Australian Government - Office of the Australian Information Commissioner

Privacy agency resource 5: The Privacy (Tax File Number) Rule 2015 and the protection of tax file number information

August 2015

This resource sets out a number of steps agencies should consider taking to protect the privacy of Tax File Number (TFN) information and to ensure they comply with the binding Privacy (Tax File Number) Rule 2015 (TFN Rule), issued under s 17 of the Privacy Act 1988 (Privacy Act).

1. What is a TFN recipient?

Under the TFN Rule, 'TFN recipient' has the same meaning as 'file number recipient' in s 11 of the Privacy Act and covers any person, agency or organisation or other entity that is (whether lawfully or unlawfully) in possession or control of a record that contains TFN information. A TFN recipient includes:

  • the Commissioner of Taxation (ie the ATO)
  • the following government assistance agencies:
    • the Department of Human Services (DHS) (which administers the Centrelink, Child Support and Medicare Programs)
    • the Department of Social Services (DSS)
    • the Department of Education and Training (DET)
    • the Department of Veterans' Affairs (DVA)
  • an authorised recipient, ie lawful TFN recipients who are authorised by taxation, personal assistance or superannuation law to receive TFNs, such as:
    • employers
    • employers in their capacity as employee share scheme (ESS) providers
    • higher education providers (such as universities)
    • investment bodies
  • an approved recipient, ie lawful TFN recipients who are engaged by authorised recipients to provide services where it is reasonably necessary to have access to TFN information, or who have obtained an individual's consent to access their TFN to help manage that individual's taxation, superannuation or personal assistance affairs. This can include the following:
    • solicitors
    • tax agents
    • accountants
    • share registries and agents of ESS providers
  • the trustee of a superannuation fund. Trustees, other than those of a superannuation fund, are also able to collect and use TFNs where this is authorised by taxation law.

2. What is TFN information and what does the TFN Rule protect?

The TFN Rule protects the TFN information of individuals only. The TFN Rule is not intended to protect TFN information relating to other entities, such as corporate entities, partnerships, superannuation funds and trusts.

Where TFNs are assigned to individuals, TFN information is information that connects a TFN with the identity of a particular individual (for example, a database record that links a person's name and date of birth with the person's TFN).

Under the TFN Rule, a TFN recipient must not record, collect, use or disclose TFN information unless this is permitted under taxation, personal assistance or superannuation law.

In addition to the TFN Rule, TFN recipients must also abide by the Taxation Administration Act 1953 (TAA). However, the TAA protects all TFNs, including of individuals and other entities. Sections 8WA and 8WB of the TAA create offences for unauthorised requirements or requests that a person's TFN be quoted, and the unauthorised recording, maintaining a record of, use or disclosure of an individual's TFN respectively, unless an exception applies.

3. Why is it important to protect the privacy of TFNs?

It is important to protect the privacy of TFNs because they are unique identifiers which are issued to individuals for life.

Some of the privacy concerns associated with TFNs include:

  • they could potentially be used by all TFN recipients as part of a national identification system
  • they could be used to match or link records of personal information held by many TFN recipients, which could:
    • enable a TFN recipient to look up detailed information about a person just by knowing their TFN
    • increase the risk of serious breaches of personal privacy if data is lost or misused
    • increase the risk of identity theft.

4. Can anyone ask for and receive an individual's TFN?

No.

There are very strict rules about who is lawfully allowed to ask for and receive TFNs. The TFN Rule only allows certain people, agencies, organisations and other entities that are authorised by taxation, personal assistance or superannuation law to ask for and receive TFN information — they are known as authorised or lawful TFN recipients.

It is generally a criminal offence under the TAA and a breach of the TFN Rule for anyone else to request an individual's TFN.

The ATO and the Australian Prudential Regulation Authority (APRA) are required under the TFN Rule to maintain a list of the classes of people, agencies, organisations and other entities allowed to ask for and receive TFNs, what they will do with them and who they can give them to. This list is known as the Classes of lawful tax file number recipients document. More information regarding whether an agency is an authorised or lawful TFN recipient is available from the ATO.

5. Do individuals need to provide their TFN to an authorised TFN recipient?

No.

There is no law in Australia that says individuals must give an authorised TFN recipient their TFN if they are asked for it.

This forms the basis of what is known as the 'voluntary quotation principle', which recognises that taxation, personal assistance, or superannuation laws do not make the quotation of a TFN a requirement. However, the financial consequences of not quoting a TFN can be significant. For example, under personal assistance law, the quotation of a TFN is a condition for the receipt of personal assistance payments.

6. What happens when an authorised TFN recipient collects an individual's TFN?

If an agency is authorised to request an individual's TFN they:

  • must tell the individual the name of the law (or laws) that authorises them to collect the TFN, the purpose for which the TFN is collected, that it is not an offence to refuse to provide a TFN and the consequences of refusing to provide a TFN
  • must take reasonable steps to ensure that the manner of collection does not unreasonably intrude on the individual's affairs
  • must take reasonable steps to ensure that they only request or collect information that is necessary and relevant to the purpose of collection under applicable taxation law, personal assistance law or superannuation law.

The obligations on an agency relating to the collection of TFNs under the TFN Rule are in addition to its responsibilities under the Australian Privacy Principles and other legislation, for example taxation laws, superannuation laws, personal assistance laws, secrecy laws and the Data-matching Program (Assistance and Tax) Act 1990 (Data-matching Act).

An agency authorised to request an individual's TFN can keep the description of the purposes for collection reasonably general as long as the description is adequate to ensure that the individual is aware of what the law authorises the TFN recipient to do with the TFN.

Example:

  • Mary works for an agency which is authorised to collect an individual's TFN under a personal assistance law. Mary's responsibilities include collecting clients' TFNs so that her agency may make personal assistance payments to those individuals. She usually collects a client's name, postal address and TFN.
    Under the TFN Rule, Mary may collect clients' TFNs if she gives them a form which explains that she is authorised to collect this information under the particular personal assistance law, that she is collecting this information so that her agency can make personal assistance payments to the individual, that it is not an offence to refuse to provide this information, but that an individual may not receive personal assistance payments if they decide not to provide this information.
    She may also request the individual's name and address to ensure that she can record the TFN against the correct record.

7. How does the TFN Rule interact with other privacy obligations?

The obligations on an agency relating to the handling of TFNs under the TFN Rule are in addition to responsibilities under other laws, including:

  • the Australian Privacy Principles (for example, when requesting an individual's TFN, agencies and organisations also need to consider the notice obligations under Australian Privacy Principle 5)
  • the TAA, including offences for the unauthorised use, disclosure, collection, or requests for TFNs
  • Part VA of the Income Tax Assessment Act 1936, which contains provisions related to the handling of TFNs
  • Part 25A of the Superannuation Industry (Supervision) Act 1993 (SIS Act) and Part 11 of the Retirement Savings Accounts Act 1997 (RSA Act), which provide for the collection of TFNs by the trustees of superannuation funds and retirement savings account providers
  • the Data-matching Act, which provides for, and regulates, the matching of records between the ATO and the assistance agencies (ie DHS, DSS, DET and DVA) that use the TFN in a data-matching process.

8. What should TFN recipients do if a person provides information which includes a TFN?

Under the TFN Rule, a TFN recipient must not record, collect, use or disclose a TFN unless this is permitted under taxation, personal assistance or superannuation law.

If an individual provides information to a TFN recipient for a purpose not connected with the operation of a taxation, personal assistance or superannuation law and that information incidentally contains a TFN, the individual providing the information may remove the TFN.

If the individual does not remove the TFN, the TFN recipient must not use or disclose the TFN or record the TFN in a way that is inconsistent with the TAA or the TFN Rule.

Unauthorised use or disclosure of TFNs can be an offence under the TAA, as well as constituting a breach of the TFN Rule. Specifically, sections 8WA and 8WB of the TAA create offences for unauthorised requirements or requests that a person's TFN be quoted, and the unauthorised recording, maintaining a record of, use or disclosure of an individual's TFN respectively, unless an exception applies.

Example:

  • An agency may receive and scan inbound correspondence that incidentally contains TFN information. This would likely occur prior to the correspondence being identified as containing an individual's TFN information. The TFN information would then be 'recorded' even if there is no intention by the agency to retain this information. Where an individual provides TFN information incidentally in this way, the agency needs to undertake its own risk assessment to determine whether it is handling the TFN information lawfully.
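As an added illustration (not part of the OAIC resource), the following Python scans the text of scanned inbound correspondence for candidate TFNs, confirms each one with the publicly documented TFN check-digit weighting so that other nine-digit numbers such as reference numbers are not flagged, and redacts the confirmed TFNs before the scan is filed. The sample letter is constructed; eight-digit legacy TFNs are assumed not to occur and are not handled.

```python
import re

# Check-digit weights for nine-digit TFNs (the publicly documented ATO
# algorithm): the weighted digit sum must be divisible by 11.
_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Candidate: nine digits, optionally grouped 3-3-3 with spaces or hyphens.
# The look-arounds stop the pattern matching inside longer digit runs
# (phone numbers, account numbers).
_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")


def is_valid_tfn(digits: str) -> bool:
    """True if the nine digits satisfy the TFN check-digit rule."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits, _WEIGHTS))
    return total % 11 == 0


def find_tfns(text: str) -> list[str]:
    """Return TFN-format strings in text that pass the check digit, in order."""
    found = []
    for m in _CANDIDATE.finditer(text):
        if is_valid_tfn("".join(m.groups())):
            found.append(m.group(0))
    return found


def redact_tfns(text: str, marker: str = "[TFN REDACTED]") -> tuple[str, int]:
    """Replace every check-digit-valid TFN in text; return (redacted text, count).

    Candidates that fail the check digit are left untouched so that ordinary
    reference numbers in the correspondence are not destroyed.
    """
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        if is_valid_tfn("".join(m.groups())):
            count += 1
            return marker
        return m.group(0)

    return _CANDIDATE.sub(_sub, text), count


# Constructed sample: OCR text of a letter that incidentally quotes a TFN.
# 123 456 782 passes the check digit; 123456789 does not.
SAMPLE_LETTER = (
    "Dear Sir/Madam,\n"
    "Please update my postal address. My TFN is 123 456 782 in case you need it.\n"
    "Customer reference 123456789, phone 0412 345 678.\n"
)

if __name__ == "__main__":
    clean, n = redact_tfns(SAMPLE_LETTER)
    print(f"{n} TFN(s) found and redacted")
    print(clean)
```

Running the redaction before the scanned image and its OCR text are written to the records system keeps the incidental TFN from being recorded at all; the count returned gives the figures an agency needs for the risk assessment described above.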

9. When can an agency lawfully use or disclose an individual's TFN?

Under the TFN Rule, an individual's TFN information can only be used or disclosed for the purpose of facilitating the effective administration of taxation law, certain aspects of personal assistance and superannuation law and to assist with the identification of individuals for other purposes.

For example, the ATO and other lawful TFN recipients may use a TFN to identify an individual when they:

  • lodge a tax return
  • apply for income assistance or support payments, such as pensions or benefits from DHS (which administers the Centrelink, Child Support and Medicare Programs) or DVA
  • start a new job or change jobs
  • have savings accounts or investments that earn income, for example, interest or dividends
  • receive a payment under the Higher Education Loan Program
  • join a superannuation fund.

TFNs may not be used:

  • by a financial institution to confirm an individual's identity
  • as part of a national identification system (unless this is authorised by taxation, personal assistance or superannuation law)
  • to match personal information about an individual unless it is authorised by taxation, personal assistance or superannuation law or by the Data-matching Act.

The Commissioner of Taxation and APRA identify the types of entities who may request TFNs under taxation and superannuation law. The main way they make this information available is by maintaining a list of those people, agencies, organisations and other entities allowed to ask for and receive TFNs, what they will do with it and who they can disclose it to. This list is known as the Classes of lawful tax file number recipients document, and it is published on the OAIC website.

Examples of lawful TFN recipients include:

  • the ATO
  • DHS, which has authority to request a TFN from recipients of personal assistance payments such as pensions, benefits and allowances
  • an employer
  • banks and other financial institutions
  • superannuation funds
  • higher education providers
  • tax agents, accountants and solicitors.

The TFN Rule also explicitly authorises a TFN recipient to use and disclose TFN information for the purpose of giving an individual any TFN information that the recipient holds about that individual.

10. How can an agency protect the security of TFNs?

Under the TFN Rule, TFN recipients must take reasonable steps to safeguard TFN information from loss, unauthorised access, use, modification, disclosure or other misuse, whether the information is stored in physical or electronic form. This means that appropriate security measures for protecting TFN information need to be considered in relation to all of your agency’s acts and practices.

TFN recipients must restrict access to records containing TFN information to staff who need to handle this information under taxation, personal assistance or superannuation law.

Australian Government agencies that are TFN recipients will also need to comply with other relevant laws, government policies and standards regarding the security of information. Furthermore, agencies are subject to the Australian Privacy Principles and will need to consider their obligations under APP 11 — Security of personal information.

The OAIC’s Guide to securing personal information provides guidance on steps and strategies that you should consider taking to secure personal information. Examples from the guide include:

  • Governance, culture and training — to foster a privacy and security aware culture among your staff — such as:
    • privacy and personal information security steps and strategies being driven by your senior executives
    • clear procedures for oversight, accountability and lines of authority for decisions related to personal information security
    • providing staff with training on physical and ICT security and the handling of personal information, including TFN information.
  • Access security — to ensure that TFNs are only accessed by authorised persons — such as:
    • limiting access to TFN information to those staff who need to handle it to enable your agency to carry out its functions and activities
    • using audit logs and audit trails and monitoring access by both internal and external persons
    • enforcing password or passphrase complexity, for example by requiring a mix of uppercase characters, lowercase characters, punctuation, symbols and/or numbers.
  • ICT security — to protect both your hardware and software from misuse, interference, loss, unauthorised access, modification and disclosure — such as:
    • software testing to ensure that there are no flaws which can result in privacy breaches
    • ensuring the latest versions of software and applications are in use
    • employing and maintaining an intrusion prevention and detection system and regularly analysing event logs
    • developing procedures to manage the transmission of TFNs via email, as email is not a secure form of communication.
  • Physical security — to ensure that TFN information is not inappropriately accessed — such as:
    • having work areas with access to TFN information being physically segregated from other areas of business
    • considering privacy and security when designing the workspace
    • making provisions for securing physical files containing TFN information.

What qualifies as reasonable steps to ensure the security of TFN information depends on the circumstances of the TFN recipient.

11. What is involved in securely destroying and de-identifying TFN information?

Under the TFN Rule, TFN recipients must take reasonable steps to securely destroy or permanently de-identify TFN information when they are no longer required by law to retain the information or the TFN information is not necessary for a purpose under taxation, personal assistance or superannuation law (including the administration of such law). If the TFN information is contained in a Commonwealth record, the agency is not required to destroy or de-identify that information under the TFN Rule. The agency will instead need to comply with the provisions of the Archives Act 1983 in relation to those records.

Agencies are also subject to the Australian Privacy Principles and will need to consider their obligations under APP 11 – Security of personal information.

The OAIC’s Guide to securing personal information contains guidance on securely destroying and de-identifying personal information. The following information is extracted from the guide.

Personal information, including TFN information, is destroyed when it can no longer be retrieved. The steps that are reasonable for an agency to take to destroy TFN information will depend on whether the TFN information is held in hard copy or electronic form. Where TFN information is contained in hard copy records that are to be disposed of through garbage or recycling collection, the records should first be destroyed through a process such as pulping, burning, pulverising, disintegrating or shredding.

Hardware containing TFN information in electronic form should be properly ‘sanitised’ to completely remove the stored TFN information. Where it is not possible for an agency to irretrievably destroy TFN information held in electronic form, reasonable steps to destroy it would include putting the TFN information ‘beyond use’. This may be appropriate, for example, where technical reasons make it impossible to irretrievably destroy the TFN information without also irretrievably destroying other information held with it.

What qualifies as reasonable steps to securely destroy or permanently de-identify TFN information depends on the circumstances of the TFN recipient.

12. How can an agency make staff aware of their obligations under the TFN Rule?

Appropriate staff awareness activities may include:

  • conducting regular staff training sessions
  • reminding staff who regularly handle TFN information of their obligations under the TFN Rule and the TAA during staff meetings, by email or in a staff bulletin
  • requiring staff to review the TFN Rule, the Classes of lawful tax file number recipients document and this resource.

13. How do the ATO, APRA and assistance agencies make information about their TFN handling practices publicly available?

Under the TFN Rule, the ATO, APRA and assistance agencies need to issue publicly available information about:

  • the purposes for which TFNs may be requested
  • when TFN information may not be collected, recorded, used or disclosed
  • penalties applying to unauthorised handling of TFNs
  • where to find further detail about these matters.

The ATO and APRA may use their websites and other publications to make this information available.

Also, APRA has issued legally binding legislative instruments which approve the manner of quoting, requesting, and transferring TFNs for the purposes of Part 25A of the SIS Act and various sections of the RSA Act.

Resources

The information provided in this resource is of a general nature. It is not a substitute for legal advice.