NotMeID · Research

The Digital ID Act 2024: what it means for your data, and what you can do about it

How Australia’s Digital ID framework changes what accredited providers may retain about you — and the access and deletion rights you can exercise today.

What the Act actually does

The Digital ID Act commenced on 1 December 2024. It created the Australian Government Digital ID System and a formal accreditation framework for verifying identity online with fewer copies of physical documents flowing through unrelated systems.

At launch, accredited participants include myGovID, ConnectID, and Australia Post’s Digital iD. Private-sector expansion is expected to roll in progressively from 2026. The Act includes prohibitions aimed at reducing misuse risk — for example, restrictions on treating a digital ID as a single universal identifier, constraints on profiling and marketing use of digital ID data, and governance obligations for accredited providers.

In plain terms: the policy intent is to centralise verification while reducing how often you hand raw identity documents to every service provider you touch.

What data providers hold

When you verify through an accredited Digital ID provider, the system can create and retain verified attributes — not always a 1:1 scan of a document sitting in a folder, but structured claims about you that are treated as authoritative for downstream reliance.

Depending on the pathway and provider, this can include verified legal name, date of birth, document reference signals tied to passports and driver licences, Medicare references where relevant, and transaction metadata showing which relying parties received attestations. Where liveness checks are used, providers may also retain biometric templates and associated check imagery consistent with their policies and the Act’s requirements.

The Act interacts with the Privacy Act 1988. That matters because APP 12 (access) and APP 13 (correction and deletion) still apply to personal information held by many accredited entities in scope — meaning you are not without levers if data is held longer than justified or used beyond what you were told.

The retention problem

Retention is the uncomfortable edge of any identity system: verification is useful because it persists, but persistence is also what creates long-tail breach risk and downstream profiling surface area.

Government materials and legal commentary have noted that reviews of retention settings are part of the Act’s longer operational story — but until those settings are fully tested in practice, the practical risk for consumers is simple: attributes may exist after the transaction that triggered them, and most people will never ask what is held, for how long, and why.

Legal analysis of the Act — including commentary published around commencement — has highlighted that the system’s security story is not the same thing as a guarantee of minimal retention. That distinction is exactly why consumer-accessible deletion workflows matter.

What you can do right now

If you have used accredited Digital ID flows, you can treat this like any other serious privacy exercise: map the provider, request access under APP 12, request deletion or correction under APP 13 where information is outdated, irrelevant, or no longer needed, and escalate to the OAIC where responses are missing or inadequate.

For Digital ID providers, the Act also layers additional expectations around accredited handling — which means your requests should explicitly reference both the Privacy Act and the Digital ID framework where applicable, so the recipient routes the request to the correct internal owner.

NotMeID exists because this is not a one-email problem: it is a catalogue-and-follow-up problem. The service tracks accredited providers, sequences requests from your own address for legal standing, and automates escalation where providers go quiet — the failure mode that makes ‘rights on paper’ meaningless in practice.

Sources

  1. Digital ID Act 2024 (Cth) — digitalidsystem.gov.au
  2. Clifford Chance, analysis of the Digital ID Act (2024)
  3. Maddocks, Privacy Impact Assessment materials (Oct–Nov 2024) — finance.gov.au
  4. OAIC, Digital ID guidance — oaic.gov.au/digital-id
  5. Gilbert + Tobin, commentary and analysis — gtlaw.com.au