Many small business owners assume that they do not have any obligations under the Privacy Act 1988 (Cth) on account of the size of their annual turnover. However, in certain circumstances, small businesses do have legal obligations regarding privacy. One such situation is when a small business collects tax file number information. This article discusses privacy and small business in the context of collecting tax file number information and what businesses must do to comply with the Privacy Act.

Small Business and Privacy Obligations

Under section 6C of the Privacy Act 1988 (Cth) (the Act), small businesses that meet the definition of ‘small business operator’ are not considered organisations under the Act. As such, they do not need to comply with the Australian Privacy Principles (APPs). However, a small business can still have legal obligations regarding privacy. In particular, if a small business is a recipient of tax file number (TFN) information, it must comply with the Privacy (Tax File Number) Rule 2015 (TFN Rule). Responsibilities under the TFN Rule apply in addition to any other privacy obligations that a small business must meet. For example, if a small business is a credit reporting business under the Act, it must comply with Division 2, Part IIIA of the Act and the APPs.

Section 17 of the Act gives the Privacy Commissioner the authority to make rules about the management of tax file number information. The Act defines tax file number information as information (regardless of whether compiled lawfully or unlawfully) that records the tax file number of an individual such that it can be connected to the person’s identity. It is immaterial whether or not the information is recorded in a material form (written down on paper). The TFN Rule, which replaced the Tax File Number Guidelines 2011, regulates the collection, storage and use of tax file number information concerning individuals. It also governs how entities can disclose, secure and dispose of such information. Significantly, the TFN Rule does not apply to the management of tax file number information about other entities, such as corporations and trusts. As the TFN Rule is a legislative instrument, any breach of it will constitute an interference with privacy.

Of course, the TFN Rule is not the only legislation governing the handling of tax file number information that is potentially applicable to small businesses. The Tax Administration Act 1953 makes it an offence for a person to request or record tax file number information without authorisation. Other statutes that regulate tax file number information include the Income Tax Assessment Act 1936 (Cth) and the Data-matching Program (Assistance and Tax) Act 1990 (Cth). Similarly, the Superannuation Industry (Supervision) Act 1993 governs the management of tax file number information in the context of superannuation.

When Must a Small Business Comply?  

A small business must comply with the TFN Rule if it is a ‘TFN Recipient’. A TFN Recipient (which has the same meaning as file recipient under the Act) includes:

  • The Commissioner of Taxation;
  • An Assistance Agency;
  • An Approved Recipient;
  • An Authorised Recipient; and
  • The Trustee of a superannuation fund.

While the term assistance agency refers to particular government departments, if a small business is an authorised or approved recipient or the trustee of a super fund, it has obligations under the TFN Rule. These responsibilities apply irrespective of the fact that it is a small business. As outlined above, they also apply in addition to any other privacy obligations of the entity.  

Small businesses are most likely to be required to comply with the TFN Rule as authorised or approved recipients. An authorised recipient is an entity that can lawfully request tax file number information under taxation law, personal assistance law or superannuation law. The rule specifies those laws that make up personal assistance law, taxation law and superannuation law under the TFN Rule. For example, personal assistance law includes the Paid Parental Leave Act 2010 (Cth). The Superannuation Industry (Supervision) Act 1993 is also one of the statutes that make up superannuation law under the TFN Rule.

Section 13 of the TFN Rule obliges both the Commissioner of Taxation and the Australian Prudential Regulation Authority (APRA) to make available information about those classes of TFN recipients who can request tax file numbers under taxation and superannuation law. They must also detail the purposes for which recipients can apply for the information, any prohibitions on the collection of such data and the penalties for contravening the TFN Rule. Most relevantly for small business owners, APRA and the Commissioner of Taxation consider employers as authorised recipients in certain situations. These include when an employer:

    • Makes a payment to an employee (for example, wages, salary or commissions) and withholds an amount as per the PAYG Withholding Scheme;
    • Collects tax file number information to pass on to a superannuation fund when they make an employer contribution on behalf of an employee;
    • Is an Employee Share Scheme Provider; and
    • Has obligations under the Small Superannuation Accounts Act 1995 (Cth).

An employer who uses the Small Business Superannuation Clearing House could also be an authorised recipient. Employers can only disclose this information to specific organisations, typically the Australian Taxation Office. However, collecting tax file number information for the purpose of making an employer contribution allows employers to disclose the information to a superannuation fund.  

An approved recipient is an entity engaged to provide services to an authorised recipient where it is reasonably necessary that it has access to TFN information. An approved recipient also includes TFN recipients that have received an individual’s consent to access their TFN. Such consent is given to enable the recipient to assist the person in managing their taxation, superannuation or personal assistance affairs. Examples include solicitors, tax agents or accountants.

Obligations for TFN Recipients

The TFN Rule reminds all TFN recipients that individuals are not legally required to quote their TFN. Nonetheless, it notes that certain consequences follow when a person chooses not to supply it. Section 8 of the Rule only permits TFN recipients to request or collect TFN information from individuals or other TFN recipients for authorised purposes. That is, those purposes authorised in the statutes comprising taxation law, personal assistance law or superannuation law. When a TFN recipient requests TFN information, it must take reasonable steps to make sure that the person knows the specific law which authorises the collection of their TFN information and the purpose for which the recipient collects it. The entity collecting the information must also inform the individual that it is not an offence not to give their TFN as well as explain the consequences of not doing so.

When the TFN recipient collects the information, it must do so in a way which does not unreasonably intrude on a person’s affairs. A TFN recipient can only collect the information that is necessary and relevant to the purpose specified in the authorising law. On this point, Section 9 provides that if an individual gives their TFN for a purpose that the relevant authorising law does not specify, he or she can remove that information. If the person does not, the recipient cannot use or disclose the information inconsistently with the TFN Rule or the Tax Administration Act 1953 (Cth).

A TFN recipient cannot use or disclose the TFN information for any purpose contrary to the authorising legislation. However, it can disclose to an individual the information it holds about him or her. All TFN recipients must take reasonable steps to protect the information they have from misuse or loss. They must also protect against unauthorised access to or use, modification or disclosure of the information. Only employees who need to handle TFN information for a legally authorised purpose can have access to it. A TFN recipient is obliged to take reasonable steps to destroy securely or permanently de-identify their information when:

  • The law no longer requires its retention; or
  • The entity no longer requires it for its lawful purpose.

TFN recipients must also take reasonable steps to ensure that staff understand the need to protect privacy when handling TFN information. Training must cover those circumstances when an entity can collect TFN information and prohibitions on its use and disclosure. The training should reiterate the need to protect privacy when handling TFN information and the penalties for contravening the TFN Rule or other applicable privacy obligations. Importantly, the requirement to undertake employee training includes the element of reasonableness. As such, the training must be tailored to the needs and capabilities of each business.

Key Takeaways

A small business may have privacy obligations under the Privacy (Tax File Number) Rule 2015. This rule concerns how certain entities manage tax file number information. The Rule is a legislative instrument, so contravention is an interference with privacy. Businesses have the responsibility to know their privacy obligations and fulfil them.

Carole Hemingway