Helping Superannuation Firms Meet their TFN Obligations
25 Aug
By Rob Meredith (Principal Consultant)
Outside of health information, Australian tax file numbers (TFNs) are among the most heavily regulated items of personal information that superannuation companies routinely collect.
Superannuation firms have to collect TFNs as part of their core business, but collection, use, retention and destruction of TFN data must comply with requirements from multiple Commonwealth acts, including the Taxation Administration Act, the Privacy Act, and the Superannuation Industry (Supervision) Act, as well as APRA’s guidelines and standards on information security, and data and operational risk.
This includes destruction of TFN data as soon as practicable after an individual ceases to be an applicant or beneficiary of the firm.
The Challenge
TFNs can end up in many places: application forms, documents, emails, core registry systems, secondary systems and databases, and shadow IT systems. The compliance challenge, therefore, is knowing where TFNs exist across the information landscape so that they can be secured, used in a compliant manner, and destroyed after their retention period has ended.
Poor information architecture documentation, shadow systems and the difficulty of managing both structured and unstructured data make knowing where TFNs are held incredibly hard. Even the documentation of a well-structured database may not account for TFNs that sit in free-text fields, data extracts, forms and documents. As for shadow IT systems, rogue databases and unstructured data in documents and files, simply knowing that these assets exist can be a challenge.
How Can We Help?
InfoCentric has a proven track record in helping organisations manage data risk by automatically locating and scanning information assets for sensitive information. This includes personal information such as government-related identifiers like TFNs. Our InfoSure Data Protection Service can:
- Securely locate structured and unstructured information assets across your organisation’s environments and establish a risk-prioritised list for investigation
- Scan those assets using contextual AI and pattern matching techniques, designed from the ground up for Australian data, to identify TFNs and other sensitive content within the data
- Generate metadata and document the location of sensitive data, integrating with your existing data catalogue and information classification framework
- Provide findings and insights to deal with false positives and focus efforts on real threats
- Develop a remediation approach based on quantified risk exposure, retention and destruction regimes, and risk appetite
- Supplement remediation with data governance strategies and targeted stakeholder education
- Establish ongoing data risk controls and mitigants post-remediation
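To make the scanning and false-positive points concrete, here is a small added example of how a pattern-matching TFN detector can be run over free-text lines. It is illustrative code written for this page, not InfoSure's method or product code. It combines a 3-3-3 digit pattern with the publicly documented 9-digit TFN check-digit rule (weights 1, 4, 3, 7, 5, 8, 6, 9, 10; weighted sum divisible by 11) to discard most random nine-digit numbers, and uses nearby keywords such as "TFN" or "tax file number" to rate confidence. The sample text, the keyword list and the masking format are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List

# Publicly documented weights for the 9-digit TFN check-digit algorithm:
# the weighted digit sum must be divisible by 11.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Candidate: nine digits, optionally grouped 3-3-3 with spaces or hyphens,
# and not embedded inside a longer run of digits (e.g. a phone or account number).
TFN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")

# Assumed context keywords: their presence on the same line raises confidence
# that a checksum-valid number really is a TFN rather than some other identifier.
CONTEXT_WORDS = re.compile(r"\b(tfn|tax\s+file\s+(?:number|no\.?))\b", re.IGNORECASE)


def tfn_checksum_ok(digits: str) -> bool:
    """True if a 9-digit string passes the TFN check-digit test."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


def mask(digits: str) -> str:
    """Never write the full TFN into findings or logs; keep only the last three digits."""
    return "***-***-" + digits[-3:]


@dataclass
class Finding:
    line_no: int
    masked: str
    confidence: str  # "high" when a context keyword is present, otherwise "medium"


def scan_text(text: str) -> List[Finding]:
    """Scan free text line by line and return masked, confidence-rated TFN findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        has_context = bool(CONTEXT_WORDS.search(line))
        for m in TFN_CANDIDATE.finditer(line):
            digits = "".join(m.groups())
            if not tfn_checksum_ok(digits):
                # A nine-digit run that fails the check digit is dropped as a likely false positive.
                continue
            findings.append(Finding(line_no, mask(digits), "high" if has_context else "medium"))
    return findings


# Constructed sample text: a mix of a labelled TFN, a checksum-invalid reference number,
# a phone number, a hyphenated TFN with context, and a bare valid number with no context.
SAMPLE = """Member TFN: 123 456 782 supplied with application form
Ref 123456789 raised with registry team
Phone 0412 345 678, call after 9am
Forwarded: tax file number 876-543-210 for rollover
Policy 876543210 renewed"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.masked} ({f.confidence})")
```

Running the block reports three findings: lines 1 and 4 as high confidence, line 5 as medium (a checksum-valid number with no surrounding context, exactly the kind of hit that needs human review), while the invalid reference number on line 2 and the phone number on line 3 are not reported. Masking the value in the output keeps the scan results themselves from becoming another place where TFNs are stored.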
Benefits:
- Find TFNs wherever they are recorded, whether confirming known or suspected locations, or discovering them in locations not previously known
- Comply with regulatory obligations requiring the ability to locate, properly use and diligently destroy TFN records
- Reduce data risk exposure by disposing of data past its retention period
- Establish an acceptable baseline level of residual data risk, laying the groundwork for ongoing data risk control and mitigation, including managing breaches if they occur by knowing what sensitive information was or was not exposed.
By leveraging InfoSure Data Protection, superannuation firms can transform TFN compliance from a daunting challenge into a structured, manageable process. With greater visibility over where sensitive data resides, stronger safeguards for regulatory compliance, and a clear roadmap for remediation and governance, organisations can reduce risk while building trust with members and regulators alike. Ultimately, adopting proactive TFN management not only ensures compliance but also strengthens overall information security resilience.