2025 Digital ID Rules and Accreditation Rules consultation

Why we want your input?

The Department of Finance has released exposure drafts of the proposed changes to the Digital ID Rules 2024 and the Digital ID (Accreditation) Rules 2024.

We want to hear from you on the proposed changes, which include:

• Establishing a redress framework relating to incidents within the Australian Government Digital ID System
• Strengthening reportable incident obligations for accredited services
• Allowing individuals to give consent for up to 7 years when acting on behalf of a business
• Streamlining applications for government relying parties after a machinery of government change
• Authorising the Digital ID Data Standards Chair to use the Digital ID Accreditation Trustmark
• Deferring commencement of the voluntary  suspension and resumption obligations on identity service providers
• Updating the protective security policy framework requirements for accredited entities.

More information on these changes is provided below.

How to have your say

After reading the information below and the accompanying documents, submit your details and upload your document.

You can structure your submission around the key consultation questions included in the consultation guide provided under the relevant documentation section below. We also welcome any other comments you would like to include.

A template is available for providing feedback under relevant documentation. 

What will be the outcome of this consultation?

Your response will help inform changes being made to the Digital ID Rules and the Digital ID (Accreditation) Rules. Changes will be considered by the Minister for Finance and, if made. registered as legislative instruments on the Federal Register of Legislative Instruments.  

What will happen to your information

Submissions will not be published or made publicly available but may be included in a general summary. Please let us know if you want to remain anonymous in any submission summary that will be published on this website. 

For more information, see the privacy collection notice below. 

Digital ID Rules

The Digital ID Rules set out some requirements relating to entities wanting to participate in the Australian Government Digital ID System. The Australian Government Digital ID System enables individuals to verify their identity securely online with participating government services.

Elements of these Digital ID Rules apply to entities seeking to participate in the Australian Government Digital ID System. 

Proposed changes

• Establish a redress framework for incidents that occur in relation to accredited services of accredited entities that are provided within the Australian Government Digital ID System.
• Strengthen reportable incident obligations in relation to accredited services.
• Establish a streamlined application for approval to participate for State, Territory and Commonwealth government participating relying parties that are affected by machinery of government changes.
• Authorise the Digital ID Data Standards Chair to use the Digital ID Accreditation Trustmark.

Redress framework 

The redress framework seeks to improve support provided to individuals who are impacted by digital ID fraud incidents and cyber security incidents relating to services within the Australian Government Digital ID System. This framework complements existing provisions in the Accreditation Rules which require accredited entities to support individuals. 

Additional obligations are proposed on certain accredited entities, including: 

• Publishing policies relating to complaints handling and incident management
• Referring unresolved technical issues to the System Administrator to ensure its timely resolution
• Consider notifying affected individuals of incidents where appropriate.

For more information see page 7 in the Consultation guide.

Reportable incident obligations

Accredited entities participating within the Australian Government Digital ID System are already required to notify the System Administrator of cyber security and digital ID fraud incidents. The proposed amendments will enable the System Administrator to direct entities that have made a notification to conduct an investigation into the incident. Entities receiving such a direction must begin the investigation as soon as reasonably practicable and provide a summary of their findings once complete.

The proposed amendments strengthen oversight and accountability, helping ensure that incidents are investigated promptly and thoroughly.

For more information see page 13 in the Consultation guide.

Streamlined application for relying parties affected by machinery of government changes 

This proposed amendment applies to government entities that, due to machinery of government, are taking on a service that was previously approved to participate in the Australian Government Digital ID System. In this instance the service requires a new approval to participate. The proposed changes streamlines the application process for these entities in certain circumstances.

This change supports regulatory efficiency by streamlining approval processes in low risk scenarios, supporting continuity of service.

For more information see page 13 in the Consultation guide.

Authorisation for the Data Standards Chair to use the Digital ID Accreditation Trustmark 

The proposed amendment adds the Digital ID Data Standards Chair to the list of entities authorised to use and display the trustmark. 

This change supports the Data Standards Chair to fulfil the Chair's functions under the Act.

For more information see page 13 in the Consultation guide.
 

Digital ID Accreditation Rules

The Accreditation Rules apply to providers of digital ID services (identity, attribute and exchange service providers) who choose to obtain accreditation. 

The Accreditation Rules set out the types of services for which an entity may be accredited, details of the accreditation application process, and accreditation requirements such as security, privacy, usability and other requirements. These rules apply to accredited services whether or not they participate in the Australian Government Digital ID System. 

Proposed changes 

The Accreditation Amendment Rules amend the Accreditation Rules to: 

• Align the Accreditation Rules with the latest version of the Australian Government Protective Security Policy Framework (PSPF), while limiting use of the PSPF to non-corporate Commonwealth entities and introducing a three-month transition period for future PSPF updates.
• Provide a separate duration of express consent of up to 7 years when given to an accredited Attribute Service Provider for a business purpose.
• Extend the transition period by 12 months that transitioned accredited entities have to comply with digital ID voluntary suspension and resumption obligations.

Protective security framework requirement changes 

Currently, any accredited entity can choose the Australian Government’s Protective Security Policy Framework (PSPF) as one of three options for implementing protective security controls. The PSPF sets out the Australian Government’s core security requirements for protecting people, information, and assets. 

The proposed amendments modify the Accreditation Rules to align them with the latest PSPF requirements. 

The proposed amendments also limit the use of the PSPF to certain Australian Government entities. Other entities will retain the option to implement the international standard ISO/IEC 27001 Information Security Management Systems, or an alternative security framework as the basis for their accreditation.

These amendments would remove duplication, reduce regulatory burden, and ensure that accredited entities using the PSPF are aligned with the most current government security standards.

For more information see page 14 in the Consultation guide.

Express consent 

Currently, individuals can only provide express consent for a maximum of 12 months to any accredited entity for the collection, use or disclosure of their personal information. 

The proposed amendment creates an alternative consent period of up to 7 years when the individual is acting on behalf of a business. 

This is intended to apply to a range of relationships that a person may have with a business including employees, tax agents or sole traders operating their own business. 

These individuals often have relationships with multiple businesses.
Individuals can withdraw or vary their consent at any time. 

This reform better reflects the nature of business relationships, reducing administrative burden. It also ensures that express consent is meaningful, time-bound, and tailored to its context.

For more information see page 15 in the Consultation guide.

Deferred commencement of the suspensions and resumption obligations 

Currently, the Accreditation Rules contain provisions requiring Identity Service Providers to take specific steps if an individual requests a temporary suspension of their digital ID and to follow steps to restore the digital ID after suspension. These provisions are due to take effect at the end of 2025. 

The proposed amendment delays the application of the suspension and resumption obligations until 30 November 2026, allowing time for Identity Service Providers to develop the necessary systems and processes to comply with the obligations.

For more information see page 16 in the Consultation guide. 
 

Relevant documentation

• Consultation guide: Proposed amendments to the Digital ID Rules and the Digital ID (Accreditation) Rules [PDF 955KB]
• Exposure draft - Digital ID (Accreditation) Amendment (PSPF and Other Measures) Rules 2025 [PDF 652kb]
• Explanatory statement - Digital ID (Accreditation) Amendment (PSPF and Other Measures) Rules 2025 [PDF 466KB]
• Exposure draft - Digital ID Amendment (Redress Framework and Other Measures) Rules 2025 [PDF 489KB]
• Explanatory statement - Digital ID Amendment (Redress Framework and Other Measures) Rules 2025 [PDF 538KB]
• Template – Digital ID rules amendments consultation feedback [DOCX 47KB]
   

Making a submission

Please fill in the form below, and upload your submission in the relevant field. Templates and all the relevant information can be found in the links above.

Privacy collection notice

Making a submission is voluntary. You are not required to make a submission.

The Department of Finance (Finance) is seeking submissions as part of its consultation on proposed amendments to the Digital ID Rules 2024 (Cth) (Digital ID Rules) and the Digital ID (Accreditation) Rules 2024 (Accreditation Rules).

If you choose to provide a submission to Finance, information in your submission may be used to inform and refine proposed amendments to the Digital ID Rules and Accreditation Rules.

If your submission includes any personal information, that information will be collected by Finance and will be protected by law, including the Privacy Act 1988 (Cth) (Privacy Act). Please do not provide any personal information relating to another person, unless you have sought that person’s consent to do so.

To assist with analysing information from submissions, Finance may disclose your submission(s) to:

• third party service providers; and
• third party service certified providers of artificial intelligence (AI) software.

Please note, third party service providers that Finance contract with must protect personal information in accordance with the Privacy Act.

Finance may retain and use your personal information to communicate with you about Digital ID in the future, if you have provided:

• your contact details in your submission; and
• your consent to be contacted by Finance.

Publication

Finance will not use or disclose any personal and/or sensitive information collected from your submission for another purpose without your consent, unless required or authorised by law. 

For more information about how Finance handles your personal information, including information about access to or correction of your personal information, or how to make a complaint if Finance may have interfered with your privacy, please see our Privacy Policy.