Australian Taxation Office
SBR Authentication
DRAFT Privacy Impact Assessment
Phase 1: High Level Design
November 2008
Liability limited by a scheme approved under Professional Standards Legislation.
Contents
1 Executive Summary
2 SBR Authentication Project
2.1 Project Purpose
2.2 Stage of Project Development
2.3 Project Significance
2.4 Quantity of Personal Information Handled
2.5 Sensitivity of Personal Information
2.6 Interaction with Other Agencies
2.7 Use of Third Parties (Outsourcers)
2.8 New Technology
2.9 New Collection of Personal Information
2.10 New Use of Personal Information
3 Threshold Assessment
3.1 Context
3.2 Project Overview
3.3 Use of Personal Information
3.4 Privacy Risks
3.5 Further discussion regarding proposed EOI standards
3.6 Conclusion
4 Information Flows
5 Treatment and Controls
6 Appendix A Areas Requiring Finalisation
7 Appendix B Documents Reviewed
This report has been prepared for the Australian Taxation Office. It should not be circulated to any other parties without
written permission from PricewaterhouseCoopers, and no one other than the Australian Taxation Office should rely on this
report for any purpose.
Privacy Impact Assessment Report – SBR Authentication
Draft v1.2
2
1 Executive Summary
Scope
This draft report presents the Australian Taxation Office’s (Tax Office) findings of the
preliminary Privacy Impact Assessment (PIA) conducted over the high level design of the
Standard Business Reporting (SBR) Authentication solution.
The PIA process was conducted in accordance with the agreed scope as defined by IT 06-125
Official Order 14 and with reference to government and best practice security guidelines
including:
• Australian Government Information and Communications Technology Security Manual (ACSI 33);
• Protective Security Manual (2005);
• ISO standards including 27001;
• Office of the Privacy Commissioner’s Privacy Assessment Guide (2006) and related guidelines as applicable;
• Privacy Act (Cth) 1988 and associated Information Privacy Principles; and
• Tax Office and Commonwealth Government security policies and guidelines.
Background
Whilst a PIA is not a requirement under the Privacy Act (1988), it is generally accepted as
better practice that a PIA be conducted for projects that collect, use or disclose personal
information. The results of a PIA may assist in the identification of a project’s impacts and risks
to privacy, and ensure that such implications are appropriately mitigated and/or managed.
PIA Process
At a high level, the process undertaken for this PIA included the following key activities:
• determining the nature of the project;
• conducting a Threshold Assessment in order to confirm that a PIA is required;
• mapping the flow of personal information apparent in the high level design of the authentication solution; and
• identifying treatments and controls to mitigate privacy risks.
As the SBR Authentication project is at a stage of high level design, not all personal
information requirements of key processes have been defined. We have highlighted in
Appendix A the areas of the high level design that require finalisation to enable a more
thorough PIA to be performed.
Provided that this information is determined within appropriate timeframes, a more
comprehensive privacy impact analysis will be undertaken upon completion of the detailed
design in February 2009. This will include the Information Privacy Principles Compliance
Checklist components of the PIA Guide.
Threshold Assessment
Although some details of the authentication project have not been finalised, the threshold
assessment has found that the extent of collection and use of personal information apparent in
the high level design is sufficient to confirm that a PIA is indeed appropriate.
2 SBR Authentication Project
2.1 Project Purpose
The SBR Authentication Project aims to provide a multi-agency authentication solution to
support Business-to-Government online interaction. The project is being coordinated by the
Tax Office. Other federal agencies are expected to develop future projects to leverage the
authentication solution for the purpose of streamlining Business-to-Government reporting by
reducing reporting requirements of business.
2.2 Stage of Project Development
The SBR Authentication project is currently at a conceptual stage of development. The high
level design and architecture, and use cases in relation to the registration of a credential have
been proposed.
2.3 Project Significance
The SBR Authentication Project is a significant element of the SBR Program, which in turn has
a significant impact on the Australian business community. As a key enabling technology for
the SBR Program, the SBR Authentication project provides a secure, reliable mechanism by
which businesses can identify themselves to government, and vice versa.
2.4 Quantity of Personal Information Handled
The SBR Program will have a significant impact on the Australian business community, with an
estimated peak take-up of 60% of the target business population (1.5 million businesses)
within four years of implementation. With multiple credentials per business, this represents a
large user base (i.e. a large number of SBR credential-holders), and thus, a large volume of
personal information that will be collected and used in the process of registering for
credentials.
Whilst the amount of a participant’s personal information that is collected and maintained by
SBR Authentication is limited (refer to Section 2.5), the volume of information collected
significantly increases the privacy risks of the project.
Personal user data is collected during the registration process. Details including TFN, name
and date of birth are recorded in a data store within the RA subsystem until the registration
request has been validated by an administrator. Once credentials have been issued the user’s
name and email address and the ABN are passed to a data store within the Trust Broker
subsystem in the VANguard environment. While it appears that the RA subsystem is intended
to hold these details on a temporary basis only, their deletion may impact on fulfilment of
legal/forensic traceability requirements.
2.5 Sensitivity of Personal Information
The SBR Authentication solution includes the collection of individuals’ information for the
purposes of validating their identity, such that they can be issued a credential. Participation in
SBR is on a voluntary basis; information is only collected for individuals representing
businesses that have selected to participate in SBR. The personal information of SBR
participants that will be collected as a part of the online SBR Authentication registration
process includes their:
• name;
• date of birth;
• ABN;
• personal Tax File Number;
• email address; and
• phone number.
From the personal information above, elements of higher sensitivity include an individual’s
name, date of birth and personal Tax File Number. This combination of personal information
enables a single individual to be uniquely identified. Further privacy implications are
introduced in the instances of suppressed ABNs.
Note: A manual Evidence of Identity (EOI) checking process will be in place when online
registration is unable to complete. As the SBR Authentication project is in a stage of high level
design, processes relating to the manual EOI check, and the nature and privacy impact of any
personal information that will be collected in these processes, are yet to be defined.
2.6 Interaction with Other Agencies
The SBR program must be extensible to support existing Business to Government channels
outside of SBR. This includes thin-client applications such as the existing ATO Tax Agent and
Business Portals, ECI thick client applications and any other online business services offered
by the Tax Office and other government agencies.
Personal information provided by SBR participants is validated against information already
retained by the Tax Office. SBR Authentication interfaces with the VANguard system which is
maintained and operated by the Department of Innovation, Industry, Science and Research.
2.7 Use of Third Parties (Outsourcers)
The collection and handling of SBR participants’ personal information will be performed by Tax
Office systems. However, the use of outsourced service providers to manage and support the
SBR IT infrastructure would provide indirect access to the personal information that is
processed and/or stored on such infrastructure.
2.8 New Technology
The SBR Authentication solution is a new system encompassing people, process and
technology, that enables the issuing, management and use of credentials for business clients
and intermediaries. The following components, or subsystems, of the SBR Authentication
system will handle and/or store personal information:
• Credential Management subsystem: Provides self-service functions to the client, including the credential management website. These services are used by the client to request new credentials and to manage credentials for themselves or their business.
• Registration Authority subsystem: Provides Registration Authority (RA) functions for credential lifecycle management. This subsystem performs POI checks by calling ATO Records and ABR Records subsystems, provides functions for manual credential management, and provides information to the VANguard Trust Broker subsystem about credential holders. Clients’ personal information is stored on a database in this subsystem.
• ICP subsystem: The ICP subsystem is used for SBR Authentication workflow management. Note: At the time of this assessment, the extent of involvement of the ICP subsystem in the SBR Authentication project was yet to be determined.
• ATO Records subsystem: The ATO Records subsystem is used to check a client’s name / date of birth and Tax File Number against Tax Office records, in order to verify the client’s individual identity.
• ABR Records subsystem: The ABR Records system is used to check a client’s authority to represent the business, through checking if the client is listed as a Business Associate on ABR records.
• Trust Broker subsystem: The Trust Broker subsystem (within the VANguard solution) receives the name and email address of each SBR client from the Registration Authority subsystem.
2.9 New Collection of Personal Information
Personal information about individuals registering for a credential will be stored in a new
database (“SBR”) in the Registration Authority subsystem of the SBR Authentication system.
The personal information that will persist in this database is as follows:
• name;
• email address; and
• phone number.
In the time that an individual applies for an SBR credential until the request is approved (either
through an EOI check, or by a person in the business with Administrator privileges), the
following information is stored in this same database:
• name;
• email address;
• date of birth;
• ABN;
• personal Tax File Number; and
• phone number.
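The two retention states described for the RA database (Section 2.9), together with the traceability concern raised in Section 2.4 about deleting the pending-state details, can be modelled as a small lifecycle rule. The following is an added example written for this report and is not part of the SBR high level design: while a request is pending the full identity set is held; on approval the date of birth, ABN and TFN are purged from the record and only name, email and phone persist; and, so that an investigator can later confirm whether a given TFN was used in a registration without the store retaining the TFN, the approval event is logged with a keyed hash of the TFN. The class and function names, the keyed-hash audit scheme, the audit key and the sample application are all assumptions of this example.

```python
"""Registration-record retention model (added illustration, not the project's design)."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Field sets taken from Section 2.9 of the report.
PENDING_FIELDS = {"name", "email", "date_of_birth", "abn", "tfn", "phone"}
PERSISTENT_FIELDS = {"name", "email", "phone"}  # what remains after approval

# Constructed secret for this example only; a real deployment would keep it in a KMS/HSM.
AUDIT_KEY = b"example-audit-key-not-for-production"


def tfn_reference(tfn: str) -> str:
    """Keyed hash (HMAC-SHA256) of a TFN's digits. A party holding the key can
    confirm whether a given TFN appears in the audit log; the log itself never
    holds the TFN, and a 9-digit value cannot be brute-forced without the key."""
    digits = "".join(ch for ch in tfn if ch.isdigit())
    return hmac.new(AUDIT_KEY, digits.encode(), hashlib.sha256).hexdigest()


@dataclass
class RegistrationStore:
    records: dict = field(default_factory=dict)   # request_id -> {field: value}
    status: dict = field(default_factory=dict)    # request_id -> "pending" | "approved"
    audit_log: list = field(default_factory=list)

    def submit(self, request_id: str, application: dict) -> None:
        """Pending state: hold exactly the fields the EOI check needs, nothing more."""
        missing = PENDING_FIELDS - set(application)
        if missing:
            raise ValueError(f"application is missing {sorted(missing)}")
        self.records[request_id] = {k: application[k] for k in PENDING_FIELDS}
        self.status[request_id] = "pending"

    def approve(self, request_id: str, approver: str) -> None:
        """Approved state: write the traceability record, then purge sensitive fields."""
        if self.status.get(request_id) != "pending":
            raise ValueError("only pending requests can be approved")
        rec = self.records[request_id]
        self.audit_log.append({
            "event": "approved",
            "request_id": request_id,
            "approver": approver,
            "abn": rec["abn"],                    # business identifier kept for traceability
            "tfn_ref": tfn_reference(rec["tfn"]),  # keyed hash, never the raw TFN
            "at": int(time.time()),
        })
        # Data minimisation: only the persistent subset survives approval.
        self.records[request_id] = {k: rec[k] for k in PERSISTENT_FIELDS}
        self.status[request_id] = "approved"

    def stored_fields(self, request_id: str) -> set:
        return set(self.records[request_id])

    def audit_mentions_tfn(self, tfn: str) -> bool:
        """Investigator's check: was this TFN used in any approved registration?"""
        ref = tfn_reference(tfn)
        return any(hmac.compare_digest(e["tfn_ref"], ref) for e in self.audit_log)

    def raw_tfn_anywhere(self, tfn: str) -> bool:
        """Control check: the raw TFN digits must not appear in any record or log entry."""
        digits = "".join(ch for ch in tfn if ch.isdigit())
        blobs = list(self.records.values()) + self.audit_log
        return any(digits in str(v).replace(" ", "") for b in blobs for v in b.values())


# Constructed sample application (placeholder values, not real identifiers).
SAMPLE_APPLICATION = {
    "name": "A. Example",
    "email": "a.example@example.invalid",
    "date_of_birth": "1970-01-01",
    "abn": "00 000 000 000",
    "tfn": "123 456 789",
    "phone": "0000000000",
}

if __name__ == "__main__":
    store = RegistrationStore()
    store.submit("req-1", SAMPLE_APPLICATION)
    print("pending fields:", sorted(store.stored_fields("req-1")))
    store.approve("req-1", "admin-1")
    print("approved fields:", sorted(store.stored_fields("req-1")))
    print("raw TFN retained:", store.raw_tfn_anywhere(SAMPLE_APPLICATION["tfn"]))
    print("audit can confirm TFN:", store.audit_mentions_tfn(SAMPLE_APPLICATION["tfn"]))
```

The `raw_tfn_anywhere` check is the kind of assertion a privacy control test would run against the RA store after approval; the keyed-hash audit entry is one way to reconcile the deletion of pending-state details with the forensic traceability requirement noted in Section 2.4, and the report's Appendix A item on retention and disposal would need to settle whether such a record, and its key custody, is acceptable.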
2.10 New Use of Personal Information
The proposed method of validating personal information provided by SBR Authentication
applicants against existing Tax Office records is new. Such a method of validating an
individual’s identity does not currently comply with secrecy provisions in the various taxation
laws, which state that Tax Office records may only be used for taxation-related purposes.
Refer to Section 2.8 for further details. We understand that amendments are currently being
considered to ABR legislation to enable the use of TFNs and Tax Office records in the manner
proposed by SBR Authentication.
3 Threshold Assessment
3.1 Context
This Threshold Assessment relates to the Standard Business Reporting (SBR) Program.
PricewaterhouseCoopers is assisting the Australian Taxation Office with preparation of a
Threshold Assessment and Privacy Impact Analysis. The Threshold Assessment serves to
provide an understanding of the project and to confirm that a PIA should be performed.
3.2 Project Overview
Standard Business Reporting (SBR)
Current reporting requirements impose a significant burden on business - a burden that the
Australian Government is committed to reducing.
SBR is a multi-agency initiative that will simplify business-to-government reporting by:
• making forms easier to understand;
• using accounting/record keeping software to automatically pre-fill government forms; and
• introducing a single secure way to interact on-line with participating agencies.
As a result, businesses and their intermediaries will have a faster, more efficient reporting
mechanism. Key benefits to business will include:
• reduced time and effort spent preparing reports for government by businesses,
accountants and bookkeepers;
• reduced time and effort spent filing reports for government; and
• reduced time and effort spent dealing with errors.
SBR is expected to save Australian businesses $795 million per year on an ongoing basis,
freeing up resources for more profitable activities. In addition, accountants, bookkeepers, tax
professionals and software developers will have access to a powerful system for improving
service delivery and productivity.
SBR Authentication
The SBR Authentication project aims to provide a multi-agency authentication solution to
support the SBR program. This means that it must be extensible to support existing Business
to Government channels outside of SBR. This includes thin-client applications such as the
existing ATO Tax Agent and Business Portals, ECI thick client applications and any other
online business services offered by government agencies.
The SBR Authentication scope covers all of the interactions and components that are involved
in issuing, managing and using credentials for Business clients and intermediaries to deal
electronically with the Australian Government. This includes client self-management services,
Registration Authority (RA), Certification Authority (CA) and client-side software components
and services.
The SBR Authentication scope does not include components that are related to authorisation,
including delegated authorisation (where an intermediary such as a Tax Agent is authorised to
act on behalf of another business).
3.5 Further discussion regarding proposed EOI standards
In order for the SBR Authentication Solution to be relied upon by agencies, the solution must
provide comfort that firstly the physical person is appropriately bound to the credential holder’s
name, and secondly that the credential holder’s name is appropriately bound to the organisation
that they purport to represent.
The proposed standard to make this first binding differs from existing identity strategies and
guidelines applicable to Federal Government organisations. The 2004 Standing Committee of
Attorneys-General endorsed agencies’ use of an Evidence of Identity (EOI) framework that requires
validation of identity documents to confirm the identity has: commenced within Australia; is active in
the community; and is linked to the applicant. This framework forms a part of the National Identity
Security Strategy, which the Tax Office has endorsed as part of its 2008-09 compliance program.
The Gatekeeper framework provides for differing types of EOI checks, but all must provide
reasonable confidence that the physical person and the credential holder’s name relate to the
same identity.
The set of persons holding data sufficient to provide EOI under the proposed standard include
current and past employers, financial institutions, superannuation funds, share registries, other
government organisations delivering services to individuals, the individual, their family members
and the individual’s tax agent. The number of potential threat sources that could provide sufficient
evidence of identity increases the likelihood of users being inappropriately registered for an
Administrator level credential by other persons, without the knowledge of the legitimate individual.
To increase the likelihood that the applicant is who they claim to be, consideration should be given
to reducing the number of threat sources by using additional EOI information. However, any
requirement for additional information should be kept to a minimum so as to maintain usability. For
example, information contained within a Tax Office-issued Notice is likely to only be known to a
subset of the parties named in the preceding paragraph. Providing such additional information is
currently required in order to access a range of other Tax Office services, such as those in Table 4
below.
Whilst stringent penalties currently exist in relation to the misuse of an individual’s TFN, it is also
germane to consider the impact on usability if a TFN had been subject to identity theft or fraud. In
the case that the Tax Office detected that a TFN had been illegally used, then the TFN must be
cancelled/revoked, and all related accounts and registration details are frozen to ensure no
updates can be made. Where the TFN is related to an ABN, the ABN itself must also be cancelled
as is any credential that is connected with it. This would not only have serious impact on the
business concerned but also damage the reputation of the credential issuing authority and SBR
agencies. For this reason the integrity of the identity verification process at registration must be
sound.
Given that SBR functionality is likely to evolve, it would be prudent to adopt a sufficiently robust
registration to ensure that future services are supported. As with any risk, management may
determine that the residual exposure is sufficiently low to warrant acceptance.
However, requiring one additional item of EOI present on a Tax Office-issued Notice is believed to
have a minor impact on the individuals concerned, but would bring a significant benefit in reducing
the likelihood of Administrator identity theft in the SBR environment.
6 Appendix A Areas Requiring Finalisation
As the SBR Authentication project is at a stage of high level design, not all processes have
been defined. In particular, the areas below require finalisation in order for a more
comprehensive PIA to be conducted.
Use cases
• UC802 – TFN EOI check fails [Manual EOI processing]
• UC803 – ABR check fails [Manual EOI processing]
The business processes relating to the following use case scenarios have not yet been
formally documented:
• Download credential to portable device
• User authenticates with credential through browser
• User authenticates with credential through business software
• Administrator requests cancellation of device credential
• Administrator accesses Credential Manager to change details
• User accesses Credential Manager to change details
• Organisation no longer has registered administrator
• Failed activation codes.
Interfaces
Further detail (such as the information being transferred across the interface, the security
requirements of the interface, the protocols used, and the mechanisms used to secure the
interface) is required in the description of the following interfaces in the SBR Authentication
subsystem:
• Interface between the Credential Management and RA subsystems
• Interface between the RA and ICP subsystems
• Interface between the RA and ATO Records subsystems
• Interface between the RA and ABR Records subsystems
• Interface between the RA and Trust Broker subsystems
Other
• An end-to-end process for managing suppressed ABNs should be defined. This process should outline the registration, maintenance and use of an SBR credential for individuals representing an organisation with a suppressed ABN.
• The interaction between the ICP system and the SBR Authentication system should be determined.
• The user consent disclaimer statement should be defined, including to explain the purpose for personal data collection and to address other privacy and legal considerations.
• The manual processes for EOI should be defined (if any), including the processes to be used when a user declines to provide a TFN or when automated EOI verification fails.
• Incident response procedures should be defined to mitigate the impact of a privacy breach.
• The process for retaining and disposing of personal information should be defined.
7 Appendix B Documents Reviewed
In preparation of this PIA, the following documents were reviewed:
• SBR HLD-02 v0.8 Working Draft – SBR Authentication Design Blueprint
• SBR HLD004 Use Cases v0.2 Draft – SBR Authentication Project Use Cases and Use Case Diagrams High Level Design
• SBR HLD006 System Architecture v0.2 Draft – SBR Authentication Project High Level Design
• AUTH UC001 v0.3 Draft – Business Associate Applies for own credential as part of ABN application
• AUTH UC002 v0.3 Draft – Business Associate from existing Business applies for their own credential
• AUTH UC003 v0.3 Draft – Business Associate Nominates another user as the first credential holder
• AUTH UC004 v0.3 Draft – User initiates registration for own credential
• AUTH UC005 v0.3 Draft – Administrator initiates registration of User credential without administration privileges
• AUTH UC006 v0.4 Draft – Administrator initiates registration of user credential with administration privileges
• AUTH UC007 v0.3 Draft – Administrator initiates registration for Device credential
• AUTH UC008 v0.3 Draft – Administrator initiates bulk registration of User credentials without administration privileges
• AUTH UC009 Draft – Administrator assigns Administrator privileges to a User
• AUTH UC010 v0.3 Draft – Administrator removes Administrator privileges from a User
• AUTH UC201 v0.3 Draft – Renew credential
• AUTH UC401 v0.3 Draft – Request Credential cancellation through the Credential Manager
• AUTH UC402 v0.3 Draft – Request Credential cancellation outside Credential Manager
• AUTH UC403 v0.3 Draft – Custodial requests revocation of device credential