Last updated February 2024
- How we collect personal information
- How we hold personal information
- Information we collect, hold, and use
- Information we use and disclose
- How you can access, or correct personal information held about you
- Making a FOI request under the FOI Act
- Enquire or complain about a suspected breach
myGovID is the Australian Government’s Identity Service Provider. The ATO delivers and administers the myGovID system as a secure digital environment for individuals to establish and verify their identity for authenticated access to participating online services.
The ATO complies with the requirements of the Privacy Act 1988 (Privacy Act). The act incorporates both:
- the Australian Privacy Principles (APPs), and
- the Australian Government Agencies Privacy Code (APP Agency Code).
The myGovID service is accredited by the Trusted Digital Identity Framework about the information it manages when you use the myGovID system.
You can find out more information about privacy rights and responsibilities at the website of the Office of the Australian Information Commissioner.
- our collection, storage, access to, use and disclosure of personal and sensitive information
- your rights to access and correct information we hold about you
- how you can make a complaint if you feel your privacy has been interfered with or if you feel we have breached an APP or the APP Code.
How we collect personal information
We collect personal information, in accordance with APP 3 – collection of solicited personal information:
- directly from you
- indirectly from you
- from third parties.
This information is collected for the purpose of:
- providing myGovID digital identity services to you
- monitoring and improving the security and performance of the myGovID system.
Directly from you
We will collect personal information directly from you when you use the myGovID system to:
- register and create an account for your myGovID
- increase the identity strength associated with your myGovID account
- update your personal information on your myGovID account.
If you do not consent to share your personal information, you will not be able to verify your identity to create a myGovID account.
If you cannot create a myGovID account, alternative options will be available from the service you are attempting to access from the appropriate agency.
Indirectly from you
We collect information about your device and system interactions:
- when you access the myGovID service to manage your account or update your details
- to monitor myGovID application use and system performance
- when we investigate and verify the operation of the myGovID service/ app and system.
From third parties
We collect your personal information from Commonwealth and state government authorities to verify and validate the identity documents you provide to create your myGovID account, authenticate or increase your identity strength level.
For example, we will verify:
- Australian Passport or travel documents with the Department of Foreign Affairs and Trade
- Driver’s licences with the state or territory roads and traffic authority that issued the document
- Medicare cards with Services Australia
How we hold personal information
We protect your personal information held for the myGovID system against loss, inference, misuse; or unauthorised access, modification or disclosure.
We use a range of physical and technological controls to ensure that your personal information is only accessed by staff who need it.
We apply industry-best security methods to protect the personal information we hold, including:
- information technology and physical security audits
- penetration testing
- industry best practice risk management
- system security technologies
Your personal information collected for the purpose of myGovID will be stored separately from other records the ATO holds and securely in Australia.
We will retain records of information associated with your myGovID while your registration remains active.
The personal information we collect about you will, in almost all cases, be treated as a Commonwealth record. We are bound by the Archives Act 1983 to retain Commonwealth records until we can lawfully dispose of them.
Information we collect, hold, and use
We collect personal information about you for the purpose of administration of the myGovID system.
Personal information is information that identifies you or is reasonably capable of identifying you.
The types of personal information collected by myGovID is:
- your name
- date of birth
- contact details, including email address and phone number
- details contained in Australian Government issued identity documents, such as, but not limited to:
- the type of document
- document issuer
- document numbers
- effective dates
- photographic images of you
- biometric images of your face (see Biometric matching for further details).
Personal information may also include information about the myGovID service:
- information about services you have accessed or attempted to access
- information on the method of access
- the date and time your identity was verified
When we have validated your identity documents, we will keep a record of:
- the document type used
- the information that was verified
- your consent
- the result of the document verification outcome.
When personal and sensitive information is collected as part of the operations of myGovID system, it will be managed and destroyed in accordance with the law.
We collect personal information about your myGovID system use to;
- confirm your identity
- compile statistics and reports to enhance our systems and services
- identify and respond to issues that indicate authentication integrity risks
- analyse, detect, manage and investigate fraudulent activity which may lead to criminal prosecution.
Personal information also collected about your myGovID system use that will be logged includes:
- information about your device and browser, such as your operating system and user session
- your internet provider number (IP address)
- the date and time of your use of the authentication service
- successful and unsuccessful attempts at authenticating.
We may share this information with other Digital Identity system (the System) participants, if we are authorised or required to by l
Biometric verification or identification
Verifying your photo is optional, it can help protect your identity, and when used to set up a Strong myGovID, it allows you to access more services online.
We use the Face Verification Service to electronically compare your personal information and facial image against a specific government record to verify your identity.
For example, to verify your identity in the myGovID app using your Australian passport, we electronically compare the facial image and personal information from the Australian passport you provided with your passport records held by the Department of Foreign Affairs and Trade.
The Face Verification Service can measure the biometric information for your facial image by using measurements or calculations about your physical appearance.
To verify your photo, you need to take a photo of yourself (a selfie) in the myGovID app. The technology scans your face while taking the photo. This one-off process checks that you’re:
- a real person – the technology checks for impersonation attempts, for example wearing masks
- the right person – it compares your image to the photograph on your passport
- verifying in real-time – that you’re present and taking the photo, for example check that a video isn't being scanned.
Biometric images and photographs disclosed to third party providers as part of the verification process are destroyed within 14 days.
Biometric images and photographs are collected as part of the operations of the myGovID system and will be managed and destroyed in accordance with the Archives Act 1983 Cth.
If you use your fingerprint or facial image as a secure login method on your device, this biometric function is restricted to the device itself which uses that technology to access your apps and personal information stored on your device. We do not collect or store your fingerprints or facial images used to access your device during myGovID registration or authentication processes.
We will only collect biometric information with your consent.
We may de-identify your personal information, to compile reports and analyse statistical data related to using the myGovID system. We will use this data to understand use across the community and to enhance the myGovID service, but no individual will be reasonably identifiable.
Information we use and disclose
We use and disclose your personal information in accordance with APP 6 – Use or disclosure of personal information.
We will use and disclose your personal information for the purpose of verifying, validating or authenticating your identity and to ensure the operational function of the myGovID service.
This may include disclosures of your personal information to other Digital Identity System participants such as:
- the Digital Transformation Agency Department of Finance in their capacity as the System Oversight Authority
- Services Australia in their capacity as the System Interim Oversight Authority.
We will not disclose your personal information without your consent with:
- third parties including the document issuer
- the identity exchange
- the online services you attempt to access.
When you do consent, the information is disclosed for the purposes of:
- verifying your identity documents
- authenticating your identity
- confirming the outcome of any authentication attempts.
Your personal information will be stored securely in Australia.
If you do not provide or share your personal information, you will be unable to create a myGovID account or achieve the necessary identity strength required to access some services.
If you will not or cannot verify your identity by creating a myGovID account, alternative options will be available from the agency or service you are attempting to access.
We provide personal information to our contracted service providers, such as our telecommunications and cloud service partners, to enable us to provide the myGovID services.
We will not use or disclose your personal information for any other purpose unless:
- you have consented, or
- we are required or authorised to do so under an Australian law (such as to an enforcement body for enforcement related activities) or a court/tribunal order.
You can delete or uninstall the myGovID app from your device, however this will not delete your myGovID account. If you no longer consent to your digital identity being used, you can contact the myGovID support line to discuss other options that are available.
You can withdraw your consent for the use of myGovID at anytime; however, some personal information may be retained as required by the Archives Act 1983. By withdrawing your consent, you will no longer be able to use myGovID to access participating online services.
We will not disclose personal information to overseas recipients or use or disclose personal information for the purpose of direct marketing.
How you can access or correct personal information held about you
You can access and correct personal information we hold about you, through your myGovID account or by asking us.
We will take reasonable steps to correct personal information that we hold about you when you ask us to, having regard to the purpose of why we hold it. We take reasonable steps to ensure the information we hold is accurate, up to date, complete, relevant and not misleading.
If you are unable to access and correct your personal information via myGovID or by contacting us, you can lodge a request under Australian Privacy Principle (APP) 12 or the Freedom of Information Act 1982 (FOI Act).
Access to personal information – Australian Privacy Principle 12
You have a right to request access to your own personal information under APP 12.
We will respond to your request for access to your personal information within 30 days.
We will not charge you for making a request or for giving you access to your own personal information.
However, if the FOI Act or any other Commonwealth Act requires or authorises us to refuse access to your request, we do not have to give you access to the personal information under APP 12.
In circumstances where we refuse to provide you with access to your own personal information, we will give you a written notice that sets out the reasons for the refusal (unless unreasonable to do so).
We will advise you how to make a complaint about a refusal.
Correction of personal information – Australian Privacy Principle 13
You have a right to request correction of your personal information under APP 13.
We will respond to an amendment request within 30 days.
We will not charge you for making an amendment request or for correcting personal information about you.
We will take reasonable steps to correct personal information that we hold about you, having regard to the purpose for why we hold it, to ensure it is accurate, up to date, complete, relevant, and not misleading.
If we refuse your correction request, we will give you a written notice that sets out the reasons for the refusal, except when it’s unreasonable to do so.
We will advise you how to make a complaint about a refusal.
Making a request under the FOI Act
You can make a Freedom of Information (FOI) request where you cannot access your personal information in the ways listed above.
The FOI Act gives you the right to:
- access copies of documents (apart from exempt documents) held by us
- ask for information about you to be amended or annotated if it is incomplete, out of date, incorrect, or misleading
- seek a review of our FOI decision not to allow you access to a document or not to amend your personal record (this review can be done by us or by the Information Commissioner.
A FOI request must:
- be in writing
- state that the request is an application for the purposes of the FOI Act
- provide such information concerning the document requested as is reasonably necessary to enable a taxation officer to identify it
- provide details of how notices under the FOI Act may be sent to you (for example, by providing an email or postal address for correspondence).
You can send your request to us:
- by email at FOI@ato.gov.au
- with your name and the words FOI REQUEST in the subject line.
- using the FOI application form available on ato.gov.au.
For more information about FOI requests please see accessing information under the FOI Act.
Enquire or complain about a suspected breach
If you have a general question about privacy or wish to report a possible breach of your privacy, you can call our Privacy Hotline on 1300 661 542 and speak to a taxation officer.
If the officer is not available to speak with you, leave a message and an ATO officer will contact you to respond to your question or to get more information.
If you are not satisfied with how we have collected, held, used or disclosed your personal information, or another matter in relation to the APPs or the Australian Government Agencies Privacy Code 2017, you can make a formal complaint.
You can lodge a complaint by:
- using the online complaints form available on the ATO website
- phoning the complaints hotline on 1800 199 010 and clearly state your complaint is about myGovID and your privacy
- phoning the National Relay Service on 13 36 77 (if you have a hearing, speech, or communication impairment)
- phoning the Translating and Interpreting Service (for people of non-English speaking backgrounds) on 13 14 50
- sending us a fax on 1800 060 063
- writing to:
PO Box 1271
ALBURY NSW 2640
We treat complaints seriously and try to resolve them fairly and quickly.
If you make a complaint, we aim to contact you within three working days. We will work with you to resolve your complaint and keep you informed of its progress.
If you are not satisfied with how we deal with your complaint, the Privacy Commissioner at the Office of the Australian Information Commissioner may be able to help you.
Visit the Office of the Australian Information Commissioner website for more information, or phone 1300 363 992.