
PC02: Security Safeguards in Relation to Personal Information


PKI Gatekeeper Accreditation Documentation

Introduction

As part of the accreditation process to become fully Gatekeeper accredited, the Australian Taxation Office (ATO) Public Key Infrastructure (PKI) was required to provide a suite of supporting policy documents. These documents include a privacy policy which is detailed in nine policy documents PC01-PC09.

This document sets out the ATO PKI’s Security Safeguards in relation to personal information. The Information Privacy Principle (IPP) relevant to this policy is IPP4 which requires the ATO to ensure that personal information it collects is stored and kept secure against loss; unauthorised access, use, modification and disclosure; and other misuse.

As a Commonwealth Agency, the ATO is required to comply with the Privacy Act 1988. It is also required to comply with the secrecy provisions in the taxation legislation. As part of its normal administrative practices, the ATO has privacy and security policies and practices in place. This document outlines the additional ATO PKI specific measures taken as a requirement for gaining Gatekeeper full accreditation.

PKI Registration Processes

There are two registration processes as follows:

  • The automated PKI Registration Process
  • The manually assisted Electronic Commerce Registration System (ECRS) Process

The Automated PKI Registration Process

The data supplied by the business Entity in the application for an Australian Business Number (ABN) is entered and stored on the Australian Business Register on the ATO Integrated System (AIS). Any additional information or amendments to the ABN registration are also stored on the AIS. For each nominated Certificate Holder the data recorded contains:

  • The data provided in the application for an ABN
  • Additional data held within the AIS

A formatted text file is created and placed in a known location on AIS and contains all of the data required to issue Keys and Certificates for the nominated Certificate Holder.

The Automated Registration Process of the ATO PKI retrieves the formatted text file from the known location in AIS and processes each request. It generates a Certification Authority Reference Number (CARN) for each request and then places it into an appropriate table in the Certificate Management Table (CMT) database.

Periodically, the Key Generation System polls the relevant table in the CMT database to determine if there are new entries to be processed.

Electronic Commerce Registration System Process

  1. ATO Registry Division (RD) staff enter:
    • An ABN
    • Client Activity Centre (CAC) numeral. A CAC is used to identify business Entities with geographically dispersed sub-units where a unique numeral is assigned to each sub-unit
  2. Data relating to the ABN and CAC are retrieved from the AIS and used to populate the on-screen form on the ECRS.
  3. RD staff enter the nominated Certificate Holder's name and then send the data to the CMT where it populates appropriate tables on the CMT database.
  4. Periodically, the Key Generation System polls the relevant tables in the CMT database to determine if there are new entries to be processed.

The AIS is subject to the normal security controls that apply to the ATO’s Mainframe Computer Systems. The only additional information that is collected for the PKI project is the Certificate Holder’s e-mail address which is needed for electronic communication between the ATO and the Certificate Holder.

What Systems are in Place?

The ATO PKI functions are mostly automated and centralised. The ATO PKI uses the following systems:

  • Australian Business Number (ABN) registration. The ABN Registration system has data capture functions sited at Albury, Penrith, Canberra and Brisbane.
  • Data entered and stored on the ATO Integrated System (AIS). The AIS is run on the mainframe complex in Burwood Sydney.
  • Services provided by the ATO Business Registration Service (RD) sited at Chermside, Brisbane.
  • Components within the ATO PKI located at Bruce in the ACT.

The ATO End to End Registration Process

The ATO’s end to end registration process is spread across many different ATO sub-systems. This section provides a high level overview of the registration process and the subsequent certification process.

The following flow diagram provides a high level view of the process flow in order for registration to occur. This diagram does not delve into the detail of the processing that occurs at each stage, but mainly attempts to provide the reader with a cohesive understanding of the interaction of the various sub-systems which perform registration and certificate generation.

Flowchart on filling in a form.

  1. An Entity applies to the ATO for an ABN by filling in a form. As well as other details, this form prompts the Entity to provide the data about the nominated Certificate Holder required for the issue of Keys and Certificates. The Entity elects to deal with the ATO electronically within this form.
  2. The ATO data capture process extracts the data from the form and populates the AIS data storage with the data. If the Entity elected to deal with the ATO electronically (and not through a Tax Agent) or the Entity is required to deal with the ATO electronically certain triggers within the ATO’s data storage systems are set.
  3. Periodically, the PKI data capture processes read these triggers.
  4. The PKI data capture processes forward the details of any Entity to the PKI data store as requests for Keys and Certificates for the nominated Certificate Holder.
  5. The data within the PKI data store is read periodically by the components within the ATO PKI. Essentially, the request for Keys and Certificates results in Keys and Certificates being generated for the nominated Certificate Holder.
  6. The Keys and Certificates are temporarily stored within the PKI data store in encrypted form while they are waiting to be downloaded by the Certificate Holder.
  7. The Keys and Certificates are ready for delivery to the Certificate Holder. There are two methods of delivery as follows:
    • Collection by the Certificate Holder from the ATO PKI Keys and Certificates web site
    • On diskette posted to the Certificate Holder via Australia Post
  8. The PKI dispatch process removes and deletes the Keys and Certificates from the PKI data store once they are downloaded or written to diskette for diskette distribution.

Note that, once the Certificate Holder has received the Keys and Certificates, he or she must use the ECI Client software to import the Keys and Certificates and thereafter deal with the ATO electronically.

The ATO PKI does not hold copies of a Certificate Holder’s private keys and therefore it cannot make them available to any officer of the ATO or law enforcement authority.

The Certification Authority

To maintain an arm's length relationship with the Certification Authority, the ATO has outsourced its Certification Authority function to Certificates Australia Pty Ltd (CAPL). CAPL is contractually obliged to abide by the ATO privacy code of conduct, and there are audit processes to ensure that this occurs.

  • The data about natural persons that is recorded on the certificates is not regarded as private and therefore not in need of protection in the case of transmission
  • The processes ensure that the ATO does not hold any private keys nor any private information in the facilities managed by CAPL, except for the public key information and certificate information legitimately recorded in the X.500 directory
  • Absolutely no private key is held by the AIS. EOI data is held on the AIS and is accessed by RD staff and other ATO staff where protection is provided by normal ATO organisational protection for sensitive data

Key Issuing System

The keys for Certificate Holders are produced and supplied through systems that ensure that the ATO will not be able to access the Certificate Holders' private keys.

Keys and Certificates will be distributed over the Internet, however the ATO PKI can provide a diskette distribution as an alternative where required.

Web Distribution

Web distribution ensures the integrity of a Certificate Holder’s Keys and Certificates when they are initially downloaded by the Certificate Holder over the Internet. Web distribution has the following main features:

  • A random 8 character password for web access is generated
  • A randomised web location is created
  • An electronic mail message is generated and sent to the Certificate Holder to notify the web location where the Keys and Certificates are located
  • The password for web access and a Personal Identification Code (PIC) for decryption of the Keys and Certificates, after they are downloaded, is posted to the Certificate Holder via Australia Post
  • The Certificate Holder connects to the ATO PKI web site and goes to the web location where the Keys and Certificates are located and enters a password in order to download the Keys and Certificates
  • Once the Certificate Holder has downloaded the Keys and Certificates file, the copy on the web server is deleted
  • The Certificate Holder uses the PIC that was mailed to get access to and decrypt the Keys and Certificates that were downloaded. Immediately the Keys and Certificates are decrypted by entering the PIC, the Certificate Holder is prompted to provide a new password to encrypt the Keys and Certificates that were imported into the ECI Client

Diskette Distribution

The required set of Keys and Certificates is stored on a diskette which is dispatched to Australia Post for delivery to the Certificate Holder.

  • A PIC for decryption of the Keys and Certificates is separately sent to the Certificate Holder via Australia Post
  • The Certificate Holder uses the PIC that was mailed to access and decrypt the Keys and Certificates that are on the diskette. Immediately the Keys and Certificates are decrypted by entering the PIC, the Certificate Holder is prompted to provide a new password to encrypt the Keys and Certificates that were imported into the ECI Client

Certificate Acceptance

By using the Keys and Certificates, the Certificate Holder and the Entity agree to be bound by the continuing responsibilities, obligations and duties imposed on them by the Conditions of Use.

Physical Controls

Site Location and Construction

The site location of the ATO PKI is in a secure operating environment at the ATO Computer Centre at Bruce in the ACT.

The ATO PKI is operated within secure physical environments within the areas that meet the standards required by ACSI 33 CR2 as required by the Defence Signals Directorate (DSD). The security of the location has been reviewed by ASIO T4 and it complies with Gatekeeper requirements.

Physical Access

The ATO PKI permits entry to their secure operating areas only to authorised personnel, and to authorised visitors under the constant supervision of an authorised person. The number of personnel authorised to enter the area is kept to a minimum and a log is maintained of all accesses.

Power and Air Conditioning

The secure operating areas are connected to a standard power supply. All critical components are connected to uninterruptible power supply (UPS) units, to prevent abnormal shutdown in the event of a power failure.

The areas have an air conditioning system to control the heat and humidity that is independent of the building air conditioning system.

Water Exposures

The secure operating areas are protected against water exposure by being located on an above ground floor of an office building that is not in a flood zone and has a built-in raised floor.

Fire Prevention and Protection

Suitable fire extinguishers are maintained in the secure operating areas, to guard against the possibility of fire.

Media Storage

All magnetic media containing ATO Organisation Certification Authority (OCA) information, including backup media, is stored in containers, cabinets or safes with fire protection capabilities and is located either within the service operations areas or in secure off-site storage areas.

Waste Disposal

Paper documents and magnetic media containing the ATO OCA Private Key or commercially sensitive or confidential information are securely disposed of by:

  1. In the case of magnetic media: physical damage to, or complete destruction of the asset.
  2. In the case of printed material: shredding, or destruction by an ATO approved service.

Certificate Holders are encouraged to follow similar procedures.

Off Site Backup

ATO endorsed off-site storage agents are used for the storage and retention of backup ATO PKI software and data.

The off site storage:

  1. Is available to authorised personnel 24 hours per day seven days per week for the purpose of retrieving software and data.
  2. Has appropriate levels of Physical Security in place and staff in Positions of Trust.

Procedural Controls

Trusted Roles

In order to ensure that one person acting alone cannot circumvent the entire system, the area where the servers and work stations required to operate the ATO PKI are located is a declared no-lone zone, where two people are required to carry out an operation.

To gain access to a machine two keys are required to be inserted and turned simultaneously to open the cabinet securing the machine. A video camera captures who carried out actions in the vicinity of the open cabinet.

When gaining access to a work station a password is entered. Once the person has logged on and access is gained to the work station one person performs the task while the other audits the task performance to ensure it is done properly. All keystrokes typed on a keyboard attached to a machine after the log-on are captured and recorded in an audit log.

At a minimum, the following roles are established:

  1. System administrator.
  2. Security administrator.

Number of Persons Required for Each Role

Separate individuals fill each of the roles described above. This provides the maximum security and affords the opportunity for the greatest degree of checks and balances over system operation. However:

  1. A single individual may assume the role of the System Administrator.
  2. The Security Administrator remains separate from the System Administrator in order to provide an independent review of the audit log.
  3. Any task requiring the creation, backup or importation into a database of the ATO OCA’s Private Key involves two trusted persons, one performing the function and the second fulfilling a security monitoring role.

Identification and Authentication for Each Trusted Position

Persons filling trusted roles undergo a formal vetting process, conducted by the Australian Security Vetting Service, for a designated Position of Trust.

Personnel Controls

Background, Qualifications, Experience, and Clearance Requirements

The recruitment and selection practices for ATO PKI services personnel take into account the background, qualifications, experience and clearance requirements of each position, which are compared against the profiles of potential candidates.

Background Check Procedures

Background checks by the Australian Security Vetting Service (ASVS) are conducted on all persons selected to take up a trusted role in accordance with the designated security screening procedure for a Position of Trust, prior to the commencement of their duties.

Training Requirements

All ATO PKI services personnel are trained in:

  1. Basic PKI concepts.
  2. The use and operation of the Certification Authority, Organisation Certification Authority and Registration Authority software, as certified by DSD.
  3. Documented ATO PKI procedures.
  4. Privacy legislation and practices within the ATO.
  5. ATO's confidentiality requirements for the protection of taxpayer information including the requirements in the taxation legislation and the Crimes Act 1914 (Commonwealth).
  6. Computer security awareness and procedures.
  7. How to explain to Certificate applicants the responsibilities adhering to the possession, use and operation of their key pairs.
  8. The meaning and effect of the ATO’s Certification Policy and the Certification Policy Statements required for the operation of the ATO PKI.

Retraining Frequency and Requirements

ATO PKI services personnel receive a security briefing update at least once a year.

Training in the use and operation of the Certification Authority, Organisation Certification Authority and Registration Authority software is provided when new versions of the software are installed.

Remedial training shall be completed as required or when recommended by audit comments.

Job Rotation Frequency and Sequence

The ATO PKI may implement formal job rotation practices (for example through formal reliefs). Where formal job rotation is not implemented, cross-training activities shall be conducted to ensure operations continuity.

Sanctions for Unauthorised Actions

Unauthorised actions by ATO PKI services personnel shall be submitted to appropriate authorities including, but not limited to, the Security Administrator for further investigation and any appropriate action.

Contracting Personnel Requirements

ATO PKI services personnel may be contractors with the required security clearance and who shall be appointed in writing and given written notification of the terms and conditions of their position.

Risk Management

The ATO PKI has introduced a number of measures to reduce or limit its risk. These measures:

  • Inhibit misuse of PKI resources by authorised personnel
  • Prohibit access to PKI resources by unauthorised individuals

They include, but are not limited to:

  • Identifying contingency events and appropriate recovery actions in a Disaster Recovery and Business Continuity Plan
  • Performing regular system data backups
  • Performing a backup of the current operating software and certain software configuration files
  • Storing all backups in secure local and offsite storage
  • Maintaining secure offsite storage of other material needed for disaster recovery
  • Periodically testing local and offsite backups to ensure that the information is retrievable in the event of a failure
  • Periodically reviewing its Disaster Recovery and Business Continuity Plan, including the identification, analysis, evaluation and prioritisation of risks
  • Periodically testing uninterruptible power supplies

Compliance Audit

Gatekeeper Evaluation

The ATO OCA has been granted Gatekeeper full accreditation by the CEO, NOIE in accordance with the Gatekeeper criteria and following evaluation by a team of independent evaluators.

The evaluation criteria have been defined by the CEO, NOIE and may be found on the NOIE web site, http://www.noie.gov.au.

Frequency of Compliance Audit

The ATO PKI will be audited from time to time to ensure compliance with the policies documented in the ATO’s Certification Policy.

Identity/qualifications of Auditor

Any person engaged to perform an audit on the ATO PKI will have a security clearance at the appropriate level and sufficient experience in the application of PKI and cryptographic technologies. Where audits are required under the conditions of Gatekeeper accreditation the auditors will be selected by NOIE.

Auditor's Relationship to Audited Party

Aside from the audit function, the auditor and audited party shall not have any current or planned financial, legal or other relationship that could result in a conflict of interest.

Topics Covered by Audit

The evaluation criteria include an audit of the following against the background of the Gatekeeper accredited documentation:

  1. Physical Security.
  2. Documentation and process.
  3. Vetting of operations personnel.
  4. Technology.
  5. Privacy, including compliance with Information Privacy Principles set out in section 14 of the Privacy Act 1988.

Actions Taken as a Result of Deficiency

Copies of the audit report must be submitted in confidence to both of the following:

  • The Commissioner of Taxation
  • The CEO, NOIE

When irregularities are found, the Commissioner of Taxation shall promptly oversee or implement appropriate corrective action and report publicly on matters as appropriate to ensure that trust in the operation of the ATO PKI is maintained.

Communication of Results

While most aspects of the audit results will be made public in the usual way, some material may need to be treated as commercial-in-confidence. The amount of that material will be reduced as much as possible. However, the normal restrictions upon the release of ATO clients' information will apply as appropriate.

Outsourcing of ATO Functions

If a third party is contracted to carry out some ATO functions, for example the processing of some types of forms, the contractor and its employees are bound by the secrecy provisions of the tax laws when dealing with your information.

The Privacy Commissioner has issued guidelines for use by Commonwealth Government agencies suggesting clauses to be put into outsourcing contracts. These clauses are designed to ensure that the contractor protects the privacy of an individual’s information. The ATO includes these clauses in outsourcing contracts.

For example, in respect to the arrangement that the ATO has with CAPL to outsource the Facility Management of the ATO PKI, CAPL has agreed to be bound by the following clause where CAPL is referred to as the Contractor and the ATO is referred to as the Customer:

    13.12 Privacy Act 1988 (Commonwealth)

    The Contractor agrees to comply with the provisions of the Privacy Act 1988 (Commonwealth) as if it were included in the definition of 'agency' under that Act. The Contractor also agrees to comply with privacy provisions in legislation that affects or is administered by the Customer and any directions made by the Privacy Commissioner, the privacy procedures stated in the Contract Details and any other reasonable direction given by the Customer. The Contractor's obligations in this clause are in addition to, and do not restrict, any obligations it may have under the Act as amended from time to time.

Further Information

Copies of the Taxpayers’ Charter and explanatory booklets are available on the Internet at http://www.ato.gov.au. You can also ring the ATO's distribution service on 1300 720 092 (for the cost of a local call).

Attachment A - ATO Digital Signatures for GST

What the Certificate Holder Does

Step 1: The Certificate Holder retrieves a customised e BAS (electronic Business Activity Statement) from the ATO.

Diagram showing retrieval of customised e-BAS

Step 2: The Certificate Holder completes the e BAS by entering the required data. The completed document is referred to as the main document.

Diagram showing data being entered to create the main document

Once the Certificate Holder has completed the e BAS it is ready to send to the ATO.

Step 3: The Certificate Holder does the following:

  • Starts the ECI Client application
  • Selects the completed e BAS and starts the process to send this electronic document to the ATO

The following description explains the activities carried out by the ECI Client application that occur in the computer system mostly unseen and unknown to the Certificate Holder.

Step 4: The ECI Client application calculates a hash value for the e BAS and appends it to the document. A hash function is an algorithm that produces a fixed-length digital fingerprint (or hash) of a file or message. The hash changes significantly if the file is altered in any way, and it is computationally infeasible to work backwards from the hash to the original file.

Diagram showing customised e-BAS hash value

Step 5: The ECI Client application encrypts the calculated hash value with the Certificate Holder's Authentication Private Key. This encrypted hash value constitutes the Certificate Holder's digital or electronic signature.

Diagram showing customised e-BAS encrypted hash value Digital Signature

Step 6: The ECI Client application generates a one-off session key to encrypt the main document.

Step 7: The ECI Client application uses the session key to encrypt the main document.

Diagram showing customised e-BAS encrypted hash value

Step 8: The ECI Client application appends the session key to the document.

Diagram showing customised e-BAS Session Key indicator

Step 9: During the handshake with the ECI Server, the ECI Client application obtains the ATO Confidentiality Public Key and uses it to encrypt the session key.

Diagram showing customised e-BAS Encrypted Session Key indicator

Step 10: The ECI Client application sends the e BAS via the Internet to the ATO.

What the ATO Does

This process is automated and not visible.

Step 11: The ATO receives the e BAS via the Internet.

Diagram showing customised e-BAS Encrypted Session Key indicator on arrival at the ATO

Step 12: The ATO uses its Confidentiality Private Key to decrypt the session key.

Diagram showing customised e-BAS Session Key indicator being decrypted by the ATO

Step 13: The ATO uses the session key to decrypt the main document.

Diagram showing customised e-BAS Session Key to decrypt the document

Step 14: The ATO uses the Certificate Holder's Authentication Public Key to decrypt the encrypted hash value.

Diagram showing customised e-BAS Session Key to decrypt the hash value

Step 15: The ATO calculates a new hash value and checks that this value matches the hash value that was appended to the document. If the hash values match, the main document has not changed since the Certificate Holder applied his or her digital signature.

Verifying Digital Signatures

Steps 14 and 15 are used to check the digital signature in the e BAS:

  • The fact that the hash value was decrypted using the Certificate Holder's Authentication Public Key implies that the e BAS was signed with the Certificate Holder's Authentication Private Key
  • When the ATO-calculated hash value matches the decrypted hash value that was appended to the e BAS, the conclusion is that the document received is exactly the document that was sent by the Certificate Holder
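The sign-then-encrypt exchange of steps 4 to 15, as an added Go example that is not part of the ATO document or the ECI Client software. The algorithms (SHA-256, RSA-PSS, AES-256-GCM, RSA-OAEP) and the Envelope structure are assumptions, since the page names none; a modern signature API performs steps 14 and 15 in a single verify call rather than "decrypting" the hash separately.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a constructed wire format bundling what steps 5, 7 and 9 produce.
type Envelope struct {
	Ciphertext []byte // main document encrypted under the one-off session key
	Nonce      []byte // AES-GCM nonce for that encryption
	WrappedKey []byte // session key encrypted with the ATO Confidentiality Public Key
	Signature  []byte // SHA-256 hash of the e-BAS signed with the holder's Authentication Private Key
}

// Seal is the ECI Client side (steps 4 to 9). Algorithms are assumptions:
// SHA-256, RSA-PSS signature, AES-256-GCM for the document, RSA-OAEP key wrap.
func Seal(doc []byte, holderAuth *rsa.PrivateKey, atoConf *rsa.PublicKey) (*Envelope, error) {
	// Steps 4 and 5: hash the document and sign the hash with the holder's private key.
	digest := sha256.Sum256(doc)
	sig, err := rsa.SignPSS(rand.Reader, holderAuth, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// Steps 6 to 9: a fresh session key, used once, encrypts the main document;
	// the key then travels with the document, wrapped to the ATO public key.
	session := make([]byte, 32)
	if _, err := rand.Read(session); err != nil {
		return nil, err
	}
	gcm, err := newGCM(session)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, doc, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, atoConf, session, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Nonce: nonce, WrappedKey: wrapped, Signature: sig}, nil
}

// Open is the ATO side (steps 12 to 15): unwrap the key, decrypt, then verify.
func Open(env *Envelope, atoConf *rsa.PrivateKey, holderAuth *rsa.PublicKey) ([]byte, error) {
	session, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, atoConf, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("session key unwrap failed: %w", err)
	}
	gcm, err := newGCM(session)
	if err != nil {
		return nil, err
	}
	doc, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("document decryption failed: %w", err)
	}
	// Steps 14 and 15 are one call: VerifyPSS recovers the signed hash with the
	// holder's public key and compares it with the hash recomputed over doc.
	digest := sha256.Sum256(doc)
	if err := rsa.VerifyPSS(holderAuth, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("digital signature does not verify: %w", err)
	}
	return doc, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

Because the signature covers the plaintext and the document is decrypted before verification, a corrupted ciphertext is rejected at the GCM step and a document signed by another key is rejected at the signature step, which matches the two conclusions drawn above.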

Attachment B - Information Privacy Principle 4

Principle 4

Storage and security of personal information

A record-keeper who has possession or control of a record that contains personal information shall ensure:

  • That the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and
  • That if it is necessary for the record to be given to a person in connection with the provision of a service to the record keeper, everything reasonably within the power of the record-keeper is done to prevent unauthorised use or disclosure of information contained in the record.

Last Modified: Wednesday, 14 April 2004
