
ATO Community

Re: myGovID and RAM for tax professionals

Newbie
It is great that we can be sure people are authenticated and are who they say they are when accessing online ATO client data with the new myGovID credential. But since this can be done from anywhere there is an internet connection, am I correct in thinking that instead of only accessing taxpayer information in our offices (as AUSkeys were only installed on work computers), staff can now access it on public transport, at home or in a cafe, where other people can potentially see confidential and sensitive information about our clients, on say ATO Online services for agents, if the staff member were to access it? How are we supposed to manage and police this data security risk? Can we lock down RAM authorisation for junior or temporary staff to only certain times, e.g. during business hours?


Devotee


Good question

ATO Certified

Community Manager


Hi @DonnaD,

myGovID is more portable than AUSkey and can be used to log in to Online services for agents or any of the available government Online systems from any device at any time. We recommend that while you are setting up myGovID and RAM in your practice you review your internal practice policies to ensure that your team are aware of your expectations for system access. You can also create custom accesses through RAM and Access Manager to prevent your staff from accessing data you do not wish them to see.

We’re still consulting with the tax profession about improvements to the new services and will keep you updated on any developments through the Tax professionals newsletter.

Thanks, NateH


I'm new


While internal practice policies can be created around accessing the online services, I can see no way they can be monitored by the firm to enforce such policies. For example, can we get a report that states where/when each user logged on, by IP address and geolocation?

The RAM also does work on the "principle of least privilege". We need to be able to assign login times, locations, dates, etc. to each employee as a way of further securing the data. Because at the end of the day the principals of the firm are ultimately responsible for the security of their clients’ data should there be a breach.

As an IT professional that supports many accounting firms’ technology needs, how can a firm provide peace of mind to their clients (as some clients of firms are asking about this) that no member of the firm’s staff will ever use this outside of the four walls of the accounting firm, and that it can be enforced?


Best answer

Community Manager


Hi DonnaD,

You have made some great points; we are going to pass this information on to our myGovID team to check out.

If it's not in place now, it might be something that can be looked at for future updates.

KylieS


Newbie


Hi Nate,

Thank you for your reply. We are more concerned with having more control over when and where people can access ATO data that they are authorised to view. We would really like some tools in RAM to allow us to limit access to data geographically or by time period for each employee type, i.e. more restrictions on when/where data can be accessed for more junior staff and no restrictions for partner/principal-level owners of the practice, etc. We would ideally also like some type of reporting so we can audit access logons by staff. It would be nice to trust everyone to follow internal policies, but in reality, without a way to audit or police that they are actually being followed, no acceptable level of assurance can be provided and it is an unnecessary risk to client data security.