Exposure Draft Information Sheet
Code of Professional Conduct – Confidentiality of client information
This exposure draft is also available as a PDF – Download link provided at end of this page.
Tax Practitioners Board Exposure draft
The Tax Practitioners Board (TPB) has released this draft Information sheet as an Exposure draft and invites comments and submissions in relation to the information contained in it within 30 days. The closing date for submissions is 16 April 2014. The TPB will then consider any submissions before settling its position, undertaking any further consultation required and finalising the Information sheet.
Written submissions should be made by the closing date to Neil Pegg via email at tpbsubmissions [at] tpb.gov.au or by mail to:
Tax Practitioners Board
PO Box 126
HURSTVILLE BC NSW 1481
This document is in draft form, and when finalised, will be intended as information only. While it seeks to provide practical assistance and explanation, it does not exhaust, prescribe or limit the scope of the TPB’s powers in the Tax Agent Services Act 2009 (TASA). The principles and examples in this paper do not constitute legal advice. They are also only at a preliminary stage. The TPB’s conclusions and views may change as a result of comments received or as other circumstances change.
This draft information sheet was issued on 17 March 2014 and is based on the TASA as at 1 January 2014.
- This Information Sheet (TPB(I)) has been prepared by the Tax Practitioners Board (TPB) to assist registered tax agents and BAS agents (registered agents) to understand their obligations under subsection 30-10(6) of the Tax Agent Services Act 2009 (TASA) (Code Item 6), which is one of the obligations of registered agents under the Code of Professional Conduct (Code).
- Code Item 6 states that:
'Unless you have a legal duty to do so, you must not disclose any information relating to a client’s affairs to a third party without your client’s permission.’
- In this TPB(I), you will find the following information:
- what is Code Item 6
- how to comply with Code Item 6
- privacy considerations
- consequences for failing to comply with Code Item 6
- practical examples involving Code Item 6.
- The TPB has previously published an explanatory paper that sets out its view on the application of the Code, including Code Item 6. 
What is Code Item 6?
- As per paragraph 2 above, Code Item 6 provides that, unless there is a legal duty to do so, registered agents must not disclose any information relating to a client’s affairs to a third party without the client’s permission.
- Therefore, any disclosure of information relating to a client’s affairs to a third party without the client’s permission will be a breach of Code Item 6, unless there is a legal duty on the registered agent to disclose the information.
How to comply with Code Item 6?
What is ‘information’?
- Information refers to the acquiring or deriving of knowledge and includes, but is not limited to, capturing information known about a client. This information could be acquired directly or indirectly.
What is ‘information relating to a client’s affairs’?
- It is only necessary that the information relates to the affairs of a client. The information does not have to belong to the client, or have been directly provided by the client to a registered agent.
What is a ‘third party’?
- A third party is any entity other than the client and the registered agent.
- In relation to a registered agent that outsources a component of the tax agent services to another entity (for example, another registered agent, a legal practitioner, or an overseas or offshore entity), the third party would include that other entity.
- Disclosure to a third party would also include disclosure of information relating to one entity within a service trust structure to another entity within the same service trust structure, unless the client is defined, for example in the engagement letter, as the whole structure. 
- Further, a third party may also include entities that maintain offsite data storage systems (including ‘cloud storage’).
In what circumstances can a registered agent disclose information relating to a client’s affairs to a third party?
- A registered agent may only disclose information relating to a client’s affairs to a third party if:
- the registered agent has the client’s permission; or
- there is a legal duty to do so.
(i) Client’s permission
- Where information relating to a client’s affairs is to be disclosed by a registered agent to a third party, the registered agent should, prior to any disclosure, clearly inform the client that there will be such disclosure and obtain the client’s permission. This permission may be by way of a signed letter of engagement, signed consent or other communication with the client.
- A letter of engagement will typically outline the services to be provided by the registered agent to their client, as well as information about the entity/entities that will provide those services. For further information on engagement letters, refer to TPB(I) 01/2011 Letters of engagement.
- A registered agent should ensure that they inform their clients about any client information they are disclosing, and to whom and where the disclosure will be made.
- In relation to outsourcing arrangements and cloud storage arrangements, the TASA does not specifically prohibit these activities. However, registered agents must consider their obligations under Code item 6 in relation to these arrangements to ensure confidentiality of client information, including appropriate disclosure in regard to where data is being sent and stored.
- The Accounting Professional and Ethical Standards Board (APESB) has released APES GN 30 Outsourced Services, which applies to members of relevant professional bodies that have adopted it. While not binding on all registered agents, it provides useful guidance on what steps an agent may take when providing or utilising outsourced services.
- The TPB strongly suggests that if any component of a client’s tax work is to be completed overseas, a registered agent should be very clear in communicating this to the client and obtaining the necessary permission to make the disclosure.
- Ultimately, the onus is on the registered agent to exercise appropriate due diligence when outsourcing work, including ensuring appropriate disclosure. Outsourcing may also give rise to other obligations under the TASA, including ensuring that tax agent services are provided to a competent standard, and that there are adequate supervision and control arrangements.
(ii) Legal duty to do so
- A registered agent may disclose information relating to a client’s affairs to a third party without the client’s permission if the registered agent has a legal duty to disclosure the information.
- Examples of circumstances where a registered agent may have a legal duty to disclose client information to a third party include:
- providing information to the TPB under a notice issued pursuant to section 60-100 of the TASA
- providing information to a court or tribunal pursuant to a direction, order, or other court process, to provide that information
- providing information or documents to the Australian Taxation Office (ATO) under a notice pursuant to section 264 of the Income Tax Assessment Act 1936. This requirement is subject to that material being properly withheld by the registered agent under legal professional privilege
- providing information or documents to the ATO pursuant to section 353-10 of the Schedule 1 to the Taxation Administration Act 1953 concerning indirect taxation laws (including the goods and services tax).
- The TASA, including Code item 6, does not affect the law relating to legal professional privilege (LPP). In short, LPP protects confidential communications between a lawyer and their client from compulsory production.
- If a registered agent is concerned as to whether there is a legal duty to disclose client information to a third party, the registered agent should consider seeking independent legal advice.
- Registered agents also need to ensure that they have appropriate arrangements to prevent inadvertent disclosure through recklessness. In this regard, the following are some examples of where registered agents need to be particularly mindful of their obligations:
- the use of mobile temporary booths in shopping centres, ensuring there are appropriate controls to prevent third parties from viewing client information
- the use of recycled paper which includes personal details concerning other clients
- leaving client information in unsecured locations which may be accessed by third parties.
- In addition to a registered agent’s obligations under Code Item 6, the Privacy Act 1988 sets out a number of Privacy Principles which govern the use of, storage and disclosure of personal information and other conduct by organisations. Some of these privacy principles may have a direct impact on the requirement to obtain informed consent from clients.
- Registered agents should seek their own advice about whether the provisions of the Privacy Act 1988 apply to them.
Consequences for failing to comply with Code Item 6
- If a registered agent discloses information relating to a client’s affairs to a third party without the client’s permission or without a legal duty to do so, the TPB may find that the registered agent has breached the Code and may impose sanctions for that breach.
- If a registered agent breaches the Code, the TPB may impose one or more of the following sanctions:
- a written caution
- an order requiring the registered agent to do something specified in the order
- suspension of the registered agent’s registration
- termination of the registered agent’s registration.
- A registered agent may also be liable to a client [for damages] for any unauthorised disclosure of client information to a third party.
Practical examples involving Code Item 6
- The following are indicative examples which illustrate the general application of Code Item 6. In all cases, consideration will need to be given to the specific facts and circumstances.
Example 1 – Client permission to disclose information to an overseas third party
Lilly & Co is a large accounting firm and a registered tax agent. To minimise its operating costs, Lilly & Co. enters into an agreement with a bookkeeping/data processing firm in Hong Kong, Zheng & Co, that Zheng & Co will perform the bookkeeping and data processing work for Lilly & Co’s clients.
Obtaining client permission
In order to send the clients’ information to Zheng & Co for processing, Lilly & Co discloses its arrangement with Zheng & Co in its letter of engagement with clients and obtains its clients’ explicit permission by way of a signed client engagement letter to disclose the information to Zheng & Co.
Subject to the terms in the letter of engagement, Lilly & Co will have primary responsibility for the provision of the relevant tax agent services, including the bookkeeping and data processing work undertaken by Zheng & Co.
Example 2 – Legal duty to disclose information to a third party
The ATO is conducting an audit on Patricia’s income tax return from the previous financial year, but Patricia does not have all of her receipts and payment summaries. As her registered tax agent, Edward, prepared and lodged her income tax return for the previous financial year, the ATO has issued a notice under section 264 of the Income Tax Assessment Act 1936 for Edward to provide it with all relevant information regarding Patricia’s income tax return from the previous financial year.
Legal duty to disclose
Although Edward is required to maintain the confidentiality of the information relating to the affairs of his client, Patricia, the ATO’s notice creates an overriding legal obligation and Edward therefore has a legal duty to disclose the information requested in the notice to the ATO.
Example 3 – Client permission to disclose information to another registered agent third party
Jackie runs a local coffee shop in Melbourne. Jackie engages Tony’s Tax Services, a registered tax agent, to prepare and lodge her outstanding business activity statements and also to provide tax advice regarding the proposed sale of her coffee shop. Tony’s Tax Services separately engages Bella, a registered BAS agent, to prepare the outstanding business activity statements.
Obtaining client permission
In order to send Jackie’s information to Bella to enable Bella to prepare the outstanding business activity statements, Tony’s Tax Services discloses its arrangement with Bella in its letter of engagement with Jackie. Tony’s Tax Services obtains Jackie’s explicit permission by way of a signed client engagement letter to disclose the information to Bella.
Example 4 – Client permission to disclose information to an external IT provider third party
Victor & Paulson is a mid-sized registered tax agent partnership that provides tax agent services to various large corporations and other sophisticated clients. Victor & Paulson enters client data into its accounting software programs using cloud computing hosted by an external IT provider.
Obtaining client permission
In order to enter client data into its accounting software programs, Victor & Paulson discloses its cloud computing arrangements in its client engagement letters. Victor & Paulson obtains a signed client engagement letter from each client to disclose the information to the external IT provider.
It is presumed that Victor & Paulson will have entered into appropriate confidentiality arrangements with the external IT provider.
 Refer to paragraphs 78 to 92 of TPB(EP) 01/2010 Code of Professional Conduct.
 Paragraph 3.38 of the Explanatory Memorandum to the Tax Agent Services Bill 2008.
 For the purposes of this TPB(I), ‘client information’ means information relating to a client’s affairs under Code Item 6.
 See section 70-50 of the Tax Agent Services Act 2009.
 On 12 March 2014, the National Privacy Principles were replaced by the Australian Privacy Principles.
‘Organisation’ is defined in section 6C of the Privacy Act 1988 and excludes certain small business and small business operations; see further section 6D of the Privacy Act 1988.