Why is tfn confidential?
How the ATO policy details deals with the collection, storage, access to, use and disclosure of personal information.
On this page
Our privacy policy seeks to:
We review our privacy policy regularly and publish it on ato.gov.au. If you would like to access a copy of our privacy policy in another form, or have feedback on our privacy policy, you can contact us.
The Privacy Act 1988External Link (Privacy Act) protects personal information and requires that we comply with the Australian Privacy Principles (APPs) set out in Schedule 1 of the Act in our handling of personal information.
Under the Privacy Act, ‘personal information’ means 'information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether the information is recorded in a material form or not'.
The ATO also complies with the requirements of the Australian Government Agencies Privacy Code 2017External Link which is registered under the Privacy Act.
Under the Privacy Act, we:
We undertake to collect personal information about you in a fair and lawful way and in a manner that is not unreasonably intrusive. This means that we will not use any form of deception or threat when we collect personal information, either from you or from anyone else.
We undertake to respect your privacy and to keep your information confidential. We undertake to handle your personal information as required by the Privacy Act and the Australian Government Agencies Privacy Code 2017.
We will be transparent and open about what personal information we collect, hold, use and disclose, as well as how you can make a complaint if you think your privacy has been interfered with.
In administering the taxation and superannuation laws, we collect, hold, use and disclose a wide range of personal information.
We also collect, hold, use and disclose personal information in relation to our other functions and activities, including:
We collect, hold, use and disclose personal information about individuals and taxpayers that is necessary for or related to the administration of taxation and superannuation laws, and other programs of work the ATO administers.
Personal information includes:
For more information on the different types of personal information in taxpayer records that we collect, hold, use and disclose, see Appendix 1.
We collect, hold, use and disclose personal information about:
A tax file number (TFN) is a unique identifier. We issue TFNs and use them to help us identify you and administer the taxation and super laws.
Sections 8WA and 8WB of the Taxation Administration Act 1953External Link and the Privacy (Tax File Number) Rule 2015External Link protect TFNs. We handle TFN information in accordance with those pieces of legislation.
For further TFN guidance and advice, see The Privacy (Tax File Number) Rule 2015 and the protection of tax file number informationExternal Link.
If you have concerns about the security of your TFN and are concerned that your TFN has been lost, stolen or misused, please refer to our lost or stolen TFN webpage or phone us on 13 28 61 between 8:00 am and 6:00 pm, Monday to Friday.
We are participating in the government's digital identity program, giving Australian citizens and permanent residents a single and secure way to access online government services.
Under this program, we manage both:
Personal information that we collect, hold, use and disclose for the purpose of administering myGovID and the RAM service includes your:
For further information about the collection, use and disclosure of your personal information for these services, see:
We maintain a voiceprint biometric database. With your consent, voice recordings may be used to create a biometric voiceprint that can be used to identify you.
Where you have given your consent, and you have a myGov account linked to the ATO and other myGov Member Services, the ATO may share your voice biometric information with those linked Member Services.
When sharing your voice biometric information with a linked myGov Member Service, the ATO will also share your ATO MBUN. This is a unique number linked to your ATO Member Service that is created when you link your myGov account to the ATO. If you have unlinked then relinked your myGov account to the ATO you will have multiple ATO MBUNs. However, we will only share the MBUN created when you last linked your myGov account to the ATO.
We maintain a record of registered tax and business activity statement agents (tax practitioners) who are authorised to interact with us and undertake transactions on behalf of taxpayers.
Personal information about tax practitioners that we hold includes the:
We hold these records so that we can contact tax practitioners about their clients’ taxation affairs and to monitor lodgment of tax agent prepared returns and business activity statements.
We collect, hold, use and disclose personal information in personnel records that is reasonably necessary for the purposes of discharging the Commissioner of Taxation's employer powers. ‘Employer powers’ means all the rights, duties and powers of an agency head under the Public Service Act 1999.
When you visit ato.gov.au we'll collect information from your browser relating to:
No attempt is made to identify users or their browsing activities except in the event of an investigation where a law enforcement agency may exercise a warrant to inspect our internet web server logs.
When you authenticate with online ATO systems directly or indirectly (for example, through myGov), certain information about your device, your browser and the authentication process will also be logged by us, such as:
We may use this information to:
We don't share this information with other government agencies or other organisations without your permission unless that is required or authorised by law.
Cookies are pieces of information that a website can transfer to an individual's computer hard drive or mobile device for record keeping. Cookies can make websites easier to use by storing information about your preferences on a particular website. The information remains on your device after the internet session finishes.
The first time you visit our website one cookie will be stored on your device. On each visit to our website the system checks whether there is an ato.gov.au cookie on your device. If so, it simply notes its presence and records your visit as a 'previous user'. If not, it will store one and record your visit as a 'first time visitor'. This cookie will be stored permanently unless you choose to delete it. The information is used by us to help improve our website by understanding how it is used. There is no attempt made to identify individual users in any way.
On each use a 'session cookie' is temporarily placed on your device, which is used to maintain navigation information during your site visit. These session cookies are deleted from your device at the end of each internet session.
In addition, we make use of third-party sites such as Twitter, VioStream, Facebook, LinkedIn and YouTube to deliver content. Such third-party sites may send their own cookies to your device. We do not control the setting of third-party cookies and suggest you check the third-party websites for more information about their cookies and how to manage them.
We use Google Analytics to understand how our websites are being used in order to improve the services we offer. Google Analytics uses cookies to analyse how you use our websites. No identifying information is collected by Google Analytics and parts of your IP address are masked so your identity remains anonymous. Data captured by Google Analytics is processed and stored in the USA. If you don’t want your data being used by Google Analytics – when visiting our website – you can opt out by using the opt out service provided by GoogleExternal Link.
You can also disable cookies and JavaScript in your browser. However, this may prevent you from accessing certain services and functionality.
The ATO app includes the myDeductions tool to make it easier and more convenient for you to keep your expense and income records in one place. We have provided myDeductions to you only as a record keeping tool.
If you are an Android user, we have provided you with the option to connect the ATO app to your personal Google Drive account, to make backing up myDeductions records quick and easy. We do not access, collect, use, store or share the personal information you input into the myDeductions tool, or the personal information you back up to your Google Drive account, including your Google user data. Whilst the ATO does not access personal information you input into the myDeductions tool, you can choose to upload myDeductions data to prefill your tax return.
For more information about your privacy when using Google’s services, go to the Google Privacy PolicyExternal Link.
We collect personal information:
We collect personal information when we ask for it, or by using our formal access and information-gathering powers.
If we receive unsolicited information, we will handle it in accordance with Australian Privacy Principle 4.
Tax and super laws allow us to obtain information about you from other parties. We will normally tell you about this before seeking to obtain it.
However, there are some circumstances where it may not be reasonable or practicable in the circumstances to tell you that we are collecting your personal information from a third party. This may include when we collect information about a large number of individuals in similar circumstances, such as when we collect information from:
We take steps to ensure that the personal information we collect about you is accurate, up-to-date and complete. These steps include updating personal information when you tell us that your personal information has changed and at other times as necessary.
We take steps to protect the personal information we hold against:
We apply industry-best security methods, including:
Our staff may not access personal information contained in records we hold unless they are doing so in the course of exercising powers or performing functions under or in relation to the tax, super or other relevant laws.
We must be certain of your identity before we can discuss your tax or super affairs with you. If you contact us to discuss your affairs, you must be able to prove your identity. This ensures that we are able to protect your personal information by only giving it to you or someone who can prove that they are lawfully authorised to act on your behalf.
For example, if you phone us, you can prove your identity by giving us your:
Other information can be used as proof of identity, depending on the circumstances.
If you have a general enquiry that does not involve discussing your personal information, you do not have to provide identification. In these situations, you will be able to deal with us without identifying yourself.
You have the right to be told why we are asking for your personal information and what legal authority we are relying on to request it from you.
Generally, when we collect personal information from you, we will tell you:
We do checks to test whether taxpayers are complying with relevant law. These checks include audit and verification programs and device-based information matching.
This is known as data matching. It allows information from a variety of sources to be brought together, compiled and applied to a range of public policy purposes.
In the ATO, data matching helps us to both identify people who are not complying with their obligations and to detect fraud against the Commonwealth. If we check your information, it doesn’t mean we think you’re dishonest in your tax affairs. But if we find discrepancies, we’ll take follow-up action.
Some of our data sources include investment income information from banks, financial institutions and investment bodies, employment information and welfare payment information. The supply of this data is authorised by law. We match this data with our own information to detect those who may not be correctly reporting all of their income.
We also undertake large scale activities involving information exchange with other government agencies. These exchanges of information are authorised by law. We also undertake data-matching projects relating to particular risks, issues or industries.
We compare externally sourced data with information that we already hold.
We check the external data with information provided to us in tax returns, business activity statements and other forms. We may use this information to detect people who are not in the taxation system or are not meeting other obligations, such as:
The data is also used to check trends within industries and helps us to focus on future compliance risks.
Detailed rules set out in the Data-matching Program (Assistance and Tax) Act 1990 apply to some data-matching activities. To better protect your privacy, we also comply with voluntary guidelines about data matching issued by the Privacy Commissioner.
See our website to learn more about our current data-matching protocols.
For more information on the different types of data-matching records we hold, see Appendix 1.
Sometimes we engage recognised expert advisers from outside the ATO, such as independent legal advisers, for assistance and advice. The taxpayer confidentiality provisions in the tax legislation allow us to disclose personal information to these advisers.
If a third party is contracted to carry out some of our functions, such as processing forms, the contractor and its employees are bound by privacy and taxpayer confidentiality provisions when dealing with your information. We also ensure that the privacy and confidentiality of your personal information is addressed in these contracts.
When we receive personal information about you (whether solicited or unsolicited) the information will, in almost all cases, be treated as a Commonwealth record.
We are bound by the Archives Act 1983 to retain Commonwealth records until we can lawfully dispose of them, generally either in accordance with:
While most of the personal information we collect about you is retained in Australia, there are circumstances where we provide personal information to overseas recipients. We do this in accordance with international tax treaties and tax information exchange agreements.
Tax treaties are also referred to as tax conventions or double tax agreements. The purpose of these agreements is to exchange tax information relevant to the tax administration of the respective countries to the agreement. We do this in order to prevent double taxation, tax fraud and tax evasion.
We also use tax information exchange agreements (TIEA) to combat overseas tax evasion. The agreements allow us to exchange information with our TIEA partners. TIEAs promote fairness and enhance our ability to administer and enforce Australia’s own domestic tax laws.
The countries and other jurisdictions that currently have tax treaties and tax information exchange agreements with Australia are listed in Appendix 2.
You can update your own personal information via our online services.
You can access copies of your personal taxation information via myGov. Personal taxation records that can be accessed include:
Your authorised representative may also have access to your personal information or can request it on your behalf through our Online services for agents. For more information about accessing your personal taxation information through our online services, please refer to our copies of tax documents request webpage.
Where you require access to documents that you cannot obtain through our online services or through our administrative access arrangements, you can lodge a request for those documents under Australian Privacy Principle (APP) 12 or the Freedom of Information Act 1982 (FOI Act).
You have a right to request access to your own personal information under APP 12.
However, if we can refuse to give you access to the requested personal information under the FOI Act or any other Commonwealth Act, we do not have to give you access to the personal information under APP 12.
We will respond to your request for access to your personal information within 30 days.
In circumstances where we refuse to provide you with access to your own personal information, we will give you a written notice that sets out the reasons for the refusal (unless it would be unreasonable to do so).
We will advise you how to complain about a refusal.
We will not charge you for making a request or for giving you access to your own personal information.
We will take reasonable steps to correct personal information that we hold about you to ensure that, having regard to the purpose for which the information is held, it is accurate, up to date, complete, relevant and not misleading. We will also take reasonable steps to correct personal information in circumstances where you request us to correct the information.
We will respond to an amendment request within 30 days.
If we refuse your amendment request, we will give you a written notice that sets out the reasons for the refusal, except to the extent that it would be unreasonable to do so.
We will advise you how to complain about a refusal.
We will not charge you for making an amendment request or for correcting personal information about you.
You can also make a Freedom of Information (FOI) request.
The FOI Act gives you the right to:
A FOI request must:
You can send your request to us by email at FOI@ato.gov.au with your name and the words FOI REQUEST in the subject line. You can use the FOI application form available on ato.gov.au.
We prefer email but you can also send your FOI request to the postal address of our central or regional offices as given in a current telephone directory, clearly marked FOI REQUEST on the envelope and on the enclosed request.
For more information about FOI requests please see accessing information under the FOI Act.
You can enquire or complain about a suspected breach of the APPs or the Australian Government Agencies Privacy Code 2017.
If you have a general question about privacy or wish to report an instance where you think your privacy may have been compromised, you can call our Privacy Hotline on 1300 661 542 and speak to a taxation officer. If the officer is not available to speak with you, please leave a message and an ATO officer will contact you to respond to your question or to obtain further information.
If you are not satisfied with how we have collected, held, used or disclosed your personal information, or another matter in relation to the APPs or the Australian Government Agencies Privacy Code 2017, you can make a formal complaint.
You can lodge a complaint by:
We treat complaints seriously and try to resolve them fairly and quickly.
If you make a complaint, we aim to contact you within 3 working days. We will work with you to resolve your complaint and keep you informed of its progress.
If you are not satisfied with how we deal with your complaint, the Privacy Commissioner at the Office of the Australian Information Commissioner may be able to help you. Visit the Office of the Australian Information Commissioner websiteExternal Link for more information, or you can phone 1300 363 992.
The ATO cares about the privacy of its employees and we take our obligations under the Privacy Act seriously. If you are an ATO employee and wish to make a complaint about a privacy matter relating to your taxation affairs, you may wish to do so using the complaints process described above.
If you are an ATO employee and have concerns that your privacy has been breached at work, or your personal information has not been treated as required under the Privacy Act at work, you can do one or more of the following:
If you are not satisfied with how we deal with your complaint, the Privacy Commissioner at the Office of the Australian Information Commissioner may be able to help you. Visit the Office of the Australian Information Commissioner websiteExternal Link for more information, or you can phone 1300 363 992.
The Australian Business Register (ABR) records unique identifiers called Australian business numbers (ABNs). The ABR also records other identity information about entities that carry on enterprises in Australia or that when they carry on an enterprise; make their supplies in connection with Australia.
The ABR records the details of individuals that a business entity has nominated (called ‘nominated representatives’) or of individuals who carry on a business themselves, to facilitate that business’ electronic dealings with government agencies.
Some of the ABR information is publicly accessible through the ABN Lookup tool at business.gov.au. This is where the public version of the ABR is maintained. A person who does not wish to have their personal details publicly displayed can apply to the Registrar (who is also the Commissioner of Taxation) to not have those details disclosed in ABN Lookup.
Information that is not publicly available may be disclosed to certain government agencies under section 30 of the A New Tax System (Australian Business Number) Act 1999 so that those other agencies can carry out their functions. Personal information contained in the ABR may also be disclosed to courts and tribunals in connection with proceedings under a taxation law.
Director identification numbers (director IDs)The Commonwealth Registers Act 2020 and related amendments to a range of existing laws creates a new Commonwealth business registry regime, the Australian Business Registry Services (ABRS)External Link. The ABRS is administered by the Registrar (who is also the Commissioner of Taxation). The Registrar has support from the ATO to administer registry work. The Registrar maintains its own records, and information about its privacy policy is available Our privacy policy | Australian Business Registry Services (ABRS)External Link .
We investigate fraud and suspected abuses of the tax system. Alleged offenders may be prosecuted.
We maintain a database of prosecution matters for breaches of taxation, superannuation and excise laws.
Personal information collected, held, used and disclosed can include:
We receive requests for personal information from law enforcement agencies in relation to both taxation and non-taxation matters. We disclose personal information to law enforcement agencies according to the legislative provisions that permit these disclosures. We also make disclosures to law enforcement agencies of our own volition and according to these provisions.
We keep a record of law enforcement agency requests for personal information and of the personal information we disclose to law enforcement agencies.
Taxation laws permit the disclosure of personal information to multi-agency prescribed taskforces. Prescribed taskforces are established to address priority issues and must have protecting the public finances of Australia as one of their purposes.
Personal information disclosed to prescribed taskforces includes:
The purpose of these records is to control the manufacture, storage, delivery and movement of excisable goods under the Excise Act 1901. Personal information collected, held, used and disclosed includes:
We also receive information from ASIC, AUSTRAC, the Australian Border Force and the Department of Home Affairs.
We maintain databases and also undertake data-matching related activities which include:
The purpose of these records is to inform improvements to policy and also increase our understanding of the behaviour and compliance profile of businesses and individuals involved in particular industries by:
We record all inbound and outbound telephone calls routed by our call management system within our contact centre environment. The call recording system also contains a screen capture facility. We use this information to assist with the administration of tax and super laws. We may also use call recordings and screen captures for:
We collect, hold and use personal information about tenderers and suppliers to the ATO. The information is used to evaluate responses from tenderers for our procurement requirements and to manage supplier arrangements. Personal information collected, held and used may include:
Some personal information relating to contractors may be published on the Australian government’s procurement information system (AusTender). This will include the names of contractors, how much the contract was awarded for, business address and ABN.
We collect, hold, use and disclose personal information in personnel records for the purpose of discharging the Commissioner's employer powers. ‘Employer powers’ means all the rights, duties and powers of an agency head under the Public Service Act 1999.
Section 103 of the Public Service Regulations 2023 provides that an agency head may use or disclose personal information in their possession or control where the use or disclosure is necessary or relevant to the performance or exercise of the agency head’s employer powers.
Under the TFN Rule, an individual's TFN information can only be used or disclosed for the purpose of facilitating the effective administration of taxation law, certain aspects of personal assistance and superannuation law and to assist with the identification of individuals for other purposes.
