  • Protective measures following a data breach

    Data breaches and client protection

    A data breach occurs when confidential taxpayer information could be, or has been, accessed by an unauthorised third party. Examples of data breaches would include:

    • stealing computer or paper-based taxpayer information
    • hacking into computer files containing taxpayer information
    • accessing taxpayer files using a fraudulently obtained tax practitioner AUSkey.

    The privacy of client records is protected by our proof of record ownership processes as well as the many safeguards you as a tax professional implement in your practice. However, if a data breach occurs within your practice, we may implement a range of additional safeguards. These safeguards generally mean your affected clients will not need to be issued with a new tax file number.

    How we protect clients affected by a data breach

    If a data breach has occurred at your practice then understanding what treatments we may apply to protect your clients will help you support them.

    Treatment options

    Treatment options can include one or more of the following.

    Additional proof of identity

    We may issue an alert to our staff requiring them to seek additional proof of record ownership from your client.

    The requirement will apply when your client contacts us or we contact them. The alert prompts our staff to ask additional questions when validating your client’s identity. This alert does not prevent you, as the tax practitioner, dealing with us on behalf of your client or change how we will identify you. However, in some cases we may wish to speak directly with your client.

    Asking questions only the genuine client will know assures us we are dealing with the genuine client, and not an unauthorised third party.

    Your client may also elect to have a secret password created on their ATO record. The client can complete this with our staff over the phone or by attending one of our shopfronts with proof-of-identity documentation. Secret passwords validate a client’s identity when they deal with us.

    If a client fails to establish proof of identity with us, we will ask them to attend one of our shopfronts to supply full proof-of-identity documentation or complete a tax file number enquiry form on the Australia Post website.

    Additional monitoring processes

    We will continue to monitor your client’s ATO records. If we identify any irregular activity, we may contact you or your client to ensure the activity is legitimate. This may delay our processing of income tax returns and other forms.

    Additional security measures

    Depending on your client’s circumstances, we may also apply additional security measures within our systems. These measures prevent particular activity where we perceive increased risk.

    What this means for your client:

    • AUSkey applications will be delayed while we confirm the validity of the application with the taxpayer
    • the client record may not be accessible through our online channels or MyGov
    • pre-fill data may not be available
    • we may prevent business activity statements from issuing automatically; you or your client will need to contact us before each lodgment so we can generate these statements
    • we may stop income tax returns and other forms for verification; this may delay our processing of these forms.

    Appointment of a relationship manager

    In some cases we may assign a relationship manager who will assist with the management of data breaches within your practice. The relationship manager can provide support to lessen the impact of the data breach on your practice and your client.

    What we recommend you do

    We recommend you immediately advise any of your clients affected by a data breach. We may also contact your clients directly. We will collaborate with you on the best way to communicate this information to them.

    We also encourage you to continue following security best practices to reduce the risk of fraud in your practice and to maintain high professional standards.


    You can keep up to date on current scams by:

    Consider the wider impact of identity theft

    Your client should consider the wider potential impact of identity theft. For instance, they may consider checking their credit report. The Office of the Australian Information Commissioner website provides information on how to obtain these reports.

    Additional support and information can be located on our website about the effects of identity theft and how we can support victims of identity crime.

    In addition Identity Care Australia & New Zealand (iDCare) is a joint public-private sector non-profit organisation that has been established to support Australian and New Zealand communities in responding to identity theft.

    We encourage you to share the helpful links below with your clients.


    Change AUSkey password

    If your client holds an Administrator AUSkey, we strongly recommend they log into the AUSkey website and change their password. Further information on how to complete this is available on the AUSkey website.

    We also recommend that, as Administrator AUSkey holders, they:

    • regularly log into the AUSkey website to ensure that only those authorised to have access to the portals hold active AUSkeys
    • cancel AUSkeys for staff who no longer require them
    • remove access immediately if your client has any concerns about an individual AUSkey holder's activities
    • ensure each person who deals with us online on behalf of your client's business has their own AUSkey
    • keep AUSkey passwords secure – they should not be shared.

    See also:

    • Your client can contact the AUSkey technical helpline for assistance on 1300 AUSKEY (1300 287 539).

    Your client may contact our Client Identity Support Centre on 1800 467 033 to further discuss the level of security safeguards that have been applied.

    Last modified: 11 Nov 2016 QC 50501