Tell me in 30 seconds
As part of the final phase of the rollout of the digital ID regime in Australia, private‑sector applications to join the Australian Government Digital ID System (AGDIS) are set to open on 30 November 2026. With this date fast approaching, the Federal Government has published new rules to govern the regime, headlined by the new redress framework for individuals affected by a cyber or fraud incident. In the context of a demanding approval process and complex accreditation, there is a unique opportunity here for entities that can act early.
Introduction
On 19 November 2025, the Federal Government released the Digital ID Amendment (Redress Framework and Other Measures) Rules 2025 (Digital ID Amendment Rules) and the Digital ID (Accreditation) Amendment (PSPF and Other Measures) Rules 2025 (Accreditation Amendment Rules) (together, the Rules). The Rules were accompanied by a Consultation Outcomes report that summarises industry submissions on the exposure drafts of the proposed new Rules and sets out the Government’s responses. The centrepiece of the new Rules is a redress framework for individuals impacted by cyber security and Digital ID fraud. Other amendments include strengthened protective security obligations for accredited entities, revised consent requirements for individuals acting on behalf of a business, and additional powers to direct investigations for the System Administrator.
The release of the Rules signals the countdown to the private sector’s integration in the AGDIS scheduled to commence on 30 November 2026. Now that we have started a new year, this is a timely moment for businesses contemplating direct participation in the AGDIS to review the emerging requirements and commence preparations. Entities that already collect and hold digital ID personal information for other purposes may be well-placed to redeploy existing capabilities and datasets to enter the digital ID market.
Quick recap
What is digital ID?
‘Identity’ refers to characteristics and attributes that allow a person to be uniquely differentiated from other people. The Digital ID Act 2024 (Cth) (Digital ID Act) defines digital ID as a distinct electronic representation of the individual that enables that individual to be sufficiently distinguished when interacting with services online. In practical terms, it is a structured set of information that verifies who a person is in digital contexts. This typically comprises standard personal information associated with an individual, such as date of birth, email or postal address (referred to as ‘attributes’ in the digital ID world), and serves a range of purposes, including identity verification or assessment of entitlement. A digital ID is more sophisticated than a simple digitised version of an identity document such as a passport.
There is a range of potential benefits to having an economy-wide digital ID regime. A digital ID can offer consumers seamless access to services without the need to present physical documents. It can also enable them to share less personal information with entities and verify their identity online in a simple, secure manner.
For other industry participants, digital ID can drive meaningful efficiency gains by reducing the cost and time associated with customer verification and lowering data breach risk through the collection and storage of fewer data points. In addition, businesses with relevant capabilities will have an opportunity from 30 November 2026 to participate directly in the digital ID ecosystem by contributing services and solutions to the emerging regime.
Australian digital ID legal framework
At the Commonwealth level in Australia, the digital ID regime is governed by the Digital ID Act, which is supplemented by the Digital ID Rules 2024 (Digital ID Rules) and the Digital ID (Accreditation) Rules 2024 (Accreditation Rules). The Rules are accompanied by a set of the relevant Data Standards. This legal framework superseded the voluntary Trusted Digital Identity Framework (TDIF). You can read our previous insights on the digital ID scheme here and here.
The digital ID regime is overseen by the Digital ID Regulator — the Australian Competition and Consumer Commission (ACCC), with the Office of Australian Information Commissioner (OAIC) responsible for privacy compliance. The ACCC and the OAIC work alongside Centrelink as the System Administrator vested with security responsibilities under the Digital ID Act and Digital ID Rules. The Minister for Finance is empowered to create the Digital ID Rules and give directions on accreditation, privacy and the AGDIS, while the Digital ID Data Standards Chair, appointed by the Minister, makes, reviews and amends the Data Standards.
The other participants in the digital ID framework are summarised in the diagram below.
Notably, the NSW Government has recently piloted the NSW Digital ID program, enabling residents aged 16 and over to verify their identity in a single step when accessing state government online services. The program uses smartphone-based facial biometric verification, matching against identity documents such as driver's licences, passports, and birth certificates. This program is separate from the regime we describe in this article.
Accreditation and the AGDIS
Entities can apply for accreditation to offer at least one of the services listed above (or a service of a kind prescribed by the Accreditation Rules). In order to participate in the AGDIS, an entity — other than a relying party — must be accredited and approved by the Digital ID Regulator. In deciding whether to accredit an entity, the Digital ID Regulator must consider whether an entity complied with the Accreditation Rules and may have regard to whether an entity is a fit and proper person. Where directed by the Minister to do so, the Digital ID Regulator can refuse accreditation for ‘reasons of security’.
The application process to acquire accreditation includes the following assessments:
- Privacy impact assessment for both the applicant’s digital ID data environment and proposed accredited services.
- Technical testing of the information technology system through which accredited services will be provided.
- Assurance assessments, including a protective security assessment, fraud assessment and usability and accessibility assessment.
- System testing, including penetration, usability and Web Content Accessibility Guidelines testing.
The Digital ID Regulator may suspend or revoke accreditation.
Phased rollout of the digital ID regime
The Digital ID Act allows for the phased rollout of the digital ID regime by providing the Minister with the power to phase in the entities that may apply to participate in the AGDIS.
From 30 November 2026, accredited private entities may apply to participate in the AGDIS.
New Rules mark the countdown for AGDIS rollout to the private sector
The release of the amending Rules was driven by the Digital ID Act’s requirement to establish a redress framework within 12 months of commencement. Alongside the Rules, the Government published a Consultation Outcomes report summarising stakeholder feedback on the proposals and noting broad industry support.
While the new redress mechanism for individuals affected by cyber security incidents and digital ID fraud is the headline change, the Rules introduce several other significant amendments. We summarise the key updates below.
| Subject matter | Requirement | Mallesons commentary |
| --- | --- | --- |
| Digital ID Amendment Rules (amending the Digital ID Rules) | | |
| A redress framework for individuals affected by cyber security and digital ID fraud incidents – notification requirement | The new redress framework applies to accredited ASPs and ISPs (including where their approval to participate in the AGDIS has been revoked or suspended). ASPs and ISPs must make reasonable attempts to notify individuals affected by cyber security and digital fraud incidents that occurred or are reasonably suspected of having occurred, unless the notification is likely to cause an adverse outcome for the individual or a material effect on the operation of the AGDIS. There is no specified timeframe for notification or guidance as to when an individual is ‘affected’ by an incident. When notifying affected individuals, entities must direct the individual to relevant public resources (including the entity’s own incident‑resolution and complaints information) and, in some circumstances, reasonably assist them to identify relevant third party service providers. The Consultation Outcomes report notes that the Digital ID Regulator and the System Administrator will develop guidance clarifying aspects of the redress framework. | At first glance, the redress framework — which largely requires providers to notify and refer unresolved matters to the System Administrator (see below) — does not appear to impose a significant compliance burden. However, it operates alongside other digital ID fraud incident obligations in the Accreditation Rules and under the Privacy Act 1988 (Cth). This means that providers need to navigate layers of obligations across a range of legal instruments to maintain comprehensive compliance. For example, complying with the notification requirement under the redress framework would not relieve entities of their separate obligation to notify individuals affected by an eligible data breach. Entities will also need to triage incidents into those that are likely to result in serious harm to an individual (triggering obligations under the Privacy Act 1988 (Cth) and the Digital ID Rules) and those that merely ‘affect’ the individual (which only trigger obligations under the Digital ID Rules). Notably, under the redress framework, notification is not required where doing so would cause an adverse outcome for the individual. |
| Redress framework — referring unresolved issues to the System Administrator | Where a cyber security or digital ID fraud incident prevents an individual from using their digital ID due to a technical issue with an accredited service, ASPs and ISPs must — once satisfied that the issue cannot be resolved internally — refer the unresolved issue to the System Administrator as soon as practicable after becoming aware and, if awareness arose from an individual’s complaint, within 28 days. When the issue is raised through an individual’s complaint, the entity must (before referring the issue to the System Administrator):<br>The System Administrator may recommend a resolution, including an explanation or an apology to the affected individual. | This rule raises some questions. It is unclear what should happen when an issue can be resolved internally but will take longer than the prescribed 28‑day period. The rule appears to suggest that, in this scenario, the entity is not required to refer the issue to the System Administrator. Further, there is no requirement for the entity to follow the course of action recommended by the System Administrator. |
| Redress framework — publishing policies | ASPs and ISPs must develop and publish policies for responding to cyber security and digital ID fraud incidents. These policies must include procedures for identifying, managing and resolving incidents and complaints‑handling policies. Unlike other aspects of the redress framework, this rule does not apply to an ASP or an ISP whose approval to participate in the AGDIS is suspended or revoked. | This requirement complements existing usability and accessibility obligations under the Accreditation Rules. |
| The System Administrator’s power to direct investigations | The System Administrator may direct an accredited entity who has notified it of a cyber security or digital ID fraud incident to investigate the incident. The entity must commence the investigation as soon as practicable and report its findings on completion. If the investigation is not completed within 28 days, the entity must provide a progress update immediately after day 28 and at least once after each further 28‑day period until it is complete. There is no maximum time limit on completing an investigation. | Apart from the obligation to provide updates to the System Administrator, there are no consequences for failing to complete an investigation. This can be contrasted with the existing ability of the System Administrator to issue binding directions under section 130 of the Digital ID Act, backed by civil penalties for non-compliance. |
| Streamlined application to participate in the AGDIS for certain government relying parties | A streamlined AGDIS participation application is available to government relying parties who seek to provide approved services due to a transfer of responsibilities caused by a machinery of government change. | This is a sensible requirement: a streamlined process may be needed so that a government relying party can join the AGDIS promptly and continue delivering services after internal reallocations or changes in responsibility. |
| Accreditation Amendment Rules (amending the Accreditation Rules) | | |
| Updating the protective security requirements for accredited entities | Protective security framework requirements are amended to: | This requirement is limited to NCEs. It excludes private actors carrying out work in the government sector and holding government information. |
| 7-year maximum expiry period for express consent given to an ASP by individuals acting on behalf of a business | Where an individual acting on behalf of a business gives an ASP express consent for the future collection, use or disclosure of their personal information, that consent is valid for 7 years (contrasted with 12-month consent in the context of personal use). This requirement is not paired with safeguards, such as periodic reminders, to help ensure consent remains informed. | Businesses, and any individuals acting on their behalf, should monitor the duration of their consent and promptly inform the relevant ASP if they no longer wish their personal information to be used. |
| 12-month deferral of the obligation to suspend and resume an individual’s digital ID at their request | The Accreditation Amendment Rules postpone the requirement to suspend the use of a digital ID upon legitimate request of an individual and identity-proof the individual at the appropriate level before resuming use. This obligation will now apply on and after 30 November 2026. | Recognising the technical complexity of implementing these mechanisms, the amendment provides businesses preparing to participate in the AGDIS with an additional 12 months to comply. |
What’s next and how to get involved
The release of the new Rules further signals the Government’s readiness and commitment to a robust and secure digital ID regime. With less than a year left until applications to join the AGDIS open, private sector entities should prepare for the final rollout phases, beginning with obtaining accreditation.
For entities that already handle personal information for other business purposes, there is a distinctive opportunity to build on that capability by participating in the digital ID ecosystem as one or more accredited service providers. Among various accreditation requirements, a central consideration is implementing robust data protection mechanisms. Key challenges to anticipate include:
- Navigating complex compliance. Entities must be prepared to navigate complex and technical compliance requirements under the Digital ID Act, the Rules and the Data Standards, and to manage these alongside overlapping obligations under other legislative regimes, such as the Privacy Act 1988 (Cth) and the Identity Verification Services Act 2023 (Cth).
- Strict marketing prohibitions. Using or disclosing digital ID personal information to advertise or promote goods or services — or to enable others to do so — is prohibited. In practice, this means digital ID personal information cannot be used for direct marketing to the extent the entity is providing accredited services.
- Limits on collecting sensitive attributes. Accredited entities are prohibited from collecting certain attributes about an individual — such as racial or ethnic origin, political opinions, or religious beliefs — unless received on an unsolicited basis and deleted as soon as practicable. Entities that otherwise collect these attributes for separate business purposes should implement rigorous data separation controls. This consideration may be relevant for entities intending to use digital ID data to deliver anti-money laundering and counter-terrorism financing (AML/CTF) information services. As this can involve processing information that could, for example, reveal membership of a political organisation, entities should exercise caution when relying on digital ID for this purpose.
- Requirement to obtain express consent. Beyond accreditation requirements, entities must also comply with applicable privacy laws, including obtaining valid consent before using or disclosing personal information for purposes other than those for which it was collected.
Determining whether existing personal information can be repurposed for digital ID raises nuanced legal, technical and governance issues. While complex, these issues can be navigated with clear planning, and prioritising them early will set businesses up for effective participation in the AGDIS.
In the meantime, watch out for further guidance on the new redress framework and updates to the Data Standards, with the statutory review of the Digital ID Act due 30 November 2026.