How we use the crypto data
The data collected under this program will enable us to undertake a range of activities to support correct reporting of crypto asset transactions.
The data will be used to:
- identify and inform crypto consumers of their tax obligations as part of information and education campaigns
- provide tailored messages in our online services that prompt taxpayers to check they are correctly meeting their reposting obligations when completing their tax returns
- compare to our records, as part of the methodologies by which we select taxpayers for compliance activities
- provide insights that support our regulatory approach, to reduce the impact of financial crime
- design ways to make it easier for taxpayers to interact with the system and get their affairs right.
We don't use data from digital service providers to complete automated action or activities.
Previous related programs
The continued collection of data will be used to provide tailored advice and guidance to individuals on the tax implications of their crypto asset investment activities.
We prompt taxpayers through online messaging, to assess whether a capital gain or loss needs to be reported as they complete their tax return.
Where we identify clients who lodge returns without the appropriate income or capital gain (loss) reported, their return may be subject to audit and penalties applied.
The data helps us to:
- understand the level of risk crypto assets pose to the tax system
- measure the effectiveness of crypto asset treatment programs.
Early evidence from these programs indicate voluntary compliance is increasing among individuals who dispose of crypto assets.
Data providers
We are the matching agency, and in most cases the sole user, of the data obtained during this data-matching program.
The data providers for this data-matching program include crypto designated service providers through whom individuals and businesses can buy, sell or transfer crypto holdings.
Eligibility as a data provider
We adopt a principles-based approach to ensure that our selection of data providers is fair and transparent. Inclusion of a crypto asset designated service provider is based on the following principles:
- The data owner or its subsidiary operates a business in Australia that is governed by Australian law.
- The data owner provides a crypto asset designated service for individuals or businesses.
- The data owner provided these facilities for the years in focus.
- Where the client base of a data provider does not present a risk, or the administrative or financial cost of collecting the data exceeds the benefit the data may provide, the data owner may be excluded from the program.
- Designated service providers operating in this sector will be reviewed annually against the eligibility principles for this program. If suitable, they will be included in the data-matching program.
Our formal information gathering powers
To ensure statutory requirements are met, we obtain data under our formal information gathering powers. These are contained in section 353-10 of Schedule 1 to the Taxation Administration Act 1953.
This is a coercive power and the data provider is obligated to provide the information requested.
We will use the data for tax and super compliance purposes.
Privacy Act
Data will only be used within the limits prescribed by Australian Privacy Principle 6 (APP6) contained in Schedule 1 of the Privacy Act and in particular:
- APP6.2(b) – the use of the information is required or authorised by an Australian law
- APP6.2(e) – the ATO reasonably believes that the use of the information is reasonably necessary for our enforcement-related activities.
Data elements we collect
Crypto asset data will be collected from crypto designated service providers. We anticipate the data quality will be of a high standard based on our prior crypto asset data-matching programs.
We negotiate with the selected data providers individually to obtain data held within their systems. The collected data may contain all or a selection of the fields listed below.
Client identification details – individuals
Client identification data elements for individuals that we collect include:
- given and surname or surnames (if more than one name on the account)
- date or dates of birth
- addresses (residential, postal, other)
- Australian business number (if applicable)
- email address
- contact phone numbers
- social media account
- identify verification document details
- registration IP Address
- user ID
- account type (individual)
- sign up date.
Client identification details – non-individuals
Client identification data elements for non-individuals that we collect include:
- business name
- addresses (business, postal, registered, other)
- Australian business number
- contact phone number
- email address
- registration IP Address
- user ID
- account type (company, trust, super fund)
- sign up date.
Crypto asset transaction details
Crypto asset transaction data elements we collect include:
- status of account (open, closed, suspended, lost, etc)
- linked bank account details
- wallet address associated with the account
- lost or stolen crypto amounts linked to accounts
- unique identifier
- transaction date
- transaction time
- type of crypto asset
- amount (in fiat and crypto)
- type of transfer
- transfer description
- total account balance
- IP address.
Number of records
We expect to collect data on approximately 700,000 to 1,200,000 individuals and entities each financial year for this program.
Data retention
We collect data under this program for all financial years from 2014-15 to 2025-26. We collect this data annually between April and July each year.
We destroy data that is no longer required in accordance with the Archives Act 1983, and the records authorities issued by the National Archives of Australia, for both general and ATO-specific data.
For more information, see Data retention and destruction.
We will retain each financial year’s data for 7 years from receipt of the final instalment of verified data files from the data providers.
The data is required for this period for the protection of public revenue as:
- a retention period of 7 years will enable us to cross-reference taxpayer records retrospectively
- we are responsible for the administration of the CGT regime. CGT legislation requires the establishment of a cost base to determine an individual’s tax liability on disposal of crypto assets in certain circumstances
- individuals may retain crypto assets for many years, at times for their whole life, before disposing of it and potentially triggering a capital gains event
- individuals or businesses identified as not meeting their tax obligations, including being partly or wholly outside the tax system, may have been operating that way for multiple years
- retaining data for 7 years supports our general compliance approach of reviewing an assessment within the standard period of review, which also aligns with the requirements for taxpayers to keep their records
- it would enable us to conduct long-term trend analysis and risk profiling of the crypto market
- destruction of the data would inhibit our ability to identify taxpayers who may be subject to administrative action and therefore result in loss of public revenue.
While increased data-retention periods may increase the risk to privacy, we have a range of safeguards to appropriately manage and minimise this. Our systems and controls are designed to ensure the privacy and security of the data we manage.