ato logo
Search Suggestion:

How we undertake data matching on crypto assets

Find out about the systems and processes in data-matching activities around crypto assets.

Published 25 April 2024

Data-matching process

When required, our data-matching process uses both mainframe-based and mid-range applications that comply with an ATO-designed software solution (technical standard). The technical standard supports all our data-matching programs and aligns with OAIC guideline 4.7External Link.

We use over 60 sophisticated identity-matching techniques to ensure we identify the correct taxpayer when we obtain data from third parties. These techniques use multiple identifiers to obtain an identity match. The identity-matching process appends matching information to the original reported transaction to include an ATO identifier number and a 3-character outcome code that indicates to the user the level of matching confidence for the transaction. For example, where a name, address and date of birth are available, all items are used in the identity-matching process. Very high confidence matches will occur where all fields are matched.

Additional manual processes may be undertaken where high confidence identity matches don't occur or a decision taken to destroy data no longer required. Our manual identity-matching process involves an ATO officer reviewing and comparing third-party data identity elements against ATO information on a one-on-one basis, seeking enough common indicators to allow confirmation (or not) of an individual's identity. We commonly call this process manual uplifting.

Data analysts use various models and techniques to detect potential discrepancies, such as under-reported income or over-reported deductions. Higher risk discrepancy matches will be loaded to our case management system and allocated to compliance staff for actioning. Lower risk discrepancy matches will be further analysed, and a decision made to take some form of compliance or educational activity, or to destroy the data.

To maintain integrity of the administration of the tax and super systems, only staff with a direct and genuine ‘need to know’ can access the technical standards for our identity and discrepancy matching solutions.

Where administrative action is proposed, additional checks will take place to ensure the correct taxpayer has been identified. The taxpayers will be provided with the opportunity to verify the accuracy of the information before any administrative action is taken.

How we amend a return

We may use data to provide tailored messages for individual taxpayers in our online services. This will prompt taxpayers to check they are correctly meeting their reporting obligations.

In limited circumstances where we identify inadvertent mistakes, we may amend a tax return with the correct data that is available to us.

If you disagree with the decision we made about your information, you can request a review by lodging an objection.

After a return is lodged, where we identify a discrepancy that requires verification, we will contact the taxpayer usually by phone, letter or email. Taxpayers will have up to 28 days to verify the accuracy of the information and respond before we take administrative action.

For example, where discrepancy-matching identifies that a taxpayer may not be reporting all their income, but it appears they're reporting the income in another taxpayer's return, they will be given the opportunity to clarify the situation.

The data may also be used to ensure taxpayers are complying with their other tax and super obligations, including registration requirements, lodgment obligations and payment responsibilities.

In cases where taxpayers fail to comply with these obligations, after being reminded of them, we may instigate prosecution action in appropriate circumstances.

Where a taxpayer has correctly met their obligations, the use of the data will reduce the likelihood of contact from us.

In limited circumstances we may use data from a data-matching program to correct mistakes without notifying individuals in advance. When we do so, we will seek an exemption from the Australian Information Commissioner.

Making a privacy complaint

Our privacy policy outlines how we collect, hold and disclose data and explains what you can do if you're not satisfied with the way your information has been treated.

If you're not satisfied with how we have collected, held, used or disclosed your personal information, you can make a formal complaint.

For more information, see how we protect your privacy.

If you're not satisfied with the outcome of the privacy complaint, you can make a privacy complaint with the Office of the Australian Information CommissionerExternal Link.

QC101717