How we use the data

The data collected under this program will enable us to undertake a range of activities to support correct reporting of crypto asset transactions. The data will be used to:

• identify and inform crypto consumers of their taxation obligations as part of information and education campaigns
• provide tailored messages in our online services that prompt taxpayers to check they are correctly meeting their reporting obligations when completing their tax returns
• compare to our records, as part of the methodologies by which we select taxpayers for compliance activities
• provide insights that support our regulatory approach, to reduce the impact of financial crime
• design ways to make it easier for our clients to interact with the system and get their affairs right.

We do not use data from digital service providers to initiate automated action or activities.

Our previous related programs

We are using the collected data to provide tailored advice and guidance to individuals on the tax implications of their crypto asset investment activities.

We prompt taxpayers through online messaging, to assess whether a capital gain or loss needs to be reported as they complete their tax return.

Where we identify clients who lodge returns without the appropriate income or capital gain (loss) reported, their return may be subject to audit and penalties applied.

The data helps us to:

• understand the level of risk crypto poses to the tax system
• measure the effectiveness of crypto treatment programs.

Early evidence from these programs indicate voluntary compliance is increasing among individuals who dispose of crypto assets.

Data providers

We are the matching agency and sole user of the data obtained during this data-matching program.

The data providers for this data-matching program include crypto designated service providers through which individuals and businesses can buy, sell or transfer crypto holdings.

The Submission to the Information Commissioner sets out the basis for deviating from the publication conditions of the guidelines and its impacts on individual privacy.

Find out more about:

• Eligibility as a data provider
• Our formal information gathering powers
• Privacy Act

Eligibility as a data provider

We adopt a principles-based approach to ensure that our selection of data providers is fair and transparent. Inclusion of a crypto asset designated service provider is based on the following principles:

• The data owner or its subsidiary operates a business in Australia that is governed by Australian law.
• The data owner provides a crypto asset designated service for individuals or businesses.
• The data owner provided these facilities for the years in focus.
• Where the client base of a data provider does not present a risk, or the administrative or financial cost of collecting the data exceeds the benefit the data may provide, the data owner may be excluded from the program.

Designated service providers operating in this sector will be reviewed annually against the eligibility principles for this program. If suitable, they will be included in the data-matching program.

Our formal information gathering powers

The data will be obtained under our formal information gathering powers contained in section 353-10 of Schedule 1 to the Taxation Administration Act 1953.

This is a coercive power that obligates the data providers to provide the information requested. We will use the information for tax and superannuation compliance purposes.

Privacy Act

Data will only be used within the limits prescribed by Australian Privacy Principle 6 (APP6) contained in Schedule 1 of the Privacy Act and in particular:

• APP6.2(b) – the use of the information is required or authorised by an Australian law
• APP6.2(e) – we reasonably believe that the use of the information is reasonably necessary for our enforcement-related activities.

Keeping data safe

The data-matching program will be conducted on our secure systems that comply with the requirements of:

• the Australian Government Information Security ManualExternal Link produced by the Australian Signals Directorate, which governs the security of government information and communication technology (ICT) systems
• the Australian Government Protective Security Policy FrameworkExternal Link, which provides guidance on security governance, personnel security, physical security and information security.

All ATO computer systems are strictly controlled according to Australian Government security standards for government ICT systems, with features including:

• system access controls and security groupings
• login identification codes and password protection
• full audit trails of data files and system accesses.

We will use our secure internet-based data transfer facility to obtain the data from source entities.

Data elements collected

Crypto asset data will be collected from crypto designated service providers

We negotiate with the selected data providers individually to obtain data held within their systems. The collected data may contain all or a selection of the fields listed below.

• Client identification details – individuals
• Client identification details – non-individuals
• Crypto transaction details

Client identification details – individuals

• Given and family name(s) (if more than one name on the account)
• Date(s) of birth
• Addresses (residential, postal, other)
• Australian business number (if applicable)
• Email address
• Contact phone numbers
• Social media account

Client identification details – non-individuals

• Business name
• Addresses (business, postal, registered, other)
• Australian business number
• Contact name
• Contact phone number
• Email address

Crypto transaction details

• Status of account (open, closed, suspended, lost, etc)
• Linked bank accounts
• Wallet address associated with the account
• Lost or stolen crypto amounts linked to accounts
• Unique identifier
• Transaction date
• Transaction time
• Type of (crypto)currency
• Amount (in fiat and crypto)
• Type of transfer
• Transfer description
• Total account balance

Number of records

The number of individuals affected by this data collection is expected to range between 400,000 and 600,000 individuals per year.

Data quality

We anticipate that the data quality will be of a high standard based on our prior crypto asset data matching.

The data is sourced from providers' systems and may not be available in a format that can be readily processed by our systems. We apply extra levels of scrutiny and analytics to verify the quality of the data. This includes but is not limited to:

• meeting with data providers to understand their data holdings, including their data use, data currency, formats, compatibility and natural systems
• sampling data to ensure it is fit for purpose before fully engaging providers on task
• verification practices at receipt of data to check against confirming documentation; we then use algorithms and other analytical methods to refine the data.

Data is transformed into a standardised format and validated to ensure that it contains the required data elements prior to loading to our computer systems. We undertake program evaluations to measure effectiveness before determining whether to continue to collect future years of the data or to discontinue the program.

To assure data is fit for consumption and maintains integrity throughout the data-matching program, it is assessed against the 11 elements of our data-quality framework:

• accuracy – the data correctly represents the actual value
• completeness – all expected data in a data set is present
• consistency – data values are consistent with values within the data set
• currency – how recent the time period is that the data set covers
• precision – the level of detail of a data element
• privacy – access control and usage monitoring
• reasonableness – reasonable data is within the bounds of common sense or specific operational context
• referential integrity – when all intended references within a data set are valid
• timeliness – how quickly the data is available for use from the time of collection
• uniqueness – if duplicated files or records are in the data set
• validity – data values are presented in the correct format and fall within predefined values

Data retention

The collection of data under this program includes all financial years from 2014–15 to 2022–23. The data collection will be annually between April and July each year.

Due to the number of data providers, we collect data periodically. We work co-operatively with the data providers and aim to balance our requests against peaks and troughs of demand in a data provider's own business.

The collection of 2014–15 to 2018–19 data under the original program was conducted between September 2018 and September 2019. The 2019–20 data was collected between April and July 2020.

In 2019, we were granted exemption by the Privacy Commissioner to retain the data for 7 years from the receipt of all verified data files from the data providers. The exemption request was required to satisfy the National Archives of Australia's General Disposal Authority 24 (GDA24) – Records relating to data matching exercises. GDA24 has now been revoked.

We destroy data that is no longer required, in accordance with the Archives Act 1983, the records authorities issued by the National Archives of Australia, both general and ATO-specific.

We will retain each financial year’s data for 7 years from receipt of the final instalment of verified data files from the data providers. We intend to undertake a review by the 7-year anniversary to determine whether the data is still required.

The data is required for this period for the protection of public revenue as:

• A retention period of 7 years will enable us to cross-reference taxpayer records retrospectively.
• We are responsible for the administration of the CGT regime. CGT legislation requires the establishment of a cost base to determine an individual’s taxation liability on disposal of crypto assets in certain circumstances.
• Individuals may retain crypto assets for many years, at times for their whole life, before disposing of it and potentially triggering a capital gains event.
• Individuals or businesses identified as not meeting their taxation obligations, including being partly or wholly outside the taxation system, may have been operating that way for multiple years.
• Retaining data for 7 years supports our general compliance approach of reviewing an assessment within the standard period of review, which also aligns with the requirements for taxpayers to keep their records.
• It would enable us to conduct long-term trend analysis and risk profiling of the crypto market.
• Destruction of the data would inhibit our ability to identify taxpayers who may be subject to administrative action and therefore result in loss of public revenue.

While increased data-retention periods may increase the risk to privacy, we have a range of safeguards to appropriately manage and minimise this. ATO systems and controls are designed to ensure the privacy and security of the data we manage.