How we’re developing the policy behind digital identity
Building a safe, secure and easy-to-use digital identity system for Australia is complex. Products, services and government agencies need to work together to deliver everything from the technical platform to the rules and standards that support the system. Director of digital identity policy, Shannon Peterson, takes us behind the scenes of these rules and standards, also known as the Trusted Digital Identity Framework (TDIF).
The TDIF covers several areas to ensure the identity system is consistent, safe and meets user needs. Some of these include:
- usability and accessibility
- privacy and security
- risk management
- fraud control
- identity proofing
- authentication and authorisation
- service operations and governance
- system architecture
This makes sure every government agency and organisation that becomes part of the identity system is held to the same standard. In the future, many government agencies, banks or other organisations are likely to seek to become part of the identity system.
Looking around the world, trust frameworks like the TDIF aren’t new. They have been defined as ‘legally enforceable sets of specifications, rules and agreements regulating an identity system.’1 These frameworks have been used to manage a range of systems, for example credit card and electronic point of sale systems, to make sure participants can interact safely and consistently.
While other trust frameworks focus on a specific context, service or technology, the TDIF is attempting to achieve something no other trust framework in the world has achieved to date — to support the establishment and reuse of a digital identity across many different contexts, systems and environments. The framework is made for Australian use and has involved thousands of conversations with stakeholders, feedback from the community, and years of research and development.
The TDIF was a new concept in Australia and required a lot of investigation into what had already been done.
We started by mapping the landscape in a discovery phase. This involved learning about the needs of the people who will be using the identity system, their challenges with current approaches and investigating the work that’s already been done in Australia and internationally.
Ask, listen, share
We talked regularly with our counterparts in the US, UK, Canada and New Zealand to identify best practice in countries with similar needs. We also exchanged ideas with Mexico, Japan, Israel, South Korea and several European countries.
One key lesson we heard time and time again was the need to take people on the journey. Regularly updating stakeholders on progress is not enough. We need to work with stakeholders to test assumptions, draft policies and replay our understanding of their needs. As a policy writer, your ideas may be good but theirs might be great. You won’t know unless you’re willing to ask, listen and share, even if it means being wrong, or saying you don’t know.
Write, consult, re-write
After initial discovery activities, we released the first version of the framework in August 2016. This defined the broad problem space that we would aim to cover in subsequent releases.
Throughout the development of the framework we have released numerous policy drafts for consultation.
From face-to-face meetings, emails, video calls and online contributions, we’ve received over 2,000 comments on these drafts. This feedback has come from the financial sector, privacy advocates, digital identity experts, industry groups, Australian Government agencies, state and territory governments, standards bodies, vendors and members of the public.
With each release, we have published summaries of the comments we’ve received and the changes made to the policies based on this feedback.
Where we’re up to
The framework is made up of 16 policies that are published on the DTA website. It outlines everything needed for the creation of a reusable digital identity for an individual. This includes an alternative approach for people who will not be able to use an online process to create a digital identity.
We’ve recently released another round of new documents and updates to existing documents for public consultation until 15 February 2019. These policies address the needs of individuals who need to work with government on behalf of a business.
As we learn more about the needs of users, we’ll continue to iterate the TDIF and add policies as required. For example, once we finalise the current draft policies we’ll focus on authorisations. Specifically, we’ll start the process to understand the needs of users who act on behalf of others when interacting with government.