This transcript has been edited for clarity.
Dave Ellett, HOST: Hello and welcome to episode two of the Australian Payments Plus point of view podcast in which we examine the theme of trust from all angles. I'm your host, Dave Ellett, Chief Commercial Officer at AP+. And joining me today is Andrew Black, Managing Director of our Digital ID solution, Connect ID. Our guest is John Shepherd, the First Assistant Secretary of the Digital ID and Data Policy Division within the Department of Finance. The Division includes the Digital ID Taskforce, which is leading work to develop a comprehensive economy-wide system for Digital ID, including the introduction of legislation and rules and the establishment of a regulator.
John has held senior roles at the Australian Bureau of Statistics (ABS) and the Australian Tax Office (ATO), and is one of Australia's foremost thinkers and practitioners on digital identity and what it means to the everyday lives of Australians.
John, Andrew, welcome to the AP+ POV.
John Shepherd, First Assistant Secretary, Digital ID and Data Policy: Thanks for having us.
Dave Ellett: So John, maybe I'll start with you. It's been a big 12 months for Digital ID in Australia. But before we dive into that, tell us a little bit about yourself, a bit about your background and what led you to the role you have now.
John Shepherd: Thanks, it certainly has been a big 12 months. I reflect on that more and more as we get closer to 30 June. I have been at the Department of Finance, leading Digital ID for just over 12 months. I've been in the Australian Public Service for over 33 years. As you mentioned, I worked in the ATO and for quite a long time, actually, on a range of initiatives, and also had a really good period in the ABS, particularly when COVID hit and data was gold during that period. So I came to be leading Digital ID as they were looking for someone to lead the taskforce. Last year, someone was moving on and I got asked if I would come over. My background - I've been leading transformational projects for up to probably the last 20 years, working with industry in particular to understand their processes and look at how we can leverage those in government. So really focused on those natural business processes rather than having business change their processes to meet government needs. A key example of that was the Single Touch Payroll initiative, which I led for three years through implementation, getting legislation and implementing at the ATO. That was 800,000 plus employers in Australia who had to report differently. They had to report every payday as part of paying staff, as part of producing a pay slip out of their system, and then the byproduct was reporting and data that's become so important for things through COVID, like Job Keeper, through ABS, analysis of jobs and wages over that time, it's just been a really good example of leveraging a natural business process but to actually get other benefits. And the key benefit for that one for government and for citizens, was protecting the super guarantee of employees because it created visibility that wasn't previously there, that people’s super was both being accrued and being paid, and marrying those two things up. I've done a few other similar kind of things since then but that's probably the key one. And the actual Digital ID initiative represented something for me, of even greater scale and importance, particularly something I think that's going to touch every Australian, not just every employee and every employer, but everybody, including my kids. And we'll probably get onto that later, about some of those personal examples that we need to solve.
Dave Ellett: Yeah, thanks for that obviously vast experience there. And as you say, a big, busy 12 months around Digital ID, and we will start to unpack some of that. Andrew, I'm interested from you - you've been around the Digital ID world for a few years. Just talk about your experience in recent years and the role you've been playing.
Andrew Black, Managing Director, Connect ID at AP+: Thank you, it's been the journey that I've looked back on and started to connect the dots a bit more recently, without thinking about it. But my background has been primarily financial services, but largely in fraud and cyber security. So in the UK, building digital identity products around fraud, around protecting people and biometrics products, and looking actually in the UK at how could we have built a digital identity network. I then moved to Australia with my wonderful wife, who gave me a pretty straightforward sales pitch and as to why Sydney was great, and actually saw this very similar market with similar dynamics, but the exact same need for a strong, robust digital identity network. So I’ve been fortunate to be part of Australian Payments Plus and in building out Connect ID, and for those who maybe don't know what Connect ID is, we're building a digital identity network where you can reuse trusted providers who you already have a relationship with to prove something about you. So your bank - instead of having to take photographs of documents and passports and share them online, using your bank to login to something or sign up to something, or share that data. So it's a mission that's incredibly close to my heart, and how we help protect people and something I'm very, very passionate about.
Dave Ellett: I mean, I think one of the things that, even having you both on today, thinking about the public and private intersection for anything like a digital ID solution is quite important, and we've got to think about that intersection. I think that we will unpack that bit later, but clearly we've all got to collectively work on trust and how we underpin trust for everyone who wants to use those services. So John, I've got another question for you - citizen trust is crucial for any successful digital ID service in Australia. How do you think the expansion of digital ID services benefit and inspire trust for Australians?
John Shepherd: So I'll probably start with a short story around that happened a couple of weeks ago. My son's just moved, he just finished uni and moved to Sydney to rent a little place in Redfern, and as part of that, him and his girlfriend needed a couple of guarantors to go on the rental application for him because him and his girlfriend were both just moving into full time work for the first time. I was sent a link to a rental app where I started by having to provide three pay slips, my bank statement with transactions balances, and 100 points of ID. It was not only a total pain and inconvenient, but I was thinking, ‘where's this data going?’. He's one of many applicants for this property. There's myself, there's him, his girlfriend, his girlfriend's mum, all providing data into this thing. He's thinking he's not going to get a property first go, he's going to have to apply for other properties so there’s proliferation of data. I was sitting at a computer because I had to scan stuff and upload it and into this app and you couldn't pass go without updating every single thing. And I'm contemplating loading blank documents with ‘Please call me.’ on them to get around it. But it really just brought home to me why we need to expand our Digital ID and other services to reduce this oversharing that we're all doing, and also, the importance of accredited systems. This [rental] app is not accredited. There's no regulator who knows who the data has been shared with, how long it's been stored, how it's protected. I just know there's way, way, way too much data being collected off people, and you're not in control of it. You don't have any choice. You can't pass go. His application wouldn't have even got looked at if I didn't actually do it. I ended up doing it, but it made me feel incredibly uncomfortable.
Dave Ellett: I mean, you talk about there, about all the data is being shared. What are the key things that the industry is focusing on for data minimization? I'll be interested in both of you. How are you thinking about that? I mean, obviously some data needs to be shared to do 100 point check. It needs to be shared securely and safely, but you don't want to share more than you need to. So maybe start with you, Andrew, how are you thinking about the data minimization?
Andrew Black: I think there's two parts we've got a real challenge for. One is, how do we educate consumers to help them understand there's better ways to do that, whether that's solutions, tools, what the legislation and the bill is seeking to achieve, to give them the rights to do that. One of the other major challenges is businesses and regulators, right? So there's a little bit of inherent legacy of businesses taking the ‘just in case’ mentality. So ‘don't need to capture that’, ‘not sure’, ‘trade off of risk department’, ‘compliance department’, ‘we should keep it just in case’, right? So, and it's the lore of digital—L, O, R, E (lore)—of digital identity, instead of actually the law. It's that practice of, ‘we should keep it just in case’, instead of thinking, ‘what do I need?’. Thankfully, I think the tide is beginning to turn on that, and we've seen the last couple of years in the market, and feedback from customers and feedback from the bill that actually there’s lots of businesses who are actually taking the opposite stance of saying, ‘I don't want it’, ‘I want to reduce the amount of data I have to store’, ‘I want to reduce my risk profile’, ‘I want to give customers control’. So I think it's there's a real education piece to do with different sectors and industries who have sort of inherited practices to just stop and check to see if that's the case, and then educating consumers on the tools they can use to have more control over that data.
Dave Ellett: Yeah, it's interesting, because on the consumer side, you're worried about ‘what your data is’, but on the merchant side, or the business side, it’s ‘how much data do you want to hold?’ Because the cost associated with the risk of that getting out is higher, much higher, in the digital world. So John, same question to you, though, how are you thinking about data minimization from a government perspective?
John Shepherd: I agree with what Andrew said. There's a bunch of L, A, W’s (law’s), but there's also a bunch of L, O, R, E’s (lore’s) where people just have always erred on the side of keeping more rather than less. Data storage has been pretty cheap, or has become cheaper over time as well. But if I go back to my first point about what you know really inspires trust and what trust means to me, if you think about that interaction that I spoke about with the rental application, that's not putting the citizen at the centre. That was not an easy process to follow. They were collecting what was more convenient for them in that flow to make every applicant collect the max amount of data in one hit. But it wasn't a pleasant experience or an easy experience or a secure experience for the citizen. So they weren't putting me at the centre of that. In fact, it was a horrible process that they put me through and every other applicant, but they were putting their needs first, or thinking ‘let's just collect it all up front and then we can sort it out because we'll have it all, we don't need to go back and ask for more’. Like ideally, if they were looking after me, they would say, just collect the minimum they need to assess my application. Then if they decide that my son's going to get the property, come back and collect that other data, don't collect it off everybody. So I think it's in that regard, how do you continue to think about people and citizen and ease, as well as that minimization principle.
Dave Ellett: And I think about like the Australia Card that obviously was an initiative some time ago, and that had barriers to adoption, and they're probably going to be similar barriers to adoption of digital ID. You know, the stigmas with consumers and merchants. So how do we, collectively as the government and private sector, think about those stigmas and work together to change those over time? And how do you think that's maybe changed in the last few years with the kind of move to the digital economy?
John Shepherd: That's a real culture piece and there’s still a real source of misinformation as well. So we lead a lot of times with saying ‘digital ID is not a new card, it's not a new number’. And I know you picked up the point about the 100 point check, so I increasingly talk about it as a modern form of the 100 point check, which we've all been doing since 1988 except that it puts you in control of the documents you haven't got to scan and send them off somewhere. It allows you to verify yourself once and reuse it, which in the 100 point check you had to verify every single time, and allows you to prove who you are, say you are in an online interaction. So I think that's certainly a key part - how do we move away from that? Our culture in Australia is not to have a card and not to have a single new number. Unlike other international systems where that is the case and the government gives everyone an ID card that's just not going to fit our culture. It didn't back when the Australia Card was mooted, and it doesn't today. So I think we've got a good way forward to build on what people have accepted—the 100 point thing that's been around—and that people are happy to do with their existing identity documents. We just want to make it easier and make it so you don't have to share all that stuff over and over again.
Andrew Black: I might just jump in and build on that, because John’s absolutely right. And the principles we take forward as to how we take the public on the journey are part of the bill, part of what we're doing is around consumers and individuals having choice and also being voluntary, right? The system Connect ID is voluntary, and having individuals be able to choose whether to use this and also which provider. So: would I like to use my bank? Would I like to use my government agency, my state or federal government agency? I think that's the way we take people on the journey and make sure that they feel bought in to John's example of the rental journey. How much better is an experience where you log on, and not only don't have to provide all the information, but you choose where you want your information to come from. And I think that's what I'm certainly hopeful for, is how we take the country on that journey and make it really clear this is better. We think it’s better for people to have more control, but it is voluntary as a system, and it's ultimately about you choosing your relationships.
Dave Ellett: I mean, I think my sense is the last five years, digital economy, post COVID, you know, obviously people are much more comfortable using their digital services and therefore providing their ID. But I think what we're thinking about via the public and private is still that there's choice. You're still going to choose where you want to verify that. And I think for me, that's one of the differences, maybe, from where the Australia Card is to where we are now. And I think therefore, my personal view is that consumers are much more likely to adopt this. And I think the kind of macro-economic factors have also kind of moved that way as well.
John Shepherd: There's also an important comms bit that we've got here, and there's also a vehicle in the legislative framework, which is a trustmark, which we will be allowing accredited providers to use to demonstrate that they've met that higher standard of security and privacy, etc. So there's an important role here all of us around communicating this to users, educating people to look for accredited services and that that's better than unaccredited services.
Dave Ellett: Yeah, I was going to ask you about that later, but thanks for picking it up now. Yeah, I agree. On the trustmark, if a consumer over time gets used to seeing that, it builds trust in the consumer, and it's used consistently, which I know is part of the Bill's work. I think that should engender trust from businesses and consumers to drive adoption. So absolutely agree. One of the things certainly we think about a lot in AP+, is around inclusion, and I know, obviously from a government perspective, that's super important as well. So how do we think about digital ID from an inclusion perspective, and what barriers may we face to that as we think about access?
Andrew Black: I think first is understanding what those use cases are today, and understanding who we're talking about. I think making sure that whilst this is called a digital ID, we don't design for digital only and digital first journeys. So certainly what we do is it's understanding all of those examples where there's online, in person, remote use cases, those who perhaps have difficulty interacting online, and designing products and services with accessibility standards, so making sure that everyone can access them, making sure that, because this is voluntary, there's always a route for citizens to go. But also thinking about those in remote communities, and particularly those for those of our sort of First Nations Australians who don't perhaps fit into today's 100 point check bucket, and making sure that we don't just replicate that system online. It's not about digitizing what we are today. It's about truly making it a digital economy and having an inclusive digital economy. So we're working with leaders and those communities, some amazing enterprises and startups, looking at how we capture unique attributes, and making sure we capture whole of economy use cases. But for me, it starts first and foremost with consultation and understanding - what are the pain points today? What are the use cases where there's perhaps higher barriers to entry and making sure those are baked in as part of any design of service or regulation?
Dave Ellett: And John, how are you thinking about inclusion?
John Shepherd: I'll add what Andrew said about that consultation, certainly first and foremost, actually listening to community and what some of those barriers are. We've certainly had a lot of great input and feedback through the consultation we did on the Bill last year and now on the rules that's been happening. Certainly, some of these challenges are not unique to Digital ID. They're more about digital inclusion overall. And I know we think about these as barriers around accessibility, affordability and ability, the digital ability, to be able to do this. So we've got some really good examples. There's some really simple examples in our current way we verify people who use, for example, a myGovID. You can only get a strong myGovID if you have a passport, which brings us to 53% at the moment of the community have a passport. So that's already a barrier for some people to get a strong ID through there, through facial verification. Another really good example we heard through consultation was in a submission to the Senate committee from Blind Citizens Australia, and that was a really practical one about not just the fact that we need more than passports and driver's licenses, because blind people don't have driver's licenses, they have proof of age cards. But also the fact that the current process of taking the liveness test, where you take a selfie with your phone to actually verify back to your passport is not a straightforward thing for a blind person to get right. So they need voice prompts and other things in there to be national best practice, and they're not things that we currently do. But we need to hear and change for these obvious things when you hear it. But that's why consultation and really taking account of the submissions from some of these groups can really make this a better system. And I'll finish by saying one of the things we also frequently heard through consultation was inclusion is as much about trust as anything else in the system. If you can't make it inclusive, you're not going to get the trust of society either. So I think that, for me, kind of just really says it.
Dave Ellett: So loud and clear, I hear from both of you, inclusion is really high on the agenda, but inclusion comes with consultation, and we've got to continue to consult to make sure we understand those use cases, and we're serving the needs of all the communities that we need to.
John Shepherd: Dave, can I just add to that quickly? The source documents is a real challenge - people having enough source documents, whether that's First Nations people, a lot of whom don't have a birth certificate, migrants who don't have a lot of identity documents when they come to Australia. That's one area that we're really focused on, such as pilots to try to resolve it, looking at those undocumented or people with poor source documents, looking at some different ways that we can build trust in the fact they are who they say they are.
Dave Ellett: Great. Sounds like there's a lot happening in that space. So we talked a little bit earlier about how it's been a huge 12 months, particularly for you, John, but I know for you as well, Andrew, so if you look ahead over the next 12 months, what's the big things on the agenda for you? Maybe start with you, John.
John Shepherd: So the consultation on the rules - the Digital ID legislative framework has now become the Digital ID Act. And I love saying that the Digital ID rules and the Digital ID standards that sit underneath the Act is the set of things that spell it out. So we've been in consultation for the last four weeks on the rules and some of the standards. We'll do more of that. We're doing that in a couple of tranches, so the next set of rules will be consulted on later this year and into next year. Our target now, with the legislation passed, is the implementation of that, and the target for that has to be implemented by the first of December this year, six months from royal ascent. So we're certainly working on making sure we've got the essential rules and standards in place. They'll have to be made as legislative instruments in Parliament. There's work to do there in terms of transitioning existing services to the legislative framework that includes the range of Commonwealth and some state and territory services that are currently part of the Australian Government Digital ID system, and getting the regulator ready. So ACCC will start as a regulator from the first of December, so they’re getting their systems and processes ready to take over the accreditation that's been happening in the Interim Oversight Authority, which is part of my group for now. So there's a bit there. The other big one is as part of the budget - the government has also announced the idea of pilots for verifiable credentials and digital wallets, and including potential pilots with the private sector. So for us, it's how we now start to bring this thing to life, particularly the expansion through things like pilots, but learning through those pilots gradually, and then looking at how we can expand into some of those key use cases that I've talked about.
Andrew Black: It's a perfect build up for our focus for the next 12 months which is supporting John and the Government and consultation and feedback and Connect ID as an accredited digital identity exchange. We're the first digital identity exchange to be accredited. We're the first private sector one, sorry, three years ago. So we continue to support there. But for us, the focus is bringing those use cases to life, which I'm super excited about. So, John will be delighted to hear one of those first ones we've already launched with is a rental use case. So hopefully, if he doesn't get the apartment or needs to move again, then, you know, let us try and make that process a bit easier. But we're working with three major identity providers live already. We have CommBank, National Australia Bank and ANZ, all live and working with others to bring them onboard by the end of the year. I'm incredibly excited to see this in people's hands over the next 12 months. So the kind of core sectors for us are that rental and real estate market we're supporting customers in already. Employee onboarding is one we're seeing a lot of interest and demand in, and that employee onboarding journey making that seamless in the telco sector, as well as actually sectors like insurance and also digital skills marketplaces, so peer to peer marketplaces online where I want to verify not only that you are who you’re say you are, but you've got the credentials behind it - is it the plumber, for example, on those sites. So yeah, I'm just very passionate. We've worked on this for a very long time to see this out and live and have Australians be able to use it over the next 12 months.
Dave Ellett: So John, it's in the bill, over the next two years, the interoperability between public and private sector. How important do you think that is? And how are you thinking about that from your perspective?
John Shepherd: I think it's a key feature of the system that Australian Government, Digital ID System that we've spoken about, and the government's spoken about having that whole of economy focus. Importantly, we talked earlier about choice, so giving citizens choice of not just a government provided ID, I mentioned some of those cultural barriers and challenges that people have about whether they want to use a government ID for all parts of their life. We certainly get different feedback on that, that people would prefer to use an ID of their choice to do certain things in their life when they're not interacting with government, as an example. I think also the importance of that innovation piece - it's very hard for one provider to meet everybody's needs and to be fit for purpose, for all the kinds of different uses and use cases that we talk about for digital ID. So that idea of tailoring, I think there's a massive opportunity for seeing providers come forward to tailor their solutions to certain segments of the community, to certain problems. They're all the things that I see are important about having the private sector involved here as well.
Dave Ellett: And it would be remiss of me not to ask. Andrews talked a bit about Connect ID. What's your views on Connect ID?
John Shepherd: I'm not sure I've heard of it, actually.
Dave Ellett: or heard of the person who's running it.
John Shepherd: My views on Connect ID is, it is on our accredited list so I might have heard of it. They play a part and we obviously have some good partnerships there. We've been a part of a couple of the events where we share thinking about use cases and things, it's been good to see that kind of market starting to evolve a bit. And Andrew's not a bad fella either.
Andrew Black: Oh, thanks John for the glowing recommendation and stuff, I’ll give you that 20 bucks later. But just on the public private sector, it's not just a nice idea, nice to have, we see it in other markets, globally, and particularly in the Nordics where it's vital, right? If we don't have a cohesive, interoperable private and public sector, the country loses out, we create siloed, different, fragmented services, and we don't realize that societal but also the economic gains. So the average log on for a bank ID is 230 times a year, right? The potential economic benefit for Australia is 3-4% of GDP, if we do this right over the next sort of 10-15 years. So it's fundamental for choice, but it's not just a nice idea on white paper, we see other countries doing it really, really well. So it's a track record to get out there and chase down and beat.
John Shepherd: I think it also addresses, in part, the single point of failure of thing as well. So there's a redundancy or fall back here with so much to go through these systems, having a range of solutions there, not only gives choice, but it also gives fallback. When we've seen, for example, with telcos, having choice as well as redundancy is really important.
Dave Ellett: Yeah, helps with the big social issue as well, right? As we talked about earlier, trust, data minimization, I think public and private sector working together around the higher-order challenge is great to see. And I think, personally, I feel that's what we're trying to do here. So last question for you both, if you think about the future, what excites you most about the next five years? What do you think or hope will be the lasting impact to the legislation that you're putting in place?
John Shepherd: Look for me, I've said this a few times, but I'm excited about not talking about Digital ID and trying to explain it and correct and bust myths and correct misinformation. It just becomes part of what we do. I don't think about how I pay anymore when I go and buy a coffee or I go to the supermarket and pay for my groceries, I just don't think about what I'm using. It's just that convenience of secure tap and go pay for my things. It's just part of what I do. I don't even think about how I'm doing it anymore. That's what I look forward to with digital ID and the increased use of credentials as it just becomes natural part of what we do, and it makes things easier. And I don't even need to think about ‘is it secure?’, I just trust it.
Andrew Black: Completely agree. I think as a user, I'm incredibly excited at the prospect of never having to scan a photocopy of my passport or driving license or hand it over to somebody and hope it's in some secure filing cabinet somewhere. Being able to reduce the amount of times I have to do that, I'm incredibly passionate about and excited about that. I'm going to contradict the previous answer, but I'm actually really excited for the prospect for Australia as well, because we often reference Canada or the Nordics, and these examples of what's gone really well, but actually, in five years time, I hope Australia is the global leader, and they're referencing us. We've got the perfect platform, not just Connect ID platform, but the perfect platform as a country, regulatory environment, buy in from private and public sector, and that opportunity to have a real hybrid ecosystem, I think, puts us with a phenomenal opportunity to be a global leader and have bank ID knock on our door and say, ‘Oh, how have you done that?’ I think that's very possible in the next five years, and I'd be very excited about that prospect.
Dave Ellett: I'll forgive you for shamelessly pushing Connect ID, it wasn't lost on me. But in closing, John, Andrew, thank you very much for joining me today and talking about trust, particularly as it relates to Digital ID, I know the listeners would have got a lot of valuable insights from the discussion and really interested to hear how public and private sector are working together over what's to come over the next 12-24+ months. So thank you very much for your time today.
Andrew Black: Yeah, thanks for having us. Thank you.
John Shepherd: That's been great. Appreciate you inviting me on.
