Australian Government - Office of the Australian Information Commissioner

Privacy business resource 12: The Privacy (Tax File Number) Rule 2015 and the protection of tax file number information

August 2015

This resource provides a number of steps organisations and other TFN recipients should consider taking to protect the privacy of Tax File Number (TFN) information, and ensure they comply with the binding Privacy (Tax File Number) Rule 2015 (TFN Rule) issued under s 17 of the Privacy Act 1988 (Privacy Act).

Questions 14 to 18 are for investment bodies only.

1. What is a TFN recipient?

Under the TFN Rule, 'TFN recipient' has the same meaning as 'file number recipient' in s 11 of the Privacy Act and covers any person, agency, organisation or other entity that is (whether lawfully or unlawfully) in possession or control of a record that contains TFN information.

A TFN recipient includes:

  • the Commissioner of Taxation (ie the ATO)
  • the following government assistance agencies:
    • the Department of Human Services (DHS) (which administers the Centrelink, Child Support and Medicare Programs)
    • the Department of Social Services
    • the Department of Education and Training
    • the Department of Veterans' Affairs
  • an authorised recipient, ie lawful TFN recipients who are authorised by taxation, personal assistance or superannuation law to receive TFNs, such as:
    • employers
    • employers in their capacity as employee share scheme (ESS) providers
    • higher education providers (such as universities)
    • investment bodies
  • an approved recipient, ie lawful TFN recipients who are engaged by authorised recipients to provide services where it is reasonably necessary to have access to TFN information or who have obtained an individual's consent to access their TFN to help manage that individual's taxation, superannuation or personal assistance affairs. This can include the following:
    • solicitors
    • tax agents
    • accountants
    • share registries and agents of ESS providers
  • the trustee of a superannuation fund. Trustees other than those of a superannuation fund are also able to collect and use TFNs where this is authorised by taxation law.

2. What is TFN information and what does the TFN Rule protect?

The TFN Rule protects the TFN information of individuals only. The TFN Rule is not intended to protect TFN information relating to other entities, such as corporate entities, partnerships, superannuation funds and trusts.

Where TFNs are assigned to individuals, TFN information is information that connects a TFN with the identity of a particular individual (for example, a database record that links a person's name and date of birth with the person's TFN).

Under the TFN Rule, a TFN recipient must not record, collect, use or disclose TFN information unless this is permitted under taxation, personal assistance or superannuation law.

In addition to the TFN Rule, TFN recipients must also abide by the Taxation Administration Act 1953 (TAA). However, the TAA protects all TFNs, including of individuals and other entities. Sections 8WA and 8WB of the TAA create offences for unauthorised requirements or requests that a person's TFN be quoted, and the unauthorised recording, maintaining a record of, use or disclosure of an individual's TFN respectively, unless an exception applies.

3. Why is it important to protect the privacy of TFNs?

It is important to protect the privacy of TFNs because they are unique identifiers which are issued to individuals for life.
Some of the privacy concerns associated with TFNs include:

  • they could potentially be used by all TFN recipients as part of a national identification system
  • they could be used to match or link records of personal information held by many different TFN recipients, which could:
    • enable a TFN recipient to look up detailed information about a person just by knowing their TFN
    • increase the risk of serious breaches of personal privacy if data is lost or misused
    • increase the risk of identity theft.

4. Can anyone ask for and receive an individual's TFN?

No.

There are very strict rules about who is lawfully allowed to ask for and receive TFNs. The TFN Rule only allows certain people, agencies, organisations and other entities that are authorised by taxation, personal assistance or superannuation law to ask for and receive TFN information — they are known as authorised or lawful TFN recipients.

It is generally a criminal offence under the TAA and a breach of the TFN Rule for anyone else to request an individual's TFN.

The ATO and the Australian Prudential Regulation Authority (APRA) are required under the TFN Rule to maintain a list of the classes of people, agencies, organisations and other entities allowed to ask for and receive TFNs, what they will do with them and who they can give them to. This list is known as the Classes of lawful tax file number recipients document. More information regarding whether an individual or entity is an authorised or lawful TFN recipient is available from the ATO.

5. Do individuals need to provide their TFN to an authorised TFN recipient?

No.

There is no law in Australia that says individuals must give an authorised TFN recipient their TFN if they are asked for it.
This forms the basis of what is known as the 'voluntary quotation principle', which recognises that taxation, personal assistance, or superannuation laws do not make the quotation of a TFN a requirement. However, the financial consequences of not quoting a TFN can be significant. For example, under personal assistance law, the quotation of a TFN is a condition for the receipt of personal assistance payments.

6. What happens when an authorised TFN recipient collects an individual's TFN?

When an authorised TFN recipient requests an individual's TFN they:

  • must tell the individual the name of the law (or laws) that authorises them to collect the TFN, the purpose for which the TFN is collected, that it is not an offence to refuse to provide a TFN and the consequences of refusing to provide a TFN
  • must take reasonable steps to ensure that the manner of collection does not unreasonably intrude on the individual's affairs
  • must take reasonable steps to ensure that they only request or collect information that is necessary and relevant to the purpose of collection under applicable taxation law, personal assistance law or superannuation law.

The obligations on a TFN recipient relating to the collection of TFNs under the TFN Rule are in addition to responsibilities under the Australian Privacy Principles and other legislation e.g. taxation laws, superannuation laws, personal assistance laws and secrecy laws.
An authorised TFN recipient that requests an individual's TFN can keep the description of the purposes for collection reasonably general as long as the description is adequate to ensure that the individual is aware of what the law authorises the TFN recipient to do with the TFN.

7. How does the TFN Rule interact with other privacy obligations?

The obligations on a TFN recipient relating to the handling of TFNs under the TFN Rule are in addition to responsibilities under other laws, including:

  • the Australian Privacy Principles (for example, when requesting an individual's TFN, agencies and organisations also need to consider the notice obligations under Australian Privacy Principle 5)
  • the TAA, including offences for the unauthorised use, disclosure, collection, or requests for TFNs
  • Part VA of the Income Tax Assessment Act 1936, which contains provisions related to the handling of TFNs
  • Part 25A of the Superannuation Industry (Supervision) Act 1993 (SIS Act) and Part 11 of the Retirement Savings Accounts Act 1997 (RSA Act), which provide for the collection of TFNs by the trustees of superannuation funds and retirement savings account providers.

8. What should TFN recipients do if a person provides information which includes a TFN?

Under the TFN Rule, a TFN recipient must not record, collect, use or disclose a TFN unless this is permitted under taxation, personal assistance or superannuation law.

If an individual provides information to a TFN recipient for a purpose not connected with the operation of a taxation, personal assistance or superannuation law and that information incidentally contains a TFN, the individual providing the information may remove the TFN.

If the individual does not remove the TFN, the TFN recipient must not use or disclose the TFN or record the TFN in a way that is inconsistent with the TAA or the TFN Rule.

Unauthorised use or disclosure of TFNs can be an offence under the TAA, as well as constituting a breach of the TFN Rule. Specifically, sections 8WA and 8WB of the TAA create offences for unauthorised requirements or requests that a person's TFN be quoted, and the unauthorised recording, maintaining a record of, use or disclosure of an individual's TFN respectively, unless an exception applies.

Example:

  • An organisation may receive and scan inbound correspondence that incidentally contains TFN information. This would likely occur prior to the correspondence being identified as containing an individual's TFN information. The TFN information would then be 'recorded' even if there is no intention by the organisation to retain this information. Where an individual provides TFN information incidentally in this way, the organisation needs to undertake its own risk assessment to determine whether it is handling the TFN information lawfully.

9. When can a TFN recipient lawfully use or disclose an individual’s TFN?

Under the TFN Rule, an individual's TFN information can only be used or disclosed for the purpose of facilitating the effective administration of taxation law, certain aspects of personal assistance and superannuation law and to assist with the identification of individuals for other purposes.

For example, the ATO and other lawful TFN recipients may use a TFN to identify an individual when they:

  • lodge a tax return
  • apply for income assistance or support payments, such as pensions or benefits from DHS (which administers the Centrelink, Child Support and Medicare Programs) or the Department of Veterans' Affairs
  • start a new job or change jobs
  • have savings accounts or investments that earn income, for example, interest or dividends
  • receive a payment under the Higher Education Loan Program
  • join a superannuation fund.

TFNs may not be used:

  • by a financial institution to confirm an individual's identity
  • as part of a national identification system (unless this is authorised by taxation, personal assistance or superannuation law)
  • to match personal information about an individual unless it is authorised by taxation, personal assistance or superannuation law or by the Data-matching Program (Assistance and Tax) Act 1990.

The Commissioner of Taxation and APRA identify the types of entities who may request TFNs under taxation and superannuation law. The main way they make this information available is by maintaining a list of those people, agencies, organisations and other entities allowed to ask for and receive TFNs, what they will do with it and who they can disclose it to. This list is known as the Classes of lawful tax file number recipients document, and it is published on the OAIC website.

Examples of lawful TFN recipients include:

  • the ATO
  • DHS, which has authority to request a TFN from recipients of personal assistance payments such as pensions, benefits and allowances
  • an employer
  • banks and other financial institutions
  • superannuation funds
  • higher education providers
  • tax agents, accountants and solicitors.

The TFN Rule also explicitly authorises the use and disclosure of TFN information by a TFN recipient for the purpose of giving an individual any TFN information that they hold about an individual.

10. How can a TFN recipient protect the security of TFNs?

Under the TFN Rule, TFN recipients must take reasonable steps to safeguard TFN information from loss, unauthorised access, use, modification, disclosure or other misuse, whether the information is stored in physical or electronic form. This means that appropriate security measures for protecting TFN information need to be considered in regards to a TFN recipient’s acts and practices.

TFN recipients must restrict access to records containing TFN information to staff who need to handle this information under taxation, personal assistance or superannuation law.

Organisations that are subject to the Australian Privacy Principles will also need to consider their obligations under APP 11 — Security of personal information.

The OAIC’s Guide to securing personal information provides guidance on steps and strategies that you should consider taking to secure personal information. Examples from the guide include:

  • Governance, culture and training — to foster a privacy and security aware culture among your staff — such as:
    • privacy and personal information security steps and strategies being driven by your senior executives
    • clear procedures for oversight, accountability and lines of authority for decisions related to personal information security
    • providing staff with training on physical and ICT security and the handling of personal information, including TFN information.
  • Access security — to ensure that TFNs are only accessed by authorised persons — such as:
    • limiting access to TFN information to those staff who need to handle it to enable the TFN recipient to carry out its functions and activities
    • using audit logs and audit trails and monitoring access by both internal and external persons
    • enforcing password or passphrase complexity. For example, including uppercase characters, lowercase characters, punctuation, symbols, and/or numbers.
  • ICT security — to protect both your hardware and software from misuse, interference, loss, unauthorised access, modification and disclosure — such as:
    • software testing to ensure that there are no flaws which can result in privacy breaches
    • ensuring the latest versions of software and applications are in use
    • employing and maintaining an intrusion prevention and detection system and regularly analysing event logs
    • developing procedures to manage the transmission of TFNs via email, as email is not a secure form of communication.
  • Physical security — to ensure that TFN information is not inappropriately accessed — such as:
    • having work areas with access to TFN information being physically segregated from other areas of business
    • considering privacy and security when designing the workspace
    • making provisions for securing physical files containing TFN information.

What qualifies as reasonable steps to ensure the security of TFN information depends on the circumstances of the TFN recipient.
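As an added illustration of the 'incidental TFN' scenario in question 8 and of the access-restriction and audit-log steps listed above (example code, not OAIC's or the TFN Rule's own material): a triage filter for scanned inbound correspondence that recognises candidate TFNs using the published ATO check-digit weights, redacts them before the document is recorded unless the reader's role is one assumed to handle TFNs under taxation or superannuation law, and writes every sighting to an audit log. The role list, document ids and the letter text are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Published ATO check-digit weights for a 9-digit TFN: the weighted sum of the
# digits must be divisible by 11. Used here only to recognise candidate TFNs.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Nine digits, optionally grouped 3-3-3 by a space or hyphen, and not part of a
# longer digit run (so phone numbers and 12-digit account numbers are skipped).
TFN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")

# Constructed sample of scanned inbound correspondence (not real data).
SAMPLE_LETTER = (
    "Dear Payroll, my tax file number is 876 543 210.\n"
    "Please call 0412 345 678 or quote reference 111 111 111.\n"
    "My partner's TFN is 123456782 and our account is 123456789012.\n"
)

# Assumed policy: only these roles handle TFNs under taxation or superannuation
# law and may see a TFN-bearing record in the clear.
TFN_HANDLING_ROLES = frozenset({"payroll", "superannuation"})


def is_valid_tfn(digits: str) -> bool:
    """True if a 9-digit string passes the TFN check-digit test."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def find_tfns(text: str) -> list:
    """Candidate groups in text that pass the check-digit test, as written."""
    return [m.group(0) for m in TFN_CANDIDATE.finditer(text)
            if is_valid_tfn("".join(m.groups()))]


def redact_tfns(text: str) -> tuple:
    """Replace every validated TFN with a marker; return (new_text, count)."""
    count = 0

    def repl(m):
        nonlocal count
        if is_valid_tfn("".join(m.groups())):
            count += 1
            return "[TFN REDACTED]"
        return m.group(0)  # a 9-digit run that fails the check digit is left alone

    return TFN_CANDIDATE.sub(repl, text), count


@dataclass
class TfnAccessLog:
    """Append-only audit trail of who handled a TFN-bearing record and how."""
    entries: list = field(default_factory=list)

    def record(self, user: str, role: str, doc_id: str, action: str) -> dict:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                 "role": role, "doc": doc_id, "action": action}
        self.entries.append(entry)
        return entry


def triage_inbound(doc_id: str, text: str, user: str, role: str,
                   log: TfnAccessLog) -> dict:
    """Decide what is stored for a scanned document.

    Staff in a TFN-handling role keep the text as received; everyone else gets a
    copy with the TFNs removed before it is recorded. Every sighting is logged so
    later access review can show who saw TFN information and why.
    """
    tfns = find_tfns(text)
    if not tfns:
        return {"doc": doc_id, "text": text, "redacted": 0, "retained": 0}
    if role in TFN_HANDLING_ROLES:
        log.record(user, role, doc_id, f"retained {len(tfns)} TFN(s)")
        return {"doc": doc_id, "text": text, "redacted": 0, "retained": len(tfns)}
    redacted_text, n = redact_tfns(text)
    log.record(user, role, doc_id, f"redacted {n} TFN(s) before storage")
    return {"doc": doc_id, "text": redacted_text, "redacted": n, "retained": 0}
```

A 9-digit run that fails the check digit (such as the constructed reference number) is left untouched, which keeps the filter from mangling ordinary reference numbers while still catching TFNs written with or without spacing.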

11. What is involved in securely destroying and de-identifying TFN information?

Under the TFN Rule, TFN recipients must take reasonable steps to securely destroy or permanently de-identify TFN information when they are no longer required by law to retain the information or the TFN information is not necessary for a purpose under taxation, personal assistance or superannuation law (including the administration of such law).

Organisations that are subject to the Australian Privacy Principles will also need to consider their obligations under APP 11 – Security of personal information.

The OAIC’s Guide to securing personal information contains guidance on securely destroying and de-identifying personal information. The following information is extracted from the guide.

Personal information, including TFN information, is destroyed when it can no longer be retrieved. The steps that are reasonable for a TFN recipient to take to destroy TFN information will depend on whether the TFN information is held in hard copy or electronic form. Where TFN information is contained in hard copy records and disposed of through garbage or recycling collection, it should be destroyed through a process such as pulping, burning, pulverising, disintegrating or shredding.

Hardware containing TFN information in electronic form should be properly ‘sanitised’ to completely remove the stored TFN information. Where it is not possible for a TFN recipient to irretrievably destroy TFN information held in electronic format, reasonable steps to destroy it would include putting the TFN information ‘beyond use’. For example, this may be the case where technical reasons make it impossible to irretrievably destroy the TFN information without also irretrievably destroying other information held with it.

What qualifies as reasonable steps to securely destroy or permanently de-identify TFN information depends on the circumstances of the TFN recipient.

12. How can a TFN recipient make staff aware of their obligations under the TFN Rule?

Appropriate staff awareness activities may include:

  • conducting regular staff training sessions
  • reminding staff who regularly handle TFN information of their obligations under the TFN Rule and the TAA during staff meetings, by email or in a staff bulletin
  • requiring staff to review the TFN Rule, the Classes of lawful tax file number recipients document and this fact sheet.

13. How do the ATO, APRA and assistance agencies make information about their TFN handling practices publicly available?

Under the TFN Rule, the ATO, APRA and assistance agencies need to issue publicly available information about:

  • the purposes for which TFNs may be requested
  • when TFN information may not be collected, recorded, used or disclosed
  • penalties applying to unauthorised handling of TFNs
  • where to find further detail about these matters.

The ATO and APRA may use their websites and other publications to make this information available.

Also, APRA has issued legally binding legislative instruments which approve the manner of quoting, requesting, and transferring TFNs for the purposes of Part 25A of the SIS Act and various sections of the RSA Act.

14. Can investment bodies collect an individual's TFN?

Yes.

However, under the TFN Rule no-one is required by law to quote their TFN in relation to investments, although there may be financial consequences for individuals who do not.

The collection, use and disclosure of TFNs by investment bodies to build up a database or to cross-match personal information is not permitted.

The legal basis for collection must always be made clear, including the law (or laws) that allows the investment body to request or collect the TFN and the purpose for which the TFN is requested or collected. The description of the purpose for collection can be reasonably general as long as it is adequate to ensure that the individual is aware of what the law authorises the investment body to do with the TFN. Collection includes when individuals give their TFN either in written form or over the telephone.

Remember: the forms used to collect TFN information should comply with the Australian Taxation Office's (ATO) Investment Industry — Guidance on the Preparation of Tax File Number Forms.

15. Is there a difference between how TFNs are handled by superannuation funds compared to other investment bodies?

Yes.

The collection of TFNs by the trustees of superannuation funds and Retirement Savings Account Providers (RSA providers) is authorised under Part 25A of the SIS Act and Part 11 of the RSA Act respectively. These Acts provide clear limitations on the use of TFNs and also outline details about the recording and destruction of TFN information.

In addition, APRA has issued legally binding legislative instruments which approve the manner of quoting, requesting and transferring TFNs for the purposes of Part 25A of the SIS Act and various sections of the RSA Act.

The SIS Act and the RSA Act apply to the handling of TFNs regardless of whether they are provided to the superannuation fund or RSA provider by the member, the member's employer or the Commissioner of Taxation.

Superannuation laws allow superannuation fund trustees and RSA providers to use TFNs to locate member accounts and to facilitate the consolidation of multiple member accounts held by the same individual in the same superannuation fund and accounts held across multiple superannuation funds.

However, these laws do not alter an individual's right to choose not to quote a TFN, nor is the superannuation fund trustee or RSA provider allowed to use TFNs to replace their existing account identification methods (such as account or membership numbers). This ensures that the superannuation fund trustees' or RSA providers' use of TFNs operates in accordance with Australian Privacy Principle 9, which generally prevents private sector entities from adopting an Australian Government related identifier (eg a TFN) for an individual as its own.

In addition, regulations made under these laws impose requirements on superannuation funds and RSA providers that ensure a member's consent is obtained before consolidation of accounts can occur.

Examples:

  • Consolidation within a fund
    Cassandra is not aware that she has two superannuation accounts with Fund A. Fund A is permitted to match Cassandra's TFN and consolidate the two accounts provided the conditions in the regulations are met, such as seeking Cassandra's consent before consolidating accounts.
  • Consolidation between funds
    Muhammad holds a superannuation account with Fund A and suspects that he may hold an account in Fund B. The regulations provide conditions relating to member consent that superannuation fund trustees must follow before consolidating accounts. Provided Muhammad consents to the consolidation and the other conditions in the regulations are met, the trustee of Fund A may use the TFN to facilitate the consolidation of the accounts.

16. How must TFN recipients collect TFNs in relation to investments?

Application forms and prospectuses for new facilities must clearly state which taxation law authorises the collection of TFN information and that quoting a TFN is optional. In some circumstances an investor is not required to quote, or may choose not to quote, a TFN. It should also be clear that an investor who is exempt from quoting a TFN can claim that exemption rather than quoting. Information on the circumstances where an investor can claim an exemption from quoting a TFN is available from the ATO website.

When requesting an individual's TFN, the investment body must take reasonable steps to ensure that application forms and prospectuses for new facilities are positioned in reasonable proximity to each other, are clearly distinct from other information requested, and have the following elements included:

  • a statement referring to the taxation law that authorises the investment body to request the TFN and the purpose for which the TFN is collected
  • a statement that the quotation of the TFN is not compulsory but that tax may be taken out of the individual's dividend/interest/distribution if they do not quote their TFN
  • the option for the individual to quote a TFN or exemption for the first time/apply a TFN or exemption already quoted/decline to apply a TFN already quoted
  • if the option to apply a TFN or exemption already quoted is offered, then the default assumption, if no indication is given, must be non-application of the TFN or exemption already quoted
  • if quotation is invited for an investment facility, an explanation must be given of the consequences in terms of automatic application of the TFN to subsequent investment under the facility
  • where to find further information.

If completed forms containing TFNs are intended to be retained and accessed for purposes unrelated to the authorised purpose of collection, then they should be designed to allow prior deletion or removal of the TFN. Access to the TFN must be restricted to staff who require it to carry out their role.

More information on the preparation of TFN forms is contained in the ATO's Investment Industry — Guidance on the Preparation of Tax File Number Forms.

17. Do investment bodies need to ask for an individual's TFN at the time each new investment is taken out?

Generally yes.

However, there are examples of common investment arrangements whereby an individual is not making specific decisions about each investment of money (i.e. an investment facility, where an agreement is made as to the terms, conditions and elections for a series of future investments, either over a fixed period of time or indefinitely). Under these circumstances, an individual may perceive a facility, within which a succession of separate investments are made, as being merely separate deposits within the one facility.

In such cases, it is not necessary to offer individuals the opportunity to quote their TFN for each new investment under the facility. The TFN may be automatically applied to subsequent investments. It would be impractical for individuals to be asked to decide whether to quote their TFN at the time each new investment of this kind is made.

However, investment bodies must allow the individual to choose to quote the TFN in the first instance in relation to some investments. When inviting an investor to quote their TFN, a clear explanation should be provided to the individual that the TFN will be automatically used for future investments within the terms of the facility, unless the investor indicates at any time that they do not wish for their TFN to be applied to a particular investment.

Examples:

  • common fund investments by trustees
  • sub-accounts offered by credit unions to members under a single membership/account number
  • term deposits offered by financial institutions.

18. What options should be made available to investors when they are asked to quote their TFNs for investments that are not parts of the one facility?

For new and existing investments, it is necessary for investment bodies to take into account individuals who choose not to quote their TFN. The following options should be made available to individuals when they are asked to quote their TFNs for investments that are not parts of the one facility:

  • authorising the application of the TFN to all investments held in the individual's name
  • authorising the application of the TFN to specific investments
  • declining to quote the TFN.

However, for new investments, individuals must have the option of declining to quote their TFN. Additionally, individuals should be able to authorise the investment body to use the TFN already on file.

Examples:

  • Where the investment body already holds a TFN for previous investments by the same client, investment bodies may use an opt-out, ie a question, which, if not answered, implies consent:
    "Please tick the box if you do not wish your TFN to be applied to this investment."

    However, the form will need to provide for the first-time quotation of the TFN for new clients.

The information provided in this resource is of a general nature. It is not a substitute for legal advice.