Live · Sat, Jul 18, 2026 · 02:06 UTC Block 843,917 Fees 14 sat/vB Fear & Greed 72 · Greed
Newsletter Pro Terminal Sign in
ITop Field News.
Subscribe →
Live · 02:06 UTC Block 843,917 F&G 72
Government & public sector IT Government & public sector IT desk

myGov and the ATO digital experience: how Australia's tax portal actually works

myGov and the ATO's online services are among the most used government digital platforms in Australia, touching nearly every adult at tax time. Here is how the architecture works and what is still being rebuilt.

Close-up of a hand on tax form 1040 with a calculator on a desk.

Photo by Nataliya Vaitkevich on Pexels

Every year, around tax time, tens of millions of Australians log into myGov to lodge their returns, check their super, and access a dozen other government services from a single sign-in. For most users, the experience is unremarkable: you log in, you link your services, you file. But behind that routine interaction sits one of the most complex digital integrations in Australian government IT. Understanding how myGov and the ATO's digital platform actually work matters not just for IT professionals building adjacent systems, but for any organisation dealing with government data exchanges, identity verification, or compliance obligations.

What myGov actually is

myGov is not a government department. It is a digital gateway, managed by Services Australia, that federates access to member services including the ATO, Medicare, Centrelink, My Health Record, and several others. Each member service retains its own systems and data; myGov provides the identity layer and the navigation shell. When you authenticate through myGov and click into the ATO's services, you are being handed off to the ATO's own platform via a token-based assertion. The ATO does not actually run inside myGov: it runs alongside it.

The myID credential (formerly myGovID) sits at the core of the authentication stack. myID is an OIDC-compliant identity provider managed by the ATO, not Services Australia, which makes the division of responsibility more complex than it first appears. Individuals use myID primarily for ATO and business portal access. The broader myGov sign-in for consumers still uses a separate credential, though the Australian government has been working toward a unified identity model under the national digital identity framework for several years.

The ATO's platform: what lives under the hood

The ATO is one of the most digitally mature agencies in Australian government. Its technology stack spans decades of investment and overhaul, from the legacy RAPID systems that once underpinned core tax processing to the contemporary cloud-based infrastructure now handling individual lodgements, business activity statements, and super fund reporting in near-real-time.

The ATO's online services sit on a modernised web platform that was progressively rebuilt through the 2010s and into the 2020s. Key capabilities include pre-fill, where the ATO pulls employer payment summaries, bank interest data, health fund premiums, and share dividend records directly into your tax return, and the lodgement pipeline that routes assessed returns to the ATO's compliance and payment processing engines. The agency processes hundreds of millions of data transactions per year across individual, business, and super fund reporting.

Single Touch Payroll (STP) is probably the most significant platform extension the ATO has run in recent years. By requiring employers to report payroll events directly to the ATO at the time of each pay run, STP transformed the data flows the agency works with. Pre-fill became considerably more accurate, compliance checking moved closer to real time, and the need for end-of-year payment summaries largely disappeared. STP Phase 2, which expanded the reporting fields, was progressively mandated from 2022 onward and most medium and large employers are now compliant.

Where the user experience still struggles

For most individual taxpayers, the experience of lodging online is genuinely fast, especially if you have a simple return. But the system shows its seams in several places.

Linking services in myGov remains more friction-heavy than it should be. First-time linking requires identity verification steps that vary by service and can trip up users who do not have the relevant reference documents to hand. The linking process for Medicare requires a Medicare card number, for example, while the ATO linking requires a separate set of reference points. For users who have changed names, moved frequently, or hold non-standard document combinations, the process often ends in a phone call.

The business portal and Online services for agents (the tool used by tax agents and BAS agents) have historically been separate surfaces with different interfaces and different feature sets. The ATO has been progressively consolidating these under Online services for business and Online services for agents, but migration has been gradual and some legacy features remain on older interfaces.

The myGov inbox, which receives official government correspondence from multiple agencies, is a persistent point of frustration. Users frequently report difficulty distinguishing real notifications from unread items they have already actioned, and the inbox search and filtering capabilities have lagged behind what most people expect from a consumer application. The ATO does allow direct email and SMS alerts, but correspondence is still formally routed through the myGov inbox, which creates a dual-notification model that confuses some users.

API access and third-party integrations

Beyond the consumer-facing portal, the ATO operates a substantial B2B API layer that accounting software vendors, payroll providers, and super funds use to lodge and query data programmatically. Standard Business Reporting (SBR2) is the protocol underpinning most of these integrations. Vendors must be registered with the ATO's software developer program to access production systems, and they go through a formal test environment and credential process before live lodgement is permitted.

The SBR2 ecosystem is reasonably mature, which is why products like Xero, MYOB, and QuickBooks can lodge activity statements and tax returns directly. From the vendor's perspective, the ATO behaves like a government-grade API endpoint: stable, but not especially modern. The protocol is SOAP/XML-based rather than REST/JSON, which adds friction for newer developers used to contemporary API conventions. The ATO has signalled interest in evolving the interface layer but has not committed to a REST migration path at this stage.

Security architecture and known risks

myGov and the ATO are high-value targets. Tax identity fraud, where attackers file fraudulent returns using stolen credentials to redirect refunds, has been a persistent problem in Australia and comparable tax systems globally. The ATO has invested heavily in behavioural analytics, device fingerprinting, and out-of-band verification to detect anomalous lodgement activity, but the attack surface is large.

myID uses the device-based credential model, which offers stronger phishing resistance than password-only authentication. But the broader myGov consumer credential (username and password plus a second factor) remains a weaker link, and credential stuffing against myGov accounts is a known threat vector. The move toward stronger identity assurance under the national digital identity framework should help here, but the transition will take time given the scale of the enrolled user base.

For IT teams building systems that connect to or process ATO data, the practical security implications are significant. Super fund administrators, payroll vendors, and registered agents all hold ATO credentials with elevated access. The ATO's guidelines on credential management, machine credentials for software, and audit logging are worth treating as a baseline rather than a ceiling, particularly given the obligations under the Notifiable Data Breaches scheme if ATO-related data is compromised.

What the ongoing modernisation program means for IT teams

The ATO has been running one of the longer-running digital transformation programs in Australian government. The shift from mainframe tax processing to cloud-native infrastructure is not complete, and the agency has been careful to sequence the migration to avoid disruption to critical processing windows around tax time and the end of the financial year.

For IT teams working in adjacent sectors, the practical implications are mostly about keeping pace with the ATO's evolving APIs, reporting obligations under STP and SuperStream, and the expanding scope of real-time data exchanges the agency expects. The STP Phase 2 transition in particular required significant work from payroll vendors and their enterprise customers.

Watching the broader digital government agenda in Australia matters here too. The DTA's platform work, the myID expansion, and the Services Australia transformation program all intersect with how the ATO's digital services will evolve. Organisations that rely heavily on ATO data flows or government identity services should be tracking these developments as infrastructure decisions, not just policy ones.

The bottom line

myGov and the ATO's digital platform are more architecturally separate than they appear to end users, and both carry legacy constraints that shape what is possible. The consumer experience has improved considerably over the past decade, but friction remains at the edges, particularly around identity linking, correspondence management, and agent tooling. For IT professionals, the most relevant surfaces are the SBR2 integration layer, the myID credential model, and the security posture expected of registered software developers and tax agents. These are not set-and-forget integrations: they require active maintenance as the ATO continues to evolve its platform.

→ The Confirmations · Daily newsletter

One email at 06:00 UTC. Six minutes. The only digest written for desks, not for retail.