    Data breach guidance for tax professionals

    Information security is an important aspect of your business. It’s important you keep all your business, staff and client information secure. If your data is lost or compromised, it can be very difficult and costly to recover.

    Data breaches are often a precursor to refund fraud. The ATO has sophisticated mechanisms in place for identifying and protecting against potential refund and superannuation fraud, which assist in meeting our obligation to protect government revenue.

    Data breaches and client protection

    As tax professionals hold a large amount of client, staff and business information they have become a target for identity thieves.

    Tax professionals who experience a data breach may discover their clients' identities have been stolen, and refund fraud committed in the clients' names.

    A data breach occurs when confidential taxpayer information has been accessed by an unauthorised third party.

    Examples of data breaches include but are not limited to:

    • unauthorised removal of computers, data, or records in both paper and digital formats
    • people with legitimate access to the data using it for fraudulent means
    • accessing taxpayer files using a fraudulently obtained credential, such as an AUSkey
    • criminals exploiting vulnerabilities in your IT security controls, hacking or phishing for information
    • accidental disclosure of information – for example, records emailed to an unauthorised third party, or hard copies left in a public place
    • payroll information for your employees being unlawfully accessed
    • unauthorised access to cloud-based accounting software you use to store information.

    What we recommend you do

    Tax professionals are encouraged to report data breaches to us to ensure protective measures can be placed on client accounts, protecting them and government revenue from further harm.

    If you have experienced a breach we recommend you:

    • contact us as soon as practicable on 1800 467 033 Monday to Friday, 8:00am–6:00pm so that we may apply measures to protect your business, staff and clients where necessary
    • review the guidance material on the Office of the Australian Information Commissioner (OAIC) website to ensure you comply with any obligations you may have under the Privacy Act 1988, including the Notifiable Data Breaches Scheme (NDBS)
    • inform impacted clients and staff of the data breach. We may also contact your clients or staff directly
    • contact your software provider if you suspect the breach may have originated in one of their service offerings
    • consider what information was accessed during the breach and take steps to safeguard this where necessary – for example, you may need to cancel your AUSkey
    • take steps to secure the information in your business by ensuring all security software and controls are up to date
    • review systems access and remove it for people who no longer require it
    • continue to follow security best practice to reduce the risk in your business and reinforce these practices with your staff.

    If you or your clients are concerned about the security of other personal information and the wider impact of identity theft, we recommend you speak with IDCARE on 1300 432 273. IDCARE provide free advice and confidential support to victims of data breaches and identity theft.

    How we protect clients affected by a data breach

    We protect the privacy of client records through our proof of record ownership processes. If a data breach occurs within your practice, we may implement a range of additional safeguards to protect clients and government revenue.

    Understanding what treatments we may apply to protect your clients will help you support them.

    Treatment options

    Treatment options can include one or more of the following depending on the severity of the breach and any resultant fraud attempts.

    Additional proof of identity

    We may issue an alert to our staff requiring them to seek additional proof of record ownership from your client.

    The requirement will apply when your client interacts with us. The alert prompts our staff to ask additional questions when validating your client’s identity. This alert does not prevent you from dealing with us on behalf of your client or change how we will identify you.

    Asking questions only the genuine client will know assures us we are dealing with the actual client, and not an unauthorised third party.

    Your client may also elect to have a secret password created on their ATO record. The client can complete this with our staff over the phone or by attending one of our shopfronts with proof-of-identity documentation. Secret passwords validate a client’s identity when they deal with us.

    If a client fails to establish proof of identity with us, we will ask them to attend one of our shopfronts to supply full proof-of-identity documentation or complete a tax file number enquiry form on the Australia Post website.

    Additional monitoring processes

    We will continue to monitor your client’s ATO records. If we identify any irregular activity, we may contact you or your client to ensure the activity is legitimate. This may delay our processing of income tax returns and other forms.

    Additional security measures

    Depending on your client’s circumstances, we may also apply additional security measures within our systems. These measures prevent particular activity where we perceive increased risk to clients, government revenue or both.

    What this means for your client:

    • AUSkey applications will be delayed while we confirm the validity of the application
    • the client record may not be accessible through our online channels or myGov
    • pre-fill data may not be available
    • we may prevent business activity statements from issuing automatically; you or your client will need to contact us before each lodgment so we can generate these statements
    • we may stop income tax returns and other forms for verification; this may delay our processing of these forms.

    Appointment of a data breach manager

    In some cases we may assign a data breach manager who will assist you in the management of data breaches within your practice. The data breach manager may provide support to lessen the impact of the data breach on your practice and your client.

    Change AUSkey password

    If you are aware or suspect that your AUSkey has been compromised, we recommend you log in to the Australian Business Register AUSkey website and change your password.

    If you are a standard AUSkey holder you should also inform the AUSkey Administrator.

    If you are the Administrator AUSkey holder you should cancel an AUSkey when you are alerted to unauthorised access. You should also:

    • check AUSkey Manager and confirm all transactions are legitimate
    • regularly log in to AUSkey Manager to ensure only those authorised to have access to the portals hold active AUSkeys
    • cancel AUSkeys for staff who no longer require them
    • remove access immediately if your client has any concerns about an individual AUSkey holder's activities
    • ensure any employee who deals with us online on behalf of your business has their own AUSkey
    • keep AUSkey passwords secure – they should not be shared.

    See also:

    • Further information on how to change your password is available on the AUSkey website
    • Contact the AUSkey technical helpline for assistance on 1300 AUSKEY (1300 287 539).

    Last modified: 19 Jan 2018 (QC 54173)