15 August 2023

Identity Resilience

The new National Strategy for Identity Resilience replaces the 2012 National Identity Security Strategy. It features Shared Principles for Resilient Identities:

1 Seamless Commonwealth, state and territory digital ID systems will support identity resilience

Digital IDs provide a highly secure credential which can be used to prove identity online. They can reduce the amount of information you share, as they allow you to share only the information needed, which means you do not need to share all the details of a valuable identity document such as a passport. Governments will work together to achieve interoperability between digital ID systems and credentials so that Australians can access services in any jurisdiction. 

2 Identity needs to be inclusive 

Australian governments are committed to supporting vulnerable cohorts to access services, and to supporting Australians that choose not to use digital services or credentials. Indigenous Australians, people from culturally and linguistically diverse communities, and people with disabilities are disproportionately targeted by certain types of scams, and may also have more difficulty accessing or understanding ways to remediate compromises to their ID. Older Australians are also vulnerable and reported the highest losses to scams in 2021, and may be less likely to adopt digital credentials or other technologies. Where practical, Australian governments are committed to providing digital and non-digital options so that individuals have a choice in how they manage their identity. 

3 Individuals, industry and government have a role to play 

Individuals, industry and government all have roles to play in achieving identity resilience. Individuals need to know how to protect their identity and be empowered to proactively respond to identity misuse. Industry and governments can strengthen identity resilience by adopting best practice for preventing, deterring and responding to identity misuse, and by actively coordinating efforts to improve and promote education on identity resilience, secure cyber practices and support services. 

4 All jurisdictions will work towards consistent high national standards 

Individuals need to have secure and trusted identity credentials regardless of who they are issued by. Australian governments will develop stronger, nationally consistent standards for issuing physical and digital credentials. Australian governments will also ensure that identity credentials have security measures that make them resilient. 

5 Biometric establishment and verification of identity with consent can improve resilience 

Where appropriate, and with an individual’s consent, Australian governments will use biometrics to make it harder for criminals to misuse identity credentials. Combinations of biographic attributes (e.g. name, date of birth and licence number) do not adequately protect Australians from identity crime, and can be exposed in a data breach. Passwords can be forgotten, stolen or compromised. Australian governments will protect personal privacy and secure data in regards to the use of biometrics. 

6 All jurisdictions will allow an individual to update their information conveniently across agencies 

Currently, an individual who changes their name or moves house has to update each credential individually, and often does not. As a result, their personal details may differ between government agencies and jurisdictions, which increases the potential for identity fraud. Australian governments will work towards enabling individuals to update their credentials in a more streamlined and convenient way, if the individual wishes to do so. 

7 Less data collection and retention 

Large data breaches have demonstrated the risks associated with large stores of personal information and of retaining copies of credentials. We need to consider the likelihood of future data breaches when deciding what we collect and retain. Digital IDs, digital credentials and government services like the Document Verification Service, allow government agencies and businesses to verify identity while minimising their collection of personal information. Australian governments will support businesses and government agencies to collect and retain less personal information where appropriate. This will be balanced against existing and legitimate needs relating to law enforcement and regulatory regimes. 

8 Clear data-sharing arrangements 

To support individuals impacted by large scale cyber incidents and data breaches, governments need to be able to collect and share data. Australian governments will work to put in place data-sharing arrangements to better protect victims of cyber incidents and data breaches. 

9 Consistent revocation and re-issuance 

Across Australia there are different processes for revoking and reissuing credentials. This makes it harder for a victim of identity crime to recover, especially when they have to engage with multiple Commonwealth, state and territory agencies and the private sector. Australian governments will work towards streamlined and consistent processes for remediating compromised identity credentials to reduce the burden on victims. 

10 Clear accountability and liability 

Liability for the cost of remediating credentials compromised in a data breach, cyber-attack, or other identity crimes needs to be clear, along with appropriate enforcement actions. The lack of clear accountability can delay mitigation measures when responding to a data breach. The solution should minimise further harm to the individual whose data was compromised.

The Strategy document states:

Building on existing work and being future ready 

To give effect to the above principles, Australian governments have committed to the following short, medium and long term initiatives. Plans for implementing the initiatives will be considered by the Data and Digital Ministers Meeting. The Data and Digital Ministers Meeting, a sub-committee of National Cabinet, will also oversee the implementation of the initiatives. Building on the innovative and leading edge work of the Commonwealth, states and territories, the initiatives include the elevation of existing projects to the national stage. They complement initiatives that support identity resilience, which are in development or already in operation, but have not been included in this Strategy. These include, for example, the Commonwealth’s myGov and myGovID systems, the Trusted Digital Identity Framework, ID Support NSW, and the Australian Death Check. 

Short term initiatives (Up to 12 months to implement) 

Update of the National Identity Proofing Guidelines 

Australian identity proofing standards need to be fit for purpose and used consistently across the country. The National Identity Proofing Guidelines (the Guidelines) provide guidance for government and private sector organisations on proofing the identity of individuals. The Guidelines will be updated and aligned with the Trusted Digital Identity Framework to support consistent processes across digital and non-digital credentials. This will help to address longstanding inconsistencies in identity management practices between jurisdictions; support less collection and retention of data; and build confidence in the use of Commonwealth, state and territory digital ID systems. 

Cohesive national approach for responding to the identity security aspects of data breaches 

Large-scale data breaches and cyber incidents have demonstrated the need for a cohesive national response to the identity security aspects of data breaches, to minimise the damage caused and to expedite the recovery of individuals’ identities. This initiative will seek to establish a Centre of Excellence to increase the speed and efficiency of responses to the identity security aspects of significant data breaches. This will be a single and highly visible point of expertise that supports the management of the identity security aspects of breaches at a Commonwealth level, and works with state and territory bodies, to minimise the harm for individuals, businesses and governments. 

Identity resilience education and awareness 

Education and awareness can help build individual, industry and government resilience. A range of education and awareness programs exist across the Commonwealth, states and territories. These include the Australian Competition and Consumer Commission’s Scamwatch and awareness information delivered by ID Support NSW. Improving consistency and coordination at a national level will increase the effectiveness of these programs. This initiative will focus on amplifying and coordinating existing education and awareness efforts to better protect Australians. 

Medium term initiatives (1-3 years to implement) 

Credential Protection Register 

When a credential is discovered to have been compromised it can take a long time to remediate. During this time, criminals can continue to misuse the credential. In October 2022, the Commonwealth established the Credential Protection Register to prevent the Identity Matching Services verifying a compromised credential that has been listed on the Register. This initiative will seek to further develop the Credential Protection Register, for example to allow individuals to have better control of their credentials, and also to improve the sophistication of the Register. 

Mobile phone trust scores 

Mobile phone numbers can be integral to identity authentication (for example when used in multifactor authentication) and as an alternative to using email and social media to contact a client. However, they can also be used for identity takeover and fraud. A ‘Mobile phone trust score’ system would allow telecommunication providers to assign trust scores to mobile phone numbers based on risk factors such as recent SIM swaps, tenure of phone plan and virtual private numbers. The trust score will help to prevent mobile phones being used to facilitate fraud.

Long term initiatives (3-5 years to implement) 

Reissuing Digital Credentials through Digital wallets 

Digital Credentials (for example Working with Children Checks or mobile driver licences) are important for identity resilience. It is cheaper, easier and quicker to reissue a digital version of a compromised credential than a physical one. The development of digital credential standards is vital to ensure consistency of data, user experience and interoperability, while maintaining choice and privacy. This initiative will look at addressing technical and legislative differences and barriers across jurisdictions to help reduce fraud, improve customer experience and reduce duplication of effort. This initiative can also inform upcoming digital credential projects so that they are ready for digital wallets at launch. 

No wrong doors for identity remediation 

Individuals should be able to engage with one government organisation in order to fully and quickly recover their identity. This could include regaining control of online accounts, revocation and re-issue of credentials, and protective measures for compromised credentials. Some states and territories have already established comprehensive support services that operate within their jurisdiction. This initiative will focus on a cross-jurisdictional approach to improve the experience for individuals, reduce further harm and enable full identity recovery. 

Strong, consistent commencement of identity records 

Commencement of identity records such as birth certificates, and immigration records for Australians born overseas, are issued by different jurisdictions and are not always linked to change of identity (e.g. change of name) processes in other jurisdictions. This initiative will explore how jurisdictions can work together to improve the integrity of identity records, and provide every Australian with an accurate commencement of identity record updated for life events. 

Implementation 

Realising the intent of the Strategy will require a strong focus on cross jurisdictional collaboration, application of the principles, and the implementation of the initiatives. Under the oversight of the Data and Digital Ministers Meeting, and in close collaboration with all Australian governments, the Commonwealth, through the Department of Home Affairs, will coordinate the implementation of this Strategy. A detailed plan, including resources required, will be developed for each initiative for consideration and approval by the Data and Digital Ministers Meeting. 

Assessing effectiveness 

In implementing this strategy, effectiveness will be assessed by progress made towards implementation of the initiatives, and the effectiveness of these outcomes. An annual report will be provided to the Data and Digital Ministers Meetings on the effectiveness of the Strategy, associated policy and legislation, and follow-on actions required to ensure that Australians’ identities are resilient.