The Privacy (Tax File Number) Rule 2015 and the protection of tax file number information
Publication date: August 2015
This resource provides a number of steps an agency or organisation should consider taking to protect the privacy of Tax File Number (TFN) information, and ensure they comply with the binding Privacy (Tax File Number) Rule 2015 (TFN Rule) issued under s 17 of the Privacy Act 1988 (Privacy Act).
Questions 14 to 18 are for investment bodies only.
The information provided in this resource is of a general nature. It is not a substitute for legal advice.
1. What is a TFN recipient?
Under the TFN Rule, ‘TFN recipient’ has the same meaning as ‘file number recipient’ in s 11 of the Privacy Act and covers any person, agency, organisation or other entity that is (whether lawfully or unlawfully) in possession or control of a record that contains TFN information.
A TFN recipient includes:
- the Commissioner of Taxation (ie the ATO)
- the following government assistance agencies:
  - the Department of Human Services (DHS) (which administers the Centrelink, Child Support and Medicare Programs)
  - the Department of Social Services
  - the Department of Education and Training
  - the Department of Veterans' Affairs
- an authorised recipient, ie a lawful TFN recipient that is authorised by taxation, personal assistance or superannuation law to receive TFNs, such as:
  - employers in their capacity as employee share scheme (ESS) providers
  - higher education providers (such as universities)
  - investment bodies
- an approved recipient, ie a lawful TFN recipient that is engaged by an authorised recipient to provide services where it is reasonably necessary to have access to TFN information, or that has obtained an individual's consent to access their TFN to help manage that individual's taxation, superannuation or personal assistance affairs. This can include the following:
  - tax agents
  - share registries and agents of ESS providers
  - the trustee of a superannuation fund. Trustees other than those of a superannuation fund are also able to collect and use TFNs where this is authorised by taxation law.
2. What is TFN information and what does the TFN Rule protect?
The TFN Rule protects the TFN information of individuals only. The TFN Rule is not intended to protect TFN information relating to other entities, such as corporate entities, partnerships, superannuation funds and trusts.
Where TFNs are assigned to individuals, TFN information is information that connects a TFN with the identity of a particular individual (for example, a database record that links a person’s name and date of birth with the person’s TFN).
Under the TFN Rule, a TFN recipient must not record, collect, use or disclose TFN information unless this is permitted under taxation, personal assistance or superannuation law.
In addition to the TFN Rule, TFN recipients must also abide by the Taxation Administration Act 1953 (TAA). Unlike the TFN Rule, the TAA protects all TFNs, including those of individuals and other entities. Section 8WA of the TAA creates an offence for unauthorised requirements or requests that a person's TFN be quoted, and s 8WB creates an offence for the unauthorised recording, maintaining a record of, use or disclosure of an individual's TFN, unless an exception applies.
3. Why is it important to protect the privacy of TFNs?
It is important to protect the privacy of TFNs because they are unique identifiers which are issued to individuals for life.
Some of the privacy concerns associated with TFNs include:
- they could potentially be used by all TFN recipients as part of a national identification system
- they could be used to match or link records of personal information held by many different TFN recipients, which could:
- enable a TFN recipient to look up detailed information about a person just by knowing their TFN
- increase the risk of serious breaches of personal privacy if data is lost or misused
- increase the risk of identity theft
4. Can anyone ask for and receive an individual's TFN?
There are very strict rules about who is lawfully allowed to ask for and receive TFNs. The TFN Rule only allows certain people, agencies, organisations and other entities that are authorised by taxation, personal assistance or superannuation law to ask for and receive TFN information — they are known as authorised or lawful TFN recipients.
It is generally a criminal offence under the TAA and a breach of the TFN Rule for anyone else to request an individual's TFN.
The ATO and the Australian Prudential Regulation Authority (APRA) are required under the TFN Rule to maintain a list of the classes of people, agencies, organisations and other entities allowed to ask for and receive TFNs, what they will do with them and who they can give them to. This list is known as the Classes of Lawful Tax File Number Recipients document. More information regarding whether an agency or organisation is an authorised or lawful TFN recipient is available from the ATO.
5. Do individuals need to provide their TFN to an authorised TFN recipient?
There is no law in Australia that says individuals must give an authorised TFN recipient their TFN if they are asked for it.
This forms the basis of what is known as the 'voluntary quotation principle', which recognises that taxation, personal assistance, or superannuation laws do not make the quotation of a TFN a requirement. However, the financial consequences of not quoting a TFN can be significant. For example, under personal assistance law, the quotation of a TFN is a condition for the receipt of personal assistance payments.
6. What happens when an authorised TFN recipient collects an individual's TFN?
When an authorised TFN recipient requests an individual's TFN they:
- must tell the individual the name of the law (or laws) that authorises the collection of the TFN, the purpose for which the TFN is collected, that it is not an offence to refuse to provide a TFN, and the consequences of refusing to provide a TFN
- must take reasonable steps to ensure that the manner of collection does not unreasonably intrude on the individual's affairs
- must take reasonable steps to ensure that they only request or collect information that is necessary and relevant to the purpose of collection under applicable taxation law, personal assistance law or superannuation law.
The obligations on a TFN recipient relating to the collection of TFNs under the TFN Rule are in addition to responsibilities under the Australian Privacy Principles and other legislation e.g. taxation laws, superannuation laws, personal assistance laws and secrecy laws.
An agency or organisation that requests an individual's TFN can keep the description of the purposes for collection reasonably general as long as the description is adequate to ensure that the individual is aware of what the law authorises the TFN recipient to do with the TFN.
Mary works for an agency which is authorised to collect an individual's TFN under a personal assistance law. Mary's responsibilities include collecting clients' TFNs so that her agency may make personal assistance payments to those individuals. She usually collects a client's name, postal address and TFN.
Under the TFN Rule, Mary may collect clients' TFNs if she gives them a form which explains that she is authorised to collect this information under the particular personal assistance law, that she is collecting this information so that her agency can make personal assistance payments to the individual, that it is not an offence to refuse to provide this information, but that an individual may not receive personal assistance payments if they decide not to provide this information.
She may also request the individual's name and address to ensure that she can record the TFN against the correct record.
7. How does the TFN Rule interact with other privacy obligations?
The obligations on an agency or organisation relating to the handling of TFNs under the TFN Rule are in addition to responsibilities under other laws, including:
- the Australian Privacy Principles (for example, when requesting an individual's TFN, agencies and organisations also need to consider the notice obligations under Australian Privacy Principle 5)
- the TAA, including offences for the unauthorised use, disclosure, collection, or requests for TFNs
- Part VA of the Income Tax Assessment Act 1936, which contains provisions related to the handling of TFNs
- Part 25A of the Superannuation Industry (Supervision) Act 1993 (SIS Act) and Part 11 of the Retirement Savings Accounts Act 1997 (RSA Act), which provide for the collection of TFNs by the trustees of superannuation funds and retirement savings account providers
- the Data-matching Program (Tax and Assistance) Act 1990 (Data-matching Act) which provides for, and regulates, the matching of records between the ATO and assistance agencies (ie DHS, DSS, DET and DVA) that use the TFN in a data-matching process.
8. What should TFN recipients do if a person provides information which includes a TFN?
Under the TFN Rule, a TFN recipient must not record, collect, use or disclose a TFN unless this is permitted under taxation, personal assistance or superannuation law.
If an individual provides information to a TFN recipient for a purpose not connected with the operation of a taxation, personal assistance or superannuation law and that information incidentally contains a TFN, the individual providing the information may remove the TFN.
If the individual does not remove the TFN, the TFN recipient must not use or disclose the TFN or record the TFN in a way that is inconsistent with the TAA or the TFN Rule.
Unauthorised use or disclosure of TFNs can be an offence under ss 8WA and 8WB of the TAA (see question 2), as well as constituting a breach of the TFN Rule.
An agency or organisation may receive and scan inbound correspondence that incidentally contains TFN information. This would likely occur prior to the correspondence being identified as containing an individual's TFN information. The TFN information would then be 'recorded' even if there is no intention by the agency or organisation to retain this information. Where an individual provides TFN information incidentally in this way, the agency or organisation needs to undertake its own risk assessment to determine whether it is handling the TFN information lawfully.
9. When can an agency or organisation lawfully use or disclose an individual’s TFN?
Under the TFN Rule, an individual's TFN information can only be used or disclosed for the purpose of facilitating the effective administration of taxation law, certain aspects of personal assistance and superannuation law and to assist with the identification of individuals for other purposes.
For example, the ATO and other lawful TFN recipients may use a TFN to identify an individual when they:
- lodge a tax return
- apply for income assistance or support payments, such as pensions or benefits from DHS (which administers the Centrelink, Child Support and Medicare Programs) or the Department of Veterans' Affairs
- start a new job or change jobs
- have savings accounts or investments that earn income, for example, interest or dividends
- receive a payment under the Higher Education Loan Program
- join a superannuation fund
TFNs may not be used:
- by a financial institution to confirm an individual's identity
- as part of a national identification system (unless this is authorised by taxation, personal assistance or superannuation law)
- to match personal information about an individual unless it is authorised by taxation, personal assistance or superannuation law or by the Data-matching Act 1990
The Commissioner of Taxation and APRA identify the types of entities who may request TFNs under taxation and superannuation law. The main way they make this information available is by maintaining a list of those people, agencies, organisations and other entities allowed to ask for and receive TFNs, what they will do with them and who they can disclose them to. This list is known as the Classes of Lawful Tax File Number Recipients document, and it is published on the OAIC website.
Examples of lawful TFN recipients include:
- the ATO
- DHS, which has authority to request a TFN from recipients of personal assistance payments such as pensions, benefits and allowances
- an employer
- banks and other financial institutions
- superannuation funds
- higher education providers
- tax agents, accountants and solicitors
The TFN Rule also explicitly authorises the use and disclosure of TFN information by a TFN recipient for the purpose of giving an individual any TFN information that the recipient holds about that individual.
10. How can an agency or organisation protect the security of TFNs?
Under the TFN Rule, TFN recipients must take reasonable steps to safeguard TFN information from loss, unauthorised access, use, modification, disclosure or other misuse, whether the information is stored in physical or electronic form. This means that appropriate security measures for protecting TFN information need to be considered in regards to all of your agency or organisation’s acts and practices.
TFN recipients must restrict access to records containing TFN information to staff who need to handle this information under taxation, personal assistance or superannuation law.
Australian Government agencies that are TFN recipients will also need to comply with other relevant laws, government policies and standards regarding the security of information. Furthermore, agencies or organisations that are subject to the Australian Privacy Principles will need to consider their obligations under APP 11 — Security of personal information.
The OAIC’s Guide to Securing Personal Information provides guidance on steps and strategies that you should consider taking to secure personal information. Examples from the guide include:
- Governance, culture and training — to foster a privacy and security aware culture among your staff — such as:
- privacy and personal information security steps and strategies being driven by your senior executives
- clear procedures for oversight, accountability and lines of authority for decisions related to personal information security
- providing staff with training on physical and ICT security and the handling of personal information, including TFN information
- Access security — to ensure that TFNs are only accessed by authorised persons — such as:
- limiting access to TFN information to those staff who need to handle it to enable the agency or organisation to carry out its functions and activities
- using audit logs and audit trails and monitoring access by both internal and external persons
- enforcing strong passwords or passphrases, for example by requiring a mix of uppercase characters, lowercase characters, punctuation, symbols and/or numbers (length is a stronger control than character-class rules alone)
- ICT security — to protect both your hardware and software from misuse, interference, loss, unauthorised access, modification and disclosure — such as:
- testing software for flaws that could result in privacy breaches
- keeping software and applications patched and up to date
- employing and maintaining an intrusion prevention and detection system and regularly analysing event logs
- developing procedures to manage the transmission of TFNs via email, as email is not a secure form of communication
- Physical security — to ensure that TFN information is not inappropriately accessed — such as:
- physically segregating work areas with access to TFN information from other areas of business
- considering privacy and security when designing the workspace
- making provisions for securing physical files containing TFN information
What qualifies as reasonable steps to ensure the security of TFN information depends on the circumstances of the TFN recipient.
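The access-security and ICT-security steps above (restricting TFN records to staff who need them, keeping an audit trail of access, and controlling what leaves the organisation by email) can be made concrete in code. The following Python is an added illustration, not code from the OAIC or from any agency: it shows a small in-memory TFN record store that checks each access against a need-to-know role list, writes every attempt (permitted or denied) to an audit trail that never contains the full TFN, and a redaction helper for free text such as outbound email bodies or scanned inbound correspondence of the kind described in question 8. The roles, purposes, client identifiers and the 9-digit TFN format it assumes are all constructed for the example.

```python
"""Added example: need-to-know access, audit trail and masking for TFN records.
Roles, purposes and client data below are constructed, not taken from any real system."""
from __future__ import annotations

import re
from datetime import datetime, timezone

# Assumption: only these roles need to handle TFNs to carry out the organisation's
# functions under taxation or superannuation law (question 10). Everyone else is denied.
AUTHORISED_ROLES = {"payroll_officer", "tax_reporting"}

# Three groups of three digits, optionally separated by a space or hyphen, not embedded
# in a longer run of digits. Assumption: a 9-digit TFN. Any other 9-digit number will
# also match, so treat hits as candidates for review rather than confirmed TFNs.
TFN_CANDIDATE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{3}(?!\d)")


def mask_tfn(tfn: str) -> str:
    """Keep only the last three digits; this is what goes into logs, screens and email."""
    digits = re.sub(r"\D", "", tfn)
    return "*" * (len(digits) - 3) + digits[-3:]


def redact_tfns(text: str) -> tuple[str, int]:
    """Replace every TFN candidate in free text (an email body, OCR output from scanned
    correspondence) with a placeholder. Returns (redacted_text, number_of_hits)."""
    return TFN_CANDIDATE.subn("[TFN REDACTED]", text)


class TfnStore:
    """In-memory TFN record store. Every read and write is authorised against
    AUTHORISED_ROLES and recorded in an audit trail that holds only masked TFNs."""

    def __init__(self) -> None:
        self._records: dict[str, str] = {}  # client_id -> 9-digit TFN
        self.audit_trail: list[dict] = []

    def _authorise(self, actor: str, role: str, action: str, client_id: str, purpose: str) -> None:
        # Log first, then decide: denied attempts are exactly what an auditor wants to see.
        permitted = role in AUTHORISED_ROLES
        self.audit_trail.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "action": action,
            "client_id": client_id, "purpose": purpose, "permitted": permitted,
        })
        if not permitted:
            raise PermissionError(f"{actor} ({role}) is not authorised to {action} TFN records")

    def record(self, client_id: str, tfn: str, actor: str, role: str, purpose: str) -> None:
        self._authorise(actor, role, "record", client_id, purpose)
        digits = re.sub(r"\D", "", tfn)
        if len(digits) != 9:  # assumption: 9-digit TFNs only
            raise ValueError("TFN must contain exactly 9 digits")
        self._records[client_id] = digits
        self.audit_trail[-1]["tfn"] = mask_tfn(digits)  # masked, never the full number

    def lookup(self, client_id: str, actor: str, role: str, purpose: str) -> str:
        self._authorise(actor, role, "lookup", client_id, purpose)
        tfn = self._records[client_id]
        self.audit_trail[-1]["tfn"] = mask_tfn(tfn)
        return tfn


if __name__ == "__main__":
    store = TfnStore()
    store.record("C001", "123 456 789", actor="alice", role="payroll_officer", purpose="PAYG withholding")
    print(store.lookup("C001", actor="alice", role="payroll_officer", purpose="PAYG withholding"))
    try:
        store.lookup("C001", actor="mallory", role="marketing", purpose="campaign")
    except PermissionError as exc:
        print("denied:", exc)
    # Constructed OCR text from a scanned letter that incidentally quotes a TFN.
    body, hits = redact_tfns("Dear Sir, my TFN is 123 456 789 and my account is 1234567890.")
    print(hits, body)
    for entry in store.audit_trail:
        print(entry)
```

The audit entry is written before the permission decision is made, so a denied lookup leaves the same trace as a permitted one, and the full TFN never appears in the trail or in anything `redact_tfns` returns. The pattern deliberately does not try to validate that a candidate really is a TFN; for incidental TFNs in scanned mail the safer default is to redact the candidate and let a person confirm, which is the risk assessment question 8 asks for.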
11. What is involved in securely destroying and de-identifying TFN information?
Under the TFN Rule, TFN recipients must take reasonable steps to securely destroy or permanently de-identify TFN information when they are no longer required by law to retain the information or the TFN information is not necessary for a purpose under taxation, personal assistance or superannuation law (including the administration of such law). If the TFN information is contained in a Commonwealth record, the agency is not required to destroy or de-identify that information under the TFN Rule. The agency will instead need to comply with the provisions of the Archives Act 1983 in relation to those records.
Agencies or organisations that are subject to the Australian Privacy Principles will need to consider their obligations under APP 11 – Security of personal information.
The OAIC’s Guide to Securing Personal Information contains guidance on securely destroying and de-identifying personal information. The following information is extracted from the guide.
Personal information, including TFN information, is destroyed when it can no longer be retrieved. The steps that are reasonable for an agency or organisation to take to destroy TFN information will depend on whether the TFN information is held in hard copy or electronic form. Hard copy records containing TFN information should not be disposed of through ordinary garbage or recycling collection without first being destroyed by a process such as pulping, burning, pulverising, disintegrating or shredding.
Hardware containing TFN information in electronic form should be properly 'sanitised' to completely remove the stored TFN information. Where it is not possible for an agency or organisation to irretrievably destroy TFN information held in electronic form, reasonable steps to destroy it would include putting the TFN information 'beyond use', for example where technical reasons make it impossible to irretrievably destroy the TFN information without also irretrievably destroying other information held with it.
What qualifies as reasonable steps to securely destroy or permanently de-identify TFN information depends on the circumstances of the TFN recipient.
12. How can an agency or organisation make staff aware of their obligations under the TFN Rule?
Appropriate staff awareness activities may include:
- conducting regular staff training sessions
- reminding staff who regularly handle TFN information of their obligations under the TFN Rule and the TAA during staff meetings, by email or in a staff bulletin
- requiring staff to review the TFN Rule, the Classes of Lawful Tax File Number Recipients document and this fact sheet
13. How do the ATO, APRA and assistance agencies make information about their TFN handling practices publicly available?
Under the TFN Rule, the ATO, APRA and assistance agencies need to issue publicly available information about:
- the purposes for which TFNs may be requested
- when TFN information may not be collected, recorded, used or disclosed
- penalties applying to unauthorised handling of TFNs
- where to find further detail about these matters
The ATO and APRA may use their websites and other publications to make this information available.
Also, APRA has issued legally binding legislative instruments which approve the manner of quoting, requesting, and transferring TFNs for the purposes of Part 25A of the SIS Act and various sections of the RSA Act.
- The ATO has comprehensive information concerning TFNs on its website.
- Guidance on the collection of TFNs is also available on APRA's website.
- Both the ATO and APRA have issued the Classes of Lawful Tax File Number Recipients document.
14. Can investment bodies collect an individual's TFN?
Investment bodies are authorised recipients (see question 1). However, under the TFN Rule no-one is required by law to quote their TFN in relation to investments, although there may be financial consequences for individuals who do not.
The collection, use and disclosure of TFNs by investment bodies to build up a database or to cross-match personal information is not permitted.
The legal basis for collection must always be made clear, including the law (or laws) that allows the investment body to request or collect the TFN and the purpose for which the TFN is requested or collected. The description of the purpose for collection can be reasonably general as long as it is adequate to ensure that the individual is aware of what the law authorises the investment body to do with the TFN. Collection includes when individuals give their TFN either in written form or over the telephone.
Remember: the forms used to collect TFN information should comply with the Australian Taxation Office's (ATO) Investment Industry — Guidance on the Preparation of Tax File Number Forms.
15. Is there a difference between how TFNs are handled by superannuation funds compared to other investment bodies?
The collection of TFNs by the trustees of superannuation funds and Retirement Savings Account Providers (RSA providers) is authorised under Part 25A of the SIS Act and Part 11 of the RSA Act respectively. These Acts provide clear limitations on the use of TFNs and also outline details about the recording and destruction of TFN information.
In addition, APRA has issued legally binding legislative instruments which approve the manner of quoting, requesting and transferring TFNs for the purposes of Part 25A of the SIS Act and various sections of the RSA Act.
The SIS Act and the RSA Act apply to the handling of TFNs regardless of whether they are provided to the superannuation fund or RSA provider by the member, the member's employer or the Commissioner of Taxation.
Superannuation laws allow superannuation fund trustees and RSA providers to use TFNs to locate member accounts and to facilitate the consolidation of multiple member accounts held by the same individual in the same superannuation fund and accounts held across multiple superannuation funds.
However, these laws do not alter an individual's right to choose not to quote a TFN, nor is the superannuation fund trustee or RSA provider allowed to use TFNs to replace their existing account identification methods (such as account or membership numbers). This ensures that the superannuation fund trustees' or RSA providers' use of TFNs operates in accordance with Australian Privacy Principle 9, which generally prevents private sector entities from adopting an Australian Government related identifier (eg a TFN) for an individual as its own.
In addition, regulations made under these laws impose requirements on superannuation funds and RSA providers that ensure a member's consent is obtained before consolidation of accounts can occur.
Consolidation within a fund
Cassandra is not aware that she has two superannuation accounts with Fund A. Fund A is permitted to match Cassandra's TFN and consolidate the two accounts provided the conditions in the regulations are met, such as seeking Cassandra's consent before consolidating accounts.
Consolidation between funds
Muhammad holds a superannuation account with Fund A and suspects that he may hold an account in Fund B. The regulations provide conditions relating to member consent that superannuation fund trustees must follow before consolidating accounts. Provided Muhammad consents to the consolidation and the other conditions in the regulations are met, the trustee of Fund A may use the TFN to facilitate the consolidation of the accounts.
16. How must TFN recipients collect TFNs in relation to investments?
Application forms and prospectuses for new facilities must clearly state which taxation law authorises the collection of TFN information and that quoting a TFN is optional. In some circumstances an investor is not required to quote, or may choose not to quote, a TFN. It should also be clear that an investor who is exempt from quoting a TFN can claim that exemption rather than quoting. Information on the circumstances where an investor can claim an exemption from quoting a TFN is available from the ATO website.
When requesting an individual's TFN, the investment body must take reasonable steps to ensure that the TFN-related elements of application forms and prospectuses for new facilities are positioned in reasonable proximity to each other, are clearly distinct from other information requested, and include the following:
- a statement referring to the taxation law that authorises the investment body to request the TFN and the purpose for which the TFN is collected
- a statement that the quotation of the TFN is not compulsory but that tax may be taken out of the individual's dividend/interest/distribution if they do not quote their TFN
- the option for the individual to quote a TFN or exemption for the first time/apply a TFN or exemption already quoted/decline to apply a TFN already quoted
- if the option to apply a TFN or exemption already quoted is offered, then the default assumption, if no indication is given, must be non-application of the TFN or exemption already quoted
- if quotation is invited for an investment facility, an explanation must be given of the consequences in terms of automatic application of the TFN to subsequent investment under the facility
- where to find further information
If completed forms containing TFNs are intended to be retained and accessed for purposes unrelated to the authorised purpose of collection, then they should be designed to allow prior deletion or removal of the TFN. Access to the TFN must be restricted to staff who require it to carry out their role.
17. Do investment bodies need to ask for an individual's TFN at the time each new investment is taken out?
There are common investment arrangements in which an individual is not making specific decisions about each investment of money (ie an investment facility, where an agreement is made as to the terms, conditions and elections for a series of future investments, either over a fixed period of time or indefinitely). In these circumstances, an individual may regard the succession of separate investments made within the facility as merely separate deposits within the one facility.
In such cases, it is not necessary to offer individuals the opportunity to quote their TFN for each new investment under the facility. The TFN may be automatically applied to subsequent investments. It would be impractical for individuals to be asked to decide whether to quote their TFN at the time each new investment of this kind is made.
However, investment bodies must still allow the individual to choose whether to quote the TFN in the first instance, when the facility is established. When inviting an investor to quote their TFN, a clear explanation should be provided to the individual that the TFN will be automatically used for future investments within the terms of the facility, unless the investor indicates at any time that they do not wish their TFN to be applied to a particular investment.
Examples of such investment facilities include:
- common fund investments by trustees
- sub-accounts offered by credit unions to members under a single membership/account number
- term deposits offered by financial institutions.
18. What options should be made available to investors when they are asked to quote their TFNs for investments that are not parts of the one facility?
For new and existing investments, it is necessary for investment bodies to take into account individuals who choose not to quote their TFN. The following options should be made available to individuals when they are asked to quote their TFNs for investments that are not parts of the one facility:
- authorising the application of the TFN to all investments held in the individual's name
- authorising the application of the TFN to specific investments
- declining to quote the TFN
However, for new investments, individuals must have the option of declining to quote their TFN. Additionally, individuals should be able to authorise the investment body to use the TFN already on file.
Where the investment body already holds a TFN for previous investments by the same client, investment bodies may use an opt-out, ie a question which, if not answered, implies consent:
"Please tick the box if you do not wish your TFN to be applied to this investment."
However, the form will need to provide for the first-time quotation of the TFN for new clients.