Donate Child Support Calculator
Skip navigation

Privacy breach by CSA

Add Topic

What to do now?

This question is in regards to documentation sent by the CSA to the SSAT and the parties involved.

The CSA has included ATO information which includes our tax agents name, address and phone number as well as tax information about the payer's spouse including full name and date of birth.

Correct me if I'm wrong, but surely this information cannot be sent to the other party involved, right?

Anything we can or need to do?

Thanks so much for your help.

CSA breach 'client' privacy

You know, I keep on hearing about these little errors by CSA.  On the surface, clearly a breach of your privacy.  They have probably also breached their own secrecy laws as well (the difference is subtle yet significant).  If they have released your TFN they would have also breached tax law.

How do you deal with it?  You write them a short and to the point letter headed Privacy Complaint.

If they haven't responded (well they won't) within 28 days you have every right to report to and ask the Privacy Commissioner to investigate.

You should also point out to the SSAT member at your preliminary conference that this has happened.

This is another example of why you should give them nothing in terms of personal information.  They cannot be trusted with it.

CSA, if you are reading this can you tell us when you are going to fix up your appalling and extremely lax procedures around personal information?

CSA cannot be trusted

Thanks Bigred for the info.

We actually did not provide this information to the CSA. They got this from the ATO, outlining all the expenses and tax deductions. It looks like a print out of the ATO system or the CSA system, not sure.

They also sent the tax info for the payee, but she did not use a tax agent. It looks like the TFNs are removed (at least from the pages I just looked at).

I feel we have to also advise our tax agent as there is potential that the payee or someone she knows can ring up and pretend to be me or my husband.

This is scary stuff.

Additionaly, the name of our health fund and our membership number, not to mention that the name of the city my husband attended the CSA conference in, is written up several times.

The SSAT has told us the initial form to apply for a review with them would not be sent to the payee and guess what, CSA has sent it and only partially removed our contact details.

If they were open I would call them right now and not hold back … morons!

An extract from the CSA Guide 6.3.1 Privacy Act

IPP 2 Where CSA collects personal information from a person about themselves, it must take reasonable steps to ensure the person knows why CSA is seeking the information; the law that requires CSA to collect the information; and any person or other organisation CSA usually gives the information to.

IPP 3 As far as possible, when CSA solicits personal information, it must ensure that the information is relevant to the purpose for which it is collected; that the information is up-to-date and complete; and that collecting the information does not unreasonably intrude on the personal affairs of the person concerned.

IPP 4 CSA must take reasonable steps to ensure that information is protected against loss and unauthorised access, use, modification or disclosure.

IPP 10 CSA cannot use personal information for a purpose other than that for which it was collected except:
  • with the consent of the individual concerned
  • where CSA believes on reasonable grounds that use of the information for that purpose is necessary to prevent a serious and imminent threat to someone's life or health
  • where required or authorised by law
  • where reasonably necessary to enforce criminal law, a law imposing a pecuniary penalty, or for the protection of the public revenue
  • for a purpose directly related to the purpose for which it was collected.
IPP 11 CSA must not disclose personal information to a person other than the individual concerned unless:
  • one of the exceptions (but not the directly related purpose exception) in IPP 10 is made out, or
  • the person concerned is reasonably likely to have been aware, or made aware under IPP 2, that information of that kind is usually passed to that person, body or agency.

I only mention IPP2 because I would think from your shock at what happened you were not aware of information of this nature being collected. You obviously weren't informed also.

The Privacy Commission office told me that the CSA had a right to reply to any allegations to a breech of privacy, which I did.

The CSA's reply will most likely be a total whitewash to anything you submit. This is based on my experience only. I suppose you will have the 28 days to investigate the Privacy Act if you are wanting to go further. I would suggest that they will not resolve anything to your satisfaction.

Make an application under the Freedom Of Information Act which may verify what actually was sent to the other party if you don't already know. What the CSA sent to SSAT may have been permitted under law.

Your complaint is a double edged sword by way of CSA sending the information to the SSAT and it being on-forwarded. Maybe address the collection and disclosure with CSA and just the Disclosure with the SSAT. Ensure you get advise and clarify who can do what and who is ultimately responsible for breeches to the Privacy Act. Avoid being bounced between agencies.

I would suggest reading the CSA Guide on Privacy. The Guide though only tells you the CSA's version and you will find unbiased information on the Privacy Commission Website. They seem to have revamped it and it is quite easy to navigate with a lot of information.

Before speaking with the CSA or sending a letter call the PC. Give them a clear picture of what happened. All the information you provide is noted and logged as a case with them.

Plug me back into the Matrix
Thanks heaps, wozza, very helpful and comprehensive.

We understood that there would be a lot of information and recorded conversations in the pack to the SSAT. We gathered a lot of information about this on the website here where on person even had bank statements included. Tax or financial information I can see the relevance of, but name and address of tax agent, health fund name and membership number, I can't. Spouse had not given permission to disclose tax return information either.

The CSA sends out copies of the signed COA form to the other party. Potentially they can do a lot of damage copying this signature and misusing the information they have received.

Another piece of information we or the other party should not have is the name of the employer. Is it right that we now have the name of the payee's employer and vice versa? Surely not.

And I agree wozza, the CSA will just give us the runaround.

I will call the PC today.
Without knowing the reason for the CSA's investigation or the appeal to the SSAT it would be difficult to comment on the justification of their collection of information. Regardless, it is their responsibility to ensure the privacy of this information. They must also show just reason and that information is relevant for the purpose for which it was collected.

I would not think any result from this privacy breech will affect the SSAT decision unless you can prove it had a direct and negative influence on the outcome.

The CSA is required to comply with all relevant legislation and Acts. The Privacy Act is one that is mentioned.

It may also pay for you to look at the APS Code of Conduct if you are looking to pursue a complaint directly against the person responsible for the violation of your privacy.

As to the Payee's Employer this could be deemed a fact that complies with IPP 11. In my opinion the cat is out of the bag with this and would not cause you any negative impact. Tax file numbers could be a different matter. Sensitive information on Bank Statements such as Account Numbers are not allowed to be forwarded and I would go as far to suggest some of the Transaction Details could be confidential too.

I am happy to provide leads on where to look for information but I have little experience in getting results in these matters. I would suggest getting feedback here from more knowledgeable forum members or seeking professional advise.

Plug me back into the Matrix
That's right, wozza, the information will not be used to make a decision in the case and is really irrelevant.

Privacy commission rep has advised to call the CSA and possibly prevent this information to be sent out, but CSA did not tell me whether it had been sent or not.

In a nutshell CSA told me that SSAT legislation overrides the CSA legislation and they are required to provide the SSAT with all information they have received or collected. I did point out that I had not provided any of this information, had not given permission and by the way, spouse is a third party and shouldn't be mentioned anyway with full name and dob.

PC did recommend to go through the motion with CSA even if the damage is done, as they will be responsible if any misuse happens. Fair enough, it will also possibly improve the measurements CSA takes to act in accordance with privacy act.

Health fund and tax agent have recommeded to set up a password, which will be required when we ring up and request information.
Update: This is starting to get very interesting.

Tax agent advised me to call the ATO and find out why my tax information was passed on to the CSA in the first place as spousal income is not relevant to cs case. It turns out that my tax file account has no authority to provide CSA with tax info and an obvious breach in privacy has occured there. Complaints officer is looking into it and will provide explanation. Mh, can't wait to hear that!
Actually, thinking some more here it seems CSA may have breached the secrecy provisions in the tax law by accessing and using your spouses information.  This means that there are serious (ie criminal) sanctions that can be applied on the individual officers.  CSA, hope you are reading this.
They have done similar to me with accessing joint bank accounts. They would just blame the bank for disclosing the information.

I have checked into the guidelines for CSA employee punishment and it is pretty weak.

They need to be held to account on all matters but I wouldn't expect even an apology from them. I have read a section where their legislation even allows them to make a mistake. Just can't put my finger on it.

This is a bit about Tax File numbers for your information. 16B (2)(a) is of interest even if they ask you for your TFN.

16B Registrars power to request tax file numbers
(1) This section applies to a person in Australia if the person is a payer
or a payee in relation to a registrable maintenance liability.
(2) The Registrar may request, but not compel, the person:
(a) to give the Registrar a written statement of the persons tax
file number; or
(b) if the person does not have a tax file numberto apply to the
Commissioner for a tax file number and to give to the
Registrar a written statement of the persons tax file number
after the Commissioner has issued it.

Plug me back into the Matrix
Bigred, are you saying that CSA can just automatically access ATO information seeing that they are part of the tax office, I believe? It does look like spouse tax info was included in the husband's tax information that CSA would need to have to calculate cs.
Guest, they are part of the Department of Human Services these days.  They have unfettered access to the ATO systems.  But, that doesn't mean they can access records that are not relevant to the task.  

I would suggest that accessing your partner's record is not authorised by law, nor is its further distribution. Thus my view, is that there is a breach of the tax law.  I would suggest you send the ATO Commissioner a note on this because I suspect that the relationship between the departments isn't that great.
BigRed, they actually use the ATO's mainframe(s) and have to get a RACF (Resource Access Control Facility) userid from the ATO.
MikeT, Exactly.  I tried to explain this in plain english.  The issue here is they have on the face of it abused the access arrangements hence my comment about asking the ATO to look.
I actually have called the ATO and guess what, when you tick the box "do you have a spouse", your spousal tax information is in fact included in your own tax return. CSA accesses payer tax return info, hence the spousal info is included in that and in our case has been passed on to SSAT and payee without blacking it out. Very interesting, as the ATO confirmed that this is the case for all CSA customers. 
Big Red, is this an emerging issue matter to be taken up? What amendments to the data being requested, need to be made?

Last edit: by Secretary SPCA

Executive Secretary - Shared Parenting Council of Australia
 Was my post helpful? If so, please let others know about the FamilyLawWebGuide whenever you see the opportunity
SecSPCA, been offline the last few days.  I will do a bit of research on this - my early thoughts are ATO need to be challenged on this info being freely available.  My sense is the right people in ATO would be receptive to such an approach.  In addition, this info should NOT be available to CSA for a COA.
Funny cos that brings me to the question I had when I first joined these forums - can CSA take into account a new partners income when working out payments and the answer is no, however feedback at the time was that if u unwittingly supplied info re partner income CSA DID take it into account and it was difficult to get it taken out.

This thread here raises that very same question and it appears people may be forced into paying more child support based on spousal income.

When you are swimming down a creek and an eel bites your cheek, that's a Moray.
I started this topic as "Guest" and finally found my login again.

I have finally received a letter from the CSA Privacy Officer in regards to my breach in Privacy complaint. Of course they did not address the specific questions I asked, except that they confirmed that the spousal tax information was part of the payer's tax info they have to calculate cs. And of course they denied any breach in privacy. They tried to explain that this information was relelvant and they have to pass everything on to the SSAT.
My husband (payer) has also filed a complaint and pretty much got the same form letter back. Funny enough though in that form letter they point out what they cannot pass on, which is for example employer details. Well, unfortunately that is exactly what they have done, so off to the Privacy Commissioner we go.

I am perplexed that they have the nerves to completely ignore the situation and send a form letter. Unbelievable.
1 guest and 0 members have just viewed this.

Recent Tweets