Under the Privacy (Tax File Number) Rule 2015, which regulates the collection, storage, use, disclosure, security and disposal of individuals’ Tax File Number (TFN) information, six specified Australian Government agencies have obligations to make a range of information publicly available in relation to how TFN information is to be handled.
These agencies include the:
- Commissioner of Taxation/Australian Taxation Office (CoT)
- Australian Prudential Regulation Authority (APRA),
- Department of Human Services (DHS),
- Department of Education and Training (DET),
- Department of Veterans’ Affairs (DVA) and
- Department of Social Services (DSS).
In 2016–17 the OAIC conducted an assessment which looked at how well these agencies meet their obligations to publish specified information under TFN Rules 13 and 14. The assessment involved a desktop review of each agency’s website and a targeted survey questionnaire sent to each agency.
During the assessment, the OAIC identified non-compliances relating to:
- publication of information about the prohibitions on the collection, recording, use and disclosure of TFN information (Rules 13(1)(d) and 14(1)(b))
- publication of information about the penalties that apply to unauthorised acts and practices relating to TFNs and TFN information (Rules 13(1)(e) and 14(1)(c))
- publication of information about where to find further detail about the matters set out in Rules 13(1) and 14(1) (Rules 13(1)(f) and 14(1)(d)).
The OAIC’s findings at the time of the assessment are summarised in the following table.
Rule | CoT | APRA | DHS | DSS | DET | DVA |
---|---|---|---|---|---|---|
13(1)(a),(b) Classes of recipients | Compliant | Compliant | n/a | n/a | n/a | n/a |
13(1)(c)/14(1)(a) Specific purposes | Compliant | Compliant | Compliant | Compliant | Compliant | Compliant |
13(1)(d)/14(1)(b) Prohibitions | Compliant | Steps taken to reach compliance[1] | Steps taken to reach compliance | Steps being taken to reach compliance[2] | Steps taken to reach compliance | Steps being taken to reach compliance |
13(1)(e)/14(1)(c) Penalties | Steps taken to reach compliance | Steps taken to reach compliance | Steps taken to reach compliance | Steps being taken to reach compliance | Steps taken to reach compliance | Steps being taken to reach compliance |
13(1)(f)/14(1)(d) Further info | Compliant | Steps taken to reach compliance | Compliant | Steps being taken to reach compliance | Steps taken to reach compliance | Compliant |
13(2)/14(2) Amendments | Compliant | Compliant | Compliant | Compliant | Compliant | Compliant |
13(3) Prescribed practices | Compliant | Compliant | n/a | n/a | n/a | n/a |
The OAIC has made recommendations to these agencies to ensure they meet their obligations to publish the specified information required by TFN Rules 13 and 14. The OAIC followed up with these agencies on their recommendations in 2018.
Footnotes
[1] ‘Steps taken to reach compliance’ means that the agency has already taken action to address the OAIC’s recommendation(s) after the assessment has concluded.
[2] ‘Steps being taken to reach compliance’ means that the agency is in the process of or will be taking action to address the OAIC’s recommendation(s) after the assessment has concluded.