API risk ratings

• Access is only to generic data or data that is intended to be publicly available.

• Apply for advice or ruling.
• View Australian Business Register (ABR) data.

• An initial registration, where the request or submission results in creating registration data in the client register or ATO systems. This may include personal, sensitive or private data with the initial creation.
• A request or submission results in, or could result in:
• viewing or updating registration data in/from the client register or ATO systems. Data excludes personal, sensitive or private data
• providing account data attached/captured in the client register or ATO systems such as lodge Single Touch Payroll pay event or dividend/interest report.
• A user response does not contain personal, sensitive or private client data, such as a tax file number (TFN) or name, nor confirm through validation.

• Add a tax role
• View activity statement role
• Apply for Australian Business Number (ABN)
• Check ABN registration progress
• Third party transfer of data to ATO
• Tax file number declarations
• Taxable payments annual report (TPAR)
• Payment summary.

• A request or submission results in, or could result in viewing or updating account data in/from the client register or ATO systems. For example, returning an account/transaction list or updating a credit or debit position on an account.
• A response contains or could contain personal, sensitive or private client data that was provided as part of the users’ request. For example, a TFN is provided in the users request and is confirmed in the user response.
• A response validates by way of interaction with the client register or ATO systems personal, sensitive or private client data. For example, validating a TFN, address or financial institution account (FIA) in ATO systems.

• Account list
• Transaction list
• Lodgment list
• Fund validations service list
• Outcome of assessment data
• Lodge an activity statement or excise return.

• A request or submission results in, or could result in updating personal, sensitive or private client data in the client register or ATO systems.
• A response contains, or could contain personal, sensitive or private client data that was not provided as part of the users request. For example, additional information such as a TFN or FIA is provided in the user response.

• View and update address, contacts and FIA
• Get communication view
• Make payment plan (could update FIA)
• Lodge Income Tax Return (could update FIA and name)
• Lodge Fringe Benefits Tax Return (could update FIA and name)
• SuperTICK
• EmployerTICK
• Client pre-fill data.

Type of data contained in the  API

The type of data contained in an API can be classified into four groups:

• Public - considered to be generic and readily available in the public domain. For example, ABR public data.
   
• Registration - considered to be creating or updating the tax and/or super profile of the client. For example, applying for an ABN, adding or updating a GST or Excise registration.
   
• Account - considered to be any financial or non-financial data about the tax and/or super profile of the client. For example, reportable income, deductions, payments, offsets etc.
   
• Personal, sensitive or private - considered to be information about an identified individual or entity which could be used to identify who the client is or proof of record ownership (PORO). For example, TFN, address, FIA, contacts and non-public information from the ABR. See the Office of the Australian Information Commissioner (OAIC) website for more information. 

Type of data contained in the API response

For example, the response contains:

• only generic messaging or public data e.g. successful transmission or an ABN
• non interactive message validation without confirming client data
• interactive message validation confirming client data
• tax or super registration data
• tax or super account data
• personal or sensitive client data that was provided in the request
• personal or sensitive data that was not provided in the request.

Resulting action in the client register or ATO systems, based on the API request or submission

Examples include:

• information is provided and is only attached or captured against the client record
• the client record is updated
• information from the client record is returned to the user.

• Identity theft – for example, obtaining personal or sensitive information to steal or sell an identity.
• Personal gain – for example, obtaining personal or sensitive information to gain power or knowledge of another person.
• Commercial advantage – for example, obtaining business information to gain power or knowledge of a competitor.

• Directly obtaining refund – for example, updating FIA to obtain a refund.
• Indirectly obtaining refund – for example, adding a tax registration that could lead to a lodgment with a refund.

• Individual hack – for example, a malicious actor creates incorrect records on a client account to cause harm or nuisance.
• System hack – for example, malicious attempt to crash a service or system (denial of service attack).