We use cookies to analyse traffic and to improve your browsing experience on our website. To find out more, read our privacy policy.

News Join our team Contact us

  • On this page

Published:  

Part 1: Executive Summary

This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the Australian Tax Office (ATO) in its role as operator of the myGovID mobile application (myGovID) and its compliance with requirements under Australian Privacy Principles (APPs) 1.2 and 11.2.

1.2 myGovID forms part of the Australian Government’s Digital ID System (AGDIS). Digital Identity (also known as Digital ID) is a voluntary way for Australians to prove their identity online and access a range of Government services.

1.3 The objective of this assessment is to determine whether the ATO is taking reasonable steps to destroy or de-identify biometric information in accordance with APP 11.2. The assessment has also sought to determine whether the ATO is taking reasonable steps as required under APP 1.2 to ensure compliance with APP 11.2.

1.4 Specifically in relation to the ATO’s role as the operator of myGovID, and as an identity and credential provider in the AGDIS, the assessment has focussed on the following matters:

  • The steps being taken by the ATO and relevant contracted service providers to destroy or de-identify biometric information in accordance with APP 11.2.
  • The steps undertaken by the ATO to implement practices, procedures and systems under APP 1.2 to ensure compliance with APP 11.2 in relation to biometric information. This includes a review of information handling arrangements relevant to the destruction or de-identification of biometric information by the ATO and relevant contracted service providers, such as related practices, policies, procedures, systems, governance, risk management and training.
  • Compliance with the Trusted Digital Identity Framework (TDIF), particularly requirements surrounding the retention and destruction of biometric information.

1.5 The assessment has found that the ATO is destroying biometric information in accordance with APP 11.2 and the TDIF requirements. Furthermore, the ATO has the relevant TDIF exemptions where required.

1.6 This assessment has found that the ATO largely has practices, procedures and systems in place to implement the destruction of biometric information in line with the TDIF and APP 11.2. However, the OAIC has identified one medium privacy risk associated with APP 1.2 and APP 11.2 and has made one recommendation to address this privacy risk.

1.7 The OAIC has recommended that the ATO must update the Systems Security Plan (SSP) to specify how biometric materials (including biometric information) are destroyed and outline security features employed to ensure their destruction.

Part 2: Introduction

Background

The AGDIS, ATO and myGovID

2.1 The AGDIS is an optional network of trusted and TDIF[1] accredited entities who work together to provide a safe, secure, and convenient method for individuals to prove who they are online.[2] The AGDIS is delivered by several Australian Government agencies including Services Australia and the ATO. At the time of the assessment, the system was comprised of the myGovID system[3] and the Relationship Authorisation Manager (RAM)[4] service, both operated by the ATO. Services Australia operate the Identity Exchange. The Department of Finance and the Attorney-General’s Department oversee various technological, administrative, policy, and (following the commencement of draft legislation)[5] legal measures which ensure the effective operation of the system.

2.2 The ATO has been onboarded onto the AGDIS as the operator of myGovID and in this capacity has received TDIF accreditation as an identity provider and credential provider. The ATO also performs the function of an attribute provider for the AGDIS via its TDIF accredited RAM service (out of scope of this assessment).

Previous digital identity assessments

2.3 The OAIC received funding in 2022-23 and 2023-24 to conduct privacy assessments of the AGDIS and to develop relevant guidance material. This funding was provided to assist in mitigating privacy risks within the AGDIS and to provide assurance to the Australian public about the privacy protections built into the system.

2.4 The OAIC’s first digital identity assessment commenced in February 2022 and examined whether Services Australia, in its capacity as the operator of the Identity Exchange for the AGDIS, was handling personal information in accordance with APP 1.2. The report for this assessment was published on 16 February 2023.[6]

2.5 This report is for the OAIC’s second digital identity assessment.

2.6 A third OAIC digital identity assessment commenced in February 2024 and is scheduled to be finalised in 2024-25.

Part 3: Observations

Collection of biometric information

3.1 myGovID is delivered in the form of an app that individuals download onto their smart device to prove their identity when accessing a range of government online services.

3.2 As an identity provider, the ATO, through myGovID, creates, maintains, or manages information about an individual’s identity and offers identity-based services. myGovID helps to boost relying parties’ confidence in an individual’s digital identity by collecting, verifying, and validating attributes that confirm an individual’s identity to an appropriate level, known as identity proofing level (IP).

3.3 The ATO is accredited under TDIF for IP 1 (basic, which involves self-asserted identity), IP 2 (standard, requires 2 or more identity documents to verify an identity), and IP 3 (strong, requires verification of 2 or more identity documents plus biometric matching against an Australian Passport image). IP3 is required for services where the risks of getting identity verification wrong will have high consequences to the individual or the service, for example access to welfare and related government services. At the time of the assessment, the ATO was the only identity provider for the AGDIS.

3.4 The ATO, also through its myGovID system, is a credential provider,[7] as it generates, binds (process of linking the credential with the digital identity) and distributes credentials to individuals or can bind and manage credentials generated by individuals.[8] For digital services in which the digital identity can be reused and return visits to a particular service relying on the digital identity are applicable, successful authentication of myGovID provides risk-based assurances that the individual accessing the service today is the same individual who accessed the service previously. The robustness of this confidence is described by a credential level (CL) categorisation in TDIF, of which there are 3 levels. The ATO is accredited for CL2 (requires proof of possession and control of 2 different authentication factors – also known as multi-factor authentication) and provides a medium level of confidence that the individual controls a credential bound to their Digital Identity. At the time of the assessment, the ATO was the only credential provider for the AGDIS.

3.5 In August 2021, the ATO entered into a participation agreement with the Department of Home Affairs (HA) to use their Face Matching Services (FMS)[9]. The FMS involves the Facial Verification Service (FVS) biometrically matching the individual’s image against a specific government record. For example, using myGovID an individual may be able to electronically verify their identity by comparing their facial image and personal information against their Australian passport held by the Department of Foreign Affairs and Trade (DFAT).

3.6 In February 2021, the ATO entered into a contract with iProov Limited (iProov) as the preferred vendor to supply the ATO with the liveness detection software to support biometric matching through facial verification in myGovID. Also known as ‘anti-spoofing’ or ‘liveness checking’, biometric liveness testing describes a range of techniques used to ensure that a digital identity system is reading a true biometric source - for example, an actual eye, thumbprint, or human face that is live and present at the time of capture rather than a false or recreated biometric source. Biometric images and photographs are also disclosed to third party providers as part of the verification process and are destroyed within 14 days.

3.7 With respect to myGovID, a ‘liveness stream’ is taken via the use of the camera on an individual’s mobile device. The application of this is two-fold:

  • the stream both verifies that the image is coming from a true biometric source; and
  • a still image is taken from this stream for verification purposes.

3.8 The image taken from the liveness stream is temporarily held for the purpose of comparison to the passport photograph, held by DFAT. The ATO advised that at  no time does the ATO hold the image data from the passport photograph: the image data taken via the liveness stream is provided to HA, which in turns sends an affirmative or negative response to the ATO via the myGovID app.

3.9 The image used from the liveness stream is held in a separate database, which runs parallel to the main database (holding all other components used for the functioning of the app). The parallel database is not subject to backups.

Destruction of biometric information

3.10 The ATO advised that:

  • Once verification has taken place, the affirmative or negative response is retained by the ATO and the image data from the liveness stream image is destroyed.
  • iProov may hold biometric information for 14 days in circumstances where the image is suspicious or inconclusive. If the image is held in these circumstances, iProov may use it for performance validation and testing purposes. Both the ATO and iProov have been granted an exemption by the Interim Oversight Authority for the AGDIS (at the time of the assessment, the Department of Finance) from TDIF privacy requirement PRIV-03-08-02(a), which states that an identity service provider must destroy biometric information it collected for identity proofing purposes, immediately after the process is complete. This exemption allows the ATO and iProov to hold biometric information collected throughout the verification process for up to 14 days.
  • The ATO has received advice that biometric information collected in relation to myGovID does not constitute a ‘Commonwealth record’, as defined in s 3 of the Archives Act 1983 (Cth) (Archives Act), and therefore the ATO is required to take reasonable steps to destroy or de-identify the personal information under APP 11.2. The ATO considers that the liveness stream image falls under it’s ‘Normal Administrative Practice – ‘Destroying Low Value Information Policy’.
  • Amazon Web Services (AWS) provides the IT infrastructure for the myGovID app. An AWS snapshot occurs every 5 minutes. This snapshot is a point-in-time copy of the data held for the purposes of myGovID, and can be used to enable disaster recovery, migrate data across regions and accounts, and improve backup compliance. This holistic snapshot is deleted every 14 days. This snapshot would only contain biometric information in the event a user was midway through the facial verification process when the snapshot was taken.
  • The parallel database in which the ATO holds biometric information is also subject to a daily ‘scan’ to ensure it is empty and that no biometric information has inadvertently been retained.

Part 4: Findings

4.1 The OAIC has found that the image from the liveness stream is held by iProov and the ATO during the verification process. The ATO provided evidence that iProov retains an image from the liveness stream in circumstances where authentication is not effectively completed. The image is retained to assess whether there may be an attack on the system. Accordingly, it can be said to be ‘held’ for the purposes of APP 11.2.[10]

4.2 The OAIC is satisfied that the ATO and iProov are satisfactorily destroying the biometric information they hold in line with APP 11.2 and the TDIF requirements. The ATO provided evidence that the images retained during the authentication process are destroyed within 14 days. Further measures, such a recurrent data sweep of the location where the images are held, also ensures that the biometric information is destroyed.

4.3 The risks surrounding the use of a contractor (iProov) are being appropriately managed by a number of measures, including:

  • Frequent data sweeps of biometric information held by iProov
  • Access controls in place in accordance with the iProov Access Control Policy. This includes the use of Virtual Private Network sessions, unique credentials and restricted access amongst other measures
  • Audits such as the IRAP Assessment Report supplied by the ATO. These audits also include security testing
  • Contract management of the contract between the ATO and iProov

4.4 The ATO has largely implemented practices, procedures and systems in order to ensure compliance with APP 11.2 and the TDIF in accordance with APP 1.2. These are outlined in the aforementioned policies and measures as well as the ATO policies and procedures supplied to the OAIC in the course of this assessment. However, the OAIC has identified one medium privacy risk associated with APP 1.2 and APP 11.2.

4.5 The TDIF protective security requirement PROT-04-01-11a(b) requires identity service providers to include in their SSP:

“…strategies to implement Cyber Security Risk management and maintain a positive Cyber Security Risk culture.”

4.6 The TDIF accreditation process and compliance with TDIF privacy and protective security requirements will be considered by the OAIC as a reasonable step under the APPs, especially considering proposed digital identity legislation will likely make these requirements legally binding.

4.7 Further, the destruction of biometric information in line with APP 11.2 acts as a means of managing cyber security risks. Destruction of biometric information is referred to in several of the provided system, process and architectural documents. However, the specific steps taken in order to ensure that the AWS snapshots (which may include biometric information) are not inadvertently retained, are not outlined. While measures are in place to ensure that this snapshot is not retained (i.e. data sweeps), the process itself is undocumented. Failure to outline this specific process in their SSP increases the risk that the ATO will miss the important step of destroying these materials. The ATO, as the operator of the myGovID app is handling a large amount of sensitive biometric information which is no longer required once a match has been verified. Failure to destroy this information raises the risk of the information being subject to an unauthorised use or disclosure and will likely have an adverse or negative impact upon the handling of many individuals’ personal information.

4.8 Clearly documenting how biometric material is disposed of, and the checks in place to ensure this destruction, will ensure specific privacy measures are in place to manage the risks associated with handling biometric information. It will also enable knowledge sharing and create consistency in the management of this information. The SSP should outline:

  • the locations where biometric information may be held
  • how and when this information is destroyed; and
  • the checks and audits that are in place to ensure the biometric information is destroyed and the frequency of these checks and audits.

4.9 These changes to the SSP may increase the security classification of the SSP.

4.10 The OAIC has made one recommendation below to address this privacy risk.

Recommendation 1: The ATO must update the Systems Security Plan (SSP) to specify how biometric materials (including biometric information) are destroyed and outline security features employed to ensure their destruction.

Part 5:  Recommendations and responses

Recommendation 1: The ATO must update the Systems Security Plan (SSP) to specify how biometric materials (including biometric information) are destroyed and outline security features employed to ensure their destruction.

5.1 ATO Response:

Recommendation: Accepted.

The SSP was previously updated to reflect the destruction of biometric information, however this will now be strengthened to reflect the intent of the findings.

The update will provide the following detail:

  • the locations where biometric information may be held
  • how and when this information is destroyed; and
  • the checks and audits that are in place to ensure the biometric information is destroyed and the frequency of these checks and audits.

Timing: End of October 2024.

Part 6: Description of assessment

Objective and Scope

6.1 The objective of this assessment was to determine whether the ATO, in its role as the operator of the myGovID is taking reasonable steps to destroy or de-identify biometric information in accordance with APP 11.2. The assessment also sought to determine whether the ATO is taking reasonable steps as required under APP 1.2 to ensure compliance with APP 11.2.[11]

6.2 Specifically in relation to the ATO’s role as the operator of the myGovID app, and as an identity and credential provider in the AGDIS, the assessment focussed on the following matters:

  • The steps being taken by the ATO and relevant contracted service providers to destroy or de-identify biometric information in accordance with APP 11.2.
  • The steps undertaken by the ATO to implement practices, procedures and systems under APP 1.2 to ensure compliance with APP 11.2 in relation to biometric information. This included a review of information handling arrangements relevant to the deletion or de-identification of biometric information by the ATO and relevant contracted service providers, such as relevant practices, policies, procedures, systems, governance, risk management and training.

6.3 The assessment’s scope did not include:

  • a physical review or testing of the technical controls and capabilities of the ICT systems used by the ATO or contracted service providers to operate or support myGovID
  • examination of the acts and practices of the ATO as an attribute provider in the AGDIS, specifically its RAM service
  • identity (documents or biometrics) verification services operated by the Attorney-General’s Department (AGD) and leveraged by the AGDIS.

6.4 When assessing the reasonable steps required under APP 11.2, the assessment considered relevant obligations under the ATO’s TDIF accreditation with respect to myGovID.

Privacy risks

6.5 Where the OAIC identified privacy risks and considered those risks to be high or medium risks, according to OAIC guidance (see Appendix A), the OAIC makes recommendations to the ATO about how to address those risks. These recommendations are set out in Part 5 of this report.

6.6 The OAIC assessments are conducted as a ‘point in time’ assessment; that is, our observations and opinions are only applicable to the time period in which the assessment was undertaken.

6.7 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’. Chapter 9 of the OAIC’s Guide to privacy regulatory action provides further detail on this approach.

Conduct of the assessment

6.8 The OAIC conducted a risk-based assessment of the ATO in its role as the operator of the myGovID in accordance with APP 11.2.

6.9 The assessment involved the following:

  • review of relevant documents provided by the ATO
  • fieldwork, which included virtual interviews of key members of staff through videoconferencing platforms in July 2023.

Reporting

6.10 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.

Assumptions and Caveats

6.11 This report is not an endorsement of the myGovID app by the OAIC, or any other ATO product or service.

Part 7: Appendices

Appendix A – Privacy risk guidance

Privacy risk rating

Entity action required

Likely outcome if risk is not addressed

High risk

Entity must, as a high priority, take steps to address mandatory requirements of Privacy and related legislation

Immediate management attention is required

This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit, privacy safeguard, or not likely to meet significant requirements of a specific obligation, for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity, policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies)

Medium risk

Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy and related legislation

Timely management attention is expected

This is an internal control or risk management issue that may lead to the following effects

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit privacy safeguard or meets some (but not all) requirements of a specific obligation)
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities
  • Possible ministerial involvement or censure (for agencies)

Low risk

Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy and related legislation

Management attention is suggested

This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit privacy safeguard, Part VIIIA)
  • Minimum compliance obligations are being met

[1] The TDIF is an accreditation framework for digital ID services. It sets out the requirements that applicants need to meet to achieve accreditation. The accreditation framework and process ensure all identity providers meet strict rules and standards for usability, accessibility, privacy, security, risk management, and fraud control. Further information about the TDIF accreditation program can be read here: Trusted Digital Identity Framework (TDIF) | Digital Identity .

[5] On 16 May 2024, the House of Representatives passed the Digital ID Bill 2024 and Digital ID (Transitional and Consequential Provisions) Bill 2024. The Bills received Royal Assent on 30 May 2024 and the Acts are expected to commence by 30 November 2024. The new legislation essentially legislates the TDIF and includes additional measures to strengthen the voluntary Accreditation Scheme for digital ID service providers that wish to demonstrate compliance with best practice privacy, security, proofing and authentication standards. The new law will legislate and enable expansion of the AGDIS for use by the Commonwealth, state and territory governments and eventually private sector organisations. It will also embed strong privacy and consumer safeguards, in addition to the Privacy Act to ensure users are protected strengthen governance arrangements for the Accreditation Scheme and the AGDIS, including by establishing the Australian Competition and Consumer Commission (ACCC) as the Digital ID Regulator, and expanding the role of the Information Commissioner to regulate privacy protections for digital IDs. For more detail see: https://www.digitalidentity.gov.au/legislation.

[7] Credentials are pieces of evidence that confirm an individual's claimed identity. For example, a driver's license or an online ID and password tie the credential owner to his or her identity. The TDIF defines ‘credential’ as the technology used to authenticate a user’s identity and this may involve a memorised secret (e.g., password or PIN), cryptographic key, or other form of secret. See TDIF Glossary at: TDIF 01 Glossary of Abbreviations and Terms (digitalidentity.gov.au).

[8] Credential or authentication management systems can involve the application of 3 factors: something you know (e.g., password), something you have (e.g., ID badge or cryptographic key) or something you are (e.g., a fingerprint or other biometric data). Multi-factor authentication (MFA) refers to the use of more than one of these factors. The strength of a credential system is largely determined by the number of different factors applied by the system – the more factors applied, the more robust a system.

[9] The FMS hub is one of the identity verification facilities under the Identity Verification Services Act 2023 (Cth) which is now managed by the Attorney-General’s Department.

[10] An entity holds personal information ‘if the entity has possession or control of a record that contains the personal information’ (s 6(1)). The term ‘holds’ extends beyond physical possession of a record to include a record that an APP entity has the right or power to deal with. Whether an APP entity ‘holds’ a particular item of personal information may therefore depend on the particular information collection, management and storage arrangements it has adopted. For example, an entity that outsources the storage of personal information to a third party, but retains the right to deal with that information, including to access and amend it, holds that personal information.

[11]APP 1.2 - An APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity’s functions or activities that:

  1. will ensure that the entity complies with the Australian Privacy Principles and a registered APP code (if any) that binds the entity; and
  2. will enable the entity to deal with inquiries or complaints from individuals about the entity’s compliance with the Australian Privacy Principles or such a code.

APP 11.2 - If:

  1. an APP entity holds personal information about an individual; and
  2. the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this Schedule; and
  3. the information is not contained in a Commonwealth record; and
  4. the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information;

the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.

OAIC logo
Contact us 1300 363 992

Monday to Thursday 10 am to 4 pm (AEST/AEDT)

Acknowledgement of Country

The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present.

© Commonwealth of Australia