Blog /
Australia’s ID Scheme or GDPR
Australia's forthcoming digital ID system promises to revolutionise how we manage our identities, offering a more efficient, secure means of verification through digital tokens. But is it enough?

As the federal government prepares to pilot the system next year, concerns are mounting that it may not meet international privacy standards, particularly when compared to frameworks like the European Union’s General Data Protection Regulation (GDPR).

In a recent speech to the National Press Club in Canberra, Federal Minister for Government Services Bill Shorten hailed the new system as “world-leading.” Yet, for all its potential, the Australian scheme has raised significant privacy issues that set it apart from best practices observed globally.

Australia’s proposed digital ID system is intended to be centralised: personal data will be managed, monitored, and stored by a single government entity. This centralisation poses a significant security risk, making the system a prime target for cyberattacks and undermining users’ ability to control their digital identities.

Further compounding these concerns is the system’s lack of alignment with the World Wide Web Consortium’s (W3C) standards for verifiable credentials. These globally recognised standards give individuals more granular control over their personal data, allowing them to disclose only the minimum required information — such as proof of age — to access services. Australia’s approach, however, does not fully embrace this level of user control, potentially exposing more personal data than necessary.

A fundamental principle of global privacy frameworks like GDPR is the prevention of “linkability,” or the risk of aggregating user data across multiple services in a way that could compromise privacy.

Australia’s digital ID, a token-based system, could inadvertently allow service providers to track users across different platforms and profile their behaviours. By contrast, the GDPR includes specific safeguards to prevent such tracking unless users have given explicit consent.

Finally, Australia’s framework lacks the stringent safeguards in the EU’s privacy laws regarding biometric data, such as facial recognition and fingerprints. Under the GDPR, biometric data is considered sensitive information, and its collection and processing require explicit consent.

While Australia’s digital ID system holds significant promise, its current design may not meet the high privacy standards set by global leaders like the European Union.

As the system evolves, addressing these shortcomings will be crucial to ensuring it can be secure and privacy-respecting in a world increasingly defined by digital identity.

So, what exactly is GDPR, and why is it important to Australian businesses?

The General Data Protection Regulation (GDPR) is a comprehensive data privacy law enacted by the European Union (EU) in May 2018. It is designed to protect individuals’ data and enhance their control over their data use. It applies to organisations that collect, process, and store personal data of individuals located within the EU, regardless of where the organisation is based.

Even though the EU’s GDPR does not directly regulate Australian businesses, its importance cannot be overstated. As global data protection standards evolve, Australian companies handling personal data risk significant fines and reputational damage.

Beyond legal obligations, compliance with GDPR demonstrates a commitment to privacy, building trust with consumers in an increasingly privacy-conscious market.

Additionally, as more countries adopt similar regulations, aligning with GDPR can future-proof businesses, ensuring they remain competitive and responsible in a global economy where data protection is paramount.

Key Principles of GDPR

The fundamental principles of GDPR govern the processing of personal data.

  • Lawfulness, Fairness, and Transparency: Personal data must be processed legally, fairly, and transparently. Organisations must inform individuals about how their data will be used.
  • Purpose Limitation: Data must only be collected for specific, legitimate purposes and not further processed in incompatible ways.
  • Data Minimisation: Organisations should only collect personal data necessary for the specified purpose. Excessive data collection is prohibited.
  • Accuracy: Personal data must be accurate and kept up to date. Inaccurate data must be corrected or deleted.
  • Storage Limitation: Personal data should not kept for longer than necessary. Once the purpose for which it was collected is fulfilled, the data must be erased or anonymised.
  • Integrity and Confidentiality: Personal data must be processed in a manner that ensures its security, using appropriate technical and organisational measures to protect against unauthorised access, loss, or damage.
  • Accountability: Organisations must take responsibility for complying with the GDPR principles and be able to demonstrate their compliance.

Rights of Individuals under GDPR

GDPR provides several rights to individuals, empowering them to have greater control over their data:

  • Right to Access: Individuals can request access to their data held by an organisation, sometimes called a “data subject access request.”
  • Right to Rectification: Individuals can request that inaccurate or incomplete data be corrected.
  • Right to Erasure: Individuals can request the deletion of their data under certain circumstances, such as when it is no longer needed or when consent is withdrawn.
  • Right to Restrict Processing: Individuals can request the restriction of the processing of their data, such as when the accuracy of the data is contested.
  • Right to Data Portability: Individuals can request their data in a structured, commonly used, and machine-readable format, allowing them to transfer it to another service provider.
  • Right to Object: Individuals can object to certain types of data processing, such as processing based on legitimate interests or for direct marketing purposes.
  • Right Not to Be Subject to Automated Decision-Making: Individuals have the right not to be subjected to decisions based solely on automated processing, including profiling, if those decisions have legal consequences or significant effects.

How Secure is GDPR for User’s Personal Information?

GDPR places a strong emphasis on data security and privacy. It requires organisations to implement stringent measures to protect personal data. Some of these include:

  • Data Encryption: Personal data must be encrypted at rest (stored data) and in transit.
  • Data Anonymization and Pseudonymization: GDPR encourages techniques like anonymisation and pseudonymisation to reduce the risks associated with data processing. If data is anonymised, it is no longer considered personal data and, therefore, not subject to GDPR.
  • Data Breach Notification: Organisations must notify regulators and affected individuals of data breaches within 72 hours of becoming aware of the breach, provided there is a risk to individual rights and freedoms.
  • Privacy by Design and by Default: GDPR mandates that privacy measures be integrated into the design of systems and processes (Privacy by Design) and that the most privacy-friendly settings be used by default (Privacy by Default). For instance, organisations should ensure that personal data is processed with the highest privacy protection.
  • Impact Assessments: If an organisation’s processing activities are likely to result in a high risk to individuals’ privacy, they must carry out a Data Protection Impact Assessment (DPIA) to assess risks and identify mitigation strategies.
  • Third-Party Security: GDPR holds organisations accountable for the actions of third-party service providers that handle personal data. The organisation must ensure that appropriate contracts are in place with these third parties and that they adhere to GDPR requirements.
  • Access Controls and Role-Based Permissions: Organisations must control and limit access to personal data based on roles within the organisation, reducing the risk of unauthorised access

The GDPR is a strong framework for ensuring the protection of individual personal data, and its implementation has significantly raised the standards for data privacy worldwide.

It provides solid safeguards for users’ data and ensures businesses are held accountable for collecting, storing, and processing personal information. However, data security under GDPR depends on how sound organisations implement its requirements and whether they consistently monitor and update their data protection practices to address new threats.

In Australia, Docuworx is proud to partner with DocuWare, a leading document management system that meets the stringent requirements of GDPR and is hosted in Microsoft Azure’s Australian data centres.

This collaboration ensures that Australian businesses can manage their documents efficiently and securely while maintaining compliance with global data protection standards.

As privacy regulations evolve, investing in trusted, GDPR-compliant solutions like DocuWare is more crucial than ever.

Don’t wait for compliance to become a challenge—take action today to safeguard your business and build lasting trust with your customers.

Contact Docuworx to learn how we can help you streamline your document management while protecting your data.

Author: Carlos Lucia
Experienced Director with a demonstrated history of working in the document management industry. Skilled in sales, business development, document management solutions, marketing strategy, and building new business. Strong background in business finance and passionate about facilitating companies' digital transformations. Co-founder and Director of Docuworx, an Australian company that facilitates the digital transformations of businesses and organisations across Asia-Pacific.