Varying from source entity identification requirements
The Australian Taxation Office (ATO) is seeking approval for the cryptocurrency data-matching program 2014–15 to 2022–23 to vary from one or more of the conditions detailed in Guideline 10 of the Office of the Australian Information Commissioner’s Guidelines on data matching in Australian government administration (2014) (the Guidelines).
We are seeking you exercise your discretion and allow us to continue to refrain from publishing the names of the cryptocurrency designated service providers, selected to provide data in order to prevent a commercial disadvantage. This recognises the immaturity of the industry and market, and possible commercial impacts for the chosen data providers over others in the same industry and market segment not chosen to provide data.
This deviation of the normal publication conditions in this circumstance is in the public interest. Publication of the names of the data providers can impact the following:
- Unfairly identify cryptocurrency designated service providers cooperating with the ATO leading to a potential commercial disadvantage for those named.
- The perception may damage relationships between named businesses and their customers.
- Potentially impact the Government’s intent to promote a ‘level playing field’ for commercial enterprises.
The ATO appreciates that not publishing source entity (data supplier) names may appear to impact on transparency. However, we also appreciate that it is important to mitigate the detrimental commercial effects on a source entity while meeting their responsibilities as a data supplier.
This program is subject to an evaluation within three years, which is consistent with the requirements of Guideline 9.
Additional information justifying this variation is included in the tables below:
- Table 1 – matters considered in accordance with Guideline 10.2 in seeking this variation
- Table 2 – consistency with requirements of the other guidelines issued by the Office of the Australian Information Commissioner
Table 1: Matters considered in seeking this variation to the Guidelines
Matter considered |
Consideration |
|
---|---|---|
10.2.a |
The effect that not abiding by the Guidelines would have on individual privacy |
|
10.2.b |
The seriousness of the administrative or enforcement action that may flow from a match obtained through the data-matching program |
|
10.2.c |
The effect that not abiding by the Guidelines would have on the fairness of the data-matching program – including its effect on the ability of individuals to determine the basis of decisions that affect them, and their ability to dispute those decisions |
|
10.2.d |
The effect that not abiding by the Guidelines would have on the transparency and accountability of agency and government operations |
|
10.2.e |
The effect that not abiding by the Guidelines would have on compliance of the proposed data-matching program with the Australian Privacy Principles in the Privacy Act 1988 and the Australian Government Privacy Code |
|
10.2.f |
The effect that complying with the Guidelines would have on the effectiveness of the proposed data-matching program |
|
10.2.g |
Whether complying fully with the Guidelines could jeopardise or endanger the life or physical safety of information providers or could compromise the source of information provided in confidence |
|
10.2.h |
The effect that complying fully with the Guidelines would have on public revenue – including tax revenue, personal benefit payments, debts to the Commonwealth and fraud against the Commonwealth |
|
10.2.i |
Whether complying fully with the Guidelines would involve the release of a document that would be an exempt document under the Freedom of Information Act 1982 |
|
10.2.j |
Any legal authority for, or any legal obligation that requires, the conduct of the proposed data-matching program in a way that is inconsistent with the Guidelines. |
|
Table 2: Matters considered in seeking this variation to the Guidelines
This section outlines where we are being consistent with the requirements of the Guidelines.
Paragraph/Guideline |
Action taken/To be taken |
|
---|---|---|
Paragraph 6 |
Status of the Guidelines |
Our commitment to complying with the Guidelines is embedded in our data management policies and principles and clearly stated in the chief executive instruction. |
Guideline 1 |
Application of the Guidelines |
We apply the Guidelines for all data-matching programs where it is anticipated the program will include records of 5,000 or more individuals. We recognise that programs where there are multiple data sources but with common objectives and algorithms are treated as a single data-matching program. |
Guideline 2 |
Deciding to carry out or participate in a data-matching program |
Cost-benefit analysis considers alternate methods against the conduct of a data-matching program. Further, we have rigorous governance arrangements, processes and system controls in place to protect the privacy of individuals. |
Guideline 3 |
Prepare a program protocol |
Prior to conducting a data-matching program, we prepare a data-matching program protocol, submit this to the Office of the Australian Information Commissioner and make a copy publicly available on the ATO website. When elements of a data-matching program change, the protocol is amended, a copy of the amended protocol is provided to the Office of the Australian Information Commissioner and updated on our website. |
Guideline 4 |
Prepare a technical standards report |
Documentation is prepared and maintained to satisfy the requirements of a technical standards report. |
Guideline 5 |
Notify the public |
We publish notification of our intention to undertake a data-matching program in the Federal Register of Legislation – Gazettes prior to the commencement of the program. This notice will include the following information as required by the Guidelines:
Notification of the program is also published on our website and data providers are advised they can advertise their participation in the data-matching program. |
Guideline 6 |
Notify individuals of proposed administrative action |
Prior to taking any administrative action as a result of the data-matching programs, individuals and other entities are given at least 28 days to verify the accuracy of the information provided to us by third parties. |
Guideline 7 |
Destroy information that is no longer required |
We regularly review our requirement to continue to retain data and destroy those datasets no longer reasonably necessary. |
Guideline 8 |
Do not create new registers, data sets or databases |
We do not create new registers or databases using data obtained during a data-matching program. |
Guideline 9 |
Regularly evaluate data-matching programs |
Programs are evaluated within three years of the commencement of the data-matching program. These evaluations are provided to the Office of the Australian Information Commissioner on request. |
Guideline 10 |
Seeking exemptions from Guideline requirements |
When we intend to vary from the requirements of the Guidelines, we seek the approval of the Office of the Australian Information Commissioner and provide documentation to support the variance. |
Guideline 11 |
Data matching with entities other than agencies |
We undertake our own data-matching programs. This function is not outsourced. Where data is obtained from an entity other than an individual, we usually do so by using our formal information gathering powers. In these instances, the entities are advised they may notify their clients of their participation in the data-matching program. |
Guideline 12 |
Data matching with exempt agencies |
We do not usually undertake data matching with agencies that are exempt from the operations of the Privacy Act 1988 under section 7 of that Act and that are subject to the operation of the Guidelines (i.e. any data matching undertaken with an exempt agency would usually be for fewer than 5,000 individuals). In the event a data-matching activity would otherwise be subject to these Guidelines except for the exemption status, we still adhere to the principles of the Guidelines and prepare a program protocol, seeking to vary from the Guidelines by not publicly notifying of the program and publishing the protocol. We would still lodge a copy of the protocol with the Office of the Australian Information Commissioner. |
Guideline 13 |
Enable review by the Office of the Australian Information Commissioner |
We would not prevent the Office of the Australian Information Commissioner from reviewing our data-matching activities and processes. These activities and processes have been reviewed by the Australian National Audit Office and Inspector-General of Taxation. |