Introduction

1. The Australian Taxation Office (Tax Office) is Australia's principal revenue collection agency. Under Australia's taxation law, individual taxpayers are subject to tax on their world wide income. Globalisation of economic activity has meant that Australians now have considerable opportunities to undertake transactions internationally, especially via the Internet. Over one million Australians, increasing at approximately eight to 10 per cent year on year, derive foreign source income which may be subject to tax in Australia.

2. Double Tax Agreements (DTAs) are negotiated on behalf of the Australian Government by the Department of The Treasury, enacted under the International Tax Agreements Act 1953 (Cth), and once operational are then administered by the Tax Office. Australia has entered into 42¹ DTAs with other jurisdictions. DTAs define which jurisdiction has the right to collect tax in particular circumstances and as such, assist in providing equity to taxpayers by preventing or limiting the double taxation of earnings. DTAs also enable the legitimate exchange of taxpayer information between jurisdictions, including through bulk periodic exchange, known as Automatic Exchange of Information (AEOI).

3. The Tax Office sends AEOI data to the relevant DTA jurisdiction where income is earned in Australia and there may be an obligation to pay tax in the partner jurisdiction. Reciprocally, DTA partners send AEOI data to Australia where an Australian resident has earned income overseas and Australia may have the right to collect tax from that individual.

4. AEOI contributes to the transparency of international taxpayer economic activity. From the perspective of the Tax Office, increased transparency provides an opportunity to better understand and oversee the activities of Australians. AEOI data may also contribute to compliance activities conducted by the Tax Office. This compliance oversight occurs in the context of Australia's self assessment system which requires taxpayers to declare all of their assessable income and claim only those deductions and offsets to which they are entitled.

5. The Tax Office has advised that its compliance programs to date have suggested that the overall risk to voluntary compliance in relation to income derived from overseas sources for some markets is high. Compliance activities can range from targeted correspondence campaigns designed to inform and educate taxpayers and encourage self-disclosure, to complex tax audits.

6. Taxpayer privacy is a significant operational issue for the Tax Office, especially when sending and receiving taxpayer information to external sources. In this regard, the Tax Office has obligations to exchange AEOI data in a manner which is consistent with the Privacy Act 1988 (Cth), and the legislative authority provided through the International Tax Agreements Act 1953 (Cth) covering DTAs.

Audit objective and scope

7. The objective of the audit was to review and assess the use, and management of, automatic exchanges of information under Double Taxation Agreements (DTAs) by the Tax Office.

8. The ANAO considered the strategic directions followed by the Tax Office in setting its business and operational policies in regard to AEOI, as well as the governance arrangements in place. As there is an inherent risk of unauthorised access to, or inappropriate disclosure of, taxpayer information when undertaking international transfers of large quantities of taxpayer data, the ANAO examined the security of AEOI transfers, and considered the obligations of the Tax Office under the Privacy Act 1988 (Cth). The ANAO also considered the effectiveness of the use of AEOI data in the context of compliance activities conducted by the Tax Office.

9. The audit did not examine other additional and complimentary data transfer methods enabled by DTAs which facilitate the transfer of taxpayer information between DTA partners; these methods are outlined in paragraph 1.24.

Conclusion

10. The Tax Office is increasingly reliant on its data matching capabilities as an effective and efficient way to achieve high levels of voluntary compliance by taxpayers under Australia's self-assessment system. DTAs with other jurisdictions, as enacted through Australian legislation, provide a framework that assists the Tax Office's operational capability to assess risks and encourage compliance in relation to the taxation of the worldwide earnings of Australian taxpayers.

11. DTAs outline the rights and obligations of Australia and the relevant co-signatory under the agreement including protocols governing the exchange of taxpayer information between jurisdictions. DTAs provide the potential to assist the Tax Office to identify transactions relating to taxpayers with international economic interests and assess their Australian tax obligations in respect of those transactions. The Tax Office's ability to exchange taxpayer information internationally, and the subsequent use of AEOI data in compliance exercises, also act as a deterrent to non-compliance by taxpayers.

12. The Tax Office faces a number of challenges and limitations in establishing and managing the use of AEOI data as part of its compliance program activity. AEOI transfers occur across international boundaries, resulting in operational complexities, many of which are largely outside the control of the Tax Office. These include: differences in language, legal systems, time zones, financial year-ends and the organisational priority afforded to AEOI in different jurisdictions. These complexities result in impediments to the effective use of AEOI data for compliance activities, both in terms of the Tax Office's ability to match the AEOI record to Australian taxpayers, and being positioned to take full advantage of the data made available.

13. Notwithstanding the challenges and limitations involved in the international transfer of large amounts of taxpayer information, the ANAO concluded that the Tax Office's management of the AEOI program has generally been sound, and that the Tax Office has generally made appropriate use of the bulk taxpayer information that it has received under DTAs. Further, the Tax Office continues to encourage ongoing improvement in the quantity and quality of AEOI transfers with Australia's DTA partners.

14. Efforts to increase AEOI activity by the Tax Office and some DTA partners have occurred over a significant length of time. The Tax Office, for example, participated in trials of a paper-based exchange of taxpayer information in the early 1980's, and exchanged data electronically in 2000. Over time, the Tax Office has increased the quantity and value of the AEOI records which it sends to overseas jurisdictions. The quantity of incoming data has also increased, and the Tax Office's ability to achieve an identity match, necessary for efficient database assisted compliance activity, has improved.

15. The effective use of AEOI data within the Tax Office relies upon the coordination of a range of technological, compliance and administrative capabilities which are distributed throughout the Tax Office. The Tax Office established governance structures which provided coordination and oversight, initially only of AEOI activities, and more recently of a range of exchange of information activities which occur under DTAs, in addition to AEOI.

16. The Tax Office's now superseded AEOI Advisory Committee provided a forum for discussion of AEOI use in compliance activities across the Tax Office. There is scope to further increase the compliance knowledge base by coordinating greater sharing of information relating to DTAs generally and the availability and potential use of AEOI data more specifically through the newly constituted EOI Advisory Committee. This could involve, for example, purposefully scheduling compliance exercises to build on the experience and knowledge already gained by business line areas in using AEOI data.

17. The inherent risk to the Tax Office in the AEOI program is significant, given the likely reaction of taxpayers to a privacy breach involving unauthorised access to, or inappropriate disclosure of, taxpayer information; regardless of whether the AEOI data was being sent or received by the Tax Office. AEOI data may be transferred securely through the use of encryption technologies, reducing the potential for unauthorised access to the data and decreasing the reputational risk to the Tax Office that would result from a breach of taxpayer privacy.

18. The Tax Office transfers the vast majority of data in an encrypted state, although this has not always been the case.² Where data is encrypted, one of the tools the Tax Office used is more susceptible to being used inappropriately, including through weaker password selection and encryption, hence the protection applied to AEOI data is at greater risk of being compromised. The Tax Office could reduce this risk for outgoing data by using alternative technologies where supported by DTA partners. Similarly, the Tax Office may influence, but can not control, the security practices of DTA partners that send AEOI data to it. The ongoing monitoring and reinforcement of DTA partner AEOI security practices by the Tax Office would assist in reducing the risk of privacy breaches resulting from AEOI data loss or compromise.

19. Whilst no instance of a breach of privacy was identified during the audit, and the Tax Office was not aware of any instance, the risk of a privacy breach requires ongoing attention and management. The Tax Office has introduced procedures over the course of this audit to reduce the risks associated with sending AEOI data.

20. The ANAO has made two recommendations directed towards improving the Tax Office's effective use of AEOI data in its compliance activities.

Key findings by chapter

Strategic Directions for International Information Exchanges (Chapter 2)

21. The Tax Office has a long history of developing the operational capabilities and international linkages with DTA partners essential for establishing and expanding the AEOI program. Past government decisions, including the selection of which jurisdictions to enter into DTAs with, determine present day opportunities available to the Tax Office.

22. The volume and dollar value of incoming AEOI data available for use by the Tax Office has been increasing over time. Additionally, the ability to derive a high confidence identity match between the incoming AEOI data and existing Tax Office records has also exhibited a positive trend. These two factors combined mean that there is more AEOI data that is suitable for use in case selection and compliance activities.

23. The use of AEOI data by the Tax Office in compliance exercises has increased from a low base over the last five years. AEOI related work is conducted by a number of Tax Office business line areas, which provides the opportunity to leverage the specialist compliance knowledge that exists within the market segments for example, Individuals and Small to Medium Enterprises.

24. Given the market segment based organisational structure of the Tax Office, there is no specialist AEOI compliance area that focuses solely on leveraging AEOI for compliance purposes. Consequently, advances in AEOI data usage methodologies require deliberate and purposeful sharing of information within the Tax Office. With the increased use of AEOI data by the Tax Office, compliance methodologies have been able to be improved, informed by the experience of previous exercises. The Tax Office could improve the mechanisms for sharing information between the areas which contribute to the effective use of AEOI data, including technical, administrative coordination and compliance areas, by more efficiently capturing information and increasing its accessibility.

25. The Tax Office sends a large number of reports on AEOI data quality to overseas jurisdictions. These standardised reports are an important tool to provide an AEOI users perspective on errors, omissions and means of improvement. The Tax Office receives few standardised feedback reports from overseas DTA partners.

AEOI Governance (Chapter 3)

26. The Organisation for Economic Development (OECD) provides an important international focal point for DTA operational discussion. The OECD has authored a Model Convention³ to assist in the negotiation of new DTAs. The involvement of the OECD assists in the creation of an international framework and an increased degree of standardisation on which international cooperation on tax matters is based. The OECD has also released an information exchange manual⁴ and standardised quality feedback report specifications⁵ to assist DTA partners improve their level of service to each other over time.

27. Within Australia, the AEOI program is governed by the DTAs which are enacted through Schedule amendments to the International Tax Agreements Act 1953 (Cth). Administratively, DTAs are negotiated by the Department of the Treasury (Treasury), on behalf of the Government. The Tax Office provides advice to Treasury on matters of tax administration to inform these negotiations and is responsible for administering the DTAs after they are enacted.

28. Within the Tax Office, the effective use of AEOI relies upon the coordination of a range of distributed technological, administrative coordination and compliance capabilities. Compliance areas using AEOI data are informed by their experiences, gained through their general activities engaging with different market segments of taxpayers.

29. The AEOI function is supported through a cross organisational committee. Historically, the Automatic Exchange of Information Steering Committee has focussed exclusively on AEOI. Much of the committee's efforts were directed at increasing the amount of AEOI exchanged and AEOI data use throughout the Tax Office.

30. In 2009, the Tax Office reconfigured the governance structure and created the Exchange of Information Advisory Committee, providing oversight of all forms of international information exchange occurring under DTAs, including AEOI. The updated Charter for this committee was formally approved during April 2010.

Information Security and Privacy (Chapter 4)

31. The potential reputational risk to the Tax Office inherent in the transfer of data is significant in the event that personal taxpayer information is lost, or accessed by unauthorised parties. This risk is particularly relevant to the AEOI program where large volumes of data are exchanged across international boundaries on a regular basis.

32. AEOI necessarily involves the sending and receipt of taxpayer information between international tax jurisdictions. The Tax Office has an obligation to secure the taxpayer data that it sends. Given that the AEOI data sent to the Tax Office by overseas DTA partners is expected to relate to Australian residents, the Tax Office also has a vested interest in influencing incoming international transfer practices, such that Australian taxpayer data is sent to it securely by DTA partners.

33. There have been occurrences overseas involving bulk data loss by government agencies which has been widely reported in the press⁶ and resulted in public inquiry.⁷ Whilst such instances did not occur within the context of an AEOI program, the public reaction to the security breach provides useful insights into how a breach of AEOI program security may be regarded in the Australian community.

34. AEOI data is sent/received using a number of methods. AEOI data may be transmitted electronically via e-mail⁸, or, transported physically via CD ROM using postal, courier or diplomatic services. Irrespective of how the data is transported, the Advanced Encryption Standard (AES) encryption algorithm may be used to effectively secure AEOI data prior to transmission.

35. When sending AEOI data to DTA partners, the Tax Office primarily utilises two encryption programs to secure it; WinZip and Pretty Good Privacy (PGP⁹). The Tax Office sends the largest volume of data, to a small number of DTA partners, using PGP. Conversely, the Tax Office sends only a small proportion of data by volume, to a large number of DTA partners, using WinZip.

36. Both PGP and WinZip utilise the AES, but WinZip also offers user selected encryption methods which are less secure. WinZip relies on a user-entered password to protect encrypted information, whereas in contrast, PGP relies on a computer generated key. As a result of inadequate training and usage WinZip is more susceptible to poor security outcomes where users make poor password¹⁰ and encryption algorithm choices.

37. The ANAO examined a large number of AEOI records transmitted by the Tax Office to review WinZip password usage. AEOI data had been sent using the same passwords to multiple DTA partners, on multiple occasions. This created a risk of an unauthorised recipient being able to inappropriately access data intended for another DTA partner. In addition, short and non complex passwords had been used providing weakened protections, even when AES is used. However, there was no record on Tax Office registry files that this vulnerability had been exploited.

38. AEOI data has been both sent and received in unencrypted form via the postal service or hand delivery with officers of DTA partners. The risks inherent in AEOI transfer would be minimised if AEOI data was always encrypted when being transported.

39. The password procedures used by the AEOI coordination area were informed by guidance which is more appropriate to a computer logon context; the guidance provided less than optimal protections in the context of AEOI.¹¹ Over the course of this audit, the Tax Office has adopted improved procedures to provide greater assurance that strong encryption is applied and longer, more complex passwords are used. The Tax Office also installed an updated version of WinZip to take advantage of updated application configuration options that further reinforce complex password use guidance.

40. Within the Tax Office, AEOI encryption occurs on a stand-alone computer which is not linked to the main Tax Office network. This computer is able to send/receive encrypted information to external e-mail accounts. At the start of this audit users had administrative access privileges. The Tax Office has since improved computer security by limiting users to non-administrative access privileges.

41. The Tax Office commissioned a general review of information security practices, which pre-dates this ANAO audit, and as a result, the Tax Office implemented an Information Security Risk Manager (ISRM) role. Its purpose is to provide additional assurance of the security procedures that are adopted where information, including AEOI data, is sent from the Tax Office to external recipients. Additionally, the Tax Office instituted an Information Transfer Gatekeeper process. The Gatekeeper process is designed to mitigate against the loss of high risk data sets.

AEOI Usage in Compliance Activities (Chapter 5)

42. Over the past five years, the Tax Office has increased its use of AEOI data. Efficient use of AEOI data in compliance exercises is supported by an identity matching capability which provides a means to match AEOI data to the Tax Office's Tax File Number client register, at an assigned level of confidence. Compliance exercises examined over the course of this audit required a high level of identity matching confidence as a pre-cursor to further case selection refinement. Over time, the proportion of AEOI data which can be matched at a high level of confidence has increased. However, because of DTA partner specific differences, the data matching confidence level which the Tax Office is able to achieve varies significantly between DTA partners.

43. Compliance exercises using AEOI data have been undertaken in four areas of the Tax Office, covering both individuals and corporate entities. Some areas have conducted multiple exercises and have been able to use that experience to improve the effectiveness of AEOI data use.

44. Compliance exercises undertaken to date involving AEOI data have typically achieved low measurable outcomes. Exercises based on correspondence campaigns utilising AEOI data for case selection have been the most efficient.

45. Following completion of ANAO audit fieldwork the Tax Office advised that AEOI data would be manually examined with the intent of referring potentially high risk cases to compliance areas for further action.

46. Given that AEOI compliance exercises are undertaken by a number of different areas within the Tax Office, there are opportunities to increase effectiveness and efficiency by using the AEOI Advisory Committee to consider the methodological basis for compliance activities which intend to use AEOI data, and to facilitate its use with other complementary databases.

47. Sharing information more effectively between compliance areas and between technical areas (for example, risk assessment and identity matching) would better position potential compliance activities. This would result from compliance staff gaining a better understanding of the availability, opportunities and limitations of using AEOI data. Building on existing intranet based solutions may provide a cost effective means to capture and promulgate existing and new knowledge.

Tax Office response

48. The ATO welcomes the Australian National Audit Office's (ANAO) recommendations in relation to its management and use of Double Taxation Agreement information collected through automatic exchange.

49. Automatic Exchange of Information (AEOI) contributes to the transparency of taxpayer's international economic activity. Increased transparency provides an opportunity to ensure that taxpayers are appropriately declaring income derived overseas. AEOI contributes to compliance activities conducted by the Tax Office. In particular I note your finding that:

Over the past five years, the Tax Office has increased its use of AEOI data. Efficient use of AEOI data in compliance exercises is supported by an identity matching capability which provides a means to match AEOI data to the Tax Office's Tax File Number client register, at an assigned level of confidence.

50. This should provide reassurance to the community that it can have confidence in this important aspect of our tax administration.

51. As noted in the report, the Tax Office has a long history of developing the operational capabilities and international linkages with Double Tax Agreement (DTA) partners essential for establishing and expanding the AEOI program. In addition the report acknowledges notwithstanding the challenges and limitations involved in the international transfer of large amounts of taxpayer information, the Tax Office's management of the AEOI program has generally been sound. Further, the Tax Office continues to work with Australia's treaty partners to encourage ongoing improvement in the quantity and quality of AEOI transfers.

52. The Tax Office's response is included in full at Appendix 1.

Footnotes

¹ The Assistant Treasurer, the Hon. Nick Sherry announced (March/April 2010) that new Tax Treaties (DTAs) had been signed with Chile and Turkey. At the time of preparing this report these DTAs are not yet in force and are not counted in the 42 DTAs.

² Evidence existed that unencrypted information had been sent in 2007; ANAO analysis did not extend significantly before this date.

³ OECD Model Tax Convention on Income and on Capital.

⁴ <http://www.oecd.org/dataoecd/61/19/40502506.pdf> [accessed 29 April 2010].

⁵ <http://www.oecd.org/dataoecd/61/19/40502506.pdf> [accessed 29 April 2010].

⁶ See <http://www.oecd.org/dataoecd/61/19/40502506.pdf> and <http://www.oecd.org/dataoecd/61/19/40502506.pdf> [accessed 29 April 2010].

⁷ Independent Police Complaints Commission (2008), “IPCC independent investigation report into loss of data relating to Child Benefit”, United Kingdom. In its 25 June 2008 press release, the IPCC made the following comments “The IPCC's investigation uncovered failures in institutional practices and procedures concerning the handling of data. It revealed the absence of a coherent strategy for mass data handling and, generally speaking, practices and procedures were less than effective. The IPCC found that there was: a complete lack of any meaningful systems; a lack of understanding of the importance of data handling; and a ‘muddle through' ethos. Staff found themselves working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data appropriately.” The full report is available at: <http://www.oecd.org/dataoecd/61/19/40502506.pdf> [accessed 29 April 2010].

⁸ The Australian Government Information and Communications Technology Security Manual (available at <http://www.dsd.gov.au&gt;) states that the Internet is treated as Unclassified network infrastructure. AEOI data is categorised In-Confidence by the Tax Office. Even though AEOI information is categorised by the Tax Office at a higher security level than the security level provided by the Internet it is still possible to transmit it over the internet providing the AEOI data is adequately protected through an appropriate encryption algorithm, such as AES.

⁹ When PGP was piloted by the OECD, Australia was a participant in this initiative.

¹⁰ A poor password would be one which is short, non-complex and/or contains elements which are easily guessed.

¹¹ A computer logon environment generally requires a shorter, less complex password, particularly as it is expected that passwords must be able to be remembered by users. Additional protections are also available in a network environment, which are not available in the AEOI context, such as only allowing a specified number of logon attempts before the user account is frozen. In contrast, should encrypted AEOI data archive fall into the wrong hands, an infinite number of compromise attempts may be made until success is achieved.