OFFICIAL
04 - Functional Requirements
Trusted Digital Identity Framework (TDIF) Release 4 (R4) December 2019, version 0.3
CONSULTATION DRAFT
Digital Transformation Agency — TDIF Release 4 Consultation Draft iii
Digital Transformation Agency
This work is copyright. Apart from any use as permitted under the Copyright Act 1968
and the rights explicitly granted below, all rights are reserved.
Licence
With the exception of the Commonwealth Coat of Arms and where otherwise noted,
this product is provided under a Creative Commons Attribution 4.0 International
Licence. (http://creativecommons.org/licenses/by/4.0/legalcode)
This licence lets you distribute, remix, tweak and build upon this work, even
commercially, as long as you credit the DTA for the original creation. Except where
otherwise noted, any reference to, reuse or distribution of part or all of this work must
include the following attribution:
Trusted Digital Identity Framework (TDIF)™: 04 – Functional Requirements ©
Commonwealth of Australia (Digital Transformation Agency) 2019
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the It’s an Honour website (http://www.itsanhonour.gov.au)
Conventions
TDIF documents referenced by this document are denoted in italics. For example,
TDIF: 02 – Overview is a reference to the TDIF document titled ‘02 – Overview’.
The abbreviations and terms used in this document including the key words “MUST”,
“MUST NOT”, and “MAY” are to be interpreted as described in the current published
version of the TDIF: 01 – Glossary of Abbreviations and Terms.
Contact us
The Digital Transformation Agency is committed to providing web accessible content wherever possible. This document has undergone an accessibility check; however, if you are having difficulties accessing the document, or have questions or comments regarding the document, please email the Director, Digital Identity Policy at
Document management
The Trust Framework Accreditation Authority (TFAA) has reviewed and endorsed this
document for release.
Change log
Version  Date      Author    Description of the changes
0.1      Aug 2019  SJP       Initial version
0.2      Oct 2019  SJP       Updated to incorporate feedback provided by stakeholders during the first round of collaboration on TDIF Release 4
0.3      Dec 2019  JS & SJP  Updated to incorporate feedback provided by stakeholders during the second round of collaboration on TDIF Release 4
Contents
1 Introduction ... 1
2 Fraud Control Requirements ... 2
2.1 Accountable Authority ... 2
2.2 Fraud risk assessments ... 2
2.3 Fraud control plans ... 3
2.4 Fraud prevention, awareness and training ... 3
2.5 Fraud detection ... 4
2.6 Fraud investigations ... 4
2.7 Fraud reporting ... 6
2.8 Support for victims of identity fraud ... 6
3 Privacy Requirements ... 7
3.1 General privacy requirements ... 7
3.2 Privacy governance ... 7
3.2.1 Privacy roles ... 7
3.2.2 Privacy Policy ... 8
3.2.3 Privacy Management Plan ... 9
3.2.4 Privacy awareness training ... 9
3.3 Privacy Impact Assessment ... 10
3.4 Data Breach Response Management ... 11
3.5 Notice of Collection ... 11
3.6 Collection and use limitation ... 12
3.7 Limitation on use of behavioural information ... 12
3.8 Collection and disclosure of biometrics ... 13
3.9 Consent ... 13
3.10 Cross border and contractor disclosure of personal information ... 14
3.11 Government Identifiers ... 15
3.12 Access, correction and individual history log ... 15
3.12.1 Access ... 15
3.12.2 Correction ... 16
3.12.3 Individual history log ... 16
3.13 Quality of personal information ... 16
3.14 Handling Privacy Complaints ... 17
3.15 Destruction and de-identification ... 17
4 Protective Security Requirements ... 18
4.1 Protective Security Policy Framework ... 19
4.1.1 Governance (GOVSEC) ... 19
4.1.2 Information security (INFOSEC) ... 19
4.1.3 Personnel security (PERSEC) ... 20
4.1.4 Physical security (PHYSEC) ... 21
4.2 Australian Government Information Security Manual ... 21
4.3 Additional security requirements ... 22
5 User Experience Requirements ... 24
5.1 Usability requirements ... 24
5.2 Requirements for the identity verification journey ... 25
5.3 Requirements for the authentication journey ... 26
5.4 Usability test plans ... 27
5.5 Conduct usability testing ... 27
5.6 Accessibility requirements ... 28
6 Functional Assessments ... 29
6.1 Applicant obligations ... 29
6.2 Assessor skills, experience and independence ... 29
6.3 Assessment process ... 29
6.4 Assessment report ... 30
Digital Transformation Agency — TDIF: 04 – Functional Requirements 1
1 Introduction
Agencies and organisations that apply to be accredited under the Trusted Digital Identity Framework (TDIF) undergo a series of rigorous evaluations across all aspects of their identity system operations. This document defines the functional requirements to be met by Applicants in order to achieve TDIF accreditation.
• Fraud control requirements are listed in Section 2.
• Privacy requirements are listed in Section 3.
• Protective security requirements are listed in Section 4.
• User Experience requirements are listed in Section 5.
• Functional assessments are listed in Section 6.
The intended audience for this document includes:
• Potential Applicants for TDIF accreditation.
• Potential Relying Parties.
• Assessors.
• Participants.
• Vendors.
2 Fraud Control Requirements
These Fraud Control Requirements are taken from the Commonwealth Fraud Control Framework (CFCF)[1]. The purpose of these requirements is to ensure that there is a minimum standard Applicants must meet for managing risk and incidents of fraud.
Applicants that undergo the TDIF Accreditation Process should note the following:
• References to ‘Agencies’, ‘Accountable Authority’, ‘Commonwealth Entities’, ‘Entities’, ‘Officials’ and ‘Australian Government’ in the CFCF are to be interpreted as being references to the Applicant.
• The scope of CFCF controls is limited to the identity service being accredited and not to the Applicant’s wider operating environment.
If there is conflict between:
• Any requirement in these Fraud Control Requirements and the current edition of the CFCF, then the CFCF takes precedence.
[1] A copy of the CFCF is available at https://www.ag.gov.au/Integrity/counter-fraud/fraud-australia/Documents/CommonwealthFraudControlFramework2017.PDF
2.1 Accountable Authority
TDIF Req: FRAUD-02-01-01; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST appoint a senior executive as the designated Accountable Authority for managing fraud risks within their organisation.
TDIF Req: FRAUD-02-01-02; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST take all reasonable measures to prevent, detect and deal with fraud relating to its identity system.
TDIF Req: FRAUD-02-01-02a; Updated: Sep-19; Applicability: A, C, I, X
The Accountable Authority MUST demonstrate how its fraud control measures are applied to its identity system.
2.2 Fraud risk assessments
TDIF Req: FRAUD-02-02-01; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST conduct fraud risk assessments at least annually and when there is a substantial change in the structure, functions or activities of the Applicant which impacts the operation of the system.
TDIF Req: FRAUD-02-02-02; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST review and refine its risk assessment strategies on an ongoing basis, considering its experience with continuing or emerging fraud vulnerabilities.
TDIF Req: FRAUD-02-02-03; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST assess the likely occurrence of fraud and its impact on its organisational objectives, core business and its identity system, and implement applicable controls.
2.3 Fraud control plans
TDIF Req: FRAUD-02-03-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST develop and implement a fraud control plan that deals with identified risks as soon as practicable after conducting a risk assessment.
TDIF Req: FRAUD-02-03-02; Updated: Sep-19; Applicability: A, C, I, X
The Fraud Control Plan MUST include:
a) A summary of fraud risks and vulnerabilities associated with the Applicant.
b) Treatment strategies and controls put in place to manage fraud risks and vulnerabilities.
c) Information about implementing fraud control arrangements within the Applicant’s operating environment.
d) Strategies to ensure the Applicant meets its training and awareness needs.
e) Mechanisms for collecting, analysing and reporting fraud incidents.
f) Protocols for handling fraud incidents.
g) An outline of key roles and responsibilities for fraud control within the Applicant’s organisation.
2.4 Fraud prevention, awareness and training
TDIF Req: FRAUD-02-04-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST ensure all personnel are made aware of what constitutes fraud in their organisation.
TDIF Req: FRAUD-02-04-02; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST demonstrate how they consider the risk of fraud when planning and conducting activities associated with the operation of its identity system.
TDIF Req: FRAUD-02-04-03; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST maintain appropriately documented instructions and procedures to assist personnel to prevent, detect, report and deal with fraud.
TDIF Req: FRAUD-02-04-04; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST ensure personnel primarily engaged in fraud control activities possess or attain relevant qualifications or training.
TDIF Req: FRAUD-02-04-05; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST conduct background checks, prior to commencement, on personnel with access to personal information to ensure that they do not have a history of misconduct and do not have ties to organised crime.
2.5 Fraud detection
TDIF Req: FRAUD-02-05-01; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST implement a mechanism for detecting incidents of fraud or suspected fraud, including a process for personnel and users to report suspected fraud confidentially.
2.6 Fraud investigations
TDIF Req: FRAUD-02-06-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST implement an appropriate mechanism for investigating or otherwise dealing with incidents of fraud or suspected fraud.
TDIF Req: FRAUD-02-06-02; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST maintain documented procedures setting out criteria for making decisions at critical stages in managing a suspected fraud incident.
TDIF Req: FRAUD-02-06-03; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST have in place investigation and referral processes and procedures that are consistent with the Australian Government Investigations Standards 2011 (AGIS).
TDIF Req: FRAUD-02-06-04; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST appropriately document decisions to use civil, administrative or disciplinary procedures, or to take no further action, in response to a suspected fraud incident.
TDIF Req: FRAUD-02-06-05; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST take responsibility for investigating instances of fraud or suspected fraud against it, including investigating disciplinary matters, unless the matter is referred to and accepted by the Australian Federal Police (AFP) or another law enforcement agency.
TDIF Req: FRAUD-02-06-06; Updated: Sep-19; Applicability: A, C, I, X
Where a law enforcement agency declines a referral, the Applicant MUST resolve the matter in accordance with relevant internal and external requirements.
TDIF Req: FRAUD-02-06-07; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST refer all instances of potential serious or complex fraud offences to the AFP in accordance with the AGIS and the AFP referral process, except in the following circumstances:
a) Where legislation sets out specific alternative arrangements.
b) Where the Applicant:
i. Has the capacity and the appropriate skills and resources needed to investigate potential criminal matters.
ii. Meets the requirements of the AGIS for gathering evidence and of the Commonwealth Director of Public Prosecutions (CDPP) for preparing briefs of evidence.
TDIF Req: FRAUD-02-06-08; Updated: Dec-19; Applicability: A, C, I, X
Fraud investigations MUST be carried out by appropriately qualified personnel as set out in the AGIS. If external investigators are engaged, they must as a minimum meet the investigations competency requirements set out in the AGIS.
TDIF Req: FRAUD-02-06-09; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST take all reasonable measures to recover financial losses caused by illegal activity through proceeds of crime and civil recovery processes or administrative remedies.
2.7 Fraud reporting
TDIF Req: FRAUD-02-07-01; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST implement a mechanism for recording and reporting incidents of fraud or suspected fraud to the Oversight Authority.
2.8 Support for victims of identity fraud
TDIF Req: FRAUD-02-08-01; Updated: Sep-19; Applicability: A, C, I
The Applicant MUST implement a process which allows users to notify them when they suspect or become aware of fraudulent use of their attributes, digital identity or authentication credential.
TDIF Req: FRAUD-02-08-02; Updated: Sep-19; Applicability: A, C, I
The Applicant MUST provide (either directly or through a third party) support services to users whose attributes, digital identity or authentication credential have been compromised.
TDIF Req: FRAUD-02-08-03; Updated: Dec-19; Applicability: A, C, I
The Applicant MUST prevent the continued fraudulent use of a user’s attributes, digital identity or authentication credential once the Applicant suspects or becomes aware of the fraudulent use.
3 Privacy Requirements
3.1 General privacy requirements
TDIF Req: PRIV-03-01-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST comply with its obligations under the Privacy Act, including the Australian Privacy Principles and the Australian Government Agencies Privacy Code or, where relevant, state or territory privacy legislation.
TDIF Req: PRIV-03-01-02; Updated: Sep-19; Applicability: A, C, I, X
If the Applicant is a small business operator as defined by the Privacy Act, and therefore exempt from the Privacy Act, it MUST opt in to coverage of the APPs as an organisation.
TDIF Req: PRIV-03-01-03; Updated: Sep-19; Applicability: A, C, I, X
Any state or territory government Applicant not covered by state privacy laws MUST comply with the APPs for the purpose of achieving and maintaining TDIF accreditation. This will be enforced by the Oversight Authority.
3.2 Privacy governance
3.2.1 Privacy roles
TDIF Req: PRIV-03-02-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST have at least one designated Privacy Officer who is the primary point of contact for advice on privacy matters.
TDIF Req: PRIV-03-02-01a; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST demonstrate how the following Privacy Officer functions are carried out:
a) Handling internal and external privacy enquiries and complaints.
b) Handling requests for access to and correction of personal information.
c) Maintaining a record of personal information holdings.
d) Assisting with the preparation of Privacy Impact Assessments (PIAs).
e) Maintaining a register of PIAs.
f) Measuring and documenting performance against the Privacy Management Plan and reviewing and, where relevant, updating the Privacy Policy at least annually, as relevant to the TDIF.
TDIF Req: PRIV-03-02-02; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST have at least one designated Privacy Champion.
TDIF Req: PRIV-03-02-02a; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST demonstrate how their Privacy Champion promotes a culture of privacy that values and protects personal information.
TDIF Req: PRIV-03-02-02b; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST demonstrate how their Privacy Champion approves their privacy management plan and reviews the Applicant’s progress against the privacy management plan.
3.2.2 Privacy Policy
TDIF Req: PRIV-03-02-03; Updated: Sep-19; Applicability: I, X
The Applicant MUST have a privacy policy that is separate from that of its other business or agency functions.
TDIF Req: PRIV-03-02-04; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST publish a clearly expressed and up to date Privacy Policy about the management of personal information by the entity.
TDIF Req: PRIV-03-02-05; Updated: Sep-19; Applicability: A, C, I, X
The Applicant’s Privacy Policy MUST include information on:
a) The kinds of personal information that the entity collects and holds.
b) How the entity collects and holds personal information.
c) The purposes for which the Applicant collects, holds, uses and discloses personal information.
d) How an individual can access personal information about themselves that is held by the Applicant and how to seek the correction of such information.
e) How an individual can complain about a breach of the APPs (or a particular jurisdiction Privacy Principle) and how the Applicant will deal with such a complaint.
f) Whether the Applicant is likely to disclose personal information to overseas recipients and, if so, the countries in which such recipients are likely to be located (if it is practicable to do so).
TDIF Req: PRIV-03-02-06; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST review their Privacy Policy at least annually and update as necessary.
3.2.3 Privacy Management Plan
TDIF Req: PRIV-03-02-07; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST develop and maintain a Privacy Management Plan that identifies measurable privacy goals and targets for its identity system and the practices, procedures and systems that will be implemented to achieve these targets and goals.
TDIF Req: PRIV-03-02-08; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST review and update their performance against their Privacy Management Plan at least annually.
3.2.4 Privacy awareness training
TDIF Req: PRIV-03-02-09; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST, on an annual basis, provide privacy awareness training which incorporates these privacy requirements to all personnel that access the Applicant’s identity system.
TDIF Req: PRIV-03-02-10; Updated: Sep-19; Applicability: A, C, I, X
The privacy awareness training provided by the Applicant MUST cover the Applicant’s Privacy Policy and Privacy Management Plan and include the key privacy requirements in the TDIF.
ATO comment: It should also cover the core privacy requirements of the TDIF.
3.3 Privacy Impact Assessment
TDIF Req: PRIV-03-03-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST commission an Assessor to conduct a Privacy Impact Assessment[2] on their identity system.
[2] See the Office of the Australian Information Commissioner website for further information and guidance on undertaking PIAs.
TDIF Req: PRIV-03-03-02; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST conduct a Privacy Impact Assessment on all high-risk projects related to their identity system.
TDIF Req: PRIV-03-03-03; Updated: Sep-19; Applicability: A, C, I, X
The Privacy Impact Assessment conducted MUST:
a) Be undertaken early enough to influence the design of the identity system.
b) Reflect consultation with relevant stakeholders.
c) Include a description of the proposed identity system.
d) Map the identity system’s personal information flows.
e) Include an analysis of risks of non-compliance with relevant privacy laws and these TDIF Privacy Requirements.
f) Include an analysis of the impact of the project on the privacy of individuals.
g) Include an analysis of whether privacy impacts are necessary or avoidable.
h) Include an analysis of possible mitigations to privacy risks.
i) Include recommendations.
TDIF Req: PRIV-03-03-04; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST respond in writing, at a senior management level, to the recommendations outlined in the PIA, including whether the recommendations are accepted, the reasons for any non-acceptance and the timeframe for implementation of the recommendations.
TDIF Req: PRIV-03-03-05; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST maintain a register of the PIAs it conducts.
TDIF Req: PRIV-03-03-05a; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST publish the register, or a version of the register, on its website.
TDIF Req: PRIV-03-03-06; Updated: Sep-19; Applicability: A, C, I, X
The Applicant’s TDIF accredited system MUST undergo a Privacy Assessment (which is separate to and follows on from the PIA).
3.4 Data Breach Response Management
TDIF Req: PRIV-03-04-01; Updated: Sep-19; Applicability: A, C, I, X
An Applicant, whether or not covered by the Privacy Act 1988, MUST report eligible data breaches to affected individuals and the Information Commissioner as required under the Privacy Act 1988[3], and also report the eligible data breach to the Oversight Authority.
TDIF Req: PRIV-03-04-02; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST develop and maintain a Data Breach Response Plan that includes a description of the actions to be taken if a breach is suspected, discovered, or reported by a staff member or external party, including a clear communication plan and information about when it is to be escalated to the data breach response team (response team) or a third party.
TDIF Req: PRIV-03-04-03; Updated: Sep-19; Applicability: A, C, I, X
The Data Breach Response Plan MUST:
a) List the roles or members of the response team.
b) List the actions the response team is expected to take.
c) Describe how the actions and roles in the plan align to the Applicant’s Incident Response Plan[4].
[3] See Part IIIC of https://www.legislation.gov.au/Details/C2019C00025 for the definition of an eligible data breach, including exceptions to reporting.
[4] See Part D - Protective Security for further information on the Incident Response Plan.
3.5 Notice of Collection
TDIF Req: PRIV-03-05-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST publish a Notice of Collection that is fully compliant with APP 5.
3.6 Collection and use limitation
TDIF Req: PRIV-03-06-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST only collect personal information that it is permitted to collect under law and that is reasonably necessary for one or more of its functions or activities directly relating to identity verification.
TDIF Req: PRIV-03-06-02; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST only collect personal information by lawful and fair means.
TDIF Req: PRIV-03-06-03; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST only collect personal information from the individual or their representative, unless it is unreasonable or impractical to do so.
TDIF Req: PRIV-03-06-04; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST only collect sensitive information where it is required or authorised by or under an Australian law or court order, or is otherwise authorised under APP 3.4.
TDIF Req: PRIV-03-06-05; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST NOT use personal information for direct marketing purposes.
TDIF Req: PRIV-03-06-06; Updated: Sep-19; Applicability: X
The Applicant MUST publish, in an open and accessible manner, an annual ‘Transparency Report’ that discloses the scale, scope and reasons for access to personal information (including metadata) by an enforcement body, as defined in the Privacy Act 1988.
TDIF Req: PRIV-03-06-07; Updated: Sep-19; Applicability: X
The Applicant MUST NOT retain users’ attributes once they are passed from an Identity Service Provider to a Relying Party.
3.7 Limitation on use of behavioural information
TDIF Req: PRIV-03-07-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST only collect, use and disclose information about an individual’s behaviour on the identity federation to:
a) Verify the identity of an individual and assist them to get a service.
b) Support identity fraud management functions.
c) Improve the performance or usability of the Applicant’s product.
d) To de-identify the data to create aggregate data 317
3.8 Collection and disclosure of biometrics
TDIF Req: PRIV-03-08-01; Updated: Sep-19; Applicability: I
The Applicant MUST only collect sensitive information[5] (including biometric information) as outlined in APP 3.3 and 3.4.
TDIF Req: PRIV-03-08-02; Updated: Sep-19; Applicability: I
A biometric collected to prove an individual’s identity MUST be destroyed once the biometric has been used to prove identity (for example, it has been matched against a source photograph), unless the biometric is a photograph and:
• The individual chooses to retain the biometric to affix to a digital identity document or wallet (such as a digital driver licence or an attribute wallet stored on the individual’s device and controlled by the individual), or
• The biometric is collected or was collected to create a government identity document (for example, where a road authority is a driver licence issuer and an Identity Service Provider).
TDIF Req: PRIV-03-08-03; Updated: Sep-19; Applicability: I
A biometric collected to prove an individual’s identity MUST NOT be used and disclosed for purposes other than those listed in TDIF Req: PRIV-03-11-02.
3.9 Consent
TDIF Req: PRIV-03-09-01; Updated: Sep-19; Applicability: I[6], X
The Applicant MUST obtain express consent from an individual prior to disclosing attributes to a Relying Party or any third party.
TDIF Req: PRIV-03-09-01a; Updated: Sep-19; Applicability: X
The Applicant MUST only disclose the minimum identity attributes required for the Relying Party’s transaction.
[5] As defined by the Privacy Act 1988.
[6] If the Identity Service Provider connects directly with a Relying Party, it is required to obtain express consent prior to the disclosure. If the connection to the Relying Party is brokered by an Identity Exchange, express consent may be obtained by the Identity Exchange on behalf of the Identity Service Provider.
TDIF Req: PRIV-03-09-02; Updated: Sep-19; Applicability: I
The Applicant MUST allow an individual to withdraw their consent to further use of the system.
TDIF Req: PRIV-03-09-02a; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST demonstrate how this consent withdrawal process is straightforward and easy to use.
TDIF Req: PRIV-03-09-03; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST maintain auditable logs that demonstrate that consent was obtained and is current.
TDIF Req: PRIV-03-09-03a; Updated: Sep-19; Applicability: A, C, I, X
The auditable logs MUST NOT contain biometric information.
TDIF Req: PRIV-03-09-04; Updated: Sep-19; Applicability: I
The Applicant MUST inform individuals of other channels available to verify identity and make clear to the user what the consequences are of declining to provide consent or the required information.
TDIF Req: PRIV-03-09-05; Updated: Sep-19; Applicability: I
The Applicant MUST obtain consent to verify identity attributes against an Authoritative Source (for example, through services such as the Document Verification Service or Facial Verification Service).
3.10 Cross border and contractor disclosure of personal information
TDIF Req: PRIV-03-10-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST demonstrate how it complies with APP 8 - cross border disclosure of personal information[7].
[7] See Australian Privacy Principle 8 at www.legislation.gov.au/Details/C2017C00283
TDIF Req: PRIV-03-10-02; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST take reasonable steps to ensure an overseas recipient of personal information used to run the service only uses the personal information for purposes directly related to identity verification.
TDIF Req: PRIV-03-10-02a; Updated: Sep-19; Applicability: A, C, I, X
If it discloses personal information to an overseas recipient, the Applicant MUST demonstrate it has appropriate contractual and practical measures to ensure the overseas recipient complies with these TDIF Privacy Requirements.
3.11 Government Identifiers
TDIF Req: PRIV-03-11-01; Updated: Sep-19; Applicability: X
The Applicant MUST NOT create a new government identifier that is used across the identity federation (i.e. an identifier that is sent to more than one Relying Party or Identity Service Provider).
3.12 Access, correction and individual history log
3.12.1 Access
TDIF Req: PRIV-03-12-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST, on request by an individual, give that individual access to the personal information it holds about the individual, unless an exception is available under APP 12 (APP 12.2 for Commonwealth agencies and APP 12.3 for other Applicants).
TDIF Req: PRIV-03-12-02; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST respond to a request for access to personal information within 30 days after the request is received.
TDIF Req: PRIV-03-12-03; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST give access to the personal information in the manner requested by the individual, if it is reasonable, secure and practicable to do so.
TDIF Req: PRIV-03-12-04; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST provide access at no cost to the individual.
TDIF Req: PRIV-03-12-05; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST, where access is refused, take steps to meet the needs of the individual and provide a written notice as set out in APP 12.
3.12.2 Correction
TDIF Req: PRIV-03-12-06; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST allow individuals to correct their personal information as set out in APP 13.
TDIF Req: PRIV-03-15-07; Updated: Sep-19; Applicability: A, C, I
The Applicant MUST provide individuals with a simple means to review and update their personal information on an ongoing basis.
3.12.3 Individual history log
TDIF Req: PRIV-03-12-08; Updated: Sep-19; Applicability: X
The Applicant MUST provide individuals with a centralised view of the metadata of services the individual accessed, the time of access and the attributes passed to the service, unless already destroyed by the Applicant.
3.13 Quality of personal information
TDIF Req: PRIV-03-13-01; Updated: Sep-19; Applicability: A, C, I
An Applicant MUST take reasonable steps to ensure the quality of personal information as outlined in APP 10.
TDIF Req: PRIV-03-13-02; Updated: Sep-19; Applicability: I
The Applicant MUST implement internal practices, procedures and systems (including training staff in these practices, procedures and systems) to audit, monitor, identify and correct poor-quality personal information.
TDIF Req: PRIV-03-13-03; Updated: Sep-19; Applicability: I
The Applicant MUST ensure updated or new personal information is promptly added to relevant existing records.
3.14 Handling Privacy Complaints
TDIF Req: PRIV-03-14-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST provide a complaints service which:
a) Is readily accessible, including prominent contact information about the service.
b) Is fair, including a process that is impartial, confidential and transparent.
c) Has a process that is timely, clear and can provide a remedy where applicable.
d) Has skilled and professional people who have knowledge of privacy laws, these TDIF Privacy Requirements and the complaint service process.
e) Is integrated with other complaint handling bodies (e.g. other Participants of the identity federation) as required, so it can assist the user and refer complaints.
TDIF Req: PRIV-03-14-02; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST provide a complaints service which publishes de-identified information and analysis about complaints.
3.15 Destruction and de-identification
TDIF Req: PRIV-03-15-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST demonstrate it takes reasonable steps to destroy or de-identify[8] personal information in line with APP 11.2.
[8] De-identification is defined at section 6 of the Privacy Act and destruction is explained in the OAIC’s Australian Privacy Principle Guidelines under the heading
4 Protective Security Requirements
These Protective Security Requirements do not replace, remove or diminish existing government agency or organisation obligations for cyber security. Rather, they supplement existing obligations and apply specifically to identity services that undergo the TDIF Accreditation Process.
Several requirements listed in this section align with cyber security advice, guidance, policies and publications developed by the Australian Government. This includes the Australian Government Protective Security Policy Framework (PSPF)[9] developed by the Commonwealth Attorney General’s Department, and the Information Security Manual (ISM)[10] developed by the Australian Cyber Security Centre (ACSC).
Applicants that undergo the TDIF Accreditation Process should note the following:
• References to ‘Entities’, ‘Agencies’, ‘Accountable Authority’ and ‘Australian Government’ in the PSPF or ISM are to be interpreted as references to the Applicant.
• References to PSPF or ISM controls that are applicable to an agency are to be interpreted as being applicable to the Applicant.
• The scope of PSPF or ISM controls is limited to the identity service being accredited and not to the Applicant’s wider operating environment.
• At a minimum the Applicant must handle all information as ‘sensitive information’ (OFFICIAL: Sensitive) unless the Applicant has determined a higher security classification is required. See PSPF INFOSEC-08 for further information on the sensitive and security classification of information.
If there is conflict between:
• Any requirement in these Protective Security Requirements and the current edition of the PSPF, then the PSPF takes precedence.
• Any requirement listed in these Protective Security Requirements and the current edition of the ISM, then the ISM takes precedence.
[9] A copy of the PSPF is available at https://www.protectivesecurity.gov.au/
[10] A copy of the ISM is available at https://www.cyber.gov.au/ism
4.1 Protective Security Policy Framework
4.1.1 Governance (GOVSEC)
TDIF Req: PROT-04-01-01; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST meet the following PSPF requirements listed in GOVSEC-02 Management structures and responsibilities.
a) Core requirement – B.1.
b) Security advisors – B.2 (requirement 1).
c) Security procedures – B.2 (requirement 2).
d) Reporting security incidents – B.2 (requirement 3).
e) Security training – B.2 (requirement 4).
f) Specific training – B.2 (requirement 5).
g) General email – B.2 (requirement 6).
TDIF Req: PROT-04-01-02; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST meet the following PSPF requirements listed in GOVSEC-03 Security Planning and Risk Management.
a) Core requirement – B.1.
b) Security plan review – B.2 (requirement 1).
c) Critical assets – B.2 (requirement 2).
d) Risk steward – B.2 (requirement 3).
e) Impact of risks – B.2 (requirement 4).
f) Alternative mitigations – B.2 (requirement 6).
TDIF Req: PROT-04-01-03; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST meet the following PSPF requirements listed in GOVSEC-04 Security maturity monitoring.
a) Core requirement – B.1.
b) Security maturity records – B.2 (requirement 1).
4.1.2 Information security (INFOSEC)
TDIF Req: PROT-04-01-04; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST meet the following PSPF requirements listed in INFOSEC-08 Sensitive and classified information.
a) Core requirement – B.1.
b) Identifying information holdings – B.2 (requirement 1).
c) Assessing sensitive and security classified information – B.2 (requirement 2).
d) Storage – B.2 (requirement 7).
e) Transfer – B.2 (requirement 8).
f) Disposal – B.2 (requirement 9).
TDIF Req: PROT-04-01-05; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST meet the following PSPF requirements listed in INFOSEC-09 Access to information.
a) Core requirement – B.1.
b) Limiting access to sensitive and security classified information and resources – B.2 (requirement 2).
c) Managing access to information systems – B.2 (requirement 5).
TDIF Req: PROT-04-01-06; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST meet the following PSPF requirements listed in INFOSEC-10 Safeguarding information from cyber threats.
a) Core requirement – B.1.
b) Transacting online with the public – B.2 (requirement 1).
TDIF Req: PROT-04-01-07; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST meet the following PSPF requirements listed in INFOSEC-11 Robust ICT systems.
a) Core requirement – B.1.
b) ICT systems – B.2 (requirement 1).
c) Certification and accreditation – B.2 (requirement 2).
d) System monitoring – B.2 (requirement 3).
4.1.3 Personnel security (PERSEC)
TDIF Req: PROT-04-01-08; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST meet the following PSPF requirements listed in PERSEC-12 Eligibility and suitability of personnel.
a) Pre-employment screening – B.2 (requirement 1).
TDIF Req: PROT-04-01-09; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST meet the following PSPF requirements listed in PERSEC-13 Ongoing assessment of personnel.
a) Core requirement – B.1.
TDIF Req: PROT-04-01-10; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST meet the following PSPF requirements listed in PERSEC-14 Separating personnel.
a) Withdrawal of access – B.2 (requirement 2).
b) Risk assessment – B.2 (requirement 3).
4.1.4 Physical security (PHYSEC)
TDIF Req: PROT-04-01-11; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST meet the following PSPF requirements listed in PHYSEC-15 Physical security for entity resources.
a) Core requirement – B.1.
b) Physical security measures – B.2 (requirement 1).
c) Security containers, cabinets and rooms – B.2 (requirement 2).
d) Disposal – B.2 (requirement 3).
TDIF Req: PROT-04-01-12; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST meet the following PSPF requirements listed in PHYSEC-16 Entity facilities.
a) Core requirement – B.1.
4.2 Australian Government Information Security Manual
As per ACCRED-04-01-03 in the TDIF: 03 – Accreditation Process, the Applicant must establish a Statement of Applicability (SoA) for its identity system, which includes a list of controls from the Australian Government Information Security Manual (ISM) it will implement. At a minimum, the SoA must include:
• All ISM controls listed in the PSPF (as per Section 4.1 above).
• The Essential Eight.
• All other requirements listed in Section 4.3 below.
The SoA will form the basis of the Applicant’s Information Security Registered Assessor Program (IRAP) Assessment (as per PROT-04-03-02).
4.3 Additional security requirements
TDIF Req: PROT-04-03-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST implement the Australian Cyber Security Centre’s Essential Eight.
TDIF Req: PROT-04-03-02; Updated: Sep-19; Applicability: A, C, I, X
The Applicant’s identity system MUST undergo an independent IRAP assessment by an approved IRAP Assessor.
TDIF Req: PROT-04-03-03; Updated: Sep-19; Applicability: A, C, I, X
The Applicant’s identity system MUST undergo a penetration test as part of each major production release.
TDIF Req: PROT-04-03-04; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST maintain a disaster recovery and business continuity plan for their identity system that covers:
a) Business continuity governance.
b) Training requirements for recovery team members.
c) Recovery objectives and priorities.
d) Continuity strategies.
e) Testing requirements and restoration procedures.
TDIF Req: PROT-04-03-05; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST maintain a cryptographic key management plan for their identity system which covers:
a) Cryptographic key lifecycle management over the lifecycle of the key (generation, delivery, renewal, revocation, etc.).
b) How records will be maintained and audited.
c) The conditions under which compromised keys will be declared.
d) Maintenance of cryptographic components.
e) Evidence of cryptographic evaluations undertaken.
5 User Experience Requirements
5.1 Usability requirements
TDIF Req: UX-05-01-01; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST demonstrate how users of their identity system can also use other available channels if needed, without repetition or confusion.
TDIF Req: UX-05-01-02; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST demonstrate how users of their identity system with low digital skills can have readily available access to assisted digital support.
TDIF Req: UX-05-01-03; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST demonstrate how their identity system is built with responsive design methods to support common devices and browsers, including desktop and mobile devices.
TDIF Req: UX-05-01-04; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST allow individuals to provide feedback, seek assistance or otherwise resolve disputes or complaints.
TDIF Req: UX-05-01-05; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST create and maintain an individual end-to-end journey map[11] for their service.
[11] An individual journey map is a visualisation or diagram (or several diagrams) that depicts the stages, and interfaces, that a person goes through when interacting with the identity system in order to accomplish their goal.
TDIF Req: UX-05-01-05a; Updated: Sep-19; Applicability: I
Where the Applicant cannot support an individual’s technology preference, the individual journey map MUST indicate how an individual will use an alternative channel to complete a specific activity.
TDIF Req: UX-05-01-06; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST ensure information it provides to individuals is available in multiple accessible formats, including accessible online formats (such as HTML), large print format, Easy English, and braille (on request).
TDIF Req: UX-05-01-07; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST provide individuals with uncomplicated ways to learn about its identity system on digital channels.
5.2 Requirements for the identity verification journey
TDIF Req: UX-05-02-01; Updated: Sep-19; Applicability: I
The Applicant MUST provide individuals with information about the entire identity management process, including what to expect in each step of the individual journey and what they will need to do in order to complete each step.
TDIF Req: UX-05-02-02; Updated: Sep-19; Applicability: I
The Applicant MUST provide individuals with information on technical requirements (for example, requirements for internet access, or access to a mobile phone or webcam).
TDIF Req: UX-05-02-03; Updated: Sep-19; Applicability: I
The Applicant MUST provide individuals with information on the required identity documents, whether each piece is mandatory, and the consequences for not providing the complete set of required documents. Individuals need to know the specific combinations of identity documents.
TDIF Req: UX-05-02-04; Updated: Sep-19; Applicability: I
If a code or number is issued as part of the identity verification process, the Applicant MUST notify individuals in advance that they will receive a digital code or number and what to do with it.
TDIF Req: UX-05-02-05; Updated: Sep-19; Applicability: I
The Applicant MUST advise individuals whether the identity verification process has been successfully completed.
TDIF Req: UX-05-02-05a; Updated: Sep-19; Applicability: I
If verification is successful, the Applicant MUST send individuals confirmation regarding the successful verification and information on next steps.
TDIF Req: UX-05-02-05b; Updated: Sep-19; Applicability: I
If verification is partially complete[12], the Applicant MUST communicate to individuals what information will be discarded.
[12] A partially complete identity verification may occur due to individuals not having the complete set of identity evidence, individuals choosing to stop the process, or session timeouts.
TDIF Req: UX-05-02-05c; Updated: Sep-19; Applicability: I
If verification is unsuccessful, the Applicant MUST provide individuals with information on alternative options, for example, offering an over-the-counter identity verification process if they were unable to complete the digital identity verification process.
TDIF Req: UX-05-02-06; Updated: Sep-19; Applicability: I
The Applicant MUST provide online help options for individuals who need assistance during the identity verification process.
TDIF Req: UX-05-02-07; Updated: Sep-19; Applicability: I
The Applicant MUST provide support to individuals who do not have the technology or capacity to create a digital identity (for example, by providing support via a shop front or call centre).
TDIF Req: UX-05-02-08; Updated: Sep-19; Applicability: I
The Applicant MUST provide clear instructions on how an individual can update their personal details collected as part of the identity verification process.
5.3 Requirements for the authentication journey
TDIF Req: UX-05-03-01; Updated: Sep-19; Applicability: C
The Applicant MUST provide individuals with relevant information for the use and maintenance of the authentication credential. For example, this may include instructions for use, information on credential expiry, and what to do if the credential is forgotten or stolen.
TDIF Req: UX-05-03-02; Updated: Sep-19; Applicability: C
The Applicant MUST enable individuals to recover authentication credentials if they’ve been lost or forgotten. Additionally, the recovery mechanism must be as strong as the initial credential provisioning process.
5.4 Usability test plans
TDIF Req: UX-05-04-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST document, by way of a test plan, how they will conduct usability testing.
TDIF Req: UX-05-04-01a; Updated: Dec-19; Applicability: A, C, I, X
The Applicant’s usability test plan MUST:
a) Describe the test objectives, usability goals, and usability metrics that will be captured.
b) Describe the number of test participants, how they will be recruited and the cohort to which they belong.
c) Document the approach and the methodology used to conduct the tests. This is required to indicate what is working, pain points and where improvements are needed.
d) Document representative scenarios for testing, on both desktop and mobile devices.
e) Identify a range of representative individuals of the identity system.
TDIF Req: UX-05-04-01b; Updated: Sep-19; Applicability: A, C, I, X
This representative range MUST include:
a) Individuals with disability.
b) Older individuals.
c) Individuals who use assistive technologies.
d) Individuals with low literacy.
e) Individuals from culturally and linguistically diverse backgrounds.
f) Individuals who are Aboriginal or Torres Strait Islander.
g) Individuals from regional and remote areas.
h) Older technology and low bandwidth connections.
TDIF Req: UX-05-04-01c; Updated: Sep-19; Applicability: A, C, I, X
This representative range MUST be gender neutral.
5.5 Conduct usability testing
TDIF Req: UX-05-05-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST use experienced researchers to test its service. (An experienced individual researcher is highly skilled in identifying individual needs, conducting usability tests, and feeding insights back to the product team.)
TDIF Req: UX-05-05-02; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST continually test as the identity system is developed or refined.
TDIF Req: UX-05-05-03; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST test the identity system from end to end, in an environment that replicates the live environment, and include both desktop and mobile devices with a range of representative individuals.
TDIF Req: UX-05-05-04; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST document the outcomes of its testing, including test methodology(s), test results, findings and recommendations.
5.6 Accessibility requirements
TDIF Req: UX-05-06-01; Updated: Dec-19; Applicability: A, C, I, X
The Applicant’s TDIF accredited system MUST, at a minimum, meet the international accessibility standard Web Content Accessibility Guidelines (WCAG), version 2.0 to the AA standard.
TDIF Req: UX-05-06-02; Updated: Sep-19; Applicability: A, C, I, X
The Applicant’s TDIF accredited system MUST be presented in a clear and concise manner, using plain language that is easy to understand and accessible across all devices.
6 Functional Assessments
The Applicant is required to undergo a series of functional assessments by suitably skilled and experienced assessors. These functional assessments include:
• A Privacy Assessment.
• An IRAP Assessment.
• An assessment against the WCAG, version 2.0 to the AA standard.
6.1 Applicant obligations
TDIF Req: ASSESS-06-01-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST demonstrate they’ve met each functional assessment.
TDIF Req: ASSESS-06-01-02; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST define the scope[13], objectives and criteria for each functional assessment and provide this to the TFAA as part of their Accreditation Plan.
[13] In the context of the IRAP Assessment this refers to the ‘Statement of Applicability’.
6.2 Assessor skills, experience and independence
TDIF Req: ASSESS-06-02-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST demonstrate how the assessor has relevant, reasonable and adequate experience, training and qualifications to conduct the Assessment.
TDIF Req: ASSESS-06-02-02; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST demonstrate how the assessor is independent from the development and operational teams of the Applicant’s TDIF accredited system.
6.3 Assessment process
TDIF Req: ASSESS-06-03-01; Updated: Dec-19; Applicability: A, C, I, X
The Applicant MUST ensure the assessor has access to and considers all relevant evidence provided by the Applicant to the TFAA. This includes any responses to questions which may have been asked.
TDIF Req: ASSESS-06-03-02; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST ensure the assessor conducts the functional assessment.
TDIF Req: ASSESS-06-03-02a; Updated: Sep-19; Applicability: A, C, I, X
The functional assessment MUST include:
a) Documentation reviews.
b) Interviews with key personnel.
c) A run through of the Applicant’s identity system.
TDIF Req: ASSESS-06-03-02b; Updated: Sep-19; Applicability: A, C, I, X
The functional assessment MAY include a site visit.
TDIF Req: ASSESS-06-03-03; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST ensure the assessor provides them with a reasonable opportunity to respond to the assessment findings, including the actions and timeframes in which remediation actions will occur. This is required if non-compliance issues are identified.
6.4 Assessment report
TDIF Req: ASSESS-06-04-01; Updated: Sep-19; Applicability: A, C, I, X
The Applicant MUST ensure the assessor documents the outcomes of the assessment in an Assessment Report.
TDIF Req: ASSESS-06-04-01a; Updated: Dec-19; Applicability: A, C, I, X
The Applicant’s Assessment Report MUST include:
A summary of the activities performed during the assessment.
a) The test or evaluation methodology(s) used.
b) The test or evaluation results.
c) Findings[14].
d) Remediation actions or recommendations to address any areas of non-compliance.
e) Advice on whether the Applicant’s TDIF accredited system complies with the assessment criteria, including any requirements that could not be adequately assessed due to access or timing issues.
f) The Applicant’s response to the assessment findings, including what actions they’ll take to remediate adverse findings and the dates by when these actions will be implemented.
[14] The Applicant MUST provide a copy of the full findings report [not an executive summary or redacted version of the report] to the TFAA.