Inquiry into the External Scrutiny of the Australian Taxation Office — submission to Standing Committee on Tax and Revenue

10 March 2016

Our reference: D2016/001241

Committee Secretary
Standing Committee on Tax and Revenue
PO Box 6021
Parliament House
Canberra ACT 2600

Dear Mr van Manen

Inquiry into the External Scrutiny of the Australian Taxation Office

I welcome the opportunity to provide this brief submission to the Standing Committee on Tax and Revenue’s Inquiry into the External Scrutiny of the Australian Taxation Office.

The Australian Information Commissioner (the Information Commissioner) has a range of functions and powers conferred by the Privacy Act 1988 (Cth) (the Privacy Act) and the Freedom of Information Act 1982 (Cth) (the FOI Act), which give the Information Commissioner an oversight role over the Australian Taxation Office’s (ATO) personal and other information handling practices.

OAIC’s privacy regulatory role with respect to the ATO

The ATO holds 19.8 million TFN registrations for individuals,[1] representing vast amounts of personal information. Like many government agencies, the ATO is bound by the Australian Privacy Principles (APPs) contained in the Privacy Act. The Office of the Australian Information Commissioner’s (OAIC) main regulatory activities with respect to the ATO include:

  • receiving, conciliating and investigating complaints made against the ATO by individuals under the Privacy Act[2]
  • conducting Commissioner initiated investigations of information handling practices that may breach the Privacy Act[3]
  • undertaking privacy assessments (formerly audits) to determine how well the ATO is meeting its obligations under the Privacy Act and assist the ATO to improve its information handling practices[4]
  • the Information Commissioner issuing rules concerning the collection, storage, use and security of tax file numbers information[5]
  • providing advice to the ATO on the application of the Privacy Act and related instruments, such as the Privacy (Tax File Number) Rule 2015[6]
  • providing advice to the ATO on the compliance of its data-matching activities with the Privacy Act and the OAIC’s Guidelines on Data Matching in Australian Government Administration.[7]

In respect of this last point, I anticipate that the OAIC will also work with the ATO in relation to the Enhanced Welfare Payment Integrity initiative, announced by the Government in the 2015–16 Mid-Year Economic and Fiscal Outlook.[8] This initiative, which will be run out of the Department of Human Services, the Department of Social Services, and the ATO, will use data matching processes to detect and respond to discrepancies in welfare payments and income. The OAIC will have oversight of the privacy issues arising from these data matching activities.

OAIC’s FOI role with respect to the ATO

The OAIC is also responsible for conducting Information Commissioner reviews of decisions made by agencies, including the ATO, under the FOI Act. This involves conducting an administrative review of the ATO’s FOI decision making in particular matters with respect to appropriate information release. Where the OAIC forms the view that the ATO decision is not correct, the Information Commissioner can issue a decision overturning the ATO’s initial FOI decision. In this way, the OAIC oversights the ATO’s release of information to the community through the FOI scheme.

Importance and uniqueness of OAIC’s role

The OAIC’s role with respect to the ATO is generally distinct from the roles of other oversight bodies. The OAIC’s focus is on the protection and proper handling of personal information by the ATO under the Privacy Act and the appropriate release of information under the FOI Act.

In terms of personal information, while ATO officers are also subject to the confidentiality provisions of the Taxation Administration Act 1953 (Cth),[9] those provisions relate only to the disclosure of information and provide criminal penalties for individuals that breach them. In contrast, the Privacy Act regulates the full life-cycle of personal information, and includes obligations relating to:

  • the open and transparent management of personal information, including having a privacy policy
  • the collection of solicited personal information and receipt of unsolicited personal information, including giving notice about collection
  • how personal information can be used and disclosed, including cross-border disclosure
  • maintaining the quality of personal information
  • the security of personal information
  • rights for individuals to access and correct their personal information.

This ensures that individuals’ privacy is protected throughout the information life-cycle and at an organisational level.

The OAIC also has a unique function in receiving and conciliating individuals’ complaints, and awarding individual remedies where appropriate.[10] The OAIC’s oversight and complaint-handling role is particularly important given the vast amounts of personal information handled by the ATO, and the sensitive nature of that information.

Should the Committee require any further information, please contact Ms Este Darin-Cooper, Director, Regulation and Strategy Branch, on [contact details removed].

Yours sincerely

Timothy Pilgrim PSM
Acting Australian Information Commissioner

10 March 2016


[1] Australian Taxation Office 2015, Commissioner of Taxation Annual Report 2014–15, p 31.

[2] See ss 36, 40, 40A of the Privacy Act.

[3] See s 40(2) of the Privacy Act.

[4] See s 33C of the Privacy Act.

[5] See s 17 of the Privacy Act.

[6] See ss 17, 28B of the Privacy Act.

[7] See s 28A(2) of the Privacy Act.

[8] Commonwealth of Australia 2015, Mid-Year Economic and Fiscal Outlook 2015–16, p 211.

[9] See division 355 of the Taxation Administration Act 1953 (Cth), and in particular s 355-25.

[10] See s 52 of the Privacy Act.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at