How the ATO handles your information to operate the myID system.
Last updated December 2024
The purpose of this privacy policy is to explain how the Australian Taxation Office (ATO) handles your personal and sensitive information to operate the myID system, according to the Australian Privacy Principles in the Privacy Act 1988 (Privacy Act), the Digital ID Act 2024 and Digital ID Accreditation Rules 2024.
About this privacy policy
myID (previously known as myGovID) is the Australian Government’s Digital ID Service Provider. The ATO delivers and administers the myID system as a secure digital environment for individuals to establish and verify their identity for authenticated access to participating online services.
The ATO complies with the requirements of the Privacy Act, which incorporates both the:
The myID service is accredited under section 15 of the Digital ID Act 2024 for the information it manages when you use the myID system.
The use of the Document Verification Service (DVS) and the Face Verification Service (FVS) is subject to the Identity Verification Services Act 2023 (IVS Act).
You can find more information about privacy rights and responsibilities at the Office of the Australian Information Commissioner.
This privacy policy deals with:
- our collection, storage, access to, and use and disclosure of personal and sensitive information
- your rights to access and correct information we hold about you
- how you can make a complaint if you're concerned that
  - your privacy has been interfered with
  - we have breached an APP or APP Code.
We review this privacy policy regularly and will update it with relevant changes to keep you informed.
How we collect personal information
We collect personal information (in accordance with APP 3 – Collection of solicited personal information):
- directly from you
- indirectly from you
- from third parties.
This information is collected for the purpose of:
- providing myID Digital ID services to you
- monitoring and improving the security and performance of the myID system.
Directly from you
We will collect personal information directly from you when you use the myID system to:
- register and create an account for your myID
- increase the identity strength associated with your myID account
- update your personal information on your myID account.
If you don't provide your express consent to share your personal information, you won't be able to verify your identity to create a myID account.
If you can't create a myID account, alternative options may be available from the agency or service you are attempting to access.
Indirectly from you
We collect information about your device and system interactions:
- when you access the myID service to manage your account or update your details
- to monitor myID application use and system performance
- when we investigate and verify the operation of the myID service, app and system.
From third parties
We collect your personal information from government authorities to verify and validate the identity documents you provide to create your myID account, authenticate or increase your identity strength level.
For example, we will verify:
- Australian passports and travel documents with the Department of Foreign Affairs and Trade
- drivers licences with the state or territory roads and traffic authority that issued the document
- Medicare cards with Services Australia.
How we hold personal information
We protect your personal information held for the myID system against:
- loss, interference or misuse
- unauthorised access, modification or disclosure.
We use physical and technological controls to ensure that your personal information is only accessed by staff who need it.
We apply industry-best security methods to protect the personal information we hold, including:
- information technology and physical security audits
- penetration testing
- industry best practice risk management
- system security technologies.
We store your personal information collected for the purpose of myID separately from other records we hold. We hold it securely in Australia.
We will retain records of information associated with your myID while your registration remains active.
The personal information we collect about you will, in almost all cases, be treated as a Commonwealth record. We are bound by the Archives Act 1983 to retain Commonwealth records until we can lawfully dispose of them.
Information we collect, hold and use
Personal information
We collect personal information about you for the purpose of administration of the myID system.
Personal information is information that identifies you or is reasonably capable of identifying you.
The types of personal information collected by myID include your:
- name
- date of birth
- address
- contact details, including email address and phone number
- details contained in Australian Government issued identity documents, such as
- type of document
- document issuer
- document numbers
- effective dates
- photographic images of you
- signatures
- biometric images of your face.
Personal information may also include information about the myID service, including:
- information about services you have accessed or attempted to access
- information on the method of access
- date and time your identity was verified.
When we have validated your identity documents, we will keep a record of the:
- document type used
- information that was verified
- express consent you provide
- document verification outcome.
When we collect personal and sensitive information as part of operating myID, it will be managed and destroyed in accordance with the law.
We collect personal information about your myID system use to:
- verify your identity
- compile statistics and reports to enhance our systems and services
- identify and respond to issues that indicate authentication integrity risks
- analyse, prevent, detect, manage and investigate fraudulent activity that may lead to criminal prosecution.
Personal information collected about your myID system use that will be logged also includes:
- information about your device and browser, such as your operating system and user session
- your internet protocol number (IP address)
- date and time of your use of the authentication service
- successful and unsuccessful attempts at authenticating.
We may disclose this information to other Digital ID System participants, if we are authorised or required to by law.
Biometric verification or identification
Verifying your photo is optional. It can help protect your identity and, when used to set up a Strong myID, allows you to access more services online.
We use the Face Verification Service to electronically compare your personal information and facial image against a specific government record to verify your identity.
For example, to verify your identity in the myID app using your Australian passport, we electronically compare the facial image and personal information from the Australian passport you provided with your passport records held by the Department of Foreign Affairs and Trade.
The Face Verification Service can measure the biometric information for your facial image by using measurements or calculations about your physical appearance.
To verify your photo, you need to take a photo of yourself (a selfie) in the myID app. The technology scans your face while taking the photo. This one-off process checks that you’re:
- a real person – by checking for impersonation attempts, such as wearing a mask
- the right person – by comparing your image to the photograph on your passport
- verifying in real-time – by checking that you’re present and taking the photo, and not (for example) someone trying to scan a video.
We will only collect biometric information with your express consent.
If you decline to provide your express consent to verify your facial image, you can continue to set up your myID account to a Standard identity strength but will not be able to create a Strong identity strength myID account.
Biometric images and photographs used by third-party providers as part of the verification process are destroyed within 14 days. For more information about the operation and management of the Face Verification Service and Document Verification Service, see Access our services | IDMatch.
If you use your fingerprint or facial image as a secure login method on your device, this biometric function is restricted to the device itself that uses that technology to access your apps and personal information stored on your device. We do not collect or store your fingerprints or facial images used to access your device during myID registration or authentication processes.
De-identified information
We may de-identify your personal information to compile reports and analyse statistical data related to using the myID system. We will use this data to understand use across the community and to enhance the myID service, but no individual will be reasonably identifiable.
Information we use and disclose
We use and disclose your personal information in accordance with APP 6 – Use or disclosure of personal information.
We will use and disclose your personal information for the purpose of verifying, validating or authenticating your identity and to ensure the operational function of the myID service.
This may include disclosures of your personal information to other Digital ID System participants such as:
- the Australian Competition and Consumer Commission (ACCC) in its role as the Digital ID Regulator for the Australian Government Digital ID System (AGDIS)
- the Office of the Australian Information Commissioner (OAIC), in its role as the Privacy Regulator for the AGDIS
- Services Australia in its capacity as the System Administrator of the AGDIS
- Treasury, in its capacity as the Data Standards Body for the AGDIS.
We won't disclose your personal information without you providing your express consent to:
- third parties, including the document issuer
- the identity exchange
- the online services you attempt to access.
When you do provide your express consent, the information is disclosed for the purposes of:
- verifying your identity documents
- authenticating your identity
- confirming the outcome of any authentication attempts.
Your personal information will be stored securely in Australia.
If you don't consent to provide or share your personal information, you will be unable to create a myID account or achieve the necessary identity strength required to access some services.
If you won't or can't verify your identity by creating a myID account, alternative options may be available from the agency or service you are attempting to access.
We may share personal information with our contracted service providers, such as our telecommunications and cloud service partners, to enable us to provide myID services.
We won't use or disclose personal information:
- to overseas recipients
- for the purpose of direct marketing.
We won't use or disclose your personal information for any other purpose unless either:
- you have provided express consent
- we are required or authorised to do so under an Australian law (such as to an enforcement body for enforcement related activities) or a court or tribunal order.
You can delete or uninstall the myID app from your device; however, this won't delete your myID account. If you no longer consent to your Digital ID being used, you can contact the myID support line to discuss other options available.
You can withdraw your express consent by deleting your myID at any time; however, some personal information may be retained in accordance with the Digital ID Act 2024 and the Archives Act 1983. By withdrawing your express consent, you will no longer be able to use myID to access participating online services.
How you can access or correct personal information held about you
You can access and correct personal information we hold about you, through your myID account or by asking us.
We will take reasonable steps to correct personal information we hold about you when you ask us to, having regard to the purpose for which we hold it. We take reasonable steps to ensure the information we hold is accurate, up to date, complete, relevant and not misleading.
If you are unable to access and correct your personal information through myID or by contacting us, you can lodge a request under Australian Privacy Principle (APP) 12 or the Freedom of Information Act 1982 (FOI Act).
Access to personal information – Australian Privacy Principle 12
You have a right to request access to your own personal information under APP 12.
We will respond to your request for access to your personal information within 30 days.
We won't charge you for making a request or for giving you access to your own personal information.
If the FOI Act or any other Commonwealth Act requires or authorises us to refuse access to your request, we don't have to give you access to the personal information under APP 12.
If we refuse to provide you with access to your own personal information, we will give you a written notice that sets out the reasons for the refusal (unless unreasonable to do so).
We will advise you how to make a complaint about a refusal.
Correction of personal information – Australian Privacy Principle 13
You have a right to request correction of your personal information under APP 13.
We will respond to an amendment request within 30 days.
We won't charge you for making an amendment request or for correcting personal information about you.
We will take reasonable steps to correct personal information we hold about you, having regard to the purpose for which we hold it, to ensure it is:
- accurate
- up to date
- complete
- relevant
- not misleading.
If we refuse your correction request, we will give you a written notice that sets out the reasons for the refusal, except when it’s unreasonable to do so.
We will advise you how to make a complaint about a refusal.
Making a request under the FOI Act
You can make a freedom of information (FOI) request where you can't access your personal information in the ways listed above.
The FOI Act gives you the right to:
- access copies of documents (apart from exempt documents) held by us
- ask for information about you to be amended or annotated if it is incomplete, out of date, incorrect, or misleading
- seek a review of our FOI decision not to allow you access to a document or not to amend your personal record (this review can be done by us or by the Information Commissioner).
An FOI request must:
- be in writing
- state that the request is an application for the purposes of the FOI Act
- provide such information concerning the document requested as is reasonably necessary to enable ATO staff to identify it
- include details of how notices under the FOI Act may be sent to you (for example, by providing an email or postal address for correspondence).
You can send your request to us:
- by email at FOI@ato.gov.au, with your name and the words FOI REQUEST in the subject line
- using the FOI application form.
For more information about FOI requests, see Accessing information under the FOI Act.
Enquire or complain about a suspected breach
General questions
If you have a general question about privacy or wish to report a possible breach of your privacy, you can phone our privacy hotline on 1300 661 542 and speak to an ATO staff member.
If an ATO staff member is not available to speak with you, leave a message and we will contact you to respond to your question or to get more information.
Privacy complaints
If you aren't satisfied with how we have collected, held, used or disclosed your personal information, or another matter in relation to the APPs or the Australian Government Agencies Privacy Code 2017, you can make a formal complaint.
You can lodge a complaint by:
- using the online complaints form available on the ATO website
- phoning the complaints hotline on 1800 199 010 and clearly stating that your complaint is about myID and your privacy
- phoning the National Relay Service on 13 36 77 (if you have a hearing, speech, or communication impairment)
- phoning the Translating and Interpreting Service (for people of non-English speaking backgrounds) on 13 14 50
- sending us a fax on 1800 060 063
- writing to
  ATO COMPLAINTS
  PO BOX 1271
  ALBURY NSW 2640
We treat complaints seriously and try to resolve them fairly and quickly.
If you make a complaint, we aim to contact you within 3 working days. We will work with you to resolve your complaint and keep you informed of its progress.
If you aren't satisfied with how we deal with your complaint, the Privacy Commissioner at the Office of the Australian Information Commissioner may be able to help you.
Visit the Office of the Australian Information Commissioner website for more information, or phone 1300 363 992.
This privacy policy is available at no cost. If you need access to this policy in an alternative format, contact us by email at support@myid.gov.au.