Introduction

Last updated 2 April 2017

These guidelines are effective April 3 2017.

The Australian Government expects the ATO to create and maintain a security environment to protect its functions and official resources. The Australian Government Protective Security Policy Framework (PSPF) sets out the policies, practices and procedures that all Australian Government departments and agencies must comply with.

The security of our information is critical. Information security requirements apply to all ATO employees, and similar requirements apply to ATO contractors.

These information security guidelines are derived from the minimum mandatory requirements of the PSPF information security management core policy. They explain the practices and procedures contractors must follow to provide adequate security for the ATO information they access, process or store.

Departure from these guidelines must be authorised in writing by ATO Physical Security Management (or ATO IT Security Branch for electronic systems).

Policy

We are committed to preserving the security, privacy, confidentiality, integrity and availability of all information provided to us, or generated from within. This commitment is vital because:

  • our reputation as a responsible custodian of sensitive client information is integral to community confidence in our operations
  • the proper administration of the tax system depends on our ability to keep information secure
  • legislation administered by the Commissioner of Taxation imposes certain information security obligations
  • legislation, such as the Crimes Act 1914 and Privacy Act 1988, requires us to safeguard information
  • Australian Government policies make certain security procedures mandatory for all government agencies.

Applicability

Procedures within these guidelines apply to all contractors (which includes officers, employees, agents and subcontractors) or any other person or entity acting for the ATO and having custody of or access to ATO information. Use of the word 'contractor' within these guidelines applies equally to all such parties, including consultants and service providers.

Scope

These guidelines will support contractors who access, process, store or otherwise handle ATO information that is either unclassified or warrants a Dissemination Limiting Marker (DLM).

Additional protective security measures apply to security-classified material. ATO Physical Security Management and/or IT Security Branch must be consulted if access is required to information other than unclassified information or information bearing a DLM.

The contractor must appoint somebody who is responsible for the security of ATO information.

Contractors must deliver a plan that describes the security architecture of systems that will store, access or transmit ATO information before starting services. This plan must be approved by ATO IT Security.

Contractors must establish an IT security review process that measures compliance of IT systems and operations against the ATO IT Security Policy and the ISM and take corrective actions to address areas of non-compliance.

Defining and assessing ATO information

In the context of these guidelines, 'ATO information' includes data from any source and in any form, which is collected, received, stored or developed by the ATO, or by ATO employees and contractors. Our information may exist in a range of forms, including:

  • documents, papers and other printed or written material
  • electronic data
  • voice communications
  • video and audio recordings
  • any physical item from which information belonging to the ATO could be derived
  • intellectual knowledge.

We assess all of our information according to the degree of harm that may result if it were accessed without authority, lost, damaged, destroyed, altered or otherwise compromised. Based on this assessed degree of harm, or on other legislative requirements that restrict the distribution of the information, a protective marking is applied to the information. Protective markings include DLMs and security classifications. Authority to downgrade or upgrade the security classification of ATO information, or to remove its protective marking, rests exclusively with us.

Further information

Enquiries about these guidelines, or any security matter involving the ATO, should be directed through the relevant contract manager to ATO Physical Security Management (or for electronic systems, ATO IT Security branch).

QC17156