  • ATO privacy policy

    Our privacy policy deals with our collection, storage, access to, use and disclosure of personal information.

    About our privacy policy

    Our privacy policy seeks to:

    • communicate our personal information handling practices
    • enhance the transparency of our operations
    • give individuals a better and more complete understanding of the personal information we hold and the way in which we deal with that information

    We review our privacy policy regularly and publish it on ato.gov.au. If you would like to access a copy of our privacy policy in another form, or have feedback on our privacy policy, you can contact us.

    The Privacy Act

    The Privacy Act 1988 (Privacy Act) protects personal information and requires that we comply with the Australian Privacy Principles (APPs) set out in Schedule 1 of the Act in our handling of personal information.

    Under the Privacy Act, ‘personal information’ means 'information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether the information is recorded in a material form or not'.

    The ATO also complies with the requirements of the Australian Government Agencies Privacy Code 2017, which is registered under the Privacy Act.

    Under the Privacy Act, we:

    • have a Privacy Champion and a Privacy Officer
    • undertake privacy impact assessments (PIAs) and publish a version of those PIAs on our Privacy impact assessment register.

    Our undertaking to you

    We undertake to collect personal information about you in a fair and lawful way and in a manner that is not unreasonably intrusive. This means that we will not use any form of deception or threat when we collect personal information, either from you or from anyone else.

    We undertake to respect your privacy and to keep your information confidential. We undertake to handle your personal information as required by the Privacy Act and the Australian Government Agencies Privacy Code 2017.

    We will be transparent and open about what personal information we collect, hold, use and disclose as well as how you can make a complaint if you think your privacy has been interfered with.

    Why we collect, hold, use and disclose personal information

    In administering the taxation and superannuation laws, we collect, hold, use and disclose a wide range of personal information.

    We also collect, hold, use and disclose personal information in relation to our other functions and activities, including:

    • as custodian of the Australian Business Register
    • for data matching purposes
    • for prosecution and law enforcement processes
    • to manage enquiries and other contacts with us
    • to verify your identity
    • as the lead agency for the Government's digital identity program
    • in the course of procuring goods and services
    • as an employer under the Public Service Act 1999.

    Personal information we collect, hold, use and disclose

    We collect, hold, use and disclose personal information about individual taxpayers that is necessary for or related to the administration of taxation laws.

    Taxpayer records

    Personal information includes:

    • names, addresses, email addresses, telephone and facsimile numbers
    • dates of birth, occupations, gender, marital status, residency status, names of partners and relatives
    • unique identifiers such as tax file numbers (TFNs) and Australian business numbers (ABNs)
    • business and financial information, bank account and financial institution details
    • income which includes salary and wages
    • shareholding and investment interest details
    • student numbers and institution codes
    • trustee and tax agent details
    • health fund and superannuation fund details
    • AUSTRAC (Australian Transaction Reports and Analysis Centre) reports
    • business ownership details, business transaction reports, property ownership and sales data.

    For more information on the different types of personal information in taxpayer records that we collect, hold, use and disclose, see Appendix 1.

    Superannuation records

    We collect, hold, use and disclose personal information about:

    • super guarantee obligations and entitlements of employers and employees
    • self-managed super fund members, trustees and directors of corporate trusts, so the funds can be registered, administered and regulated
    • lost members, to maintain a central register of lost super member entitlements
    • individual super holding account special accounts to enable accounts to be established for individuals where we have transferred unclaimed co-contribution or guarantee charge amounts to a special account
    • individual taxpayer super excess contribution records, to enable excess super contributions to be identified and liabilities for excess contributions tax to be determined and assessed
    • super co-contribution system records, so that super co-contribution entitlements can be determined and paid for eligible individuals
    • the super unclaimed money register, to maintain a register of unclaimed super money paid to us.

    Tax file numbers

    A tax file number (TFN) is a unique identifier. We issue TFNs and use them to help us identify you and administer the taxation and super laws.

    Sections 8WA and 8WB of the Taxation Administration Act 1953 and the Privacy (Tax File Number) Rule 2015 protect TFNs. We handle TFN information in accordance with those pieces of legislation.

    If you are concerned that your TFN has been lost, stolen or misused, please refer to our lost or stolen TFN webpage or phone us on 13 28 61 between 8.00am and 6.00pm, Monday to Friday.

    Digital identity program

    We are participating in the government's digital identity program, giving Australian citizens and permanent residents a single and secure way to access online government services.

    Under this program, we manage both:

    • myGovID
    • Relationship Authorisation Manager (RAM).

    Personal information that we collect, hold, use and disclose for the purpose of administering myGovID and the RAM service includes your:

    • first and last name
    • date of birth
    • address
    • email address
    • identity document details, to enable us to verify and validate these details with the government authorities that have issued them.

    For further information about the collection, use and disclosure of your personal information for these services, see:

    Biometric voiceprints and MBUNs (Meaningless but Unique Numbers)

    We maintain a voiceprint biometric database. With your consent, voice recordings may be used to create a biometric voiceprint that can be used to identify you.

    Where you have given your consent, and you have a myGov account linked to the ATO and other myGov Member Services, the ATO may share your voice biometric information with those linked Member Services.

    When sharing your voice biometric information with a linked myGov Member Service, the ATO will also share your ATO MBUN, which is a unique number linked to your ATO Member Service that is created when you link your myGov account to the ATO. If you have unlinked then relinked your myGov account to the ATO, you will have multiple ATO MBUNs. However, we will only share the MBUN created when you last linked your myGov account to the ATO.

    Tax practitioner records

    We maintain a record of registered tax and business activity statement agents (tax practitioners) who are authorised to interact with us and undertake transactions on behalf of taxpayers.

    Personal information about tax practitioners that we hold includes the:

    • tax practitioner’s first name and surname
    • business trading name
    • address
    • telephone number
    • facsimile number
    • registration number
    • Australian business number
    • email address
    • bank details
    • client lodgment history.

    We hold these records so that we can contact tax practitioners about their clients’ taxation affairs and to monitor lodgment of tax agent prepared returns and business activity statements.

    Employee records

    We collect, hold, use and disclose personal information in personnel records that is reasonably necessary for the purposes of discharging the Commissioner of Taxation's employer powers. ‘Employer powers’ means all the rights, duties and powers of an agency head under the Public Service Act 1999.

    Web browsing records

    When you visit ato.gov.au we'll collect information from your browser relating to:

    • your server address, operating system and top-level domain name
    • the date and time of your visit, the pages you accessed and documents you downloaded, the previous site you visited and the type of browser you used.

    No attempt is made to identify users or their browsing activities except in the event of an investigation where a law enforcement agency may exercise a warrant to inspect our internet web server logs.

    When you authenticate with online ATO systems directly or indirectly (for example, through myGov), certain information about your computer, your browser and the authentication process will also be logged by us, such as:

    • your internet protocol (IP) address
    • the date and time of the use of the authentication service
    • the authentication information you provided
    • successful and unsuccessful attempts at authenticating.

    We may use this information to:

    • confirm your identity
    • compile statistics and reports to enhance our systems and services
    • identify and respond to issues that may indicate authentication integrity is at risk
    • detect, investigate and prosecute criminal offences.

    We don't share this information with other government agencies or other organisations without your permission unless that is required or authorised by law.

    Cookies

    Cookies are pieces of information that a website can transfer to an individual's computer hard drive or handheld device for record keeping. Cookies can make websites easier to use by storing information about your preferences on a particular website. The information remains on your device after the internet session finishes.

    The first time you visit our website one cookie will be stored on your device. On each visit to our website the system checks whether there is an ato.gov.au cookie on your device. If so, it simply notes its presence and records your visit as a 'previous user'. If not, it will store one and record your visit as a 'first time visitor'. This cookie will be stored permanently unless you choose to delete it. The information is used by us to help improve our website by understanding how it is used. There is no attempt made to identify individual users in any way.

    On each use a 'session cookie' is temporarily placed on your device, which is used to maintain navigation information during your site visit. These session cookies are deleted from your device at the end of each internet session.

    In addition, we make use of third-party sites such as Twitter, VioStream, Facebook, LinkedIn and YouTube to deliver content. Such third-party sites may send their own cookies to your device. We do not control the setting of third-party cookies and suggest you check the third-party websites for more information about their cookies and how to manage them.

    We use Google Analytics to understand how our websites are being used in order to improve the services we offer. Google Analytics uses cookies to analyse how you use our websites. No identifying information is collected by Google Analytics and parts of your IP address are masked so your identity remains anonymous. Data captured by Google Analytics is processed and stored in the USA. If you don’t want your data used by Google Analytics when visiting our website, you can opt out by using the opt out service provided by Google.

    You can also disable cookies and JavaScript in your browser; however, this may prevent you from accessing certain services and functionality.

    ATO app Google API service

    The ATO app includes the myDeductions tool to make it easier and more convenient for you to keep your expense and income records in one place. We have provided myDeductions to you only as a record keeping tool.

    If you are an Android user, we have provided you with the option to connect the ATO app to your personal Google Drive account, to make backing up myDeductions records quick and easy. We do not access, collect, use, store or share the personal information you input into the myDeductions tool, or the personal information you back up to your Google Drive account, including your Google user data. Whilst the ATO does not access personal information you input into the myDeductions tool, when you are ready to do your tax return you can choose to upload myDeductions data to prefill your tax return.

    For more information about your privacy when using Google’s services, go to the Google Privacy Policy.

    How we collect personal information

    We collect personal information:

    • directly from you
    • from other persons acting on your behalf
    • from third parties, including
      • other government agencies
      • employers
      • your clients or customers (if applicable)
      • publicly available sources.

    We collect personal information when we ask for it, or by using our formal access and information-gathering powers.

    If we receive unsolicited information, we will handle it in accordance with Australian Privacy Principle 4.

    When we ask a third party for information about you

    Tax and super laws allow us to obtain information about you from other parties. We will normally tell you about this before seeking to obtain it.

    However, there are some circumstances where it may not be reasonable or practicable in the circumstances to tell you that we are collecting your personal information from a third party. This may include when we collect information about a large number of individuals in similar circumstances, such as when we collect information from:

    • financial institutions
    • government agencies
    • tax authorities in other jurisdictions
    • investment managers
    • listed public entities such as companies and trusts
    • share registries
    • health funds and super funds
    • employers.

    How we hold personal information

    We take steps to ensure that the personal information we collect about you is accurate, up-to-date and complete. These steps include updating personal information when you tell us that your personal information has changed and at other times as necessary.

    We take steps to protect the personal information we hold against:

    • misuse
    • interference
    • loss
    • unauthorised access, modification and disclosure.

    We apply industry-best security methods, including:

    • information technology and physical security audits
    • penetration testing
    • industry best practice risk management
    • system security technologies.

    Our staff may not access personal information contained in either taxation records or personnel records unless they are doing so in the course of exercising powers or performing functions under or in relation to the tax, super or other relevant laws.

    When you contact us

    We must be certain of your identity before we can discuss your tax or super affairs with you. If you contact us to discuss your affairs, you must be able to prove your identity. This ensures that we are able to protect your personal information by only giving it to you or someone who can prove that they are lawfully authorised to act on your behalf.

    For example, if you phone us, you can prove your identity by giving us your:

    • date of birth
    • address (as notified to us previously)
    • details from an ATO-generated notice.

    Other information can be used as proof of identity, depending on the circumstances.

    If you have a general enquiry that does not involve discussing your personal information, you do not have to provide identification. In these situations, you will be able to deal with us without identifying yourself.

    When we contact you

    You have the right to be told why we are asking for your personal information and what legal authority we are relying on to request it from you.

    Generally, when we collect personal information from you, we will tell you:

    • about your rights and obligations under the law as early as possible, including the main consequences of not providing the requested information
    • of any other entity to whom we usually disclose your personal information
    • whether your personal information is likely to be disclosed overseas
    • how you can make a complaint if you think your privacy has been compromised.

    Data matching and data exchange

    We do checks to test whether taxpayers are complying with relevant law. These checks include audit and verification programs and computer-based information matching.

    This is known as data matching. It allows information from a variety of sources to be brought together, compiled and applied to a range of public policy purposes.

    In the ATO, data matching helps us to both identify people who are not complying with their obligations and to detect fraud against the Commonwealth. If we check your information it doesn’t mean we think you’re dishonest in your tax affairs. But if we find discrepancies we’ll take follow-up action.

    Data sources we acquire

    Some of our data sources include investment income information from banks, financial institutions and investment bodies, employment information and welfare payment information. The supply of this data is authorised by law. We match this data with our own information to detect those who may not be correctly reporting all of their income.

    We also undertake large scale activities involving information exchange with other government agencies. These exchanges of information are authorised by law. We also undertake data-matching projects relating to particular risks, issues or industries.

    Action we take with data

    We compare externally sourced data with information that we already hold.

    We check the external data with information provided to us in tax returns, business activity statements and other forms. We may use this information to detect people who are not in the taxation system or are not meeting other obligations, such as lodging documents, paying debts, meeting super obligations and so on.

    The data is also used to check trends within industries and helps us to focus on future compliance risks.

    Protecting your personal information in data matching

    Detailed rules set out in the Data-matching Program (Assistance and Tax) Act 1990 apply to some data-matching activities. To better protect your privacy, we also comply with voluntary guidelines about data matching issued by the Privacy Commissioner.

    For more information on the different types of data-matching records we hold, see Appendix 1.

    Advisers, contractors and outsourcing

    Sometimes we engage recognised expert advisers from outside the ATO, such as independent legal advisers, for assistance and advice. The taxpayer confidentiality provisions in the tax legislation allow us to disclose personal information to these advisers.

    If a third party is contracted to carry out some of our functions, such as processing forms, the contractor and its employees are bound by privacy and taxpayer confidentiality provisions when dealing with your information. We also ensure that the privacy and confidentiality of your personal information is addressed in these contracts.

    How we dispose of personal information

    When we receive personal information about you (whether solicited or unsolicited) the information will, in almost all cases, be treated as a Commonwealth record.

    We are bound by the Archives Act 1983 to retain Commonwealth records until we can lawfully dispose of them, generally either in accordance with:

    • a ‘records authority’ issued or agreed to by the National Archives – a records authority determines how long we hold information and when we dispose of it
    • ‘normal administrative practice’ – which permits the destruction of information that is duplicated, unimportant or of short-term facilitative value.

    Disclosing personal information to overseas recipients

    While most of the personal information we collect about you is retained in Australia, there are circumstances where we provide personal information to overseas recipients. We do this in accordance with international tax treaties and tax information exchange agreements.

    Tax treaties

    Tax treaties are also referred to as tax conventions or double tax agreements. The purpose of these agreements is to exchange tax information relevant to the tax administration of the respective countries to the agreement. We do this in order to prevent double taxation, tax fraud and tax evasion.

    Tax information exchange agreements

    We also use tax information exchange agreements (TIEA) to combat overseas tax evasion. The agreements allow us to exchange information with our TIEA partners. TIEAs promote fairness and enhance our ability to administer and enforce Australia’s own domestic tax laws.

    Countries and other jurisdictions personal information is disclosed to

    The countries and other jurisdictions that currently have tax treaties and tax information exchange agreements with Australia are listed in Appendix 2.

    How you can access your personal information and seek its correction

    You can update your own personal information via our online services.

    You can access copies of your personal taxation information via myGov. Personal taxation records that can be accessed include:

    • your income tax returns
    • notices of assessments
    • payment summaries and income statements.

    Your authorised representative may also have access to your personal information or can request it on your behalf through our Online services for agents. For more information about accessing your personal taxation information through our online services, please refer to our copies of tax documents request webpage.

    Where you require access to documents that you cannot obtain through our online services or through our administrative access arrangements, you can lodge a request for those documents under Australian Privacy Principle (APP) 12 or the Freedom of Information Act 1982 (FOI Act).

    Access to personal information – Australian Privacy Principle 12

    You have a right to request access to your own personal information under APP 12.

    However, if we can refuse to give you access to the requested personal information under the FOI Act or any other Commonwealth Act, we do not have to give you access to the personal information under APP 12.

    We will respond to your request for access to your personal information within 30 days.

    In circumstances where we refuse to provide you with access to your own personal information, we will give you a written notice that sets out the reasons for the refusal (unless it would be unreasonable to do so).

    We will advise you how to complain about a refusal.

    We will not charge you for making a request or for giving you access to your own personal information.

    Correction of personal information – Australian Privacy Principle 13

    We will take reasonable steps to correct personal information that we hold about you to ensure that, having regard to the purpose for which the information is held, it is accurate, up to date, complete, relevant and not misleading. We will also take reasonable steps to correct personal information in circumstances where you request us to correct the information.

    We will respond to an amendment request within 30 days.

    If we refuse your amendment request, we will give you a written notice that sets out the reasons for the refusal, except to the extent that it would be unreasonable to do so.

    We will advise you how to complain about a refusal.

    We will not charge you for making an amendment request or for correcting personal information about you.

    Making a FOI request

    You can also make a Freedom of Information (FOI) request.

    The FOI Act gives you the right to:

    • access copies of documents (except exempt documents) held by us
    • ask for information concerning you to be amended or annotated if it is incomplete, out of date, incorrect or misleading
    • seek a review of our decision not to allow you access to a document or not to amend your personal record (this review can be done by us or by the Information Commissioner).

    A FOI request must:

    • be in writing
    • state that the request is an application for the purposes of the FOI Act
    • provide such information concerning the document requested as is reasonably necessary to enable a taxation officer to identify it
    • provide details of how notices under the FOI Act may be sent to you (for example, by providing an email or postal address for correspondence).

    You can send your request to us by email at FOI@ato.gov.au with your name and the words FOI REQUEST in the subject line. You can use the FOI application form available on ato.gov.au.

    We prefer email but you can also send your FOI request to the postal address of our central or regional offices as given in a current telephone directory, clearly marked FOI REQUEST on the envelope and on the enclosed request.

    For more information about FOI requests please see accessing information under the FOI Act.

    How you can enquire or complain about a suspected breach of the APPs or the Australian Government Agencies Privacy Code 2017

    General questions

    If you have a general question about privacy or wish to report an instance where you think your privacy may have been compromised, you can call our Privacy Hotline on 1300 661 542 and speak to a taxation officer. If the officer is not available to speak with you, please leave a message and an ATO officer will contact you to respond to your question or to obtain further information.

    Complaints

    If you are not satisfied with how we have collected, held, used or disclosed your personal information, or another matter in relation to the APPs or the Australian Government Agencies Privacy Code 2017, you can make a formal complaint.

    You can lodge a complaint by:

    • using our online complaints form
    • phoning our complaints line on 1800 199 010
    • phoning the National Relay Service on 13 36 77 (if you have a hearing, speech or communication impairment)
    • sending us a fax on 1800 060 063
    • writing to
      ATO Complaints
      PO Box 1271
      ALBURY  NSW  2640

    How we deal with privacy complaints

    We treat complaints seriously and try to resolve them fairly and quickly.

    If you make a complaint, we aim to contact you within three working days. We will work with you to resolve your complaint and keep you informed of its progress.

    If you are not satisfied with how we deal with your complaint, the Privacy Commissioner at the Office of the Australian Information Commissioner may be able to help you. Visit the Office of the Australian Information Commissioner website for more information, or you can phone 1300 363 992.

    Information for ATO employees

    The ATO cares about the privacy of its employees and we take our obligations under the Privacy Act seriously. If you are an ATO employee and wish to make a complaint about a privacy matter relating to your taxation affairs, you may wish to do so using the complaints process described above.

    If you are an ATO employee and have concerns that your privacy has been breached at work, or your personal information has not been treated as required under the Privacy Act at work, you can do one or more of the following:

    • refer to the ATO Intranet page on Privacy Breaches and Concerns
    • speak to your manager - we would recommend this in the first instance where possible
    • contact the People Helpline via phone or email (details available on the intranet).

    If you are not satisfied with how we deal with your complaint, the Privacy Commissioner at the Office of the Australian Information Commissioner may be able to help you. Visit the Office of the Australian Information Commissioner website for more information, or you can phone 1300 363 992.

    Appendix 1 – What information we collect, hold, use and disclose, and why

    Australian Business Register records

    The Australian Business Register (ABR) records unique identifiers called Australian business numbers (ABNs). The ABR also records other identity information about entities that carry on enterprises in Australia or that, when they carry on an enterprise, make their supplies in connection with Australia.

    The ABR records the details of individuals that a business entity has nominated (called ‘nominated representatives’) or of individuals who carry on a business themselves, to facilitate that business’ electronic dealings with government agencies.

    Some of the ABR information is publicly accessible through the ABN Lookup tool at business.gov.au. This is where the public version of the ABR is maintained. A person who does not wish to have their personal details publicly displayed can apply to the Registrar (who is also the Commissioner of Taxation) to not have those details disclosed in ABN Lookup.

    Information that is not publicly available may be disclosed to certain government agencies under section 30 of the A New Tax System (Australian Business Number) Act 1999 so that those other agencies can carry out their functions. Personal information contained in the ABR may also be disclosed to courts and tribunals in connection with proceedings under a taxation law.

    Prosecution and law enforcement records

    We investigate fraud and suspected abuses of the tax system. Alleged offenders may be prosecuted.

    We maintain a database of prosecution matters for breaches of taxation, superannuation and excise laws.

    Personal information collected, held, used and disclosed can include:

    • names
    • contact details
    • telephone numbers
    • TFNs
    • details of alleged offences
    • company and trust affiliations
    • known assets and liabilities
    • land title information
    • information from AUSTRAC
    • related persons details
    • information from financial institutions and other jurisdictions.

    We receive requests for personal information from law enforcement agencies in relation to both taxation and non-taxation matters. We disclose personal information to law enforcement agencies according to the legislative provisions that permit these disclosures. We also make disclosures to law enforcement agencies of our own volition and according to these provisions.

    We keep a record of law enforcement agency requests for personal information and of the personal information we disclose to law enforcement agencies.

    Prescribed taskforces

    Taxation laws permit the disclosure of personal information to multi-agency prescribed taskforces. Prescribed taskforces are established to address priority issues and must have protecting the public finances of Australia as one of their purposes.

    Personal information disclosed to prescribed taskforces includes:

    • names, addresses, contact details
    • TFNs
    • information from third-party sources including AUSTRAC and ASIC (Australian Securities and Investments Commission)
    • details of real and personal property
    • travel movements.

    Excise records

    The purpose of these records is to control the manufacture, storage, delivery and movement of excisable goods under the Excise Act 1901. Personal information collected, held, used and disclosed includes:

    • names and addresses
    • email addresses and telephone numbers
    • TFNs
    • criminal history checks
    • financial, social security and land titles information.

    We also receive information from ASIC, AUSTRAC, the Australian Border Force and the Department of Home Affairs.

    Data matching records

    We maintain data-matching databases relating to activities such as:

    • online selling and trade suppliers
    • credit and debit card transactions
    • property (including real property) transactions
    • information from other government agencies, including states and territories.

    The purpose of these records is to increase our understanding of the behaviour and compliance profile of businesses and individuals involved in particular industries by:

    • identifying employers whose registration status may not accurately reflect their business status
    • determining whether income tax returns have been lodged correctly
    • identifying compliance risks, trends and patterns.

    Call recordings

    We record all inbound and outbound telephone calls routed by our call management system within our contact centre environment. The call recording system also contains a screen capture facility. We use this information to assist with the administration of tax and super laws. We may also use call recordings and screen captures for:

    • coaching and quality assurance purposes
    • gathering business data
    • managing complaints
    • staff training
    • fraud investigations
    • making system and business improvements.

    Vendor records

    We collect, hold and use personal information about tenderers and suppliers to the ATO. The information is used to evaluate responses from tenderers for our procurement requirements and to manage supplier arrangements. Personal information collected, held and used may include:

    • names and addresses
    • contract details
    • tender responses
    • curricula vitae and employment histories of individual contractors
    • bank account and payment details
    • financial statements, credit ratings, cash securities and bank guarantees
    • declarations of pecuniary interests
    • character check records
    • security clearances
    • confidentiality undertakings
    • contract performance reports.

    Some personal information relating to contractors may be published on the Australian government’s procurement information system (AusTender). This will include the names of contractors, how much the contract was awarded for, business address and ABN.

    Employee records

    We collect, hold, use and disclose personal information in personnel records for the purpose of discharging the Commissioner's employer powers. ‘Employer powers’ means all the rights, duties and powers of an agency head under the Public Service Act 1999.

    Regulation 9.2 of the Public Service Regulations 1999 provides that an agency head may use or disclose personal information in their possession or control where the use or disclosure is necessary or relevant to the performance or exercise of the agency head’s employer powers.

      Last modified: 29 Oct 2020
      QC 39396