To reduce information being lost, destroyed, damaged, compromised or misused, access to ATO information by a contractor or other party is authorised only if all the following conditions are met:
- there is a genuine 'need to know' the information
- access will comply with legislative requirements
- there is no conflict of interest regarding the information
- the person has the required level of security clearance.
ATO information must not be given to any third party or transferred to unapproved systems including those overseas unless the contractor has received written approval from the ATO Contract manager prior to the placement or transfer. The contract manager is required to ensure IT security is notified and any required IT security reviews are initiated prior to any transfer.
We must be consulted and provide formal written approval before any outsourcing arrangements are put into effect.
ICT services must not be delivered or managed from overseas. ATO data must not be transmitted, stored or processed overseas.
Please note that all data supplied by or created for and that which is collected, received, stored or developed by the ATO always remains the property of the ATO.
Need-to-know
The 'need-to-know' principle states that the availability of information should be limited to those who need to use or access it to do their work. Contractors are not entitled to access information merely for the sake of convenience, or by virtue of status, position, office, or level of security clearance. The need to know principles must be enforced through the uses of access controls and authorisation procedures.
Systems access
If a contractor processes or stores ATO information on any electronic system and is required to access the ATO information the contractor must provide appropriate documentation such as (an Information Technology (IT) Security Plan and standard operating procedures) which document access requirements as specified in the ISM . These documents must be endorsed by ATO IT Security.
Authorised personnel
All contractors with access to ATO information in any format must satisfy our pre-engagement integrity checking requirements. These requirements include:
- identity verification
- character assessment, including a police records check
- completion of an ATO Declaration of Secrecy.
Pre-engagement integrity checks must be undertaken by us . Contractors may be responsible for costs associated with these requirements. Our contract managers are responsible for ensuring integrity-checking requirements are completed before access commences.
Security clearances
Contractors and their authorised personnel who access systems that store, process or communicate ATO information will be required to obtain and maintain an appropriate government security clearance as per the PSPF and ISM.
Security awareness and training
Contractors must ensure all personnel who have access to ATO information (including systems that store ATO information) undertake ATO mandatory security awareness training (this can be obtained through the contract manager) before accessing ATO information.
You and your authorised personnel must be made aware of the following:
- ATO security classification and protective marking system
- requirements for ATO pre-engagement integrity check
- requirements for obtaining security clearance
- information management requirements, including storage, transmission and destruction of information
- proper use of ATO IT systems, facilities and assets
- appropriate levels of access to systems, facilities, assets and electronic information
- close-of-business security procedures
- the 'need-to-know' principle
- protocols to report security-related incidents
- their responsibilities to notify changes in circumstance relating to service provision (for example, subcontracting out of services, relocation/renovation of premises, changes in key personnel, conflicts of interest)
- privacy and secrecy obligations
- the legitimate use of system accounts, software and information
- the security of accounts, including shared passwords
- how to protect ICT workstations and devices from unauthorised access
- rules and regulations governing the secure operation and authorised use of systems.