

OFFICIAL

04 - Functional Requirements

Trusted Digital Identity Framework (TDIF) Release 4 (R4)
December 2019, version 0.3

CONSULTATION DRAFT


Digital Transformation Agency — TDIF Release 4 Consultation Draft iii


Digital Transformation Agency

This work is copyright. Apart from any use as permitted under the Copyright Act 1968 and the rights explicitly granted below, all rights are reserved.

Licence

With the exception of the Commonwealth Coat of Arms and where otherwise noted, this product is provided under a Creative Commons Attribution 4.0 International Licence (http://creativecommons.org/licenses/by/4.0/legalcode).

This licence lets you distribute, remix, tweak and build upon this work, even commercially, as long as you credit the DTA for the original creation. Except where otherwise noted, any reference to, reuse or distribution of part or all of this work must include the following attribution:

Trusted Digital Identity Framework (TDIF)™: 04 – Functional Requirements © Commonwealth of Australia (Digital Transformation Agency) 2019

Use of the Coat of Arms

The terms under which the Coat of Arms can be used are detailed on the It’s an Honour website (http://www.itsanhonour.gov.au).

Conventions

TDIF documents referenced by this document are denoted in italics. For example, TDIF: 02 - Overview is a reference to the TDIF document titled ‘02 – Overview’.

The abbreviations and terms used in this document, including the key words “MUST”, “MUST NOT” and “MAY”, are to be interpreted as described in the current published version of the TDIF: 01 – Glossary of Abbreviations and Terms.

Contact us

The Digital Transformation Agency is committed to providing web accessible content wherever possible. This document has undergone an accessibility check; however, if you are having difficulties accessing the document, or have questions or comments regarding the document, please email the Director, Digital Identity Policy at [email protected].


Document management

The Trust Framework Accreditation Authority (TFAA) has reviewed and endorsed this document for release.

Change log

Version | Date | Author | Description of the changes
0.1 | Aug 2019 | SJP | Initial version
0.2 | Oct 2019 | SJP | Updated to incorporate feedback provided by stakeholders during the first round of collaboration on TDIF Release 4
0.3 | Dec 2019 | JS & SJP | Updated to incorporate feedback provided by stakeholders during the second round of collaboration on TDIF Release 4


Contents

1 Introduction   1
2 Fraud Control Requirements   2
  2.1 Accountable Authority   2
  2.2 Fraud risk assessments   2
  2.3 Fraud control plans   3
  2.4 Fraud prevention, awareness and training   3
  2.5 Fraud detection   4
  2.6 Fraud investigations   4
  2.7 Fraud reporting   6
  2.8 Support for victims of identity fraud   6
3 Privacy Requirements   7
  3.1 General privacy requirements   7
  3.2 Privacy governance   7
    3.2.1 Privacy roles   7
    3.2.2 Privacy Policy   8
    3.2.3 Privacy Management Plan   9
    3.2.4 Privacy awareness training   9
  3.3 Privacy Impact Assessment   10
  3.4 Data Breach Response Management   11
  3.5 Notice of Collection   11
  3.6 Collection and use limitation   12
  3.7 Limitation on use of behavioural information   12
  3.8 Collection and disclosure of biometrics   13
  3.9 Consent   13
  3.10 Cross border and contractor disclosure of personal information   14
  3.11 Government Identifiers   15
  3.12 Access, correction and individual history log   15
    3.12.1 Access   15
    3.12.2 Correction   16
    3.12.3 Individual history log   16
  3.13 Quality of personal information   16
  3.14 Handling Privacy Complaints   17
  3.15 Destruction and de-identification   17
4 Protective Security Requirements   18
  4.1 Protective Security Policy Framework   19
    4.1.1 Governance (GOVSEC)   19
    4.1.2 Information security (INFOSEC)   19
    4.1.3 Personnel security (PERSEC)   20
    4.1.4 Physical security (PHYSEC)   21
  4.2 Australian Government Information Security Manual   21
  4.3 Additional security requirements   22
5 User Experience Requirements   24
  5.1 Usability requirements   24
  5.2 Requirements for the identity verification journey   25
  5.3 Requirements for the authentication journey   26
  5.4 Usability test plans   27
  5.5 Conduct usability testing   27
  5.6 Accessibility requirements   28
6 Functional Assessments   29
  6.1 Applicant obligations   29
  6.2 Assessor skills, experience and independence   29
  6.3 Assessment process   29
  6.4 Assessment report   30


1 Introduction

Agencies and organisations that apply to be accredited under the Trusted Digital Identity Framework (TDIF) undergo a series of rigorous evaluations across all aspects of their identity system operations. This document defines the functional requirements to be met by Applicants in order to achieve TDIF accreditation.

• Fraud control requirements are listed in Section 2.
• Privacy requirements are listed in Section 3.
• Protective security requirements are listed in Section 4.
• User Experience requirements are listed in Section 5.
• Functional assessments are listed in Section 6.

The intended audience for this document includes:

• Potential Applicants for TDIF accreditation.
• Potential Relying Parties.
• Assessors.
• Participants.
• Vendors.


2 Fraud Control Requirements

These Fraud Control Requirements are taken from the Commonwealth Fraud Control Framework (CFCF)[1]. The purpose of these requirements is to ensure that there is a minimum standard Applicants must meet for managing risk and incidents of fraud. Applicants that undergo the TDIF Accreditation Process should note the following:

• References to ‘Agencies’, ‘Accountable Authority’, ‘Commonwealth Entities’, ‘Entities’, ‘Officials’ and ‘Australian Government’ in the CFCF are to be interpreted as references to the Applicant.
• The scope of the CFCF controls is limited to the identity service being accredited and not to the Applicant’s wider operating environment.

If there is a conflict between any requirement in these Fraud Control Requirements and the current edition of the CFCF, then the CFCF takes precedence.

[1] A copy of the CFCF is available at https://www.ag.gov.au/Integrity/counter-fraud/fraud-australia/Documents/CommonwealthFraudControlFramework2017.PDF

2.1 Accountable Authority

TDIF Req: FRAUD-02-01-01; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST appoint a senior executive as the designated Accountable Authority for managing fraud risks within their organisation.

TDIF Req: FRAUD-02-01-02; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST take all reasonable measures to prevent, detect and deal with fraud relating to its identity system.

TDIF Req: FRAUD-02-01-02a; Updated: Sep-19; Applicability: A, C, I, X
The Accountable Authority MUST demonstrate how its fraud control measures are applied to its identity system.

2.2 Fraud risk assessments

TDIF Req: FRAUD-02-02-01; Updated: Dec-19; Applicability: A, C, I, X


The Applicant MUST conduct fraud risk assessments at least annually and when there is a substantial change in the structure, functions or activities of the Applicant which impacts the operation of the system.

TDIF Req: FRAUD-02-02-02; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST review and refine its risk assessment strategies on an ongoing basis, considering its experience with continuing or emerging fraud vulnerabilities.

TDIF Req: FRAUD-02-02-03; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST assess the likely occurrence of fraud and its impact on its organisational objectives, core business and its identity system, and implement applicable controls.

2.3 Fraud control plans

TDIF Req: FRAUD-02-03-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST develop and implement a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment.

TDIF Req: FRAUD-02-03-02; Updated: Sep-19; Applicability: A, C, I, X
The Fraud Control Plan MUST include:

a) A summary of fraud risks and vulnerabilities associated with the Applicant.
b) Treatment strategies and controls put in place to manage fraud risks and vulnerabilities.
c) Information about implementing fraud control arrangements within the Applicant’s operating environment.
d) Strategies to ensure the Applicant meets its training and awareness needs.
e) Mechanisms for collecting, analysing and reporting fraud incidents.
f) Protocols for handling fraud incidents.
g) An outline of key roles and responsibilities for fraud control within the Applicant’s organisation.

2.4 Fraud prevention, awareness and training

TDIF Req: FRAUD-02-04-01; Updated: Sep-19; Applicability: A, C, I, X


The Applicant MUST ensure all personnel are made aware of what constitutes fraud in their organisation.

TDIF Req: FRAUD-02-04-02; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST demonstrate how it considers the risk of fraud when planning and conducting activities associated with the operation of its identity system.

TDIF Req: FRAUD-02-04-03; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST maintain appropriately documented instructions and procedures to assist personnel to prevent, detect, report and deal with fraud.

TDIF Req: FRAUD-02-04-04; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST ensure personnel primarily engaged in fraud control activities possess or attain relevant qualifications or training.

TDIF Req: FRAUD-02-04-05; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST conduct background checks, prior to commencement, on personnel with access to personal information to ensure that they do not have a history of misconduct and do not have ties to organised crime.

2.5 Fraud detection

TDIF Req: FRAUD-02-05-01; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST implement a mechanism for detecting incidents of fraud or suspected fraud, including a process for personnel and users to report suspected fraud confidentially.

2.6 Fraud investigations

TDIF Req: FRAUD-02-06-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST implement an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud.

TDIF Req: FRAUD-02-06-02; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST maintain documented procedures setting out criteria for making decisions at critical stages in managing a suspected fraud incident.

TDIF Req: FRAUD-02-06-03; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST have in place investigation and referral processes and procedures that are consistent with the Australian Government Investigations Standards 2011 (AGIS).


TDIF Req: FRAUD-02-06-04; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST appropriately document decisions to use civil, administrative or disciplinary procedures, or to take no further action, in response to a suspected fraud incident.

TDIF Req: FRAUD-02-06-05; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST take responsibility for investigating instances of fraud or suspected fraud against it, including investigating disciplinary matters, unless the matter is referred to and accepted by the Australian Federal Police (AFP) or another law enforcement agency.

TDIF Req: FRAUD-02-06-06; Updated: Sep-19; Applicability: A, C, I, X
Where a law enforcement agency declines a referral, the Applicant MUST resolve the matter in accordance with relevant internal and external requirements.

TDIF Req: FRAUD-02-06-07; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST refer all instances of potential or serious or complex fraud offences to the AFP in accordance with the AGIS and AFP referral process, except in the following circumstances:

a) Where legislation sets out specific alternative arrangements.
b) Where the Applicant:
   i. Has the capacity and the appropriate skills and resources needed to investigate potential criminal matters.
   ii. Meets the requirements of the AGIS for gathering evidence and the Commonwealth Director of Public Prosecutions (CDPP) in preparing briefs of evidence.

TDIF Req: FRAUD-02-06-08; Updated: Dec-19; Applicability: A, C, I, X
Fraud investigations MUST be carried out by appropriately qualified personnel as set out in the AGIS. If external investigators are engaged, they must as a minimum meet the investigations competency requirements set out in the AGIS.

TDIF Req: FRAUD-02-06-09; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST take all reasonable measures to recover financial losses caused by illegal activity through proceeds of crime and civil recovery processes or administrative remedies.


2.7 Fraud reporting

TDIF Req: FRAUD-02-07-01; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST implement a mechanism for recording and reporting incidents of fraud or suspected fraud to the Oversight Authority.

2.8 Support for victims of identity fraud

TDIF Req: FRAUD-02-08-01; Updated: Sep-19; Applicability: A, C, I
The Applicant MUST implement a process which allows users to notify it when they suspect or become aware of fraudulent use of their attributes, digital identity or authentication credential.

TDIF Req: FRAUD-02-08-02; Updated: Sep-19; Applicability: A, C, I
The Applicant MUST provide (either directly or through a third party) support services to users whose attributes, digital identity or authentication credential have been compromised.

TDIF Req: FRAUD-02-08-03; Updated: Dec-19; Applicability: A, C, I
The Applicant MUST prevent the continued fraudulent use of a user’s attributes, digital identity or authentication credential once the Applicant suspects or becomes aware of the fraudulent use.


3 Privacy Requirements

3.1 General privacy requirements

TDIF Req: PRIV-03-01-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST comply with its obligations under the Privacy Act, including the Australian Privacy Principles and the Australian Government Agencies Privacy Code or, where relevant, state or territory privacy legislation.

TDIF Req: PRIV-03-01-02; Updated: Sep-19; Applicability: A, C, I, X
If the Applicant is a small business operator as defined by the Privacy Act, and therefore exempt from the Privacy Act, it MUST opt in to coverage of the APPs as an organisation.

TDIF Req: PRIV-03-01-03; Updated: Sep-19; Applicability: A, C, I, X
Any state or territory government Applicant not covered by state privacy laws MUST comply with the APPs for the purpose of achieving and maintaining TDIF accreditation. This will be enforced by the Oversight Authority.

3.2 Privacy governance

3.2.1 Privacy roles

TDIF Req: PRIV-03-02-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST have at least one designated Privacy Officer who is the primary point of contact for advice on privacy matters.

TDIF Req: PRIV-03-02-01a; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST demonstrate how the following Privacy Officer functions are carried out:

a) Handling internal and external privacy enquiries and complaints.
b) Handling requests for access to and correction of personal information.
c) Maintaining a record of personal information holdings.
d) Assisting with the preparation of Privacy Impact Assessments (PIAs).
e) Maintaining a register of PIAs.


f) Measuring and documenting performance against the Privacy Management Plan, and reviewing and, where relevant, updating the Privacy Policy at least annually, as relevant to the TDIF.

TDIF Req: PRIV-03-02-02; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST have at least one designated Privacy Champion.

TDIF Req: PRIV-03-02-02a; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST demonstrate how their Privacy Champion promotes a culture of privacy that values and protects personal information.

TDIF Req: PRIV-03-02-02b; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST demonstrate how their Privacy Champion approves their privacy management plan and reviews the Applicant’s progress against the privacy management plan.

3.2.2 Privacy Policy

TDIF Req: PRIV-03-02-03; Updated: Sep-19; Applicability: I, X
The Applicant MUST have a privacy policy that is separate from that of its other business or agency functions.

TDIF Req: PRIV-03-02-04; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST publish a clearly expressed and up-to-date Privacy Policy about the management of personal information by the entity.

TDIF Req: PRIV-03-02-05; Updated: Sep-19; Applicability: A, C, I, X
The Applicant’s Privacy Policy MUST include information on:

a) The kinds of personal information that the entity collects and holds.
b) How the entity collects and holds personal information.
c) The purposes for which the Applicant collects, holds, uses and discloses personal information.
d) How an individual can access personal information about themselves that is held by the Applicant and how to seek the correction of such information.


e) How an individual can complain about a breach of the APPs (or a particular jurisdiction’s Privacy Principle) and how the Applicant will deal with such a complaint.
f) Whether the Applicant is likely to disclose personal information to overseas recipients and, if so, the countries in which such recipients are likely to be located (if it is practicable to do so).

TDIF Req: PRIV-03-02-06; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST review their Privacy Policy at least annually and update it as necessary.

3.2.3 Privacy Management Plan

TDIF Req: PRIV-03-02-07; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST develop and maintain a Privacy Management Plan that identifies measurable privacy goals and targets for its identity system and the practices, procedures and systems that will be implemented to achieve these targets and goals.

TDIF Req: PRIV-03-02-08; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST review and update their performance against their Privacy Management Plan at least annually.

3.2.4 Privacy awareness training

TDIF Req: PRIV-03-02-09; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST, on an annual basis, provide privacy awareness training which incorporates these privacy requirements to all personnel that access the Applicant’s identity system.

TDIF Req: PRIV-03-02-10; Updated: Sep-19; Applicability: A, C, I, X
The privacy awareness training provided by the Applicant MUST cover the Applicant’s Privacy Policy and Privacy Management Plan and include the key privacy requirements in the TDIF. ATO comment: It should also cover the core privacy requirements of the TDIF.


3.3 Privacy Impact Assessment

TDIF Req: PRIV-03-03-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST commission an Assessor to conduct a Privacy Impact Assessment[2] on their identity system.

[2] See the Office of the Australian Information Commissioner website for further information and guidance on undertaking PIAs.

TDIF Req: PRIV-03-03-02; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST conduct a Privacy Impact Assessment on all high-risk projects related to their identity system.

TDIF Req: PRIV-03-03-03; Updated: Sep-19; Applicability: A, C, I, X
The Privacy Impact Assessment conducted MUST:

a) Be undertaken early enough to influence the design of the identity system.
b) Reflect consultation with relevant stakeholders.
c) Include a description of the proposed identity system.
d) Map the identity system’s personal information flows.
e) Include an analysis of risks of non-compliance with relevant privacy laws and these TDIF Privacy Requirements.
f) Include an analysis of the impact of the project on the privacy of individuals.
g) Include an analysis of whether privacy impacts are necessary or avoidable.
h) Include an analysis of possible mitigations to privacy risks.
i) Include recommendations.

TDIF Req: PRIV-03-03-04; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST respond in writing, at a senior management level, to the recommendations outlined in the PIA, including whether the recommendations are accepted, the reasons for any non-acceptance and the timeframe for implementation of the recommendations.

TDIF Req: PRIV-03-03-05; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST maintain a register of the PIAs it conducts.

TDIF Req: PRIV-03-03-05a; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST publish the register, or a version of the register, on its website.

TDIF Req: PRIV-03-03-06; Updated: Sep-19; Applicability: A, C, I, X


The Applicant’s TDIF accredited system MUST undergo a Privacy Assessment (which is separate to and follows on from the PIA).

3.4 Data Breach Response Management

TDIF Req: PRIV-03-04-01; Updated: Sep-19; Applicability: A, C, I, X
An Applicant, whether or not covered by the Privacy Act 1988, MUST report eligible data breaches to affected individuals and the Information Commissioner as required under the Privacy Act 1988[3], and also report the eligible data breach to the Oversight Authority.

[3] See Part IIIC of https://www.legislation.gov.au/Details/C2019C00025 for the definition of an eligible data breach, including exceptions to reporting.

TDIF Req: PRIV-03-04-02; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST develop and maintain a Data Breach Response Plan that includes a description of the actions to be taken if a breach is suspected, discovered, or reported by a staff member or external party, including a clear communication plan and information about when it is to be escalated to the data breach response team (response team) or third party.

TDIF Req: PRIV-03-04-03; Updated: Sep-19; Applicability: A, C, I, X
The Data Breach Response Plan MUST:

a) List the roles or members of the response team.
b) List the actions the response team is expected to take.
c) Describe how the actions and roles in the plan align to the Applicant’s Incident Response Plan[4].

[4] See Part D - Protective Security for further information on the Incident Response Plan.

3.5 Notice of Collection

TDIF Req: PRIV-03-05-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST publish a Notice of Collection that is fully compliant with APP 5.

Page 17: 04 - Functional Requirements... · Functional Requirements 2 . OFFICIAL 17 . 2 Fraud ontr ol Requirements. 18 These Fraud Control Requirements are taken from the Commonwealth Fraud

Digital Transformation Agency — TDIF: 04 – Functional Requirements 12

OFFICIAL

3.6 Collection and use limitation

TDIF Req: PRIV-03-06-01; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST only collect personal information that it is permitted to collect under law and that is reasonably necessary for one or more of its functions or activities directly relating to identity verification.

TDIF Req: PRIV-03-06-02; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST only collect personal information by lawful and fair means.

TDIF Req: PRIV-03-06-03; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST only collect personal information from the individual or their representative, unless it is unreasonable or impractical to do so.

TDIF Req: PRIV-03-06-04; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST only collect sensitive information where it is required or authorised by or under an Australian law or court order, or is otherwise authorised under APP 3.4.

TDIF Req: PRIV-03-06-05; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST NOT use personal information for direct marketing purposes.

TDIF Req: PRIV-03-06-06; Updated: Sep-19; Applicability: X

The Applicant MUST publish in an open and accessible manner an annual 'Transparency Report' that discloses the scale, scope and reasons for access to personal information (including metadata) by an enforcement body, as defined in the Privacy Act 1988.

TDIF Req: PRIV-03-06-07; Updated: Sep-19; Applicability: X

The Applicant MUST NOT retain users' attributes once they are passed from an Identity Service Provider to a Relying Party.

3.7 Limitation on use of behavioural information

TDIF Req: PRIV-03-07-01; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST only collect, use and disclose information about an individual's behaviour on the identity federation to:
a) Verify the identity of an individual and assist them to get a service.
b) Support identity fraud management functions.
c) Improve the performance or usability of the Applicant's product.
d) De-identify the data to create aggregate data.

3.8 Collection and disclosure of biometrics

TDIF Req: PRIV-03-08-01; Updated: Sep-19; Applicability: I

The Applicant MUST only collect sensitive information [5] (including biometric information) as outlined in APP 3.3 and 3.4.

TDIF Req: PRIV-03-08-02; Updated: Sep-19; Applicability: I

A biometric collected to prove an individual's identity MUST be destroyed once the biometric has been used to prove identity (for example, it has been matched against a source photograph), unless the biometric is a photograph and:
• The individual chooses to retain the biometric to affix to a digital identity document or wallet (such as a digital driver licence or an attribute wallet stored on the individual's device and controlled by them), or
• The biometric is collected or was collected to create a government identity document (for example, where a road authority is both a driver licence issuer and an Identity Service Provider).

TDIF Req: PRIV-03-08-03; Updated: Sep-19; Applicability: I

A biometric collected to prove an individual's identity MUST NOT be used or disclosed for purposes other than those listed in TDIF Req: PRIV-03-11-02.

3.9 Consent

TDIF Req: PRIV-03-09-01; Updated: Sep-19; Applicability: I [6], X

The Applicant MUST obtain express consent from an individual prior to disclosing attributes to a Relying Party or any third party.

TDIF Req: PRIV-03-09-01a; Updated: Sep-19; Applicability: X

The Applicant MUST only disclose the minimum identity attributes required for the Relying Party's transaction.

5 As defined by the Privacy Act 1988.
6 If the Identity Service Provider connects directly with a Relying Party, it is required to obtain express consent prior to the disclosure. If the connection to the Relying Party is brokered by an Identity Exchange, express consent may be obtained by the Identity Exchange on behalf of the Identity Service Provider.

TDIF Req: PRIV-03-09-02; Updated: Sep-19; Applicability: I

The Applicant MUST allow an individual to withdraw their consent to further use of the system.

TDIF Req: PRIV-03-09-02a; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST demonstrate how this consent withdrawal process is straightforward and easy to use.

TDIF Req: PRIV-03-09-03; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST maintain auditable logs that demonstrate that consent was obtained and is current.

TDIF Req: PRIV-03-09-03a; Updated: Sep-19; Applicability: A, C, I, X

The auditable logs MUST NOT contain biometric information.
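PRIV-03-09-03 and PRIV-03-09-03a say what the consent log must demonstrate but not how to build one. The following Python is an added example, not TDIF text and not any Applicant's code: it records consent grants and withdrawals as a hash-chained log so that an auditor can detect edited or reordered records, replays the log to answer whether consent is current for a given attribute and Relying Party, and refuses any record that carries a field from a hypothetical denylist of biometric field names. The pseudonymous subject identifier, the attribute names, the denylist and the sample events are all assumptions constructed for the illustration.

```python
"""Consent audit log with a tamper-evident hash chain and a guard that
refuses to record biometric data. Added illustration, not TDIF text.

Assumptions made for this example (none are specified by the TDIF):
- a 'subject' is a pseudonymous identifier for the individual;
- attributes are referenced by name (e.g. "given_name"), never by value;
- BIOMETRIC_FIELDS is a hypothetical denylist of field names that would
  carry biometric information if they appeared in a log record.
"""
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical denylist: any record containing one of these keys is refused.
BIOMETRIC_FIELDS = frozenset({
    "face_image", "face_template", "selfie", "fingerprint_template",
    "iris_template", "voice_sample",
})
GENESIS = "0" * 64  # prev_hash of the first record


class BiometricInLogError(ValueError):
    """Raised when a record would place biometric information in the log."""


def _reject_biometric_keys(obj) -> None:
    """Walk nested dicts/lists and refuse any key on the denylist."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if str(key).lower() in BIOMETRIC_FIELDS:
                raise BiometricInLogError(
                    f"field {key!r} is biometric information and may not be logged")
            _reject_biometric_keys(value)
    elif isinstance(obj, list):
        for item in obj:
            _reject_biometric_keys(item)


def _event_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous hash and a canonical JSON encoding of body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def record_consent(log: list, *, subject: str, rp: str, action: str,
                   attributes: list, extra: dict = None, ts: str = None) -> dict:
    """Append a grant/withdraw event. An empty attribute list on a withdraw
    means 'withdraw everything previously granted to this RP'."""
    if action not in ("grant", "withdraw"):
        raise ValueError("action must be 'grant' or 'withdraw'")
    body = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "subject": subject,
        "rp": rp,
        "action": action,
        "attributes": sorted(attributes),
        "extra": extra or {},
    }
    _reject_biometric_keys(body)  # no biometric information in the log
    prev = log[-1]["hash"] if log else GENESIS
    event = dict(body, prev_hash=prev, hash=_event_hash(prev, body))
    log.append(event)
    return event


def consent_is_current(log: list, *, subject: str, rp: str, attribute: str) -> bool:
    """Replay the log for one (subject, RP) pair; the latest relevant event wins."""
    state = False
    for ev in log:
        if ev["subject"] != subject or ev["rp"] != rp:
            continue
        if attribute in ev["attributes"]:
            state = ev["action"] == "grant"
        elif ev["action"] == "withdraw" and not ev["attributes"]:
            state = False
    return state


def verify_chain(log: list) -> bool:
    """Recompute every hash; any edited or reordered record breaks the chain."""
    prev = GENESIS
    for ev in log:
        body = {k: v for k, v in ev.items() if k not in ("prev_hash", "hash")}
        if ev["prev_hash"] != prev or ev["hash"] != _event_hash(prev, body):
            return False
        prev = ev["hash"]
    return True


if __name__ == "__main__":
    # Constructed sample events, not taken from any real system.
    log = []
    record_consent(log, subject="sub-1", rp="rp-a", action="grant",
                   attributes=["given_name", "date_of_birth"])
    print(consent_is_current(log, subject="sub-1", rp="rp-a", attribute="given_name"))
    record_consent(log, subject="sub-1", rp="rp-a", action="withdraw", attributes=[])
    print(consent_is_current(log, subject="sub-1", rp="rp-a", attribute="given_name"))
    print(verify_chain(log))
```

The denylist is deliberately applied to keys rather than values: attribute names are logged, attribute values are not, so a face image cannot reach the log by accident through a free-form field. Running the chain verification over the stored records is the check an assessor would want as evidence for PRIV-03-09-03, rather than taking the records at face value.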

TDIF Req: PRIV-03-09-04; Updated: Sep-19; Applicability: I

The Applicant MUST inform individuals of other channels available to verify identity and make clear to the user what the consequences are of declining to provide consent or the required information.

TDIF Req: PRIV-03-09-05; Updated: Sep-19; Applicability: I

The Applicant MUST obtain consent to verify identity attributes against an Authoritative Source, for example through services such as the Document Verification Service or Facial Verification Service.

3.10 Cross border and contractor disclosure of personal information

TDIF Req: PRIV-03-10-01; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST demonstrate how it complies with APP 8 - cross border disclosure of personal information [7].

TDIF Req: PRIV-03-10-02; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST take reasonable steps to ensure an overseas recipient of personal information used to run the service only uses the personal information for purposes directly related to identity verification.

TDIF Req: PRIV-03-10-02a; Updated: Sep-19; Applicability: A, C, I, X

If it discloses personal information to an overseas recipient, the Applicant MUST demonstrate it has appropriate contractual and practical measures to ensure the overseas recipient complies with these TDIF Privacy Requirements.

7 See Australian Privacy Principle 8 at www.legislation.gov.au/Details/C2017C00283

3.11 Government Identifiers

TDIF Req: PRIV-03-11-01; Updated: Sep-19; Applicability: X

The Applicant MUST NOT create a new government identifier that is used across the identity federation (i.e. an identifier that is sent to more than one Relying Party or Identity Service Provider).
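The usual way an Identity Exchange meets PRIV-03-11-01 is to derive a different identifier for each Relying Party rather than forwarding one identifier everywhere. The following Python is an added example, not TDIF text and not the code of any accredited exchange: it derives a per-RP identifier with HMAC-SHA256 under a key that only the exchange holds, and includes a check that scans a batch of issued assertions for any identifier that reached more than one RP. The key, the subject and RP identifiers and the assertion batch are constructed for the illustration.

```python
"""Pairwise (per Relying Party) identifiers for an Identity Exchange.
Added illustration, not TDIF text.

Assumptions made for this example (none are specified by the TDIF):
- the exchange holds one long-lived secret key used only for this derivation;
- 'subject_id' is the exchange's internal, never-disclosed identifier;
- 'rp_id' is a stable name for the Relying Party (a sector or client id).
"""
import base64
import hashlib
import hmac
from collections import defaultdict


def pairwise_identifier(subject_id: str, rp_id: str, exchange_key: bytes) -> str:
    """Derive an identifier that is stable for one (subject, RP) pair.

    Keyed HMAC means two RPs cannot join their user records by comparing
    identifiers, and nobody without the key can confirm a guessed
    subject_id by recomputing. The NUL separator stops (rp="ab", sub="c")
    and (rp="a", sub="bc") from hashing the same bytes.
    """
    if not subject_id or not rp_id:
        raise ValueError("subject_id and rp_id must be non-empty")
    msg = rp_id.encode() + b"\x00" + subject_id.encode()
    mac = hmac.new(exchange_key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def identifiers_shared_across_rps(assertions) -> set:
    """Given (rp_id, identifier) pairs from issued assertions, return every
    identifier that was sent to more than one RP: the federation-wide
    identifier PRIV-03-11-01 forbids."""
    rps_by_identifier = defaultdict(set)
    for rp_id, identifier in assertions:
        rps_by_identifier[identifier].add(rp_id)
    return {ident for ident, rps in rps_by_identifier.items() if len(rps) > 1}


if __name__ == "__main__":
    # Constructed sample data, not taken from any real deployment.
    key = b"constructed-example-key-not-for-production"
    subject = "sub-123"
    # Forwarding the internal identifier to every RP is the anti-pattern.
    naive = [("rp-a", subject), ("rp-b", subject)]
    print("naive:", identifiers_shared_across_rps(naive))
    # Pairwise derivation gives each RP its own identifier.
    pairwise = [(rp, pairwise_identifier(subject, rp, key)) for rp in ("rp-a", "rp-b")]
    print("pairwise:", identifiers_shared_across_rps(pairwise))
```

Because the derivation is keyed, the exchange remains the only party able to map a pairwise identifier back to the underlying subject, which the fraud management and individual history log functions (3.7, 3.12.3) still need; a plain unkeyed hash of subject and RP would not give that property, since anyone holding a candidate subject identifier could recompute it.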

3.12 Access, correction and individual history log

3.12.1 Access

TDIF Req: PRIV-03-12-01; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST, on request by an individual, give that individual access to the personal information it holds about the individual, unless an exception is available under APP 12 (APP 12.2 for Commonwealth agencies and APP 12.3 for other Applicants).

TDIF Req: PRIV-03-12-02; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST respond to a request for access to personal information within 30 days after the request is received.

TDIF Req: PRIV-03-12-03; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST give access to the personal information in the manner requested by the individual, if it is reasonable, secure and practicable to do so.

TDIF Req: PRIV-03-12-04; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST provide access at no cost to the individual.

TDIF Req: PRIV-03-12-05; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST, where access is refused, take steps to meet the needs of the individual and provide a written notice as set out in APP 12.

3.12.2 Correction

TDIF Req: PRIV-03-12-06; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST allow individuals to correct their personal information as set out in APP 13.

TDIF Req: PRIV-03-15-07; Updated: Sep-19; Applicability: A, C, I

The Applicant MUST provide individuals with a simple means to review and update their personal information on an ongoing basis.

3.12.3 Individual history log

TDIF Req: PRIV-03-12-08; Updated: Sep-19; Applicability: X

The Applicant MUST provide individuals with a centralised view of the metadata of services the individual accessed, the time of access and the attributes passed to the service, unless already destroyed by the Applicant.

3.13 Quality of personal information

TDIF Req: PRIV-03-13-01; Updated: Sep-19; Applicability: A, C, I

An Applicant MUST take reasonable steps to ensure the quality of personal information, as outlined in APP 10.

TDIF Req: PRIV-03-13-02; Updated: Sep-19; Applicability: I

The Applicant MUST implement internal practices, procedures and systems (including training staff in these practices, procedures and systems) to audit, monitor, identify and correct poor-quality personal information.

TDIF Req: PRIV-03-13-03; Updated: Sep-19; Applicability: I

The Applicant MUST ensure updated or new personal information is promptly added to relevant existing records.

3.14 Handling Privacy Complaints

TDIF Req: PRIV-03-14-01; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST provide a complaints service which:
a) Is readily accessible, including prominent contact information about the service.
b) Is fair, including a process that is impartial, confidential and transparent.
c) Has a process that is timely, clear and can provide a remedy where applicable.
d) Has skilled and professional people who have knowledge of privacy laws, these TDIF Privacy Requirements and the complaint service process.
e) Is integrated with other complaint handling bodies (e.g. other Participants of the identity federation) as required, so it can assist the user and refer complaints.

TDIF Req: PRIV-03-14-02; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST provide a complaints service which publishes de-identified information and analysis about complaints.

3.15 Destruction and de-identification

TDIF Req: PRIV-03-15-01; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST demonstrate it takes reasonable steps to destroy or de-identify [8] personal information in line with APP 11.2.

8 De-identification is defined at section 6 of the Privacy Act and destruction is explained in the OAIC's Australian Privacy Principle Guidelines under the heading

4 Protective Security Requirements

These Protective Security Requirements do not replace, remove or diminish existing government agency or organisation obligations for cyber security. Rather, they supplement existing obligations and apply specifically to identity services that undergo the TDIF Accreditation Process.

Several requirements listed in this section align with cyber security advice, guidance, policies and publications developed by the Australian Government. This includes the Australian Government Protective Security Policy Framework (PSPF) [9], developed by the Commonwealth Attorney-General's Department, and the Information Security Manual (ISM) [10], developed by the Australian Cyber Security Centre (ACSC).

Applicants that undergo the TDIF Accreditation Process should note the following:
• References to ‘Entities’, ‘Agencies’, ‘Accountable Authority’ or ‘Australian Government’ in the PSPF or ISM are to be interpreted as references to the Applicant.
• References to PSPF or ISM controls that are applicable to an agency are to be interpreted as being applicable to the Applicant.
• The scope of PSPF or ISM controls is limited to the identity service being accredited and not to the Applicant’s wider operating environment.
• At a minimum the Applicant must handle all information as ‘sensitive information’ (OFFICIAL: Sensitive) unless the Applicant has determined a higher security classification is required. See PSPF INFOSEC-08 for further information on the sensitive and security classification of information.

If there is conflict between:
• Any requirement in these Protective Security Requirements and the current edition of the PSPF, then the PSPF takes precedence.
• Any requirement listed in these Protective Security Requirements and the current edition of the ISM, then the ISM takes precedence.

9 A copy of the PSPF is available at https://www.protectivesecurity.gov.au/
10 A copy of the ISM is available at https://www.cyber.gov.au/ism

4.1 Protective Security Policy Framework

4.1.1 Governance (GOVSEC)

TDIF Req: PROT-04-01-01; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST meet the following PSPF requirements listed in GOVSEC-02 Management structures and responsibilities:
a) Core requirement - B.1.
b) Security advisors - B.2 (requirement 1).
c) Security procedures - B.2 (requirement 2).
d) Reporting security incidents - B.2 (requirement 3).
e) Security training - B.2 (requirement 4).
f) Specific training - B.2 (requirement 5).
g) General email - B.2 (requirement 6).

TDIF Req: PROT-04-01-02; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST meet the following PSPF requirements listed in GOVSEC-03 Security Planning and Risk Management:
a) Core requirement - B.1.
b) Security plan review - B.2 (requirement 1).
c) Critical assets - B.2 (requirement 2).
d) Risk steward - B.2 (requirement 3).
e) Impact of risks - B.2 (requirement 4).
f) Alternative mitigations - B.2 (requirement 6).

TDIF Req: PROT-04-01-03; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST meet the following PSPF requirements listed in GOVSEC-04 Security maturity monitoring:
a) Core requirement - B.1.
b) Security maturity records - B.2 (requirement 1).

4.1.2 Information security (INFOSEC)

TDIF Req: PROT-04-01-04; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST meet the following PSPF requirements listed in INFOSEC-08 Sensitive and classified information:
a) Core requirement - B.1.
b) Identifying information holdings - B.2 (requirement 1).
c) Assessing sensitive and security classified information - B.2 (requirement 2).
d) Storage - B.2 (requirement 7).
e) Transfer - B.2 (requirement 8).
f) Disposal - B.2 (requirement 9).

TDIF Req: PROT-04-01-05; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST meet the following PSPF requirements listed in INFOSEC-09 Access to information:
a) Core requirement - B.1.
b) Limiting access to sensitive and security classified information and resources - B.2 (requirement 2).
c) Managing access to information systems - B.2 (requirement 5).

TDIF Req: PROT-04-01-06; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST meet the following PSPF requirements listed in INFOSEC-10 Safeguarding information from cyber threats:
a) Core requirement - B.1.
b) Transacting online with the public - B.2 (requirement 1).

TDIF Req: PROT-04-01-07; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST meet the following PSPF requirements listed in INFOSEC-11 Robust ICT systems:
a) Core requirement - B.1.
b) ICT systems - B.2 (requirement 1).
c) Certification and accreditation - B.2 (requirement 2).
d) System monitoring - B.2 (requirement 3).

4.1.3 Personnel security (PERSEC)

TDIF Req: PROT-04-01-08; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST meet the following PSPF requirements listed in PERSEC-12 Eligibility and suitability of personnel:
a) Pre-employment screening - B.2 (requirement 1).

TDIF Req: PROT-04-01-09; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST meet the following PSPF requirements listed in PERSEC-13 Ongoing assessment of personnel:
a) Core requirement - B.1.

TDIF Req: PROT-04-01-10; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST meet the following PSPF requirements listed in PERSEC-14 Separating personnel:
a) Withdrawal of access - B.2 (requirement 2).
b) Risk assessment - B.2 (requirement 3).

4.1.4 Physical security (PHYSEC)

TDIF Req: PROT-04-01-11; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST meet the following PSPF requirements listed in PHYSEC-15 Physical security for entity resources:
a) Core requirement - B.1.
b) Physical security measures - B.2 (requirement 1).
c) Security containers, cabinets and rooms - B.2 (requirement 2).
d) Disposal - B.2 (requirement 3).

TDIF Req: PROT-04-01-12; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST meet the following PSPF requirements listed in PHYSEC-16 Entity facilities:
a) Core requirement - B.1.

4.2 Australian Government Information Security Manual

As per ACCRED-04-01-03 in the TDIF: 03 – Accreditation Process, the Applicant must establish a Statement of Applicability (SoA) for its identity system, which includes a list of controls from the Australian Government Information Security Manual (ISM) it will implement. At a minimum, the SoA must include:
• All ISM controls listed in the PSPF (as per Section 4.1 above).
• The Essential Eight.
• All other requirements listed in Section 4.3 below.

The SoA will form the basis of the Applicant's Information Security Registered Assessor Program (IRAP) Assessment (as per PROT-04-03-02).

4.3 Additional security requirements

TDIF Req: PROT-04-03-01; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST implement the Australian Cyber Security Centre's Essential Eight.

TDIF Req: PROT-04-03-02; Updated: Sep-19; Applicability: A, C, I, X

The Applicant's identity system MUST undergo an independent IRAP assessment by an approved IRAP Assessor.

TDIF Req: PROT-04-03-03; Updated: Sep-19; Applicability: A, C, I, X

The Applicant's identity system MUST undergo a penetration test as part of each major production release.

TDIF Req: PROT-04-03-04; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST maintain a disaster recovery and business continuity plan for their identity system that covers:
a) Business continuity governance.
b) Training requirements for recovery team members.
c) Recovery objectives and priorities.
d) Continuity strategies.
e) Testing requirements and restoration procedures.

TDIF Req: PROT-04-03-05; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST maintain a cryptographic key management plan for their identity system which covers:
a) Cryptographic key lifecycle management over the lifecycle of the key (generation, delivery, renewal, revocation, etc.).
b) How records will be maintained and audited.
c) The conditions under which compromised keys will be declared.
d) Maintenance of cryptographic components.
e) Evidence of cryptographic evaluations undertaken.

5 User Experience Requirements

5.1 Usability requirements

TDIF Req: UX-05-01-01; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST demonstrate how users of their identity system can also use other available channels if needed, without repetition or confusion.

TDIF Req: UX-05-01-02; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST demonstrate how users of their identity system with low digital skills can have readily available access to assisted digital support.

TDIF Req: UX-05-01-03; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST demonstrate how their identity system is built with responsive design methods to support common devices and browsers, including desktop and mobile devices.

TDIF Req: UX-05-01-04; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST allow individuals to provide feedback, seek assistance or otherwise resolve disputes or complaints.

TDIF Req: UX-05-01-05; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST create and maintain an individual end-to-end journey map [11] for their service.

TDIF Req: UX-05-01-05a; Updated: Sep-19; Applicability: I

Where the Applicant cannot support an individual's technology preference, the individual journey map MUST indicate how an individual will use an alternative channel to complete a specific activity.

TDIF Req: UX-05-01-06; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST ensure information it provides to individuals is available in multiple accessible formats, including accessible online formats (such as HTML), large print format, Easy English, and braille (on request).

TDIF Req: UX-05-01-07; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST provide individuals with uncomplicated ways to learn about its identity system on digital channels.

11 An individual journey map is a visualisation or diagram (or several diagrams) that depicts the stages and interfaces that a person goes through when interacting with the identity system in order to accomplish their goal.

5.2 Requirements for the identity verification journey

TDIF Req: UX-05-02-01; Updated: Sep-19; Applicability: I

The Applicant MUST provide individuals with information about the entire identity management process, including what to expect in each step of the individual journey and what they will need to do in order to complete each step.

TDIF Req: UX-05-02-02; Updated: Sep-19; Applicability: I

The Applicant MUST provide individuals with information on technical requirements (for example, requirements for internet access, or access to a mobile phone or webcam).

TDIF Req: UX-05-02-03; Updated: Sep-19; Applicability: I

The Applicant MUST provide individuals with information on the required identity documents, whether each piece is mandatory, and the consequences of not providing the complete set of required documents. Individuals need to know the specific combinations of identity documents that are acceptable.

TDIF Req: UX-05-02-04; Updated: Sep-19; Applicability: I

If a code or number is issued as part of the identity verification process, the Applicant MUST notify individuals in advance that they will receive a digital code or number and what to do with it.

TDIF Req: UX-05-02-05; Updated: Sep-19; Applicability: I

The Applicant MUST advise individuals whether the identity verification process has been successfully completed.

TDIF Req: UX-05-02-05a; Updated: Sep-19; Applicability: I

If verification is successful, the Applicant MUST send individuals confirmation of the successful verification and information on next steps.

TDIF Req: UX-05-02-05b; Updated: Sep-19; Applicability: I

If verification is partially complete [12], the Applicant MUST communicate to individuals what information will be discarded.

TDIF Req: UX-05-02-05c; Updated: Sep-19; Applicability: I

If verification is unsuccessful, the Applicant MUST provide individuals with information on alternative options, for example offering an over-the-counter identity verification process if they were unable to complete the digital identity verification process.

TDIF Req: UX-05-02-06; Updated: Sep-19; Applicability: I

The Applicant MUST provide online help options for individuals who need assistance during the identity verification process.

TDIF Req: UX-05-02-07; Updated: Sep-19; Applicability: I

The Applicant MUST provide support to individuals who do not have the technology or capacity to create a digital identity, for example by providing support via a shop front or call centre.

TDIF Req: UX-05-02-08; Updated: Sep-19; Applicability: I

The Applicant MUST provide clear instructions on how an individual can update their personal details collected as part of the identity verification process.

5.3 Requirements for the authentication journey

TDIF Req: UX-05-03-01; Updated: Sep-19; Applicability: C

The Applicant MUST provide individuals with relevant information for the use and maintenance of the authentication credential. For example, this may include instructions for use, information on credential expiry, and what to do if the credential is forgotten or stolen.

TDIF Req: UX-05-03-02; Updated: Sep-19; Applicability: C

The Applicant MUST enable individuals to recover authentication credentials if they have been lost or forgotten. Additionally, the recovery mechanism must be as strong as the initial credential provisioning process.

12 A partially complete identity verification may occur due to individuals not having the complete set of identity evidence, individuals choosing to stop the process, or session timeouts.

Page 32: 04 - Functional Requirements... · Functional Requirements 2 . OFFICIAL 17 . 2 Fraud ontr ol Requirements. 18 These Fraud Control Requirements are taken from the Commonwealth Fraud

Digital Transformation Agency — TDIF: 04 – Functional Requirements 27

OFFICIAL

5.4 Usability test plans

TDIF Req: UX-05-04-01; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST document, by way of a test plan, how they will conduct usability testing.

TDIF Req: UX-05-04-01a; Updated: Dec-19; Applicability: A, C, I, X

The Applicant’s usability test plan MUST:

a) Describe the test objectives, usability goals, and usability metrics that will be captured.

b) Describe the number of test participants, how they will be recruited and the cohort to which they belong.

c) Document the approach and the methodology used to conduct the tests. This is required to indicate what is working, pain points and where improvements are needed.

d) Document representative scenarios for testing, on both desktop and mobile devices.

e) Identify a range of representative individuals of the identity system.

TDIF Req: UX-05-04-01b; Updated: Sep-19; Applicability: A, C, I, X

This representative range MUST include:

a) Individuals with disability.

b) Older individuals.

c) Individuals who use assistive technologies.

d) Individuals with low literacy.

e) Individuals from culturally and linguistically diverse backgrounds.

f) Individuals who are Aboriginal or Torres Strait Islander.

g) Individuals from regional and remote areas.

h) Older technology and low bandwidth connections.

TDIF Req: UX-05-04-01c; Updated: Sep-19; Applicability: A, C, I, X

This representative range MUST be gender neutral.

5.5 Conduct usability testing

TDIF Req: UX-05-05-01; Updated: Sep-19; Applicability: A, C, I, X


The Applicant MUST use experienced researchers to test its service. (An experienced individual researcher is highly skilled in identifying individual needs, conducting usability tests, and feeding insights back to the product team.)

TDIF Req: UX-05-05-02; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST continually test as the identity system is developed or refined.

TDIF Req: UX-05-05-03; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST test the identity system from end to end, in an environment that replicates the live environment, and include both desktop and mobile devices with a range of representative individuals.

TDIF Req: UX-05-05-04; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST document the outcomes of its testing, including test methodology(s), test results, findings and recommendations.

5.6 Accessibility requirements

TDIF Req: UX-05-06-01; Updated: Dec-19; Applicability: A, C, I, X

The Applicant’s TDIF accredited system MUST, at a minimum, meet the international accessibility standard Web Content Accessibility Guidelines (WCAG), version 2.0 to the AA standard.

TDIF Req: UX-05-06-02; Updated: Sep-19; Applicability: A, C, I, X

The Applicant’s TDIF accredited system MUST be presented in a clear and concise manner, using plain language that is easy to understand and accessible across all devices.


6 Functional Assessments

The Applicant is required to undergo a series of functional assessments by suitably skilled and experienced assessors. These functional assessments include:

• A Privacy Assessment.

• An IRAP Assessment.

• An assessment against the WCAG, version 2.0 to the AA standard.

6.1 Applicant obligations

TDIF Req: ASSESS-06-01-01; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST demonstrate they’ve met each functional assessment.

TDIF Req: ASSESS-06-01-02; Updated: Dec-19; Applicability: A, C, I, X

The Applicant MUST define the scope [13], objectives and criteria for each functional assessment and provide this to the TFAA as part of their Accreditation Plan.

6.2 Assessor skills, experience and independence

TDIF Req: ASSESS-06-02-01; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST demonstrate how the assessor has relevant, reasonable and adequate experience, training and qualifications to conduct the Assessment.

TDIF Req: ASSESS-06-02-02; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST demonstrate how the assessor is independent from the development and operational teams of the Applicant’s TDIF accredited system.

6.3 Assessment process

TDIF Req: ASSESS-06-03-01; Updated: Dec-19; Applicability: A, C, I, X

[13] In the context of the IRAP Assessment this refers to the ‘Statement of Applicability’.


The Applicant MUST ensure the assessor has access to and considers all relevant evidence provided by the Applicant to the TFAA. This includes any responses to questions which may have been asked.

TDIF Req: ASSESS-06-03-02; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST ensure the assessor conducts the functional assessment.

TDIF Req: ASSESS-06-03-02a; Updated: Sep-19; Applicability: A, C, I, X

The functional assessment MUST include:

a) Documentation reviews.

b) Interviews with key personnel.

c) A run through of the Applicant’s identity system.

TDIF Req: ASSESS-06-03-02b; Updated: Sep-19; Applicability: A, C, I, X

The functional assessment MAY include a site visit.

TDIF Req: ASSESS-06-03-03; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST ensure the assessor provides them with a reasonable opportunity to respond to the assessment findings, including the actions and timeframes in which remediation actions will occur. This is required if non-compliance issues are identified.

6.4 Assessment report

TDIF Req: ASSESS-06-04-01; Updated: Sep-19; Applicability: A, C, I, X

The Applicant MUST ensure the assessor documents the outcomes of the assessment in an Assessment Report.

TDIF Req: ASSESS-06-04-01a; Updated: Dec-19; Applicability: A, C, I, X

The Applicant’s Assessment Report MUST include:

A summary of the activities performed during the assessment.

a) The test or evaluation methodology(s) used.

b) The test or evaluation results.

c) Findings [14].

d) Remediation actions or recommendations to address any areas of non-compliance.

[14] The Applicant MUST provide a copy of the full findings report [not an executive summary or redacted version of the report] to the TFAA.


e) Advise whether the Applicant’s TDIF accredited system complies with the assessment criteria, including any requirements that could not be adequately assessed due to access or timing issues.

f) The Applicant’s response to the assessment findings, including what actions they’ll take to remediate adverse findings and the dates by when these actions will be implemented.