Royal commission recommends the government check that information sharing with Services Australia is lawful.
Robodebt report casts doubt on legality of ATO data exchanges
The Robodebt report has called into question the legality of data exchanges between the ATO and Services Australia and recommended tighter controls over data-matching programs.
The Royal Commission report, handed down on Friday, said income data supplied by the ATO to the then Department of Human Services was crucial to the automated process that scrutinised payments to almost 900,000 taxpayers from 2010–13.
“DHS would obtain information from the ATO as to what a benefit recipient’s employers had returned as the income earned by the recipient in the relevant financial year (‘PAYG data’), compare it through an automated system with what had been declared to DHS by the recipient, and in the event of discrepancy would require the recipient to go online to explain it,” the report said.
It said data matching was already being used by the DHS to identify mismatches but under the Robodebt scheme, which began in 2015, PAYG data became the “primary source” of information about earned income “which could be acted on to raise debts although unconfirmed by the employer or the recipient”.
Where data matching found discrepancies, the onus fell on payment recipients to account for the difference or Robodebt automatically raised a penalty against them.
The system also used an averaging method that failed to reflect actual income and conducted the whole process online, removing personal conduct with compliance officers with “the aim being to reduce (and preferable obviate) human involvement at the DHS end”.
The report said a final key difference under Robodebt was its scrutiny of five years prior to the program, ignoring the fact that “20,000 or so files involving discrepancy which had already been reviewed for each of those years had probably already yielded the bulk, in monetary terms, of overpayments for those years”.
The scheme was eventually extended to financial years 2017–18 and after coming under media scrutiny and legal challenge, was finally wound up in June 2020.
The report said the ATO initially raised concerns about how its data was being used by the DHS in late 2016, in response to a spike in media reports and complaints about Robodebt.
The report identified multiple issues with the way DHS was handling the data, including a failure to destroy information after it was used, a lack of compliance with relevant protocols, mistaken identity matches, inadequate risk management and potential privacy breaches.
Crucially, it contests the ATO’s claim that it acted lawfully in supplying data because “an ATO officer could not be lawfully satisfied that the use of the information disclosed to DHS was ‘for the purposes of administering … the social security law’ without being informed by DHS of how the information was to be used”.
It said the ATO was frustrated by a lack of transparency at the DHS and the prevailing protocol did not accurately describe how it was using the information.
“In these circumstances, the Commission considers that there is a serious question as to whether information was lawfully disclosed by the ATO to DHS for the purpose of data matching under the scheme.”
The Royal Commission report makes two recommendations about data exchange and matching that question the legality of the practice and whether sufficient safeguards exist.
“Recommendation 16.1: Legal advice on end-to-end data exchanges
The Commonwealth should seek legal advice on the end-to-end data exchange processes which are currently operating between Services Australia and the ATO to ensure they are lawful.
“Recommendation 16.2: Review and strengthen governance of data-matching programs
The ATO and DHS should take immediate steps to review and strengthen their operational governance practices as applied to jointly conducted data-matching programs. This should include:
- Reviews to ensure that all steps and operations relating to existing or proposed data-matching programs are properly documented.
- A review of all existing framework documents for existing or proposed data-matching programs.
- a review of the operations of the ATO/DHS Consultative Forum and the ATO/DHS Data Management Forum.
- A review of the existing head agreement/s, memoranda of understanding and services schedule.
- A joint review of any existing or proposed data-matching program protocols to ensure they are legally compliant in respect of their provision for the data exchanges contemplated for the relevant data-matching program.”
The report summed up Robodebt as “a crude and cruel mechanism, neither fair nor legal, and it made many people feel like criminals.
“In essence, people were traumatised on the off-chance they might owe money. It was a costly failure of public administration, in both human and economic terms.”
An ATO spokesperson said: "The ATO acknowledges the importance of the Royal Commission’s report to the Australian community. The government is considering all recommendations as part of its response."
As many as 20 people are believed to have been referred by the royal commission for civil and criminal prosecution.