Data Standards Body | CX Guidelines


Identity Exchange Provider (IXP) consent [draft]

Disclaimer: This page contains draft content intended for internal agency use. It is not intended for public distribution or reference. The information may be incomplete, subject to change, and should not be considered final or formally endorsed.

This guidance provides examples of how Identity Exchange Providers (IXPs) can implement express consent in the Australian Government Digital ID System (AGDIS).

Overview

Identity Exchange Providers (IXPs) are required to obtain consent from individuals before redirecting them to the client that initiated the authentication request. This guidance is intended for accredited IXPs participating in the AGDIS.

When asking an individual to give consent, an IXP must:

  • ensure that the process for an individual to provide express consent, or to withdraw or vary that consent, is described in clear, simple and accessible terms; and
  • meet the other requirements within the Digital ID rules and standards.

This section provides examples illustrating how the IXP express consent requirements may be implemented. It also includes design patterns based on best practices and user research; these patterns are not mandatory requirements.

For additional information on consent related obligations, please refer to Digital ID Rules 2024, Digital ID (Accreditation) Rules 2024, Digital ID (AGDIS) Data Standards 2024, Digital ID (Accreditation) Data Standards 2024 and OAIC’s guidance on Express consent in Australia’s Digital ID System.

This diagram illustrates where IXP consent fits within the end-to-end AGDIS digital ID experience. For simplicity, ISP and ASP consents are omitted from the diagram as they may not always be required.

Wireframes and guidance

Note: The wireframes shown are examples of how to implement key rules, standards, and guidance.

Default example

The following wireframes show a basic example of IXP express consent.

See key requirements and guidance

Note: Accredited entities must comply with all applicable legislative instruments, including the Digital ID Rules 2024, Digital ID (Accreditation) Rules 2024, Digital ID (AGDIS) Data Standards 2024 and Digital ID (Accreditation) Data Standards 2024. The UX guidance listed in this table is not a legal requirement.

Columns, in order: Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area. Each row below lists its non-empty cells in that order.

01

Digital ID (Accreditation) Rules
MUST

An accredited entity that provides public-facing accredited services and is required to obtain the express consent of an individual must ensure that the process for an individual to provide express consent, or to withdraw or vary that consent, is described in clear, simple and accessible terms.

4.40 Providing information about express consent

01. Consent - IXP

02

Digital ID (Accreditation) Rules
MUST

(1) This rule applies if an individual gives an accredited entity express consent for the future collection, use or disclosure of the individual’s personal information. (2) An accredited entity providing public-facing accredited services must provide the individual with a clear and simple process to vary or withdraw any consent given in accordance with subrule (1). (3) Consent given in accordance with subrule (1) expires at the earliest of the following: (a) the end of the period of consent specified by the individual (if any) when the individual gave their consent or at any time afterwards; (b) if the individual has varied their consent—the end of the period of consent specified by the individual (if any) when the individual varied their consent; (c) the end of the period of consent specified by the accredited entity when the entity collected the individual’s consent; (d) 12 months after the consent was initially given. (4) An accredited entity must not rely on consent given in accordance with subrule (1) if that consent has been withdrawn or has expired.

4.41 Duration of express consent

01. Consent - IXP

03

Digital ID (Accreditation) Rules
MUST

(1) An accredited entity must only collect personal information that is reasonably necessary for the entity to provide its accredited services. (2) If an accredited entity discloses personal information to a relying party for the purposes of the relying party providing a service to an individual, or enabling the individual to access a service, the accredited entity must ensure that the personal information disclosed is limited to the information that is necessary by: (a) ensuring that the accredited entity’s information technology system allows the relying party to only select the attributes of the individual that the relying party requires to provide the service, or access to the service, to that individual; and (b) ensuring that the accredited entity provides only the selected attributes to the relying party.

4.42 Data minimisation principle

01. Consent - IXP

04

Digital ID (Accreditation) Rules
MUST

An accredited entity must notify individuals that the entity may use and disclose the individual’s personal information to prevent, detect, manage and investigate digital ID fraud incidents.

4.43 Disclosure of personal information for fraud activities

01. Consent - IXP

05

Digital ID (Accreditation) Rules
MUST

For the purposes of paragraph 45(f) of the Act, the following kinds of attributes are prescribed: (a) to the extent not covered by section 45 of the Act, attributes of an individual that are on a document or other credential listed in Schedules 1 to 4; (b) attributes that are derived from an attribute listed in paragraphs 45(a) to (e) of the Act or paragraph (a); (c) a special attribute of an individual; (d) an attribute that is self-asserted by the individual and not verified. Example: For paragraph (b), information as to whether an individual is aged 18 or above is an attribute derived from the individual’s date of birth.

7.1 Individuals must expressly consent to disclosure of certain attributes of individuals to relying parties

01. Consent - IXP

06

Digital ID (AGDIS) Data Standards
MUST

An IXP MUST provide a mechanism for the individual to choose an ISP.

AGDIS Onboarding Specifications: 2.2 Identity provider selection

01. Consent - IXP

07

Digital ID (AGDIS) Data Standards
MUST

The list of ISPs presented by an IXP MUST only display ISPs that satisfy the IP level and AL requested in the PRP’s authentication request.

AGDIS Onboarding Specifications: 2.2 Identity provider selection

01. Consent - IXP

08

Digital ID (AGDIS) Data Standards
MAY

An IXP MAY provide a mechanism for the individual to remember their choice of ISP for a given PRP. If an individual has remembered their ISP choice for a given PRP, an IXP MAY redirect them to the remembered ISP. If an IXP provides a mechanism to remember ISP selection, the IXP MUST provide:
  • (a) a notice to ensure the individual understands the nature of the express consent they are providing;
  • (b) a notice outlining the duration of the remembered ISP selection and the limitations on how it is remembered (for example, if it is limited to the device or web browser from which the express consent is given); and
  • (c) a mechanism to revoke the remembered choice.

AGDIS Onboarding Specifications: 2.2 Identity provider selection

01. Consent - IXP

09

Digital ID (AGDIS) Data Standards
MUST

Given IXPs operate as central trusted entity in the AGDIS, IXPs MUST collect consent of the individual to whom the digital ID relates before redirecting the individual to the client that originated the authentication request.

AGDIS Open ID Connect Profile: 1.10 User consent

01. Consent - IXP

10

Digital ID (AGDIS) Data Standards
MUST

An IXP MUST adhere to all the attribute sharing policies set out in Chapter 2 and Chapter 3 of Schedule 3 (AGDIS Attribute Profile).

AGDIS Open ID Connect Profile: 1.11 Privacy considerations

01. Consent - IXP

11

Digital ID (AGDIS) Data Standards
MUST

As a central and trusted participant of the AGDIS all IXPs are responsible for collecting express consent from the individual in accordance with the attribute sharing policies outlined in Chapter 2 and Chapter 3 of Schedule 3 (AGDIS Attribute Profile).

AGDIS Open ID Connect Profile: 2.7.4 User consent

01. Consent - IXP

12

Digital ID (AGDIS) Data Standards
MUST

An IXP MUST provide the mechanisms to capture express consent from the individual.

AGDIS Open ID Connect Profile: 2.7.4 User consent

01. Consent - IXP

13

Digital ID (AGDIS) Data Standards
SHOULD

To support the objectives of the data minimisation principle, ASPs, ISPs and IXPs SHOULD, if possible, permit the elements of an attribute sets to be requested individually.

AGDIS Attribute Profile: 1.1 Attributes and attribute sets

01. Consent - IXP

14

Digital ID (AGDIS) Data Standards
MUST

Consent types prescribe requirements for gathering of express consent from the individual by an accredited entity participating in the AGDIS.

AGDIS Attribute Profile: 1.2.1 Consent types

01. Consent - IXP

15

Digital ID (AGDIS) Data Standards
MUST

Table 1 Attribute profile consent models

Consent type: Not required. Express consent is not required for the attribute or attribute set. This consent type MUST only be applied to an attribute or attribute set when:
  • the attributes are explicitly exempt from the express consent requirements under one or more of the following: the Act; the Accreditation Rules; the Digital ID Rules; and the Accreditation Data Standards;
  • the attributes are technical in nature and do not convey personal information on their own or when combined with other attributes; and
  • the attributes are classified as identity system meta data.

Consent type: Every use. Express consent is required every time the attribute or attribute set is shared. The consent MUST NOT be remembered or reused in subsequent requests for the attribute or attribute set.

Consent type: Ongoing. Express consent is required at least the first time the attribute or attribute set is bound to the individual or shared. The consent MAY be remembered for a fixed duration where determined by one or more of the following: (a) the Act; (b) the Accreditation Rules; (c) the Digital ID Rules; (d) the Accreditation Data Standards. If the consent is remembered, the individual MUST:
  • be made aware of the use cases they are providing the consent to facilitate;
  • have the option for the consent to not be remembered; and
  • be provided with a clear and simple process to vary or withdraw the consent.
If the consent is remembered, the individual SHOULD be notified:
  • if the attribute is an authorisation and the authorisation is revoked by a third party, for example, by the owner or creator of the authorisation; and
  • when the consent facilitated use of their attributes in the execution of automated use cases.

Consent type: Every Change. Express consent for the attribute or attribute set is required the first time the attribute or attribute set is shared with the PRP, and every time it is modified. Accordingly, subsequent requests for express consent MUST occur when:
  • the attribute or attribute set has been modified;
  • the individual has varied or withdrawn any remembered on-going consent; and
  • the duration of the remembered consent has expired.
Attribute sharing policies SHOULD only apply this consent type when the underlying attributes support the detection of changes.

AGDIS Attribute Profile: 1.2.1 Consent Types, Table 1

01. Consent - IXP

16

UX guidance
MAY

To provide transparency, IXPs should identify which PRP they will disclose the user's attributes to.

01. Consent - IXP

17

UX guidance
MAY

Accredited entities should make the consent process as easy to understand as possible. Accredited entities should nudge users to be more privacy conscious and should use appropriate interventions to mitigate cognitive overload, facilitate comprehension, and provide transparency and consumer control. This can be done in a variety of ways, including through the use of design patterns like progressive disclosure, micro and/or descriptive copy, and with the use of microinteractions.

01. Consent - IXP

18

UX guidance
MAY

Accredited entities should notify consumers of redirection.

WCAG Success Criterion 3.2.5: Change on Request (Changes of context)

01. Consent - IXP

Note: Some interactions and screens have been omitted for simplicity.

Consent for updated attributes

When attributes are updated, an IXP must request express consent for those attributes, even if there is an existing remembered consent.

The following wireframes show an example of remembered IXP express consent where attributes have been updated.

See wireframes, key requirements and guidance

Note: Accredited entities must comply with all applicable legislative instruments, including the Digital ID Rules 2024, Digital ID (Accreditation) Rules 2024, Digital ID (AGDIS) Data Standards 2024 and Digital ID (Accreditation) Data Standards 2024. The UX guidance listed in this table is not a legal requirement.

Columns, in order: Wireframe ref | Type | Requirement level | Statement | Reference | Checklist ref | Focus area. Each row below lists its non-empty cells in that order.

01

Digital ID (AGDIS) Data Standards
MUST

An IXP MUST request express consent from the individual for Core Attributes which have changed since consent was last recorded by the IXP. [...] An IXP SHOULD use the Core Attributes Last Updated attribute to determine if the individual is required to provide consent before responding to the PRP’s attribute request.

AGDIS Attribute Profile: 2.1.1 Core

01a. Consent - IXP updated attributes

02

Digital ID (AGDIS) Data Standards
MUST

An IXP MUST request express consent from the individual for Validated Contact Details attributes which have changed since consent was last recorded by the IXP.

AGDIS Attribute Profile: 2.1.2 Validated Contact Details

01a. Consent - IXP updated attributes

03

Digital ID (AGDIS) Data Standards
MUST

An IXP MUST request express consent from the individual for the Verified Other Names attribute set which have changed since consent was last recorded by the IXP. [...] Each Verified Other Name attribute SHOULD follow the rules outlined in Table 5 below for Family Name, Middle Names and Given Names with respect to access policy, provenance, consent, and data representation.

AGDIS Attribute Profile: 2.1.3 Verified Other Names

01a. Consent - IXP updated attributes

04

Digital ID (AGDIS) Data Standards
MUST

An IXP MUST request express consent from the individual on every use of the Verified Documents attribute set.

AGDIS Attribute Profile: 2.1.4 Verified Documents

01a. Consent - IXP updated attributes

05

Digital ID (AGDIS) Data Standards
MUST

An IXP MUST request express consent from the individual on changes it is aware of to any Self-Asserted Attributes.

AGDIS Attribute Profile: 2.3 Assumed Self-Asserted Attributes

01a. Consent - IXP updated attributes

06

UX guidance
MAY

IXPs should highlight which attributes have been updated since the user's last authentication session.

10 Usability Heuristics for User Interface Design (Visibility of system status)

01a. Consent - IXP updated attributes
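As an added example (not code from the Data Standards Body or the AGDIS standards), the decision an IXP has to make before redirecting to the PRP, combining rule 4.41 (duration of express consent), Table 1 of the Attribute Profile (consent types) and the updated-attributes rows above, in Python. The RememberedConsent record, the consent-type names and the mapping of attribute sets to consent types used in the test are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Consent types from Table 1 of the AGDIS Attribute Profile (names are this example's own).
NOT_REQUIRED, EVERY_USE, ONGOING, EVERY_CHANGE = "not required", "every use", "ongoing", "every change"

def day(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d)

def plus_12_months(t: datetime) -> datetime:
    """Rule 4.41(3)(d): 12 months after consent was given (29 Feb rolls to 28 Feb)."""
    try:
        return t.replace(year=t.year + 1)
    except ValueError:
        return t.replace(year=t.year + 1, day=28)

@dataclass
class RememberedConsent:
    """Hypothetical record of a remembered express consent for one PRP and one attribute set."""
    given_at: datetime
    attributes_last_updated: datetime      # e.g. Core Attributes Last Updated when consent was recorded
    individual_days: Optional[int] = None  # period chosen by the individual (or set when varying), if any
    entity_days: Optional[int] = None      # period set by the IXP when it collected the consent
    withdrawn: bool = False

    def expires_at(self) -> datetime:
        # Rule 4.41(3): the earliest of the individual's period, the entity's period and 12 months.
        ends = [plus_12_months(self.given_at)]
        for p in (self.individual_days, self.entity_days):
            if p is not None:
                ends.append(self.given_at + timedelta(days=p))
        return min(ends)

def consent_required(consent_type: str, stored: Optional[RememberedConsent],
                     now: datetime, current_last_updated: datetime) -> bool:
    """Must the IXP collect express consent again before redirecting to the PRP?"""
    if consent_type == NOT_REQUIRED:
        return False
    if consent_type == EVERY_USE:
        return True                           # MUST NOT be remembered or reused
    if stored is None or stored.withdrawn:
        return True                           # nothing remembered, or withdrawn
    if now >= stored.expires_at():
        return True                           # rule 4.41(4): expired consent cannot be relied on
    if consent_type == EVERY_CHANGE:          # Attribute Profile 2.1.1: changed since last recorded?
        return current_last_updated > stored.attributes_last_updated
    return False                              # ongoing consent still valid

def sets_needing_consent(policy: Dict[str, str], stored: Dict[str, RememberedConsent],
                         now: datetime, last_updated: Dict[str, datetime]) -> List[str]:
    """Attribute sets the consent screen must present (an unknown update time counts as updated)."""
    return [name for name, ctype in policy.items()
            if consent_required(ctype, stored.get(name), now, last_updated.get(name, now))]
```

The screen built from sets_needing_consent can also highlight the sets whose last-updated time moved, which is the UX guidance in row 06.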

Download open source asset

Open source design assets are created in Figma to assist implementation. This Figma file contains annotated wireframes and working prototypes for Identity Exchange Provider (IXP) consent, including:

  • Default example
  • Consent for updated attributes
Download design asset [update filter options]

For past versions, refer to No access.

About open source assets

Open source design assets are provided in the form of version-controlled Figma files. These assets contain the annotated wireframe and working prototype published on this page, and have been reviewed for accessibility compliance. Assets are partially conformant to Web Content Accessibility Guidelines (WCAG) 2.1 level AA. These assets do not extend to accessible code; they focus on visual presentation and readability.

The assets use the GOLD Design System; component rationale, accessibility support, and code documentation are available on the GOLD Design System website.

For more details, see Open Source Assets.

About this page

References

The artefacts on this page were informed by the following sources. [update filter options]

Last updated

This page was updated on March 26, 2025.

Note: This document provides general guidance only. It does not constitute legal or other professional advice and should not be relied on as a statement of the law. As this is only a guide, it may contain generalisations. We encourage participants to obtain their own professional advice to ensure they understand their obligations under the Digital ID framework.

Have your say

Community consultations and maintenance are part of our ongoing process. Here’s how you can get involved:

  • Request new guidance or changes to existing guidance through the UX guidance Consultation process
  • Request new Standards or changes to existing Standards through the Standards Maintenance process
  • Log a ticket for any questions about the rules, standards, or guidelines through the Digital ID Support Portal
  • Email your feedback to cx@dsb.gov.au