The Australian Taxation Office (ATO) is an Australian government statutory agency operating under the Public Service Act 1999 and the Public Governance Performance and Accountability Act 2013.
We are responsible for administering a wide range of taxation and superannuation laws and have custody of the Australian Business Register (ABR).
- communicate our personal information handling practices
- enhance the transparency of our operations
- give individual taxpayers and our staff a better and more complete understanding of the personal information we hold and the way in which we deal with that information.
The Privacy Act
The Privacy Act protects personal information and requires that we comply with the Australian Privacy Principles (APPs) set out in Schedule 1 of the Act.
‘Personal information’ is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether the information is recorded in a material form or not.
Personal information includes ‘sensitive information’, which is a particular category of personal information. While we recognise that maintaining the confidentiality of all personal information is important in gaining and maintaining your trust, sensitive information is often afforded a higher level of protection.
How we collect personal information
We collect personal information:
- directly from you
- from other persons acting on your behalf
- from third parties
- from publicly available sources
- by using our formal access and information-gathering powers.
Our undertaking to you
We only collect personal information where it is reasonably necessary for, or directly related to, our functions and activities. These include:
- administering the taxation and superannuation laws
- administering the Australian Business Register
- the Commissioner of Taxation’s functions and activities as an employer.
We undertake to collect personal information about you in a fair and lawful way and in a manner that is not unreasonably intrusive. This means that we will not use any form of deception or threat when we collect personal information, either from you or from anyone else. When we collect personal information about you, we will take all reasonable steps to keep any inconvenience or intrusion to a minimum.
When you contact us
We must be certain of your identity before we can discuss your taxation or superannuation affairs with you. If you contact us to discuss your affairs, you must be able to prove your identity. This ensures that we are able to protect your personal information by only giving it to you or someone who can prove that they are lawfully authorised to act on your behalf.
For example, if you phone us, you can prove your identity by giving us your:
- date of birth
- address (as notified to us previously)
- details from an ATO-generated notice.
Other information can be used as proof of identity, depending on the circumstances.
If you have a general enquiry that does not involve discussing your personal information, you do not have to provide identification. In these situations, you will be able to deal with us without identifying yourself.
When we contact you
You have the right to be told why we are asking for your personal information and what legal authority we are relying on to request it from you.
Generally, when we collect personal information from you, we will tell you:
- about your rights and obligations under the law as early as possible, including the main consequences of not providing the requested information
- of any other entity to whom we usually disclose your personal information
- whether your personal information is likely to be disclosed overseas
- how you can make a complaint if you think your privacy has been breached.
When we ask a third party for information about you
The taxation and superannuation laws allow us to obtain information about you from other parties. If we ask third parties for information about you, we will normally tell you about this before seeking to obtain it.
There are some circumstances where it may not be reasonable in the circumstances to tell you that we are collecting your personal information from a third party. This may include when we collect information about a large number of individuals in similar circumstances, such as when we collect information from:
- financial institutions
- government agencies
- taxation authorities in other jurisdictions
- investment managers
- listed public entities such as companies and trusts
- share registries
- health funds and superannuation funds
Those circumstances may also include when we collect information to help us decide which individuals to audit.
When we use our formal access and information-gathering powers
In some cases, we may need to use our powers under the taxation and superannuation laws to obtain personal information about you. If we do this, we will tell you:
- when we are using our formal access and information-gathering powers to compel you to provide us with information
- about any penalties or other possible consequences if you do not comply with our request.
Only authorised taxation officers can use our formal access and information-gathering powers.
The taxation laws afford authorised taxation officers free and full access to all buildings, places, books, documents and other papers for the purposes of the laws we administer. We can also take extracts from or copies of any such books, documents or papers. Under the indirect taxation and excise laws, this also extends to goods and includes the capacity to take samples.
We can only use our access powers for the purposes of the laws we administer.
If we need to access information you hold, we prefer to consult with you and obtain the information cooperatively. In some situations, however, we will need to use our formal powers. This may occur if you do not wish to provide us with personal information or do not provide it in a timely way.
Our information-gathering powers allow us to require you to:
- give us certain information
- attend an interview with us and to provide information
- produce documents.
In some circumstances we may use a combination of these powers.
We can only use our information-gathering powers by serving you with a formal notice.
How we hold personal information
We take steps to ensure that the personal information we collect about you is accurate, up-to-date and complete. These steps include updating personal information when you tell us that your personal information has changed and at other times as necessary.
We take steps to protect the personal information we hold against loss, unauthorised access, use, modification or disclosure and other misuse. These steps include password-protecting access to our electronic information technology and communications systems and securing paper files in locked cabinets with physical access restrictions.
We also use an extensive range of physical and technological controls to ensure that only staff who need access to your personal information are able to access it.
We apply industry-best security methods, including information technology and physical security audits, penetration testing and industry best practice risk management and system security technologies to protect the personal information we hold.
Our staff may not access personal information contained in taxation records unless they are doing so:
- in the course of exercising powers or performing functions under or in relation to the taxation or superannuation laws
- in accordance with the processes of a court or tribunal
- under the Freedom of Information Act 1982.
Information we collect, hold, use and disclose
In administering the taxation and superannuation laws, we collect and hold a wide range of personal information. We may get this information from you, or from other parties. We undertake to respect your privacy and keep your information confidential, including sensitive information.
We also collect and hold personal information in our capacities as custodian of the Australian Business Register and as an employer under the Public Service Act 1999.
We collect, hold, use and disclose personal information about individual taxpayers, including:
- unique identifiers such as tax file numbers and Australian business numbers
- names, addresses, telephone and facsimile numbers
- dates of birth, occupations, gender, marital status, residency status, names of partners and relatives
- financial information, bank account and financial institution details
- shareholding and investment interest details
- student numbers and institution codes
- trustee and tax agent details
- health fund and superannuation fund details
- Australian Transaction Reports and Analysis Centre reports
- business ownership details, business transaction reports, property ownership and sales data.
Personal information contained in taxpayer records is usually collected, held, used or disclosed for the purpose of administering the taxation laws. Division 355 of Schedule 1 to the Taxation Administration Act 1953 sets out the specific circumstances in which personal information contained in taxation records can be recorded, used or disclosed.
In some circumstances, the law allows disclosures of personal information for reasons other than administering the taxation laws. These include disclosures to:
- assistance agencies to determine eligibility for government benefits
- law enforcement agencies for the purpose of investigating and prosecuting serious offences
- courts, tribunals, legal service providers and counsel representing us in disputes and debt collection activities
- state and territory revenue offices
- other government departments and agencies to enable them to administer their own legislation (for specified purposes).
When personal information contained in taxpayer records is disclosed by a taxation officer, on-disclosure rules apply to the recipient of that information. The on-disclosure rules apply to the recipient recording, using or on-disclosing that information.
For more information on the different types of personal information in taxpayer records that we collect, hold, use and disclose, see Appendix 1.
We collect, hold, use and disclose personal information about:
- superannuation guarantee obligations and entitlements of employers and employees
- self-managed superannuation fund members, trustees and directors of corporate trusts, so the funds can be registered, administered and regulated
- lost members, to maintain a central register of lost member entitlements
- individual superannuation holding account special accounts to enable accounts to be established for individuals where we have transferred unclaimed co-contribution or guarantee charge amounts to a special account
- individual taxpayer superannuation excess contribution records, to enable excess superannuation contributions to be identified and liabilities for excess contributions tax to be determined and assessed
- superannuation co-contribution system records, so that superannuation co-contribution entitlements can be determined and paid for eligible individuals
- the superannuation unclaimed money register, to maintain a register of unclaimed superannuation money paid to the Commissioner of Taxation.
Tax file numbers
A tax file number (TFN) is a unique identifier. The Commissioner of Taxation issues TFNs and we use them to help us administer the taxation and superannuation laws.
Sections 8WA and 8WB of the Taxation Administration Act 1953 (Taxation Administration Act) and the Privacy (Tax File Number) Rule 2015 protect TFNs.
Sections 8WA and 8WB of the Taxation Administration Act make it an offence to require or request that a TFN be quoted or to record, use or disclose a TFN, other than in certain circumstances stated below. These provisions relate to all TFNs, not just those belonging to individuals.
The TFN Rule is issued by the Information Commissioner under section 17 of the Privacy Act and has the force of law. It regulates the collection, storage, use, disclosure, security and disposal of an individual’s TFN information. It also protects information that records the TFN in any way that connects it with an individual’s identity.
Generally, a person must not:
- require or ask another person to quote their TFN
- record or maintain a record of another person’s TFN
- use another person’s TFN in a way that connects it to their identity
- disclose or communicate another person’s TFN to a third person.
There are some important exceptions to these rules. For example, we can request your TFN when we are performing functions under taxation laws.
Asking for your TFN
Only certain people and organisations may ask for an individual’s TFN. These include:
- taxation officers and other people carrying out functions under the taxation or superannuation laws
- payers who make payments under the pay as you go withholding system, such as employers
- the Department of Human Services, Centrelink and the Department of Veterans’ Affairs when you claim some pensions, benefits and allowances
- the Department of Education, when it administers the Higher Education Loan Program arrangements that provide financial assistance to students
- higher education institutions, in connection with Higher Education Loan Program arrangements
- trustees of regulated superannuation funds, approved deposit funds and regulated exempt public sector superannuation schemes for superannuation purposes
- State or Territory authorities, as part of operating a register of unclaimed money under the Superannuation (Unclaimed Money and Lost Members) Act 1999 or to report real property transactions as required by Subdivision 396-B of Schedule 1 to the Taxation Administration Act 1953
- trustees of closely held trusts, as defined in the Income Tax Assessment Act 1936, if you are an ultimate beneficiary of the trust
- the Child Support Agency, to administer the child support legislation
- investment bodies including banks, building societies, credit unions, government investment bodies, unit trusts, public companies and securities dealers
- registered tax agents, tax advisers, business activity statement agents, accountants and lawyers or anyone else you have authorised to act on your behalf with respect to your taxation or superannuation affairs
- the Inspector-General of Taxation, for the purposes of investigating a complaint about the administrative actions of the ATO
- other people or organisations where authorised by taxation law.
If you are asked to provide your TFN, the person asking for it must tell you:
- the legal basis for collecting the TFN
- the consequences of not providing your TFN – for example, if you choose not to give your TFN to your financial institution, they will normally withhold income tax (at the highest rate) and the Medicare levy from any interest you earn and send that amount to us (you can claim the amount as a credit when you lodge your income tax return)
- that it is not an offence if you do not provide your TFN.
Use and disclosure of TFNs
Unless authorised by law, your TFN must not be used or disclosed to:
- establish or confirm your identity for any purpose
- obtain any information about you for any purpose
- match personal information about you.
Your TFN is used to identify you in your dealings with us. You should destroy or delete your TFN from any documents before you throw those documents away. Your TFN and other personal information can be used by others to lodge tax returns and other tax forms and to receive refunds in your name.
If your TFN is known to, or being used by someone who shouldn’t have it, this is referred to as a compromised TFN.
If you think that your TFN has been lost, stolen or misused, phone us on 13 28 61 between 8:00am and 6:00pm, Monday to Friday.
When you phone, tell us whether your TFN is being used by someone else, or if it may be known to someone else and how you came to know this. For example, let us know if you have received a Notice of Assessment about a return you haven’t lodged, or if you have included your TFN in a profile you posted online while looking for work.
If we establish with you that your TFN has been compromised, the first steps we’ll take are to re-establish and confirm your identity and to check your tax records. Other action taken will depend on your situation.
Re-establishing and confirming your identity
You will need to re-establish your identity by providing us with original identification documents and by completing an application for a new TFN.
When you phone us, we’ll discuss the identification documents you’ll need to provide. We’ll also make an appointment for you to come to an ATO shopfront for a personal interview and to complete a new application.
If you are restricted by location (for example, you are in a remote area or are being held in custody) or by personal circumstances (for example, you have limited mobility or are ill), ask us what alternatives may be available to conduct the personal interview.
Once we have spoken to you, received your new application and seen your original documents, we will contact other government departments to confirm the authenticity of your identification documents. This can take a number of weeks.
Check your tax records
Once we’ve confirmed your personal details, we’ll check your tax records by looking at:
- TFN declarations
- tax returns (income reported, bank accounts used, tax agents involved and other details)
- ABNs applied for and being used
- employer superannuation guarantee payments made.
We may ask you to confirm any of this information so we can clearly determine which activity is yours and which are those from another person using your TFN.
How long this takes will depend on how much information is in your record, whether another person has used your TFN and how easy it is to confirm authenticity.
Tax practitioner records
We maintain a record of registered tax and business activity statement agents (tax practitioners) who are authorised to interact with us and perform transactions on behalf of taxpayers.
Personal information about tax practitioners that we hold includes the tax practitioner’s name, address(es), date of birth, telephone number(s), facsimile number(s), registration number, Australian business number, TFN, email address, bank details, lodgment history, statement of accounts and payment plans.
We hold these records so that we can contact tax practitioners about their clients’ taxation affairs and to monitor lodgment of tax agent prepared returns and business activity statements.
We do checks to test whether or not taxpayers are complying with the law. These checks include audit and verification programs and computer-based information matching.
This is known as data matching. It allows information from a variety of sources to be brought together, compiled and applied to a range of public policy purposes.
In the ATO, data matching helps us to both identify people who are not complying with their obligations and to detect fraud against the Commonwealth.
We align all of our data-matching activities to our published compliance program.
What data do we acquire?
Our usual data sources include investment income information from banks, financial institutions and investment bodies, employment information and welfare payments. The supply of this data is authorised by law. We match this data with our own information to detect those who may not be correctly disclosing all of their income.
We also undertake large scale activities involving information exchange with other government agencies. These exchanges of information are authorised by law. We also undertake data-matching projects relating to particular risks, issues or industries.
What action do we take with data we obtain?
We compare externally sourced data with information that we already hold. If we check your information it doesn’t mean we think you’re dishonest in your tax affairs. But if we find discrepancies we’ll take follow-up action.
We check the external data with information provided to us in tax returns and in business activity statements. We may use this information to detect people who are not in the taxation system or are not meeting other obligations, such as lodging documents, paying debts, meeting superannuation obligations and so on.
The data is also used to check trends within industries and helps us to focus on future compliance risks.
Protecting your personal information
Detailed rules set out in the Data-matching Program (Assistance and Tax) Act 1990 apply to some data-matching activities. To better protect your privacy, we also comply with voluntary guidelines about data matching issued by the Privacy Commissioner for any data matching undertaken outside of this legislative scheme.
The protocols that we follow to protect your information include:
- having our senior managers approve all external data matching
- publishing data-matching protocols that describe many of our data-matching activities
- advertising these protocols in the Commonwealth gazette
- advertising some data-matching activities in industry or other relevant publications
- secure storage of data-matching information
- giving access only to authorised staff
- regularly reviewing the progress of projects and checking that information is being properly used and protected
- providing the Information Commissioner with protocols for programs involving more than 5,000 individuals
- reporting to the Information Commissioner annually on programs involving 1,000 to 5,000 individuals.
For more information on the different types of data-matching records we hold, see Appendix 1.
Web browsing records
When you visit our website at ato.gov.au we will collect information from your browser relating to:
- your server address, operating system and top level domain name
- the date and time of your visit, the pages you accessed and documents you downloaded, the previous site you visited and the type of browser you used.
No attempt is made to identify users or their browsing activities except in the event of an investigation where a law enforcement agency may exercise a warrant to inspect our internet web server logs.
However, when you authenticate with online ATO systems directly or indirectly (for example, through myGov), certain information about your computer, your browser and the authentication process will also be logged by the ATO, such as:
- your internet provider number (IP address)
- the date and time of the use of the authentication service
- the authentication information you provided
- successful and unsuccessful attempts at authenticating.
The ATO may use this information to:
- confirm your identity
- compile statistics and reports to enhance ATO systems and services
- identify and respond to issues that may indicate authentication integrity is at risk
- detect, investigate and prosecute criminal offences.
We do not share this information with other government agencies or other organisations without your permission unless that is required or authorised by law.
The first time you visit ato.gov.au one cookie will be stored on your computer. On each visit to our website the system checks whether there is an ato.gov.au cookie on your computer. If so, it simply notes its presence and records your visit as a 'previous user'. If not, it will store one and record your visit as a 'first time visitor'. This cookie will be stored permanently unless you choose to delete it. The information is used by us to help it improve our website by understanding how it is used. There is no attempt made to identify individual users in any way.
On each use a 'session cookie' is temporarily placed on your computer, which is used to maintain navigation information during your site visit. These session cookies are deleted from your computer at the end of each internet session.
In addition, we make use of third-party sites such as Twitter, VioStream, Facebook, LinkedIn and YouTube and others to deliver content. Such third-party sites may send their own cookies to your computer. We do not control the setting of third-party cookies and suggest you check the third-party websites for more information about their cookies and how to manage them.
We maintain a voiceprint database which may in the future become a whole of government voiceprint database. With your consent, voice recordings may be used to create a biometric voiceprint that can be used to identify you.
Advisers, contractors and outsourcing
Sometimes we engage recognised expert advisers from outside the ATO, such as independent legal advisers, for assistance and advice.
The taxpayer confidentiality provisions in the tax legislation allow us to disclose personal information to these advisers.
If a third party is contracted to carry out some of our functions, such as processing forms, the contractor and its employees are bound by the taxpayer confidentiality provisions when dealing with your information.
We also ensure that the privacy and confidentiality of your personal information is addressed in these contracts.
We collect, hold, use and disclose personal information about ATO employees for the purpose of discharging the Commissioner of Taxation’s employer powers under the Public Service Act 1999. The Public Service Regulations 1999 describe circumstances in which personal information can be used and disclosed in exercising the powers of an agency head.
For more information about the nature and scope of these powers, see Appendix 1.
How you can access or correct personal information held about you
If you want to access or amend your own personal information, you should contact us first.
You can get copies of many documents without the need to make a formal request for them under the Freedom of Information Act 1982 (FOI Act).
For example, you can get a copy of any of your recent income tax returns, payment summaries or notices of assessment without making a freedom of information request.
An application form for requesting these specific categories of personal information is available on our website.
Right of access and to request changes
You have a right to request access to personal information we hold about you and to request changes to that information under:
- Australian Privacy Principles 12 and 13 (in Schedule 1 of the Privacy Act)
- sections 11 and 48 of the FOI Act.
If you request access to personal information we hold about you, or request that we change that personal information, we will:
- respond to your request for access within 30 days
- allow access or make the changes unless we consider that there is a sound reason under the Privacy Act, the FOI Act or the Taxation Administration Act 1953 to withhold the information or not make the changes.
If we do not agree to provide access to your personal information or to amend or annotate the information we hold about you, you may:
- seek a review of our decision or may appeal our decision under the FOI Act
- make a statement about the requested changes and we will attach this to the record.
For more information about how to request access or changes to the personal information we hold about you, see Appendix 2.
How we dispose of personal information
When we receive personal information about you (whether solicited or unsolicited) the information will, in almost all cases, be treated as a Commonwealth record.
We are bound by the Archives Act 1983 to retain Commonwealth records until we can lawfully dispose of them, generally either in accordance with:
- a ‘records authority’ issued or agreed to by the National Archives – a records authority determines how long we hold information and when we dispose of it
- ‘normal administrative practice’ – which permits the destruction of information that is duplicated, unimportant or of short-term facilitative value.
How you can enquire or make a complaint about a suspected breach of the Australian Privacy Principles
If you have a general question about privacy, or wish to report an instance where you think your privacy may have been compromised, you can call our Privacy Hotline on 1300 661 542 and speak to a taxation officer. If the officer is not available immediately, please leave a message. Messages are checked regularly and we will contact you to respond to your question or to obtain further information.
If you are not satisfied with how we have collected, held, used or disclosed your personal information, you can make a formal complaint.
You can lodge a complaint by:
- using the online complaints form at ato.gov.au/complaints
- phoning our complaints line on 1800 199 010
- phoning the National Relay Service on 13 36 77 (if you have a hearing, speech or communication impairment)
- sending us a free fax on 1800 060 063
- writing to:
- ATO Complaints
PO Box 1271
ALBURY NSW 2640
If you are an ATO employee and wish to obtain general information about a privacy matter, you can contact the ATO Privacy Hotline on 1300 661 542.
If you are an ATO employee and wish to make a complaint about a privacy matter relating to your taxation affairs, you may do so using the complaints process described above.
If you are an ATO employee and wish to make a complaint about a privacy matter relating to your employment relationship with the ATO, you may:
- escalate the matter within your business line
- complete an Employee Complaints form (available on the intranet)
- contact the People Helpline (details available on the intranet).
How we deal with privacy complaints
We treat complaints seriously and try to resolve them fairly and quickly.
If you make a complaint, we aim to contact you within three working days. We will work with you to resolve your complaint and keep you informed of its progress.
If you are not satisfied with how we deal with your complaint, the Privacy Commissioner at the Office of the Australian Information Commissioner may be able to help you. More information about the Office of the Australian Information Commissioner is available on their website at oaic.gov.auExternal Link or you can phone 1300 363 992.
Disclosing personal information to overseas recipients
While most of the personal information we collect about you is retained in Australia, there are circumstances where we provide personal information to overseas recipients. We do this in accordance with international tax treaties and tax information exchange agreements.
Tax treaties are also referred to as tax conventions or double tax agreements. The purpose of these agreements is to exchange tax information relevant to the tax administration of the respective countries to the agreement. We do this in order to prevent double taxation and tax fraud and evasion.
Tax information exchange agreements
We also use tax information exchange agreements (TIEA) to combat overseas tax evasion. The agreements allow us to exchange information with our TIEA partners. TIEAs promote fairness and enhance our ability to administer and enforce Australia’s own domestic tax laws.
Countries personal information is disclosed to
The countries that currently have tax treaties and tax information exchange agreements with Australia are listed in Appendix 3.