TPB Practice Note
Cloud computing and the Code of Professional Conduct
This exposure draft is also available as a PDF, download TPB(PN) D37/2016 Cloud computing and the Code of Professional Conduct (64KB)
Tax Practitioners Board Exposure Draft
The Tax Practitioners Board (TPB) has released this draft Practice Note to provide practical guidance and assistance to registered tax practitioners in understanding their obligations under the Code of Professional Conduct in relation to the use of cloud computing.
The TPB invites comments and submissions in relation to this draft Practice Note. The comment period is open for 45 days with the closing date for submissions being 28 November 2016.
The TPB will then consider any submissions before settling its position, undertaking any further consultation required and finalising the Practice Note.
Written submissions should be made via email at tpbsubmissions [at] tpb.gov.au or by mail to:
Tax Practitioners Board
GPO Box 1620
SYDNEY NSW 2001
This document is in draft form, and when finalised, will be intended as information only. While it seeks to provide practical assistance and explanation, it does not exhaust, prescribe or limit the scope of the TPB’s powers in the Tax Agent Services Act 2009 (TASA). In addition, please note that the principles and examples in this paper do not constitute legal advice. They are also at a preliminary stage only. The Board’s conclusions and views may change as a result of the comments the Board receives or as other circumstances change.
This draft Practice Note was issued on 13 October 2016 and is based on the TASA as at 5 March 2016.
Issue date: 13 October 2016
- This draft Practice Note has been prepared by the Tax Practitioners Board (TPB) to provide practical guidance and assistance to registered tax agents, BAS agents and tax (financial) advisers (registered practitioners) to understand their obligations under the Code of Professional Conduct (Code), as contained in section 30-10 of the Tax Agent Services Act 2009 (TASA), in relation to the use of cloud computing.
- In this draft Practice Note, you will find the following information:
- what is cloud computing (paragraphs 3 to 6)?
- factors to consider when entering into cloud arrangements (paragraphs 7 to 16)
- consequences of having inadequate cloud arrangements (paragraph 17 and 18)
- where to find further information (paragraph 19).
What is cloud computing?
- Cloud computing, at a broad level, is the provision of information technology resources as a service through a network (including storing, managing and processing data), typically over the internet, instead of using a local server or a personal computer.
- Services can range from data storage to the use of software programs, with data being stored and processed by a cloud service provider. It can include applications, databases, email and file services, and entrusts remote services with a user’s data, software and computation. In particular, cloud computing services are usually grouped into the following categories:
- Software as a service – the provision of software over a network rather than the software being loaded directly onto a locally available computer.
- Platform as a service – the provision of computing platforms that create the environment for other software to run (for example, operating systems) over a network rather than being loaded directly onto a locally available computer.
- Infrastructure as a service – the provision of access to computer infrastructure (for example, data storage or processing capability) over a network that is used to complement local platform resources. Outsourced cloud storage services may involve sharing, creating or storing information on remote servers accessed through the internet. The data can be stored either onshore or offshore depending upon what contractual agreement the client reaches with the provider.
- Combination of the above.
- These services are generally operated from facilities located in premises remote from the places where the data was created. All information stored in a cloud service is physically located somewhere in one or more data centres. Information refers to the acquiring or deriving of knowledge (directly or indirectly) and includes capturing information known about a client.
- Registered practitioners may use cloud computing for a range of purposes, such as information storage, lodgment of returns, digital signatures, client information portals and practice management software.
Factors to consider when entering into cloud arrangements
- When entering into cloud arrangements, various factors will need to be considered, depending on the nature of the particular cloud arrangement and also the circumstances of the registered tax practitioner. However, as a starting point, registered tax practitioners may wish to consider the following general factors:
- Whether the provider is allowed to unilaterally change relevant terms of the agreement (that is, without input from the registered practitioner), including in relation to how or where data is stored or managed?
- How is the information being transferred between systems and data integrity being maintained?
- How is the information being stored?
- Whether information is being held offshore (that is, information that is stored or processed in equipment not located in Australia) and, if so, the consequences (including relevant additional legislative and regulatory requirements that the information may be subject to)?
- What processes does the cloud provider have in place in relation to the backup and archiving of information (such as multiple backup servers)?
- What security controls are the registered practitioner and provider responsible for (such as issues around passwords, encryption and backups)?
- What protections are in place to prevent service access being disrupted?
- What processes are in place for managing and resolving disputes in relation to access to client information?
- What processes are in place when the arrangement ends (including, for example, the return of or access to data held in the cloud)?
- When entering into cloud arrangements, registered practitioners should also be mindful of their obligations under the Code. The Code, as contained in section 30-10 of the TASA, regulates the personal and professional conduct of registered practitioners, and contains obligations in relation to honesty and integrity, independence, confidentiality, competency, and other obligations, such as responding to requests from the TPB.
- In particular, it is important to be mindful of Code Item 6 which provides that a registered practitioner must not disclose any information relating to a client’s affairs to a third party without the client’s permission, unless there is a legal duty to do so.
- A third party is any entity other than the client and the registered practitioner. This includes entities that maintain offsite data storage systems (including ‘cloud storage’), recognising that there is a distinction between data storage that a third party cannot effectively access (for instance, through the use of encryption) and disclosure to a third party.
- It is only necessary that the information relates to the affairs of a client. Therefore, the information does not have to belong to the client, or have been directly provided by the client to the registered practitioner.
- Relevant factors to consider in ensuring compliance with Code Item 6 include, among other things:
- Registered practitioners must obtain permission from each client prior to divulging client information to a third party (including cloud service providers). When obtaining this permission, it is recommended that the registered practitioner clearly inform the client about the proposed disclosure (including noting to whom and where the disclosure will be made, and where data will be stored).
- Client permission may be by way of a signed letter of engagement (refer to TPB(I) 01/2011 Letters of engagement), signed consent, or other communication such as a relevant ‘fact find’ and consent.
- There should be appropriate controls to maintain confidentiality and integrity (such as encryption) to avoid any information leakage, including as a result of:
- inadvertent disclosure
- any change in IT assets (such as portable storage devices, software configurations and data fixes)
- data corruption and accidental deletion.
- There are a number of controls that could be employed to assist in maintaining and protecting the confidentiality, integrity and availability of data, such as:
- an appropriate confidentiality agreement between the registered practitioner and their cloud service provider
- other appropriate protocols, such as:
- use of a secured website and encrypted network traffic
- security credentials
- access controls ensuring unauthorised persons do not have access to data
- standardised reporting
- audit trails
- appropriate segregation of duties
- approval and review of data changes.
- For further information, including in relation to ‘permission’ and ‘legal duty’, refer to the TPB information sheet TPB(I) 21/2014 Code of Professional Conduct – Confidentiality of client information.
- In addition to their obligations under the Code in the TASA, registered practitioners should also be aware that the Privacy Act 1988 (Cth) sets out a number of Australian Privacy Principles (APPs) which govern the use of, storage and disclosure of personal information.
- Registered practitioners should seek their own advice about whether the provisions of the Privacy Act apply to them. Information about obligations under the Privacy Act is provided by the Privacy Commissioner and is accessible from the Office of Australian Information Commissioner’s website at www.oaic.gov.au.
Consequences of having inadequate cloud arrangements
- If a registered practitioner breaches the Code, including in the context of cloud arrangements, the TPB may impose one or more administrative sanctions, including issuing a written caution or order or suspending or termination of a registered practitioner’s registration.
- In addition to the above consequences of any breach of the Code, or any other relevant statutory consequences (such as, from the Privacy Act), a registered practitioner should also consider relevant commercial consequences such as legal action for damages.
- Outlined below is a listing of reference material that may provide further guidance in relation to what is cloud computing, general considerations and issues to consider in contemplating a cloud computing arrangement:
Purpose of document
Tax Practitioners Board
Further information regarding Code item 6 in the Tax Agent Services Act 2009 – confidentiality.
|TPB Information sheet TPB(I) 01/2011 Letters of engagement||Further information regarding engagement letters.|
TPB(I) 19/2014: Code of Professional Conduct - Managing conflicts of interest for registered tax and BAS agents
|Further information regarding Code item 5 in the Tax Agent Services Act 2009 - having adequate arrangements for managing conflicts of interest for registered tax and BAS agents.|
TPB information sheet TPB(I) 30/2016 Code of Professional Conduct - Having adequate arrangements for managing conflicts of interest for tax (financial) advisers
|Further information regarding Code item 5 in the Tax Agent Services Act 2009 - managing conflicts of interest for tax (financial) advisers.|
|Accounting Professional & Ethical Standards Board
|Guidance Note GN 30: Outsourced Services||Provides information in regard to managing risks associated with providing or utilising outsourced services.|
|Australian Prudential Regulation Authority||Information Paper: Outsourcing involving shared computing services (including cloud)||Includes guidance on general considerations - including governance arrangements, risk considerations and assurance mechanisms - when assessing the use of Cloud services.|
Prudential Practice Guide: PPG 234 - Management of security risk in information and information technology
|Includes guidance in relation to managing security risk.|
|Prudential Practice Guide: CPG 235 - Data retention controls||Includes guidance in relation to managing security risk.|
|Australian Taxation Office||
ATO portal access and Standard Business Reporting, refer to www.ato.gov.au and www.sbr.gov.au
|For further information in relation to ATO portal access and Standard Business Reporting.|
|Department of Communications||Consumer factsheet Cloud computing and privacy||Includes information in relation to privacy.|
|Consumer factsheet Questions to ask your cloud service provider||Includes information in relation to a list of potential questions to ask a potential cloud service provider in relation to privacy and security.|
|Department of Defence (Cyber Security Operations Centre)||Cloud Computing Security Considerations||Includes information in relation to security considerations.|
|Department of Finance||Australian Government Cloud Computing Policy||Includes information about the Government cloud computing policy.|
|Better Practice Guide: Negotiating the cloud - legal issues in cloud computing||Includes information in relation to a checklist of some legal issues to consider and address in contemplating a cloud computing arrangement.|
|Better Practice Guide: Privacy and Cloud computing for Australian government agencies||Includes information in relation to privacy and cloud computing, including a guiding summary of checkpoints.|
|Department of the Prime Minister and Cabinet||Australia's Cyber Security Strategy||Notes themes of action for Australia's cyber security.|
|Office of Australian Information Commissioner||Guide to securing personal information||Provides guidance on protecting personal information and in relation to destroying or de-identifying personal information once information is no longer needed.|
|Australian Privacy Principle Guidelines||Outlines requirements of the Australian Privacy Principles (APPs), how the OAIC will interpret the APPs, and matters the OAIC may take into account when exercising|