Security

Security monitoring is considered a joint responsibility between the ATO and DSPs. Where a system you develop or administer experiences a data or identity breach, you must notify us immediately. We will work with you to minimise the impact and help protect client information.

A data or identity security breach may include:

  • Identity details being accessed or seen by an unauthorised third party.
  • Identity details being lost or stolen through illegal access by a third party (e.g. common online threats such as malware, spyware or ransomware).
  • Mistakenly providing information to the wrong person, for example sending details out to the wrong email address.
  • A breach of a third party product or service which integrates with a DSP's API (application programming interface).

The ATO must be notified immediately where a DSP identifies a breach through its own monitoring controls or has been informed directly by a client or third party. To report a breach, you can contact us via Online Services for DSPs or by emailing DPO@ato.gov.au.

You will need to provide the following information to assist us in taking immediate action to limit the damage and identify the source of the threat:

  • appropriate contact person (specialist IT security/fraud representative)
  • nature of the incident
  • number of affected records
  • date and timestamp
  • session ID reference
  • host services (Internet Service Provider/IP address)
  • device ID (ESID) if available
  • TFN information
  • non-TFN information (name/address/biographical information)
  • product name and type (desktop or cloud)
  • data file format (CSV or encrypted)

Awareness of other obligations

In addition to the requirements of the Framework, DSPs need to be aware of their obligations under: