Show download pdf controls
  • How we use the data

    The data collected under this program will enable us to undertake a range of activities to support correct reporting of cryptocurrency transactions. The data will be used to:

    • identify and inform cryptocurrency consumers of their taxation obligations as part of information and education campaigns
    • provide tailored messages in our online services that prompt taxpayers to check they are correctly meeting their reporting obligations when completing their tax returns
    • compare to ATO records, as part of the methodologies by which we select taxpayers for compliance activities
    • provide insights that support the ATO's regulatory approach, to reduce the impact of financial crime
    • design ways to make it easier for our clients to interact with the system and get their affairs right.

    The ATO does not use data from digital service providers to initiate automated action or activities.

    On this page:

    Our previous related programs

    We are using the collected data to provide tailored advice and guidance to individuals on the tax implications of their cryptocurrency investing activities.

    We prompt taxpayers through online messaging, to assess whether a capital gain or loss needs to be reported as they complete their tax return.

    Where we identify clients who lodge returns without the appropriate income or capital gain (loss) reported, their return may be subject to audit and penalties applied.

    The data helps us to:

    • understand the level of risk cryptocurrency poses to the tax system
    • measure the effectiveness of cryptocurrency treatment programs.

    Early evidence from these programs indicate voluntary compliance is increasing among individuals who dispose of cryptocurrency.

    Data providers

    The ATO is the matching agency and sole user of the data obtained during this data-matching program.

    The data providers for this data-matching program include cryptocurrency designated service providers through whom individuals and businesses can buy, sell or transfer cryptocurrency holdings.

    The Submission to the Information Commissioner sets out the basis for deviating from the publication conditions of the guidelines and its impacts on individual privacy.

    Find out about:

    Eligibility as a data provider

    We adopt a principles-based approach to ensure that our selection of data providers is fair and transparent. Inclusion of a cryptocurrency designated service provider is based on the following principles:

    • The data owner or its subsidiary operates a business in Australia that is governed by Australian law.
    • The data owner provides a cryptocurrency designated service for individuals or businesses.
    • The data owner provided these facilities for the years in focus.
    • Where the client base of a data provider does not present a risk, or the administrative or financial cost of collecting the data exceeds the benefit the data may provide, the data owner may be excluded from the program.

    Designated service providers operating in this sector will be reviewed annually against the eligibility principles for this program. If suitable, they will be included in the data-matching program.

    Our formal information gathering powers

    The data will be obtained under our formal information gathering powers contained in section 353-10 of Schedule 1 to the Taxation Administration Act 1953.

    This is a coercive power that obligates the data providers to provide the information requested. We will use the information for tax and superannuation compliance purposes.

    Privacy Act

    Data will only be used within the limits prescribed by Australian Privacy Principle 6 (APP6) contained in Schedule 1 of the Privacy Act and in particular:

    • APP6.2(b) – the use of the information is required or authorised by an Australian law
    • APP6.2(e) – the ATO reasonably believes that the use of the information is reasonably necessary for our enforcement-related activities.

    Keeping data safe

    The data-matching program will be conducted on our secure systems that comply with the requirements of:

    All ATO computer systems are strictly controlled according to Australian Government security standards for government ICT systems, with features including:

    • system access controls and security groupings
    • login identification codes and password protection
    • full audit trails of data files and system accesses.

    We will use our secure internet-based data transfer facility to obtain the data from source entities.

    Data elements collected

    Cryptocurrency data will be collected from cryptocurrency designated service providers

    We negotiate with the selected data providers individually to obtain data held within their systems. The collected data may contain all or a selection of the fields listed below.

    Client identification details – individuals

    • Given and surname(s) (if more than one name on the account)
    • Date(s) of birth
    • Addresses (residential, postal, other)
    • Australian business number (if applicable)
    • Email address
    • Contact phone numbers
    • Social media account

    Client identification details – non-individuals

    • Business name
    • Addresses (business, postal, registered, other)
    • Australian business number
    • Contact name
    • Contact phone number
    • Email address

    Cryptocurrency transaction details

    • Status of account (open, closed, suspended, lost, etc)
    • Linked bank accounts
    • Wallet address associated with the account
    • Lost or stolen (crypto)currency amounts linked to accounts
    • Unique identifier
    • Transaction date
    • Transaction time
    • Type of (crypto)currency
    • Amount (in fiat and cryptocurrency)
    • Type of transfer
    • Transfer description
    • Total account balance

    Number of records

    The number of individuals affected by this data collection is expected to range between 400,000 and 600,000 individuals per year.

    Data quality

    We anticipate that the data quality will be of a high standard based on our prior cryptocurrency data matching.

    The data is sourced from providers' systems and may not be available in a format that can be readily processed by our systems. We apply extra levels of scrutiny and analytics to verify the quality of the data. This includes but is not limited to:

    • meeting with data providers to understand their data holdings, including their data use, data currency, formats, compatibility and natural systems
    • sampling data to ensure it is fit for purpose before fully engaging providers on task
    • verification practices at receipt of data to check against confirming documentation; we then use algorithms and other analytical methods to refine the data.

    Data is transformed into a standardised format and validated to ensure that it contains the required data elements prior to loading to our computer systems. We undertake program evaluations to measure effectiveness before determining whether to continue to collect future years of the data or to discontinue the program.

    To assure data is fit for consumption and maintains integrity throughout the data-matching program, it is assessed against the 11 elements of the ATO data-quality framework:

    • accuracy – the data correctly represents the actual value
    • completeness – all expected data in a data set is present
    • consistency – data values are consistent with values within the data set
    • currency – how recent the time period is that the data set covers
    • precision – the level of detail of a data element
    • privacy – access control and usage monitoring
    • reasonableness – reasonable data is within the bounds of common sense or specific operational context
    • referential integrity – when all intended references within a data set are valid
    • timeliness – how quickly the data is available for use from the time of collection
    • uniqueness – if duplicated files or records are in the data set
    • validity – data values are presented in the correct format and fall within predefined values

    Data retention

    The collection of data under this program includes all financial years from 2014–15 to 2022–23. The data collection will be annually between April and July each year.

    Due to the number of data providers, we collect data periodically. We work co-operatively with the data providers and aim to balance our requests against peaks and troughs of demand in a data provider's own business.

    The collection of 2014–15 to 2018–19 data under the original program was conducted between September 2018 and September 2019. The 2019–20 data was collected between April and July 2020.

    In 2019, the ATO was granted exemption by the Privacy Commissioner to retain the data for seven years from the receipt of all verified data files from the data providers. The exemption request was required to satisfy the National Archives of Australia's General Disposal Authority 24 (GDA24) – Records relating to data matching exercises. GDA24 has now been revoked.

    We destroy data that is no longer required, in accordance with the Archives Act 1983, the records authorities issued by the National Archives of Australia, both general and ATO-specific.

    We will retain each financial year’s data for seven years from receipt of the final instalment of verified data files from the data providers. We intend to undertake a review by the seven-year anniversary to determine whether the data is still required.

    The data is required for this period for the protection of public revenue as:

    • A retention period of seven years will enable the ATO to cross-reference taxpayer records retrospectively.
    • The ATO is responsible for the administration of the CGT regime. CGT legislation requires the establishment of a cost base to determine an individual’s taxation liability on disposal of cryptocurrency in certain circumstances.
    • Individuals may retain cryptocurrency for many years, at times for their whole life, before disposing of it and potentially triggering a capital gains event.
    • Individuals or businesses identified as not meeting their taxation obligations, including being partly or wholly outside the taxation system, may have been operating that way for multiple years.
    • Retaining data for seven years supports our general compliance approach of reviewing an assessment within the standard period of review, which also aligns with the requirements for taxpayers to keep their records.
    • It would enable the ATO to conduct long-term trend analysis and risk profiling of the cryptocurrency market.
    • Destruction of the data would inhibit the ATO’s ability to identify taxpayers who may be subject to administrative action and therefore result in loss of public revenue.

    While increased data-retention periods may increase the risk to privacy, we have a range of safeguards to appropriately manage and minimise this. ATO systems and controls are designed to ensure the privacy and security of the data we manage.

    See also:

    Public notification of the program

    We will notify the public of our intention to collect 2020–21 to 2022–23 data by:

    • publishing a notice in the Federal Register of Legislation gazettes in the week commencing 7 June 2021
    • publishing this data-matching program protocol on our website at ato.gov.au/dmprotocols
    • advising the data providers that they
      • can notify their clients of their participation in this program
      • should update their privacy policies to note that personal information is disclosed to the ATO for data-matching purposes. 
       

    Gazette notice content

    The following information about the data-matching program appears as a gazette notice in the Federal Register of Legislation.

    Gazette notice: Commissioner of Taxation – Notice of a data-matching program

    The Australian Taxation Office (ATO) will acquire account identification and transaction data from cryptocurrency designated service providers for the 2021 financial year through to the 2023 financial year inclusively. The data items include:

    • Client identification details (names, addresses, date of birth, phone numbers, social media account and email addresses)
    • Transaction details (bank account details, wallet addresses, transaction dates, transaction time, transaction type, deposits, withdrawals, transaction quantities and coin type)

    We estimate that records relating to approximately 400,000 to 600,000 individuals will be obtained each financial year.

    The data will be acquired and matched to ATO systems to identify and treat clients who failed to report a disposal of cryptocurrency in their income tax return. Furthermore, the matching process strengthens our ability to develop tailored treatments for clients who may not be meeting their obligations. These obligations may include registration, lodgment, reporting and payment responsibilities.

    The objectives of this program are to:

    • promote voluntary compliance by communicating how we use external data with our own to help encourage taxpayers to comply with their tax and superannuation obligations
    • identify and educate those individuals and businesses that may be failing to meet their registration and/or lodgment obligations and assist them to comply.
    • gain insights from the data that may help to develop and implement treatment strategies to improve voluntary compliance; this may include educational or compliance activities as appropriate.
    • gain insights from the data to increase the ATO’s understanding of the behaviours and compliance profiles of individuals and businesses that have bought, sold or accepted payment via cryptocurrency
    • help ensure that individuals and businesses that trade or accept cryptocurrency as payment are fulfilling their taxation lodgment, reporting and payment obligations.
    • help ensure that individuals and businesses are fulfilling their tax and superannuation reporting obligations.

    A document describing this program is available at ato.gov.au/dmprotocols.

    This program follows the Office of the Australian Information Commissioner’s Guidelines on data matching in Australian Government administration (2014) (the guidelines). The guidelines include standards for the use of data matching as an administrative tool in a way that:

    • complies with the Australian Privacy Principles (APPs) and the Privacy Act 1988 (Privacy Act)
    • is consistent with good privacy practice.

    A full copy of the ATO’s privacy policy can be accessed at ato.gov.au/privacy.

    End of example
      Last modified: 09 Jun 2021QC 65885