Security monitoring is considered a joint responsibility between the ATO and DSPs. Where a system you develop or administer experiences a data or identity breach, you must notify us immediately. We will work with you to minimise the impact and help protect client information.

A data or identity security breach may include:

  • Identity details being accessed or seen by an unauthorised third party.
  • Identity details being lost or stolen due to illegal access through third-party activity (e.g. common online threats such as malware, spyware or ransomware).
  • Mistakenly providing information to the wrong person, for example sending details out to the wrong email address.
  • A breach of a third-party product or service which integrates with a DSP's API (application programming interface).

The ATO must be notified immediately where a DSP identifies a breach through its own monitoring controls or has been informed directly by a client or third party. To report a breach, you can contact us via Online Services for DSPs or by emailing

You will need to provide the following information to assist us in taking immediate action to limit the damage and identify the source of the threat:

  • appropriate contact person (specialist IT security/fraud representative)
  • nature of the incident
  • number of affected records
  • date and timestamp
  • session ID reference
  • host services (Internet Service Provider/IP address)
  • device ID (ESID) if available
  • TFN information
  • non-TFN information (name/address/biographical information)
  • product name and type (desktop or cloud)
  • data file format (CSV or encrypted)

Awareness of other obligations

In addition to the requirements of the Framework, DSPs need to be aware of their obligations under:
