Security monitoring is considered a joint responsibility between the ATO and DSPs. Where a system you develop or administer experiences a data or identity breach, you must notify us immediately. We will work with you to minimise the impact and help protect client information.
A data or identity security breach may include:
- Identity details being accessed or seen by an unauthorised third party.
- Identity details being lost or stolen through illegal third-party access (for example via common online threats such as malware, spyware or ransomware).
- Mistakenly providing information to the wrong person, for example sending details out to the wrong email address.
- A breach of a third party product or service which integrates with a DSP's API (application programming interface).
The ATO must be notified immediately where a DSP identifies a breach through its own monitoring controls, or is informed of one directly by a client or third party. To report a breach, you can contact us via Online Services for DSPs or by emailing DPO@ato.gov.au.
You will need to provide the following information to assist us in taking immediate action to limit the damage and identify the source of the threat.
- appropriate contact person (specialist IT security/fraud representative)
- nature of the incident
- number of affected records
- date and timestamp
- session ID reference
- hosting services (Internet Service Provider/IP address)
- device ID (ESID) if available
- TFN (tax file number) information
- non-TFN information (name/address/biographical information)
- product name and type (desktop or cloud)
- data file format (CSV or encrypted)
Awareness of other obligations
In addition to the requirements of the Framework, DSPs need to be aware of their obligations under:
- Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Privacy Act).
For further information on the Notifiable Data Breaches scheme, please refer to https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
- Australian Privacy Principles, contained in Schedule 1 of the Privacy Act.
For further information on the Australian Privacy Principles, please refer to https://www.oaic.gov.au/privacy-law/privacy-act/australian-privacy-principles