About this policy
The specific legal obligations of the Inspector-General of Taxation and Taxation Ombudsman (IGTO) and her officers when collecting and handling your personal information are outlined in the Privacy Act and the APPs contained in that Act. The IGTO and her officers are also subject to strict secrecy and confidentiality requirements, both within the Inspector-General of Taxation Act 2003 and various pieces of taxation legislation. These regimes operate independently of each other. The OIGTO manages information that we hold in accordance with both, and always to the highest threshold imposed in law.
Outline of this policy
‘Part 1 – Personal Information Management’ provides background on the functions and activities of the OIGTO and explains in general terms the kinds of personal information collected by us, how information is collected and how it is held. It also explains how you can request to see your personal information or to have details of your personal information corrected. This part also explains how you can lodge a complaint if you believe that your personal information has been mishandled, or there has been a breach of your privacy by us.
‘Part 2 – Records’ lists specific kinds of OIGTO records that hold personal information. It explains in further detail the management of personal information by reference to specific IGTO functions and activities, such as complaint handling and investigations. You can find out here what sorts of records we keep, what kinds of personal information are typically collected on these records, and the purpose for which this information is collected, held, used and disclosed.
‘Part 3 – Online’ explains the OIGTO’s personal information handling practices when a person visits our website.
Part 1 – Personal Information Management
Our obligations under the Privacy Act
1.1 The IGTO and her officers must comply with the Australian Privacy Principles (APPs) contained in the Privacy Act which regulate how agencies may collect, hold, use or disclose personal information, and how individuals may access and correct personal information held about them.
1.2 ‘Personal information’ is defined in the Privacy Act as:
…information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether the information is recorded in a material form or not.
1.3 Personal information also includes ‘sensitive information’, which is a particular category of personal information. This might include information relating to your health, racial or ethnic origin, political opinions, association memberships, religious beliefs, sexual orientation, criminal history, genetic or biometric information.
Functions and activities of the IGTO
1.4 The IGTO is empowered to:
- directly assist complainants to navigate the tax system by providing information and assurance about actions of concern by the Australian Taxation Office (ATO) and Tax Practitioners Board (TPB), providing information to complainants and presenting available options and referring matters to the most appropriate agency to assist complainants;
- investigate complaints about actions taken by a tax official that relate to administrative matters under a taxation law;
- investigate systems established by the ATO, or TPB, to administer taxation laws, including systems for dealing or communicating with the public generally or with particular people or organisations in relation to administrative matters under those laws;
- investigate systems established by taxation laws, but only to the extent that the systems deal with administrative matters;
- investigate actions taken by a tax official where they relate to administrative matters under a taxation law;
- investigate actions that are the subject of a complaint transferred to the IGTO by the Commonwealth Ombudsman;
- make recommendations to the ATO, the TPB and the Government in relation to matters that it has investigated; and
- publicly report on review investigations.
1.5 The functions and powers of the IGTO are set out in the Inspector-General of Taxation Act 2003 (IGT Act). The IGT Act refers to certain provisions of the Ombudsman Act 1976.
How does the OIGTO collect personal information?
1.6 We collect personal information primarily from the individual to whom the information relates or their authorised representative.
1.7 However, in our investigation work we have a broad discretion as to how to investigate matters, including the information that we can ask other agencies, persons or private entities to give to us. For example, to investigate a complaint about the ATO or the TPB it is usually necessary to collect personal information from those agencies, either directly from the officers of the agency or by remote access to their databases. If you make a complaint to us and we decide to investigate the complaint then you should expect that your personal information will be collected in this way. As part of this process we may also collect information about a person or entity associated with your complaint.
1.8 In carrying out our functions, we may collect personal information (including sensitive information) about you indirectly from publicly available sources – for example, court or tribunal judgments relating to you and your complaint – or from third parties such as your authorised representative, if you have one.
1.9 We may collect personal information as a result of face-to-face meetings, telephone conversations, in writing by mail, fax or electronic communication, photographs, video or telephone recordings, and through submissions or complaint forms through our website (see Part 3).
1.10 We also collect personal information in records made during complaint or review investigations, and in documents provided by agencies for the purposes of these investigations.
1.11 The OIGTO conducts a number of activities that are incidental to, and necessary for carrying out her statutory functions. These are best described as ‘corporate’ functions and include finance, accounting, procurement, reporting, employment and human resources activities. Therefore in connection with our corporate activities we collect personal information from a wide range of sources including from job applications of prospective staff, directly from our officers, other government agencies and private entities.
How does the OIGTO hold and store personal information?
1.12 We hold personal information that we collect in both electronic and paper records. We maintain a case management system as well as online shared hard drives which are hosted on secured servers. We take steps to ensure that personal information we hold is protected against unauthorised access, use, modification, disclosure, or other interferences. These steps include security clearances for all employees of the IGTO which are vetted by the Australian Government Security Vetting Agency within the Department of Defence. In addition, we use multifactor authentication for accessing our electronic systems, secure our paper files in locked cabinets, safes and secure areas, and adopt physical access restrictions. Access to our physical premises is controlled using identification cards and monitored using CCTV with security guards patrolling as required.
1.13 The case management system stores information in an interconnected fashion. This means that we can access personal information directly by searching for a person’s name, or indirectly, by searching with reference to a specific case number or another search parameters. Many of these search parameters are set up to enable ease of interaction with complainants who use our service as well as to assist the IGTO to comply with her reporting obligations.
1.14 Access to records containing personal information is permitted on a ‘need-to-know’, work-related basis only, and subject to restrictions based on security clearance levels. In some cases access will be more tightly restricted.
1.15 Where appropriate, senior management may authorise the creation of virtual barriers that prevent staff from physically accessing information contained in electronic records.
1.16 When no longer required, personal information is destroyed in a secure manner, or deleted, in accordance with the Archives Act 1983.
1.17 The OIGTO adopts and complies with Commonwealth and industry best practice in Information and Communication Technology (ICT) Security Management, including:
- Australian Cyber Security Centre (ACSC) information security guidelines;
- Digital Transformation Agency (DTA) Protected Utility program:
- Protective Security Policy Framework;
- Australian Government Information Security Manual; and
- ISO/IEC 27001:2013 – Information Technology – Security Techniques – Information Security Management Systems – Requirements
1.18 For the list of mandatory requirements that cover governance, personnel, information and physical security, please visit the Protective Security Policy Framework website.
What kinds of personal information does the OIGTO collect and hold?
1.19 In accordance with the APPs we collect personal information to enable us to carry out the IGTO’s functions and activities. We collect and hold personal information relating to a wide range of people, including taxpayers and tax practitioners.
1.20 In general the kind of personal information we collect about a taxpayer or tax practitioner may include:
- your and/or your client’s name;
- your or your client’s date of birth;
- electronic (email), postal, or street addresses for you and/or your client;
- your or your client’s telephone number;
- your or your client’s occupation; and
- details of the complaint you are lodging which may include other details regarding your tax, business or personal affairs that may be relevant to resolving the complaint.
1.21 We are also authorised to request, but you are not required to provide, your or your client’s tax file number (TFN) to us. We request a TFN so that we can get the complaint matter investigated more promptly. We do this by using it to identify your or your client’s records held by the ATO. We manage your TFN in accordance with the Privacy (Tax File Number) Rule 2015 and Taxation Administration Act 1953.
1.22 You may lodge a complaint with us anonymously or by adopting a pseudonym. However, if you do complain anonymously it may be difficult or impossible for us to investigate your complaint if the complaint relates to your specific tax affairs. We will tell you if we cannot investigate your complaint because you have not supplied sufficient identifying information.
1.23 If you do not supply a valid communication option, and it is not possible to contact you, we will generally not take any further action on your complaint. In these circumstances, any personal information you have supplied to us will be held on our systems in accordance with requirements under the Archives Act 1983.
1.24 We will only collect your sensitive information if:
- you agree to us collecting it and it is reasonably necessary for, or directly related to one of our functions or activities; or
- it is required or authorised by law or an order of a court or tribunal; or
- a ‘permitted general situation’ as defined in the Privacy Act exists.
1.25 From time to time, sensitive information may be made known to us without us requesting the information. In these circumstances, we may clarify with you whether you intended to provide that information and, if so, whether you wish for us to record it as a relevant matter in any complaint or review investigation. For example, as part of a complaint lodged with our office regarding how the ATO has managed your hardship application, you may provide information about health or medical issues.
For what purposes does the OIGTO collect, hold, use and disclose personal information?
1.26 In accordance with the APPs, we collect, hold, use and disclose personal information to enable the IGTO to carry out her functions and activities, including investigating complaints about the administrative actions of the ATO or the TPB.
1.27 We may also use the information to seek feedback from you or to conduct follow-up surveys to identify opportunities to improve the service we deliver. If you do not wish for your information to be used for this purpose, please let us know.
How can I access or correct my personal information held by the OIGTO?
1.28 Under APPs 12 and 13 of the Privacy Act, you have a right to request access to personal information we hold about you, and ask that we correct that information if there are any inaccuracies. The first step is to contact us. In many instances, we will be able to either provide you with access or correct any inaccuracies immediately without you needing to make any formal requests.
1.29 For more extensive requests, including for access to telephone call recordings, we may ask that you submit the request in writing so that we can process it appropriately.
1.30 You can also contact us if you need further advice about how best to request access or corrections to your personal information.
1.31 You also have the right under the Freedom of Information Act 1982 (FOI Act) to request access to documents that we hold and or request that the information we hold about you is changed or annotated, if it is incomplete, incorrect, out-of-date or misleading.
How do I complain about the handling of my personal information by the IGTO?
1.32 We take our privacy obligations seriously and have robust processes in place to protect your personal information. If you have any concerns about the manner in which we collect, hold or use your personal information, you have the right to lodge a complaint with us. We ask that such complaints be made in writing, setting out the reasons why you believe that we have not handled your personal information in an appropriate manner. This will assist us to fully investigate and address your concerns.
1.33 We will acknowledge your complaint within 7 days and investigate and resolve all complaints as soon as possible. Your complaint will be investigated by the Privacy Officer or another senior member of the team who has not been involved in your case and you will be advised of the outcome of the investigation in writing. Our decision will be explained with reference to the relevant APPs. The time this will take will depend on the nature of your complaint and the complexity of the issues raised. Where a matter is likely to take longer than 30 days to resolve, we will inform you of an estimated timeframe for resolution.
1.34 If you are dissatisfied with our response or the way we have handled your personal information complaint or a privacy breach, you may lodge a complaint with the Australian Information Commissioner. Details on how to lodge a complaint with the Australian Information Commissioner can be found at www.oaic.gov.au/privacy/privacy-complaints.
How to contact us
|Telephone:||1300 44 88 29 and ask to speak with the Privacy Officer|
National Relay Service:
Translating and Interpreting Service: 131 450 then ask for 1300 44 88 29.
Apart from the local call cost these are free services for you.
|Post:||GPO Box 551, Sydney NSW 2001|
|Facsimile:||02 8239 2100|
Part 2 – Records
2.1 There are ten (10) specific kinds of records that the OIGTO holds that may include personal information. These are:
a) complaint enquiry and complaint investigation records;
b) review investigation records;
c) miscellaneous contact records;
d) newsletter subscriptions;
e) freedom of information records;
f) voicemail records;
g) photographs and video recordings;
h) personnel records;
i) corporate administrative records including policy records; and
j) strategic agency liaison records.
2.2 These are discussed further below.
A. Complaint handling and investigation records
2.3 These records may contain:
- information such as your name and contact details, TFN or other confidential information related to your tax affairs or your business; and
- details of the complaints or enquiries you are lodging with us; and
- any documents that you have attached or provided to us in support of your complaint or enquiry.
2.4 Personal information described above is collected to enable us to decide whether your complaint is within the IGTO’s jurisdiction, whether there is a reason not to investigate the complaint, the agency about which the complaint is made, and how best to investigate the complaint. It also helps us decide if another body or person could assist you better to resolve your complaint. In some circumstances we may be able to transfer your complaint to the Commonwealth Ombudsman or refer it to another agency that may be better placed to assist you. If we transfer your complaint to another agency, we will not disclose any personal information to that agency unless we have your consent.
2.5 Following a complaint investigation, we will record additional personal information in your complaint investigation record including details of the actions taken by us in relation to your complaint, our findings, evidence and our views on your complaint.
2.6 Information contained in complaint records also assist the IGTO to inform review investigations which aim to improve tax administration for all taxpayers. It also helps to better target review investigations, request relevant information and produce informed reports to government.
2.7 The IGTO may, after conducting the review investigations, report on these matters publicly. However, in doing so, we will remove all individual names. Moreover, where it is necessary, the IGTO will not make any disclosures which would make the identity of the person obvious or lead to the discovery of their identity.
2.8 Personal information of the kinds described above may also be held in relation to someone other than the person who has made the complaint. Other people whose personal information may be held on these files include relatives or friends of the complainant, business associates, staff of other government agencies or staff of government service providers.
B. Review investigation records
2.9 The IGTO may commence a review investigation on her own initiative. This means that the IGTO may investigate or conduct a review into a tax administration issue of interest that relates to ATO or TPB administration without a specific complaint, or in relation to a group of similar complaints.
2.10 The kinds of personal information contained on these files may include information similar to those for complaint enquiry and investigation records (particularly where a taxpayer or tax practitioner draws on their own personal experiences in lodging a submission).
2.11 Other information that may be included on review investigation records include:
- submissions lodged with our office;
- names and contact details of the person lodging the submission;
- names of the professional or industry association involved in the submission;
- case study examples to illustrate issues raised in the submissions – these are typically presented in a redacted format so that the identity of the taxpayer is not disclosed.
2.12 The IGTO has broad powers to conduct own initiative investigations in a manner she determines to be most appropriate, and by obtaining information from a wide range of sources, including individual complaint and investigation records, ATO or TPB systems or through interviews with ATO or TPB officers (and former officers).
2.13 As with complaint enquiry and investigation records, information contained in review investigation records may be disclosed to the agency or agencies in relation to which the investigation or review is being conducted. However, the IGTO does not disclose the identity of any stakeholders who lodge a submission with our office unless they have expressly authorised such disclosure or otherwise made their submission public.
C. Miscellaneous contact records
2.14 The purpose of these records is to record details of approaches made to the OIGTO that do not constitute complaints for the purposes of the IGT Act. Such approaches may be from members of the public, officers of other Australian and foreign agencies, the media and academic researchers. For example, they may include requests from media outlets for the IGTO to make comment on particular issues being reported on.
D. Newsletter subscriptions
2.15 These records are collected directly from individuals subscribing to our newsletter. The limited personal information in these files includes a contact list composed of the name of the subscriber and their email address. In order to subscribe to the mailing list, the subscriber will need to actively confirm their subscription.
2.16 These records are used to send out periodic IGTO newsletters and other updates. The subscriber has the option to unsubscribe to stop receiving these communications from our office.
E. Freedom of Information (FOI) records
2.18 The purpose of these records is to capture all requests for information made to the OIGTO under the FOI Act. These files also record requests for internal review of our FOI decisions, as well as requests for annotation and/or amendment of records. We also record our interactions with the Office of the Australian Information Commissioner in respect of FOI complaints and Information Commissioner reviews.
2.19 Personal information on these records may relate to the person who has made the FOI request, complainants to the OIGTO (whether or not they are also the FOI applicant), our officers, officers of other Commonwealth, State and Territory agencies, and any other person whose personal information is contained in the record to which FOI access has been sought.
F. Voicemail records
2.20 Telephone calls to our 1300 44 88 29 number or, to or from our officers in relation to a complaint, are recorded and callers are informed of the recording. These records are registered on our phone system and case management system. They may include details of the caller’s name, address, telephone number and details of their complaints or other tax administration enquiries.
2.21 Telephone calls to our general line (02 8239 2111) are not recorded but where the caller leaves a message, a voicemail record is created. The personal information contained in these voicemail records may include the name of the caller, their address, telephone number and details of their general or media enquiries.
2.22 Depending on the subject matter of a recording the information contained in it will be placed onto other records either as an audio record or reduced to a written form (not necessarily an exact transcription), and be handled accordingly. For example, where a complainant calls our general line, a written record of that call or a copy of the voicemail record may be transferred to our case management system as a complaint record.
2.23 These records may also be used for training and quality assurance purposes.
G. Photograph and video records
2.24 These records are collected from video surveillance cameras installed at, and in the vicinity, of our offices. The records are used for the purpose of ensuring the safety and security of OIGTO officers and property.
H. Personnel records
2.25 The IGTO has duties and powers as an agency head under the Public Service Act 1999 and has other associated obligations including those arising under the Disability Discrimination Act 1992, the Sex Discrimination Act 1984, the Fair Work Act 2009, the Safety Rehabilitation and Compensation Act 1988, the Superannuation Act 2005, the Long Service Leave (Commonwealth Employees) Act 1976, the Maternity Leave (Commonwealth Employees) Act 1976 and the Work Health and Safety Act 2011. Personnel records are kept to enable the IGTO to carry out her functions, obligations and responsibilities for staff, employees and contractors.
2.26 Personnel records are maintained about all aspects of employment including; recruitment, employment history, payroll, leave, equal employment opportunity data, workplace relations, security clearances, performance, workplace health and safety, rehabilitation and compensation. These records are kept in relation to all permanent, contracted and temporary staff members/employees of the IGTO.
2.27 Access to personnel files is controlled on a ‘need to know’ basis.
2.28 Personal information is disclosed on a ‘need to know’ basis for the purposes of administering our payroll, and to travel providers under the ‘whole of government’ travel arrangements. In addition we are required to give personal information to various bodies including the Australian Public Service Employment Database, the Australian Government Security Vetting Agency, the ATO and Comcare.
I. Corporate administrative records including policy records
2.29 The purpose of administrative records, including policy records is to hold information relating to corporate functions, including office governance, financial management, procurement, legal services, privacy, ICT, public affairs and both physical and information security.
2.30 Such files may contain a range of personal information relating to complainants, contracted service providers, IGTO officers (and officers of other agencies) as well as members of the wider community. Such information is likely to be similar to the kinds described above regarding complaints investigations.
J. Strategic/agency liaison records
2.31 These records include information and activities relating to policy aspects of the OIGTO’s work, for example the development of directions, aids or systems to support our decision-making and the performance of statutory functions. Information on these records may also help us make contributions to policy debates across government.
2.32 Some of these files may include material relevant to closed or ongoing investigations or reviews (where it is related to, or may inform consideration of, a broader policy issue), and include personal information about complainants or agency staff.
2.33 These files may also contain interagency protocols or memoranda of understanding and details of interagency meetings including the names of attendees and their positions within agencies.
3.1 This part applies to your interactions with and through our website (www.igt.gov.au).
3.2 We are committed to the protection of your privacy in accordance with the Australian Information Commissioner’s Guidelines. These guidelines outline the requirements for transparent collection, appropriate and ethical use and secure storage of personal information. Our aim is to provide an online environment which will ensure the information you provide to us is handled in a secure, efficient and confidential manner.
3.3 When visiting our sites, a record of your visit is logged.
3.4 The following information is supplied by your browser (e.g., Chrome, Microsoft Edge, or Safari):
- the user's server address;
- the user's top level domain name (e.g., .com, .edu, .gov, .au, .uk etc);
- the date and time of the visit to the site;
- the pages accessed and the documents downloaded;
- the previous site visited; and
- the type of browser used.
3.5 This information is used for statistical purposes only. No attempt will be made to identify users or their browsing activities except in the unlikely event of an investigation, where a law enforcement agency (or other government agency) exercises a legal authority to inspect Internet Service Provider (ISP) logs (e.g., by valid warrant, subpoena or notice to produce).
3.7 When you e-mail us:
- we will record your e-mail address;
- we will only use your e-mail address for the purpose for which you provided it;
- it will not be added to a mailing list, unless provided by you specifically for that purpose;
- we will not use your e-mail address for any other purpose; and
- we will not disclose it without your consent or otherwise in accordance with the APPs.
3.8 When we email you, we will use the email address that was supplied to us by you unless you advise us that another mode of communication is preferred. As each email provider manages information differently, you may wish to consult the privacy policies of your email service provider to understand their practices.
3.9 You should be aware that there are inherent risks associated with the transmission of information via email.
3.10 We use email as a primary mode of communication with the ATO and the TPB. All email communications passing between our office and the ATO or TPB are sent through secured, encrypted channels.
3.11 In some cases, we may employ a protected email account to communicate with stakeholders. The use of these protected email accounts is limited and only available to senior executives of the OIGTO. They may be used where the subject-matter of the complaint or the enquiry contains highly sensitive information.
3.12 Our website does not generally provide facilities for the secure transmission of information across the Internet. The only exception to this is that users can submit complaints using our online complaint form which utilises end-to-end encryption.
Links to other sites
 Privacy Act 1988, Sch 1, APP 1.3, 1.4, 1.5.
 Inspector-General of Taxation Act 2003, s 37.
 See for example: Taxation Administration Act 1953, Sch 1, Div 355.
 Privacy Act 1988, s 6.
 Privacy Act 1988, s 6.
 Inspector-General of Taxation Act 2003, s 15.
 Privacy Act 1988, Sch 1, APP 3.3.
 Privacy Act 1988, s 16A.