Code of Professional Conduct – confidentiality of client information exposure draft TPB(I) D31/2015

Exposure draft TPB Information Sheet
TPB(I) D31/2015

Code of Professional Conduct – Confidentiality of client information for tax (financial) advisers

Tax Practitioners Board exposure draft

The Tax Practitioners Board (TPB) has released this draft Information Sheet as an exposure draft and invites comments and submissions in relation to the information contained in it within 60 days. The closing date for submissions is 19 February 2016. The TPB will then consider any submissions before settling its position, undertaking any further consultation required and finalising the Information Sheet.

Written submissions should be made via email at tpbsubmissions [at] tpb.gov.au or by mail to:

Tax Practitioners Board
GPO Box 1620
SYDNEY NSW 2001

Disclaimer

This document is in draft form, and when finalised, will be intended as information only. While it seeks to provide practical assistance and explanation, it does not exhaust, prescribe or limit the scope of the TPB’s powers in the Tax Agent Services Act 2009 (TASA). The principles and examples in this paper do not constitute legal advice. They are also only at a preliminary stage. The TPB’s conclusions and views may change as a result of comments received or as other circumstances change.

Document history

This draft Information Sheet was issued on 21 December 2015 and it is based on the TASA as at 1 April 2015.

Introduction

  1. This draft Information Sheet (TPB(I)) has been prepared by the Tax Practitioners Board (TPB) to assist registered tax (financial) advisers to understand their obligations under subsection 30-10(6) of the Tax Agent Services Act 2009 (TASA) - (Code of Professional Conduct (Code) Item 6).  
  2. In this draft TPB(I), you will find the following information:
    • What is Code Item 6? (paragraphs 4 to 5)
    • How to comply with Code Item 6 (paragraphs 6 to 28)
    • Privacy considerations (paragraphs 29 to 30)
    • Consequences for failing to comply with Code Item 6 (paragraphs 31 to 33)
    • Practical examples involving Code Item 6 (paragraph 34).
  3. The TPB has previously published explanatory guidance that sets out its view on the application of the Code to tax and BAS agents, including on Code Item 6.[1]  

What is Code Item 6?

  4. Code Item 6 provides that, unless there is a legal duty to do so, tax (financial) advisers must not disclose any information relating to a client’s affairs to a third party without the client’s permission. A number of potential options might be used to obtain the necessary client permission. For further information in relation to client permission, including examples of options that might be used to obtain permission, refer to paragraphs 15 to 23 below.

Comparison with the Corporations Act 2001

  5. While no similar obligation exists in the Corporations Act 2001, it is noted that Australian Privacy Principle (APP) 6.1 in the Privacy Act 1988 (Cth) requires that you do not use personal information about an individual that was collected for a particular purpose (primary purpose) or for another purpose (secondary purpose) unless the individual has consented to the use or disclosure of the information.

How to comply with Code Item 6

What is ‘information’?

  6. Information refers to the acquiring or deriving of knowledge and includes, but is not limited to, capturing information known about a client. This information could be acquired directly or indirectly.

What is ‘information relating to a client’s affairs’?

  7. It is only necessary that the information relates to the affairs of a client. The information does not have to belong to the client, or have been directly provided by the client to a tax (financial) adviser.

Who is a ‘third party’?

  8. A third party is any entity other than the client and the tax (financial) adviser.
  9. A third party includes a related entity of the client and/or tax (financial) adviser. For example, in the case of a tax (financial) adviser that is an authorised representative of an Australian financial services (AFS) licensee, a third party includes the AFS licensee, and vice versa (see also paragraph 12 below).
  10. In relation to a tax (financial) adviser that outsources a component of a tax (financial) advice service[2] to another entity (for example, another registered tax practitioner, a legal practitioner, or an overseas or offshore entity), the third party would include that other entity.
  11. Further, a third party may also include entities that maintain offsite data storage systems (including ‘cloud storage’).
  12. Depending on the relevant contractual arrangements, a third party may also include other AFS licensees, authorised representatives, para-planners, product providers and advisers, insurance brokers and technical teams.

In what circumstances can a tax (financial) adviser disclose information relating to a client’s affairs to a third party?

  13. A tax (financial) adviser may only disclose information relating to a client’s affairs to a third party if:
    • the tax (financial) adviser has the client’s permission; or
    • there is a legal duty to do so.
  14. The TPB recognises that there are obligations associated with being a member of an Australian Securities and Investments Commission (ASIC) approved external dispute resolution (EDR) scheme[3] and also where financial services are covered by the Superannuation Complaints Tribunal (SCT).[4] Further, it is recognised that an AFS licensee may need to obtain legal advice in respect of dealing with a complaint and defending a claim.

(i) Client’s permission

  15. Where information relating to a client’s affairs is to be disclosed by a tax (financial) adviser to a third party, the tax (financial) adviser should, prior to any disclosure, clearly inform the client that there will be such disclosure and obtain the client’s permission. This permission has to be relevant to the engagement and may be by way of a signed letter of engagement, signed consent, or other communication with the client which may include, in certain circumstances:
    • a relevant Financial Services Guide and consent
    • a relevant Statement of Advice (incorporating an ‘authority to proceed’) signed by the client
    • a privacy declaration and consent form
    • a privacy acknowledgment and consent
    • a relevant product disclosure statement and consent, or
    • an appropriately authorised confirmation email.

         In all cases, the relevant communication should outline the services to be provided, as well as information about the entity/entities that will provide those services.

  16. A tax (financial) adviser should ensure that they inform their clients about any client information[5] they are disclosing, and to whom and where the disclosure will be made. It is recognised that a disclosure document can include a listing of multiple entities. However, where third parties are known, it is insufficient to simply note that there may be general disclosure to third parties in relation to a service you are involved in or in relation to a service provided by a third party to you.
  17. Tax (financial) advisers should require a positive step from their client to authorise the requisite disclosure; this may include an appropriate ‘opt-in’ type approach. Subject to paragraph 18 below, the TPB is of the view that tax (financial) advisers must not employ an ‘opt-out’ approach where it is implied that a client consents to their information being disclosed to third parties (including where it is claimed to be for a related purpose).
  18. It is noted that while the Code comes into effect immediately upon registration with the TPB, the TPB is mindful of arrangements that were in place prior to tax (financial) advisers entering the TASA regime and accepts that it will take time for tax (financial) advisers to update their processes, policies and procedures to reflect relevant TPB guidance. Therefore, the TPB will apply a pragmatic approach in this regard, but expects that tax (financial) advisers will update their processes, policies and procedures as soon as practicable.
  19. A tax (financial) adviser is not excused from taking steps to protect information just because it would be inconvenient, time-consuming or costly to do so.[6]
  20. While there is no set formula or methodology used to obtain client permission, the TPB suggests that tax (financial) advisers be clear in explaining to their client where information may be disclosed (including, among other things, where a component of work or add-on activity is completed elsewhere). For example, to avoid any likelihood of your practices being seen as misleading, we suggest that you must not imply or state that all your work is completed in Australia, if that is not the case.
  21. In relation to outsourcing arrangements and cloud storage arrangements, the TASA does not specifically prohibit these activities. However, tax (financial) advisers must consider their obligations under Code Item 6 in relation to these arrangements to ensure confidentiality of client information, including appropriate disclosure in regard to where data is being sent and stored.
  22. While not binding on all tax (financial) advisers, further useful guidance on what steps a tax (financial) adviser may take when providing or utilising outsourced services may be found in specific Australian Prudential Regulation Authority (APRA) guidance.[7] It is also noted that TPB accredited recognised professional associations may be able to assist in providing practical guidance, while recognising that there is not a default one-size-fits-all template and that arrangements will need to be mindful of the particular circumstances.
  23. Ultimately, the onus is on the tax (financial) adviser to exercise appropriate due diligence when outsourcing work, including ensuring appropriate disclosure. Outsourcing may also give rise to other obligations under the TASA, including ensuring that tax (financial) advice services are provided to a competent standard, and that there are adequate supervision and control arrangements.

(ii) Legal duty to do so

  24. A tax (financial) adviser may disclose information relating to a client’s affairs to a third party without the client’s permission if the tax (financial) adviser has a legal duty to disclose the information.
  25. Examples of circumstances where a tax (financial) adviser may have a legal duty to disclose client information to a third party include:
    • providing information to the TPB under a notice issued pursuant to section 60-100 of the TASA
    • providing information to a court or tribunal pursuant to a direction, order, or other court process
    • providing information to AUSTRAC in accordance with reporting obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)[8]
    • providing information to the Australian Securities and Investments Commission (ASIC) pursuant to ASIC’s powers under the Australian Securities and Investments Commission Act 2001 or the Corporations Act 2001
    • providing information or documents to the Australian Taxation Office (ATO) under a notice pursuant to section 353-10 in Schedule 1 to the Taxation Administration Act 1953.[9]
  26. The TASA, including Code Item 6, does not affect the law relating to legal professional privilege.[10] Legal professional privilege protects confidential communications between a lawyer and their client from compulsory production. Therefore, under legal professional privilege a lawyer may, in certain circumstances, lawfully withhold documents or not provide information without breaching Code Item 6.
  27. If a tax (financial) adviser is concerned as to whether there is a legal duty to disclose client information to a third party, the tax (financial) adviser should consider seeking independent legal advice.

Inadvertent disclosure

  28. Tax (financial) advisers also need to ensure that they have appropriate arrangements to prevent inadvertent disclosure through recklessness. In this regard, the following are some examples of where tax (financial) advisers need to be particularly mindful of their obligations:
    • the use of external service providers which may include, for example, IT consultants and cleaners
    • leaving client information in unsecured locations which may be accessed by third parties
    • the use of shredding and data disposal services.

Privacy considerations

  29. In addition to a tax (financial) adviser's obligations under Code Item 6, the Privacy Act 1988 sets out a number of Australian Privacy Principles (APPs) which govern the use, storage and disclosure of personal information and other conduct by organisations.[11] Some of these APPs may have a direct impact on the requirement to obtain consent (express or implied) from clients.
  30. Tax (financial) advisers should seek their own advice about whether the provisions of the Privacy Act 1988 apply to them. Information about obligations under the Privacy Act 1988 is provided by the Privacy Commissioner and is accessible from the Office of the Australian Information Commissioner’s website.

Consequences for failing to comply with Code Item 6

  31. If a tax (financial) adviser discloses information relating to a client’s affairs to a third party without the client’s permission or without a legal duty to do so, the TPB may find that the tax (financial) adviser has breached the Code and may impose sanctions for that breach.
  32. Ultimately, determining whether a tax (financial) adviser has complied with their obligations under Code Item 6 will be a question of fact. This means that each situation will need to be considered on a case-by-case basis having regard to the particular facts and circumstances.
  33. If a tax (financial) adviser breaches the Code, the TPB may impose one or more of the following sanctions:
    • a written caution
    • an order requiring the tax (financial) adviser to do something specified in the order
    • suspension of the tax (financial) adviser’s registration
    • termination of the tax (financial) adviser’s registration.

Practical examples involving Code Item 6

  34. The following are indicative examples which illustrate the general application of Code Item 6. In all cases, consideration will need to be given to the specific facts and circumstances of each matter.

Example 1 – Client permission to disclose information to an online broker

Situation

Drew approaches Kylie, a registered tax (financial) adviser, to provide tax (financial) advice services. As part of the tax (financial) advice services provided, Kylie advises Drew to participate in an upcoming float, which is only available through a particular online broker.

Drew confirms that he wishes to participate in the upcoming float and instructs Kylie to organise a $50,000 investment.

Obtaining client permission

Before organising the $50,000 investment in the float, Kylie sends Drew an email confirming, among other things, the nature of the investment and the potential risks. Further, in her email, Kylie requests Drew’s permission (via return email) to disclose his information to the online broker to complete the application for the float.[12]

Example 2 – Client permission to disclose information to an insurer

Situation

Betty approaches Stephen, a registered tax (financial) adviser, to provide tax (financial) advice services. As part of the initial scaled engagement, Betty seeks a recommended product in relation to life risk advice and provides her adviser with key relevant information (including her finances and circumstances).

Stephen assesses Betty’s situation and liaises with various insurers that he interacts with on a regular basis.

Stephen will also receive an ongoing trailing commission from the relevant chosen insurer in the event that Betty proceeds to purchase a particular product.

Obtaining client permission

As Stephen already knows of the insurers that he will be liaising with, he requests Betty’s permission (via signed disclosure statement) to disclose specific information (relating to Betty’s circumstances and needs) to the particular insurers for the purpose of providing recommendations on what will work best for Betty in meeting her needs. This permission is obtained prior to Stephen disclosing information to the insurers.

Stephen also discloses that he will receive an ongoing trailing commission from the relevant chosen insurer in the event that Betty proceeds to purchase a particular product.

Example 3 – Client permission to disclose information to an external IT provider

Situation

Zincorppe is a mid-sized registered tax (financial) adviser company that provides tax (financial) advice services to various clients. Zincorppe enters client data into its software programs using cloud computing hosted by an external IT provider.

Obtaining client permission

In order to enter client data into its software programs, Zincorppe discloses its cloud computing arrangements in an email. Further, Zincorppe obtains a confirmation email from each client to disclose the information to the external IT provider.

Example 4 – Client permission to disclose information to a legal firm

Situation

Patricia engages Manu, a registered tax (financial) adviser, to provide tax (financial) advice services. As part of the tax (financial) advice services provided, Manu advises Patricia to set up an investment structure including a unit trust. To establish the unit trust, Manu engages a legal firm to prepare the necessary documentation.

Failing to obtain client permission

Manu confirms with Patricia that she wishes to proceed with the unit trust structure and merely advises Patricia that he will arrange to prepare all the necessary documentation. However, Manu does not obtain Patricia’s permission to disclose her information to the legal firm to prepare the necessary documentation.

Manu is considered to have breached Code Item 6 by failing to obtain Patricia’s permission to disclose her information to a third party (being the legal firm).

Example 5 – Client permission to disclose data to an overseas third party

Situation

Vee Co is a large financial services firm and a registered tax (financial) adviser. To minimise its operating costs, Vee Co enters into an agreement with a data processing firm in Vietnam, Nguyen & Co, that Nguyen & Co will perform the data processing work for Vee Co’s clients.

Obtaining client permission

In order to send the clients’ information to Nguyen & Co for processing, Vee Co discloses its arrangement with Nguyen & Co in its letter of engagement with clients and obtains its clients’ explicit permission by way of a signed client engagement letter to disclose the information to Nguyen & Co.

Subject to the engagement terms, Vee Co will have primary responsibility for the provision of the relevant tax (financial) advice services, including data processing work undertaken by Nguyen & Co.

[1] Refer to TPB(I) 21/2014 Code of Professional Conduct - Confidentiality of client information and TPB(I) 01/2010 Code of Professional Conduct. While TPB(I) 21/2014 is aimed specifically at registered tax and BAS agents, it provides useful guidance for all registered tax practitioners.

[2] For information on the meaning of ‘tax (financial) advice service’, refer to TPB(I) 20/2014 What is a tax (financial) advice service?

[3] The two ASIC-approved EDR schemes that currently operate in the Australian financial and credit industries are the Financial Ombudsman Service Limited (FOS) and the Credit and Investments Ombudsman (CIO) (formerly the Credit Ombudsman Service Limited). For further information, refer to ASIC Regulatory Guide 165 - Licensing: Internal and external dispute resolution, ASIC Regulatory Guide 139 - Approval and oversight of external dispute resolution schemes, and the FOS and CIO websites available at www.fos.org.au and www.cio.org.au respectively.

[4] It is recognised that there is not a requirement to join an approved EDR scheme if all of the financial services provided are covered by the SCT (which must act in accordance with the Superannuation (Resolution of Complaints) Act 1993). For further information, refer to www.sct.gov.au.

[5] For the purposes of this TPB(I), ‘client information’ means information relating to a client’s affairs under Code Item 6.

[6] See also, e.g., Office of the Australian Information Commissioner Guide to securing personal information

[7] See, in particular, APRA Prudential Standards CPS 231 Outsourcing and SPS 231 Outsourcing, APRA Information Paper: Outsourcing involving shared computing services (including cloud).

[8] The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) imposes ongoing transaction reporting obligations and compliance reporting obligations on reporting entities when they provide designated services; the requirements set rules with respect to customer due diligence and identification, and generally concern the AFS licensee in the context of financial planning. For further information on complying with obligations under the AML/CTF Act, refer to the AUSTRAC compliance guide (Chapter 7 provides an overview of the AML/CTF Act reporting obligations).

[9] Section 353-10 of the Taxation Administration Act 1953 permits the Commissioner to issue a Notice requiring a person to furnish such information to the Commissioner and to attend and give evidence concerning a named person’s income or assessment or to produce documents (including electronic records) etc. in the person’s custody or control. In this regard, it is noted that Treasury Legislation Amendment (Repeal Day) Act 2015 No. 2, 2015 expanded the scope of section 353-10 of Schedule 1 to the Taxation Administration Act 1953 to cover any taxation law, and repealed the corresponding provisions in various Acts including section 264 of the Income Tax Assessment Act 1936.

[10] See section 70-50 of the Tax Agent Services Act 2009.

[11] ‘Organisation’ is defined in section 6C of the Privacy Act 1988 and excludes certain small business and small business operations; see further section 6D of the Privacy Act 1988.

[12] 'Organisation' is defined in section 6C of the Privacy Act 1988 and excludes certain small business and small business operations; see further section 6D of the Privacy Act 1988.