Description: Commonwealth Coat of Arms

 

 

Data-matching Program (Assistance and Tax) Rules 2021

 

  1. Under section 12(2) of the Data-matching Program (Assistance and Tax)
    Act 1990 (Cth), I issue the attached Rules.
  2. These Rules will repeal the Data-Matching Program (Assistance and Tax) Act 1990 - Guidelines issued on 31 October 1994.
  3. The Rules will come into force on the first day on which the
    Rules are no longer liable to be disallowed by Parliament i.e. once 15 sitting days have expired in both Houses after tabling.

ANGELENE FALK
Australian Information Commissioner
Privacy Commissioner


Dated   8 June 2021

 

 

 

 

 

 

 

 

 

Contents

Part 1 – Preliminary

1. Name

2. Commencement

3. Authority

4. Repeal

5. Definitions

6. Scope of Operation

Part 2 – Program protocols

7. Matching agency must maintain a program protocol

8. Public inspection of program protocols

9. Compliance with program protocol

10. Amendments to program protocol

Part 3 – Technical standards

11. Matching agency must maintain a technical standards report

12. Compliance with technical standards report

13. Variation of the technical standards report

Part 4 – Safeguards for affected individuals

14. Confirming validity of matches

15. Notifying individuals

16. Destruction of data where no discrepancy produced

17. Management and destruction of data where discrepancy produced

18. No new registers, data sets or databases to be created

Part 5 – Compliance and reporting

19. Information Commissioner to monitor compliance

20. Agencies to report to Information Commissioner

21. Agencies to report to Parliament

Part 6 – Miscellaneous

22. Operation of this instrument

 

Part 1 – Preliminary

  1. Name

This instrument is the Data-matching Program (Assistance and Tax) Rules 2021.

2.                  Commencement

This instrument commences on the first day on which this instrument is no longer subject to disallowance.

3.                  Authority

This instrument is made under subsection 12(2) of the Data-matching Program (Assistance and Tax) Act 1990.

4.                  Repeal

The Data-Matching Program (Assistance and Tax) Act 1990 - Guidelines (31/10/1994) is repealed.

5.                  Definitions

1)                   Unless stated otherwise, any term used in this instrument has:

  1. where it is defined in the Data-matching Act — that meaning; or
  2. where it is not defined in the Data-matching Act but is defined in the Privacy Act — that meaning.

2)                   In this instrument:

action refers to the actions set out in section 10 of the Data-matching Act, and in the case of the tax agency includes requesting a taxpayer to lodge a return.

Data-matching Act means the Data-matching Program (Assistance and Tax) Act 1990.

discrepancy refers to a result of the program which warrants further action by any relevant source agency for the purposes of giving effect to the program.

dispute refers to any situation where an individual disputes the accuracy of information which forms the basis of a discrepancy and continues to insist his or her view is correct.

final completion of the action has the meaning given in section 17(6) of this instrument.

Information Commissioner has the meaning given in the Australian Information Commissioner Act 2010.

matches undertaken refers to the total number of records received by the matching agency from assistance agencies after they have been separated into individual records for individuals, partners, children, parents and other names used by those individuals.

Privacy Act means the Privacy Act 1988.

program refers to the data matching process described in section 6 of the Data-matching Act.

program protocol refers to the document described in section 7 of this instrument.

Rules means these Data-matching Program (Assistance and Tax) Rules 2021.

technical standards report refers to the document described in section 11 of this instrument.

6.                  Scope of Operation

This instrument applies to, and only to, the matching program referred to in the Data-matching Act.

Part 2 – Program protocols

7.                  Matching agency must maintain a program protocol

1)                   The matching agency must maintain a program protocol in relation to the program.

2)                   The matching agency must develop the program protocol in consultation with the source agencies.

3)                   The program protocol must set out the following information:

  1. an overview of the program;
  2. the objectives of the program;
  3. nature and frequency of the data matching covered by the program;
  4. the matching agency and the source agencies;
  5. in the case of each source agency – the legal authority for any collection, use or disclosure of personal information involved in the program;
  6. an explanation for the use of any identification numbers for the purpose of personal assistance, and in particular tax file numbers;
  7. the measures used to ensure the quality and security of data in the program;
  8. what action may be taken as a result of the program, including the template letters source agencies will use when giving notice under section 11 of the Data-matching Act;
  9. what form of notice has been given, or is intended to be given, to individuals whose privacy is affected by the program; and
  10. any time-limits on the conduct of the program.

4)                   The program protocol must explain the reasons for deciding to conduct the program, including:

  1. the justification for the program;
  2. alternative measures to data matching that were considered, and the reasons why they were discounted;
  3. a statement of the costs and benefits of the program, including the outcomes from the program and the outcomes that would arise in the absence of the program; and
  4. any other measures of effectiveness taken into account in deciding to initiate the program.
  1. Public inspection of program protocols

1)                   The matching agency must provide a copy of the program protocol to the Information Commissioner.

2)                   The matching agency must publish the program protocol and cause a notice to be published in the Gazette unless the Information Commissioner is satisfied that its availability would be or would be likely to be contrary to the public interest (e.g. by prejudicing the integrity of legitimate investigative methods).

 

9.                  Compliance with program protocol

Agencies must comply with the program protocol.

10.              Amendments to program protocol

1)                   Any amendments to the program protocol must be approved by the Information Commissioner, filed with him or her and made available for public inspection.

2)                   Assistance agencies must take all reasonable steps to ensure that individuals are informed that a program protocol which outlines the nature and purposes of the program is available from the Information Commissioner.

 

 

Part 3 – Technical standards

11.              Matching agency must maintain a technical standards report

1)                   Prior to commencing a program, the matching agency must prepare a technical standards report dealing with the matters set out in subsection (2).

2)                   A technical standards report prepared in accordance with subsection (1) must include the following matters:

  1. the nature and quality of data supplied by source agencies, including:

(i)                  key terms and their definitions;

(ii)                the relevance of data collected;

(iii)              the timing of the collection of data; and

(iv)              the scope and completeness of data to be collected; and

b.                   the specification for each matching algorithm or project, including:

(i)                  matching algorithms used;

(ii)                operating procedures for the program;

(iii)              any use of identification numbers for the purpose of personal assistance, especially tax file numbers;

(iv)              the nature of the information being sought through the matching process; and

(v)                the relevant data definitions and the rules for recognising matches; and

c.                    techniques used to ensure the continued integrity of the program including the procedures that have been established to confirm the validity of matching results; and

d.                   techniques adopted to overcome identifiable problems with the quality of data and to standardise data items; and

e.                    security features included in the program to control and minimise access to personal information, including through regular review of the program.

3)                   The matching agency must:

  1. maintain a copy of the technical standards report;
  2. provide a copy of the technical standards report to the Information Commissioner; and
  3. provide copies of the technical standards report to the source agencies.
  1. Compliance with technical standards report

1)                   Agencies must comply with the technical standards report.

13.              Variation of the technical standards report

1)                   The Information Commissioner may require the contents of the technical standards report to be varied.

2)                   Agencies must comply with any variation to the technical standards report.

3)                   A failure to comply with a technical standards report as varied will be taken to be a contravention of this instrument and may be investigated by the Information Commissioner pursuant to section 13(2) of the Data-matching Act.

Part 4 – Safeguards for affected individuals

14.              Confirming validity of matches

1)                   The source agencies must establish reasonable procedures for confirming the validity of results before relying on them as a basis for administrative action against an individual, unless there are reasonable grounds to believe that such results are not likely to be in error.  In forming that view, regard is to be had to the consistency in content and context of data being matched.

15.              Notifying individuals

1)                   If a source agency proposes to confirm the validity of a match only by checking the data with the individual instead of checking the results against the source data, the source agency must give the individual concerned:

  1. reasonable written notice of the relevant matters, including:

(i)                  the match;

(ii)                the initial conclusions the agency has drawn based on the match;

(iii)              an explanation of the techniques used to examine a discrepancy;

(iv)              the administrative action that the agency proposes to take in response to the match; and

(v)                that no check against source data has been performed;

b.                   a reasonable period (at least 28 days from receipt of written notice) in which to respond to that information; and

c.                    notice of the individual’s right to make a complaint under the Privacy Act.

2)                   If there is a dispute as to the accuracy of the data, but the agency considers that administrative action is still warranted, it should inform the individual of their right to lodge a complaint under the Privacy Act.

3)                   Unless required or authorised by law, an agency must not take administrative action that interferes with the individual’s opportunity to exercise any rights of appeal or review.

4)                   If:

  1. an individual has supplied data prior to 1 January 1991; and
  2. that data is to be used, or is likely to be used, in a program;

then:

c.                    the relevant assistance agency must notify the person in writing either before the data is first used, or as soon as practicable after the data is likely to be used for this purpose.

5)                   Written records made in accordance with section 11(5A) of the Data-matching Act must be retained on or linked to the individual's file.

16.              Destruction of data where no discrepancy produced

1)                   If personal information from source agencies is used in a data matching cycle and does not produce a discrepancy, the matching agency must destroy the personal information as soon as practicable after commencing Step 5 in the data matching cycle.

2)                   Destruction of personal information referred to in subsection (1) is to be completed no later than 24 hours after the completion of Step 5 of the data matching cycle, unless additional time is required because of a computer malfunction or industrial action.

17.              Management and destruction of data where discrepancy produced

1)                   In cases where a discrepancy occurs as a result of Steps 1, 4 and 5 in a data matching cycle, the results must be supplied to the relevant source agency within 7 days of completion of the relevant step. 

2)                   Source agencies must deal with the results in accordance with section 10 of the Data-matching Act. 

3)                   If the source agency decides to take no further action in relation to the discrepancy, the information must be destroyed within 14 days where it is reasonably practicable to do so.

4)                   In the case of a discrepancy:

  1. a source agency may refer the discrepancy to another source agency for action in accordance with section 10 of the Data-matching Act; and
  2. subject to section 10(3A) of the Data-matching Act, the agency receiving the discrepancy must commence any action within 12 months from the date of receiving the discrepancy.

5)                   If a source agency receives information from the matching agency or another source agency giving rise to an action within the meaning of section 10(1) of the Data-matching Act, the source agency must destroy that information on final completion of the action.

6)                   For the purposes of subsection (5), ‘final completion of the action’ means:

  1. where the Australian Federal Police has carriage of the matter and the source agency is satisfied with the progress of the matter – when all investigations, legal proceedings and repayment of debts due to the Commonwealth are finalised;
  2. where the Director of Public Prosecutions has carriage of the matter and the source agency is satisfied with the progress of the matter – when all legal proceedings and repayment of debts due to the Commonwealth are finalised;
  3. where a debt due to the Commonwealth remains outstanding and action is being taken to recover it – when the debt is fully recovered, waived or written off;
  4. where the tax agency has issued an assessment or an amended assessment – 90 days after the person's rights of appeal under the Income Tax Assessment Act 1936 have expired; and
  5. in all other situations within 12 months from the date of commencement of action in accordance with section 10(1) of the Data-matching Act.
  1. No new registers, data sets or databases to be created

1)                   Subject to subsection (2), source agencies must not permit the information used in the program to be linked or merged in such a way that a new separate permanent register (or database) of information is created about any, or all of the individuals whose information has been subject to the program.

2)                   Subsection (1) does not prevent a source agency from maintaining a register of individuals in respect of whom further inquiries are warranted following a decision made under section 10 of the Data-matching Act.

3)                   If action is taken in relation to an individual in accordance with section 10 of the Data-matching Act, after completing the action the source agency must delete any information that relates to that action from any register described in subsection (2).

4)                   Subsection (1) does not prevent the creation of a register for the purpose of excluding individuals from being selected for investigation.

5)                   Any register made under subsection (4) must contain only the minimum amount of information required.

 

Part 5 – Compliance and reporting

19.              Information Commissioner to monitor compliance

1)                   The Information Commissioner is to be responsible for monitoring compliance with this instrument and for providing advice to the relevant matching agencies and source agencies in relation to their responsibilities under this instrument.

2)                   The Information Commissioner must include in their annual report an assessment of the extent of the program's compliance with the Data-matching Act, this instrument and the Privacy Act; and to that end, may exercise any of the powers as to investigation and audit contained in the Privacy Act.

20.              Agencies to report to Information Commissioner

1)                   The matching and source agencies must report to the Information Commissioner on a periodic basis as agreed with the Information Commissioner. The Information Commissioner may require an agency to report on any relevant matter, including any of the following matters:

  1. the actual costs and benefits flowing from the program;
  2. any non-financial factors relevant to the program;
  3. any difficulties in the operation of the program and the steps the agency has taken to overcome these difficulties;
  4. any internal audits or other forms of assessment of the program undertaken by the agency, and their outcome;
  5. examples of circumstances in which notice under section 11 of the Data-matching Act would prejudice the effectiveness of an investigation into the possible commission of an offence;
  6. the number of matches produced;
  7. the number and proportion of matches that resulted in discrepancies;
  8. the number and proportion of discrepancies that resulted in the agency giving notice under section 11 of the Data-matching Act;
  9. the number and proportion of discrepancies that resulted in action being taken;
  10. the number of cases where an overpayment was identified;
  11. the number of cases in which action proceeded despite a challenge to accuracy of the data;
  12. the number of cases not proceeded with after contacting the individual who is the subject of the match;
  13. the number of cases where recovery action was initiated; and
  14. the number of cases where a debt was fully recovered.
  1. Agencies to report to Parliament

1)                   Reports prepared for the purposes of section 12(4) and section 12(5) of the Data-matching Act must deal with all of the following matters:

  1. the actual costs and benefits flowing from the program;
  2. any non-financial but quantifiable factors relevant to the program;
  3. any difficulties in the operation of the program and the steps the agency has taken to overcome these difficulties;
  4. any internal audits or other forms of assessment of the program undertaken by the agency, and their outcome;
  5. the number of matches produced;
  6. the number and proportion of matches that result in discrepancies;
  7. the number and proportion of discrepancies that resulted in the agency giving notice under section 11 of the Data-matching Act;
  8. the number and proportion of discrepancies that resulted in action being taken;
  9. the number of cases where an overpayment was identified;
  10. the number of cases in which action proceeded despite a challenge to accuracy of the data;
  11. the number of cases not proceeded with after contacting the individual who is the subject of the match;
  12. the number of cases where recovery action was initiated; and
  13. the number of cases where the debt was fully recovered.

 

Part 6 – Miscellaneous

22.              Operation of this instrument

1)                   Nothing in this instrument is intended to affect the operation of the Privacy Act or the Australian Privacy Principles.