Publication date: 7 July 2020

Assessment undertaken: March-April 2019
Draft report issued: 24 February 2020
Report published: 7 July 2020

Part 1: Executive summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the Australian Taxation Office’s (ATO) handling of personal information under the Privacy Act 1988, conducted in March and April 2019.

1.2 This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the Australian Privacy Principles (APPs).

1.3 The purpose of this assessment was to establish whether the ATO is taking reasonable steps under APP 11 to secure personal information handled by the Pay-As-You-Go (PAYG) and Non-Employment Income Data Matching (NEIDM) programs. APP 11 requires an entity to take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

1.4 The assessment found that the ATO has taken steps to secure personal information that it holds. However, the OAIC also identified privacy risks associated with the PAYG and NEIDM programs and has made three recommendations in the report to address these risks.

1.5 The OAIC recommends that the ATO:

  • in consultation with the Department of Human Services (DHS), updates its Head Agreement and where applicable any other associated documents which govern the overarching service delivery arrangements with DHS to include privacy obligations under the Notifiable Data Breaches (NDB) scheme and the Australian Government Agencies Privacy Code (Privacy Code)
  • regularly reviews its internal policy documents to ensure that they are up-to-date and reflect changes in the current risk environment. This includes updating its:
    • accreditation documentation to incorporate new developments and practices
    • policies to highlight the operational relationship between Cyber Security and Privacy functions as well as the roles and responsibilities of each area in the event of a cyber security incident or eligible data breach
  • implements multi-factor authentication (MFA) for all administrative accounts, especially for privileged and/or higher risk users.

Part 2: Introduction

Background

2.1 Data matching is the bringing together of at least two data sets that contain personal information from different sources, and the comparison of those data sets with the intention of producing a match.[1] Entities must comply with the Privacy Act and this encompasses the data matching related activities that they undertake. In addition to their Privacy Act obligations, government agencies such as the ATO who conduct data matching activities can voluntarily adopt the OAIC’s Guidelines on Data Matching in Australian Government Administration.

2.2 The OAIC was funded to provide regulatory oversight of privacy implications arising from increasing data matching activities using new methodologies amongst government agencies, for the period 1 January 2016 to 30 June 2019. This funding is part of the ‘Enhanced Welfare Payment Integrity – non-employment income data matching’ 2015-16 budget measure.

2.3 The ATO assists the Department of Human Services (DHS)[2] with compliance activities through data matching programs to ensure and to maintain the integrity of customer payments and services.

Overview of data matching

2.4 The scope of this assessment focuses on the privacy risks associated with the secure handling of personal information for the following two data matching programs which the ATO partakes in with DHS:

  • the PAYG program, which matches PAYG taxation data from the ATO with information that DHS collects from customers about their income. The PAYG program began with a pilot program in 2001, and formally commenced in 2004. The PAYG program focuses on identifying discrepancies between the employment income that customers report to DHS, and the PAYG payment summary information that employers provide to the ATO.[3] Where a discrepancy is identified, compliance action may be taken.
  • the NEIDM program, which matches non-employment income data from the ATO with information that DHS collects from customers about their income. The NEIDM program began in 2016 and focuses on identifying discrepancies between income reported by customers to Centrelink and to the ATO. This includes declared earnings, compensation payments and real estate income.[4] Where a discrepancy is identified, compliance action may be taken.

2.5 The OAIC understands that the ATO internally refers to the NEIDM and PAYG data matching programs as the Annual Investment Income Report (AIIR) and Payment Summary Annual Report (PSAR) data exchanges respectively. However, this report will refer to the two data matching programs as NEIDM and PAYG to be consistent with the terminology used in the data matching protocols for both programs.

2.6 For the NEIDM program, the data is sourced from selected labels on income tax return forms. This includes both employment income (such as salary and wages) and non-employment income (such as interest and dividends). For the PAYG program, the data is sourced from the PSAR, which includes payment summaries issued by an employer.

2.7 All data matching activities related to the NEIDM and PAYG programs are carried out in the ATO’s Mainframe system (Mainframe), which is a department-wide system used for other activities. Consequently, the OAIC considered department-wide documentation where appropriate in this assessment in relation to functions that contribute to the NEIDM and PAYG programs.

2.8 The data matching process begins with DHS transferring an ‘Annual Compliance Extract’ (ACE) file (which contains information on its customers) to Mainframe through a secure Optus Evolve link (Evolve link). The ATO creates a link file for every ACE file received from DHS. The link file contains customer reference numbers (CRNs), which are unique identifiers attached to DHS customers. The link file undergoes the identity matching process through the ATO’s Client Identification Compliance (CIDC) application software, which sits on Mainframe. This is an automated process that produces high-confidence matched data.

2.9 ICT specialists extract the matched data and attach tax file numbers (TFNs) and resolution codes as a part of internal processes. The Quality Assurance team conducts quality checks before removing the TFNs and sending the final data in bulk back to DHS through the Evolve link.

2.10 The data matching process concludes with DHS using the matched data to identify discrepancies and undertake appropriate compliance action as required. This assessment report does not consider DHS’s personal information handling practices.

2.11 The ATO has plans to replace the CIDC system with a new off-the-shelf system, Matching Client ID (MCID).

2.12 An overview of the ATO system and identity matching process used for the NEIDM and PAYG programs at the time of the assessment is outlined at Figure 1 below.

Figure 1 represents the data matching process described at paragraphs 2.8 to 2.10.

Figure 1 — Overview of the NEIDM and PAYG data matching information flows

Part 3: Findings

Our approach

3.1 The key findings of the assessment are set out below under the following headings:

  • governance, culture and training
  • internal practices, procedures and systems
  • risk management
  • ICT security
  • access security
  • third party providers
  • data breach response
  • physical security
  • destruction and de-identification.

3.2 For each issue, we have outlined a summary of the OAIC’s observations, the privacy risks arising from these observations, followed by recommendations or suggestions to address those risks.

3.3 As part of this assessment the OAIC has considered the:

  • APP Guidelines, which outline the mandatory requirements of the APPs, the way in which the OAIC will interpret the APPs and matters the OAIC may take into account when exercising functions and powers under the Privacy Act
  • OAIC’s Guide to Securing Personal Information, which provides guidance on reasonable steps and strategies entities may take to protect personal information in accordance with APP 11. The headings in this section of the report follow the structure of the reasonable steps set out in the Guide
  • OAIC’s Data breach preparation and response guide, when assessing the ATO’s data breach response plan. This guide assists Australian Government agencies, such as the ATO, with the management of data breaches in accordance with the Privacy Act
  • Australian Government’s Information Security Manual (ISM), which is issued by the Australian Signals Directorate, and is designed to assist Australian Government agencies such as the ATO in ‘using their risk management framework to protect their information and systems from cyber threats’.[5] The OAIC considers that complying with relevant standards, such as the ISM, is a reasonable step for an entity to take to meet its obligations under APP 11. Where an entity decides not to adopt a widely-used standard, the reasons for this decision should be clearly documented.[6]

3.4 What is ‘reasonable’ for the purposes of APP 11 will depend on the circumstances of each individual case. Given the scale and sensitivity of personal information that the ATO collects and retains, the OAIC considers it is reasonable to expect that the ATO will have a robust and comprehensive approach to protecting personal information.

Governance, culture and training

Oversight, accountability and decision-making

3.5 Entities should establish clear procedures for oversight, accountability and lines of authority for decisions regarding personal information security.

3.6 The ATO’s functions fall under five core Groups. The Client Engagement Group (CEG) undertakes the compliance function, which includes Memorandum of Understanding (MOU) obligations between the ATO and DHS. The CEG is also responsible for data governance and this function is specifically handled by the Data Management Branch.

3.7 The General Counsel, who is also the ATO’s Privacy Officer, handles day-to-day privacy matters and sits within ATO Corporate, under the Enterprise Strategy & Corporate Operations Group. Privacy matters are escalated from the Privacy Officer to the risk owner for privacy (SES Band 1[7]), who reports to the Privacy Champion (SES Band 2). The appointment of a Privacy Officer and Privacy Champion is considered a good accountability measure as it demonstrates the ATO’s commitment to privacy matters and compliance with the Australian Government Agencies Privacy Code (Privacy Code).

3.8 The ATO has a Privacy Network, comprised of representatives from across the agency, which meets every three to six months to discuss privacy matters. Each business line has a Privacy Network member who is the first point of contact for staff on privacy matters including complaints and incident reports on potential breaches.

3.9 Cyber security risks are owned by the Second Commissioner and Chief Information Officer (CIO), within the Enterprise Solutions & Technology (EST) Group. The Chief Information Security Officer (CISO) reports to the CIO, who chairs the ATO’s Security and Business Continuity Management Committee (Security Committee) and has overall oversight over ICT security. The Security Committee is comprised of senior managers from different business lines who meet monthly to discuss risk management and security matters.

3.10 The ATO advised that while the Privacy Champion is not listed as a member in the Security Committee Charter, communications between the Privacy and Cyber Security business areas are carried out regularly in practice. However, the OAIC considers that there is a low risk that, without formal representation on the Security Committee, privacy staff are excluded from some important security conversations. Therefore, the OAIC suggests that the ATO includes privacy representation on the Security Committee to ensure privacy staff are aware of important risk management and security matters discussed by the Security Committee.

Data matching relationship between the ATO and DHS

3.11 The ATO and DHS broadly manage their overarching service delivery arrangements through a Head Agreement. This is supported by a number of Service Schedules, which detail the governance and management of specific arrangements, including data exchange.

3.12 The Service Schedule for Data Exchange manages data transfers between the ATO and DHS, and outlines terms for complaints handling, reporting responsibilities, information management and risk management. This is accompanied by Abridged Arrangements, where specific details of data exchange arrangements are documented.

3.13 At an operational level, representatives from both the ATO and DHS manage day-to-day issues as a part of the Data Management Forum (Forum), such as assisting parties to monitor their performance and meet the obligations under the Service Schedule. The Forum reports to the Governance Committee, also known as the Consultative Forum, established under the Head Agreement.

3.14 The ATO advised during fieldwork that the Head Agreement was under review and the NEIDM and PAYG data matching protocols were also being amended to reflect the ATO as the source agency and DHS as the matching agency, in accordance with definitions set out in the OAIC’s Guidelines on Data Matching in Australian Government Administration. Noting that updates are underway, the OAIC suggests that, going forward, the ATO liaises proactively with DHS to ensure that the data matching protocols and, if appropriate, the Head Agreement or associated documents are up-to-date and accurately reflect the shared data matching responsibilities of the two agencies before the documents are finalised and, in the case of the protocols, published online.

3.15 At the time of this assessment, the Head Agreement did refer to the handling of security breaches and the undertaking of privacy impact assessments (PIAs). However, both the Head Agreement and the data exchange schedules did not mention the NDB scheme or the Privacy Code requirements (including the requirement to undertake PIAs for ‘high risk’ projects), which commenced on 22 February 2018 and 1 July 2018 respectively. This represents a medium risk that privacy obligations are not appropriately managed according to current legislative requirements.

3.16 The OAIC recommends that the ATO, in consultation with DHS, updates its Head Agreement and where applicable any other associated documents which govern the overarching service delivery arrangements with DHS to include privacy obligations under the NDB scheme and the Privacy Code.

Recommendation 1

The OAIC recommends that the ATO, in consultation with DHS, updates its Head Agreement and where applicable any other associated documents which govern the overarching service delivery arrangements with DHS to include privacy obligations under the Notifiable Data Breaches (NDB) scheme and the Australian Government Agencies Privacy Code (Privacy Code).

Personnel security, training and culture

3.17 All ATO staff undergo a pre-engagement integrity check upon commencement of employment, which grants them access to unclassified information (including ‘Sensitive’ information).[8] Staff, including contractors who require access to classified information (PROTECTED and above), undergo a formal security vetting process, conducted by the Australian Government Security Vetting Agency. For example, most staff in the MOU and Data Governance team, who handle the NEIDM and PAYG programs, have a minimum of Baseline security clearance, which allows them access to information up to PROTECTED. Access administrators require a Baseline security clearance as a minimum.

3.18 ATO managers complete a checklist of induction activities for all on-boarding staff, which includes the mandatory ‘Security Privacy and Fraud Awareness’ training module to be completed within one week of commencement of employment and prior to accessing any taxpayer records. Staff need to achieve at least 70% for the e-assessment component of the module to pass. The training module was recently revised to be more interactive and engaging. The module covers a range of topics, including general concepts of security and privacy, the APPs, fraud, secure usage and sharing of information as well as reporting of suspicious incidents.

3.19 The Internal Fraud Prevention and Internal Investigations Branch (Internal Fraud Branch) also offers face-to-face fraud awareness training to new staff and/or anyone with a business need.

3.20 The refresher privacy and fraud training was recently amended to be undertaken annually as opposed to every two years. Managers are notified if their staff have not completed the training before the due date.

3.21 General privacy and security awareness is promoted by the Communications team in the form of news articles and pop-up messages as staff log into their accounts and on SharePoint[9] sites. Senior managers liaise across the ATO to raise awareness of fraud and corruption risks. There are communication campaigns that coincide with Privacy Awareness Week, informing staff about their obligations under the Privacy Code.

3.22 The ATO appears to have good privacy and security governance processes in place to foster a privacy and security-aware culture.

Internal practices, procedures and systems

3.23 The ATO provided a snapshot of the internal and external communication activities that were used to inform ATO staff of their Privacy Code obligations. The effectiveness of internal communications is evaluated on a quarterly basis, which details the number of views where information on the Privacy Code has featured in the ATO’s online platforms. It is good practice that the ATO is taking proactive measures to ensure continued effectiveness of its communication strategies.

Cyber security and privacy documentation

3.24 Entities should document the internal practices, procedures and systems that are used to protect personal information. This documentation should outline the personal information security measures that are established and maintained against the risks and threats to personal information. These documents should be regularly reviewed and updated to ensure they reflect current practices.

3.25 The OAIC reviewed several ICT security and privacy related documents before and after fieldwork. These documents included policies and instructions relating to access controls, incident and data breach management. Most of the documents were reviewed within the last 15 months and some documents were under review at the time of the assessment, following recent updates to the ISM.

3.26 The ISM states that agencies should review information security documentation at least annually or in response to significant changes in the environment, business or system. It is also considered a reasonable step under APP 11 to regularly review and update documents to ensure that they reflect current information handling practices. The OAIC found one document on systems accreditation[10] that was last updated in 2014, which was over five years ago at the time of the assessment. Given the rapidly evolving and dynamic nature of the ICT security space, security documentation should be regularly reviewed and updated to incorporate new developments and practices. The ATO’s outdated accreditation documentation represents a medium risk that considerations for the current risk environment are not reflected in its internal practices and procedures. The OAIC recommends that the ATO reviews and updates its accreditation documentation to incorporate new developments and practices.

3.27 As required under the Privacy Code, the ATO has a Privacy Management Plan (PMP) based on the OAIC’s template and maintains a record of personal information holdings, which details all ATO systems that contain personal information, associated access controls and responsible officers. The PMP identifies specific and measurable privacy goals and senior management are routinely informed about privacy issues in quarterly conformance reports. The ATO also provided a Personal Information Data Breach Response Plan (DBRP), which is discussed in greater detail in the ‘Data breach response’ section of this report.

3.28 The OAIC notes that the operational relationship and coordination between Cyber Security and Privacy functions are not formally documented in current internal policies. While privacy documentation, such as the PMP and DBRP, lists Cyber Security contacts as stakeholders, ICT security documentation does not mention any interactions with the General Counsel or Privacy Officer if an incident impacts on privacy. Given the overlap between the two business areas in terms of breach management and mitigation, this represents a medium risk that the appropriate action and escalation processes are not followed in the event of a suspected data breach or security incident.

3.29 The OAIC recommends that the ATO reviews and updates its internal policies to highlight the operational relationship between Cyber Security and Privacy functions as well as the roles and responsibilities of each area in the event of a cyber security incident or eligible data breach.

Recommendation 2

The OAIC recommends that the ATO regularly reviews its internal policy documents to ensure that they are up-to-date and reflect changes in the current risk environment. This includes updating its:

  • accreditation documentation to incorporate new developments and practices
  • policies to highlight the operational relationship between Cyber Security and Privacy functions as well as the roles and responsibilities of each area in the event of a cyber security incident or eligible data breach.

Risk management

3.30 The implementation of privacy and security risk management processes is integral to establishing robust and effective privacy and security practices, procedures and systems. These risk management processes allow an entity to identify, assess, treat and monitor privacy risks related to its activities. Good privacy risk management informs and triggers changes to practices, procedures and systems to better manage privacy risks.

3.31 Day-to-day risks at the ATO are assessed at the staff level in accordance with the risk management framework and escalated depending on the likelihood of impact. Every business line has its own risk register. High-risk items are reported up to senior management. The ATO advised that the Standing Risk Committee is the risk owner.

Security risk assessments and privacy impact assessments (PIAs)

3.32 The ATO conducts privacy threshold assessments (PTAs) to assess the need for a PIA on large projects, in accordance with the Privacy Code. The ATO maintains two PIA registers – one on the public-facing website and another for internal use. Staff can find guidance material on PIAs, including how to conduct them, through the General Counsel’s SharePoint page.

3.33 Staff can view all the projects that they are involved in through the online PIA register. The ATO showed the OAIC, during fieldwork, a copy of the PIA template that is currently in use, which includes a summary, recommendations, relevant APPs and project description. Sign-off from senior management is required before projects are recorded on the PIA register.

3.34 In 2017, the ATO completed an in-house security risk assessment against the ISM requirements on the new MCID system that will replace the current CIDC system, which is used to conduct data matching for the NEIDM and PAYG programs (noted at paragraph 2.11). This risk assessment identified security control gaps, which were analysed and decisions were made to rectify the gaps within the CIDC system.

3.35 The OAIC notes that the ATO has comprehensive processes in place to assess and manage security and privacy risks, including PTAs, PIAs and ISM security assessments on the data matching systems used for the NEIDM and PAYG programs. However, in view of the complexity of the current risk environment and framework, the OAIC suggests that the ATO continues to regularly evaluate its risk management policies and practices to ensure their continued effectiveness. Additionally, where new practices evolve, the OAIC suggests that these practices, and the reasons behind them, are appropriately documented.

ICT security

3.36 ICT security measures help mitigate the risks of internal and external attackers and the damage caused by malicious software such as malware, computer viruses and other harmful programs. ICT security measures should also ensure that the hardware, software and personal information stored on it remain accessible and useful to authorised users.

Software security and patching

3.37 The ATO has several ICT security policies which mandate the usage of application hardening,[11] whitelisting,[12] anti-virus scanning and endpoint firewalls[13] to secure its software environment.

3.38 The ATO conducts data matching on the NEIDM and PAYG programs using Mainframe, which is a legacy system.[14] Mainframe operates in a highly controlled software environment, running a specialised operating system, where little development work is carried out.

3.39 The ATO uses a combination of desktop and laptop computers for its staff and these devices run a Standard Operating Environment (SOE)[15] that is identical across multiple devices. The SOE was designed and tested by the ATO and its service provider to meet government security requirements. The ATO also uses an Intrusion Prevention System to detect malicious activities and anti-virus software to detect malicious software. These are good security measures in accordance with the ISM and are also considered reasonable steps under APP 11 to safeguard information against cyber threats.

3.40 The ATO automates client patching[16] which allows patching to be coordinated and helps to ensure patches are applied consistently across all assets.

3.41 The ATO appears to have adequate systems in place to detect and manage information security vulnerabilities that relate to systems used for the PAYG and NEIDM programs. The OAIC suggests that the ATO continues to regularly monitor the operation and effectiveness of their software security measures to ensure that they remain responsive to changing threats and vulnerabilities and other issues that may impact the security of personal information.

Encryption

3.42 Encryption is important in many circumstances to ensure that information is stored in a form that cannot be easily understood by unauthorised users or entities. Encryption methods should be reviewed regularly to ensure they continue to be relevant and effective and are used where necessary.

3.43 NEIDM and PAYG data is transferred between the ATO and DHS via a secure Evolve link where encryption is implemented at each end. This means all traffic via this link is encrypted which prevents interception by a third party. In the event that the Evolve link does not work, the ATO advised that the data is transferred using password-protected Zip files[17] via a secure facility for organisations to reliably and securely transfer files. The transfer of information via this method has been risk-assessed against ISM requirements.

3.44 The ATO uses a secure primary encryption algorithm, the Advanced Encryption Standard with a 256-bit key (AES256), and the Data Encryption Standard (DES) as a secondary, fallback algorithm. DES is no longer considered a secure encryption algorithm and if an attack or system issue results in the fallback algorithm being used, data on the Evolve link is more likely to be compromised. While there is a low risk of compromise, as an attacker would have to wait for the system to use the fallback algorithm or tamper with communications to force the system to use it, the OAIC suggests that the ATO considers implementing a more secure secondary encryption algorithm or removing the Evolve link’s ability to use weak secondary encryption algorithms such as DES.
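The downgrade risk described above is easiest to see with a negotiation policy laid out in code. The following is an added example and is not the ATO’s, DHS’s or Optus’s code; the cipher identifiers, the two policies and the link log lines are all constructed for illustration. It shows the weak setting (a preference list that still contains DES so the link silently falls back to it) beside the corrected one (no weak cipher in the list, so a peer that can only offer DES is refused), and a detection routine a defender would run over link logs to flag any session that did negotiate a weak cipher.

```python
"""Cipher-negotiation policy check and downgrade detection.

Added example, not the ATO's or the link provider's code. Cipher names,
policies and log lines below are constructed for illustration.
"""
from dataclasses import dataclass

# Strength classes for the constructed cipher identifiers used here.
STRONG = {"AES-256-GCM", "AES-128-GCM"}
WEAK = {"DES-CBC", "3DES-CBC", "RC4-128"}   # DES-class and other legacy ciphers


@dataclass(frozen=True)
class LinkPolicy:
    name: str
    preference: tuple   # local preference order, strongest first


# The weak setting beside the corrected one (both constructed).
FALLBACK_ALLOWED = LinkPolicy("aes-with-des-fallback", ("AES-256-GCM", "DES-CBC"))
HARDENED = LinkPolicy("aes-only", ("AES-256-GCM", "AES-128-GCM"))


class NegotiationError(Exception):
    """Raised when no mutually acceptable cipher exists (fail closed)."""


def validate_policy(policy):
    """Return the weak ciphers a policy would still accept.

    An empty list means the policy cannot be downgraded by a peer that
    withholds the strong ciphers, because nothing weak is on the list."""
    return [c for c in policy.preference if c in WEAK]


def negotiate(policy, peer_offer):
    """Pick the first locally preferred cipher the peer also offers.

    With FALLBACK_ALLOWED a peer (or a tamperer stripping the AES offer)
    that presents only DES gets DES. With HARDENED the same offer raises."""
    for cipher in policy.preference:
        if cipher in peer_offer:
            return cipher
    raise NegotiationError(f"{policy.name}: no mutually acceptable cipher")


def negotiation_fails(policy, peer_offer):
    """True if the policy refuses the offer outright."""
    try:
        negotiate(policy, peer_offer)
    except NegotiationError:
        return True
    return False


def find_downgrades(log_lines):
    """Return session ids that negotiated a weak cipher.

    Input lines follow a constructed format:
    'session=<id> peer=<host> cipher=<name>'."""
    flagged = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        if fields.get("cipher") in WEAK:
            flagged.append(fields["session"])
    return flagged


# Constructed link log: session 2 fell back to DES and should be alerted on.
SAMPLE_LOG = [
    "session=1 peer=partner-gw cipher=AES-256-GCM",
    "session=2 peer=partner-gw cipher=DES-CBC",
    "session=3 peer=partner-gw cipher=AES-256-GCM",
]

if __name__ == "__main__":
    print("weak ciphers in fallback policy:", validate_policy(FALLBACK_ALLOWED))
    print("peer offers only DES, fallback policy ->", negotiate(FALLBACK_ALLOWED, {"DES-CBC"}))
    print("peer offers only DES, hardened policy refuses:", negotiation_fails(HARDENED, {"DES-CBC"}))
    print("sessions that downgraded:", find_downgrades(SAMPLE_LOG))
```

The point of `find_downgrades` is that removing DES from the policy is the fix, but until that change lands, an alert on any session whose negotiated cipher is in the weak set tells the operator the fallback was actually exercised rather than merely being possible.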

Network security

3.45 Entities must have appropriate security controls in place to protect their network. This may include using firewalls, which control the incoming and outgoing network traffic, and software applications, such as filtering, that monitor network or system activities for malicious activities, anomalous behaviour, or policy violations.

3.46 The exterior of the ATO network is protected by firewalls, which reduce the number of ways that an attacker could compromise the system. The ATO segregates the internal and external networks using internal firewalls. Traffic from external-facing systems must pass through a secure gateway before travelling to external networks.

3.47 The ATO laptops and computer devices can access the internal network only when they are docked at a desk. Personal laptops or computers are prohibited from accessing the ATO network. For all other connections, including wireless connections in meeting rooms, a remote access program and virtual desktop environments[18] are used to access systems. Remote access sessions do not allow any data to be copied to a computer’s local storage. This reduces the risk of personal information, such as data from the NEIDM and PAYG programs, leaving the ATO network and becoming compromised.

3.48 The OAIC observed the virtual log-in process during fieldwork, which requires MFA.[19] The first step involves username and password, followed by an additional security code that is sent to a phone or laptop. The virtual desktop automatically times out after three minutes of inactivity.
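To make the second factor in the login flow above concrete, and to illustrate the MFA recommendation for administrative accounts in Part 1, the following is an added example, not the ATO’s code or a description of its actual second factor. The report describes a code sent to a phone or laptop; this example swaps in a time-based one-time password (TOTP, RFC 6238), since that can be verified offline, and shows the two checks a verifier must make beyond “does the code match”: a small clock-skew window, and refusal to accept a code for a time step that has already been used (replay). The secret and timestamps used in the tests are the RFC 6238 reference vectors.

```python
"""TOTP second-factor verification with skew window and replay protection.

Added example, not the ATO's code. TOTP is a swapped-in technique; the
report describes a code delivered to a phone. Secret below is the RFC
6238 reference secret, used only for the reference test vectors.
"""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a given counter."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based code: HOTP over the current time step (RFC 6238)."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side verifier for one enrolled second factor.

    window=1 accepts the previous, current and next time step to absorb
    clock skew. last_counter records the highest step already consumed so
    a captured code cannot be replayed within the window."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1

    def verify(self, code, now):
        base = int(now) // self.step
        for counter in range(base - self.window, base + self.window + 1):
            if counter <= self.last_counter:
                continue                                   # already used: block replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):        # constant-time compare
                self.last_counter = counter
                return True
        return False


# RFC 6238 reference secret (ASCII "12345678901234567890"), 8-digit codes.
REFERENCE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier(REFERENCE_SECRET, digits=8)
    code = totp(REFERENCE_SECRET, 59, digits=8)
    print("code at t=59:", code)                            # 94287082 per RFC 6238
    print("first use accepted:", v.verify(code, 59))
    print("replay rejected:", v.verify(code, 59))
```

The replay check is the part most often missing from home-grown verifiers: without `last_counter`, a code observed once remains valid for up to three time steps under a window of 1, which is the interval an attacker who has phished the first factor needs.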

3.49 The NEIDM and PAYG data exchanges are tightly controlled because data on Mainframe cannot be easily exported and loaded into another location such as a data warehouse. Specific workstations allow information to be downloaded from Mainframe, using an encrypted password, but the ATO noted that those circumstances are rare.

3.50 In the context of the NEIDM and PAYG programs, the OAIC did not identify any privacy risks in relation to the ATO’s network security and programs which facilitate remote access.

Whitelisting and Blacklisting

3.51 Whitelisting and blacklisting are ways of controlling the content, applications or entities that are allowed to run on or access a device or network. Both can prevent potentially harmful material from accessing a particular system.

3.52 The ATO’s System Security Management instruction describes the requirement to use application whitelisting. Whitelisting is installed on all ATO workstations and exposed servers, such as those handling email or web connections.

3.53 The ATO network is protected by website whitelisting and blacklisting applications. The lists used for whitelisting and blacklisting are reviewed at least annually. Staff may receive an exemption to web filtering[20] controls if they have a business need and these exemptions are reviewed at the same time as the lists are audited.

3.54 Based on limited observations, the ATO appears to have adequate controls in place to protect the network used for the NEIDM and PAYG programs through application whitelisting.

Testing

3.55 The ATO’s Information Technology Security regulation document states that software used in the ATO must be assessed and tested for security before being used in the production environment.[21] The ATO has implemented a separate development environment, which prevents development systems from accessing the rest of the ATO network. Testing is only performed on test systems and never with production systems. Data sets are created for testing either by generating the data to match known patterns or by taking production data and perturbing it to remove the ability to retrieve personal information from the data.

3.56 The System Security Management instruction states that the ATO’s ICT systems should undergo vulnerability assessment before going into production and following a major change. Mainframe, which is used for the processing of the NEIDM and PAYG data matching programs, underwent testing over 30 years ago when the system was first developed. Vulnerability scans[22] and penetration tests[23] were also undertaken. These are examples of good privacy practices under APP 11 to test for security weaknesses before systems become operational to all users.

3.57 The ISM states that not conducting vulnerability scanning and/or penetration testing on systems for over a year increases the chance that vulnerabilities will go undetected, leading to system compromise. The ATO was unable to provide evidence of recent vulnerability scanning or penetration testing of NEIDM and PAYG systems. While the risk of compromise is low as the ATO’s information security framework and in-house assessment capability is likely to detect system vulnerabilities in a timely manner, the OAIC suggests that the ATO conducts a vulnerability scan at least annually for the systems used for the processing of NEIDM and PAYG data.

Backing up

3.58 Entities should make copies of important files that they hold and store them on a physical device or online using a cloud-based storage solution, to prevent personal information being lost.

3.59 Mainframe’s production system is distributed across two data centres, with processing moving from the primary data centre to the secondary data centre in the case of a disaster. Some applications share processing across sites, which allows data to be processed at either site and synchronised to ensure the information stays consistent. Other applications normally process data at only one site and data is replicated to the other site, so that processing can continue if the first site stops operating.

3.60 The ATO’s user files and emails are backed up several times a day and fully backed up each weekend. All objects on Mainframe are backed up using a combination of full backups and differential backups[24] that are stored in the virtual tape system.[25] The backups made on Sundays are copied to tape and stored offsite.
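The backup scheme described in paragraph 3.60 and footnote [24] is easiest to see in code. The following is an added example, not ATO code: it simulates a weekend full backup followed by daily differential backups, shows that each differential holds everything changed since the full backup (so it grows through the week), and that a restore needs only the full backup plus the single most recent differential. The file names, contents and the week of changes are constructed; the handling of deleted files is an assumption about what a correct differential must record, not something the report states.

```python
"""Full plus differential backup cycle, and what a restore needs.

Added example, not ATO code. It models the scheme in the report: a full
backup each weekend and differential backups in between, each holding
everything changed since the last full backup. File names, contents and
the week of changes are constructed for illustration.
"""
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, bytes]  # path -> content on the live system

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class FullBackup:
    def __init__(self, day: date, files: Snapshot) -> None:
        self.day = day
        self.files = dict(files)
        self.hashes = {path: digest(content) for path, content in files.items()}

class DifferentialBackup:
    """Everything added or changed since `base`, plus the paths deleted since
    then. Deletions must be recorded (assumption about a correct scheme),
    otherwise a restore resurrects files removed after the full backup."""

    def __init__(self, day: date, base: FullBackup, files: Snapshot) -> None:
        self.day = day
        self.base = base
        self.changed = {path: content for path, content in files.items()
                        if base.hashes.get(path) != digest(content)}
        self.deleted = sorted(path for path in base.files if path not in files)

    def size(self) -> int:
        return len(self.changed) + len(self.deleted)

def restore(full: FullBackup, diff: Optional[DifferentialBackup]) -> Snapshot:
    """A restore needs exactly two pieces: the last full backup and the most
    recent differential, not a chain as incremental backups would need."""
    files = dict(full.files)
    if diff is not None:
        assert diff.base is full, "differential must be paired with its own full backup"
        files.update(diff.changed)
        for path in diff.deleted:
            files.pop(path, None)
    return files

def simulate_week(sunday: date, states: List[Snapshot]) -> Tuple[FullBackup, List[DifferentialBackup]]:
    """states[0] is the system on Sunday (full backup); states[1:] are the
    end-of-day states for the following days (one differential each)."""
    full = FullBackup(sunday, states[0])
    diffs = [DifferentialBackup(sunday + timedelta(days=i), full, state)
             for i, state in enumerate(states[1:], start=1)]
    return full, diffs

# Constructed week of activity on a small file set.
SUNDAY = date(2019, 4, 7)
WEEK: List[Snapshot] = [
    {"a.dat": b"v1", "b.dat": b"v1", "c.dat": b"v1"},  # Sun: full backup
    {"a.dat": b"v2", "b.dat": b"v1", "c.dat": b"v1"},  # Mon: a changed
    {"a.dat": b"v2", "b.dat": b"v2", "c.dat": b"v1"},  # Tue: b changed
    {"a.dat": b"v2", "b.dat": b"v2"},                  # Wed: c deleted
    {"a.dat": b"v2", "b.dat": b"v2", "d.dat": b"v1"},  # Thu: d added
]

def differential_sizes() -> List[int]:
    """Entries in each differential, Monday to Thursday; never shrinks."""
    _, diffs = simulate_week(SUNDAY, WEEK)
    return [d.size() for d in diffs]

def restore_day(index: int) -> Snapshot:
    """Restore the system as it was at the end of WEEK[index]."""
    full, diffs = simulate_week(SUNDAY, WEEK)
    return restore(full, None if index == 0 else diffs[index - 1])

if __name__ == "__main__":
    print("differential sizes Mon..Thu:", differential_sizes())
    print("restore Thursday:", sorted(restore_day(4)))
```

The growing differential is the trade-off behind the scheme: more tape per day than an incremental chain, but a restore that depends on only two objects, which matters when the secondary site has to come up quickly after the primary is lost.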

3.61 The ATO appears to have adequate security measures in place to ensure that the systems used for the NEIDM and PAYG programs are regularly backed up and continue to be accessible in the event of primary systems being destroyed or there being a security breach or incident.

Email security

3.62 The ATO corresponds with most external agencies, such as DHS, via a secure email channel called GovLink (formerly Fedlink).[26] This may include one-off deliveries of personal information if there is a need due to specific arrangements or client needs. Special use cases are discussed with the Cyber Security business area before being implemented to make sure the information security risks are understood.

3.63 For the NEIDM and PAYG programs, the ATO verifies the number of matched records sent to and subsequently received by DHS. Incoming email is scanned using an email security and content management gateway application, which blocks threats such as spam emails and viruses. All outgoing email is checked for prohibited file types, attachment size, malicious software and keywords or information classification.

3.64 The OAIC did not identify any privacy risks in relation to the ATO’s email security used for the correspondence between the ATO and DHS on the NEIDM and PAYG programs.

Access security

3.65 Access security and monitoring controls help entities protect against internal and external risks by ensuring that personal information is only accessed by authorised users.

Trusted insider risk

3.66 Entities need to guard against internal threats such as unauthorised access or misuse of personal information by staff, including contractors.

3.67 Access to ATO systems is based on the position number, not the individual, as outlined in the ATO’s Access Control and Delegated Rights baseline document. When staff change positions within the organisation, they assume a new position number, which allows them access to systems that are attached to the new position. This is logged in the human resources (HR) system, which keeps track of who occupied each position at any given time so that privileges at a point in the past can be ascertained.
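The position-based model in paragraph 3.67 matters most after an incident, when the question is "who could reach this system on that day?". The following is an added example, not ATO code or the ATO's HR schema: it models position numbers carrying access, an HR history of who occupied each position and when, and the point-in-time queries an investigator would run. Position numbers, system names, people and dates are constructed. The half-open date intervals and the double-occupancy check are design choices of this example.

```python
"""Point-in-time reconstruction of system access from HR position history.

Added example, not ATO code. It models the arrangement in the report:
access is attached to a position number rather than a person, and the HR
system records who occupied each position and when, so the privileges a
person held on a past date can be worked out. Position numbers, system
names, people and dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Union

def as_date(value: Union[date, str]) -> date:
    return value if isinstance(value, date) else date.fromisoformat(value)

@dataclass(frozen=True)
class Occupancy:
    person: str
    position: str
    start: date
    end: Optional[date] = None  # None: still in the position

    def covers(self, day: date) -> bool:
        # Half-open interval [start, end): the day someone leaves a position
        # is the first day their successor holds it, with no overlap.
        return self.start <= day and (self.end is None or day < self.end)

# Constructed: the systems each position number carries access to.
POSITION_ACCESS: Dict[str, Set[str]] = {
    "POS-1001": {"MAINFRAME", "CASE-MGMT"},
    "POS-1002": {"CASE-MGMT"},
    "POS-2001": {"MAINFRAME", "DATA-MATCHING", "CASE-MGMT"},
}

# Constructed HR history. Moving position means the old position's access
# ends and the new position's access begins on the same day.
HR_HISTORY: List[Occupancy] = [
    Occupancy("alice", "POS-1001", date(2017, 3, 1), date(2018, 9, 30)),
    Occupancy("alice", "POS-2001", date(2018, 9, 30)),
    Occupancy("bob", "POS-1002", date(2018, 1, 15)),
    Occupancy("carol", "POS-1001", date(2018, 9, 30), date(2019, 2, 1)),
]

def positions_on(person: str, day: Union[date, str]) -> Set[str]:
    day = as_date(day)
    return {o.position for o in HR_HISTORY if o.person == person and o.covers(day)}

def access_on(person: str, day: Union[date, str]) -> Set[str]:
    """Systems a person could reach on a given day through their position(s)."""
    systems: Set[str] = set()
    for position in positions_on(person, day):
        systems |= POSITION_ACCESS.get(position, set())
    return systems

def who_had_access(system: str, day: Union[date, str]) -> Set[str]:
    """The investigator's question: who could reach this system on this day?"""
    day = as_date(day)
    return {o.person for o in HR_HISTORY
            if o.covers(day) and system in POSITION_ACCESS.get(o.position, set())}

def double_occupancies() -> List[str]:
    """Data-quality check: a position held by two people on the same day means
    the HR record, and therefore any reconstruction built on it, is wrong."""
    problems = []
    for i, a in enumerate(HR_HISTORY):
        for b in HR_HISTORY[i + 1:]:
            if a.position != b.position or a.person == b.person:
                continue
            latest_start = max(a.start, b.start)
            if a.covers(latest_start) and b.covers(latest_start):
                problems.append(f"{a.position}: {a.person} and {b.person} from {latest_start}")
    return problems

if __name__ == "__main__":
    print("alice on 2018-06-01:", sorted(access_on("alice", "2018-06-01")))
    print("MAINFRAME on 2018-10-15:", sorted(who_had_access("MAINFRAME", "2018-10-15")))
    print("double occupancies:", double_occupancies())
```

The reconstruction is only as good as the HR record, which is why the example includes the double-occupancy check: an overlap means the answer to "who had access" is ambiguous for that period.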

3.68 Access to systems and resources in Mainframe is controlled by Resource Access Control Facility (RACF), which is a security software product used to assign access based on user identities (user IDs) and on a need-to-know basis.

3.69 While managers can grant access to core systems, additional access, such as restricted roles, requires an online application which justifies the business need and is subject to third party approval. Restricted roles have a 12-month expiry. One month prior to expiry, managers will receive an email reminder to review if access is still required.

3.70 ATO customers with a high level of public interest, such as high-wealth individuals or public figures, are in lockdown to restrict access. While those clients are included in some data exchanges, such as the NEIDM and PAYG programs, access is restricted to selected staff with Baseline security clearance and above.

3.71 The ATO has an audit process that identifies accounts that need to be reviewed and passes this list to the appropriate manager for review. In addition to the checks by the manager, an independent team also audits accounts for appropriate levels of access.

3.72 Access to all systems is deactivated when a staff member leaves the agency or goes on leave for more than six weeks. The manager inputs the date of notification and sends the completed separation form, which automatically triggers a number of emails to different areas of the ATO, including telephony, ICT, guard desk and HR. While this process is supplemented by account audits, the manual nature of the process represents a low risk that access privileges may not be revoked when an individual ceases employment at the ATO. Therefore, the OAIC suggests that the ATO automates or integrates systems to reduce reliance on manual processes for exiting staff.

Administrator access, identity management and authentication

3.73 Entities should have processes in place to identify individuals accessing particular systems and control their access by associating user rights and restrictions with their identity. This will ensure that only authorised users can access particular systems.

3.74 The policy for account management is described in the ATO’s Account and Password Management instruction. The ATO advised that user IDs are never recycled, including those assigned to exiting staff members. All identities are therefore linked to a person and there is no sharing of accounts.

3.75 Automatic rules have been set up so that accounts that have been inactive for 90 days are disabled. Administrative accounts are granted for a maximum of 12 months and will automatically be disabled if not reviewed.
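Paragraphs 3.72 and 3.75 together describe four account lifecycle rules: disable on separation, disable on leave of more than six weeks, disable after 90 days of inactivity, and administrative grants that lapse after 12 months unless reviewed, with a reminder a month beforehand. The following is an added example, not ATO code, of running those rules as one automated review over a set of account records, which is the kind of integration paragraph 3.72 suggests. The account records, field names, review date and the reading of "one month" as 30 days are constructed assumptions.

```python
"""Account lifecycle review: inactivity, expiry of administrative grants,
separations and long leave.

Added example, not ATO code. Thresholds follow the report: accounts inactive
for 90 days are disabled; administrative access is granted for at most
12 months and lapses unless reviewed, with a reminder a month beforehand;
access is deactivated when staff leave or take more than six weeks' leave.
Account records, field names and the review date are constructed.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(days=90)
LONG_LEAVE = timedelta(weeks=6)
REMINDER_LEAD = timedelta(days=30)  # "one month" taken as 30 days (assumption)
ADMIN_GRANT_MONTHS = 12

@dataclass
class Account:
    user_id: str
    created: date
    last_logon: Optional[date] = None
    admin_granted: Optional[date] = None    # date of grant or of last review
    separation_date: Optional[date] = None  # from the separation form
    leave: Optional[Tuple[date, date]] = None  # (first day of leave, return day)

def add_months(day: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    index = day.month - 1 + months
    year, month = day.year + index // 12, index % 12 + 1
    return date(year, month, min(day.day, calendar.monthrange(year, month)[1]))

def review(accounts: List[Account], today: date) -> List[Tuple[str, str, str]]:
    """Return (user_id, action, reason) triples. More than one action can
    apply to an account; the caller applies all of them."""
    actions = []
    for acct in accounts:
        if acct.separation_date is not None and acct.separation_date <= today:
            actions.append((acct.user_id, "disable", "separated"))
        if acct.leave is not None:
            start, end = acct.leave
            if start <= today < end and end - start > LONG_LEAVE:
                actions.append((acct.user_id, "disable", "leave longer than six weeks"))
        last_seen = acct.last_logon or acct.created  # never-used accounts age from creation
        if today - last_seen >= INACTIVITY_LIMIT:
            actions.append((acct.user_id, "disable", "inactive for 90 days"))
        if acct.admin_granted is not None:
            expiry = add_months(acct.admin_granted, ADMIN_GRANT_MONTHS)
            if expiry <= today:
                actions.append((acct.user_id, "revoke_admin", "grant expired without review"))
            elif expiry - today <= REMINDER_LEAD:
                actions.append((acct.user_id, "remind_manager", f"admin grant expires {expiry}"))
    return actions

# Constructed review date and account records.
TODAY = date(2019, 4, 16)
SAMPLE_ACCOUNTS = [
    Account("u100", date(2015, 1, 5), last_logon=date(2019, 4, 10)),
    Account("u101", date(2016, 6, 1), last_logon=date(2018, 12, 1)),
    Account("u102", date(2019, 3, 1)),  # new starter, never logged on
    Account("u103", date(2012, 2, 1), last_logon=date(2019, 4, 11),
            separation_date=date(2019, 4, 12)),
    Account("u104", date(2014, 8, 1), last_logon=date(2019, 3, 29),
            leave=(date(2019, 4, 1), date(2019, 6, 1))),
    Account("a200", date(2010, 1, 1), last_logon=date(2019, 4, 15), admin_granted=date(2018, 4, 1)),
    Account("a201", date(2010, 1, 1), last_logon=date(2019, 4, 15), admin_granted=date(2018, 5, 10)),
    Account("a202", date(2010, 1, 1), last_logon=date(2019, 4, 15), admin_granted=date(2018, 12, 1)),
]

if __name__ == "__main__":
    for user_id, action, reason in review(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user_id}: {action} ({reason})")
```

Two details carry the security weight: a never-used account ages from its creation date rather than being exempt from the inactivity rule, and the administrative grant is checked against a calendar expiry date so that a review that was never done cannot silently extend the grant.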

3.76 The Information Technology Security Access Control and Delegated Rights baseline document states that, where possible, MFA must be used for system administrator access, remote access and other higher risk accounts. System administrator access allows a user to access systems and information without going through the usual approval channels or to alter the operation of the system and reduce its level of security. A malicious user with administrator access may be able to compromise a large number of systems or information.

3.77 While access to the virtual desktop environment requires MFA (noted at paragraph 3.48), the ATO advised that the general application of MFA for administrative access is not yet implemented. Despite plans to widen the implementation of MFA usage, at the time of the assessment, the ATO’s lack of widespread use, especially among privileged users, represents a medium risk that access security could be compromised. The implementation of MFA is also considered a reasonable step under APP 11 to limit and control access to a system or network, and also to the information contained within it.[27] Therefore, the OAIC recommends that the ATO implements MFA for all administrative accounts, especially for privileged and/or higher risk users.

Recommendation 3

The OAIC recommends that the ATO implements multi-factor authentication (MFA) for all administrative accounts, especially for privileged and/or higher risk users.

Passwords

3.78 Entities should use passwords and passphrases to identify that users requesting access to any particular systems are authorised users.

3.79 The Account and Password Management instruction contains requirements for passwords at the ATO. This is reinforced in the ‘Security Privacy and Fraud Awareness’ training module. Account passwords for all ATO domains must be at least nine characters long and meet complexity requirements. The only exception is Mainframe where passwords must be a minimum of six and a maximum of eight characters due to limitations of a legacy system. The ATO advised that this is a known issue and there are no plans to change password rules for Mainframe as the system is expected to be replaced in the next 15 months.

3.80 User workstations automatically lock after 15 minutes of inactivity and a password is required to unlock the computer. Virtual log-in sessions will timeout after three hours, however, exceptions can be granted if there is a business need.

3.81 The ATO’s use and enforcement of complex passwords to identify that users requesting access to its systems are authorised users is a good privacy protective measure. Therefore, the OAIC encourages the ATO to continue the enforcement of password and account lock-out rules to protect user access and accounts.

Audit logging and monitoring

3.82 Unauthorised access of personal information can be detected by reviewing a record of system activities, such as an audit log. The use of proactive monitoring to identify possible unauthorised access or disclosure, including breaches, is considered a reasonable step under APP 11 to safeguard personal information.

3.83 The Audit Logging instruction states that logging is performed on all ATO systems, including Mainframe. Audit logs are reviewed periodically, analysed in a timely manner, and archived in a manner that maintains their integrity in accordance with the Archives Act 1983. System logs are designed to not contain any personal information, which reduces the risk of unauthorised access to logs or a data breach involving logged information.

3.84 The ATO logs security events such as user log-on, user log-off, permission changes and password failures. While Mainframe is a legacy system, the ATO advised that it has well-developed security monitoring tools where all activities are logged, and using them requires specialised coding knowledge as well as the appropriate access level. In addition, applications have their own audit logging plan which describes logging requirements and the storage of logs, such as in the Central Audit Logging (CAL) system or another facility.

3.85 The CAL system provides a central point for the storage and protection of logging information and is composed of dedicated servers with a heightened level of protection which the ATO advised is in accordance with ISM requirements. The ATO implements the CAL system at two sites and data is replicated from the primary site to the secondary site within minutes. Each day, both sites are fully backed up to backup servers.

3.86 The Risk team within the Internal Fraud Branch runs monthly detection scans of audit logs and the results are used for further investigation and handling as required. Managers can also request specific scans on individual staff if they detect suspicious behaviour.
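Paragraphs 3.84 to 3.86 describe the inputs (log-on, log-off, permission change and password failure events, held centrally) and the practice (periodic detection scans) without showing what a scan looks for. The following is an added example, not ATO code and not the ATO's log format: it parses a constructed set of audit events and runs two detections over them, password guessing that ends in a successful log-on, and a permission change that is out of hours, made by a non-administrator or self-granted. The line format, field names, thresholds, business hours, administrator list and the log lines themselves are constructed.

```python
"""Detections over audit-log events: password guessing that ends in a
successful logon, and suspicious permission changes.

Added example, not ATO code. Event types follow the report (log-on, log-off,
permission change, password failure); the line format, field names,
thresholds, business hours, administrator list and the log lines are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

FAILURE_THRESHOLD = 5                  # failures before a success that count as guessing
FAILURE_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 19)          # 07:00 to 18:59 is in-hours (assumption)
ADMINS = {"adm01", "adm02"}            # constructed: accounts allowed to change permissions

SAMPLE_LOG = """\
2019-04-10T08:01:12 event=LOGON user=u123 result=SUCCESS src=10.0.1.5
2019-04-10T08:03:05 event=PWD_FAIL user=u456 src=10.0.1.9
2019-04-10T08:03:21 event=PWD_FAIL user=u456 src=10.0.1.9
2019-04-10T08:03:40 event=PWD_FAIL user=u456 src=10.0.1.9
2019-04-10T08:04:02 event=PWD_FAIL user=u456 src=10.0.1.9
2019-04-10T08:04:19 event=PWD_FAIL user=u456 src=10.0.1.9
2019-04-10T08:04:55 event=LOGON user=u456 result=SUCCESS src=10.0.1.9
2019-04-10T09:15:00 event=PERM_CHANGE actor=adm01 target=u789 change=ADD:DATAMATCH_RO
2019-04-10T12:30:10 event=PWD_FAIL user=u123 src=10.0.1.5
2019-04-10T12:30:30 event=LOGON user=u123 result=SUCCESS src=10.0.1.5
2019-04-10T17:45:00 event=LOGOFF user=u123
2019-04-10T22:10:33 event=PERM_CHANGE actor=u456 target=u456 change=ADD:DATAMATCH_RW
"""

@dataclass(frozen=True)
class Event:
    time: datetime
    fields: Dict[str, str]

    def __getitem__(self, key: str) -> str:
        return self.fields.get(key, "")

@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    time: datetime
    detail: str

def parse(log_text: str) -> List[Event]:
    events = []
    for line in log_text.splitlines():
        if line.strip():
            stamp, _, rest = line.partition(" ")
            fields = dict(token.split("=", 1) for token in rest.split())
            events.append(Event(datetime.fromisoformat(stamp), fields))
    return sorted(events, key=lambda e: e.time)

def password_guessing(events: List[Event]) -> List[Finding]:
    """Successful logon preceded, within FAILURE_WINDOW, by at least
    FAILURE_THRESHOLD password failures for the same user."""
    findings, failures = [], {}  # failures: user -> failure times since last success
    for ev in events:
        user = ev["user"]
        if ev["event"] == "PWD_FAIL":
            failures.setdefault(user, []).append(ev.time)
        elif ev["event"] == "LOGON" and ev["result"] == "SUCCESS":
            recent = [t for t in failures.get(user, []) if ev.time - t <= FAILURE_WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                findings.append(Finding("password_guessing", user, ev.time,
                                        f"{len(recent)} failures then success from {ev['src']}"))
            failures[user] = []
    return findings

def suspicious_permission_changes(events: List[Event]) -> List[Finding]:
    """Permission changes by a non-administrator, outside business hours,
    or by an actor granting rights to their own account."""
    findings = []
    for ev in events:
        if ev["event"] != "PERM_CHANGE":
            continue
        actor, target = ev["actor"], ev["target"]
        reasons = []
        if actor not in ADMINS:
            reasons.append("actor is not an administrator")
        if ev.time.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if actor == target:
            reasons.append("self-granted")
        if reasons:
            findings.append(Finding("suspicious_perm_change", actor, ev.time,
                                    f"{ev['change']} on {target}: " + "; ".join(reasons)))
    return findings

def analyse(log_text: str) -> List[Finding]:
    events = parse(log_text)
    return password_guessing(events) + suspicious_permission_changes(events)

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding.time, finding.rule, finding.user, finding.detail)
```

The single failure before u123's midday log-on stays below the threshold and is not reported; the two findings both concern u456, which is the pattern a monthly scan should surface for the manager-requested follow-up described in paragraph 3.86.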

3.87 The OAIC notes that the ATO engages in proactive real time audit logging and monitoring of systems access to Mainframe to mitigate and manage the risks of unauthorised access to systems used for the NEIDM and PAYG programs. The OAIC suggests that the ATO continues to review and update current processes to ensure that they remain effective.

Third party providers

3.88 APP 11 imposes obligations on the ATO to protect personal information it holds, including where that personal information is being handled by a third party. Reasonable steps can include influencing the third party’s conduct. Section 95B of the Privacy Act also imposes obligations for agencies to ensure that a contracted service provider (as defined in s 6 of the Privacy Act) does not do an act, or engage in a practice, that would breach an APP.

3.89 This assessment did not focus on the ATO’s relationship with third party providers. However, the OAIC made some brief observations during fieldwork where appropriate.

3.90 The ATO advised that it uses an algorithm[28] for its data matching activities, including the NEIDM and PAYG programs, which is supplied by a third-party vendor, who is responsible for maintenance and support only when there is an issue with the algorithm. The relationship between the ATO and third-party vendors is managed in accordance with existing ATO contractual arrangements. The ATO advised that there have been no occurrences to date where the vendor has been contacted for support.

3.91 In the context of the NEIDM and PAYG programs, the OAIC has not identified any privacy risks associated with the ATO’s management of third-party providers.

Data breach response

3.92 In the event of a data breach, having a response plan that includes procedures and clear lines of authority can assist an entity to contain the breach and manage the response. Ensuring that staff (including contractors) are aware of the plan and understand the importance of reporting breaches is essential for the plan to be effective.

3.93 The ATO has a streamlined approach to the reporting of cyber security and privacy incidents. Incidents are logged via an online ‘security incident form’ on the intranet. The Information Security & Response team (within the Information and Cyber Security Branch) will triage the incident and follow the guidelines to make a determination on the severity of the risk. If there is a breach of personal information, the incident is referred to the ATO’s Rapid Response Group (RRG).

3.94 The RRG is comprised of members from a number of business lines who will analyse the eligible data breach and determine the appropriate remediation action. The RRG will also consult the Privacy Officer who will determine if the NDB threshold is reached and report to the OAIC accordingly. After containing the incident, the RRG consolidates the learnings and inputs recommendations to be added to its program of work to mitigate future incidents.

3.95 The OAIC observed the process of lodging an online incident form during fieldwork. Both the data breach and security incident webpages direct staff to the same online ‘security incident form’. Staff will need to select the type of security incident in the drop-down menu, such as compromise of information, identity theft, scam or unauthorised access, and input the date, location, incident details, activity logs and attachments (if any).

3.96 There is a separate reporting process when an eligible data breach is identified through an internal fraud audit or investigation. The Internal Fraud Branch will manage the case, consider requirements under the NDB scheme and take appropriate action to contain the risk.

3.97 The SharePoint site has various resources on data breach notifications and is reviewed annually. At the time of this assessment, the General Counsel’s privacy SharePoint page includes information on the Privacy Act, APPs, NDB scheme, the Privacy Code and PIAs, as well as additional links to the OAIC homepage.

3.98 The OAIC reviewed the ATO’s DBRP (noted at paragraph 3.27), which outlines the legal obligations under the mandatory NDB scheme and the Privacy Act. The DBRP also sets out the steps to identifying and escalating an eligible data breach with reference to the OAIC at a high level. However, it is not clear in the DBRP how and when the Information Security & Response team should engage the Privacy Officer. The OAIC suggests that the ATO clarifies the interaction between Cyber Security and Privacy functions in the incident management and escalation process, as noted earlier under Recommendation 2 of this report. The OAIC also suggests that the ATO regularly reviews, tests and updates the DBRP to ensure its continued effectiveness.

Physical security

3.99 Physical security is an important part of ensuring that personal information is not inappropriately accessed. Entities should consider whether their workplace is designed to facilitate good privacy practices.

3.100 The ATO has a number of documents which describe the physical security of information, network assets and ICT equipment, in accordance with the Australian Government’s Protective Security Policy Framework and ISM requirements for the protection of ICT facilities and network devices. It is also a reasonable step under APP 11 to ensure that provisions are made for securing physical files containing personal information.

3.101 As mentioned earlier in the ‘ICT Security’ section of this report, the ATO systems used for data matching are housed in two data centres. The data centres contain equipment belonging only to the ATO and other government agencies which reduces the complexity of security requirements and minimises the risk of non-Government staff having access to the sites. The ATO advised that both data centres are assessed and certified to an appropriate standard and at least one of the data centres has obtained a Zone 4[29] rating.

3.102 At all three ATO offices visited during fieldwork, the reception was staffed by one or more security guards that ensure visitors are approved and can provide photo identification. Swipe cards for visitors control access to the office area and must be surrendered when leaving the site. The OAIC was advised that computer rooms and communications rooms have access limited to those staff with the need to access those areas.

3.103 Based on the limited observations made by the OAIC, no privacy risks were identified with regards to the ATO’s physical security measures used for the NEIDM and PAYG programs.

Destruction and de-identification

3.104 APP 11.2 requires an APP entity to take reasonable steps in the circumstances to destroy personal information that it holds about an individual or to ensure that the information is de-identified, if:

  • the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under the APPs
  • the information is not contained in a Commonwealth record[30]
  • the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information.

3.105 The ATO has data retention policies which apply to the entire organisation. The How Long to Keep Records intranet page outlines the business, legislative and accountability requirements for the retention of records as well as considerations for extending beyond the minimum retention period. Additionally, the ATO Records Authorities intranet page describes records and retention periods for different types of information that the ATO collects and stores.

3.106 For the NEIDM and PAYG programs, the ATO advised that the raw data transferred from DHS is stored for 12 months and then deleted. The ATO also does not retain a copy of the matched data that is sent to DHS as the information already exists in the ATO’s database. However, the link files that are created from DHS’s raw data and contain additional data elements prescribed by the ATO (noted at paragraph 2.8) are stored permanently in Mainframe.

3.107 At the time of the assessment, the ATO destroyed data matching related records in line with General Disposal Authority 24 – Records relating to Data Matching Exercises,[31] which authorised the disposal of Commonwealth records relating to data matching under the Archives Act.

3.108 The OAIC did not identify any privacy risks associated with the ATO’s destruction and de-identification processes of NEIDM and PAYG data.

Part 4: Recommendations and responses

Recommendation 1

OAIC recommendation

4.1 The OAIC recommends that the ATO, in consultation with DHS, updates its Head Agreement and where applicable any other associated documents which govern the overarching service delivery arrangements with DHS to include privacy obligations under the Notifiable Data Breaches (NDB) scheme and the Australian Government Agencies Privacy Code (Privacy Code).

Response by ATO to the recommendation

4.2 Agreed. These additions will be made to the Head Agreement as part of the annual review process that is scheduled to be completed by September each calendar year.

Recommendation 2

OAIC recommendation

4.3 The OAIC recommends that the ATO regularly reviews its internal policy documents to ensure that they are up-to-date and reflect changes in the current risk environment. This includes updating its:

  • accreditation documentation to incorporate new developments and practices
  • policies to highlight the operational relationship between Cyber Security and Privacy functions as well as the roles and responsibilities of each area in the event of a cyber security incident or eligible data breach.

Response by ATO to the recommendation

4.4 Agreed. Document owners will work to ensure internal policy documents are updated in accordance with the recommendation.

Particular focus will be given to highlighting the operational relationship, roles and responsibilities of the Cyber Security and Privacy functions in the following documents:

  • [ITS-R02] IT Security Regulation - IT Security Governance (page 5)
  • [ITS-I26] - Information Technology Security Instruction - System Security Management (pages 7-8)
  • [ITS-B01] IT Security Access Control and Delegated Rights Baseline (page 9)
  • Reporting a security incident –myATO
  • Incident Response Plan

Recommendation 3

OAIC recommendation

4.5 The OAIC recommends that the ATO implements multi-factor authentication (MFA) for all administrative accounts, especially for privileged and/or higher risk users.

Response by ATO to the recommendation

4.6 Agreed. MFA is planned to be deployed to all administrative accounts, including privileged and higher risk users in our 2020-2021 IT deployment schedule.

Part 5: Description of assessment

Objective and scope of the assessment

5.1 This assessment was conducted under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the APPs.

5.2 The objective of this assessment was to determine whether the ATO is taking reasonable steps to secure personal information, under the NEIDM and PAYG programs, in accordance with its obligations under the APPs.

5.3 The scope of this assessment was limited to the consideration of the ATO’s handling of personal information against the requirements of APP 11 (security of personal information).

Privacy risks

5.4 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance (Appendix A refers), the OAIC made recommendations to the ATO about how to address those risks. These recommendations are set out in Part 4 of this report.

5.5 The OAIC assessments are conducted as a ‘point in time’ assessment; that is, our observations and opinion are only applicable to the time period in which the assessment was undertaken.

5.6 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’. Chapter 7 of the OAIC’s Guide to privacy regulatory action provides further detail on this approach.

Timing, location and assessment techniques

5.7 The OAIC conducted a risk-based assessment of the ATO’s data matching programs and focused on identifying privacy risks to the secure handling of personal information in its relation to the APPs.

5.8 The assessment involved the following:

  • review of relevant policies and procedures provided by the ATO
  • fieldwork, which included interviewing key members of staff at three ATO offices on 25 – 27 March 2019 (Canberra), 11 April 2019 (Brisbane) and 16 April 2019 (Sydney).

5.9 The OAIC engaged an ICT consulting firm, Security Centric, to assist with assessing the technical aspects of this assessment. The OAIC considered Security Centric’s findings and recommendations in the process of writing this report.

Reporting

5.10 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.

Appendix A: Privacy risk guidance

Privacy risk rating: High risk

Entity action required: Entity must, as a high priority, take steps to address mandatory requirements of Privacy legislation. Immediate management attention is required.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that, if not mitigated, is likely to lead to the following effects:

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies)

Privacy risk rating: Medium risk

Entity action required: Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy legislation. Timely management attention is expected.

Likely outcome if risk is not addressed: This is an internal control or risk management issue that may lead to the following effects:

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities
  • Possible ministerial involvement or censure (for agencies)

Privacy risk rating: Low risk

Entity action required: Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy legislation. Management attention is suggested.

Likely outcome if risk is not addressed: This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed.

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit)
  • Minimum compliance obligations are being met

Footnotes

[1] Office of the Australian Information Commissioner, Guidelines on Data Matching in Australian Government Administration, June 2014.

[2] The Department of Human Services (DHS) has since been renamed Services Australia. However, this report refers to DHS throughout, as it was known at the time this assessment was conducted.

[3] Department of Human Services, PAYG Data-Matching program protocol, May 2017, p.4.

[4] Department of Human Services, NEIDM Data-Matching program protocol, August 2016, p.22.

[5] See Australian Government Information Security Manual, 2019, p.6.

[6] See the ‘Standards’ section in the OAIC’s Guide to Securing Personal Information.

[7] In Australian Public Service (APS) agencies, most of the senior leadership group are Senior Executive Service (SES) employees, employed under the Public Service Act 1999. For further information see the Australian Public Service Commission website at www.apsc.gov.au.

[8] For further information on the classification of information, refer to Policy 8 Sensitive and classified information.

[9] SharePoint is a secure intranet and content management system that entities use to store, organise, share and access information.

[10] Accreditation provides assurance for compliance with Government regulations and highlights ICT security risks within a system.

[11] Application hardening is the process of making a finished application more difficult to reverse engineer and tamper with.

[12] Whitelisting on servers allows only authorised software to run.

[13] A firewall is a network security system that monitors and controls incoming and outgoing network traffic.

[14] A legacy system is an old technology, application or computer system which is still in use and continues to serve critical business needs.

[15] Standard Operating Environment (SOE) refers to a computer’s operating system and its associated hardware and software applications.

[16] Patching involves making changes to software which is designed to update, fix or improve it, for example to fix bugs or security vulnerabilities.

[17] Zipped files are compressed and therefore take up less storage space and can be transferred to other computers more quickly than uncompressed files.

[18] A virtual desktop environment means that a user’s desktop environment (the icons, wallpaper, windows, folders etc.) is stored remotely rather than on a physical computing device.

[19] ‘Multi-factor authentication’ (MFA) is a process used to identify and control access of individuals by associating user rights and restrictions with their identity. MFA requires two of three factors to be presented — something one knows (such as a password or code), something one has (a physical token, such as a bank card, security pass, or a mobile phone to receive SMS confirmation), or something one is (biometric information such as a fingerprint). See Guide to securing personal information, p. 29.

[20] A web filter is software that restricts access to certain websites that might contain harmful malware.

[21] The development environment is where changes to software are developed. Once the developer thinks it is ready, the product is copied to a testing environment, to verify it works as expected. If testing is successful, the product is deployed to a production environment, making it available to all users of the system.

[22] Vulnerability scanning is an automated inspection of a computer or network for known weaknesses, such as missing patches and insecure configurations.

[23] Penetration testing is the practice of testing a computer system, network or web application to find security weaknesses that a hacker could exploit and identify areas to improve.

[24] A differential backup is a type of backup that copies all the data that has changed since the last full backup.

[25] A virtual tape system is disk-based storage that presents itself to backup software as tape drives and tape media, so that backups can be written and restored quickly while still being copied to physical tape for offsite storage.

[26] For more information see GovLink.

[27] See Guide to securing personal information, p. 29.

[28] A programming algorithm is a computer procedure that specifies a series of steps to perform a particular task.

[29] Zone 4 areas are restricted to access by authorised personnel with the appropriate security clearance and escorted visitors. For further information on security zones, refer to Policy 16 Entity facilities.

[30] Archives Act 1983 (Cth), s 3.

[31] The General Disposal Authority 24 has since been revoked by the National Archives of Australia.