Australian Business Register (ABR) protected information

If you have access to ABR protected information you are an entrusted person

What is ABR protected information

The ABR is the register of Australian business numbers (ABN) and the information associated with the ABN. The information that is entered into the ABR when an entity obtains an ABN is ABR protected information (also referred to as ABR data). These details include the:

• name of the entity 
• ABN 
• principal place of business 
• description of the business activities.

Who is an ‘entrusted person’

An ‘entrusted person’ is a person who: 

• is employed by a Commonwealth, state, territory or local governing body, and
• receives protected information in the course of their employment. 

The Registrar of the ABR is an entrusted person. When the Registrar discloses ABR protected information to eligible government agencies, the heads of those agencies also become entrusted persons. If you are given access to ABR data for work purposes, you will also become an entrusted person.

What an entrusted person can do with ABR protected information

An entrusted person who is not the Registrar can only use, record or disclose ABR protected information in the course of their employment. For example, an entrusted person can use ABR data to: 

• check the accuracy of information held in their agency’s databases
• validate business information provided to the agency from other sources
• carry out compliance or procurement activities
• assist with planning for infrastructure and services
• support disaster response and recovery.

ABR data may be shared with a contractor engaged for the purposes of carrying out the functions of the agency. Those contractors will become entrusted persons and you must ensure they are aware of their obligations under the A New Tax System (Australian Business Number) Act 1999 (ABN Act).

What an entrusted person can’t do with ABR protected information

An entrusted person must not record or disclose ABR data to anyone else unless it is done in the course of their employment. The law provides a heavy penalty (2 years imprisonment) for breaching this condition.

An entrusted person can’t: 

• disclose non-public ABR data to other government agencies
• disclose non-public ABR data on any forms or applications available outside of your agency
• disclose ABR data to Commonwealth, state or territory ministers or other elected members of a body that has been established under a law of a state or territory
• on-sell ABR information
• use ABR information for spamming or telemarketing purposes
• use ABR data for a purpose that may result in commercial advantage.

Your responsibilities

Security of ABR protected information

If you are given access to ABR protected information, you must ensure that: 

• ABR data is only accessed where you have a legitimate ‘need to know’ and you are using it for the purposes of carrying out the functions of your agency or body
• you are aware of your obligations under the ABN Act and relevant privacy laws for your agency
• your access is removed when you no longer need to access ABR data to carry out your duties
• ABR data is not transferred to, or allowed to be accessed by, persons outside Australia without our prior approval in writing
• you are compliant with the Australian Government Protective Security Policy Framework and Information Security Manual 
• we are advised immediately of any breach that results in ABR information being inappropriately released to a third party. 

Information about responsible use of ABR data is available on the ABR website.

What we ask of you

Data ethics

Data ethics principles, practices and procedures guide our actions to ensure we manage data ethically throughout the data lifecycle. Our data ethics principles explain our standards to ensure clients have confidence in how we collect, manage, share and use their data. We expect that partner agencies understand, apply and meet these ethical standards.

Data ethics should also be applied when sharing ABR data with a third party for the purposes of carrying out the functions of your agency or body. 

Storage, retention and disposal

We expect that all Australian government entities understand and conform to information and data management responsibilities governed by legislation, policies, standards and advice.

Information management and destruction may be governed through application of:

• National Archives of Australia guidelines, or
• specific information and records management authority governance guidelines of an agency or body.

Cyber security incidents

Your agency must tell us, and all required external bodies, of any cyber security incidents or breaches to your agency’s information and communication technology (ICT) systems that affect either or both the:

• services for any system that stores, processes or communicates ABR data
• confidentiality or integrity of ABR data.

Where a cyber security incident occurs, your agency must:

• report the incident within 4 hours
• provide a preliminary report within 3 business days
• provide a final report within 5 business days.

That is unless otherwise agreed in writing.

Information the Registrar makes available to the public

Public ABR data

The law allows the Registrar to make some protected information about an entity available to the public. These details include: 

• name of the entity 
• ABN 
• any business name registered to the entity 
• the postcode and state or territory of the entity’s principal place of business. 

ABR public information is available on ABN Lookup.

Non-public ABR data

ABR non-public data details that the Registrar is not allowed to make available to the public, include: 

• the entity’s postal address 
• principal place of business address 
• contact details for the business 
• ANZSIC code relating to the entity’s business activity. 

The law allows the Registrar to disclose these details with eligible government agencies to help them carry out their functions.

For more information about public and non-public ABR data, see Your ABN details on the ABR.