Conditions to access information
To reduce the risk of information being lost, destroyed, damaged, compromised or misused, access to ATO information by a contractor or other party is authorised only if all the following conditions are met:
- There is a genuine 'need to know' the information
- Access will comply with legislative requirements
- There is no conflict of interest regarding the information
- The person has the required level of security clearance.
ATO information must not be given to any third party or transferred to unapproved systems, including those overseas, unless the contractor has received written approval from the ATO contract manager prior to the placement or transfer. The contract manager is required to ensure ATO IT Security is notified and any required security reviews are initiated prior to any transfer.
We must be consulted and provide formal written approval before any outsourcing arrangements are put into effect.
Note that all data supplied by or created for the ATO, and all data collected, received, stored or developed by the ATO, always remains the property of the ATO.
Need-to-know
The 'need-to-know' principle states that the availability of information is limited to those who need to use or access it to do their work. Contractors are not entitled to access information merely for the sake of convenience or by virtue of status, position, office or level of security clearance. The need-to-know principle must be enforced through the use of access controls and authorisation procedures.
Systems access
If a contractor processes or stores ATO information on any electronic system, the contractor must provide appropriate documentation outlining security arrangements for the system (for example, system security plans and standard operating procedures). These documents must be endorsed by ATO IT Security.
Authorised personnel
All contractors with access to ATO information in any format must satisfy our pre-engagement integrity checks. This includes:
- identity verification
- character assessment, including a police records check
- completion of an ATO Declaration of secrecy.
Pre-engagement integrity checks must be undertaken by the ATO. Contractors may be responsible for costs associated with these requirements. Our contract managers are responsible for ensuring integrity-checking requirements are completed before access commences.
Security clearances
Contractors and their authorised personnel who access systems that store, process or communicate ATO information will be required to obtain and maintain the appropriate government security clearance as per the Protective Security Policy Framework and Information security manual.
Security awareness and training
Contractors must ensure all personnel undertake ATO security awareness training prior to accessing ATO information or accessing systems that store ATO information. This can be obtained through the contract manager before accessing our information.
You and your authorised personnel must be made aware of the following:
- appropriate levels of access to systems, facilities, assets and electronic information
- ATO security classification and protective marking system
- close-of-business security procedures
- how to protect ICT workstations and devices from unauthorised access
- information management requirements, including storage, transmission and destruction of information
- privacy and secrecy obligations
- proper use of ATO IT systems, facilities and assets
- protocols to report security-related incidents
- requirements for ATO pre-engagement integrity check
- requirements for obtaining security clearance
- rules and regulations governing the secure operation and authorised use of systems, and the legitimate use of system accounts, software and information
- the 'need-to-know' principle
- the security of accounts, including shared passwords
- their responsibilities to notify changes in circumstance relating to service provision (for example, subcontracting out of services, relocation or renovation of premises, changes in key personnel, conflicts of interest).