Regulation of Tax File Numbers

Background to the enhanced TFN scheme

30.130 In May 1988, following the demise of the Australia Card scheme, the then Treasurer, the Hon Paul Keating MP, announced that the Australian Government intended to introduce an enhanced TFN scheme.[194] In 1988, legislation establishing such a scheme was passed.[195]

30.131 Before 1988, TFNs were simply numbers used by the ATO to match taxpayers’ returns to the ATO’s computer records.[196] No evidence of identity was required before a TFN was allocated to a taxpayer and there was no widespread use of TFNs by employers or employees.[197] The enhanced TFN scheme was designed to reduce tax evasion by improving the ATO’s ability to match information received from certain sources, such as financial institutions and employers, to individual tax returns.[198]

30.132 At the time the TFN scheme was introduced there were concerns that it would become a ‘de facto national identification scheme’,[199] and the legislation introducing the scheme contained provisions to safeguard against this. For example, it contained a provision making it an offence to require or request a TFN (including the TFN of entities other than natural persons) in unauthorised circumstances.[200] In addition, the Privacy Act, which was passed around the same time as the legislation introducing the enhanced TFN scheme, contained provisions designed to protect the privacy of individuals under the new TFN scheme.

30.133 The TFN scheme has been expanded since it was introduced in 1988. For example, since 1991 individuals have been required to provide their TFNs in order to obtain any federal income support.[201] One commentator has stated that function creep in the TFN scheme demonstrates ‘how privacy promises made in law can be lost over a very short period of time’.[202]

Overview of TFN regulation

Legislation

30.134 The handling of TFNs is regulated under various federal Acts. For example, Part VA of the Income Tax Assessment Act 1936 (Cth) includes provisions allowing the Commissioner of Taxation to supply correct TFNs to financial institutions if a person has quoted an incorrect TFN. The Taxation Administration Act 1953 (Cth) prohibits requirements that TFNs are to be quoted or recorded.[203] Other pieces of legislation regulating TFNs include the Superannuation Industry (Supervision) Act 1993 (Cth), Income Tax (Deferred Interest Securities) (Tax File Number Withholding Tax) Act 1991 (Cth), and the Social Security Act 1991 (Cth).

30.135 The Data-matching Program (Assistance and Tax) Act 1990 (Cth), and guidelines issued under that Act,[204] regulate data-matching using TFNs. Data-matching involves bringing together data from different sources and comparing them. Much of the data-matching done by Australian Government agencies subject to the Privacy Act is to identify people for further action or investigation for overpayment or fraud.[205]

Tax File Number Guidelines

30.136 Section 17 of the Privacy Act enables the Privacy Commissioner to issue legally binding guidelines concerning the collection, storage, use and security of ‘tax file number information’.[206] ‘Tax file number information’ is defined as ‘information … that records the tax file number of a person in a manner connecting it with the person’s identity’.[207] The Privacy Commissioner’s guidelines are binding on all ‘file number recipients’[208]—namely, people who are ‘in possession or control of a record that contains tax file number information’.[209]

30.137 The Privacy Commissioner published Tax File Number Guidelines (TFN Guidelines) in 1992.[210] These Guidelines provide that the TFN scheme is not to be used as a national identification scheme.[211] In no situation is it mandatory for an individual to disclose his or her TFN, although non-disclosure in certain situations may have adverse financial consequences. For example, if an individual chooses not to quote his or her TFN when commencing employment, he or she will be taxed at the maximum applicable tax rate.[212] TFNs can be collected only by certain persons and organisations[213] and must not be used to establish or confirm an individual’s identity for a purpose not authorised by taxation, assistance agency or superannuation law.[214] In addition, TFNs are not to be used to match personal information about an individual except as authorised by taxation, assistance agency or superannuation law.[215]

Fragmentation of regulation

30.138 In IP 31, the ALRC asked whether federal legislation relating to the handling of TFNs and data-matching should be consolidated in the Privacy Act.[216] In DP 72, the ALRC expressed the view that there was no compelling reason to consolidate the federal legislation relating to the handling of TFNs and data-matching of TFNs. The ALRC agreed with the OPC that the consolidation in the Privacy Act of the various TFN provisions and offences would not be a ‘comfortable fit’.[217]

30.139 This issue was not the subject of submissions and consultations in response to DP 72. In the ALRC’s view, the current regulation of TFNs is appropriate.

Effectiveness of current regulation

30.140 In IP 31, the ALRC asked whether the schemes that regulate TFNs remain effective.[218] The Australian Privacy Foundation submitted that there had been developments in data-matching and identity management technology since the introduction of the TFN Guidelines in 1992. There had also been function creep in the TFN scheme.[219] Some stakeholders expressed concern about the burden of compliance associated with TFN regulation.[220]

30.141 In DP 72, the ALRC proposed that the TFN Guidelines should be subject to a review by the OPC. The ALRC agreed with the OPC that such a review would ‘be consistent with good regulatory practice, which holds that regulatory instruments be reviewed at intervals of no more than 10 years’.[221]

Submissions and consultations

30.142 Support for this proposal was widespread.[222] For example, the Investment and Financial Services Association submitted that such a review was necessary because of ‘substantial changes in technology and the processes which industry members use when managing documents containing TFNs’.[223]

30.143 The OPC suggested that the proposed review would provide an opportunity to consult with stakeholders on ways to improve the guidelines.[224] Several stakeholders expressed their willingness to be involved in the review process.[225]

ALRC’s view

30.144 The TFN Guidelines should be subject to a review by the OPC. Such a review could be conducted in consultation with the ATO and other relevant stakeholders, and could consider any relevant developments in technology since the introduction of the TFN Guidelines, and the regulatory burden imposed by current TFN regulation. Any consideration of the compliance burden must be balanced against the policy reasons underpinning the privacy protections afforded to TFNs.

30.145 Further, as discussed in Chapter 47, the TFN Guidelines should be renamed the TFN Rules to reflect that the guidelines are binding and that a breach constitutes an interference with privacy under s 13 of the Privacy Act.[226]

Recommendation 30-7 The Office of the Privacy Commissioner, in consultation with the Australian Taxation Office and other relevant stakeholders, should review the Tax File Number Guidelines issued under s 17 of the Privacy Act.

[194] P Keating (Treasurer), Reform of the Australian Taxation System: Statement by the Treasurer The Hon Paul Keating, 1 September 1985.

[195] Taxation Laws Amendment (Tax File Numbers) Act 1988 (Cth).

[196] Parliament of Australia—Joint Select Committee on an Australia Card, Report of the Joint Select Committee on an Australia Card (1986), [4.8].

[197] Ibid, [4.8].

[198] Commonwealth, Parliamentary Debates, House of Representatives, 1 September 1988, 858 (P Keating—Treasurer).

[199] Parliament of Australia—Senate Standing Committee on Legal and Constitutional Affairs, Feasibility of a National ID Scheme; The Tax File Number (1988), Ch 10.

[200] Taxation Administration Act 1953 (Cth) s 8WA. Section 8WB of the Taxation Administration Act 1953 (Cth) makes it an offence to record, use or disclose a person’s TFN in unauthorised circumstances.

[201] Office of the Federal Privacy Commissioner, Submission to the House of Representatives Standing Committee on Economics, Finance and Public Administration Review of the ANAO Audit Report No. 37 1998–99 on the Management of Tax File Numbers, 1 November 1999, Attachment E.

[202] M Crompton, ‘Proof of ID Required? Getting Identity Management Right’ (Paper presented at Australian IT Security Forum, 30 March 2004), 13.

[203] Subject to exceptions: Taxation Administration Act 1953 (Cth) pt III div 2 subdiv BA.

[204] Office of the Federal Privacy Commissioner, Schedule—Data-matching Program (Assistance and Tax) Guidelines (1997). These Guidelines replaced the Guidelines originally set down in sch 2 to the Privacy Act 1988 (Cth).

[205] Office of the Privacy Commissioner, Data-Matching <www.privacy.gov.au/act/datamatching> at 1 May 2008. Data-matching is also discussed in Chs 9 and 10.

[206] Interim guidelines set out in sch 2 of the Privacy Act applied until the Privacy Commissioner’s guidelines issued under s 17 took effect: Privacy Act 1988 (Cth) s 17(4).

[207] Ibid s 6.

[208] Ibid s 18.

[209] Ibid s 11.

[210] Office of the Federal Privacy Commissioner, Tax File Number Guidelines (1992).

[211] Ibid, 1.1.

[212] M Crompton, ‘Proof of ID Required? Getting Identity Management Right’ (Paper presented at Australian IT Security Forum, 30 March 2004), 12.

[213] The Privacy Commissioner and the former Insurance and Superannuation Commissioner (now the Australian Prudential Regulation Authority (APRA)) have compiled a list of ‘Classes of Lawful Tax File Number Recipients’: see Office of the Federal Privacy Commissioner, Tax File Number Guidelines (1992).

[214] Ibid, [2.1], [5.1].

[215] Ibid, [2.3].

[216] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 7–6(g).

[217] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[218] Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 12–2.

[219] See, eg, Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[220] Mortgage and Finance Association of Australia, Submission PR 231, 9 March 2007; Link Market Service, Submission PR 2, 24 February 2006.

[221] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[222] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Investment and Financial Services Association, Submission PR 538, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[223] Investment and Financial Services Association, Submission PR 538, 21 December 2007.

[224] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[225] Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Investment and Financial Services Association, Submission PR 538, 21 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007.

[226] Privacy Act 1988 (Cth) s 13(b). See Rec 47–2.