Digital identity and verifiable credential policy
Purpose
The Digital Identity and Verifiable Credential (DIVC) policy enables agencies to leverage credentials and identities established across public and private sectors, elevate the strength of these credentials and identities where required for business needs, and promote the responsible sharing and reuse of established identities and credentials in an interoperable format.
Policy statement
The Queensland Government’s identity approach underpins a digital identity ecosystem encompassing public jurisdictions and private sector delivery partners who trust each other’s assurances of identity and can readily accept and verify them in a diverse range of use cases across different industries and channels.
The ability to readily verify trusted identity information across this ecosystem is key to supporting a seamless digital government as well as allowing Queenslanders to readily use their identity in real-world, whole-of-economy use cases.
Policy benefits
The adoption of a digital identity approach will:
- reduce the propagation of duplicate identities and contribute to identity fraud reduction and improvement of the security and protection of identities
- reduce the issuance of single purpose credentials (consolidation) through the ability to reuse credentials issued by another trusted party
- reduce the need to continually re-prove identity through the ability to reuse previous identity verifications (in part or in-full) undertaken by another trusted party
- allow information and assurance to be exchanged between differing systems across trusted parties
- support a seamless experience between services, across delivery channels, the Queensland public sector, and partner services for customers, clients, partners and staff through portability of identity
- encourage attestations-as-to-identity by other agencies, government jurisdictions, or third parties which are authoritative and hold up to date information
- provide customers with choice of digital and physical identity credential and evidence category, that they can use to prove their identity regardless of which service they access
- provide staff with simplified access to cross-departmental and whole-of-government ICT systems
- lower the risks of inappropriate access by providing relevant and verified identity information for use in authorisation decisions
- enable agencies to adopt solutions that meet their business needs while still allowing them to exchange identity information
- improve efficiency and reduce costs for government by minimising the duplication of systems and processes.
Policy requirements
1. Agencies must leverage and accept existing credentials and/or identities for authentication purposes
If there is an endorsed existing credential or identity provider that services the constituency, the agency must use them as a credential or identity service provider, provided they meet requirements for service experience, privacy, identity assurance and security. Using an existing identity or credential provider can provide the ability to leverage results of a previous authentication and/or identity verification across multiple services or organisations.
The reuse of existing credentials can reduce friction and enhance user experience, especially for registration and recurrent access to services. When selecting a credential or identity provider, agencies must consider the:
- constituency and likely credentials they may already hold or depend on
- authoritative sources and pedigree of identity attributes
- types of devices used and support for biometrics which may serve as additional factors
- degree of trust placed on each credential e.g. strength and resistance to tampering.
Advice
Further information on how to determine authentication requirements can be located in the Queensland Government authentication framework (QGAF) and the Queensland Government Information security classification framework (QGISCF).
- 5.1 DIVC Core and common (Currently under development)
2. Agencies must support credential and/or identity strength to be elevated, commensurate with business risk
Agencies must follow the Queensland Government Authentication Framework (QGAF) to identify the appropriate level of assurance for identities and credentials that hold identities. This required strength can then be mapped to a comparable strength that is being offered by an identity or credential provider.
Where identity strength for an activity is assessed to be insufficient, agencies must implement appropriate security controls to elevate the strength of registration or authentication as necessary, often using multiple sources. Agencies need to adopt the identity strength commensurate with the business risk assessment. Where the identity strength is not met, agencies must choose the right trusted identity/credential to meet the agency requirement for the current interaction and subsequent interactions at the same or lower strength.
The results of any additional verification(s) undertaken by the agency must also be sharable in accordance with policy requirement 3 to enable others to rely upon the upgraded strength as required.
3. Agencies must provide credential and identity information assertions in a standard interoperable format
Queensland Government agencies issuing credentials or identities must either:
- establish a documented agreement with a relying party to share the credential or identity information or make available the credential or identity information as a productised service under an agreed set of standard terms and conditions. The information being exchanged, roles and responsibilities, policies and procedures, including security and privacy obligations each party needs to comply with and the measurements to verify adherence must be clearly defined.
or
- provide a self-service mechanism by which relevant individuals as the owner of specific information attributes held by the agency can share their credential or identity information with another trusted party (to the extent permitted by the agency).
Queensland Government agencies must use industry and government recognised identity standards where appropriate to maximise interoperability and support the exchange of credential or identity information.
Queensland's digital identity ecosystem must be able to interact and exchange information with many differing systems across trusted parties to support the sharing of credential or identity information. A lack of interoperability produces silos of identity information and access control, whereby the value of an identity is lost across boundaries.
Queensland Government agencies regarded as an authoritative source for specific credential or identity information must consider where appropriate implementing mechanisms which support the responsible verification, sharing and/or reuse of established identities, attributes and credentials in an interoperable format. This is to assist other agencies, jurisdictions and industry sectors to meet their identity and/or credential assurance requirements. This includes making available supporting information regarding the policies and procedures for issuance, maintenance and revocation of the credential or identity information. This will assist relying parties to make a business risk determination regarding the degree of trust and confidence they place in the credential or identity information for their own business purposes.
Advice
The Queensland Government has developed an identity policy framework that will provide guidance on the standards that will be used in this area. For more information, refer to:
- 6.1 Interoperability standards (currently under development)
- 4.1 Information security standards (refer to the Information security policy (IS18) and QGAF).
4. Agencies must ensure identities are secured and apply privacy preserving measures
Agencies that store personal identifying information (PII) must ensure reasonable measures are in place to secure that data and ensure a security plan exists and is applied against relevant documented security standards and controls. This should also include dealing with incidents related to cyber and data breaches and fraud management.
Additionally, the process of collecting, managing and removing that personal identifying information should comply with statutory and regulatory measures related to privacy and have a documented privacy impact assessment (PIA) undertaken across that process and the services that are in scope.
Advice
The Queensland Government is developing an identity policy framework that will provide guidance on the standards that will be used in this area. Please refer to:
- 2.0 Privacy (Currently under development)
- 4.0 Security (Currently under development but will refer to IS18 and QGAF).
5. Agencies must ensure that customers who do not have a digital identity have alternate pathways/channels to access services
To ensure that no individual or entity is left behind, any services that use a digital identity to provide service and enable transactions also need to ensure that there are non-digital pathways for those services. These pathways must be documented and made known to customers in an accessible format.
Advice
The Queensland Government is developing an identity policy framework that will provide guidance on the standards that will be used in this area. Please refer to:
- 3.0 Customer experience (currently under development)
- 3.3 Non digital pathways (currently under development).
Applicability
This policy applies to all Queensland Government departments (as defined by the Public Sector Act 2022). This policy also applies to accountable officers (not already in scope of the Public Sector Act 2022) and to statutory bodies under the Financial and Performance Management Standard 2019 in the context of internal controls, financial information management systems and risk management. See How to apply the QGEA for further information.
Implementation
This policy comes into effect from the issue date.
Issued
Issue date: TBA
This QGEA policy is published within the QGEA and administered by the Queensland Government Customer and Digital Group.
Definitions
Term | Definition |
---|---|
Identity | A set of attributes that uniquely describe a subject within a given context. An identity can be verified digitally or non-digitally or held in a digital or non-digital form. (reference NIST SP 800-63-3) |
Identity provider | A trusted entity which orchestrates the registration of identity, binds that identity to a credential and asserts the identity at the time of authentication. The Identity provider may also perform the role of an attribute provider which asserts the correctness and consistency of specific attributes |
Credential | A qualification, achievement, quality, or aspect of an entity’s background that when used indicates eligibility, competence, or compliance by an entity. Credentials may be evidenced by physical card or digitally |
Credential provider | A trusted entity that manages and issues to users one or more trusted credentials |
Customer | A person or entity that intentionally consumes a government service |
Client | A person or entity that receives services or resources from the government |
Digital identity | The unique representation of a subject engaged in a transaction. A digital identity is always unique in the context of a digital service but does not necessarily need to uniquely identify the subject in all contexts. (reference NIST SP 800-63-3) |
Partner | A person or entity that provides services on the government’s behalf |
Personal identifying information | Information or an opinion about an identified individual, or an individual who is reasonably identifiable: (reference, Office of the Australian Information Commissioner) |
Resource | A good or product that is provided to customers or clients as part of interaction with government |
Services | A provision of an interaction or transaction undertaken with a customer to access an outcome from government |
Staff | A person or entity that works for the government to deliver services |
User | Any person or entity defined above that interacts with a service |
Verifiable credential | A verifiable credential is a specific tamper-evident credential that has authorship that can be cryptographically verified. Verifiable credentials can be used to build verifiable presentations, which can also be cryptographically verified. The credentials that are issued and verified are compliant with a trusted international standard |