Digital ID must prove more than who we are

Australians are still being asked to hand over passports, licences, payslips and personal documents to prove things that should be much simpler: who they are, whether they are eligible, and whether they are allowed to act. That is the problem Australia’s Digital ID rollout now needs to solve. More than 15 million myIDs have been created, and around 80 million verified transactions flowed through the Australian Government Digital ID System (AGDIS) in the past year. The federal government has also committed $654.3 million to expand Digital ID, reduce unnecessary data storage and improve access to online services.

The momentum is there, but as Australia prepares to open AGDIS to private sector participants from late 2026, the real test is whether Digital ID can reduce the amount of personal information people are asked to share, or simply move old identity checks into a digital format. That means moving beyond a narrow focus on proving who someone is. In many real-world transactions, the more important question is whether a person is eligible, authorised, or allowed to act on behalf of someone else.

Identity is only the first check

Accessing a government service as a citizen is one kind of transaction. A person acting on behalf of a business, patient, client, family member, trust, supplier or regulated organisation is another. In those moments, the basic identity question is only the starting point. A company director lodging information on behalf of an entity does not only need to prove their name. They need to prove they can act for that entity. A payroll manager or finance employee may need access to sensitive systems, but only within the limits of their role. A healthcare worker may need to show they are qualified, registered and authorised to perform a function in a particular setting.

The practical question is often narrower than “who are you?” It is: are you eligible, credentialed, authorised, still registered, still employed, still delegated or still allowed to act in this context? Australian public services already recognise this through the Relationship Authorisation Manager (RAM), which allows people to link their Digital ID to an ABN and act on behalf of a business. More than 2 million ABNs are now connected to RAM, showing that Australians are already navigating identity and delegated authority in digital systems. That is an important foundation, but it also shows why authority cannot be treated as a secondary issue. It is central to how digital services work in the real world.

Digital ID should reduce what we ask people to share

The promise of Digital ID is often framed around convenience. People should be able to verify themselves once and reuse that verification safely. That is important of course, but the bigger goal should be reducing unnecessary data collection. Australians are still routinely asked to hand over passports, licences, payslips and other sensitive documents to access basic services. Rental applications are one of the clearest examples. In April, the Privacy Commissioner found the 2Apply rental technology platform had collected excessive personal information by unfair means, pointing to the power imbalance in the rental market and the pressure on applicants to disclose private information or risk missing out on housing.

This should worry every digital government leader. It shows what happens when identity checks are built around collecting and storing documents, rather than proving the minimum facts required for a transaction. Once these documents are copied across platforms, agencies, businesses and service providers, the risk does not sit in one place; it spreads across the economy. A renter does not necessarily need to provide a full identity file to every property manager. A property manager needs confidence that the person is who they say they are and that they meet the relevant criteria. The federal government’s rental application pilot, using Digital ID and the Consumer Data Right, recognises this distinction by exploring how renters can prove identity and affordability without sharing passports, payslips or bank statements.

The same principle applies across banking, telcos, health care, business services and government. A service may need to confirm account ownership, eligibility, professional registration, business representation or authority to act. It does not always need a broader bundle of personal documents.

The private sector phase will expose old gaps

AGDIS is due to open to private sector entities from late 2026, which will be a major turning point. Until now, Digital ID has largely been viewed through a government access lens. However, the next phase will involve more complex transactions, more relying parties and more pressure on systems to interpret identity, attributes and authority consistently.

If public and private systems connect without clear ways to verify authority, organisations will keep falling back on manual workarounds. Staff will still ask for letters of authority, screenshots, ABN extracts, copies of licences, employment records, PDFs, delegated access forms and internal approvals. Those workarounds may satisfy a process, but they create delay, duplication and risk. They also undermine the point of Digital ID.

A modern identity system should not leave agencies and businesses doing analog permission checks behind the scenes. It should allow trusted proofs to move safely between environments, with the individual or organisation in control of what is shared.

This is already starting to happen in regulated Australian industries. Under the Motor Vehicle Information Sharing Scheme, independent repairers need fair access to technical vehicle information, while manufacturers and data providers need confidence that restricted repair data, particularly for hybrid and electric vehicles, is only accessed by appropriately verified technicians. In that context, our work with Solera Autodata shows how digital identity can support both access and control; verifying the person, their role and their eligibility to access sensitive information without forcing every party back into manual checks.

But this does not mean every sector needs the same model. Banking, healthcare, real estate, education, tax and social services all carry different risks. But the principle should be consistent: verify the smallest amount of information needed to make the decision.

Measuring success by what Digital ID removes

The next stage of Digital ID should be measured by what it removes from the system. Does it remove the need for people to repeatedly upload passports and licences? Does it reduce unnecessary data collection in high-pressure transactions like rental applications? Does it remove manual checks that slow down onboarding and service delivery? Does it reduce uncertainty about who can act for a business, agency, patient or client?

If the answer is no, Australia may end up digitising identity without fixing the underlying trust problem. The federal government’s investment in Digital ID, the growth of myID, the expansion of RAM, the NSW Digital ID pilot and the upcoming private sector phase of AGDIS all point to a more trusted digital economy. But trust will not come from verifying more information. It will come from verifying the right information.

Australia has an opportunity to get this right before Digital ID becomes deeply embedded across the economy. The risk is that we build a modern identity layer on top of old habits: too much collection, too much repetition, too much manual checking and too much sensitive data stored in too many places. Digital ID should ask less of Australians, not more. Its success should be measured by whether people can access services, prove rights and complete transactions without surrendering more of themselves than the moment requires.

Top image credit: iStock.com/Rneaw