Understanding the purpose, scope, and governance of the MyID Consent proof of concept
ID Exchange is an Australian privacy and consent technology company founded in 2015 to put individuals back in control of their personal data. Through its Human Data Agency model, an IP portfolio centred on the Opt In® and Opt Out® trademark instruments/signals, and the ConsentX verified consent access proofs gateway platform, ID Exchange automates universal, standards-based consent distribution between the consumer and the data holder to compliantly activate the use of identity and data-sharing infrastructure that lets people decide which unique data attributes they share, with whom, for what value or benefit, and for how long. The company has provided regulatory consultations to the UK, US, and Australian governments, championing privacy-by-design and digital democracy solutions, and is a recognised voice in the emerging field of digital consent and data privacy. See https://www.idexchange.me
Joanne Cooper founded ID Exchange in 2015 to lead in the field of privacy and consent technologies. Across four decades she has worked at the leading edge of emerging technology — including roles with Getronics, Optus, and Allianz — and has provided regulatory consultation to the UK, US, and Australian governments. She has attended several UK trade delegations since 2017 and is an active ambassador for digital democracy solutions.
Joanne is the daughter of Australian captain of industry Tom Cooper, who launched the first luggable computer and personal computer into the Australian market in the early 1980s — a heritage of technology pioneering she carries into her work on individual data sovereignty.
Her work has been widely recognised. She was named an OWI Top 100 Influencer in Identity, received the Women in Security Recognition Award as Australia's Most Outstanding Female in ICT in 2024, and was honoured with the AB+F Innovation Award. In 2026, ConsentX was shortlisted by the UK Department of Trade Smart Data Forum.
The MyID Consent proof of concept was established to explore practical, standards-based approaches to digital identity and consent management within the Australian financial services sector.
Demonstrate that individuals can control their own identity data — deciding what to share, with whom, and for how long — using open, interoperable standards rather than proprietary centralised systems.
The PoC is designed to align with Australia's evolving digital identity regulatory framework — including the Digital Identity Act 2024, Privacy Act 1988, and the Consumer Data Right (CDR).
A structured shortlist of two leading vendors — Affinidi and Inrupt — has been developed to assess which platform best meets the technical, regulatory, and commercial requirements of a production deployment.
This site serves as a secure briefing resource for internal stakeholders, executive sponsors, and invited external reviewers — providing a structured overview of the initiative and its findings.
Today's identity and data sharing landscape creates systemic risk for individuals and institutions alike.
Australians maintain dozens of separate digital identities across government, banking, health, and commercial services — each with its own credentials, data stores, and consent mechanisms. There is no unified, user-controlled identity layer.
When individuals share data with financial institutions or government agencies, they typically have no visibility into how that data is used, stored, or shared onward. Consent is often buried in lengthy terms and conditions.
Organisations routinely collect more data than is necessary for the transaction at hand — creating unnecessary privacy risk and regulatory exposure under Australia's Privacy Act and the forthcoming Privacy Act reform.
Individuals have no practical way to audit who has accessed their data, when, and under what authority. This makes it impossible to detect unauthorised access or enforce data deletion rights.
Proprietary identity platforms create dependency on single vendors — making it difficult for organisations to switch providers or for individuals to move their data between services.
Financial institutions must navigate overlapping regulatory requirements — AML/KYC, Privacy Act, CDR, Digital Identity Act — often with siloed, manual processes that create compliance risk and operational cost.
The MyID Consent PoC is built on four core design principles.
All technical components are built on open, ratified standards — W3C Verifiable Credentials, Solid Protocol, DID (Decentralised Identifiers), and OpenID Connect. No proprietary lock-in at the protocol layer.
The individual is the authoritative source of their own identity data. Organisations request access; they do not hold copies. Consent can be granted, modified, or revoked at any time by the user.
Selective disclosure and zero-knowledge proof techniques ensure that only the specific data required for a transaction is shared — not entire identity profiles.
Every design decision is evaluated against Australia's regulatory framework — Privacy Act 1988, Digital Identity Act 2024, CDR, and AML/CTF Act — to ensure a production deployment would meet compliance requirements.
The PoC is designed to operate within Australia's existing and emerging regulatory landscape.
⚠️ Important: This proof of concept is for evaluation and discussion purposes only. It does not constitute legal, compliance, or procurement advice. All regulatory assessments should be independently verified by qualified legal and compliance professionals before any production deployment is undertaken.
Subject to stakeholder review and approval, the following phases are proposed following PoC evaluation.
Stakeholder review of this briefing site. Vendor demonstrations from Affinidi and Inrupt. Technical architecture review. Regulatory alignment assessment. Status: In Progress.
Select preferred vendor based on PoC evaluation. Design pilot scope with real (but limited) user cohort. Engage legal and compliance for regulatory sign-off. Establish data governance framework. Status: Planned.
Deploy pilot with selected vendor. Onboard limited user cohort. Measure against defined success criteria. Engage AUSTRAC and OAIC as appropriate for regulatory guidance. Status: Planned.
Security penetration testing. Full regulatory compliance review. Integration architecture with core systems. Business case development for board approval. Status: Planned.
Review the five-stage proof of concept walkthrough or dive into the vendor briefs.