Privacy and security benefits
Private and protected
Your personal information is valuable and worth protecting.
It's important to know who you are sharing your personal information with online. It's also important to understand how your information and privacy are being protected. Using an accredited Digital ID provider means information is:
- securely encrypted.
- only shared with providers and services with your consent, unless required by law or to investigate instances of fraud.
- not collected, profiled, used or sold for other purposes, such as direct marketing.
- protected by strict security protocols set by the Australian Government.
Information about what services you access using your Digital ID is protected and only used to:
- manage your Digital ID.
- investigate and prevent fraud.
What information is shared?
Your personal information is only shared with your consent. Information that is shared is usually limited to your:
- name.
- date of birth.
- contact details.
The services you access will also know who is verifying your identity (for example, myID). However, the provider that verifies your identity will not know which services you are accessing. This helps to protect your privacy.
Some services may require more information with your agreement. They must justify this request in writing and seek express consent from you. They also need to demonstrate that:
- they have appropriate security, privacy and fraud control processes.
- they have completed a risk assessment before they receive more information.
Protecting your biometric information
Using biometric information, such as a scan of your face, is a safe, secure and reliable way to verify that you are a true and live person. It also confirms that your face matches your photo ID, such as a driver's licence or passport. This is an important requirement to increase confidence that you are who you say you are, and it allows you to access more services with your Digital ID.
When using an accredited Digital ID provider to verify your identity using biometric information, a range of additional privacy and security safeguards apply. An accredited Digital ID provider will:
- only use your biometric information to verify your identity by matching an image of your face with your photo ID.
- require you to consent before collecting and using your biometric information.
- delete your biometric information after your identity is verified.
- ensure that your Digital ID, including all your personal information, is always encrypted with strong security protocols.
A secure Digital ID system
Australia's Digital ID System has been designed with your security in mind. This includes the Accreditation Scheme and the Australian Government Digital ID System.
The system includes security features which undergo rigorous assessment and testing.
Providers within the system must be accredited under the Digital ID Act 2024. Accredited providers must meet strict requirements for privacy protection, security, risk management and fraud control.
These requirements include the need for accredited providers to have:
- demonstrated compliance with the Australian Privacy Principles and the Privacy Code.
- an independent privacy impact assessment.
- independent information security assessments.
- ICT penetration tests.
The Digital ID Regulator accredits organisations and approves accredited organisations to join the Australian Government Digital ID System.
Strong governance
Australia’s Digital ID System operates under the Digital ID Act 2024, commencing on 1 December 2024.
The Digital ID Act is supported by legislative rules, made by the Minister for Finance, and data standards made by the Digital ID Data Standards Chair. From 1 December 2024, the ACCC will be the Digital ID Regulator and the OAIC will be the privacy regulator of Digital ID.
More information on regulating Australia's Digital ID System.
The Privacy Act
The use of a digital ID involves the exchange of sensitive and personal information when a person is seeking to verify their ID online.
The Privacy Act promotes and protects the privacy of individuals and covers many Digital ID transactions. The Privacy Act includes a range of enforcement and regulatory powers.
The Digital ID Act 2024 builds on the requirements in the Privacy Act, ensuring that accredited providers meet high standards for privacy and security.
Privacy Impact Assessments
There have been five independent Privacy Impact Assessments conducted on the Australian Government Digital ID System and associated policy which are available to download (last updated 24 January 2024):
List of Privacy Impact Assessments
2024
- Privacy Impact Assessment for the Digital ID Framework, October 2024, Maddocks
- Departmental Responses to the Maddocks Privacy Impact Assessment Recommendations, November 2024, Department of Finance
2023
- Privacy Impact Assessment for the Digital ID Bill 2023 Exposure Draft and Rules, December 2023, Maddocks
- Addendum for the Digital ID Bill 2023, January 2024, Maddocks
- Departmental Responses to the Maddocks Privacy Impact Assessment Recommendations, January 2024, Department of Finance
2022
- Privacy Impact Assessment Report for the draft TDI Legislation, February 2022, HWL Ebsworth
2021
- 3rd Independent Privacy Impact Assessment (PIA) on the TDIF and related Digital Identity Eco-system, March 2021, Galexia
2018
- Second Independent Privacy Impact Assessment (PIA) for the Trusted Digital Identity Framework (TDIF), September 2018, Galexia
2016
- Initial Privacy Impact Assessment (PIA) for the Trusted Digital Identity Framework (TDIF) Alpha, December 2016, Galexia