For IT and cybersecurity teams, collecting and storing PII can be a significant burden. When dealing with millions of customer records, it becomes both a costly and risky endeavor to manage and protect data from hackers, as well as to handle the repercussions if a breach occurs.
This may change with the upcoming launch of a new digital verification system in Australia, which is set to progress to a pilot phase in January 2025.
Now in the proof-of-concept stage, the Trust Exchange, or TEx, system would allow Australians to provide their personal information via a digital wallet. PII would not always need to be shared with a business when a customer needs to verify their identity.
The Australian Government hopes TEx will reduce the number of Australians who are falling victim to data breaches. For businesses, the system could offer a streamlined and safer way of interacting with their customers.
Australia’s Trust Exchange system would allow Australians to prove their identity or share select details about themselves using information already stored by the government within their centralised MyGov account. MyGov is the central portal and data repository through which Australians access Government services, such as taxation, health, or social security.
For individuals, the government is promising more control over personal data. For businesses, it is offering benefits such as the ability to streamline customer onboarding and minimise data risks. The Trust Exchange system is being developed as a distinct project alongside Australia’s existing Digital ID project, which will see the creation of a digital ID for Australians.
Three transaction categories have so far been identified by the government for TEx:
In cases where TEx is only verifying information, such as a person’s identity, the system would pass a digital token to businesses rather than sensitive private information, such as a driver’s licence.
Using a “tap-to-pay” style system with a QR code, the system would “digitally shake hands” with a business or service provider. While it would not pass on actual information, the system would provide assurance that the details are correct without needing to view them.
When individuals need to pass data to a business or entity, the TEx system allows them to select what information they hand over and ensure they consent to the information being exchanged. It also maintains a record of which information has been exchanged with which businesses, allowing individuals to track their digital information.
Verification will come from the pool of data held by Australian government agencies, in addition to information housed by Australian state governments, centralised via MyGov. The government has said that, rather than holding citizen data in a central database, it was exploring a new decentralised model that would have strong safety and security features.
Verified or shared information using the TEx system would include:
The government has put forward potential applications of the TEx system, including:
Contracts and accounts: Large businesses like telcos or banks will be able to integrate with TEx for identity verification when people take out new contracts or create new accounts.
Pubs, clubs, and hotels: TEx can prove a person’s age. Australians may not have to pass over ID documents such as drivers’ licences or passports to be copied and stored.
Rental applications: When a person rents a new apartment, key details about the applicant could be provided and verified by a real estate agent using the TEx system.
Applying for a job: The government has suggested the system may extend to include things like qualifications and certifications, making it easier for employers to verify job candidates.
The Australian government believes businesses will see TEx as a “win.” Although a business’s systems will need to be configured to interface with the system, it could lead to operational efficiencies, reduced data risk, and savings on data management.
The TEx system would relieve businesses of the operational burden of verifying someone’s identity, which had sometimes required multiple forms of ID. This could create process efficiencies in many areas, streamlining how businesses sell certain products and services.
When businesses hold PII, they take on risk. With the government holding identification data, and the exchange of data limited to only what is required, businesses will be reducing risk in their data estates. They could end up holding less data they don’t need, in line with best practice principles, or seeing fewer fines or legal costs due to data breaches.
Any information verified by the system will still need to be collected, stored, and managed. While it is unclear how this process might work — and it may require IT to set up in-house systems to operate seamlessly with TEx’s public digital infrastructure — it is likely to become a feature in most third-party vendor products.
In some cases, businesses may have less data on customers than they may want. For example, if a business only needs to verify a person is over 18, a TEx system may verify this is the case without providing the business a date of birth. This could limit the collection of demographic data that may help with marketing segmentation strategies.
TEx will not be compulsory for consumers or businesses. Therefore, businesses that adopt the system must be set up both for customers who use TEx and for those who do not. While this may create further complexity, businesses may find enough value from TEx customers to make it worthwhile, especially as TEx uptake increases over time.
The Trust Exchange system can reduce the number of times Australians need to hand out PII to identify themselves. As the number of businesses storing data reduces, individuals could warmly welcome a reduced risk of their data being breached.
Some experts fear that the Trust Exchange and MyGov would be attractive to criminals because they would essentially create a centralised location for data. Though hacks of Australian businesses like Optus and Medibank have been problematic, a breach of the TEx system could be even more disastrous.