The ATO’s administrative approach to the disclosure of tax debt information to credit reporting bureaus — submission to the Australian Taxation Office

14 February 2018

Our reference: D2018/000843

Ms Gail Hopley
Director, Transparency of Tax Debt Project
Australian Taxation Office
55 Elizabeth Street

Via email:

Dear Ms Hopley

Submission on consultation paper — The ATO’s administrative approach to the disclosure of tax debt information to credit reporting bureaus

Thank you for the opportunity to provide comments on the Australian Taxation Office’s (ATO) consultation paper, outlining its intended administrative approach towards the Government’s Transparency of Tax Debt measure.[1] This measure would allow the ATO to disclose the tax debt information of business entities to registered credit reporting bureaus for use in the commercial credit reporting system.

I have provided comments to the Treasury on the exposure drafts of the Treasury Laws Amendment (Tax Transparency) Bill 2018: Transparency of taxation debts (the draft Bill) and the associated Tax Debt Information Disclosure Declaration 2018, which I have attached to this submission.

My aim in providing this submission is to ensure that personal information will be afforded appropriate levels of protection under these amendments. As noted in my submission to the Treasury, there could be a risk that tax debt information disclosed by the ATO may fall outside the coverage of the Privacy Act 1988 (Privacy Act) if the recipient is a small business.[2] I have expanded on this risk below, and outlined possible options for mitigating against this risk that the ATO may be able to adopt through its administrative approach.

The protection of personal information under the Privacy Act

The Privacy Act contains 13 Australian Privacy Principles (APPs) that outline how regulated entities must handle, use and manage personal information. These apply to most Australian and Norfolk Island Government agencies, including the ATO; all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses.

Personal information is defined in s 6 of the Privacy Act as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’ (regardless of whether it is true, or recorded in a material form). This can include information about a business, even where the business is not a sole trader.[3]

However, the draft Bill does not include provisions setting out how tax debt information must be handled once it has been disclosed to a credit reporting bureau, or on-disclosed to their customers. I note that the draft Bill’s definition of a credit reporting bureau varies from the definition of a credit reporting body in the Privacy Act.[4] As credit reporting bureaus are recognised by the Commissioner of Taxation, there is the potential for a small business, which would not be covered by the Privacy Act, to be recognised as a credit reporting bureau. A similar situation could arise should a credit reporting bureau on-disclose personal information to a small business.

I understand from the consultation paper that credit reporting bureaus will need to enter into an agreement with the ATO, detailing the terms of reporting, before they can be registered to receive tax debt information.[5] This may provide a mechanism for ensuring that credit reporting bureaus will handle personal information in an appropriate way. For example, credit reporting bureaus that are not subject to the Privacy Act could be required to opt-in to coverage under s 6EA as part of their agreement with the ATO. A comparable requirement exists for research entities that wish to be granted data by the Australian Communications and Media Authority under the Integrated Public Number Database Scheme.[6]

As a further safeguard, I suggest that the ATO considers whether it can include a requirement for credit reporting bureaus to disclose tax debt information to their customers only if those customers have suitable privacy protections in place.

If you would like to discuss these comments or have any questions, please contact Sophie Higgins, Director, Regulation & Strategy, on [contact details removed].

Yours sincerely

Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner

14 February 2018


[1] Announced in the 2016–17 Mid-Year Economic and Fiscal Outlook.

[2] Sections 6C(1) and 6D of the Privacy Act.

[3] More detail about applying this definition is available in What is personal information? <>.

[4] Defined in s 6(1) of the Privacy Act as an organisation, or prescribed agency, which carries on a credit reporting business. A credit reporting business is defined in s 6P as ‘business or undertaking that involves collecting, holding, using or disclosing personal information about individuals for the purpose of, or for purposes including the purpose of, providing an entity with information about the credit worthiness of an individual’.

[5] See heading ‘Registration of CRBs’.

[6] More information about opting-in to Privacy Act coverage is available at Opt-in register <>.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at