C(1)(g) of the Privacy Act 1988 (about assessments by the Information Commissioner in relation to the handling and maintenance of personal information in accordance with certain aspects of this Act);

    5. (e)

      detecting, reporting, investigating or prosecuting an offence against a law of the Commonwealth, a State or a Territory.

    Note: A person who wishes to rely on this subsection bears an evidential burden in relation to the matter mentioned in this subsection (see section 96 of the Regulatory Powers Act).

  5. (5)

    Subsections (2) and (3) also do not apply if the disclosure of the unique identifier is:

    1. (a)

      to a contractor engaged by the accredited entity; and

    2. (b)

      for the purposes of the contractor providing an accredited service, or part of an accredited service, of the accredited entity.

    Note: A person who wishes to rely on this subsection bears an evidential burden in relation to the matter mentioned in this subsection (see section 96 of the Regulatory Powers Act).

  6. (6)

    Subsections (2) and (3) also do not apply if the unique identifier is disclosed to another entity if the other entity is facilitating access to the entity for whom the unique identifier was created.

    Note: A person who wishes to rely on this subsection bears an evidential burden in relation to the matter mentioned in this subsection (see section 96 of the Regulatory Powers Act).

48 Restrictions on collecting, using and disclosing biometric information

(1) An accredited entity may collect, use or disclose biometric information of an individual only if:

  1. (a)

    the collection, use or disclosure is authorised under section 49 or 50; and

  2. (b)

    unless the collection, use or disclosure is authorised under paragraph 49(3)(a) or subsection 49(5), (6) or (8)—the individual to whom the information relates has expressly consented to the collection, use or disclosure of the biometric information.

Civil penalty: 1,500 penalty units.

  1. (2)

    An accredited entity may retain biometric information of an individual only if the retention is authorised under section 49 or 50.

    Note: Section 51 contains rules about destruction of biometric information that has been retained under section 49.

    Civil penalty: 1,500 penalty units.

  2. (3)

    To avoid doubt, and without limiting subsection (1), an accredited entity must not:

    1. (a)

      collect, use or disclose biometric information of an individual for the purpose of one‑to‑many matching of the individual; or

    2. (b)

      collect, use or disclose biometric information of an individual to determine whether the individual has multiple digital IDs.

(4) One‑to‑many matching means the process of comparing a kind of biometric information of an individual against that kind of biometric information of individuals generally to identify the particular individual.

49 Authorised collection, use and disclosure of biometric information of individuals—general rules

  1. (1)

    An accredited entity is authorised to collect, use or disclose biometric information of an individual if:

    1. (a)

      the accredited entity’s conditions on accreditation authorise the collection, use, or disclosure of the biometric information; and

    2. (b)

      the biometric information of the individual is collected, used or disclosed for the purposes of the accredited entity doing either or both of the following:

      1. (i)

        verifying the identity of the individual;

      2. (ii)

        authenticating the individual to their digital ID.

  2. (2)

    An accredited entity is authorised to collect, use or disclose biometric information of an individual if:

    1. (a)

      the biometric information is contained in a verifiable credential that is in the individual’s control; and

    2. (b)

      the Accreditation Rules prescribe requirements relating to the collection, use or disclosure of the biometric information; and

    3. (c)

      the collection, use or disclosure complies with those requirements.

  3. (3)

    An accredited entity is authorised to disclose biometric information of an individual to a law enforcement agency only if:

    1. (a)

      the disclosure of the information is required or authorised by or under a warrant issued under a law of the Commonwealth, a State or a Territory; or

    2. (b)

      the information is disclosed with the express consent of the individual to whom the biometric information relates, or purports to relate, and the disclosure is for the purpose of:

      1. (i)

        verifying the identity of the individual; or

      2. (ii)

        investigating or prosecuting an offence against a law of the Commonwealth, a State or a Territory.

  4. (4)

    Subsection (3) applies despite:

    1. (a)

      any law of the Commonwealth, a State or a Territory (whether enacted or made before or after this subsection); or

    2. (b)

      a warrant (other than a warrant of a kind mentioned in paragraph (3)(a)), authorisation or order issued under such a law.

  5. (5)

    An accredited entity is authorised to disclose biometric information of an individual if the disclosure is to the individual to whom the biometric information relates.

  6. (6)

    An accredited entity is authorised to retain, use or disclose biometric information of an individual if:

    1. (a)

      the accredited entity collected the information in accordance with subsection (1); and

    2. (b)

      the information is retained, used or disclosed for the purposes of undertaking testing in relation to the information; and

    3. (c)

      the entity complies with any requirements prescribed by the Accreditation Rules.

  7. (6A)

    Without limiting paragraph (6)(c), Accreditation Rules made for the purposes of that paragraph must prescribe requirements that relate to the management by accredited entities of the potential for biometric systems to selectively disadvantage or discriminate against groups of individuals.

  8. (7)

    Without limiting paragraph (6)(c), Accreditation Rules made for the purposes of that paragraph may prescribe requirements in relation to the following matters:

    1. (a)

      the purposes for which testing may be undertaken;

    2. (b)

      the kinds of testing that may be undertaken using biometric information;

    3. (c)

      the circumstances in which testing of the biometric information may be undertaken;

    4. (d)

      the manner in which the biometric information that has been retained for testing must be destroyed;

    5. (e)

      the preparation, content, approval and implementation of ethics plans relating to the testing of the biometric information;

    6. (f)

      obtaining express consent of individuals to whom the biometric information relates;

    7. (g)

      reporting of testing results to the Digital ID Regulator.

  9. (8)

    An accredited entity is authorised to retain, use or disclose biometric information of an individual if:

    1. (a)

      the entity collected the information in accordance with subsection (1); and

    2. (b)

      the information is retained, used or disclosed for the purposes of preventing or investigating a digital ID fraud incident; and

    3. (c)

      the entity complies with any requirements prescribed by the Accreditation Rules.

  10. (9)

    Without limiting paragraph (8)(c), Accreditation Rules made for the purposes of that paragraph may prescribe requirements in relation to the following matters:

    1. (a)

      the manner in which biometric information that has been retained for preventing or investigating digital ID fraud incidents must be destroyed;

    2. (b)

      the reporting of fraud prevention or investigation activities to the Digital ID Regulator.

49A Biometric information, testing and continuous improvement

  1. (1)

    This section applies if an accredited entity is authorised to retain, use or disclose biometric information of individuals under subsection 49(6) (about testing).

  2. (2)

    The accredited entity must take reasonable steps to continuously improve its biometric systems to ensure such systems do not selectively disadvantage or discriminate against any group.

50 Accredited entities may collect etc. biometric information for purposes of government identity documents

  1. (1)

    This section applies if:

    1. (a)

      an accredited entity collects biometric information of an individual under subparagraph 49(1)(b)(i) for the purpose of verifying the identity of the individual; and

    2. (b)

      the accredited entity has verified that the biometric information is legitimate.

    Note: Because this Chapter applies to an entity only to the extent that the entity is providing accredited services (see section 33), this section does not affect information collected, held etc. by the entity in its capacity as the issuer of the document or other credential.

  2. (2)

    If the entity is covered by subsection (3), the entity may collect, use, disclose or retain the biometric information for the purposes of issuing a document or other credential that:

    1. (a)

      contains personal information about the individual; and

    2. (b)

      the individual has expressly consented to the issue of; and

    3. (c)

      can be used to assist the individual to prove the individual’s age or identity or a permission or authorisation that the individual holds; and

    4. (d)

      is issued by or on behalf of the entity.

  3. (3)

    The entities covered by this subsection are as follows:

    1. (a)

      a body corporate incorporated by or under a law of the Commonwealth or a State or Territory;

    2. (b)

      a Commonwealth entity, or a Commonwealth company, within the meaning of the Public Governance, Performance and Accountability Act 2013;

    3. (c)

      a person or body that is an agency within the meaning of the Freedom of Information Act 1982;

    4. (d)

      a body specified, or the person holding an office specified, in Part I of Schedule 2 to the Freedom of Information Act 1982;

    5. (e)

      a department or authority of a State;

    6. (f)

      a department or authority of a Territory.

  4. (4)

    Subsection (2) applies despite anything else in this Division.

  5. (5)

    If:

    1. (a)

      the entity (the first entity) is not covered by subsection (3); and

    2. (b)

      the first entity has a written agreement with another entity (the government entity) that is covered by that subsection; and

    3. (c)

      the agreement provides for the first entity to disclose the biometric information of the individual to the government entity for the purposes of issuing a document or other credential that:

      1. (i)

        contains personal information about the individual; and

      2. (ii)

        the individual has expressly consented to the issue of; and

      3. (iii)

        can be used to assist the individual to prove the individual’s age or identity or a permission or authorisation that the individual holds; and

      4. (iv)

        is issued by or on behalf of the entity;

the entity may disclose the biometric information in accordance with the agreement if the disclosure occurs within 14 days after the biometric information is collected.

51 Destruction of biometric information of individuals
  1. (1)

    Subject to subsections (2), (3), (4) and (5), if an accredited entity collects biometric information of an individual for the purposes of verifying an individual’s identity only, the provider must destroy the information immediately after the verification is complete.

    Civil penalty: 1,500 penalty units.

  2. (2)

    Subject to subsections (3), (4) and (5), if:

    1. (a)

      an accredited entity collects biometric information of an individual; and

    2. (b)

      the information is collected for the purposes of authenticating the individual to their digital ID (regardless of whether that information is also collected for the purposes of verifying the individual’s identity); and

    3. (c)

      the individual has not given express consent for that information to be retained for the purposes of further authenticating of the individual to their digital ID;

the provider must destroy the information immediately after the authentication is complete.

Civil penalty: 1,500 penalty units.

  1. (3)

    Subject to subsections (4) and (5), if:

    1. (a)

      an accredited entity collects biometric information of an individual with the express consent of the individual to whom the information relates; and

    2. (b)

      the information is collected for the purposes of authenticating the individual to their digital ID; and

    3. (c)

      the individual withdraws their consent;

the accredited entity must destroy the information immediately after the consent is withdrawn.

  1. (4)

    If an accredited entity retains biometric information of an individual in accordance with subsection 49(6) (about testing), the accredited entity must destroy the information at the earlier of:

    1. (a)

      the completion of testing the information; and

    2. (b)

      14 days after the entity collects the information.

    Civil penalty: 1,500 penalty units.

  2. (5)

    If an accredited entity retains biometric information of an individual in accordance with subsection 49(8) (about preventing or investigating digital ID fraud incidents), the accredited entity must destroy the information at the earlier of:

    1. (a)

      immediately after the completion of activities relating to the prevention or investigation of the digital ID fraud incident (as the case may be); and

    2. (b)

      14 days after the entity collects the information.

    Civil penalty: 1,500 penalty units.

52 Other rules relating to biometric information
  1. (1)

    The Accreditation Rules may provide for and in relation to the collection, use, disclosure, storage or destruction of biometric information of individuals by accredited entities.

  2. (2)

    Without limiting subsection (1), the Accreditation Rules may provide for requirements relating to quality, security or fraud.

53 Data profiling to track online behaviour is prohibited
  1. (1)

    An accredited entity must not use or disclose information if:

    1. (a)

      the information is personal information about an individual that is in the entity’s possession or control; and

    2. (b)

      the information is any of the following:

  1. (3)

    Directions under subsection (2) have effect, and must be complied with, despite any other law of the Commonwealth.

  2. (4)

    Directions under subsection (2) are not legislative instruments.

  3. (5)

    In this subsection:

Commonwealth includes a Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013) that cannot be made liable to taxation by a law of the Commonwealth.

Division 2 Fees charged by accredited entities

148 Charging of fees by accredited entities in relation to the Australian Government Digital ID System
  1. (1)

    An accredited entity that charges fees in relation to its accredited services that it provides in relation to the Australian Government Digital ID System must do so in accordance with the Digital ID Rules (if any) made for the purposes of subsection (2).

  2. (2)

    The Digital ID Rules may make provision in relation to the charging of fees by accredited entities for services provided in relation to Australian Government Digital ID System.

  3. (3)

    Without limiting subsection (2), the Digital ID Rules may do any of the following:

    1. (a)

      prescribe a fee by specifying the amount of the fee or a method of working out the fee;

    2. (b)

      make provision for when and how fees may be charged;

    3. (c)

      make provision in relation to the conduct of periodic reviews of fees;

    4. (d)

      make provision for any other matters in relation to the charging of fees, including in relation to exemptions, refunds, remissions or waivers.

  4. (4)

    The amount of a fee may be nil.

  5. (5)

    This section, and rules made for the purposes of subsection (2), do not otherwise affect the ability of an accredited entity to charge fees for its accredited services, either in relation to the Australian Government Digital ID System or otherwise.

Chapter 10 Other matters

Part 1 Introduction

149 Simplified outline of this Chapter

The Minister may establish advisory committees to provide advice to the following in relation to matters arising under this Act:

  1. (a)

    the Minister;

  2. (b)

    the Secretary;

  3. (c)

    the Digital ID Data Standards Chair.

A person commits an offence if the person obtains certain kinds of information in the course of, or for the purposes of, performing functions or exercising powers under this Act and the person uses or discloses the information. There are some exceptions.

This Chapter also deals with matters of an administrative nature, including:

  1. (a)

    annual reports by the Digital ID Regulator, the Information Commissioner, law enforcement agencies, enforcement bodies and the AFP Minister; and

  2. (b)

    delegations; and

  3. (c)

    rule‑making powers.

Part 2 Advisory committees

150 Advisory committees
  1. (1)

    The Minister may establish, in writing, such advisory committees as the Minister considers appropriate to provide advice to the following in relation to matters arising under this Act, including but not limited to the performance of the Digital ID Regulator’s functions and exercise of the Digital ID Regulator’s powers under this Act:

    1. (a)

      the Minister;

    2. (b)

      the Secretary;

    3. (c)

      the System Administrator;

    4. (d)

      the Digital ID Data Standards Chair.

  2. (2)

    An advisory committee is to consist of such persons as the Minister determines.

  3. (3)

    If the Minister establishes an advisory committee under subsection (1), the Minister must, in writing, determine:

    1. (a)

      the committee’s terms of reference; and

    2. (b)

      the terms and conditions of appointment of the members of the committee, including:

      1. (i)

        term of office; and

      2. (ii)

        remuneration; and

      3. (iii)

        allowances; and

      4. (iv)

        leave of absence; and

      5. (v)

        disclosure of interests; and

      6. (vi)

        termination of membership; and

    3. (c)

      the procedures to be followed by the committee.

  4. (4)

    An instrument made under subsection (1) or (3) is not a legislative instrument.

Part 3 Confidentiality

151 Prohibition on entrusted persons using or disclosing certain kinds of protected information

Offence

  1. (1)

    A person commits an offence if:

    1. (a)

      the person is or has been an entrusted person; and

    2. (b)

      the person obtains protected information in the course of, or for the purposes of, performing functions or exercising powers under this Act; and

    3. (c)

      the person uses or discloses the information; and

    4. (d)

      either of the following applies:

      1. (i)

        the information is personal information about an individual;

      2. (ii)

        there is a risk that the use or disclosure might substantially prejudice the commercial interests of another person.

    Penalty: Imprisonment for 2 years or 120 penalty units, or both.

  2. (2)

    An entrusted person means:

    1. (a)

      the Digital ID Regulator; or

    2. (b)

      a member of the Commission (within the meaning of the Competition and Consumer Act 2010); or

    3. (c)

      an associate member of the Australian Competition and Consumer Commission; or

    4. (d)

      a member of the staff of the Australian Competition and Consumer Commission; or

    5. (e)

      a person engaged under section 27A of the Competition and Consumer Act 2010; or

    6. (f)

      the System Administrator; or

    7. (g)

      a person referred to in section 16 of the Human Services (Centrelink) Act 1997.

Exception—authorised use or disclosure

  1. (3)

    Subsection (1) does not apply if the use or disclosure is authorised by section 152 (authorised uses and disclosures).

    Note: A defendant bears an evidential burden in relation to a matter in this subsection (see subsection 13.3(3) of the Criminal Code).

Definition of protected information

  1. (4)

    Protected information means information that was disclosed or obtained under or for the purposes of this Act.

152 Authorised uses and disclosures of protected information by entrusted persons
  1. (1)

    An entrusted person may use or disclose protected information if:

    1. (a)

      the use or disclosure is made for the purposes of:

      1. (i)

        performing a duty or function, or exercising a power, under or in relation to this Act; or

      2. (ii)

        enabling another person to perform duties or functions, or exercise powers, under or in relation to this Act; or

      3. (iii)

        assisting in the administration or enforcement of another law of the Commonwealth or a law of a Territory; or

      4. (iv)

        assisting in the administration or enforcement of a law of a State that is prescribed by the Digital ID Rules; or

    2. (b)

      the use or disclosure is required or authorised by or under:

      1. (i)

        a law of the Commonwealth (including this Act) or of a Territory; or

      2. (ii)

        a law of a State that is prescribed by the Digital ID Rules; or

    3. (c)

      the person referred to in subparagraph 151(1)(d)(i) or (ii) has expressly consented to the use or disclosure; or

    4. (d)

      at the time of the use or disclosure, the protected information is already lawfully publicly available; or

    5. (e)

      both:

      1. (i)

        the use or disclosure is, or is a kind of use or disclosure that is, certified in writing by the Minister to be in the public interest; and

      2. (ii)

        the use or disclosure is made in accordance with any requirements prescribed by the Digital ID Rules.

  2. (2)

    An instrument made under subparagraph (1)(e)(i) certifying that a particular use or disclosure is in the public interest is not a legislative instrument.

  3. (3)

    An instrument made under subparagraph (1)(e)(i) certifying that a kind of use or disclosure is in the public interest is a legislative instrument.

153 Disclosing personal or commercially sensitive information to courts and tribunals etc. by entrusted persons
  1. (1)

    Except where it is necessary to do so for the purposes of giving effect to this Act, an entrusted person is not to be required:

    1. (a)

      to produce a document containing protected information to a body mentioned in subsection (2); or

    2. (b)

      to disclose protected information to such a body;

if either of the following applies:

  1. (c)

    the information is personal information of an individual other than the entrusted person;

  2. (d)

    there is a risk that production of the document or disclosure of the information might substantially prejudice the commercial interests of a person.

  1. (2)

    The bodies are a court, tribunal, authority or other person having power to require the production of documents or the answering of questions.

Part 4 Other matters

154 Annual report by the Digital ID Regulator
  1. (1)

    After the end of each financial year, the Digital ID Regulator must prepare and give a report to the Minister, for presentation to the Parliament, on the Digital ID Regulator’s activities during the financial year.

  2. (2)

    The report must include the following:

    1. (a)

      information about the operation of the accreditation scheme, including:

      1. (i)

        the number of applications for accreditation made under section 14; and

      2. (ii)

        the number of accreditations granted under section 15;

    2. (b)

      information about the operation of the Australian Government Digital ID System, including:

      1. (i)

        the number of applications made to participate in the system under section 61; and

      2. (ii)

        the number of approvals granted to participate in the system under section 62; and

      3. (iii)

        the number of digital ID fraud incidents or cyber security incidents, and the responses to any such incidents;

    3. (c)

      information on any other matters notified by the Minister to the Digital ID Regulator.

  3. (3)

    The report must be given to the Minister by:

    1. (a)

      the 30th day of October; or

    2. (b)

      the end of any further period granted under subsection 34C(5) of the Acts Interpretation Act 1901.

155 Annual report by Information Commissioner

The annual report prepared by the Information Commissioner and given to the Minister under section 46 of the Public Governance, Performance and Accountability Act 2013 for a period must include information about the performance of the Information Commissioner’s functions, and the exercise of the Information Commissioner’s powers, under or in relation to Part 2 of Chapter 3 of this Act during the period.

155A Annual reports by law enforcement agencies etc. on disclosure or use of personal information
  1. (1)

    This section applies to:

    1. (a)

      a law enforcement agency, if the agency requests or requires, during a financial year, an accredited entity to disclose biometric information of an individual obtained as part of the provision of the entity’s accredited services; or

    2. (b)

      an enforcement body, if the body requests or requires, during a financial year, an accredited entity to use or disclose personal information of an individual obtained as part of the provision of the entity’s accredited services for the purposes of enforcement related activities conducted by, or on behalf of, the enforcement body.

    Note: An accredited entity is authorised to disclose biometric information of an individual to a law enforcement agency only in certain circumstances, such as under a warrant (see subsection 49(3)). An accredited entity can disclose personal information of an individual to an enforcement body in certain circumstances, but the personal information must not be biometric information (see section 54).

  2. (2)

    At the end of the financial year, the law enforcement agency or the enforcement body (as the case requires) must prepare and give a report to the AFP Minister that includes the following:

    1. (a)

      the total number of requests or requirements made by the agency or body during the financial year;

    2. (b)

      details of the type of information requested or required (but not including personal information of a particular individual or details that would identify a particular individual) during the financial year;

    3. (c)

      the total number of requests or requirements that were complied with (in whole or in part) by an accredited entity during the financial year.

  3. (3)

    The report must be given to the AFP Minister by:

    1. (a)

      the 30th day of September; or

    2. (b)

      the end of any further period granted under subsection 34C(5) of the Acts Interpretation Act 1901.

155B Annual report by AFP Minister
  1. (1)

    The AFP Minister must prepare a report in relation to the provision of reports (section 155A reports) under section 155A for a financial year.

  2. (2)

    If no section 155A reports were provided for the financial year, the report by the AFP Minister must include a statement to that effect.

  3. (3)

    If subsection (2) does not apply, the report by the AFP Minister must include the following in relation to each law enforcement agency and enforcement body that provided a section 155A report for the financial year:

    1. (a)

      the total number of requests or requirements made by the law enforcement agency or enforcement body during the financial year;

    2. (b)

      details of the type of information requested or required (but not including personal information of a particular individual or details that would identify a particular individual) by the law enforcement agency or enforcement body during the financial year;

    3. (c)

      the total number of requests or requirements made by the law enforcement agency or enforcement body that were complied with (in whole or in part) by an accredited entity during the financial year.

  4. (4)

    The AFP Minister must prepare the report referred to in subsection (1) as soon as practicable after the end of each financial year.

  5. (5)

    The AFP Minister must cause a copy of the report prepared under subsection (1) to be tabled in each House of the Parliament within 15 sitting days of the day on which the report is completed.

156 How this Act applies in relation to non‑legal persons

How permissions and rights are conferred and exercised

  1. (1)

    If this Act purports to confer a permission or right on an entity that is not a legal person, the permission or right:

    1. (a)

      is conferred on each person who is an accountable person for the entity at the time the permission or right may be exercised; and

    2. (b)

      may be exercised by:

      1. (i)

        any person who is an accountable person for the entity at the time the permission or right may be exercised; or

      2. (ii)

        any person who is authorised by a person referred to in subparagraph (i) to exercise the permission or right.

How obligations and duties are imposed and discharged

  1. (2)

    If this Act purports to impose an obligation or duty on an entity that is not a legal person, the obligation or duty:

    1. (a)

      is imposed on each person who is an accountable person for the entity at the time the obligation or duty arises or is in operation; and

    2. (b)

      may be discharged by:

      1. (i)

        any person who is an accountable person for the entity at the time the obligation or duty arises or is in operation; or

      2. (ii)

        any person who is authorised by a person referred to in subparagraph (i) to discharge the obligation or duty.

How non‑legal persons contravene this Act

  1. (3)

    A provision of this Act (including a civil penalty provision) that is purportedly contravened by an entity that is not a legal person is instead contravened by each accountable person for the entity who:

    1. (a)

      did the relevant act or made the relevant omission; or

    2. (b)

      aided, abetted, counselled or procured the relevant act or omission; or

    3. (c)

      was in any way knowingly concerned in, or party to, the relevant act or omission.

Meaning of accountable person

  1. (4)

    For the purposes of this section, a person is an accountable person for an entity at a particular time if:

    1. (a)

      in the case of a partnership in which one or more of the partners is an individual—the individual is a partner in the partnership at that time; or

    2. (b)

      in the case of a partnership in which one or more of the partners is a body corporate—the person is a director of the body corporate at that time; or

    3. (c)

      in the case of a trust in which the trustee, or one or more of the trustees, is an individual—the individual is a trustee of the trust at that time; or

    4. (d)

      in the case of a trust in which the trustee, or one or more of the trustees, is a body corporate—the person is a director of the body corporate at that time; or

    5. (e)

      in the case of an unincorporated association—the person is a member of the governing body of the unincorporated association at that time.

157 Attributing conduct to the Commonwealth, States and Territories etc.
  1. (1)

    In determining whether the Commonwealth, a State or a Territory (each of which is a government body) has contravened this Act (including a civil penalty provision):

    1. (a)

      conduct engaged in on behalf of the government body by an employee, agent or officer of the government body acting within the scope (actual or apparent) of their employment or authority is taken to have been engaged in also by the government body; and

    2. (b)

      if it is necessary to establish intention, knowledge or recklessness, or any other state of mind, of the government body, it is sufficient to establish the intention of the person mentioned in paragraph (a).

  2. (2)

    Despite paragraph (1)(a), a government body does not contravene a provision of this Act because of conduct of a person that the government body is taken to have engaged in, if it is established that the government body took reasonable precautions and exercised due diligence to avoid the conduct.

  3. (3)

    If an infringement notice is to be given to a government body under Part 5 of the Regulatory Powers Act, the entity whose acts or omissions are alleged to have contravened the provision subject to the infringement notice may be specified in the infringement notice.

  4. (4)

    If civil penalty proceedings are brought against a government body in relation to a contravention of a civil penalty provision of this Act, the entity whose acts or omissions are alleged to have contravened the provision may be specified in any document initiating, or relating to, the proceedings.

  5. (5)

    Despite paragraph 82(5)(b) of the Regulatory Powers Act, if a government body contravenes a civil penalty provision of this Act, the maximum penalty that a court may order the government body to pay is 5 times the pecuniary penalty specified for the civil penalty provision.

158 Bodies corporate and due diligence

For the purposes of section 97 of the Regulatory Powers Act (about attributing contraventions of employees etc. to a body corporate), a body corporate does not contravene a civil penalty provision of this Act because of conduct of a person that the body corporate is taken to have engaged in, if it is established that the body corporate took reasonable precautions and exercised due diligence to avoid the conduct.

159 Protection from civil action
  1. (1)

    This section applies to the following:

    1. (a)

      the Minister;

    2. (b)

      the Digital ID Regulator;

    3. (c)

      a member of the Commission (within the meaning of the Competition and Consumer Act 2010);

    4. (d)

      an associate member of the Australian Competition and Consumer Commission;

    5. (e)

      a member of the staff of the Australian Competition and Consumer Commission;

    6. (f)

      the System Administrator;

    7. (g)

      a person referred to in section 16 of the Human Services (Centrelink) Act 1997;

    8. (h)

      the Digital ID Data Standards Chair;

    9. (i)

      the staff referred to in section 115 of this Act.

  2. (2)

    A person mentioned in subsection (1) is not liable to an action or other proceeding for damages for, or in relation to, an act done or omitted to be done in good faith by the person:

    1. (a)

      in the performance, or purported performance, of any functions under this Act; or

    2. (b)

      in the exercise, or purported exercise, of any powers under this Act.

160 Geographical jurisdiction of civil penalty provisions

Geographical jurisdiction of civil penalty provisions

  1. (1)

    An entity does not contravene a civil penalty provision of this Act unless:

    1. (a)

      the conduct constituting the alleged contravention occurs wholly or partly in Australia, or wholly or partly on board an Australian aircraft or Australian ship; or

    2. (b)

      the conduct constituting the alleged contravention occurs wholly outside Australia and a result of the conduct occurs:

      1. (i)

        wholly or partly in Australia; or

      2. (ii)

        wholly or partly on board an Australian aircraft or an Australian ship; or

    3. (c)

      the conduct constituting the alleged contravention occurs wholly outside Australia and, at the time of the alleged contravention, the entity is an Australian entity; or

    4. (d)

      all of the following conditions are satisfied:

      1. (i)

        the alleged contravention is an ancillary contravention;

      2. (ii)

        the conduct constituting the alleged contravention occurs wholly outside Australia;

      3. (iii)

        the conduct constituting the primary contravention to which the ancillary contravention relates, or a result of that conduct, occurs wholly or partly in Australia or wholly or partly on board an Australian aircraft or an Australian ship.

Defence for primary contravention

  1. (2)

    Despite subsection (1), an entity does not contravene a civil penalty provision of this Act if:

    1. (a)

      the alleged contravention is a primary contravention; and

    2. (b)

      the conduct constituting the alleged contravention occurs wholly in a foreign country, but not on board an Australian aircraft or Australian ship; and

    1. (c)

      the entity is not an Australian entity; and

    2. (d)

      there is not in force, in the foreign country or the part of the foreign country where the conduct constituting the alleged contravention or offence occurred, a law creating a pecuniary or criminal penalty for conduct corresponding to the conduct constituting the alleged contravention.

Defence for ancillary contravention

  1. (3)

    Despite subsection (1), an entity does not contravene a civil penalty provision of this Act if:

    1. (a)

      the alleged contravention is an ancillary contravention; and

    2. (b)

      the conduct constituting the alleged contravention occurs wholly in a foreign country, but not on board an Australian aircraft or an Australian ship; and

    3. (c)

      the conduct constituting the primary contravention to which the alleged contravention relates, or a result of that conduct, occurs wholly in a foreign country, but not on board an Australian aircraft or Australian ship; and

    4. (d)

      the entity is not an Australian entity; and

    5. (e)

      there is not in force, in the foreign country or the part of the foreign country where the conduct constituting the alleged contravention occurred, a law creating a pecuniary or criminal penalty for conduct corresponding to the conduct constituting the primary contravention to which the alleged contravention relates.

Evidential burden

  1. (4)

    An entity who is alleged to have contravened a civil penalty provision of this Act and who wishes to rely on subsection (2) or (3) bears an evidential burden (within the meaning of the Regulatory Powers Act) in relation to the matters set out in the subsection.

Other matters

  1. (5)

    A reference in this section to a result of conduct is a reference to a result that is an element of the civil penalty provision.

  2. (6)

    For the purposes of this section and without limitation, if an entity sends, or causes to be sent, an electronic communication or other thing:

    1. (a)

      from a point outside Australia to a point in Australia; or

    2. (b)

      from a point in Australia to a point outside Australia;

that conduct is taken to have occurred partly in Australia.

Definitions

  1. (7)

    In this section:

ancillary contravention of a civil penalty provision means a contravention that arises out of the operation of section 92 of the Regulatory Powers Act.

Australian aircraft has the same meaning as in the Criminal Code.

Australian ship has the same meaning as in the Criminal Code.

electronic communication has the same meaning as in the Criminal Code.

foreign country has the same meaning as in the Criminal Code.

point includes a mobile or potentially mobile point, whether on land, underground, in the atmosphere, underwater, at sea or anywhere else.

primary contravention of a civil penalty provision means a contravention that does not arise out of the operation of section 92 of the Regulatory Powers Act.

161 Interaction with tax file number offences

To avoid doubt, nothing in this Act affects or limits the operation of:

  1. (a)

    sections 8WA and 8WB of the Taxation Administration Act 1953; or

  2. (b)

    rules made under section 17 of the Privacy Act 1988.

Note 1: Sections 8WA and 8WB of the Taxation Administration Act 1953 contain offences for unauthorised use etc. of tax file numbers.

Note 2: Section 17 of the Privacy Act 1988 requires the Information Commissioner to issue rules concerning the collection, storage, use and security of tax file numbers.

162 Review of operation of Act
  1. (1)

    The Minister must cause a review of the operation of this Act to be undertaken.

  2. (2)

    The review must be undertaken no later than 2 years after the commencement of this Act.

  3. (3)

    The persons who undertake the review must give the Minister a written report of the review.

  4. (4)

    The Minister must cause a copy of the report to be tabled in each House of the Parliament within 15 sitting days of that House after the Minister receives the report.

163 Delegation—Minister

  1. (1)

    The Minister may, in writing, delegate all or any of the Minister’s functions or powers under this Act (other than the Minister’s power under section 168) to any of the following:

    1. (a)

      the Digital ID Regulator;

    2. (b)

      the Secretary;

    3. (c)

      an SES employee or acting SES employee in the Department.

    Note: Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.

  2. (2)

    In exercising powers or performing functions under the delegation, the delegate must comply with any written directions of the Minister.

164 Delegation – Digital ID Regulator
  1. (1)

    The Digital ID Regulator may, by resolution, delegate all or any of the Digital ID Regulator’s powers or functions under this Act to:

    1. (a)

      member of the Commission (within the meaning of the Competition and Consumer Act 2010); or

    2. (b)

      an SES employee, or an acting SES employee, in the Australian Competition and Consumer Commission; or

    3. (c)

      an SES employee, or an acting SES employee, in the Department.

    Note 1: The Digital ID Regulator is the Australian Competition and Consumer Commission (see section 90).

    Note 2: Sections 34AA to 34A of the Acts Interpretation Act 1901 contain provisions relating to delegations.

  2. (2)

    In exercising powers or performing functions under a delegation, the delegate must comply with any written directions of the Digital ID Regulator.

165 Delegation – System Administrator

The System Administrator must not delegate any of the System Administrator’s functions or powers under this Act to a person who has functions or duties that relate to the operation or management of an information technology system through which an accredited entity provides its accredited services.

Note: For delegation by the System Administrator, see section 12 of the Human Services (Centrelink) Act 1997.

166 Delegation – Digital ID Data Standards Chair
  1. (1)

    The Digital ID Data Standards Chair may delegate, in writing, any or all of the Chair’s functions or powers under this Act to a person assisting the Chair under section 115 who is:

    1. (a)

      an SES employee, or an acting SES employee; or

    2. (b)

      an APS employee who is holding or performing the duties of a specified office or position that the Chair is satisfied is sufficiently senior for the APS employee to perform the function or exercise the power.

  2. (2)

    Subsection (1) does not apply to the function referred to in section 99 (about making Digital ID Data Standards).

  3. (3)

    In performing a delegated function or exercising a delegated power, the delegate under subsection (1) must comply with any directions of the Digital ID Data Standards Chair.

167 Instruments may incorporate etc. material as in force or existing from time to time

  1. (1)

    This section applies to the following instruments (each of which is a core instrument):

    1. (a)

      the Accreditation Rules;

    2. (b)

      the Digital ID Data Standards;

    3. (c)

      the Digital ID Rules.

  2. (2)

    A core instrument may make provision in relation to a matter by applying, adopting or incorporating, with or without modification, any matter contained in any other instrument or other writing (an incorporated instrument) as in force or existing from time to time.

  3. (3)

    If a core instrument makes provision in relation to a matter in accordance with subsection (2), the core instrument may also make provision in relation to when changes to an incorporated instrument take effect for the purposes of the core instrument.

  4. (4)

    Subsection (2) has effect despite subsection 14(2) of the Legislation Act 2003.

168 Rules—general matters

  1. (1)

    The Minister may, by legislative instrument, make rules prescribing matters:

    1. (a)

      required or permitted by this Act to be prescribed by the rules; or

    2. (b)

      necessary or convenient to be prescribed for carrying out or giving effect to this Act.

  2. (2)

    Without limiting subsection 33(3A) of the Acts Interpretation Act 1901, the rules may prescribe a matter or thing differently for different kinds of entities, things or circumstances.

  3. (3)

    The rules may make provision for or in relation to a matter by conferring a power on the Digital ID Regulator, the System Administrator or the Minister to:

    1. (a)

      make an instrument of an administrative character; or

    2. (b)

      make a decision of an administrative character.

  4. (4)

    To avoid doubt, the rules may not do the following:

    1. (a)

      create an offence or civil penalty;

    2. (b)

      provide powers of:

      1. (i)

        arrest or detention; or

      2. (ii)

        entry, search or seizure;

    3. (c)

      impose a tax;

    4. (d)

      set an amount to be appropriated from the Consolidated Revenue Fund under an appropriation in this Act;

    5. (e)

      directly amend the text of this Act.

(5) In this section, a reference to this Act does not include a reference to:

  1. (a)

    the Accreditation Rules; or

  2. (b)

    the Digital ID Data Standards; or

  3. (c)

    the Digital ID Rules; or

  4. (d)

    the service levels determined under section 80; or

  5. (e)

    the Regulatory Powers Act as it applies in relation to this Act.

169 Rules – requirement to consult

General requirement to consult

  1. (1)

    Before making or amending any rules under section 168, the Minister must:

    1. (a)

      cause to be published on the Department’s website a notice:

      1. (i)

        setting out the draft rules or amendments; and

      2. (ii)

        inviting persons to make submissions to the Minister about the draft rules or amendments within the period specified in the notice (which must be at least 28 days after the notice is published); and

    2. (b)

      if the rules deal with matters that relate to the privacy functions (within the meaning of the Australian Information Commissioner Act 2010)—consult the Information Commissioner; and

    3. (c)

      consider any submissions received within the specified period.

  2. (2)

    Without limiting paragraph (1)(b), the Minister must consult the Information Commissioner if the rules will provide that accredited entities, or specified kinds of accredited entities, are authorised to:

    1. (a)

      collect or disclose restricted attributes of individuals; or

    2. (b)

      collect, use or disclose biometric information of individuals.

  3. (2A)

    Before making or amending any rules under section 168, the Minister must also:

    1. (a)

      consult such organisations representing individuals who may experience barriers when creating or using a digital ID as the Minister considers appropriate; and

    2. (b)

      by written notice, invite such organisations to make comments to the Minister within the period specified in the written notice (which must be at least 28 days after the notice is given); and

    3. (c)

      consider any comments received within the specified period.

  4. (3)

    The Minister may consider any submissions received after the specified period if the Minister considers it appropriate to do so.

Exception if imminent threat etc.

  1. (4)

    Subsections (1) and (2A) do not apply if:

    1. (a)

      the Minister is satisfied that there is an imminent threat to the Australian Government Digital ID System; or

    2. (b)

      the Minister is satisfied that a hazard has had, or is having, a significant impact on the Australian Government Digital ID System.

Review

  1. (5)

    If:

    1. (a)

      because of subsection (4), subsections (1) and (2A) did not apply to the making of rules or amendments; and

    2. (b)

      the rules or amendments have not been disallowed by either House of the Parliament;

the Secretary must:

  1. (c)

    review the operation, effectiveness and implications of the rules or amendments; and

  2. (d)

    without limiting paragraph (a), consider whether any amendments should be made; and

  3. (e)

    give the Minister a report of the review and a statement setting out the Secretary’s findings.

  1. (6)

    For the purposes of the review, the Secretary must:

    1. (a)

      cause to be published on the Department’s website a notice:

      1. (i)

        setting out the rules or amendments concerned; and

      2. (ii)

        inviting persons to make submissions to the Secretary about the rules or amendments concerned within the period specified in the notice (which must be at least 28 days after the notice is published); and

    2. (b)

      if the rules deal with matters that relate to the privacy functions (within the meaning of the Australian Information Commissioner Act 2010)—consult the Information Commissioner; and

    3. (c)

      consider any submissions received within the specified period.

  2. (6A)

    For the purposes of the review, the Secretary must also:

    1. (a)

      consult such organisations representing individuals who may experience barriers when creating or using a digital ID as the Secretary considers appropriate; and

    2. (b)

      by written notice, invite such organisations to make comments to the Secretary within the period specified in the written notice (which must be at least 28 days after the notice is given); and

    3. (c)

      consider any comments received within the specified period.

Findings of review to be tabled

  1. (7)

    The Secretary must complete the review within 60 days after the commencement of the rules or amendments concerned.

  2. (8)

    The Minister must cause a copy of the statement of findings to be tabled in each House of the Parliament within 15 sitting days of that House after the Minister receives it.

Failure to comply does not affect validity etc.

  1. (9)

    A failure to comply with this section does not affect the validity or enforceability of any rules, or any amendments to any rules.

Relationship with the Legislation Act 2003

  1. (10)

    This section does not limit section 17 of the Legislation Act 2003 (rule‑makers should consult before making legislative instrument).

Endnotes

Endnote 1 About the endnotes

The endnotes provide information about this compilation and the compiled law.

The following endnotes are included in every compilation:

Endnote 1—About the endnotes

Endnote 2—Abbreviation key

Endnote 3—Legislation history

Endnote 4—Amendment history

Abbreviation key—Endnote 2

The abbreviation key sets out abbreviations that may be used in the endnotes.

Legislation history and amendment history—Endnotes 3 and 4

Amending laws are annotated in the legislation history and amendment history.

The legislation history in endnote 3 provides information about each law that has amended (or will amend) the compiled law. The information includes commencement details for amending laws and details of any application, saving or transitional provisions that are not included in this compilation.

The amendment history in endnote 4 provides information about amendments at the provision (generally section or equivalent) level. It also includes information about any provision of the compiled law that has been repealed in accordance with a provision of the law.

Editorial changes

The Legislation Act 2003 authorises First Parliamentary Counsel to make editorial and presentational changes to a compiled law in preparing a compilation of the law for registration. The changes must not change the effect of the law. Editorial changes take effect from the compilation registration date.

If the compilation includes editorial changes, the endnotes include a brief outline of the changes in general terms. Full details of any changes can be obtained from the Office of Parliamentary Counsel.

Misdescribed amendments

A misdescribed amendment is an amendment that does not accurately describe how an amendment is to be made. If, despite the misdescription, the amendment can be given effect as intended, then the misdescribed amendment can be incorporated through an editorial change made under section 15V of the Legislation Act 2003.

If a misdescribed amendment cannot be given effect as intended, the amendment is not incorporated and “(md not incorp)” is added to the amendment history.

Endnote 2 Abbreviation key

ad = added or inserted

am = amended

amdt = amendment

c = clause(s)

C[x] = Compilation No. x

Ch = Chapter(s)

def = definition(s)

Dict = Dictionary

disallowed = disallowed by Parliament

Div = Division(s)

ed = editorial change

exp = expires/expired or ceases/ceased to have effect

F = Federal Register of Legislation

gaz = gazette

LA = Legislation Act 2003

LIA = Legislative Instruments Act 2003

(md) = misdescribed amendment can be given effect

(md not incorp) = misdescribed amendment cannot be given effect

mod = modified/modification

No. = Number(s)

o = order(s)

Ord = Ordinance

orig = original

par = paragraph(s)/subparagraph(s)/sub‑subparagraph(s)

pres = present

prev = previous

(prev…) = previously

Pt = Part(s)

r = regulation(s)/rule(s)

reloc = relocated

renum = renumbered

rep = repealed

rs = repealed and substituted

s = section(s)/subsection(s)

Sch = Schedule(s)

Sdiv = Subdivision(s)

SLI = Select Legislative Instrument

SR = Statutory Rules

Sub‑Ch = Sub‑Chapter(s)

SubPt = Subpart(s)

underlining = whole or part not commenced or to be commenced

Endnote 3 Legislation history

| Act | Number and year | Assent | Commencement | Application, saving and transitional provisions |
| --- | --- | --- | --- | --- |
| Digital ID Act 2024 | 25, 2024 | 30 May 2024 | 30 Nov 2024 (s 2(1) item 1) | |
| Privacy and Other Legislation Amendment Act 2024 | 128, 2024 | 10 Dec 2024 | Sch 1 (item 47): 11 Dec 2024 (s 2(1) item 4) | |
| Administrative Review Tribunal (Miscellaneous Measures) Act 2025 | 14, 2025 | 20 Feb 2025 | Sch 2 (items 43–45): 21 Feb 2025 (s 2(1) item 2) | |

Endnote 4 Amendment history

| Provision affected | How affected |
| --- | --- |
| Chapter 3 | |
| Part 2 | |
| Division 1 | |
| s 37 | am No 128, 2024 |
| s 38 | am No 128, 2024 |
| Chapter 9 | |
| Part 4 | |
| s 140 | am No 14, 2025 |
