This material is owned and prepared by the Office of the Australian Information Commissioner (OAIC) as the Digital ID privacy regulator under the Digital ID Act 2024. The materials linked below outline the privacy rules and responsibilities all accredited entities need to follow to maintain accreditation.
For support or queries related to the information below please contact the OAIC.
Date | Version | Description of changes |
---|---|---|
Nov 2024 | Version 1 | Initial version |
Privacy obligations of an accredited entity
Privacy protections are built into Australia’s Digital ID system. When providing accredited services, accredited entities must comply with the privacy safeguards in the Digital ID Act 2024 (Digital ID Act). These safeguards are in addition to, and build on, the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Privacy Act) (or equivalent state or territory laws).
All accredited entities will be required to comply with the following privacy requirements:
- be subject to the federal Privacy Act or a comparable state or territory law or enter into an APP-equivalent agreement
- comply with the federal Notifiable Data Breaches scheme, unless they are covered by a comparable state or territory scheme
- comply with the 13 additional privacy safeguards in the Digital ID Act
Privacy safeguards in the Digital ID Act
The Digital ID Act contains 13 additional privacy safeguards that apply to all accredited entities and that build on the privacy safeguards contained in the Privacy Act (or equivalent state or territory laws). The 13 additional privacy safeguards:
- regulate accredited entities’ handling of biometric information and certain attributes when providing accredited services;
- outline requirements to obtain express consent for the handling of biometric information and certain other attributes of individuals; and
- limit the handling of personal information for data profiling, enforcement purposes and marketing.
Privacy obligations in the Privacy Act
In addition to complying with the 13 additional privacy safeguards in the Digital ID Act, APP entities and certain other accredited entities will have to comply with privacy obligations in the Privacy Act, in particular the 13 Australian Privacy Principles (APPs), when providing accredited services. These accredited entities are:
- APP entities (including organisations with an annual turnover of more than $3 million and Australian Government agencies)
- entities that have entered an APP-equivalent agreement (s 34 and s 36(2)(c) of the Digital ID Act), and
- small business operators that are accredited entities (s 33 and s 35A of the Digital ID Act).
The Privacy Act obligations will not apply to accredited state or territory entities that are not APP entities, when the entity is instead subject to state or territory privacy legislation that provides protection comparable to the Privacy Act.
Table summarising the interactions between the Digital ID Safeguards and Privacy Act Australian Privacy Principles
The following table provides a brief outline of how each Digital ID privacy safeguard and APP interact. For further information on the mandatory requirements of the APPs, see the OAIC’s Australian Privacy Principles guidelines.
Safeguard | Relevant APP | Interaction between safeguard and APP |
---|---|---|
Section 44: Prohibition on collection of certain attributes | Collection – APPs 3 and 4 | By prohibiting collection of certain attributes, s 44 overrides (For the purposes of this guidance, 'overrides' is used to convey situations where a safeguard imposes stricter requirements than the corresponding APPs. This term does not alter the legal position that both the Digital ID Act and the Privacy Act apply concurrently.) APP 3.3 and 3.4 in relation to the collection of those attributes listed in s 44 (APP 3 generally allows collection of sensitive information where certain conditions are met). If an accredited entity collects a prohibited attribute which it did not solicit, the entity can avoid being in breach of s 44 if it destroys the attribute as soon as practicable after becoming aware of the collection. In relation to the collection of unsolicited information generally, an accredited entity must still comply with APP 4. |
Section 45: Express consent for disclosure of certain attributes to relying parties | Disclosure – APP 6 | For disclosure of the specified attributes listed in s 45, the provision sets out how disclosure can occur and overrides the operation of APP 6 as express consent is the only basis for disclosure of these attributes to relying parties. |
Section 46: Prohibition of disclosure of restricted attributes without express consent | Disclosure – APP 6 | For disclosure of restricted attributes of individuals to relying parties, s 46 will override the operation of APP 6 as express consent is the only basis for disclosing these attributes. Restricted attributes are defined in s 11 of the Digital ID Act. S 46 introduces an additional limitation on disclosure of restricted attributes when the disclosure is to a relying party that is not a ‘participating relying party’ – the accredited entity may only disclose restricted attributes if the accredited entity’s accreditation conditions authorise disclosure to the relying party. |
Section 47: Restriction of disclosure of unique identifiers | Disclosure – APP 6 | The restrictions in s 47 on disclosing a unique identifier override the operation of APP 6. S 47 prohibits an accredited entity from disclosing unique identifiers to another accredited entity or a relying party (other than an accredited entity or relying party which provided the unique identifier to the accredited entity in the first instance). Exceptions to this are set out in subsections 47(4), (5) and (6), and include where disclosure of the unique identifier is for the purpose of investigating a contravention of the Digital ID Act, prosecuting an offence against a law of the Commonwealth or state or territory, or to a contractor who is engaged by the accredited entity to provide all or part of an accredited service. |
Sections 48 – 52: Sections governing the handling of biometric information | Collection – APP 3; Disclosure – APP 6; Retention and Destruction – APP 11.2 | S 48 prohibits the handling of biometric information unless the handling is specifically authorised by ss 49 and 50, and in some cases, only if express consent is also obtained. Due to their prescriptive nature, these sections override APP 3, APP 6 and APP 11.1 in relation to the handling of biometric information. S 51 overrides APP 11.2 in relation to the retention and destruction of biometric information as it contains specific timeframes for destruction which are more immediate than those set out in APP 11.2. It also requires destruction rather than allowing deidentification as an alternative. |
Section 53: Prohibition on data profiling to track online behaviour | Disclosure – APP 6 | S 53 overrides APP 6 in this situation by providing only a very limited number of exceptions at subsection 53(3) where online behavioural data can be used or disclosed by the accredited entity. |
Section 54: Prohibition on handling of personal information for enforcement purposes | Disclosure – APP 6 | By restricting the use and disclosure of personal information for enforcement related activities to a limited number of prescribed circumstances, s 54 overrides APP 6 which allows personal information to be handled in a broader range of situations. |
Section 55: Prohibition on handling personal information for marketing purposes | Direct Marketing – APP 7 | S 55 overrides APP 7 by only allowing handling of personal information for marketing purposes, where the information is disclosed to an individual for the purposes of offering to supply the entity’s accredited services, or advertising or promoting those services, and the information is disclosed to the individual with their express consent. |
Section 56: Prohibition on the retention of certain attributes by an accredited identity exchange provider | Destruction – APP 11.2 | S 56 overrides APP 11.2 for accredited identity exchange providers in relation to the retention of certain attributes, by prohibiting retention after the end of an authentication session (as defined in the Digital ID (Accreditation) Rules 2024) rather than applying a ‘reasonable steps’ requirement as set out in APP 11.2. |
Section 136: Destruction or de-identification of information by AGDIS participants | Destruction – APP 11.2 | S 136 overrides APP 11.2 for accredited entities that hold an approval to participate in the AGDIS (or whose approval is suspended/revoked) in relation to the information outlined in the section. |