The following is the submission we made to the Information Commissioner.
The Australian Taxation Office (ATO) is seeking approval for the sharing economy - accommodation data-matching program 2016–17 to 2019–20 to vary from one or more of the conditions detailed in Guideline 10 of the Office of the Australian Information Commissioner’s (OAIC) (2014) Guidelines on data matching in Australian government administration (the Guidelines).
We are seeking to retain each financial year’s data for 5 years from receipt of the final instalment of verified data files from the data providers. We consider that a variation from the usual retention periods for this data-matching program is in the public interest as:
The retention period sought aligns with the requirement for taxpayers to keep their records.
This program will be subject to an evaluation within 3 years which is consistent with the requirements of Guideline 9.
Additional information justifying this variation is included in the tables below:
This section outlines matters considered against the requirements of Guideline 10.2 in seeking this variation.
Table 1: matters considered in accordance with Guideline 10.2Guideline | Matter considered | Consideration |
---|
10.2.1 | The effect of not abiding by the specified requirements of the Guidelines would have on individual privacy | - Retaining data for a period of 5 years increases the risk that an individual’s privacy could be breached. To diminish this risk the ATO has in place very secure processes for the handling and storage of data. Once acquired, all data will be stored on our secure computer systems where access is strictly controlled and full audit logs maintained.
- The ATO and our staff operate under stringent privacy and secrecy legislation that prohibits the improper access to or disclosure of protected information. These obligations are supported by significant penalties, including imprisonment. This substantially mitigates the risks of breaches of privacy.
|
10.2.2 | The seriousness of the administrative or enforcement action that may flow from the data-matching program | - An extension of the retention period will not affect the seriousness of the administrative action that may flow from the match, but will assist in detecting non-compliance or taxation fraud.
- Where we propose to take administrative action where a taxpayer may have reported incorrectly, we will differentiate between those that try to do the right thing and those that set out to deliberately avoid their obligations. Documented procedures, including the Taxpayers’ Charter and compliance model will be followed to ensure fairness and consistency.
|
10.2.3 | The effect that not abiding by the specified requirements of the Guidelines would have on the fairness of the program – including its effect on people’s ability to find out the basis for decisions that affect them and their ability to dispute those decisions | - There will be no effect on the fairness of the program or the ability of taxpayers to find out the basis of decisions that impact them or their ability to dispute those decisions.
- Before any administrative action is undertaken, taxpayers will be given at least 28 days to verify the accuracy of the information that has been derived from this data-matching program.
- Where administrative action is to be undertaken, we will adhere to the principles established in the Taxpayers’ Charter and compliance model to ensure an equitable and consistent approach is taken.
- If a taxpayer does not agree with an assessment, they maintain the right to dispute the decision. They also have the legal right to appeal against those decisions through the courts and tribunals.
|
10.2.4 | The effect that not abiding by the specified requirements of the Guidelines would have on the transparency and accountability of government operations | - There will be no adverse effects on the transparency and accountability of government operations.
- A program protocol is submitted to the Office of the Australian Information Commissioner and we will strictly adhere to the commitments in that document.
- We will publish a notice with general information about the program in the Federal Register of Legislation - Gazettes before administrative action commences. We will also make a copy of the program protocol available on our website.
|
10.2.5 | The effect that not abiding by the specified requirements of the Guidelines would have on compliance of the proposed program with the Australian Privacy Principles in the Privacy Act 1988 | - There will be no effect on compliance with the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 due to longer retention of the data. The data is collected solely for the stated objectives established in the data-matching program protocol.
|
10.2.6 | The effect that abiding by all of the requirements of the Guidelines would have on the effectiveness of the proposed program | - The effectiveness of the program would be reduced if the data retention period is not extended.
- There would be a significant reduction in our ability to detect incorrect reporting and taxation fraud without assessing trends in the data collected.
- The destruction of the data in accordance with the current guidelines would impact the integrity of the taxation system by:
- limiting our ability to identify taxpayers who may be subject to administrative action
- resulting in the loss of revenue
|
10.2.7 | Whether complying fully with the Guidelines could jeopardise or endanger the life or physical safety of information providers or could compromise the source of information provided in confidence | - Not abiding by all the requirements of the Guidelines would not influence or affect the personal safety of any individual identified as part of the program or compromise the source of the information provided in confidence.
|
10.2.8 | The effect that abiding by all the requirements of the Guidelines would have on public revenue – including tax revenue, personal benefit payments, debts to the Commonwealth and fraud against the Commonwealth | - Not allowing the variation to the data retention period of the current program would cause us to miss potential breaches of taxation laws and subsequent non-payment of tax. This would result in the Commonwealth foregoing taxation revenue.
- There are risks to the integrity of taxation system when people fail to comply with their obligations. Abiding by all of the requirements of the guidelines will reduce the effectiveness of the proposed compliance activity. We would miss the opportunity to educate those taxpayers trying to do the right thing, and deter those that are non-compliant from repeating the behaviour.
- The effect of abiding by all of the requirements in the guidelines could negatively impact both public revenue and the confidence the public and government have in the ATO as the administrator of the taxation system. Maintaining community and government confidence in the taxation system is critical to our ongoing role.
|
10.2.9 | Whether abiding by all of the requirements of the Guidelines would involve the release of a document that would be an exempt document under the Freedom of Information Act 1982 | - Upon receipt of a freedom of information request only information relating to the taxpayer’s own affairs will be released to the taxpayer concerned.
|
10.210 | The legal authority for conducting the proposed program in a way inconsistent with the specified requirements of the Guidelines | - There is no specific legislative power authorising the conduct of this program inconsistent with the Guidelines.
- The Commissioner of Taxation, or his authorised representative, has formed the opinion that this data is required to enable us to effectively and efficiently carry out its legislated functions under the general powers of administration contained in:
- Section 3A of the Taxation Administration Act 1953
- Section 8 of the Income Tax Assessment Act 1936
- Section 1–7 of the Income Tax Assessment Act 1997
- Section 356–5 in Schedule 1 of the Taxation Administration Act 1953
- The reasons for proposing to operate outside requirements of the Guidelines are detailed above.
|
This section outlines where we are being consistent with the requirements of the Guidelines.
Table 2: consistency with requirements of the GuidelinesGuideline | Purpose | Action taken/To be taken |
---|
Paragraph 6 | Status of the Guidelines | The commitment to complying with the Guidelines is embedded in our data management policies and principles and clearly stated in the chief executive instruction. |
Guideline 1 | Application of the Guide | We apply the guidelines for all data-matching programs where it is anticipated the program will include records of 5,000 or more individuals. We recognise that programs where there are multiple data sources but with common objectives and algorithms are treated as a single data-matching program. |
Guideline 2 | Considerations before conducting a data-matching program | We conduct a cost-benefit analysis and consider alternate methods prior to proposing to conduct a data-matching program. Further, we have rigorous governance arrangements, processes and system controls in place to protect the privacy of individuals. |
Guideline 3 | Prepare a program protocol | Prior to conducting a data-matching program, we prepare a data-matching program protocol, submit this to the Office of the Australian Information Commissioner and make a copy publicly available on the ATO website. When elements of a data-matching program change, the protocol is amended; a copy of the amended protocol is provided to the Office of the Australian Information Commissioner and updated on our website. |
Guideline 4 | Technical standards report | Documentation is prepared and maintained so as to satisfy the requirements of a technical standards report. |
Guideline 5 | Notify the public | We publish notification of our intention to undertake a data-matching program in the Federal Register of Legislation - Gazettes prior to the commencement of the program. This notice will include the following information as required by the Guidelines: - a brief description of the objectives of the data-matching program
- the matching agency and description of the data source involved in the data-matching program
-
- a description of the data contained in the data set involved in the data-matching program
- the categories of individuals about whom personal information is to be matched
- the approximate number of individuals affected
- reference to our privacy policy.
- Notification of the program is also published on our website and data providers are advised they can advertise their participation in the data-matching program.
|
Guideline 6 | Notify individuals of proposed administrative action | Prior to taking any administrative action as a result of the data-matching programs, individuals and other entities are given at least 28 days to verify the accuracy of the information provided to us by third parties. |
Guideline 7 | Destroy information that is no longer required | We are seeking to vary from this requirement. |
Guideline 8 | Do not create new registers, datasets or databases | We do not create new registers or databases using data obtained in the course of a data-matching program. |
Guideline 9 | Data-matching program evaluations | Programs are evaluated within 3 years of the commencement of the data-matching program. These evaluations are provided to the Office of the Australian Information Commissioner on request. |
Guideline 10 | Variations to guideline requirements | When we intend to vary from the requirements of the Guidelines we seek the approval of the Office of the Australian Information Commissioner and provide documentation to support the variance. |
Guideline 11 | Data matching with entities other than agencies | We undertake our own data-matching programs. This function is not outsourced. Where data is obtained from an entity other than an individual, we usually do so using our formal information gathering powers. In these instances the entities are advised they are able to notify their clients of their participation in the data-matching program. |
Guideline 12 | Data matching with exempt agencies | We do not usually undertake data matching with agencies that are exempt from the operations of the Privacy Act 1988 under section 7 of that Act and that are subject to the operation of the Guidelines (i.e. any data matching undertaken with an exempt agency would usually be for fewer than 5,000 individuals). In the event a data-matching activity would otherwise be subject to these Guidelines except for the exemption status, we still adhere to the principles of the Guidelines and prepare a program protocol, seeking to vary from the Guidelines by not publicly notifying of the program and publishing the protocol. We would still lodge a copy of the protocol with the Office of the Australian Information Commissioner. |
Guideline 13 | Enable review by the Office of the Australian Information Commissioner | We would not prevent the Office of the Australian Information Commissioner from reviewing our data-matching activities and processes. These activities and processes have been reviewed by the Australian National Audit Office and Inspector-General of Taxation. |