ABR security policy

Scope

The Australian Taxation Office (ATO) operates the Australian Business Register (ABR) website. A range of security controls is applied to protect the website from unauthorised access and information is protected while it is collected by, stored on or passing through the ABR website.

In spite of these protections, users should be aware that the world wide web is an insecure public network that gives rise to a potential risk of a user’s transactions being viewed, intercepted or modified by third parties or that files which the user downloads may contain computer viruses, disabling codes, worms or other devices or defects.

The ABR accepts no liability for any interference with or damage to a user’s computer system, software or data occurring in connection with or relating to this website or its use. Users are encouraged to take appropriate and adequate precautions to ensure that whatever is selected from this site is free of viruses or other contamination that may interfere with or damage the user’s computer system, software or data (see also the Disclaimer statement).

Where connection to a system outside the control of the ABR website compromises the objectives of this statement, the ABR personnel will take steps to rectify the situation.

Online security

Learn how to protect yourself against security scams and transact safely online.

Confidentiality and integrity

The ABR website has two forms of protection:

• SSL (Secure Socket Layer): encryption, which provides the secure connection between the user and the ABR Web server. Users seeking more information about SSL in general are referred to W3C ‘The world wide web consortium’ where a search on the word ‘SSL’ or browsing the Security FAQs will provide current information.
• PKI (Public Key Infrastructure): a digital certificate, used to verify that the user is who they claim to be which helps ensure the security of electronic transactions with the ABR.
• You can use an ABR AUSkey or ATO digital certificate to login to the ABR website www.abr.gov.au

Precautions are taken to help ensure the confidentiality and integrity of the data transmitted to and from the ABR’s web servers. Users can be confident that the information supplied is unlikely to be read by anyone other than ABR personnel or tampered with while in transit to the ABR. Information will be only used for the purposes which the law authorises (see also the Privacy statement).

User awareness of location

It is intended that users of the ABR website will be able to determine whether, at any given time, they are interacting with ABR website.

A user can confirm they are interacting with the ABR website by checking the digital certificate used to provide SSL encryption. This can be checked by clicking on the SSL padlock located along the bottom of the browser window. The user should confirm the following:

• the certificate has been issued to 'abr.gov.au'
• the certificate has been issued by 'Thawte Server CA'
• the certificate has a validity period of two years
• the certificate path/hierarchy shows only 'Thawte Server CA' followed by 'abr.gov.au'.

How these details are displayed depends on the type of browser being used.

Accountability

Some transactions will provide the user with a 'receipt' after a transaction is submitted. The receipt is intended to inform the user that the transaction has been successfully processed by the ABR site to which it has been sent. Transactions which provide receipts are clearly identified at the outset, so that the user will know what kind of receipt to expect and what to do if one is not received.

ABR personnel will undertake auditing and logging of all security related events, including the recording of all necessary information to identify the causes of an event and the person or entity which was responsible for the event. Where a malicious event occurs, steps will be taken to minimise the risk of such an event from occurring in the future. Such steps may lead to further investigation and possible prosecution.

Taxation Acts have secrecy provisions that prohibit ABR Personnel, any officer of the ATO or any other government department from accessing, recording or disclosing anyone's taxation information except in performing their duties or in specific situations permitted by taxation laws. The commonwealth Crimes Act 1914 also governs commonwealth government agencies and their personnel’s use and disclose of information. There are severe penalties for breaking these provisions.

Personal information will not be released unless the law permits it or permission is given. The ABR website is a secure environment and a reliable system but users should be aware that there may be inherent risks associated with the transmission of information via the internet. For those who do not wish to use the internet, there are alternative ways of obtaining and providing information. For more information on these alternative, users can telephone the ATO on 13 28 66.

The electronic version of this document is the only authorised version
Last updated: 24/06/2010

---

Copyright

© Commonwealth of Australia 2010

This work is copyright. You may download, display, print and reproduce this material in unaltered form only (retaining this notice) for your personal, non-commercial use or use within your organisation. Apart from any use as permitted under the Copyright Act 1968 all other rights are reserved. Requests for further authorisation should be directed to the Manager, Legislative Services, AusInfo, GPO Box 1920, Canberra ACT 2601 or by email to Cwealthcopyright@dofa.gov.au