How we use the data
Collected data will be used for analytics, education campaigns, and compliance actions. Insights will encourage voluntary compliance and inform risk treatment strategies.
Data analytics and insights
The data helps us to:
- identify non-resident businesses who are required to be registered for Australian GST
- confirm that GST is correctly reported on supplies
- understand the composition, demographics, and geographical location of the offshore population making supplies to Australian consumers
- encourage willing compliance with Australian GST obligations
- promote fairness in the tax administration of Australian GST by establishing and maintaining a level playing field between domestic and offshore businesses making supplies to Australian consumers
- improve our understanding of the non-resident business population with Australian GST obligations
- tailor our risk treatment strategies.
Previous related programs
Data will be sourced from the 4 largest Australian banks leveraging from a pilot undertaken in 2024.
This pilot demonstrated that obtaining third party bank data of aggregate transaction amounts paid to non-resident merchants by Australian consumers could improve our understanding of the offshore business population that makes supplies of digital products and services and low value goods to Australian consumers.
Data providers
We are the matching agency and, in most cases the sole user of the data obtained during this data-matching program.
We may obtain data from the top 4 largest Australian banks:
- Australian and New Zealand Banking Group Limited
- Commonwealth Bank of Australia
- National Australia Bank
- Westpac Banking Corporation.
Eligibility as a data provider
We adopt a principles-based approach to ensure that our selection of data providers is fair and transparent.
Inclusion of a data provider is based on the following principles:
- The data owner or its subsidiary operates a business in Australia that is governed by Australian law.
- The data owner provides banking services to Australian consumers.
- The data owner provided banking services for the years in focus.
If the client base of a data provider doesn't present a risk, or the administrative or financial cost of collecting the data exceeds the benefit the data may provide, the data owner may be excluded from the program.
The data providers for this program will be reviewed annually against the eligibility principles.
Our formal information gathering powers
To ensure statutory requirements are met, we obtain data under our formal information gathering powers. These are contained in section 353-10 of Schedule 1 to the Taxation Administration Act 1953.
This is a coercive power, and data providers are obligated to provide the information requested.
We will use the data for tax and super compliance purposes.
Privacy Act
Data will only be used within the limits prescribed by Australian Privacy Principle 6 (APP6) contained in Schedule 1 of the Privacy Act and in particular:
- APP6.2(b) – the use of the information is required or authorised by an Australian law
- APP6.2(e) – the ATO reasonably believes that the use of the information is reasonably necessary for our enforcement-related activities.
Data elements we collect
We expect the data quality to be high, as it is sourced directly from Australian financial institutions using their natural banking systems. The transaction data is anonymised and captures only aggregated debit and credit card payments made by Australian consumers to offshore businesses.
During the pilot program, the banks successfully collated and aggregated the data to meet our specifications, demonstrating both reliability and responsiveness.
Client identification details – non-individuals
Client identification data elements for non-individuals that we collect include:
- the name of the offshore entity or other descriptors of the offshore entity and the merchant country
- merchant city
- merchant acquirer code
- merchant category code
- contact details
- mailing addresses
- phone numbers
- email addresses.
Offshore merchant transaction details
Offshore merchant transaction data elements that we collect include:
- the total aggregated value of the transactions in Australian dollars for each offshore entity for the requested period
- the count of transactions for each offshore entity
- all currencies used other than AUD.
Number of records
We expect to collect data on approximately 9,000 offshore merchants each financial year for this program.
Data retention
We collect data under this program for all financial years from 2024–25 to 2026–27. We collect this data annually following the end of each financial year.
Due to the number of data providers, we collect data periodically. We work with the data providers and aim to balance our requests against peaks and troughs of demand in a data provider's own business.
We will retain each financial year’s data for 5 years from receipt of the final instalment of verified data files from all data providers. We may extend the timeframe for retention of offshore merchant data, which will be reviewed on a rolling basis at intervals of no longer than 5 years. Each review will determine whether an extension of the data retention period is required.
The data is required for this period for the protection of public revenue:
- retaining data for 5 years enables us to ensure that we register businesses from the correct date (first 12-month period where sales exceed $75,000AUD). As per the legislation, the Commissioner can backdate the registration for 4 years due to the 4-year period of review
- the data enhances our ability to identify taxpayers who may not be complying with their tax and super obligations, which is integral to protecting the integrity of the tax and superannuation systems
- retaining data for 5 years supports our general compliance approach of reviewing an assessment within the standard period of review and aligns with the requirements for taxpayers to keep their records
- the data is also used in multiple risk models, including models that establish retrospective profiles over multiple years aligned with period of review.
While increased data retention periods may increase the risk to privacy, we have a range of safeguards to manage and minimise this. Our systems and controls are designed to ensure the privacy and security of the data we manage.