
This material is owned and prepared by the Office of the Australian Information Commissioner (OAIC) as the Digital ID privacy regulator under the Digital ID Act 2024. The materials linked below outline the privacy rules and responsibilities all accredited entities need to follow to maintain accreditation.

For support or queries related to the information below please contact the OAIC.

Date     | Version   | Description of changes
Nov 2024 | Version 1 | Initial version

What is a relying party?

Relying parties are entities that rely or seek to rely on an attribute of an individual that is provided by an accredited entity to provide a service to the individual or enable the individual to access a service (s 9 of the Digital ID Act).  

A relying party becomes a ‘participating relying party’ if it holds approval under section 62 of the Digital ID Act 2024 (Cth) (the Act) to participate in the Australian Government Digital ID System (AGDIS) and the participation start day for the relying party has arrived or passed (s 9 of the Digital ID Act).  

‘Participating relying party’ is used in the Act to distinguish between a relying party that is approved to participate in the AGDIS, and a relying party that operates in another digital ID system (See [23] of the Revised Explanatory Memorandum to the Digital ID Act). Participating relying parties have obligations that relate to the handling of personal information. For example, the conditions on a participating relying party’s approval may relate to the handling of personal information. 

When a relying party allows an individual accessing its services to use a digital ID service to verify their identity, the relying party collects ‘attributes’ (personal information) of the individual from an accredited entity (See ss 10 and 11 of the Digital ID Act for a full list of attribute and restricted attributes).

What privacy obligations apply to relying parties? 

When using digital ID services, a relying party’s handling of personal information will be regulated by any existing privacy legislation that applies to it. The additional privacy safeguards in the Act do not apply to relying parties.  

For example: 

  • A relying party that is an APP entity covered by the Privacy Act: their handling of personal information when using digital ID services will be regulated by the Australian Privacy Principles (APPs). (The Privacy Act applies to Australian Government agencies and organisations with an annual turnover of more than $3 million. It also covers some small business operators, that is, organisations with an annual turnover of $3 million or less.)
  • A relying party that is a private sector entity that does not fall within the definition of ‘APP entity’: no specific privacy framework applies, but the entity should adopt best practice privacy practices.
  • A relying party that is a state or territory agency: their handling of personal information when using digital ID services will be regulated by their relevant state or territory privacy legislation. 

The legislation contains privacy-enhancing features to minimise the collection of ‘attributes’ by relying parties, so that a relying party only collects the attributes that are necessary for the service that an individual is accessing. These features include:

  • an accredited entity needing an individual’s express consent before it can disclose certain attributes to a relying party (s 45 of the Digital ID Act)
  • a ‘data minimisation principle’ obligation on an accredited entity to ensure that a relying party can only select the attributes of an individual that are necessary to provide its services (See rule 4.42 of the Digital ID (Accreditation) Rules)
  • participating relying parties do not have access to, or the ability to obtain and disclose, restricted attributes within the AGDIS by default (s 75 of the Digital ID Act and [31] of the Statement of Compatibility with Human Rights in the Revised Explanatory Memorandum to the Digital ID Act). Furthermore, restricted attributes must not be disclosed to relying parties that do not participate in the AGDIS unless the accredited entity’s conditions include the relevant authorisation (s 46(2) of the Digital ID Act).

Key steps for relying parties to protect personal information 

Example: 

Rachel wishes to use XYZ bank’s online services. XYZ bank (as the relying party) offers a Digital ID log in page which Rachel selects.

The identity exchange provider (IXP) must obtain Rachel’s express consent for her identity service provider (ISP) to share certain attributes with the relying party. To do this, Rachel logs into her Digital ID and authenticates her identity. She provides express consent for the sharing of her attributes from the ISP to the relying party through the IXP. 

To ensure data minimisation and only required personal information is shared, the Digital ID Regulator has imposed accreditation conditions on the ISP which determine which restricted attributes can be provided through the IXP for the relying party’s purposes. XYZ bank does not require Rachel to provide any restricted attributes as part of delivering its service to Rachel. XYZ bank has selected from the ISP only the attributes it requires, in order to provide Rachel with use of their online banking services.

The relying party collects and uses the attributes required and provides Rachel with use of their online banking services.
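The privacy-enhancing features listed above and the XYZ bank walk-through describe the same disclosure decision from two angles: a restricted attribute is withheld unless the accredited entity's conditions authorise it, the relying party may only receive attributes it has selected as necessary for its service, and nothing is shared without the individual's express consent. The following Python model is an added illustration written for this page; it is not AGDIS software, not the OAIC's or the Regulator's code, and the attribute names, the set treated as restricted, and the `xyz_bank` and `agency` identifiers are constructed for the example rather than taken from ss 10 and 11 of the Act.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed attribute names for illustration only. The actual attributes and
# restricted attributes are defined in ss 10 and 11 of the Digital ID Act.
RESTRICTED_ATTRIBUTES = frozenset({"passport_number", "medicare_number"})


@dataclass
class AccreditedEntityConditions:
    """Hypothetical model of the conditions an accredited entity applies per relying party."""

    # Attributes each relying party has selected as necessary for its service
    # (models the data-minimisation selection under rule 4.42 of the Accreditation Rules).
    necessary_for_service: dict[str, frozenset[str]]
    # Restricted attributes the entity is authorised to disclose, per relying party.
    # A relying party with no entry receives no restricted attributes: that is the default.
    restricted_authorised: dict[str, frozenset[str]] = field(default_factory=dict)


def evaluate_disclosure(
    relying_party: str,
    requested: set[str],
    conditions: AccreditedEntityConditions,
    consented: set[str],
) -> tuple[list[str], dict[str, str]]:
    """Decide which requested attributes may be disclosed to the relying party.

    Returns (disclosed, refused): the sorted attributes that pass every check,
    and a dict mapping each refused attribute to the reason it was withheld.
    Checks run in order: restricted-attribute authorisation, necessity for the
    service, then the individual's express consent.
    """
    necessary = conditions.necessary_for_service.get(relying_party, frozenset())
    authorised = conditions.restricted_authorised.get(relying_party, frozenset())
    disclosed: list[str] = []
    refused: dict[str, str] = {}
    for attr in sorted(requested):
        if attr in RESTRICTED_ATTRIBUTES and attr not in authorised:
            refused[attr] = "restricted attribute: no authorisation for this relying party"
        elif attr not in necessary:
            refused[attr] = "not selected as necessary for the relying party's service"
        elif attr not in consented:
            refused[attr] = "no express consent from the individual"
        else:
            disclosed.append(attr)
    return disclosed, refused


def xyz_bank_scenario() -> tuple[list[str], dict[str, str]]:
    """Replays the page's example: XYZ bank needs no restricted attributes."""
    conditions = AccreditedEntityConditions(
        necessary_for_service={
            "xyz_bank": frozenset({"given_name", "family_name", "date_of_birth"}),
        },
    )
    # Constructed request and consent set for the scenario. The request
    # over-asks deliberately so the refusal reasons are visible.
    requested = {"given_name", "family_name", "date_of_birth", "passport_number", "email"}
    consented = {"given_name", "family_name", "date_of_birth"}
    return evaluate_disclosure("xyz_bank", requested, conditions, consented)


def missing_consent_scenario() -> tuple[list[str], dict[str, str]]:
    """A restricted attribute that is authorised still needs express consent."""
    conditions = AccreditedEntityConditions(
        necessary_for_service={"agency": frozenset({"given_name", "medicare_number"})},
        restricted_authorised={"agency": frozenset({"medicare_number"})},
    )
    requested = {"given_name", "medicare_number"}
    consented = {"given_name"}  # the individual did not consent to the restricted attribute
    return evaluate_disclosure("agency", requested, conditions, consented)


if __name__ == "__main__":
    for name, scenario in (("XYZ bank", xyz_bank_scenario), ("agency", missing_consent_scenario)):
        disclosed, refused = scenario()
        print(f"{name}: disclosed={disclosed}")
        for attr, reason in refused.items():
            print(f"  withheld {attr}: {reason}")
```

The ordering of the checks is a design choice: the restricted-attribute bar is tested first because it applies regardless of what the relying party selected or the individual consented to, so a refusal reason never suggests that adding consent alone would have released a restricted attribute.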

Develop policies, procedures and systems

Relying parties who are APP entities must comply with their obligations under the APPs. Entities in the private sector that fall outside the APP entity definition are recommended to adopt best privacy practices.

APP 1.2 requires APP entities to take reasonable steps to implement practices, procedures and systems relating to their functions and activities that ensure compliance with the APPs, and that enable the entity to deal with inquiries or complaints from individuals about the entity’s compliance with the APPs. As a foundational principle, compliance with this APP assists compliance with all other APPs.

The requirement to implement these practices, procedures and systems is qualified by a ‘reasonable steps’ test. ‘Reasonable steps’ are dependent on circumstances that include: 

  • the nature of the personal information held. More rigorous steps may be required as the amount and sensitivity of personal information handled by an APP entity increases.
  • the possible adverse consequences for an individual if their personal information is not handled as required by the APPs. More rigorous steps may be required as the risk of adversity increases.
  • the nature of the APP entity. Relevant considerations include an entity’s size, resources and its business model. 
  • the practicability, including time and cost involved. Privacy protection must be viewed in the context of the practical options available to an APP entity but an entity is not excused by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take a particular step will depend on whether the burden is excessive in all the circumstances.

For more information, see the OAIC’s Australian Privacy Principles Guidelines: Chapter 1 (APP 1).

Data minimisation 

Data minimisation is the principle of limiting the collection, use and disclosure of personal information.
Under the Accreditation Rules, accredited entities have an obligation to ensure: 

  • the collection of personal information is limited to what is reasonably necessary for the entity to provide its accredited services; and 
  • any personal information subsequently disclosed to relying parties is limited through appropriate functionalities in the information technology systems (See rule 4.42 of the Digital ID (Accreditation) Rules).  

Although relying parties are not subject to this specific obligation, relevant APP obligations apply to APP entities. Under APP 3, an APP entity must not collect personal information unless the information is reasonably necessary for one or more of their functions or activities and, in the case of sensitive information, the individual consents. APP 11.2 outlines the circumstances when an entity should take reasonable steps to destroy or de-identify the personal information of individuals. The circumstances include:

  • the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity; and 
  • the information is not contained in a Commonwealth record; and 
  • the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information. 

Relying parties who seek to rely on digital ID services should consider what kind of information is reasonably necessary to provide their services to an individual. A digital ID provided by an accredited provider means the individual has been through rigorous identity proofing processes. The higher the identity proofing level, the higher the assurance and trust that an individual is who they say they are. A relying party should consider what kind of personal information, if any, is required beyond the confidence that an individual’s identity has been verified to a certain level.

Data breach planning

For more information on data breach preparation and response plans: Part 2: Preparing a data breach response plan | OAIC

Compliance with the requirement to secure personal information in APP 11 is key to minimising the risk of a data breach. APP 11 requires APP entities to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. The type of steps that are reasonable to protect information will depend on the circumstances of the entity and the risks associated with personal information handled by the entity.

The OAIC recommends that all APP entities, including relying parties, have a data breach response plan. This plan will assist in meeting privacy obligations, limiting the consequences of a data breach and preserving and building public trust. 

A data breach response plan should set out the roles and responsibilities involved in managing a data breach and what steps an entity will take if a data breach occurs. 

For participating relying parties, it is important to note that the Digital ID Rules (See rule 3.3 of the Digital ID Rules) contain requirements in relation to cyber security, fraud management and disaster recovery plans which may be relevant to an entity’s data breach response planning.

Privacy complaints mechanisms

Relying parties, as APP entities, must implement procedures for receiving and responding to privacy complaints and inquiries (Privacy Act 1988 (Cth), APP 1.2(b)). If complainants are dissatisfied with how the entity has handled the matter or with its response, they are able to lodge a complaint with the OAIC. For more information on handling privacy complaints: Handling privacy complaints | OAIC.

Further information

The OAIC notes that these key steps for relying parties cover some, but not all, actions that relying parties should be aware of and comply with. 

For more information on privacy obligations:

Privacy guidance for organisations and government agencies | OAIC 

State and territory privacy legislation | OAIC