DTA considering TDIF privacy legislation


By Dylan Bushell-Embling
Wednesday, 14 November, 2018


DTA considering TDIF privacy legislation

The Digital Transformation Agency is “reviewing the benefits” of legislation that would enshrine the privacy protection requirements of the new Trusted Digital Identity Framework (TDIF).

The DTA revealed it is exploring ways to enshrine the privacy requirements of the new framework, either through legislation or binding contractual obligations, the agency revealed in its response to the second Privacy Impact Assessment of the TDIF project.

The agency agreed with all the recommendations of the independent assessment apart from one — a recommendation that the identity exchange should only retain transaction-related metadata for a short period — which the agency said needs to be explored further.

As part of its evaluation of legislative protections, the DTA is also looking into introducing legal restrictions on the use of biometric information supplied for the purpose of identification.

While the DTA said it agrees in principle with the need to set a maximum period for retention of this data, this information may need to be accessed by the Oversight Authority for evidence, so current use cases suggest that the data would need to be retained for longer than 18 months. Some data will also need to be retained indefinitely for individuals to use the system.

Among the review’s other recommendations are introducing a requirement for a mandatory review of the TDIF after three years, a requirement for the Identity Exchange and accredited identity providers to develop standalone privacy policies, and establishing a time period for the validity and renewal of identity credentials.

In a statement, the DTA said protection of privacy has been a key consideration at all points during the development of the program.

The framework has privacy and security requirements that are at least as strong as federally mandated standards such as the Australian Privacy Principles and Privacy Code, and the Australian Signals Directorate’s Essential Eight cybersecurity mitigation strategies.

Participants in the program are also required to undertake their own independent security testing and assessments.

Image credit: ©James Thew/Dollar Photo Club

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.

Related News

Rachel Noble named head of ACSC

Veteran public servant Rachel Noble is returning to the Australian Signals Directorate to lead up...

US DHS moves to store biometric data on AWS Cloud

The US Department of Homeland Security has launched a request for information for a cloud-based...

Man charged with using govt systems for crypto mining

A NSW man is facing a 10-year sentence on charges of abusing his position as an IT contractor to...


  • All content Copyright © 2019 Westwick-Farrow Pty Ltd