Exposure draft TPB Information Sheet
Cloud computing and the Code of Professional Conduct
This exposure draft is also available as a PDF – Download link at the end of page.
Tax Practitioners Board exposure draft
The Tax Practitioners Board (TPB) has released this draft Information Sheet as an exposure draft and invites comments and submissions in relation to the information contained in it within 60 days. The closing date for submissions is 19 February 2016. The TPB will then consider any submissions before settling its position, undertaking any further consultation required and finalising the Information Sheet.
Written submissions should be made via email at tpbsubmissions [at] tpb.gov.au or by mail to:
Tax Practitioners Board
GPO Box 1620
SYDNEY NSW 2001
This document is in draft form, and when finalised, will be intended as information only. While it seeks to provide practical assistance and explanation, it does not exhaust, prescribe or limit the scope of the TPB’s powers in the Tax Agent Services Act 2009 (TASA). The principles and examples in this paper do not constitute legal advice. They are also only at a preliminary stage. The TPB’s conclusions and views may change as a result of comments received or as other circumstances change.
This draft Information sheet was issued on 21 December 2015 and it is based on the TASA as at 1 April 2015.
- This draft Information Sheet (TPB(I)) has been prepared by the Tax Practitioners Board (TPB) to assist registered tax agents and BAS agents (registered agents) to understand their obligations in the Code of Professional Conduct (Code), as contained in section 30-10 of the Tax Agent Services Act 2009 (TASA), in relation to the use of cloud computing.
- It is recognised that registered agents are operating in a digital environment, including choosing to use software that is served from the ‘cloud’. Registered agents must ensure they comply with their obligations under the Code when entering into such arrangements.
- In this draft TPB(I), you will find the following information:
- What is cloud computing? (paragraphs 4 to 7)
- Key considerations in ensuring an appropriate cloud arrangements (paragraphs 8 to 30)
- Consequences for failing to comply with the Code (paragraph 31)
- Example scenarios involving cloud computing (paragraph 32).
- Cloud computing at a broad level, is the provision of information technology resources as a service through a network (including storing, managing and processing data), typically over the internet, instead of using a local server or a personal computer.
- Services can range from data storage to the use of software programs, with data being stored and processed by a cloud service provider. It can include applications, databases, email and file services, and entrusts remote services with a user’s data, software and computation. In particular, cloud computing services are usually grouped into the following categories:
- software as a service – the provision of software over a network rather than the software being loaded directly onto a locally available computer
- platform as a service – the provision of computing platforms that create the environment for other software to run (for example, operating systems) over a network rather than being loaded directly onto a locally available computer
- infrastructure as a service – the provision of access to computer infrastructure (for example, data storage or processing capability) over a network that is used to complement local platform resources. Outsourced cloud storage services may involve sharing, creating or storing information on remote servers accessed through the internet. The data can be stored either onshore or offshore depending upon what contractual agreement the client reaches with the provider
- combination of the above.
- These services are generally operated from machines located in premises remote from the places where the data was created. All information stored in a cloud service is physically located somewhere in a data centre or multiple data centres.
- From a practical perspective, it is recognised that registered agents may use cloud computing for a range of purposes, such as information storage, lodgment of returns, digital signatures, client information portals and practice management software.
- A registered agent must know and understand the nature of any cloud computing arrangements they enter into, particularly in the context of how these arrangements impact upon the tax agent services being delivered to their client.
- The TPB is of the view that a registered agent must only enter into arrangements where the risks are adequately understood and managed (for example, not allowing unfettered access to client data). In particular, although there is no specific Code obligation requiring a registered agent to assess a third party’s controls (for example, a software provider’s data sets and security procedures), a registered agent should have due consideration to who actually performs the services, data management practices and security controls.
- A registered agent should consider the following non-exhaustive list of factors when entering into cloud computing arrangements, recognising that the relevance and importance of considerations will vary in accordance with the nature, usage and risk profile of the shared computing services involved:
- What are the details of any limitation of liability for work performed under the engagement?
- Does the entity subcontract to or use the resources of other parties to perform its services and, if so, how do they protect data (including your client data)?
- Are there any clauses allowing the provider to change the terms of the agreement at any time at their sole discretion (that is, without input from the registered agent)?
- What occurs when there is a change of control (for example, can the registered agent control whether to allow another entity to obtain control of the initial provider)?
- What records are being kept where and how will data be returned to the registered agent?
- Where information is held offshore, what additional legislative and regulatory requirements of other jurisdictions is the information subject to, including how this may affect security and disclosure of data?
- What processes are in place to have appropriate backups of relevant files, including backup and archiving of information on a regular basis?
- What security controls are the registered agent and the provider entity and/or its subcontractors responsible for?
- What protections are in place to ensure service access is not disrupted - does the service provider possess appropriate business continuity and data recovery plans?
- What arrangements are in place for managing and resolving disputes?
- What arrangements are in place for ending the arrangement, including the right to terminate and disengagement/transition of services?
- It is recommended that relevant information about the cloud computing arrangements is disclosed to clients through an engagement letter or other communication as appropriate. It is also noted that TPB accredited recognised professional associations may be able to assist in providing a practical list of information that a registered agent should seek from a cloud service provider, while recognising that there is not a default one-size-fits-all template and that arrangements will need to be mindful of the particular circumstances.
- The Code, as contained in section 30-10 of the TASA, regulates the personal and professional conduct of registered agents. These obligations include honesty and integrity, independence, confidentiality, competency, and other obligations.
- In relation to cloud arrangements, it is recognised that services will continue to evolve. However, it is important that registered agents remain mindful that their obligations under the Code will not change and cannot be abrogated when entering into these arrangements.
- In relation to operating in the cloud environment, it is important to be particularly mindful of Code Item 6 which provides that a registered agent must not disclose any information relating to a client’s affairs to a third party without the client’s permission, unless there is a legal duty to do so.
- A third party is any entity other than the client and the registered agent. This includes entities that maintain offsite data storage systems (including ‘cloud storage’); however, it is recognised that there is a distinction between data storage that a third party cannot effectively access (for instance, through the use of encryption) and disclosure to a third party.
- In particular, it is noted that it is only necessary that the information relates to the affairs of a client. Therefore, the information does not have to belong to the client, or have been directly provided by the client to the registered agent.
- Relevant factors to consider in ensuring compliance with this Code obligation include, among other things:
- Prior to disclosure of any information relating to a client’s affairs to a third party (including cloud service providers), the registered agent should clearly inform the client about any client information they are disclosing (including noting to whom and where the disclosure will be made, and where data will be stored) and obtain the client’s permission.
- Registered agents must obtain permission from each client prior to divulging information to a third party (including cloud service providers).
- Client permission may be by way of a signed letter of engagement, signed consent or other communication.
- There should be appropriate controls to maintain confidentiality and integrity to avoid any information leakage, including as a result of:
- inadvertent disclosure
- any change in IT assets (such as portable storage devices, software configurations and data fixes)
- data corruption and accidental deletion.
- There are a number of controls that could be employed for the purpose of maintaining and protecting the confidentiality, integrity and availability of data, such as:
- an appropriate confidentiality agreement between the registered agent and their cloud service provider (including in relation to storing, accessing, receiving and protecting data), and
- other appropriate protocols, such as:
- use of a secured website and encrypted network traffic
- security credentials
- access controls ensuring unauthorised persons do not have access to data
- standardised reporting
- audit trails
- appropriate segregation of duties, and
- approval and review of data changes.
- For further information, including in relation to ‘permission’ and ‘legal duty’, refer to the TPB information sheet TPB(I) 21/2014 Code of Professional conduct – Confidentiality of client information.
- The Code outlines the following obligations in relation to independence:
- It is important to be appropriately mindful of actual, potential or perceived conflicts and to ensure adequate disclosure. For instance, a registered agent receiving a benefit from a software company, such as free practice management solutions in return for having a certain number of clients using particular software, should ensure appropriate management of the arrangement, including through adequate disclosure and informed client consent. While Code Item 5 does not prohibit registered agents from having conflicts of interest, it does create an obligation to appropriately manage conflicts that arise or may arise in relation to activities that are undertaken in the capacity of a registered agent.
- Ultimately, registered agents are required to ensure their objectivity is not impaired by a conflict of interest.
- For further information, refer to TPB information sheet TPB(I) 19/2014 Code of Professional Conduct – Managing conflicts of interest and TPB explanatory paper TPB(EP) 01/2010 Code of Professional Conduct.
- The Code also provides some guidance in relation to the meaning of competence. In particular, subsections 30-10(7) to (10) of the TASA, which all fall under the key principle of ‘competence’, require that:
- You must ensure that a tax agent service you provide, or that is provided on your behalf, is provided competently.
- You must maintain knowledge and skills relevant to the tax agent services you provide.
- You must take reasonable care in ascertaining a client’s state of affairs, to the extent that ascertaining the state of those affairs is relevant to a statement you are making or a thing you are doing on behalf of the client.
- You must take reasonable care to ensure that taxation laws are applied correctly to the circumstances in relation to which you are providing advice to a client.
- While technology can assist registered agents (including in relation to real-time information management, automation and decision rules), it is important to recognise that the technology does not in itself satisfy the registered agent’s obligation to exercise reasonable care.
- For instance, where using outsourced cloud storage, data processing and/or software services that involve creating information through automated decision rules, there is a risk in relation to registered agents not turning their mind appropriately to the client’s particular circumstances. Further, if a software provider has indicated that they do not consider themselves to be a registered agent and are conducting themselves in a manner to ensure they are not required to be a registered agent, it would be inappropriate for the registered agent to consider that they can rely on the relevant information provided by the software provider to be correct.
- For further information, refer to the following TPB information products:
- TPB(I) 17/2013 Code of Professional Conduct – Reasonable care to ascertain a client’s state of affairs
- TPB(I) 18/2013: Code of Professional Conduct – Reasonable care to ensure taxation laws are applied correctly
- TPB(I) 23/2014: Sufficient number requirement for partnership and company registered tax (financial) advisers
- TPB(EP) 04/2012: Continuing professional education policy requirements for registered tax and BAS agents
- TPB(EP) 06/2014: Continuing professional education policy requirements for registered tax (financial) advisers
- TPB(I) 09/2011: Software providers and the Tax Agent Services Act 2009
In addition to their obligations under the Code in the TASA, registered agents should also be aware that the Privacy Act 1988 (Privacy Act) sets out a number of Australian Privacy Principles (APPs) which govern the use of, storage and disclosure of personal information and other conduct by organisations. Some of these privacy principles may have a direct impact on the requirement to inform and obtain consent (express or implied) from clients.
- In particular, the Privacy Act generally requires an Australian Privacy Principle (APP) entity to ensure that an overseas recipient will handle an individual’s personal information in accordance with the APPs, and makes the APP entity accountable if the overseas recipient mishandles the information.
- Registered agents should seek their own advice about whether the provisions of the Privacy Act apply to them. Information about obligations under the Privacy Act is provided by the Privacy Commissioner and is accessible from the Office of the Australian Information Commissioner’s website
- If a registered agent breaches the Code, the TPB may impose one or more of the following sanctions:
- a written caution
- an order requiring the registered agent to do something specified in the order
- suspension of the registered agent’s registration
- termination of the registered agent’s registration.
- The following are indicative examples which illustrate the general application of the Code in relation to interacting with the cloud environment. In all cases, consideration will need to be given to the specific facts and circumstances of each individual situation.
Luke, a registered BAS agent, is engaged by Greg to provide a BAS service. Luke uses cloud computing software to store all of Greg’s information, data and files on servers located in Australia, but operated by a third party foreign company.
Obtaining client permission
Prior to using his cloud computing software to store Greg’s information, data and files, Luke obtains signed written consent from Greg authorising Luke to make the appropriate disclosures to the third party foreign company. In particular, Luke arranges for Greg to sign a letter of engagement which sets out, among other things, precisely which entities will have access to Greg’s information, data and files as part of Luke’s cloud computing arrangements.
Luke has complied with his obligations under the Code, and in particular Code Item 6.
Instead of using servers located in Australia, the cloud computing software sends Greg’s information, data and files to a small private server out of an unsecured location. Luke does not know exactly where Greg’s information, data and files is being sent and stored and has no adequate contractual measures in place to protect Greg’s information. Further, Luke fails to disclose his cloud computing arrangements to Greg.
Luke has breached the Code (in particular, Code Item 6) by failing to adequately disclose his cloud computing arrangements to Greg, and failing to obtain Greg’s permission before disclosing his information, data and files to a third party via the use of the cloud computing software.
Lance operates a small retail business and wishes to purchase a software package to assist him in managing his business affairs. Lance seeks advice from his long serving registered tax agent, Pop about a suitable software package.
Pop advises Lance to purchase ABCD Technology’s ‘evolution software package’, a cloud-based software system. Pop receives a commission from ABCD Technology for every client that Pop refers to purchase one of ABCD Technology’s software packages.
Conflict of interest
Pop has a financial incentive in referring Lance to purchase one of ABCD Technology’s software packages as opposed to another entity’s software package and, therefore, has a conflict of interest in the circumstances.
Managing the conflict of interest
Pop appropriately discloses his conflict to Lance by advising him that he will receive a commission if he purchases ABCD Technology’s evolution software package.
In this case, Pop has satisfied his obligations under Code Item 5 by disclosing his conflict of interest to Lance when referring him to ABCD Technology.
 While principles in this draft TPB(I) will also be relevant to registered tax (financial) advisers, the TPB intends to release further information specifically regarding the obligations of registered tax (financial) advisers under the Code. It is also recognised that there are standards that apply to entities regulated by the Australian Prudential Regulation Authority (APRA), including a requirement to notify APRA after entering into a ‘material outsourcing agreement’.
 See, for example, Accounting Professional & Ethical Standards Board Limited (APESB) APES Guidance Note GN 30: Outsourced Services and the Australian Prudential Regulation Authority (APRA) Information Paper: Outsourcing involving shared computing services (including cloud), 6 July 2015.
 ‘Information’ refers to the acquiring or deriving of knowledge and includes, but is not limited to, capturing information known about a client. This information could be acquired directly or indirectly.
 By way of example, data management includes (among other things) marking data for deletion, permanent data deletion, restoration, backup, indexing, retrieval (including ascertaining how far back data is recoverable and any testing), archiving, importing, exporting or other data copying, moving or protecting services.
 For further information in relation to a list of potential questions to ask a potential cloud service provider, see for example, the Department of Communications consumer factsheets Cloud computing and privacy and Questions to ask your cloud service provider. For further guidance on general considerations (including governance arrangements, risk considerations and assurance mechanisms) when assessing the use of Cloud services, see, for example, the Australian Prudential Regulation Authority Information Paper: Outsourcing involving shared computing services (including cloud),6 July 2015. For further information in relation to a checklist of some legal issues to consider and address in contemplating a cloud computing arrangement, see for example, the Department of Finance Better Practice Guide: Negotiating the cloud – legal issues in cloud computing agreements Version 1.1, February 2013, page 20.
 By way of example, a registered agent could consider either deleting the right or making the right subject to the registered agent’s agreement to any change, or ensure that the provider is obliged to notify the registered agent well in advance of any changes and give the registered agent the right to terminate the agreement if it does not agree to the changes.
 These are arrangements in which the information is stored or processed in equipment that is located outside of Australia.
 See also the later sections in this paper for further information in relation to confidentiality and privacy.
 For further information in relation to security considerations, see for example, Department of Defence (Cyber Security Operations Centre) Cloud Computing Security Considerations September 2012. For further information in relation to privacy and cloud computing (including a guiding summary of checkpoints), see for example, the Department of Finance Better Practice Guide: Privacy and Cloud computing for Australian government agencies, Version 1.1, February 2013; and the Office of the Australian Information Commissioner
 By way of example, considerations include where the provider does not meet the agreed requirements, terminating for general convenience (and whether there are associated fees and data retrieval issues), and whether there is sufficient period to find a suitable alternative provider.
 For further information regarding Code Item 6, refer to the TPB information sheet TPB(I) 21/2014 Code of Professional conduct - Confidentiality of client information
 A consideration in relation to cloud and offshore offerings is where that data is stored and how it can be accessed, recognising that data in the cloud can potentially be located anywhere in the world and in more than one data centre.
 For the purposes of this TPB(I), ‘client information’ means information relating to a client’s affairs under Code Item 6.
 It is also noted that organisations could use a cloud service that has been assessed and endorsed by the Australian Signals Directorate (ASD) Information Registered Assessors Program and/or has been certified and accredited against the ASD Information Security Manual at an appropriate classification level. For further guidance in relation to managing security risk, see for example APRA Prudential Practice Guides PPG 234 – Management of security risk in information and information technology and CPG 235 Data retention controls. For further information in relation to ATO portal access and Standard Business Reporting, refer to www.ato.gov.au and www.sbr.gov.au
 Section 30-10(4) of the TASA.
 Section 30-10(5) of the TASA.
 Section 30-10(7) of the TASA.
 Section 30-10(8) of the TASA.
 Section 30-10(9) of the TASA.
 Section 30-10(10) of the TASA.
 ‘Organisation’ is defined in section 6C of the Privacy Act 1988 and excludes certain small business and small business operations; see further section 6D of the Privacy Act 1988. For more information in relation to questions to ask a client service provider in relation to privacy and security, refer to the Australian Government Department of Communications consumer factsheet on Cloud computing and privacy
 In particular, see APP 1.4 and APP 5.
 ‘APP entity’ and ‘Personal information’ is defined in subsection 6(1) of the Privacy Act 1988.