This page provides a detailed list of terms applicable to the use of ATO digital wholesale services. This includes services provided through ATO Standard Business Reporting (SBR) and ATO API Portal. Other terms may be contained within service specific documentation. This page is intended for DSPs who are consuming or planning to consume these ATO digital wholesale services.
The Bulk Data Exchange (BDE) platform has a different set of terms and conditions. Developers for this platform should refer to the Data Transfer Facility terms and conditions.
When we say:
- we, us and our – we mean the Australian Taxation Office (ATO)
- you and your – we mean you as the Digital Service Provider (DSP)
- ATO digital wholesale services – we mean the electronic data system that we provide
- End user – we mean business entity and each individual sender
- End user product – we mean a software product created or developed for use by end users, which could include other Digital Service Providers.
Find information about the legislative and operational restrictions on using our digital services including:
- Who can and can’t use our services: legal disclosure of information
- General Terms
- Authentication and Authorisation
- Branding and Copyright
- Service specific terms and conditions
- The next step: register on the ATO support system
- Contact us
Division 355 of the Taxation Administration Act 1953 and Part 1 of the Superannuation Industry (Supervision) Act 1993, prohibits us from disclosing protected information about the tax or superannuation affairs of a particular entity except in certain specified circumstances.
Entities are not able to give consent to protected information being shared with third parties unless they are a covered entity such as a tax agent and in the approved form. Even if an entity gives consent, we cannot disclose their information outside of these circumstances.
We only grant access to our APIs where you provide a service that supports entities to meet their reporting obligations. You must therefore consider the intended business purpose of the proposed service, verifying that the intended client or user will be:
- a business client - for the purpose of managing their taxation, payroll, superannuation, and/or registry affairs
- an intermediary or tax professional (such as a tax agent, BAS agent or Payroll provider) - for the purpose of administering taxation affairs
- a superannuation fund (trustee, or a representative) - for the purpose of administering superannuation obligations.
Who can’t use our services: unsupported business models
Some unsupported business models include providing software services:
- directly to individual taxpayers to lodge their own returns
- interacting with ATO online systems. Systems such as myTax, do not allow and have not been designed for external, third-party software interactions
- directly to a third-party to obtain an individual/businesses ATO data and sharing that data with another entity
- directly to individuals to obtain their own ATO data and share with another entity
Examples of these business models could be software services:
- that enable individuals to lodge a basic income tax return without an agent
- for credit reporting agencies or loan brokers to verify income and employment details
- for financial planners to access ATO data for their clients, when they are not also intending to represent their client as a tax/BAS agent
Conditions of use
You agree to these Conditions of use when you register to be a Digital Service Provider (DSP) with us. They establish:
- the terms under which the ATO makes its developer material available,
- our expectations of you,
- our right to manage our systems, and
- that we have no obligation to provide access to our services.
SBR and ATO API Portal each have their own conditions:
Reasonable Use of ATO digital wholesale services
The Reasonable Use policy outlines the expectations on reasonable use of ATO digital wholesale services. This policy complements service specific usage restrictions described within relevant business implementation guides, to ensure high levels of availability and responsiveness for all users.
Access to ATO digital wholesale services is managed through DSP product whitelisting. Whitelisting grants access to ATO production or test environments. The whitelisting process commences with registration of an organisation in Online Services for DSPs, at which point your representative will make declarations, authorisations, and acknowledgements around the responsible consumption of ATO digital wholesale services. Final whitelisting is dependent upon acceptance of these conditions, and there are requirements to which you must adhere to maintain whitelisted status.
Upon whitelisting, we will provide you with a unique Product ID for each of your products to include in messages transmitted to the ATO. A Product ID should not be used for multiple products. You are issued separate Product IDs for the testing and production environments. These may only be used to access their respective environment. Product IDs must be kept confidential and secure to ensure they are used only for their intended purpose.
De-whitelisting is the process of suspending or revoking access to ATO production or test environments. A product may be de-whitelisted where:
- it is not compliant with our requirements
- the service generates a significant number of unexpected technical errors resulting in data issues, or
- a cyber incident presents a risk to our digital wholesale channel, ATO reputation or taxpayers.
End users of your product/s must accept our End-User Agreement. This agreement sets out the rights and restrictions in using ATO digital wholesale services.
SBR and API Portal each have their own agreements:
ATO Service Support Versioning Strategy
Over time SBR services will change or be replaced to accommodate legislative, policy and technology changes. We will endeavour to work with you to minimise the impact these changes may have on your products. For further details, you should refer to this versioning strategy.
This section provides information on how to interact with our digital wholesale services securely and responsibly.
Our digital services present a range of service opportunities but also pose some risks and security implications. It is crucial that we work in partnership with you to protect the integrity of the tax, super and registry systems for the Australian community.
The ATO DSP Operational Security Framework and industry specific guidelines (such as Essential 8) support the protection of ATO systems and client data against cyber threats. You must provide detail on how your product meets the requirements of the DSP Operational Security Framework.
DSP Operational Security Framework (OSF)
The DSP Operational Security Framework (OSF) sets out a minimum level of security requirements that you must meet to access ATO digital wholesale services.
The OSF uses a risk scaled model to determine the security controls required for your product or service. The following pages provide more information on the risk scaled model, and security control requirements:
- Meeting the requirements | ATO Software Developers
- Requirements for products and services | ATO Software Developers
There are ongoing expectations that you maintain your compliance with the DSP OSF. Requirements for maintaining your compliance include, but are not limited to, that you must:
- notify us as soon as practicable of significant changes to your business or product environment
- hold a current certification (both independent and self-assessed) and take appropriate steps to update and supply us with a current copy of your certification, and
- undertake annual reviews to ensure you remain compliant with the DSP OSF.
Failure to maintain your compliance can result in de-whitelisting. You can find out more about maintaining compliance and what happens if you don’t on the maintaining compliance page.
Where a data breach is identified you must contact us immediately to ensure appropriate action can be taken. A data breach occurs when personally identifiable information (PII) an entity holds is subject to unauthorised access or disclosure to an unknown party. You should refer to the data breaches page for information on reporting data breaches, and our actions.
The security monitoring requirement seeks to minimise the impact of cyber incidents by having controls in place to detect, prevent and respond to cyber-attacks. Monitoring is considered a joint responsibility between you and the ATO. The ATO conducts monitoring at the network, application, and transaction layers. If anomalies or areas of concern are identified, we may re-assess your whitelisting suitability. We will contact you or your representative before making changes to your whitelisted status unless exceptional circumstances apply.
You have a responsibility for supporting clients to maintain the privacy of personal information, including tax file numbers (TFNs).
Under the TFN rule under section 17 of the Privacy Act 1988, sharing an individual’s TFN with a third party is generally not permitted. Office of the Australian Information Commissioner provides guidance on the rule that may assist you.
All ATO digital wholesale services (including SBR and ATO API Portal) use the myGovID Machine Credential to authenticate transactions with the ATO. The myGovID Machine Credential (known hereafter as M2M credential), positively identifies an organisation (with an ABN) that has initiated the transaction to the ATO.
AUSkey Software Developer Kit (ADK) – Developer and End-User Licences
ATO digital wholesale services that use the SBR channel, can use the AUSkey Software Developer Kit (or ‘ADK’) to manage the keystore and generate security tokens using the M2M credential. The ADK includes licences that outline restrictions to the distribution, sub-licencing, modification, or derivation of the source code of the SDK or the Software.
Cloud Software Authentication and Authorisation (CAA)
Software products that do not utilise your client’s M2M credential (such as Software as a Service) must implement the Cloud Authentication and Authorisation (CAA) solution. In addition to a Product ID which identifies your product to the ATO, each subscription or instance of your software also needs an ID to validate the authorisation between the reporting party, the DSP and the ATO.
A Software Subscription ID (SSID), commonly referred to as a Software ID, is a unique ID that is used to identify each unique subscription or instance of software. SSIDs must be kept confidential and secure to ensure they are used only for the purpose of transmitting data securely between the ATO and the product.
You should refer to the information kit for the relevant policies, conditions, requirements, and further information around the implementation and use of SSIDs.
This section provides information on the use of the Australian Government logo, the Commonwealth Coat of Arms, and the ATO’s default copyright license.
The Australian Government Branding Guidelines help departments and agencies ensure consistent application of the Australian Government logo to products such as official documents and publications.
Commonwealth Coat of Arms
The Commonwealth Coat of Arms page provides guidelines for its use, as well as information on its history and significance.
The ATO’s copyright licence sets out the use of certain ATO materials, such as the ATO Digital Services Gateway Mark and SBR Mark. You should refer to this information to understand the authorisations provided for the materials available on ATO websites.
You must be aware of the terms specific to the service/s you are consuming or intend to consume. Many of these can be found on the corresponding SBR and ATO API Portal pages for these services, and the appropriate business implementation guides.
Super services have additional legislation and terms you must be aware of. This includes, but is not limited to:
- the SuperStream legislation, which establishes a framework to implement the super data and payment standards
- the terms and conditions, and user guides for super services offered through ATO digital wholesale services, and
- rules and regulations around providing and using tax file numbers (TFNs) in the super system.
Review the information on Online services for DSPs and register for access to the non‑live test environment, obtain specifications, and access support from the DPO to help guide you through the build process.