Issued: 20 November 2025
Last modified: 16 December 2025
In today’s digital environment, cyber security is no longer optional – it’s essential. Join us and the Australian Taxation Office (ATO) for a practical webinar designed to help tax practitioners strengthen their cyber posture, meet compliance obligations and better understand the evolving features of the ATO app, including secure messaging and account unlocking. Help safeguard client data and ensure you have secure access.
Webinar resources
Webinar recording
Protecting your business in our digital world
Questions and answers
We have compiled some of the questions we received during our webinar.
ATO related questions
myID
If you don't have a passport, how can a person increase their security to strong in myID?
Photo verification using a driver’s licence is being gradually rolled out in the myID app, which will enable more people to obtain a Strong myID. If you hold a Western Australian driver’s licence, you can access the feature now, with more regions being added soon.
Note: you can use an Australian Passport that is current or up to 3 years expired to achieve a Strong identity strength.
Your clients can also increase their online security by using a myID with a Standard identity strength to sign in to ATO online services (through myGov or the ATO app).
For more information refer to:
ATO app
Is the ATO app for individual taxpayers only or is it designed to assist registered tax practitioners as well?
The ATO app is designed for individuals and sole traders, including those that use registered tax practitioners. Tax practitioners have strong relationships with their clients and are often ideally placed to inform their clients of tools that can help them best manage their tax and super.
The ATO website sets out information for tax practitioners to understand the new security features and help clients protect their tax and superannuation information.
How can we assure our clients that if they start using the ATO app it won't be compromised and accessed by hackers that are currently getting in via myGov?
Mobile applications are the industry standard when it comes to managing personal and financial data. App stores regulate the publishing of apps and verify them as genuine. This means they cannot be easily impersonated or intercepted.
ATO app security messages provide an extra layer of visibility for taxpayers regarding activity on their ATO account and include real-time notification of new myGov links to an ATO account and ATO app registration on a new or additional device.
With the ATO app, taxpayers can also lock their ATO account in real time if they are concerned about, or see, unauthorised access or changes.
The ATO recommends that clients upgrade their sign-in method. myID provides the most secure access to ATO online services (through myGov or the ATO app). For the best protection, they should set up their myID to the highest identity strength they can. Once they use it to sign in, their identity strength becomes their online access strength. They’ll then need to use their myID with the same (or higher) identity strength for all future access, which helps secure them from fraudsters trying to impersonate them or access their account.
Would a client be able to lock/unlock their account from their ATO online account as well or only by using the ATO app?
ATO accounts locked by the taxpayer using the ATO app can be unlocked by taxpayers using the ATO app on the same device used to lock (it cannot be unlocked through ATO online services).
Taxpayers who have had their accounts locked by the ATO due to a high risk of, or confirmed, identity theft or fraud may have had their access to ATO online services or the ATO app restricted. Where the taxpayer is able to set up a Strong myID, they can then use the Strong myID to log into ATO online services or the ATO app to regain access to these services.
For more information see the ATO website.
How do you log into the ATO app via sign in with digital ID when myID is on the same phone - and cannot add the code?
Mobile devices allow you to navigate between applications without progress being impacted. This means you can open the ATO app and the myID app at the same time, and navigate between them to sign in.
Is the old RAM system still going to work, or is the ATO app going to take over?
Relationship Authorisation Manager (RAM) is an authorisation service that allows people to act on behalf of a practice online, ensuring the right people have the right access to the right services on behalf of a business. As the ATO app is for individuals and sole traders it does not require RAM functionality.
Can I install the ATO app on multiple devices?
Yes, you can register up to 3 devices using the ATO app. Importantly, if you lock your ATO account via the ATO app you must unlock it with the same registered device.
TPB related questions
Code of Professional Conduct
How can we protect clients' sensitive information and ourselves, when using third-party cloud software, given that we need to upload information containing client files to their portal?
To comply with Code item 6, tax practitioners must not disclose information relating to a client (or former client) to a third party unless they have obtained the client’s permission, or they have a legal duty to do so.
Information refers to knowledge acquired or derived about a client, directly, and includes giving a third party access to client information. A ‘third party’ is any entity other than the tax practitioner and the client and would include a third party software provider.
Before giving a third party software provider access to any information relating to a client’s affairs you must inform the client about the disclosure and obtain their permission. In this situation, you should specify what information will be disclosed, and to whom and where the disclosure will be made.
Cyber security
How effective are commercial Virtual Private Network software programs in protecting our client's data?
Commercial Virtual Private Networks (VPNs) are effective at encrypting data in transit, reducing the risk of interception on public or unsecured networks. However, they do not protect data at rest (information stored on your computer) or prevent malware infections. To fully safeguard sensitive information, organisations should adopt a layered security approach, including the Essential Eight controls such as patching systems, enabling multi-factor authentication, and maintaining backups. VPN use supports compliance and client trust, but it should complement, not replace, other critical security measures.
What are the Essential Eight requirements?
To learn more about the Essential Eight requirements we recommend taking a look at the Australian Signals Directorate.
How do I know I am not backing up a virus already in my computer?
Assuming you are mitigating virus risk by using a reputable antivirus tool, but the virus is new, the best way to protect yourself is to:
- Update antivirus definitions daily to ensure the latest protection.
- Maintain multiple backup cycles. For example:
  - keep the last 7 days of backups
  - retain end-of-week backups for several weeks or months.
These measures help you recover quickly if a virus infection occurs. Additionally, implementing the other elements of the Essential Eight will further limit the damage a virus (or any other attack) can cause.
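The backup cycles described above, as an added example that is not part of the webinar material: it keeps the last 7 daily backups plus end-of-week backups, then finds the newest retained backup taken before a suspected infection date. The 8-week weekly window, Friday as end of week, and all function names are assumptions.

```python
from datetime import date, timedelta

DAILY_KEEP = 7    # "keep the last 7 days of backups" (from the answer above)
WEEKLY_KEEP = 8   # assumption: "several weeks" taken as 8 end-of-week backups
WEEK_END = 4      # assumption: end of week is Friday (date.weekday() == 4)


def backups_to_keep(backup_dates, today):
    """Return the set of backup dates this retention scheme keeps."""
    dates = sorted(d for d in set(backup_dates) if d <= today)
    # Daily cycle: every backup taken within the last DAILY_KEEP days.
    daily = {d for d in dates if (today - d).days < DAILY_KEEP}
    # Weekly cycle: the most recent WEEKLY_KEEP end-of-week backups.
    week_ends = [d for d in dates if d.weekday() == WEEK_END]
    weekly = set(week_ends[-WEEKLY_KEEP:])
    return daily | weekly


def latest_clean_restore_point(kept, infected_on):
    """Newest retained backup taken strictly before the suspected infection.

    Returns None when the infection predates every retained backup, which is
    the case a longer weekly or monthly cycle is meant to cover.
    """
    clean = [d for d in kept if d < infected_on]
    return max(clean) if clean else None


def sample_history(today, days=90):
    """Constructed sample data: one backup per day for the last `days` days."""
    return [today - timedelta(days=n) for n in range(days)]


if __name__ == "__main__":
    today = date(2025, 12, 16)
    kept = backups_to_keep(sample_history(today), today)
    print("retained:", [d.isoformat() for d in sorted(kept)])
    # Virus found today, but believed to have arrived on 20 November.
    print("restore from:", latest_clean_restore_point(kept, date(2025, 11, 20)))
```

A backup taken after the infection date may already contain the virus, so the restore point is chosen from retained backups older than that date.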
How safe is information stored on the cloud? Is it safer than a file server?
No, not everything on the cloud is safe. Secure use of cloud services depends on 3 major considerations:
- Choose a reputable, Australian-hosted provider (providers in other countries are not covered by Australian law).
- Configure the service wisely, for example by enabling all available security features.
- Educate yourself and your staff on how to use the service securely.
What are your thoughts on the safety of email?
We recommend reviewing the information on the Office of the Australian Information Commissioner’s website for more detail. However, in short, email is not a secure form of communication and can be easily intercepted by third parties when sent over the internet.