4. In the principal Act, after section 8, insert —| “Disclosure of password, access code, etc., in relation to national digital identity service |
8A.—(1) Any user of the national digital identity service —| (a) | who discloses any password or access code of the user in relation to the national digital identity service, or provides any other means of securing access in the identity of the user to any program or data held in any computer by way of the national digital identity service; and | | (b) | who does so knowing, or having reasonable grounds to believe, that the purpose of the disclosure or provision is for any person to commit, or to facilitate the commission by any person of, any offence under any written law, |
| shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both. |
(2) For the purpose of proving an offence under subsection (1), it is not necessary for the prosecution to prove —| (a) | that the purpose of committing, or facilitating the commission of, an offence was carried out; | | (b) | that the user knew, or had reasonable grounds to believe, that the purpose was to commit, or facilitate the commission of, any specific offence; or | | (c) | that the disclosure or provision was made to any specific person, if the disclosure or provision was made by the user in a manner that was intended to be accessible or retrievable by another person, whether or not that other person is known to the user. |
|
(3) For the purposes of subsection (1)(b), a user of the national digital identity service who does an act mentioned in subsection (1)(a) is presumed, until the contrary is proved, to have reasonable grounds to believe that the purpose of the disclosure or provision is for a person to commit, or to facilitate the commission by a person of, an offence under any written law, if —| (a) | the user does the act for any gain —| (i) | whether or not the gain is a wrongful gain; | | (ii) | whether or not the gain is realised; and | | (iii) | whether the gain is to the user or to another person; |
| | (b) | the user does the act knowing that it is likely to cause wrongful loss to any person; or | | (c) | at the time the user does the act, the user fails to take reasonable steps to ascertain the identity and physical location of the person to whom the password, access code or means of securing access is disclosed or provided. |
|
| (4) It is not an offence under subsection (1) if the user of the national digital identity service had reasonable grounds to believe that the purpose of the disclosure or provision is to use or access the national digital identity service to carry out a transaction in the identity of the user for a lawful purpose. |
|
| Supplying, etc., credential of another person |
8B.—(1) A person shall be guilty of an offence if the person —| (a) | obtains or retains any credential of another person in relation to the national digital identity service; or | | (b) | supplies, offers to supply, transmits or makes available, by any means, any credential of another person in relation to the national digital identity service. |
(2) It is not an offence under subsection (1)(a) if the person obtained or retained the credential of the other person for a purpose that is not any of the following purposes:| (a) | for use in committing, or in facilitating the commission of, any offence under any written law; | | (b) | for the supply or transmission of, or making available, by any means, the credential to be used in committing, or in facilitating the commission of, any offence under any written law. |
|
(3) It is not an offence under subsection (1)(b) if —| (a) | the person did the act for a purpose other than for the credential of the other person to be used in committing, or in facilitating the commission of, any offence under any written law; and | | (b) | the person did not know or have reason to believe that the credential of the other person will be or is likely to be used to commit, or facilitate the commission of, any offence under any written law. |
|
| (4) For the purposes of subsection (1)(b), a person does not transmit or make available any credential of another person in relation to the national digital identity service merely because the person provides, or operates facilities for network access, or provides services relating to, or provides connections for, the transmission or routing of data. |
(5) A person who is guilty of an offence under subsection (1) shall be liable on conviction —| (a) | to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both; and | | (b) | in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both. |
|
(6) In this section —| (a) | a reference to a credential of another person in relation to the national digital identity service has the meaning given by paragraph 1(2) of the Schedule; and | | (b) | a reference to an offence under any written law includes an offence under subsection (1).”. |
|
|
|
|
