ATO information security guidelines for contractors
The Australian Government expects the Australian Taxation Office (ATO) to create and maintain an appropriate security environment for the protection of its functions and official resources. The Australian Government Protective Security Policy Framework (PSPF) sets out the policies, practices and procedures that all Australian Government departments and agencies must comply with.
Information security requirements apply to all ATO employees, and similar requirements apply to ATO contractors in the management of our information. The security of our information is critical.
These information security guidelines are derived from the minimum mandatory requirements of the PSPF information security management core policy. They explain the practices and procedures contractors must follow to provide adequate security for the ATO information they access, process or store.
Departure from these guidelines must be authorised in writing by ATO Physical Security Management (or ATO IT Security Branch for electronic systems) - see further information for details.
We are committed to preserving the security, privacy, confidentiality, integrity and availability of all information provided to us, or generated from within. This commitment is vital because:
- our reputation as a responsible custodian of sensitive client information is integral to community confidence in our operations
- the proper administration of the tax system depends on our ability to keep information secure
- legislation administered by the Commissioner of Taxation imposes certain information security obligations
- legislation, such as the Crimes Act 1914 and Privacy Act 1988, require us to safeguard information
- Australian Government policies make certain security procedures mandatory for all government agencies.
Procedures within these guidelines apply to all contractors (which includes officers, employees, agents and subcontractors) or any other person or entity acting for the ATO and having custody of or access to ATO information. Use of the word 'contractor' within these guidelines applies equally to all such parties, including consultants and service providers.
These guidelines will support contractors who access, process, store or otherwise handle ATO information that is either unclassified or warrants a Dissemination Limiting Marker (DLM).
Additional protective security measures apply to security-classified material - ATO Physical Security Management and/or IT Security Branch must be consulted if access to information other than unclassified or that bearing a DLM is required.
The contractor must appoint somebody who is responsible for the security of ATO information.
Contractors must deliver a plan that describes the security architecture of systems that will store, access or transmit ATO information. This plan must be approved by us.
Defining and assessing ATO information
In the context of these guidelines, 'ATO information' includes data from any source and in any form, which is collected, received, stored or developed by the ATO, or by ATO employees and contractors. Our information may exist in a range of forms, including:
- documents, papers and other printed or written material
- electronic data
- voice communications
- video and audio recordings
- any physical item from which information belonging to the ATO could be derived
- intellectual knowledge.
We assess all of our information according to the degree of harm that may result if it was accessed without authority, lost, damaged, destroyed, altered or otherwise compromised. Based on this assessed degree of harm, or other legislative requirements which restrict the distribution of the information, a protective marking is applied to information. Protective markings include DLMs and security classifications. Authority to downgrade or upgrade the security classification, or remove the protective marking of ATO information, rests exclusively with us.