SBR Privacy Policy

The SBR Channel enables you to lodge reports with SBR Agencies directly from your SBR-enabled software. SBR Agencies will also communicate with you or provide information to you via the SBR Channel, such as an acknowledgment of a report's receipt.

We aim to minimise the collection of personal information when you use the SBR Channel and have implemented various safeguards to help keep personal information secure.

If you choose to use the SBR Channel you will also need to go through the process of customer identification and registration in order to receive an AUSkey. Please refer to the privacy policy for AUSkey at the Australian Business Register website. The AUSkey or 'electronic identity' is authenticated (i.e. checked for validity and currency) by the Government Authentication Service when you need to send a message via the SBR Channel. Please refer to the privacy policy for the Government Authentication Service.


For the purposes of this Privacy Policy, the following definitions apply:

  • Government Authentication Service means the authentication service of the Department of Innovation, Industry, Science and Resources. This service is used to authenticate the AUSkey on behalf of the SBR Channel.
  • SBR means the Standard Business Reporting Program.
  • SBR Agency means each of the Australian Securities and Investments Commission (ASIC), the Australian Taxation Office (ATO) and each State and Territory Government represented by the agency and office holder responsible for payroll tax in that State or Territory.
  • SBR Channel means the set of capabilities hosted by the ATO that, together, will deliver the integration, consistency, availability, reliability and security necessary for businesses, and those that report on their behalf, to interact electronically with SBR Agencies for the submission of reports and information via SBR-enabled software.
  • We means the Commonwealth of Australia acting through and represented by the Australian Taxation Office ABN 51 824 753 556 (or any other agency responsible for administering the SBR Channel).

What personal information we will collect

During transmission:

Just like any other reports you submit to SBR Agencies via other channels (such as sending paper forms directly to an SBR Agency), the contents of a report submitted to an SBR Agency via the SBR Channel may contain personal information. The SBR Channel will not open or read the contents of any report. However, the SBR Channel will only briefly (ie during transmission) collect the ABN of the senders business (which may be personal information) and for a Standard AUSkey and an Administrator AUSkey the user name, email address and unique identifier of the sender individual. This information is not stored after the transmission.

Audit logs:

The SBR Channel audit logs will collect the ABN of the senders business (which may be personal information) and for a Standard AUSkey and an Administrator AUSkey the unique identifier of the sender individual.

How we will use personal information

When you choose to use the SBR Channel to lodge a report or request information from an SBR Agency, we will use the personal information stored in the AUSkey to validate the sender of the report, to maintain the integrity of the message and to direct messages between you and the SBR Agencies with which you seek to communicate or lodge reports and information.

We will use the personal information in the audit logs to answer user support or systems and to diagnosis questions about who sent a particular message, the time and destination of the message and the type of report. We may also use the audit records to derive de-identified statistical information, which will not include any personal information.

What personal information we will keep

The SBR Channel does not access or store the content of the reports you lodge, or what business they are about. It will only hold data long enough for the life of the transaction, which is measured in seconds and is the time it takes for the message to be delivered or to send an error message to you, for example if the SBR Agency is unable to receive a message. The audit logs will store the unique identifier of the sender individual and the ABN of the senders business.

How we will keep personal information secure

We take the safeguarding of personal information very seriously. In order to help keep personal information secure, we have implemented the following safeguards:

  • a report will only be held by the SBR Channel in memory long enough for the message to be delivered, or to send an error message to the business user;
  • electronic communications between the software and the SBR Channel, and between the SBR Channel and each of the SBR Agencies, will be passed through secure encrypted channels over the internet;
  • where possible, we will maintain operational separation. This means that individuals and contractors with other roles or with access to other data within the ATO, who is the operator of the SBR Channel, should not have access to the SBR Channel and its audit logs, and vice versa;
  • we will also comply with the ATO National IT Security Guidelines for Audit Logging, Account and Password Management and IT Security Management; and
  • the SBR Channel uses secure internet gateway infrastructure built and operated in accordance with the Australian Government Information Security Manual requirements.

We are also committed to following the Privacy Commissioner's guidelines on notification of serious data breaches and, depending on the severity of a data security breach, may also notify the Defence Signal Directorate.

When we might disclose personal information

We will disclose the personal information collected during transmission to the relevant SBR Agency for the purposes of that SBR Agency verifying the authority of the sender to lodge the information on behalf of the business.

We may disclose audit records: to the SBR Agencies and their contracted service providers for the purpose of administering the SBR Channel; to the Commonwealth Auditor-General or any State or Territory Auditor-General; or where such information is otherwise authorised or required by a Commonwealth, State or Territory law to be disclosed. As such, you should be aware that audit logs may be disclosed to third parties, such as law enforcement agencies, if allowed or required under law. As the law and the circumstances about when we may disclose personal information will depend on the particular SBR Agency your reports and information were sent to, please contact that SBR Agency for more information on the disclosure arrangements for that SBR Agency.

How to gain access to the personal information we hold

If your request is about the personal information held in relation to reports and information you have sent or received via the SBR Channel, please approach the SBR Agency your reports and information were sent to/from for more information including details regarding access fees, timeframes and when access may be refused. If your requirements are not met, please contact the SBR Privacy Officer as below.

For more information

If you need more information or have any concerns about how we have handled personal information, please contact the SBR Privacy Officer:

  • Telephone: 1300 488 231 between 8.00 am - 7.00 pm AEDT
  • Email: SBRprivacy [at]
  • Post: SBR Privacy Officer, SBR Services & Operations Branch, PO Box 9990 ACT 2600

If we are unable to resolve your concerns or if you have any complaints about how we have handled personal information, please contact the Privacy Commissioner:

  • Website:
  • Telephone enquiries: 1300 363 992
  • Post: GPO Box 5218 Sydney NSW 2001
Last updated: 
7 April 2014
Page ID: