Express consent [draft]

This section provides guidance for how to implement express consent for the Australian Government Digital ID System (AGDIS).

⚠️

Disclaimer: This page contains draft content intended for internal agency use. It is not intended for public distribution or reference. The information may be incomplete, subject to change, and should not be considered final or formally endorsed.

‣

On this page

Overview

In accordance with Rule 4.40 of the Digital ID Accreditation Rules, an accredited entity that provides public-facing accredited services and is required to obtain the express consent of an individual must ensure that the process for an individual to provide express consent, or to withdraw or vary that consent, is described in clear, simple and accessible terms.

The Digital ID (AGDIS) Data Standards require the following from accredited entities in relation to obtaining express consent:

Identity Exchange Providers (IXPs) are required to obtain consent from individuals before redirecting them to the client that initiated the authentication request.
Identity Service Providers (ISPs) may choose to obtain consent from individuals to share attributes.
When acting in its capacity as an Attribute Service Provider (ASP), the Relationship Authorisation Manager (RAM) must request express consent from the individual when they accept a Business Authorisation.

For additional explanation on consent related obligations, please refer to OAIC’s guidance on Express consent in Australia’s Digital ID System.

This diagram illustrates where consent fits within the end-to-end AGDIS digital ID experience. An individual may not always need to provide consent to an ISP or ASP—obtaining consent is optional for ISPs, while ASPs only require express consent for business attribute requests.

UX guidance for express consent

The below UX guidance cover consent and related variations.

This guidance provides examples for how to implement express consent for Identity Exchange Providers (IXPs) in the Australian Government Digital ID System (AGDIS). Read more about Identity Exchange Provider (IXP) consent

This guidance provides examples for how to implement express consent for Identity Service Providers (ISPs) in the Australian Government Digital ID System (AGDIS). Read more about Identity Service Provider (ISP) consent

This guidance provides examples for how to implement express consent for Attribute Service Providers (ASPs) in the Australian Government Digital ID System (AGDIS). Read more about Attribute Service Providers (ASPs)

Last updated

This page was updated @March 26, 2025

Note: This document provides general guidance only. It does not constitute legal or other professional advice and should not be relied on as a statement of the law. As this is only a guide, it may contain generalisations. We encourage participants to obtain their own professional advice to ensure they understand their obligations under the Digital ID framework.

Have your say

Community consultations and maintenance are part of our ongoing process. Here’s how you can get involved:

Request new guidance or changes to existing guidance through the UX guidance Consultation process
Request new Standards or changes to existing Standards through the Standards Maintenance process
Log a ticket for any questions about the rules, standards, or guidelines through the Digital ID Support Portal
Email your feedback to cx@dsb.gov.au