The purpose of this privacy policy is to explain how the Australian Taxation Office (ATO) handles your personal information to operate the myGovID system, according to the Australian Privacy Principles in the Privacy Act.
About this privacy policy
myGovID is the Australian Government’s Identity Service Provider. The ATO delivers the myGovID system as a secure digital environment for individuals to establish and verify their identity for authenticated access to participating agencies’ online services.
The ATO complies with the requirements of the Privacy Act 1988External link (Privacy Act). The act incorporates both:
- the Australian Privacy Principles (APPs)External link, and
- the Australian Government Agencies Privacy Code.
The myGovID service is also subject to the Trusted Digital Identity FrameworkExternal link about the information it manages when you use the myGovID system.
You can find out more information about privacy rights and responsibilities at the website of the Office of the Australian Information CommissionerExternal link.
This privacy policy deals with:
- our collection, storage, access to, use and disclosure of personal information
- your rights to access and correct information we hold about you
- how you can make a complaint if you feel your privacy has been interfered with.
This privacy policy is available at no cost. If you need access to this policy in an alternative format, contact us by email at digitalidentity@ato.gov.au.
We review this privacy policy from time to time to keep it up to date. Check this policy periodically for changes.
How we collect personal information
We collect personal information, in accordance with APP 3 – collection of solicited personal information:
- directly from you
- indirectly from you
- from third parties.
We collect your personal information only when it is necessary for, or directly related to, our functions and activities, including:
- providing myGovID digital identity services to you
- monitoring the security and performance of the myGovID system.
We will only collect sensitive information with your consent.
Directly from you
We will collect personal information directly from you when you use the myGovID service to:
- register for your myGovID
- increase the identity strength associated with your myGovID account
- update your personal information.
If you do not consent to provide or share your personal information, you will not be able to create a myGovID account.
If you will not or cannot verify your identity by creating a myGovID account, alternative options will be available from the agency or service you are attempting to access.
Indirectly from you
We will record information about your device and system interactions when you use the myGovID service to:
- manage your myGovID account
- monitor application use and system performance
- investigate and verify the operation of the myGovID system.
From third parties
We collect your personal information from federal and state government authorities to verify and validate the identity documents you provide to register your myGovID account or increase your identity strength level.
For example, we will verify:
- Australian Passport or travel documents with the Department of Foreign Affairs and Trade
- Driver’s licences with the state or territory roads and traffic authority that issued the document
- Medicare cards with Services Australia
How we hold personal information
We protect your personal information held for the myGovID system against loss, unauthorised access, use modification or disclosure and other misuse.
We use a range of physical and technological controls to ensure that only staff who need to access your personal information perform the task.
We apply industry-best security methods to protect the personal information we hold, including:
- information technology and physical security audits
- penetration testing
- industry best practice risk management
- system security technologies
To protect the confidentiality of your personal information, the personal information used to create, verify, authenticate and manage your myGovID account is stored separately from other records the ATO holds about you, such as your tax records.
Your personal information will be stored securely in Australia.
We will retain records of information associated with your myGovID while your registration remains active.
The personal information we receive about you will, in almost all cases, be treated as a Commonwealth record. We are bound by the Archives Act 1983 to retain Commonwealth records until we can lawfully dispose of them.
Information we collect, hold, and use
Personal information
We collect and verify your personal information when you use the myGovID system, including when you choose to:
- register for myGovID
- increase the identity strength associated with your myGovID account
- update your personal information.
Personal information is information that identifies you or is reasonably capable of identifying you.
Depending on how you use the myGovID system, this may include:
- your name
- date of birth
- address
- contact details, including email address and phone number
- details contained in Australian Government issued identity documents, such as, but not limited to:
- the type of document
- document issuer
- document numbers
- effective dates
- photographic images of you
- signatures
- biometric images of your face (see Biometric matching for further details).
When we have validated your identity documents, we will keep a record of:
- the document type used
- the information that was verified
- your consent
- the result of the document verification outcome.
When personal and sensitive information is collected as part of the operations of myGovID system and will be managed and destroyed in accordance with the law.
We also collect personal information about your system use to:
- confirm your identity
- compile statistics and reports to enhance our systems and services
- identify and respond to issues that indicate authentication integrity risks
- detect, manage and investigate fraudulent activity which may lead to criminal prosecution.
Personal information about your system use that will be logged includes:
- information about your device and browser, such as your operating system and user session
- your internet provider number (IP address)
- the date and time of your use of the authentication service
- successful and unsuccessful attempts at authenticating.
We may share this information with other Digital Identity systemExternal link (the System) participants, if we are authorised or required to by law.
Biometric matching
Biometric matching refers to the use of a Face Verification Service to electronically compare your personal information and facial image against a specific government record to verify your identity. We need your consent to do this.
For example, to verify your identity in the myGovID app using your Australian passport, we electronically compare the facial image and personal information from the Australian passport you provided with your passport records held by the Department of Foreign Affairs and Trade.
The Face Verification Service can measure the biometric information for your facial image. This means measurements or calculations about your physical appearance.
Biometric images and photographs disclosed to third party providers as part of the verification process are destroyed within 14 days.
Biometric images and photographs are collected as part of the operations of the myGovID system and will be managed and destroyed in accordance with the law.
If you use your fingerprint or facial image as a secure login method on your device, this biometric function is restricted to the device used to access your apps and personal information stored on your device. We do not record or store your fingerprints or facial images used to access your device during registration or authentication processes.
Unidentified information
We may de-identify your personal information, to compile reports and analyse statistical data related to using the myGovID system. We will use this data to understand use across the community and to enhance the myGovID service, but no individual will be reasonably identifiable.
Information we use and disclose
We hold, use and disclose your personal information in accordance with APP 6 – Use or disclosure of personal information.
We will use and disclose your personal information for the purpose of verifying, validating or authenticating your identity and ensure the operation of the myGovID service.
This may include disclosures to other Digital Identity system participants such as:
- the Digital Transformation Agency in their capacity as the System Oversight Authority
- Services Australia in their capacity as the System Interim Oversight Authority
We will not share your personal information without your consent with:
- third parties including the document issuer
- the identity exchange
- the online services you attempt to access.
When you consent, the information is shared for the purpose of:
- verifying your identity documents
- authenticating your identity
- confirming the outcome of any authentication attempts.
Your personal information will be stored securely in Australia.
If you do not provide or share your personal information, you will be unable to create a myGovID account.
If you will not or cannot verify your identity by creating a myGovID account, alternative options will be available from the agency or service you are attempting to access.
We also share personal information with our contracted service providers, such as our telecommunications and cloud service partners, to the extent that is necessary to provide you with myGovID services.
We will not use or disclose your personal information for any other purpose unless:
- you have consented, or
- we are required or authorised to do so under an Australian law or a court/tribunal order.
We will not disclose personal information to overseas recipients. We will not use or disclose personal information for direct marketing.
How you can access or correct personal information held about you
You can access and update certain information we hold about you, through your myGovID account or by asking us.
We will take reasonable steps to correct personal information that we hold about you when you ask us to. We want to ensure the information we hold is accurate, up to date, complete, relevant and not misleading.
If you are unable to access personal information about yourself via myGovID or from us, you can lodge a request for those documents under Australian Privacy Principle (APP) 12 or the Freedom of Information Act 1982 (FOI Act).
We will respond to a request within 30 days.
If we refuse your request to correct or amend your information, we will give you a written notice that sets out the reasons for the refusal, unless it is unreasonable to do so.
We will advise you how to complain about a refusal.
We will not charge you for making an amendment request or for correcting personal information about you.
Making a request under the FOI Act
The FOI Act gives you the right to:
- access copies of documents (apart from exempt documents) held by us
- ask for information about you to be amended or annotated if it is incomplete, out of date, incorrect, or misleading
- seek a review of our decision not to allow you access to a document or not to amend your personal record (this review can be done by us or by the Information CommissionerExternal link).
A FOI request must:
- be in writing
- state that the request is an application for the purposes of the FOI Act
- provide such information concerning the document requested as is reasonably necessary to enable a taxation officer to identify it
- provide details of how notices under the FOI Act may be sent to you (for example, by providing an email or postal address for correspondence).
You can send your request to us:
- by email at FOI@ato.gov.au
- with your name and the words FOI REQUEST in the subject line.
- using the FOI application formExternal link available on ato.gov.au.
We prefer email but you can also send your FOI request to the postal address of our central or regional offices as given in a current telephone directory, clearly marked FOI REQUEST on the envelope and on the enclosed request.
For more information about FOI requests please see accessing information under the FOI ActExternal link.
Source – https://www.mygovid.gov.au/mygovid-privacy-policy#Biometricmatching