The Trusted Digital Identity Framework

The Trusted Digital Identity Framework (TDIF) comprises 13 policies.

Back to top

Background

The Australian Government established the Financial Systems Inquiry (FSI) in 2013. This was to examine the position of the financial system to meet the evolving needs and support economic growth for Australia.

In 2014, the FSI recommended developing 'a national strategy for a federated-style model of trusted digital identities' (Recommendation 15). It concluded that a federated Digital Identity model would best meet the cost, innovation, efficiency and flexibility requirements of the broader Australian digital economy.

In accepting FSI recommendations, the Australian Government agreed that a national approach to Digital Identity would streamline people’s interactions with government and provide efficiency improvements.

The Australian Government also agreed to work with the state and territory jurisdictions and with the private sector to develop the TDIF. The TDIF responds directly to the FSI and provides the rules and accreditation criteria that providers of Digital Identity services are accredited against. In this way, the TDIF creates a federation of agencies and systems working together to deliver a safe and secure Digital Identity system.

Strict standards are applied by the TDIF to the way the federated identity system works by:

  • defining requirements for the proper operation of the federated identity system 
  • defining the roles and operating responsibilities of the participants 
  • providing assurance about usability, privacy, security and interoperability of its processes and data.
Back to top

TDIF accreditation

Government agencies and organisations applying for TDIF accreditation undergo a series of rigorous evaluations across all aspects of their operations. Participants are required to demonstrate how their service meets strict requirements for usability, accessibility, privacy protection, security, risk management, fraud control and more.

This includes the need for:

  • an independent privacy impact assessment
  • privacy assessment
  • alignment with the Australian Government Protective Security Policy Framework, the Information Security Manual, the Australian Privacy Principles and the Privacy Code.

The requirements defined in the framework build on the baseline of the Australian Cyber Security Centre’s Essential 8 cyber security mitigations.

Once accredited, participants need to continually demonstrate they meet their TDIF obligations by undergoing annual assessments.

The TDIF supports 4 accreditation roles:

  1. Identity service providers (IDP) help you set up and manage your Digital Identity account. If you choose to create and use a Digital Identity, then your identity provider will be your gateway into the Digital Identity system. Examples of identity providers are myGovID and Australia Post’s Digital iD service.
  2. Credential service providers (CSP) play a critical role in keeping the system secure and safe. They are accredited to undertake the functions of authentication credential management and take care of all credentials (i.e. passwords and other forms of access restrictions) used in the system.
  3. Identity exchanges (IDX) provide the infrastructure for all these interactions to occur in a way which is secure and respects your privacy. The identity exchange acts like a switchboard: transferring information, with your consent, between relying parties, identity service providers and attribute service providers. The identity exchange only passes on the specific information which you consent to be transferred – nothing more, nothing less. In this way, the identity exchange incorporates privacy by design and helps protect your personal information.
  4. Attribute service providers (ASP) are entities such as professional bodies or universities who can provide, with your consent, authoritative information about your entitlements, relationships or other characteristics (for example, that you have a particular qualification).

Participants can apply to be accredited in one or more of these roles.

Back to top

TDIF accredited providers

The TDIF Accreditation Authority has granted accreditation to the following services:

Provider (and service name) Service type IP/CL Level Accreditation date
Department of Human Services
(Exchange)
IdX   13 May 2019
Australia Post (Digital iD) IdP and CSP (mobile app) IP 2
CL 2
17 May 2019
Australian Taxation Office (myGovID) IdP and CSP (mobile app) IP 2
CL 2
30 May 2019
Australian Taxation Office
(Relationship Authorisation Manager)
ASP   20 June 2019
Back to top

Get in touch

If you have any questions you can get in touch with us at digitalidentity@dta.gov.au
or visit the Digital Identity website.