ATO information security guidelines for contractors


General principles

Introduction

The Australian Government expects the Australian Taxation Office (ATO) to create and maintain an appropriate security environment for the protection of its functions and official resources. The Australian Government Protective Security Policy Framework (PSPF) sets out the policies, practices and procedures that all Australian Government departments and agencies must comply with.

Information security requirements apply to all ATO employees, and similar requirements apply to ATO contractors in the management of our information. As emphasised in these guidelines, the security of our information is critical.

These information security guidelines are derived from the minimum mandatory requirements of the PSPF Information Security Core Policy. They explain the practices and procedures contractors must follow to provide adequate security for the ATO information they access, process or store.

Departure from these guidelines must be authorised in writing by ATO Security Policy and Services (or ATO Trusted Access Branch for electronic systems) - see further information for details.

Policy

The ATO is committed to preserving the security, privacy, confidentiality, integrity and availability of all information provided to us, or generated from within. This commitment is vital because:

  • our reputation as a responsible custodian of sensitive client information is integral to community confidence in our operations
  • the proper administration of the tax system depends on our ability to keep information secure
  • legislation administered by the Commissioner of Taxation imposes certain obligations in relation to information security
  • legislation, such as the Crimes Act and Privacy Act, requires us to safeguard information
  • Australian Government policies make certain security procedures mandatory for all government agencies.

Applicability

Procedures within these guidelines apply to all contractors (which includes officers, employees, agents and subcontractors) or any other person or entity acting for the ATO and having custody of and/or access to ATO information. Use of the word 'contractor' within these guidelines applies equally to all such parties, including consultants and service providers.

Scope

These guidelines have been prepared for use by contractors who access, process, store or otherwise handle ATO information that is either unclassified or warrants a Dissemination Limiting Marker (DLM).

Additional protective security measures apply to security classified material - ATO Security Policy and Services and/or Trusted Access must be consulted if access to information other than unclassified or that bearing a DLM is required.

The contractor must appoint a body that is responsible for the security of ATO information.

Contractors must develop and deliver a plan that describes the security architecture of systems that will store, access or transmit ATO information. This plan must be approved by the ATO.

Defining ATO information

In the context of these guidelines, 'ATO information' includes data from any source and in any form, which is collected, received, stored or developed by the ATO, or its employees and contractors. ATO information may exist in a range of forms, including:

  • documents, papers and other printed or written material
  • electronic data
  • voice communications
  • video and audio recordings
  • any physical item from which information belonging to the ATO could be derived
  • intellectual knowledge.

Assessing ATO information

The ATO assesses its information according to the degree of harm that may result if the information were accessed without authority, lost, damaged, destroyed, altered or otherwise compromised. Based on this assessed degree of harm, or on other legislative requirements that restrict the distribution of the information, a protective marking is applied to the information. Protective markings include DLMs and security classifications. Authority to downgrade or upgrade the security classification of ATO information, or to remove its protective marking, rests exclusively with the ATO.

Last Modified: Monday, 30 July 2012
