ato logo
Search Suggestion:

How we use the data

Last updated 26 November 2020

We use the data in this program:

  • for discrepancy matching to help  
    • detect potentially unreported income
    • identify taxpayers operating a business but failing to meet their registration, lodgment, reporting or payment obligations
  • increase our understanding of the behaviours and compliance profiles of individuals and businesses that sell goods or services via online selling platforms
  • with other ATO-held data in analytical models to detect high risk activity
  • to identify possible compliance issues and develop and implement engagement and assurance strategies to increase voluntary compliance, which may include educational or compliance activities.

The data in this program will not be used directly to initiate automated compliance activity.

Our previous related programs

The ongoing collection of this data enables us to review and educate online sellers who may be transitioning from hobby status to being in business.

The data collection has promoted awareness in the community of our data-matching capabilities. Publishing the data-matching protocol generates media interest, which promotes awareness and education of the risk.

Where the online selling data reveals discrepancies between online sales and information declared in the sellers' tax returns, we will investigate further.

Online selling data is used to deliver compliance outcomes for income tax and GST from taxpayer audits, voluntary disclosures and lodgments.

Data providers

The ATO is the matching agency and the sole user of the data obtained in the course of this data-matching program.

We obtain data from the following providers:

  • eBay Australia and New Zealand Pty Ltd
  • Amazon Commercial Services Pty Ltd.

Eligibility as a data provider

We adopt a principles-based approach to ensure our selection of data providers is fair and transparent. Inclusion of a data provider is based on the following principles:

  • the data owner or its subsidiary operates a business in Australia that is governed by Australian law
  • the data owner provides an online marketplace for businesses and individuals to buy and sell goods and services
  • the data owner tracks the activity of registered sellers
  • the data owner has clients whose annual trading activity amount to  
    • $12,000 or more for the 2015–16 to 2022–23 financial years
    • $10,000 or more for the 2014–15 financial year
  • the data owner provided an online marketplace for the years in focus
  • where the client base of a data provider does not present a risk, or the administrative or financial cost of collecting the data exceeds the benefit the data may provide, the data owner may be excluded from the program.

The data providers for this program will be reviewed annually against the eligibility principles.

Our formal information gathering powers

We will obtain the data under our formal information gathering powers contained in section 353-10 of Schedule 1 to the Taxation Administration Act 1953.

This is a coercive power that obligates the data providers to provide the information requested. We will use the information for tax and superannuation engagement and assurance purposes.

Privacy Act

Data will only be used within the limits prescribed by Australian Privacy Principle 6 (APP6) contained in Schedule 1 of the Privacy Act, and in particular:

  • APP6.2(b) – the use of the information is required or authorised by an Australian law
  • APP6.2(e) – the ATO reasonably believes that the use of the information is reasonably necessary for our enforcement-related activities.

Keeping data safe

The data-matching program will be conducted on our secure systems that comply with the requirements of:

All ATO computer systems are strictly controlled according to Australian Government security standards for government ICT systems. Security features include:

  • system access controls and security groupings
  • log in identification codes and password protection
  • full audit trails of data files and system accesses.

We will use our secure web-based data transfer facility to obtain the data from source entities.

Data elements collected

Data will be collected from online marketplaces whose registrants sold goods or services with a total annual value of $12,000 or more in the applicable financial year.

We negotiate with the selected data providers individually to obtain data held within their systems. The collected data may contain all or a selection of the fields listed below.

Client identification details – individuals

  • Given and surname(s) (if more than one name on the account)
  • Date(s) of birth
  • Account holders' addresses (residential, postal, other)
  • Australian business number (if applicable)
  • Email address
  • Contact phone number(s)

Client identification details – non-individuals

  • Business name
  • Addresses (business, postal, registered, other)
  • Australian business number
  • Contact name
  • Email address
  • Contact phone number(s)

Account details

  • Account name
  • Account identification number
  • Account registration date
  • Account registration type
  • Store type
  • Seller status
  • IP Address
  • Seller's linked PayPal account
  • Number of annual sales transactions
  • Value of annual sales transactions
  • Number of monthly sales transactions
  • Value of monthly sales transactions

Number of records

We estimate the total number of account records obtained to be between 20,000 and 30,000 each financial year. We expect around half of the matched accounts will relate to individuals.

Data quality

We anticipate the data quality will be of a high standard. Online market providers have sophisticated computer systems. The data providers' systems facilitate processing of information about their members' transactions.

The data is sourced from providers' systems and may not be available in a format that can be readily processed by our systems. We apply extra levels of scrutiny and analytics to verify the quality of the data. This includes but is not limited to:

  • meeting with data providers to understand their data holdings, including their data use, data currency, formats, compatibility and natural systems
  • sampling data to ensure it is fit for purpose before fully engaging providers on task
  • verification practices at receipt of data to check against requested specifications we then use algorithms and other analytical methods to refine the data.

Data is transformed into a standardised format. It is validated to ensure it contains the required data elements prior to loading to our computer systems. We undertake program evaluations to measure effectiveness before determining whether to continue to collect future years of the data or to discontinue the program.

To assure data is fit for consumption and maintains integrity throughout the data-matching program, it is assessed against the 11 dimensions of the ATO data-quality framework.

ATO data quality framework




The degree to which data correctly represents the actual value


Whether all the expected data in a data set are present


Whether data values in a data set are consistent with values elsewhere in the data set or in another data set


How recent the time period covered by the data is


The level of detail of a data element


The level of access control and usage monitoring required


Reasonable data is within the bounds of common sense or the bounds expected within the specific operational context

Referential Integrity

Exists when all intended references within a data set, or with other data sets, are valid


How quickly the data is available for use form the time of collection


Whether there are duplicate files or duplicated records in the data set


Whether data values are presented in the correct format and fall within a predefined set of values

Data retention

The collection of data under this program includes all financial years from 2014–15 to 2022–23. The data collection occurs annually following the end of each financial year.

We work co-operatively with the data providers and aim to balance our requests against peaks and troughs of demand in a data provider's own business.

The collection of 2014–15 data was conducted in January 2016. The collection of the 2015–16, 2016–17 and 2017–18 data was collected between September and November following the end of each financial year.

The Privacy Commissioner granted the ATO an exemption from the usual 12-month period. We are able to retain the data for five years from receipt of all verified data files from the data providers. The exemption request was required to satisfy the National Archives of Australia's General Disposal Authority 24 (GDA24) – Records relating to data matching exercises. GDA24 has now been revoked.

We destroy data that is no longer required, in accordance with the Archives Act 1983, the records authorities issued by the National Archives of Australia, both general and ATO-specific.

We will retain each financial year’s data for five years from receipt of the final instalment of verified data files from the data providers. The data is required for this period for the protection of public revenue as:

  • retaining data for five years enables us to conduct long-term trend analysis in the constantly evolving online selling market to develop targeted assistance and education programs
  • the data enhances our ability to identify taxpayers who may not be complying with their tax and superannuation obligations, which is integral to the protecting the integrity of the tax and superannuation systems
  • it enables us to cross reference taxpayer records retrospectively
  • retaining data for five years supports our general compliance approach of reviewing an assessment within the standard period of review, which also aligns with the requirements for taxpayers to keep their records
  • the data is also used in multiple risk models, including models that establish retrospective profiles over multiple years aligned with period of review.

While increased data-retention periods may increase the risk to privacy, we have a range of safeguards to appropriately manage and minimise this. ATO systems and controls are designed to ensure the privacy and security of the data we manage.

Find out about: