Relationship Authorisation Manager privacy policy

Find out about our privacy policy for Relationship Authorisation Manager (RAM).

Last updated December 2024

On this page

About this privacy policy

The Australian Taxation Office (ATO) handles your personal information to operate the Relationship Authorisation Manager (RAM) service, according to the Australian Privacy Principles in the Privacy Act 1988 (Privacy Act), the Digital ID Act 2024 and Digital ID Accreditation Rules 2024.

RAM is the Australian Government’s attribute service provider. The ATO delivers and administers RAM as part of the Australian Government's Digital ID System. RAM is an authorisation service that allows you to access government online services on behalf of a business.

RAM can be used to:

  • link your Digital ID to your Australian business number (ABN)/business
  • manage your business authorisations in one place
  • grant others authority to act on behalf of your business, when interacting with government online services.

The ATO complies with the requirements of the Privacy Act. This Act incorporates both:

The RAM system is also accredited under section 15 of the Digital ID Act 2024 which governs the ATO’s management of the system.

Find more information about your privacy rights and our responsibilities at the Office of the Australian Information Commissioner.

As set out in this privacy policy:

  • you agree that we may collect, use, and disclose your personal information
  • you can request to access and correct information we hold about you
  • you can make a complaint if you feel your privacy has been interfered with or if you feel we have breached an APP or the APP Code.

We review this privacy policy regularly and will update it with relevant changes to keep you informed.

How we collect personal information

We collect personal information, in accordance with APP 3 – collection of solicited personal information:

  • directly from you
  • indirectly from you
  • from third parties.

This information is collected for the purpose of:

  • providing RAM access to you for your business or businesses
  • monitoring and improving the security and performance of the RAM service.

Directly from you

We will collect personal information directly from you when you use the RAM system to:

  • link your business or businesses
  • view and manage business authorisations
  • review, accept or decline a business authorisation (for another individual).

If you don’t provide your express consent to share your personal information you won’t be able to use the RAM service. To successfully link your businesses in RAM, they must have an active ABN on the Australian Business Register (ABR). If you can’t or won’t link a business in RAM, you will need to contact the agency or service you are attempting to access for assistance.

Indirectly from you

We collect information about your device and system interactions when:

  • you log into the RAM system and manage your authorisations
  • we monitor RAM application use and system performance
  • we investigate and verify the operation of the RAM system.

From third parties

We collect your personal information from other government agencies to verify and validate your authority to act on behalf of the business.

How we hold personal information

We protect your personal information against:

  • loss, interference or misuse 
  • unauthorised access, modification or disclosure.

We use physical and technological controls to ensure that your personal information is only accessed by staff who need it.

We apply industry-best security methods to protect the personal information we hold, including:

  • information technology and physical security audits
  • penetration testing
  • industry best practice risk management
  • system security technologies.

Personal information used in RAM is stored separately from other records the ATO holds to protect the confidentiality of your personal information.

Your personal information collected for RAM purposes will be stored securely in Australia.

We will retain records of information associated with your RAM business account whilst your registration remains active. The personal information we collect and hold about you will, in almost all cases, be treated as a Commonwealth record. We are bound by the Archives Act 1983 to retain Commonwealth records until we can lawfully dispose of them.

Information we collect and hold

We collect personal information about you for the purpose of operating the RAM system.

Personal information is information about you that identifies you or is reasonably capable of identifying you.

The types of personal information collected by RAM include your:

  • full legal name (pre-filled from your Digital ID details)
  • email address
  • date of birth (pre-filled from your Digital ID details)
  • address
  • relationship to the business
  • associate authorisation provided for employee access.

Personal information may also include:

  • information about services you have accessed or attempted to access
  • information on the method of access
  • your internet protocol number (IP address)
  • the date and time your identity was verified. 

This personal information must be collected before you can register a RAM business account to link your Digital ID to your business. RAM will create and store a record of the business, or businesses, that are successfully linked to your Digital ID.

De-identified information

We may de-identify your personal information, to compile and analyse statistical reports related to using the RAM system. We will use this data to understand use across the community and to enhance the RAM system, but no individual will be reasonably identifiable.

Information we use and disclose

We use and disclose your personal information in accordance with APP 6 – Use or disclosure of personal information.

We will use and disclose your personal information for the purpose of creating, verifying, and maintaining the relationship between your Digital ID and your business. This is also for the purpose of creating, validating, and maintaining the authorisations for your business to ensure the operation of the RAM system.

This may include disclosures of your personal information to other Digital ID System participants such as:

  • the Australian Competition and Consumer Commission (ACCC) in its role as the Digital ID Regulator for the Australian Government Digital ID System (AGDIS)
  • the Office of the Australian Information Commissioner (OAIC) in its role as the Privacy Regulator for the AGDIS
  • Services Australia in its capacity as the System Administrator of the AGDIS
  • Treasury in its capacity as the Data Standards Body for the AGDIS.

We also collect personal information about your RAM system use to:

  • compile statistics and reports to enhance our systems and services
  • identify and respond to issues that indicate authentication integrity risks
  • analyse, prevent, detect, manage, and investigate fraudulent activity which may lead to criminal prosecution.

Personal information about your RAM system use may be used for audit purposes including:

  • information about your device and browser, such as your operating system and user session
  • your IP address
  • the date and time of your use of the authentication service
  • successful and unsuccessful attempts at authenticating.

We may disclose this information with other Digital ID System (the System) participants, if we are authorised or required to by law.

We won’t disclose your personal information without you providing your express consent to :

  • third parties
  • the Identity Exchange
  • the online services you attempt to access.

When you do provide your express consent, the information is disclosed for the purposes of:

  • authenticating your identity 
  • validating your authorisations and accesses
  • confirming the outcome of any authentication attempts.

We provide personal information to our contracted service providers, such as our telecommunications and cloud service partners, to enable us to provide the RAM services.

We won’t use or disclose your personal information for any other purpose unless you have provided your express consent, or we are required or authorised by law (such as to an enforcement body for enforcement related activities) or a court or tribunal order.

You can withdraw your express consent by removing your authorisation in RAM at any time; however, some personal information may be retained in accordance with the Digital ID Act 2024 and the Archives Act 1983. By withdrawing your express consent, you will no longer be able to use RAM. It may also affect your ability to enable authorised users and to represent your business or businesses with any government agencies and services.

We won’t disclose your personal information to overseas recipients or use or disclose personal information for the purpose of direct marketing.

How you can access or correct personal information held about you

You can access and correct personal information held about you, through your RAM profile or:

We will take reasonable steps to correct personal information that we hold about you when you ask us; having regard to the purpose of why we hold it. We take reasonable steps to ensure the personal information we hold is accurate, up to date, complete, relevant, and not misleading.

If you are unable to access and correct your personal information as listed, you can make a request under Australian Privacy Principle (APP) 12 or the Freedom of Information Act 1982 (FOI Act).  

Access to personal information – Australian Privacy Principle 12

You have a right to request access to your own personal information under APP 12.

We will respond to your request for access to your personal information within 30 days.

We won’t charge you for making a request or for giving you access to your own personal information.

However, if the FOI Act or any other Commonwealth Act requires or authorises us to refuse access to your request, we don’t have to give you access to the personal information under APP 12.

In circumstances where we refuse to provide you with access to your own personal information, we will give you a written notice that sets out the reasons for the refusal (unless unreasonable to do so).

We will advise you how to make a complaint about a refusal.

Correction of personal information – Australian Privacy Principle 13

You have a right to request correction of your personal information under APP 13.

We will respond to an amendment request within 30 days.

We won’t charge you for making an amendment request or for correcting personal information about you.

We will take reasonable steps to correct personal information that we hold about you, having regard to the purpose for why we hold it, to ensure it is accurate, up to date, complete, relevant, and not misleading.

If we refuse your correction request, we will give you a written notice that sets out the reasons for the refusal, except when it’s unreasonable to do so.

We will advise you how to make a complaint about a refusal.

Making a request under the FOI Act

You can make a Freedom of Information (FOI) request where you can’t access your personal information in the ways listed.

The FOI Act gives you the right to:

  • access copies of documents (apart from exempt documents) held by the ATO
  • ask for information about you to be amended or annotated if it is incomplete, out of date, incorrect, or misleading
  • seek a review of our FOI decision not to allow you access to a document or not to amend your personal record (done by us or by the Information Commissioner).

A FOI request must:

  • be in writing
  • state that the request is an application for the purposes of the FOI Act
  • provide such information concerning the document requested as is reasonably necessary to enable a taxation officer to identify it
  • provide details of how notices under the FOI Act may be sent to you (for example, by providing an email or postal address for correspondence).

You can send your request to us:

For more information about FOI requests, see Accessing information under the FOI Act.

Enquire or complain about a suspected breach

General questions

If you have a general question about privacy or wish to report a possible breach of your privacy, you can call the ATO’s Privacy Hotline on 1300 661 542 and speak to an ATO officer.

If the officer is not available to speak with you, leave a message and an ATO officer will contact you to respond to your question or to get more information.

Privacy complaints

If you aren’t satisfied with how we have collected, held, used or disclosed your personal information, or another matter in relation to the APPs or the Australian Government Agencies Privacy Code 2017, you can make a formal complaint.

You can lodge a complaint by:

  • using the online complaints form available on ato.gov.au
  • phoning the complaints hotline on 1800 199 010 and clearly state your complaint is about RAM and your privacy
  • phoning the National Relay Service on 13 36 77 (if you have a hearing, speech, or communication impairment)
  • phoning the Translating and Interpreting Service (for people of non-English speaking backgrounds) on 13 14 50.
  • sending us a fax on 1800 060 063
  • writing to:
    ATO COMPLAINTS
    PO BOX 1271
    ALBURY  NSW  2640

We treat complaints seriously and try to resolve them fairly and quickly.

If you make a complaint, we aim to contact you within 3 working days. We will work with you to resolve your complaint and keep you informed of its progress.

If you aren’t satisfied with how we deal with your complaint, the Privacy Commissioner at the Office of the Australian Information Commissioner may be able to help you.

For more information see Office of the Australian Information Commissioner or phone 1300 363 992.

This privacy policy is available at no cost. If you need access to this policy in an alternative format, contact us by email at WofGRAMSupport@ato.gov.au.