Chapter 5: Technology and policy change
5.1 To holistically address certain opportunities and challenges presented by emerging technologies, a policy response as well as administrative measures may be required. Submissions to this review have identified four main areas, which are discussed below. The primary focus of the discussion below is on the impact on the administration of the taxation and superannuation systems; however, additional context is provided in terms of key interactions with other government systems.
A policy framework for dealing with emerging technologies
5.2 Stakeholders have acknowledged the rapid pace of technological advancements which have given rise to many changes including new work patterns such as the gig or sharing economy (Airbnb, Uber, Deliveroo and Airtasker to name a few), cryptocurrencies, online cross-border transactions and mobile ‘app’ developments. However, they believe that advice on the tax treatment of these developments needs to keep pace with the rate of change. For example, questions such as the status of persons operating on new technological platforms, how their transactions are characterised and how they should be taxed have all arisen.
5.3 Stakeholders believe that the ATO and the Government should have a systematic approach to monitor and respond to technological developments and innovation. They have noted examples, such as the tax treatment of Uber drivers and their earnings, where they believe the ATO could have acted more expeditiously and effectively.
5.4 The ATO is made aware of emerging policy, law and administrative issues through various channels, including the day-to-day operations of its business lines, external stakeholders and taxpayers as well as the Treasury and other government agencies.
5.5 Once an idea is identified, responsibility for progressing it is allocated to an officer or a team within the relevant business line to formulate options for change and develop a workable proposal for advocacy.444 In doing so, that business line works collaboratively with the Policy, Analysis and Legislation (PAL) business line which provides advice and advocates for policy change.445 PAL collates the advocacy issues in the Advocacy Register which is maintained by one of its branches, Law and Policy Development (LAPD).446 PAL also works with the Treasury and other government agencies to effect policy and legislative change in relation to matters that pose a risk or require improvements to the tax and superannuation systems.
5.6 The LAPD branch works with the business line that identifies the issue to build a ‘compelling case’ for change, considering evidence from other jurisdictions as well as alignment with government agenda or whole-of-government priorities. The compelling case is set out in an advocacy alert, a two page document representing the ATO’s formal advice to the Treasury for change, which is provided to the Policy and Design Forum (PDF) for consideration.447 The PDF determines whether the matter should be brought to the Treasury’s attention. Issues which do not proceed to the Treasury are placed on the ‘bookshelf’, that is, they become a watching brief.448
5.7 Figure 5.1 below shows the status of the issues in the Advocacy Register as of May 2016 and March 2017.
Figure 5.1: Status of items on the ATO Advocacy Register
Source: IGT created from ATO data.
Note: 2016 figures are accurate as at May 2016 and 2017 figures are accurate as at 7 March 2017.
5.8 Figure 5.1 shows that, within a span of 10 months between May 2016 and March 2017, the total number of issues listed on the Advocacy Register almost doubled from 100 to 187, an increase of 87 per cent.449 There was an even greater increase of 144 per cent in the number of issues in the draft and awaiting ATO approval stage. However, there was only a 59 per cent increase in issues which have been finalised.450 Figure 5.1 also shows that the total number of issues placed on the ‘bookshelf’ for action at a later date decreased from 33 to 29.
5.9 Each of the advocacy issues is prioritised with a risk rating from low to moderate, significant, high, severe or catastrophic. The default treatment for severe and catastrophic issues is to provide an urgent intelligence feed, a policy action brief or a new policy proposal to the Treasury and include it in the ‘Top Tax Issues’ report for Government.451 Figure 5.2 below sets out the priority ratings for the issues placed into the draft or awaiting ATO approval stages.
Figure 5.2: Priority of draft and awaiting approval issues on the ATO Advocacy Register
Source: IGT created from ATO data.
Note: 2016 figures are accurate as at May 2016 and 2017 figures are accurate as at 7 March 2017.
5.10 Figure 5.2 shows that the total number of severe issues has decreased from 4 in 2017 to 2 in 2016, whereas the total issues in the other stages have either stayed the same or increased in the 10 months between May 2016 and March 2017.452
5.11 In addition to advocacy work, the PDF also supports the Policy Design Committee (PDC) which was set up in December 2017 as part of the Enterprise Governance Model453 and chaired by a Second Commissioner. The purpose of the PDC is to develop well-designed policies and law simplification options to enable the ATO to effectively perform all of its functions.454 A key responsibility of the PDC is to oversee the stock of advocacy proposals and intelligence alerts sent to the Treasury on emerging issues.455
5.12 The ATO also engages with the Treasury through the Treasury and ATO Forum (TAF). One of the functions of the TAF is to identify opportunities for improving the system as well as prioritising policy and administrative issues that need to be addressed. Proposed solutions and recommendations on the direction of both agencies’ work are also considered by the TAF.456
5.13 An example of the ATO’s response to an emerging technology is the guidance paper and draft tax rulings it issued on discrete aspects of its proposed tax treatment of Bitcoin and other crypto-currencies on 20 August 2014. Whilst the ATO’s guidance paper and draft tax rulings provided ‘certainty for the Australian community on the ATO’s treatment of crypto-currencies within the current legislative framework’,457 a significant amount of Bitcoin transactions had already occurred. The ATO did release more fulsome guidance on its proposed tax treatment of Bitcoin transactions in December 2017,458 by which time Bitcoin transactions had increased by almost 600 per cent.459
5.14 The need to support innovation and develop timely regulatory responses is a challenge facing all regulators, some of whom have developed different approaches. For example, ASIC has an innovation hub which assists new businesses to become familiar with ASIC’s regulatory and compliance approach and to design a solution that integrates well with their business. It also assists ASIC to ‘stay on top of laws that have become impractical or inappropriate as the sector moves forward’.460 ASIC has also launched a regulatory ‘sandbox’ which provides options for businesses to test new products or services without having to hold an AFS licence.461 The sandbox is aimed at encouraging Fintech innovation and benefits ASIC by providing it ‘with the opportunity to understand and develop the appropriate regulatory response for these new businesses and innovations’.462
5.15 As the economy becomes increasingly disrupted by technological advances and innovations, regulators or administrators need to be agile, innovative and responsive to remain effective and relevant. A conservative approach which is slow to react, risk averse and process based is no longer fit for purpose, if it ever was. Regulators will need to continuously collaborate with market participants to avoid producing outdated or ineffective policy advice that unnecessarily restricts or otherwise stifles innovation.463
5.16 It has been suggested that guidelines and standards are an appropriate alternative to regulation in a rapidly changing environment as they provide for a flexible framework that can offer clarity and certainty to market participants.464 An example is Australia’s Fintech start-up ‘sandbox’ that promotes innovation by offering licence exemptions that enable start-ups to test the innovation in the real world and enables market insight to be drawn for the necessary regulatory responses. It may be worthwhile expanding the sandbox concept for the tax and superannuation systems to foster market innovation and provide the ATO with the opportunity to develop a regulatory response before the innovation is widely adopted.
5.17 It is pleasing that the ATO has existing structures and procedures to deal with new technologies and innovation once they have been identified. However, there does not appear to be an established whole-of-ATO framework for systematically monitoring and identifying issues that may warrant further consideration. In the absence of such a framework, it is difficult to ensure that all matters are identified and addressed on a timely basis.
5.18 Furthermore, there are a range of different forums that are involved in triaging and prioritising issues for further action. The IGT has been unable to determine the extent to which they share information and interact. For example, given that the PDF selects the issues that proceed to the Treasury, it is likely that the work of the PAL to triage issues that have been brought to its attention would play a substantial role. However, neither the PAL triage process guide nor the PDF Charter clarifies the interaction between the two. The lack of communication between these forums, and others mentioned earlier, may result in either duplication of work or the ATO overlooking some emerging issues. To maintain a robust governance process for identification and response, the IGT believes that the ATO should ensure that its system is cohesive and streamlined.
5.19 The IGT recognises that the Advocacy Register provides visibility of the issues being considered for policy or law change for the various business lines within the ATO. Figure 5.1 above shows there are significantly more advocacy issues being drafted than are being finalised. This may be due to resource constraints at the finalisation stage. It would be useful for the ATO to investigate this matter and reallocate resources as necessary.
The IGT recommends that the ATO review its current framework for monitoring and identifying new or emerging technologies or innovations to ensure that it is able to take prompt action to address any tax implications.
The ATO has recently implemented a refreshed Enterprise Risk Management Framework. Mechanisms to monitor and identify emerging risk, including the technologies or innovations contemplated by this recommendation form part of this framework. While recognising that the ATO considers it has the right framework in place to monitor new or emerging technologies and innovations, work is continuing on how the framework is applied in practice to ensure the ATO takes prompt action to address the tax implications of these technologies and innovations.
Increased data access and optimising automation
5.20 Stakeholders have opined that in using emerging technologies to increase automation within the tax system, access to significantly more reliable data will be required. Such data will have to be provided by third parties, such as banks, whose compliance burden will correspondingly increase.
5.21 The benefits of availability of increased reliable data to the Government and its agencies, such as the ATO, include greater efficiencies and reduced costs. Taxpayers’ compliance costs are also reduced through such initiatives as improved pre-filled returns.
5.22 Stakeholders have also expressed the view that there are limitations to the level of automation that can be achieved in the Australian tax system largely because of its complexity and features such as WRE deductions.
Cost of increased data access
5.23 The cost of providing data to the ATO has previously been raised, notably in response to the 2013-14 Budget Measures to expand the ATO’s data matching capabilities.465 In February 2014, the Government released a discussion paper which identified the information that would be of benefit to the ATO as well as the likely impact on the third parties who would provide that data. With respect to the latter, feedback was sought, noting that:
… a key consideration in developing the proposed third party reporting regimes is minimising the compliance costs for entities that would need to report additional information to the ATO.466
5.24 The discussion paper further recognised that such a regime involves a trade-off between the compliance benefit received by taxpayers and the compliance costs incurred by third parties. It suggested that compliance costs can be minimised in two ways. First, by only imposing reporting obligations on third parties who already collect the relevant information and, secondly, by integrating the reporting obligation into the natural business systems of those third parties.467
5.25 In response to the discussion paper, the Treasury received a number of submissions from local government as well as various stakeholders in the banking, software, financial services, stockbroking, property investment and hospitality industries.468 Among other things, those submissions discussed the costs involved in implementing new systems and process changes needed to comply with the type of information required under the proposed legislation. Brisbane City Council cited an example where it would have to provide TFNs or dates of birth to the ATO, noting that neither piece of information was captured in its current systems or processes. The latter would need extensive changes to facilitate this requirement and further contact with taxpayers would also be necessary.469 Similarly, the Financial Services Council’s (FSC) submission stated that implementation of changes to a third party’s systems and processes would:
… attract a significant cost as it was not foreseen that [the FSC] would be required to report on specific transactions through bulk reporting. Ongoing costs would continue to be significant as the information requested may be collected through multiple systems, requiring the reporting entities to develop new business processes.470
5.26 The FSC further explained that third parties in the financial services industry do not hold accurate information on the taxable position of individual investors. Specifically, whilst the industry can alert the ATO to a Capital Gains Tax (CGT) event, it cannot provide a quantification of the gain or loss.471
5.27 Submissions from the Australian Custodial Services Association and the Stockbrokers Association of Australia estimated the cost of system and process changes for their members to be $5 to $10 million and $40 million, respectively.472 A number of submissions also noted that even higher compliance costs would be incurred if the ATO required information to be provided more frequently than on an annual basis.473
5.28 As noted earlier, a number of jurisdictions around the world have eliminated the need for their citizens to lodge income tax returns.474 Other jurisdictions have partially adopted such an approach. For example, in the UK, individuals with simple tax affairs are not required to lodge returns.475 Similarly, in New Zealand, most individuals who earn salary and wages need not lodge returns.476 In Singapore, the ‘No-Filing Service’ eliminated the need for 1.39 million taxpayers to lodge in 2015.477
5.29 In 2005, the ATO commenced a pilot to prefill limited data into e-tax,478 the ATO’s self-service software at the time, which allowed taxpayers to lodge their income tax returns electronically. Since then, ATO prefilling has expanded to include information from third parties such as employers, banks, credit unions, share registries, health funds and government agencies as well as a taxpayer’s previous tax activities, tax returns and information from the myDeductions app.479 As a result, over 80 million records were prefilled in the 2016 Tax Time and, as of January 2017, over 3.2 million individuals prepared their own tax return with the use of prefilled data.480 Prefilled data is also made available to tax practitioners to assist them in lodging income tax returns on behalf of their clients.
5.30 Whilst the level of information made available to taxpayers and tax practitioners through prefill is increasing, it is still widely believed that the complexity of the tax system is an obstacle to full automation. The 2009 Australia’s Future Tax System review (AFTS Review) stated:
Under the current framework, there are significant difficulties in correctly quantifying work-related costs, in apportioning expenses between income-earning purposes and private purposes, and in defining and claiming the deductions. These complex arrangements constitute one of the impediments to further pre-filling of tax returns and, ultimately, removing the need to complete a tax return for a large number of employees.481
5.31 The AFTS Review recommended a standard deduction for WREs and the cost of managing tax affairs, or that actual expenses could be claimed with substantiation if they are above a certain threshold.482 The AFTS Review observed that, in comparison to other jurisdictions, Australia provides generous allowances for WRE deductions. With the exception of Denmark, which allows fully deductible WREs after a standard deduction is applied, most other OECD countries only allow deductions for a limited and prescribed set of expenses.483 For example, in the UK, where simple tax returns are not required to be lodged, there are strict policies which prevent the deduction of many WREs as they must be incurred ‘wholly, exclusively and necessarily in the performance of an employee’s duties’.484 In New Zealand, tax reforms in the 1980s removed WRE deductions in favour of income tax reductions.485 The Australian Treasury has recently opined that the absence of WRE deductions in New Zealand has been a ‘major driver of compliance [cost] savings’.486
5.32 On 11 May 2010, the then Treasurer announced that individuals will be able to claim a standard deduction for WREs and the cost of managing tax affairs. Subsequently on 30 September 2011, the Government released exposure draft legislation and explanatory material for public consultation, which provided a standard deduction of $500 for 2012-13, increasing to $1,000 for 2013-14 and later years. It stated that:
The $500 standard deduction is expected to provide 4.6 million taxpayers a benefit financially and by having simpler tax affairs in 2012-13. In 2013-14 an estimated 6.4 million taxpayers are expected to be better off from the $1,000 standard deduction.487
5.33 Legislation giving effect to the proposed standard deduction was not subsequently introduced in Parliament.
5.34 The concept of standard deductions was also considered in the 2015 Re:think Tax Discussion Paper. It suggested that taxpayers could have the option to ‘tick a box’ to claim a set standard deduction, such as $500. However, the paper noted that this would come at a cost to revenue as people who currently do not have any work-related deductions would be able to make a deduction.488
5.35 The issue was most recently considered in 2017 by the Standing Committee on Economics in the report of its Inquiry into Tax Deductibility.489 The Committee stated that it did not support the proposal to introduce a standard WRE deduction without substantiation. It acknowledged that whilst the proposal will provide simplification, it would likely increase the total cost of WREs claimed which will negatively affect government revenue as taxpayers who did not otherwise claim deductions would do so.490
5.36 Table 5.1 below shows that of the 13,213,814 individuals who lodged their 2015 income tax returns by 31 October 2016, 65.3 per cent claimed a WRE.491 This indicates that 4,589,145 individuals did not claim WREs in that year, representing a decrease in the number of taxpayers claiming WREs from the previous year.
Table 5.1: Percentage and amount of WREs claimed
|Number of returns lodged|13,456,360|13,213,814|
|Number of returns claiming WRE|8,835,108|8,624,669|
|Percentage of returns claiming WRE|65.7%|65.3%|
|Median amount of WRE claimed|$935|$1,040|
Source: ATO Taxation statistics 2014-15.
Note: Data is accurate as at 31 October of the following year.
5.37 Despite the challenges posed by WREs, the ATO will be piloting push returns492 during the 2018 Tax Time for selected individuals as part of its Digital Strategy.493 The ATO has identified 5,605 taxpayers who meet the relevant criteria to be part of the pilot.494
5.38 It is acknowledged that accurate and reliable data is critical to reaping the benefits of technology and automation. The IGT has previously noted that data which is required to be provided to the ATO by law yields more accurate and useful intelligence than data that is otherwise obtained through such means as a memorandum of understanding.495 The IGT has also noted that third parties bear significant compliance costs in providing such data.496 As noted above, the Government is aware of these costs and has consulted widely on these issues. The legislative design process specifically acknowledges the compliance costs and states that costs can be reduced by only imposing the obligation on entities that already collected the information in their ordinary course of business.497
5.39 In addition to the legislative intent to minimise costs incurred by third parties in the provision of data to the ATO, the IGT had observed that the ATO had acknowledged such costs and had a process for reimbursing certain expenses, such as those associated with extraction and formatting.498 The IGT was of the view that the ATO could also consider the benefits of subsidising third parties in changing their natural business systems to accommodate ATO data needs and a recommendation was made to that effect with which the ATO agreed.499 The IGT remains of the view that there would be benefit in the ATO considering such an approach as well as continuing to engage with third parties to forecast future data needs and determining what information may be obtained from natural business systems without requiring significant changes.
5.40 Ultimately, it is important to appreciate that as increasing amounts of reliable data are made available to the ATO, the purpose of a tax return as a means through which the ATO seeks to understand the taxpayer’s position will be diminished. Effectively the lodgment of tax returns would become obsolete. The implications are significant for the ATO and tax professionals. However, given certain features and the complexity of the current system, the IGT does not believe that Australia has reached such a stage and is unlikely to achieve it in the short term without significant reform. Such reform would involve considering the machine-readability of our tax laws and examining features of it such as WRE deductions.
5.41 A number of prior considerations of the way forward with WRE deductions have not borne fruit. The most recent examination has revealed that there is currently little support for any major change such as introducing standard deductions because of the impact on government revenue. It is worthwhile noting that some administrative relief does exist for claims of $300 or below where written evidence is not required to be kept.500
5.42 The concerns regarding impact on Government revenue, identified by the Standing Committee on Economics, are borne out by the ATO’s statistics. Based on the number of taxpayers who did not claim WREs, if a standard deduction of $500 was granted, there would be an additional cost of $2,294,572,500. If the standard deduction was increased to $1,000 then the additional cost would be $4,589,145,000. The calculation is helpful in providing an indicative impact on the revenue which would take the form of reduced taxable income. However, it is important to take account of other considerations such as compliance cost savings for individuals and reduced administrative costs for the ATO. The IGT believes that further cost-benefit analysis would be beneficial in progressing the debate.
5.43 In relation to machine-readability, the CSIRO’s innovation group, Data61, is currently ‘building an open platform based on a machine-readable version of current laws, acts, policies and other regulatory documents’.501 The goal is to make laws and regulation available in a digital, machine-readable format to enable DSPs to introduce their own compliance applications.502 There may be benefits in the ATO and Treasury engaging with Data61 to further understand its progress in this regard and contribute to its work where possible.
The IGT recommends the:
- Government consider reform of the work-related expense deduction regime, having regard to prior reviews in this area, including the possibility of introducing standard deductions with a view to eliminating the need for most individuals to lodge income tax returns; and
- ATO engage with:
  - third party data providers to maximise access to reliable information whilst minimising costs and disruption to their business and systems; and
  - the CSIRO’s Data61 group on the latter’s work on machine-readability of tax laws.
(a) Matter for Government
(b) (i) Existing Programme of Work
The ATO already engages and works with third party data providers with this aim and will continue to do so.
(b) (ii) Agree
The Law Design and Policy area within the ATO has already undertaken some preliminary work for a proposed project to test and assess the feasibility of using artificial intelligence tools, underpinned by natural language processing techniques, to support the codification of tax law into machine-readable logic. The project team has engaged with the Digital Transformation Agency and Data61 to put together a comprehensive business plan.
Whole-of-government digital innovation
5.44 Stakeholders observed that the DTA provides broad guidance to agencies in seeking to modernise the way taxpayers interact with government through online services that are efficient and cost effective. However, it does not direct the manner in which large agencies implement their digital transformation. As a result, stakeholders believe that agencies are adopting different platforms which lead to a range of compliance requirements. They believe that in order to achieve optimal outcomes, there needs to be a more coordinated and consistent approach.
5.45 The DTA was set up in 2015 to assist government agencies and departments in embarking on their digital transformation journeys. In addition to leading transformation across the government, the DTA also plays a role in:503
- leading the digital transformation of government services;
- working in partnership with government agencies to improve how they buy and deliver digital services;
- improving the way government buys and uses technology;
- using agile methods to deliver and continuously improve services for users;
- helping to build digital skills capability across government;
- developing products and platforms for government agencies that can be reused;
- advising government about digital service delivery and shared platforms; and
- providing greater transparency to government on ICT projects, costs, risks and opportunities.
5.46 The DTA’s vision of ensuring that it will be ‘simple and fast to get things done with government through any channel’504 is underpinned by the Digital Transformation Agenda which focuses on changing the way in which government interacts with the community and is aimed at reforming policies that hinder transformation.505 As part of the Digital Transformation Agenda, the DTA will be delivering reusable digital platforms by mid-2018. The DTA explains that a digital platform is:506
… a system that multiple agencies can use to deliver services to users. By reusing and sharing digital platforms, agencies can reduce duplication of effort and assets. This approach will save money, improve the experience of government services and increase familiarity with government digital systems.
5.47 These platforms are designed for common, commodity services which will facilitate digital transformation within government agencies.507 One such platform is myGov for which the DTA is responsible for governance, strategy, policy, user experience, changes to the current service and onboarding of other government services.508 The DTA’s Secure Cloud Strategy to encourage increased uptake of cloud technology and the previously mentioned Govpass, a simpler and more secure user identification platform, are two other projects currently being pursued by the DTA.509
5.48 The DTA has explained that its main focus is to work with government agencies to determine how the Government, as a whole, can work simpler, clearer and faster. The DTA’s role is not to discourage the update or removal of an agency’s technologies, but rather, to promote the different technologies that are available for agencies to use and to encourage the sharing and re-usability of platforms across agencies.
5.49 The DTA has also released a Digital Service Standard (the Standard) which includes 13 criteria that all government agencies are expected to meet for services designed or redesigned after 6 May 2016. To ensure that these standards are met, the DTA has advised that all new and redesigned services are assessed against the Standard. Amongst others, some of the criteria in the Standard include understanding user needs, making the service secure, building a service using common designs, style guides, open standards and common platforms, testing the service and encouraging users to choose the digital service.510
5.50 The DTA also works with other government agencies in building and delivering online services by challenging the status quo and making improvements. The partnerships created can involve the provision of short-term specialist skills, support and training to long-term relationships in the development and delivery of new online services.511
5.51 The stakeholder concerns in relation to the limited role of the DTA are consistent with findings of the Senate Finance and Public References Committee (SFPRC).512 Amongst other things, the SFPRC has observed that:
There is a clear need for a whole-of-government vision and strategic plan for the digital transformation of government administration. The evidence [received by the SFPRC] is of departments and agencies in silos looking internally and focussing on their own approach to the digital delivery of their particular government service, where in many respects all are facing the same challenges.
In the absence of any central vision, individual departments (and ministers) may end up pursuing projects that run counter to the aims of digital transformation.513
5.52 The SFPRC expressed concern with the limited role played by the DTA, noting that at the time of its creation, it was intended to be a powerful program management office that ‘would track ICT and digital projects across the whole-of-government, stepping in to remediate where things are not working’514 where in reality the SFPRC found that it played only a minor role in the case studies that were examined.515
5.53 Consistent with the feedback received by the IGT from stakeholders, the SFPRC formed the view that:
A cohesive and shared view, driven by a properly resourced and empowered department or agency, would serve to guide policy development and decision making by the bureaucracy and ministers alike.516
ATO’s contributions to the whole-of-government digital transformation
5.54 The ATO has advised that it is working in partnership with the DTA and other government agencies to ensure that digital interactions with the community are simple, clear and fast. The ATO digital program includes a team that liaises with the DTA to ensure that its projects and services meet the Digital Service Standard and leverage linkages to and the efficiencies from other government agencies.517 The ATO is also a member of the Digital Business Council (the Council) which works to deliver solutions to enable the digital exchange of information. The Council brings together representatives from key industry bodies, DSPs and all levels of government to achieve its initial focus on e-invoicing.518
E-invoicing has been estimated to save the Australian economy $7.8 billion annually,519 and is an initiative which both the Australian and New Zealand Governments have committed to jointly pursue.520
5.55 The ATO has also advised that it contributes to whole-of-government digital transformation through initiatives such as the development of RAM or testing Govpass, which are aimed at simplifying taxpayer identification and authorisation when dealing with government agencies as a whole.521
5.56 The ATO is also implementing STP. STP is a Government initiative announced by the Minister for Small Business in December 2014 to ‘cut red tape for employers by simplifying tax and superannuation reporting obligations …’.522 It forms part of the Government’s $254.7 million investment in the Digital Transformation Agenda523 and enables DSPs to produce accounting software solutions that will allow employers to align their reporting obligations with their payroll processes to reduce the need for additional workflows.524 It also provides more timely data for the ATO which are, in turn, made available to taxpayers through myGov to assist them to stay abreast of their entitlements and lodge their income tax returns.525
5.57 The DTA was not established to assess whether an agency’s current systems and platforms align with the Digital Transformation Agenda, nor is its role to make pronouncements on the adequacy of agency systems and require changes or upgrades to those systems. Rather, the DTA aims to explore how new and emerging technologies may be beneficially used by government, promote those technologies and encourage agencies to invest in reusable platforms.
5.58 The IGT acknowledges that a more consistent digital innovation approach across government may yield benefits for taxpayers through reduced compliance costs. It is also important to appreciate, however, that it would not be entirely desirable to consolidate every government service into a single system or platform as this creates a risk of mass system failure if there are weaknesses that may be exploited. Nevertheless, there may be opportunities for large agencies to take the lead in developing or implementing platforms that may be re-used or redeployed to other agencies which may reduce costs for government. In this regard, the ATO, as one of the largest government agencies in Australia, should explore opportunities to lead the way with digital innovation where possible. As noted above, the ATO has already taken some steps to realise whole-of-government outcomes, including through collaborating with and assisting the DTA on certain projects.
5.59 While the IGT believes that there are a range of positive initiatives which have emerged from whole-of-government digital innovation, there may be further opportunities to reap the benefits of digitisation. Having regard to stakeholders’ concerns and the SFPRC’s views that there is no agency ‘at the centre of government thinking on digital transformation’,526 the IGT believes that there may be opportunities for further improvements to be realised if the DTA or another enduring agency were given greater responsibilities with respect to aligning the whole-of-government digital transformation.
The IGT recommends that the Government, in seeking to improve the administration of the tax system as well as public service delivery more broadly, consider whether the Digital Transformation Agency, or a similar agency, should adopt a more comprehensive role in driving the whole-of-government digital transformation.
Matter for Government
Whole-of-government cyber security risk management
5.60 Given recent high profile data breaches and misuse of information as well as large-scale cyber security attacks, particularly in the USA, concerns about privacy and security are increasingly at the forefront of both government and private sector organisations. Stakeholders have expressed uncertainty as to how the Australian Government and, more specifically, the ATO are responding to these risks.
5.61 In recent years, there have been a number of high profile security incidents or ‘cyberattacks’ internationally, such as those on Yahoo and Equifax, a consumer credit reporting agency in the USA.527 Yahoo revealed that all of its three billion accounts were compromised in a data theft in 2013.528 Equifax’s cyberattack resulted in criminals gaining access to consumer information such as names, social security numbers, dates of birth, addresses, some drivers licence numbers and credit card numbers.529 The total number of consumers affected by the Yahoo and Equifax cyberattacks was 145.5 million.
5.62 Domestically, there have also been reports of government contractors being hacked and significant amounts of restricted information being accessed. The cost of cybercrime to the Australian economy is more than $4.5 billion annually.530 The number of security incidents has risen sharply in recent years, with small businesses being the target of 43 per cent of all cybercrimes.531 It has been reported that in 2016, 59 per cent of Australian organisations experienced a security breach on at least a monthly basis, double the amount reported in 2015.532 Of particular importance, 60 per cent of small businesses who experienced a significant cyberattack went out of business within the following 6 months.533
5.63 The incidence of ransomware attacks, where the systems and data of individuals as well as organisations are held to ransom until a nominated sum of money is paid, has also increased with the consequences being severe and wide reaching. For example, within 48 hours of the WannaCry ransomware attack, more than 130,000 organisations in over 150 countries were compromised.534 It led to over 200,000 victims, over 300,000 infected computers and hundreds of millions of dollars in economic losses.535 The Petya ransomware attack had similar effects.536 In Australia, reports of such activity roughly doubled in 2016 compared to 2015.537 It has been reported that 22 per cent of small businesses that were attacked by ransomware had to immediately cease operations.538
Government initiatives and policies
5.64 In response to the increasing cyber security risks within Australia, the Government established the Australian Cyber Security Centre (ACSC) in 2014 within the Australian Signals Directorate. The ACSC is effectively bringing together the existing cyber security capabilities across Defence, the Attorney-General’s Department, Australian Security Intelligence Organisation, the Australian Federal Police and the Australian Criminal Intelligence Commission.539
5.65 The ACSC aims to ensure Australian networks are robust and difficult to compromise. It has stated that:
… the current hype associated with the proliferation of ‘threat intelligence’ can be a distraction from what really matters: the motivation to allocate effort and resources to improving your cyber security posture by implementing technical controls. If you are relying on threat intelligence to respond to threats already discovered, it is too late for you and your organisation.540
5.66 The ACSC engages and shares information with the private sector, state and territory governments, academia and international partners to ensure the strongest approach to cyber threats possible.541 It is currently in the process of considering a number of models for partnering with industry which will facilitate improved collaboration.542
5.67 In 2016, the Government launched Australia’s Cyber Security Strategy (CSS). At the time, the Prime Minister stated that the CSS:
… will play a key role in securing Australia in the 21st Century. It also represents a significant investment in cyber security. The Government will invest more than $230 million over four years to enhance Australia’s cyber security capability and deliver new initiatives.543
5.68 The CSS establishes five themes of action for Australia’s cyber security through to 2020, each of which is supported by actions that the Government is undertaking, such as the establishment of Joint Cyber Security Centres,544 or will take in future.545
5.69 The CSS is overseen by the Department of Prime Minister and Cabinet (PM&C), with input from the Department of Foreign Affairs and Trade for international engagement and the ACSC to coordinate operations.546
5.70 Furthermore, in 2017 a review into Australia’s intelligence community was completed. It found ‘that the complexity of the geostrategic environment, the pace of technological change, and the broadening scope of security and intelligence challenges facing Australia meant its agencies were increasingly stretched and their efforts to meet these challenges needed to be better integrated.’547 Consistent with the major recommendation of this review, the Government will establish an Office of National Intelligence (ONI) to take the lead on national intelligence issues, including those related to cyber security matters.548 The ONI is expected to commence operation in 2018.549
5.71 In 2018, the Government also took steps to ensure that where Australians may be exposed to data breaches or other cyber crimes, they are appropriately notified and provided with advice on how to proactively protect their information to minimise adverse impacts. This was sought to be achieved through the enactment of the Notifiable Data Breaches scheme which came into effect on 22 February 2018.550
5.72 The ATO holds one of the largest repositories of sensitive personal and financial information in Australia. Accordingly, it is required to have extensive controls to guard against cyber security attacks and data breaches. The ATO has provided the IGT with a significant amount of information regarding processes it has in place to identify and deal with cyber security threats. To avoid compromising the integrity of these systems, not all of this information can be disclosed in this report. However, the brief summary below provides some insights into the measures that the ATO has taken to mitigate risks of cyberattacks and data breaches.
5.73 Broadly, the ATO adopts a multi-layered approach to ensure the security of its systems and the data that it holds. These approaches include protocols at the individual taxpayer, organisation and government-wide levels and include:551
- requiring all taxpayers to pass a proof of record ownership process before they have access to ATO systems and data;
- conformance with the Australian Government Information Security Manual (AGISM)552 issued by the Australian Signals Directorate, the Attorney-General’s Department’s Protective Security Policy Framework553 and the DTA’s Trusted Digital Identity Framework554;
- utilising a wide range of analytical tools to identify fraudulent behaviour and share data and intelligence with other government agencies;
- developing, maintaining and regulating adherence to a suite of internal policies, guidelines and baselines;
- conducting risk assessments and supporting corporate strategic programs to operate within defined enterprise risk tolerance thresholds; and
- undertaking monitoring activities to survey the digital environment.
5.74 There are a range of different areas within the ATO that have responsibility for monitoring and responding to cyber security risks. These include:
- the ATO Information and Cyber Security (ICS) which is responsible for safeguarding the ATO’s ICT assets and electronic information from cyber security risks;555
- the Cyber Security Operations Centre (within the ICS) which monitors unauthorised activities designed to infiltrate the ATO’s systems556 and works collaboratively with the ATO’s Smarter Data business line and the Application Service Management Monitoring Enterprise Operations Centre to identify breaches in specific tax areas such as superannuation and refund integrity;557
- the Cyber Security Stakeholder Group which facilitates discussion between participants from key tax professional associations, government and industry specific bodies focusing on the reduction and management of risks posed by inappropriate access to tax information and identity theft;558 and
- the Enterprise Service Management Centre as the overarching area responsible for oversight of all security incidents and ongoing improvement of systems security, which maintains an end-to-end Security Incident Response Plan559 that aims to restore normal service operations as quickly as possible, minimising any adverse impact on ATO business operations.560
5.75 Notwithstanding the above centralised approach, the ATO has advised that each area within the ATO is also responsible for monitoring and responding to cyber security incidents as part of their daily activities. An early intervention approach seems to have been adopted which involves educating staff and ensuring appropriate internal policies and guidelines are in place.561 The ATO’s Corporate Plan also states that it is continuing to work with the DTA and other relevant government agencies to improve the management of authentication and authorisation to strengthen the security of digital services.562
5.76 In addition to implementing processes to protect its own systems, the ATO also takes steps to inform and assist tax practitioners on cyber security issues through initiatives such as its Open Forums. For example, during the forum hosted by the ATO on 20 March 2018, the ATO discussed cybercrime, highlighting the importance of having sufficient controls in place to protect the security and confidentiality of client records, recommending certain preventative measures be taken to protect client records, providing an overview of the new Notifiable Data Breaches scheme and recommending steps to take if a data breach is suspected.563
5.77 As noted earlier, the ATO is required to comply with the mandatory requirements set out in the AGISM in undertaking its cyber security work. In 2014, the ANAO undertook a performance audit to examine the implementation of mandatory strategies in the AGISM by several government agencies, including the ATO.564 The ANAO determined that the ATO, as with other government agencies examined, was not compliant with the top four mitigation strategies which are:
- application whitelisting;
- patching applications;
- patching operating systems; and
- minimising administrative privileges.565
5.78 In a subsequent submission to the Joint Committee of Public Accounts and Audit (JCPAA), the ATO provided assurance that it would be compliant with the top four mitigation strategies during 2017.566 On 15 March 2017, the ANAO published an independent follow-up performance audit on three government agencies including the ATO which examined the top four mitigation strategies as well as cyber resilience, the ability to continue delivering services despite adverse cyber events.567 The follow-up review found that ‘of the three entities only the Department of Human Services was compliant with the top four mitigation strategies’568. The ATO was compliant with two of these strategies.569
5.79 In relation to cyber resilience570 the ANAO found:
The Australian Taxation Office … had security controls that provided a reasonable level of protection from breaches and unauthorised disclosures of information from internal sources. However, there was insufficient protection against cyber attacks from external sources. As a result, they remain in the ‘internally resilient’ zone.571
5.80 The ANAO made two recommendations with which the ATO agreed.572 In its response to the ANAO report, the ATO stated:
The ATO is committed to meeting community expectations for data security and privacy protection and to providing improved services.
The review recognised the ATO’s strong general information communications technology controls and we will continue to build upon these and continuously improve our overall cyber security governance arrangements.
While there has been improvement in the overall maturity of the security posture of the ATO, the review clearly highlighted further improvements that are required. The ATO has committed additional resource and focus to address deficiencies and reach a greater level of cyber resilience. Immediate improvements have already been put in place with a commitment to reach cyber resilience status in 2017.573
5.81 While the ATO has publicly stated that it is bolstering the resilience of its IT systems following the systems outages in 2016 and 2017,574 there is no public information as to whether it had attained the cyber resilient status to which it committed in the above response.
5.82 The need to guard against cyberattacks has become almost as important as protecting against physical threats. To a large extent, the responsibility has fallen upon the Government and in the tax sphere, the ATO, to mitigate any risk and ensure adequate protection against cyberattacks and data breaches.
5.83 As explained above, the Government has established key whole-of-government processes, agencies and systems aimed at educating and protecting the community. There are also moves to ensure that Australia becomes an industry leader in the provision of cyber security products through specific government funding.575
5.84 On the ATO’s part, the IGT recognises that in recent years and following reviews such as those undertaken by the ANAO, the ATO has invested a significant amount of resources in the development and maintenance of its tools to both monitor and respond to cyberattacks and data breaches. The information provided to the IGT has been extensive and there are a myriad of internal ATO areas, forums and groups tasked with different aspects of this work.
5.85 Whilst the materials point to a detailed network of expertise and activity, it was not immediately apparent to the IGT how each of these areas interact with each other, share intelligence and deliver a unified and coordinated response. Accordingly, there is a risk that cyber security threats may go undetected, the response to them delayed or work and effort duplicated in addressing those threats.
5.86 It would be beneficial for the ATO to undertake a review of its current arrangements to consolidate and streamline the various areas responsible for monitoring and responding to cyber threats. Such a review should seek to ensure that each area is clear on its mission and intra-agency communication and intelligence sharing channels are firmly established.
5.87 It is also important to acknowledge that, like other threats, there is a whole of community responsibility in being alert to and reporting potential instances of cyber security risks or threats. Due to the unique access that tax practitioners have to sensitive information, it is vital that they also take active steps to ensure that their own identity and confidential information as well as those of their clients are protected. As a whole, they have taken significant steps in this regard. However, there is recognition that more can be done to understand cyber security and implement mitigation strategies as part of their standard operating procedures,576 given their role as trusted advisers to the community.
5.88 The ATO could also use its expertise and experience in this area to assist tax professionals, particularly those operating within smaller practices, as well as taxpayers to guard against cyber security risks.
5.89 In conducting this review, it has become clear to the IGT that some community concerns about the preparedness of the ATO to combat cyber security attacks and data breaches arise from a lack of appreciation about the measures that the ATO has already taken. In this regard, the IGT believes that the ATO could do more to broadly communicate to the public about how it monitors and treats cyber security risks to instil confidence in its management of these risks.
The IGT recommends that the ATO:
- review its current internal arrangements for identifying and responding to cyber security risks to ensure efficiency, effectiveness and, in particular, that responsible areas within the ATO are clear on their remit, communicate and share intelligence appropriately and deliver a unified and coordinated response in addressing the risks;
- assist tax professionals, particularly those operating in small practices, to develop and maintain their own cyber security risk management and response plans; and
- broadly communicate and inform the public about the measures it has implemented to mitigate risks of cyberattacks and data breaches.
The ATO has Cyber Security practices in place to support identification and protection against security threats as well as detection of and response to threats, incidents and breaches to ensure effective management of Cyber risk to our information and infrastructure. Our practices ensure we continually monitor and adapt to the ever-changing nature of the digital environment, take a coordinated approach to our business continuity and shape and deliver ongoing enhancements to further strengthen our security capabilities.
The ATO will continue to provide information and guidance but ultimate responsibility sits with the practitioner to ensure they have sufficient safeguards in their own practice systems.
(c) Existing Programme of Work
The ATO already promotes cyber security regularly and through many channels but will investigate other avenues to inform the public on how they can protect their data as well as report concerns and breaches.
444 ATO, ITD end to end process video, Video 1 – Idea (Undated) [Internal ATO document]; ATO, ITD end to end process video, Video 2 – Formulate (Undated) [Internal ATO document].
445 ATO, Policy, Analysis & Legislation (Undated) [Internal ATO document].
446 ATO, How to advocate for policy or law change (Undated) [Internal ATO document].
447 Above n 466.
448 ATO, Committee Charter (2017) [Internal ATO document]; Above n 466.
449 ATO, Advocacy Scan (7 March 2017) [Internal ATO document]; ATO, LAPD Advocacy Scan (May 2016) [Internal ATO document].
451 ATO, A framework for policy advocacy by the ATO (May 2017) [Internal ATO document].
452 Above n 449.
453 ATO, Corporate Committee Services (Undated) [Internal ATO document].
454 ATO, ATO Enterprise Governance Model (Undated) [Internal ATO document] p 2.
456 Above n 448.
459 Blockchain, Confirmed transactions per day <https://blockchain.info/charts/n-transactions?timespan=all>.
462 Above n 11, p 17.
463 Ibid, p 21.
464 Ibid, p 22.
466 The Treasury, Improving tax compliance – enhanced third party reporting, pre-filling and data matching, (2014) p 3.
467 Ibid, pp 6-7.
469 Brisbane City Council, Submission to The Treasury (Cth), Improving tax compliance – enhanced third party reporting, pre-filling and data matching (11 March 2014) p 3.
470 Financial Services Council, Submission to The Treasury (Cth), Improving tax compliance – enhanced third party reporting, pre-filling and data matching (11 March 2014) p 5.
471 Ibid, pp 3-5.
472 Australian Custodial Services Association, Submission to The Treasury (Cth), Improving tax compliance – enhanced third party reporting, pre-filling and data matching (21 March 2014) p 3; Stockbrokers Association of Australia, Submission to The Treasury (Cth), Improving tax compliance – enhanced third party reporting, pre-filling and data matching (11 March 2014) p 2.
473 Australian Bankers’ Association, Submission to The Treasury (Cth), Improving tax compliance – enhanced third party reporting, pre-filling and data matching, 11 March 2014, p 1; Australian Custodial Services Association, Above n 472, p 5; Above n 469, p 3; Above n 470, p 5.
474 Examples discussed above include Russia, Estonia and Singapore. Elliot Wilson, ‘Point of no return’ (2016) 17 EY Tax Insights p 46; Above n 106, pp 37, 78; Above n 185.
477 Above n 106, p 37.
478 ATO, Submission to the Standing Committee on Economics, (Cth), Inquiry into Tax Deductibility (9 March 2017) p 11.
480 Above n 478.
481 Australian Government, Australia’s Future Tax System, Final Report, Part 2, December 2009, Vol 1, p 55.
482 Ibid, p 57.
483 Above n 481, p 54.
485 House of Representatives Standing Committee on Economics, Report on the inquiry into tax deductibility (2017) p 36.
486 The Treasury, Submission to the Standing Committee on Economics, (Cth), Inquiry into Tax Deductibility, (9 March 2017) p 6.
487 Explanatory Materials to the Exposure Draft, Standard deduction for the cost of work-related expenses and the cost of managing tax affairs (2011), pp 2-3.
488 Australian Government, Re:think Tax Discussion Paper (March 2015) p 55.
489 Above n 485.
490 Ibid, p 58.
492 A return fully completed by the ATO for a taxpayer.
493 ATO, ATO Digital Strategy (2016) p 7.
494 ATO, Push assessment 2018 pilot for tax returns) (5 January 2017) [Internal ATO document] p 3.
495 IGT, Review into the Australian Taxation Office’s compliance approach to individual taxpayers – use of data matching (2014) pp 30-33.
496 Ibid, p 9.
497 Explanatory Memorandum, House of Representatives, Tax and Superannuation Laws Amendment (2015 Measures No.5) Bill 2015, p 60.
498 Above n 495, p 9.
499 Ibid, p 43.
504 DTA, Digital transformation agenda (undated) <https://www.dta.gov.au/what-we-do/transformation-agenda/>.
507 Above n 503.
509 DTA, Communication with the IGT (16 January 2017).
512 Senate Finance and Public Administration References Committee, Digital Delivery of Government Services (2018).
513 Above n 512, p 5.
514 Ibid, p 4.
515 Ibid, p 4.
516 Ibid, p 6.
517 ATO, ATO Digital Services (Undated) [internal ATO document].
522 The Treasury, ‘Cutting red tape for employers through Single Touch Payroll’ (Media Release, 28 December 2014).
523 The Treasury, ‘Government moves to get Single Touch Payroll right’ (Media Release, 10 June 2015).
525 ATO, What Single Touch Payroll means for employees (2 July 2018).
526 Above n 512, p 5.
527 “Cyberattacks” refers to a ‘deliberate act through cyberspace to manipulate, disrupt, deny, degrade or destroy computers or networks, or the information resident on them, with the effect of seriously compromising national security, stability or economic prosperity’. See: Australian Cyber Security Centre (ACSC), Australian Cyber Security Centre 2015 Threat Report (2015), p 8.
531 Small business trends, 43% of Cyber Attacks Target Small Business (21 June 2016) <smallbiztrends.com/2016/04/cyber-attacks-target-small-business.html>.
535 Department of the Prime Minister and Cabinet, Silent Dangers – Launch of the Australian Cyber Security Centre’s 2017 Threat Report (10 October 2017).
540 ACSC, Australian Cyber Security Centre 2016 Threat Report, (2016) p 2.
541 Above n 539.
543 Department of Prime Minister and Cabinet, Australia’s Cyber Security Strategy (2016) p 3.
545 Above n 543, p 5.
546 Ibid, p 24.
548 ONA, Ibid.
551 ATO, Submission 15 – Supplementary Submission to the Government Department, Inquiry into Taxpayer Engagement with the Tax System November 2017, p 8. ATO, Communication with the IGT (8 December 2017).
555 ATO, Information & Cyber Security Management (March 2017); The ICS comprises seven areas: Information Management, Security Engagement Policy and Advice, Security Strategy Risk and Assurance, Forensics and Investigations, Vulnerability Management and Research, Cyber Security Operations Centre and Branch Operations & Projects.
556 Commissioner of Taxation, Annual Report 2016-17 (2017) p 79.
557 ATO, Communication to IGT (8 December 2017).
558 ATO, Australian Taxation Office Supplementary Submission – Inquiry into Taxpayer Engagement with the Tax System (November 2017).
559 ATO, ATO Incident Management Process and Procedures (2015) [Internal ATO document].
560 ATO, ATO End-to-End Security Incident Response Plan (2015) [Internal ATO document].
561 ATO, Communication with the IGT (8 December 2017).
562 ATO, ATO Corporate Plan 2016-17 (2017) p 10.
563 ATO, Communication with the IGT (27 March 2018).
564 ANAO, ANAO Report No. 50 of 2013-2014 Cyber Attacks: Securing Agencies’ ICT Systems, (2014), p 42.
565 Ibid, p 19.
566 ATO, Submission to the Joint Committee of Public Accounts and Audit, Cybersecurity Compliance – Inquiry into Auditor General’s report 42 (2016-17) (27 April 2017) p 6.
567 ANAO, ANAO Report No.42 2016-17 Cybersecurity Follow-up Audit, (2017), p 8.
569 Ibid, p 10.
571 Above n 567, p 10.
572 Ibid, p 11.
573 Ibid, p 12.
575 Above n 543, p 4.
576 Sridhar Ramamoorti, Barry Epstein, Dorsey L Baskin and James Wanserski, ‘Managing Risk at the Speed of Change – A New Risk Vocabulary and a Call to the Profession’ (1 June 2017) The CPA Journal 6-9, p 7.