Version - May 2019
myGovID is the Commonwealth government’s Identity Service Provider. The Australian Taxation Office (ATO) provides the myGovID system as a secure digital environment for individuals to establish and verify their identity for authenticated access to participating agencies’ online services.
The ATO is subject to the Privacy Act 1988 (Privacy Act), incorporating the Australian Privacy Principles (APPs), and the Trusted Digital Identity Framework in respect of personal information it collects and holds about you when you use the myGovID system. More information about Privacy rights and responsibilities is available from the Office of the Australian Information Commissioner.
This policy explains our responsibilities, the information we collect and how we use it, your rights to access and correct information we hold about you and how you can enquire or make a complaint if you feel your privacy has been breached.
Authority to collect and use your personal information
We collect your personal information in accordance with APP 3 – Collection of solicited personal information. We only collect information that is reasonably necessary for, or directly related to, our functions and activities. We only collect sensitive information with your consent.
We will notify you where we collect information from another Federal or State government agency, and where we would usually disclose information to another Federal or State government agency, in accordance with APP 5 – notification of the collection of personal information. This includes information that is necessary to validate and verify your identity for the purpose of providing an authentication credential.
We hold, use and disclose your personal information in accordance with APP 6 – Use or disclosure of personal information. We will use and disclose personal information for the primary purpose of verifying, validating or authenticating your identity and to ensure the operation of the myGovID service. We will not use personal information for any other purpose unless an exception applies in accordance with APP 6. We will not use or disclose personal information for the purpose of direct marketing.
Collection, storage, use and disclosure of information
To create your digital identity, we will collect and verify your personal information when you choose to:
- register for myGovID
- increase the identity proofing level associated with your myGovID account
- update your personal information.
Your personal information is information that identifies you, including:
- your name
- date of birth
- email address
- details from Australian Federal and State Government issued identity documents such as, but not limited to, the type of document, document issuer, document numbers, effective dates, photographic images
- biometric images of your face.
We collect your personal information to:
- verify your identity and validate your details with the government authorities that have issued your identity documents, for example:
- passport or travel documents records – Department of Foreign Affairs and Trade
- driver licence – the state or territory roads and traffic authority that issued your licence
- medicare card – Department of Human Services
- create and manage your myGovID account
- investigate and verify the operation of the myGovID system.
We will not use or disclose your personal information for any other purpose unless you have consented or we are required or authorised to do so under an Australian Law or a court/ tribunal order.
Biometric matching refers to the use of a Face Matching Service, with your consent, to electronically compare your personal information and facial image against a specific government record to verify your identity. For example, if you choose to use your Australian passport or travel document to build your digital identity in the MyGovID App, the facial image and personal information you provide will be electronically compared with your Australian passport photo and records held by the Department of Foreign Affairs and Trade, to establish your identity. The Face Matching Service can measure the biometric information related to your facial image, meaning measurements or calculations related to your physical appearance.
Biometric images and photographs used to verify your identity are immediately destroyed once your myGovID credential is created. Using your fingerprint or facial image as a secure login method on your device is optional. This biometric function is restricted to device use to access your apps and personal information stored on your device. We do not record or store your fingerprints or facial images used to access your device during registration or authentication processes.
We will not share your personal information with third parties including the document issuer, the identity exchange and the online services you attempt to access, without your consent. When you consent, the information is shared for the purpose of verifying the validity of your identity documents, authenticating your identity and confirming the outcome of any authentication attempts. Your personal information will be stored securely in Australia.
If you choose not to provide or share your personal information, you will not be able to create a myGovID account. If you choose not to, or are unable to, verify your identity by creating a myGovID account, alternative options will be available from the agency and/or service you are attempting to access.
We record information about your device, browser, user session (including your IP address), the authentication information you provided, and authentication attempts (successful and unsuccessful).
We may use this information to:
- confirm your identity
- compile statistics and reports to enhance our systems and services
- identify and respond to issues that may indicate authentication integrity is at risk
- detect, investigate, and prosecute criminal offences.
We may share this information with GovPass MOU Participants.
We may use unidentified information such as age and gender to compile reports and analyse statistical data related to the use of myGovID. We will use this data to understand use across the community and to enhance the myGovID service.
When information which identifies an individual is altered or removed from data, the remaining information is considered unidentified. The identity of the individual is protected because the data can no longer be used for the purpose of identifying the individual.
How we hold personal information
We protect your personal information against loss, unauthorised access, use, modification or disclosure and other misuse. We use a range of physical and technological controls to ensure that only staff who need access to your personal information are able to access it.
We apply industry-best security methods, including information technology and physical security audits, penetration testing and industry best practice risk management and system security technologies to protect the personal information we hold.
Personal information used to create, verify, authenticate and manage your myGovID account is stored separately from other records the ATO holds to protect the confidentiality of your personal information.
- retain records of information associated with your myGovID while your registration remains active
- retain or destroy records we hold in accordance with the Archives Act 1983.
Accessing or correcting personal information held about you
Access to or correction of the personal information we hold about you may be permitted in accordance with the Privacy Act 1988 and the Freedom of Information Act 1982 (FOI Act).
We will take reasonable steps to correct personal information that we hold about you in circumstances where you request us to correct the information, and also to ensure that, having regard to the purpose for which the information is held, it is accurate, up to date, complete, relevant and not misleading.
You can also access certain information we hold about you, through your myGovID account profile, or by asking us. If you are unable to access personal information about you in these ways, you can make a request under the FOI Act.
If we refuse access to or correction of your personal information we hold about you, you can:
- seek a review of our decision or appeal our decision under the FOI Act
- make a statement about the requested changes and we will attach this to the record.
Enquire or complain about a suspected breach of the Australian Privacy Principles
If you have a general inquiry or a complaint about your privacy, you may contact us using the following options:
- Online form
- Privacy hotline: phone 1300 661 542
- Your call will be directed to a privacy officer. Please leave a message if your call is not immediately answered and someone will contact you to discuss your question or obtain further information.
- If you have a hearing, speech or communication impairment, use the National Relay Service on 13 36 77
- Writing to:
- ATO Complaints
PO Box 1271
ALBURY NSW 2640
- ATO Complaints
We aim to contact you within three working days of receiving your privacy complaint and resolve most complaints within 30 business days of lodgment. We will work closely with you to resolve your complaint and keep you informed of its progress.
If you are dissatisfied with how we address your privacy complaint, or the outcome, you can refer your complaint to the Office of the Australian Information Commissioner.
Making a request under the FOI Act
The FOI Act gives you the right to request access to copies of documents (apart from exempt documents) held by us, and ask for information concerning you to be amended or annotated if it is incomplete, out of date, incorrect, or misleading. You may also seek a review of our decision not to allow you access to a document or not to amend your personal record.
We may need to establish your identity when correcting or amending your personal information or when providing access to copies of documents.
An FOI request must:
- be in writing
- state that the request is an application for the purposes of the FOI Act
- provide such information concerning the document requested as is reasonably necessary to enable a taxation officer to identify it
- provide details of how notices under the FOI Act may be sent to you (for example, by providing an email address for correspondence).
You can send your request to us by email, using the words FOI REQUEST in the subject line to FOI [at] ato.gov.au, or by sending your FOI request to the postal address of our central or regional offices as given in a current telephone directory, clearly marked FOI Request on the envelope and on the enclosed request. You can choose to use the FOI application form available on the ATO website.
There is no application fee for making a FOI request or for seeking access documents which only contain your personal information. There may be charges, fees or costs applied to provide access or copies of documents which contain information other than your personal information. We will notify you of any proposed charges, fees or costs before processing your request.
When we receive your request, we will notify you within 14 days that we have received it. In most circumstances, we will notify you of our decision to provide access to copies of documents within 30 calendar days or discuss an extension of time to respond to your request.
Your rights and responsibilities and advice about Freedom of information is available from the Office of the Australian Information Commissioner.