Find out about our privacy policy for Relationship Authorisation Manager (RAM).

Last updated February 2023

On this page

• About this privacy policy
• How we collect personal information
• How we hold personal information
• Information we collect and hold
• Information we use and disclose
• How you can access or correct personal information held about you
• Making a request under the FOI Act
• Enquire or complain about a suspected breach

About this privacy policy

The Australian Taxation Office (ATO) handles your personal information to operate the Relationship Authorisation Manager (RAM) service, according to the Australian Privacy Principles in the Privacy Act 1988 (Privacy Act).

RAM is the Australian Government’s attribute service provider. The ATO delivers and administers RAM as part of the Australian Government's Digital Identity System. RAM is an authorisation service that allows you to access government online services on behalf of a business.

RAM can be used to:

• link your digital identity to your Australian business number (ABN)/business
• manage your business authorisations in one place
• grant others authority and customise the level of user access needed to act on behalf of your business, when interacting with government online services.

The ATO complies with the requirements of the Privacy Act. This Act incorporates both:

• the Australian Privacy Principles (APPs) and
• the Australian Government Agencies Privacy Code.

The RAM system is also accredited by the Trusted Digital Identity Framework which governs the ATO’s management of the system.

Find more information about your privacy rights and our responsibilities at the Office of the Australian Information Commissioner.

As set out in this privacy policy:

• you agree that we may collect, use, and disclose your personal information
• you can request to access and correct information we hold about you
• you can make a complaint if you feel your privacy has been interfered with or if you feel we have breached an APP.

We review this privacy policy regularly and will update it with relevant changes to keep you informed.

How we collect personal information

We collect personal information, in accordance with APP 3 – collection of solicited personal information:

• directly from you
• indirectly from you
• from third parties.

This information is collected for the purpose of:

• providing RAM access to you for your business or businesses
• monitoring the security and performance of the RAM service.

Directly from you

We will collect personal information directly from you when you use the RAM system to:

• link your business or businesses
• view and manage business authorisations
• review, accept or decline a business authorisation (for another individual).

If you do not provide consent to share your personal information you won’t be able to use the RAM service. To successfully link your businesses in RAM, they must have an active ABN on the Australian Business Register (ABR). If you can’t or won’t link a business in RAM, you will need to contact the agency or service you are attempting to access for assistance.

Indirectly from you

We collect information about your device and system interactions when:

• you log into the RAM system and manage your authorisations
• we monitor RAM application use and system performance
• we investigate and verify the operation of the RAM system.

From third parties

We collect your personal information from other government agencies to verify and validate your authority to act on behalf of the business.

How we hold personal information

We protect your personal information against loss, unauthorised access, use, modification, or disclosure.

We use a range of physical and technological controls to ensure that your personal information is only accessed by staff who need it.

We apply industry-best security methods to protect the personal information we hold, including:

• information technology and physical security audits
• penetration testing
• industry best practice risk management
• system security technologies.

Personal information used in RAM is stored separately from other records the ATO holds to protect the confidentiality of your personal information.

Your personal information collected for RAM purposes will be stored securely in Australia.

We will retain records of information associated with your RAM business account whilst your registration remains active. The personal information we collect and hold about you will, in almost all cases, be treated as a Commonwealth record. We are bound by the Archives Act 1983 to retain Commonwealth records until we can lawfully dispose of them.

Information we collect and hold

We collect personal information about you for the purpose of operating the RAM system.

Personal information is information about you that identifies you or is reasonably capable of identifying you.

The types of personal information collected by RAM include your:

• full legal name (pre-filled from your digital identity details)
• email address
• date of birth (pre-filled from your digital identity details)
• address.

This personal information must be collected before you can register a RAM business account to link your digital identity to your business. RAM will create and store a record of the business, or businesses, that are successfully linked to your digital identity.

De-identified information

We may de-identify your personal information, to compile and analyse statistical reports related to using the RAM system. We will use this data to understand use across the community and to enhance the RAM system, but no individual will be reasonably identifiable.

Information we use and disclose

We use and disclose your personal information in accordance with APP 6 – Use or disclosure of personal information.

We will use and disclose your personal information for the purpose of creating, verifying, and maintaining the relationship between your digital identity and your business. This is also for the purpose of creating, validating, and maintaining the authorisations for your business to ensure the operation of the RAM system.

This may include disclosures of your personal information to other Digital Identity System participants such as:

• the Digital Transformation Agency in their capacity as the System Oversight Authority
• Services Australia in their capacity as the System Interim Oversight Authority.

We also collect personal information about your RAM system use to:

• compile statistics and reports to enhance our systems and services
• identify and respond to issues that indicate authentication integrity risks

• analyse, detect, manage, and investigate fraudulent activity which may lead to criminal prosecution.

Personal information about your RAM system use may be used for audit purposes including:

• information about your device and browser, such as your operating system and user session
• your internet provider number (IP address)
• the date and time of your use of the authentication service
• successful and unsuccessful attempts at authenticating.

We may disclose this information with other Digital Identity System (the System) participants, if we are authorised or required to by law.

We will not disclose your personal information without your consent with:

• third parties
• the identity exchange
• the online services you attempt to access.

When you do consent, the information is disclosed for the purposes of:

• authenticating your identity 
• validating your authorisations and accesses
• confirming the outcome of any authentication attempts. 

We also use personal information with our contracted service providers, such as our telecommunications and cloud service partners, to assist with providing the RAM services.

We will not use or disclose your personal information for any other purpose unless you have consented, or we are required or authorised by law.

We will not disclose your personal information to overseas recipients.

How you can access or correct personal information held about you

You can access and update personal information held about you, through your RAM profile or:

• Your digital identity provider
• the ABR
• by asking us.

We will take reasonable steps to correct personal information that we hold about you; having regard to the purpose, and when you ask us to. We must ensure the personal information we hold is accurate, up to date, complete, relevant, and not misleading.

If you are unable to access your personal information as listed above, you can make a request for those documents under Australian Privacy Principle (APP) 12 or the Freedom of Information Act 1982 (FOI Act). 

Access to personal information – Australian Privacy Principle 12

You have a right to request access to your own personal information under APP 12.

However, we can refuse to give you access to the requested personal information under the FOI Act or any other Commonwealth Act, we do not have to give you access to the personal information under APP 12.

We will respond to your request for access to your personal information within 30 days.

In circumstances where we refuse to provide you with access to your own personal information, we will give you a written notice that sets out the reasons for the refusal (unless unreasonable to do so).

We will advise you how to make a complaint about a refusal.

We will not charge you for making a request or for giving you access to your own personal information.

Correction of personal information – Australian Privacy Principle 13

We will take reasonable steps to correct personal information that we hold about you to ensure that, having regard to the purpose for which the information is held, it is accurate, up to date, complete, relevant, and not misleading. We will also take reasonable steps to correct personal information in circumstances where you request us to.

We will respond to an amendment request within 30 days.

If we refuse your amendment request, we will give you a written notice that sets out the reasons for the refusal, except when it’s unreasonable to do so.

We will advise you how to make a complaint about a refusal.

We will not charge you for making an amendment request or for correcting personal information about you.

Making a request under the FOI Act

You can make a Freedom of Information (FOI) request if you cannot access your personal information in the ways listed above.

The FOI Act gives you the right to:

• access copies of documents (apart from exempt documents) held by the ATO
• ask for information about you to be amended or annotated if it is incomplete, out of date, incorrect, or misleading
• seek a review of our decision not to allow you access to a document or not to amend your personal record (done by us or by the Information Commissioner).

A FOI request must:

• be in writing
• state that the request is an application for the purposes of the FOI Act
• provide such information concerning the document requested as is reasonably necessary to enable a taxation officer to identify it
• provide details of how notices under the FOI Act may be sent to you (for example, by providing an email or postal address for correspondence).

You can send your request to us:

• by email at FOI@ato.gov.au
• with your name and the words FOI REQUEST in the subject line.
• using the FOI application form available on ato.gov.au.

For more information about FOI requests see accessing information under the FOI Act.

Enquire or complain about a suspected breach

General questions

If you have a general question about privacy or wish to report a possible breach of your privacy, you can call the ATO’s Privacy Hotline on 1300 661 542 and speak to a taxation officer.

If the officer is not available to speak with you, leave a message and an ATO officer will contact you to respond to your question or to get more information.

Privacy complaints

If you are not satisfied with how we have collected, held, used or disclosed your personal information, or another matter in relation to the APPs or the Australian Government Agencies Privacy Code 2017, you can make a formal complaint.

You can lodge a complaint by:

• using the online complaints form available on ato.gov.au
• phoning the complaints hotline on 1800 199 010 and clearly state your complaint is about RAM and your privacy
• phoning the National Relay Service on 13 36 77 (if you have a hearing, speech, or communication impairment)
• phoning the Translating and Interpreting Service (for people of non-English speaking backgrounds) on 13 14 50.
• sending us a fax on 1800 060 063
• writing to:
  ATO Complaints
  PO Box 1271
  ALBURY NSW 2640

We treat complaints seriously and try to resolve them fairly and quickly.

If you make a complaint, we aim to contact you within 3 working days. We will work with you to resolve your complaint and keep you informed of its progress.

If you are not satisfied with how we deal with your complaint, the Privacy Commissioner at the Office of the Australian Information Commissioner may be able to help you.

For more information see Office of the Australian Information Commissioner or phone 1300 363 992.

This privacy policy is available at no cost. If you need access to this policy in an alternative format, contact us by email at WofGRAMSupport@ato.gov.au.