Confidentiality of client information information sheet TPB(I) 21/2014

TPB Information Sheet TPB(I) 21/2014

Code of Professional Conduct – Confidentiality of client information

DISCLAIMER

This is a Tax Practitioners Board (TPB) Information sheet (TPB(I)). It is intended to be for information only. It provides information regarding the TPB’s position on the application of subsection 30-10(6) of the Tax Agent Services Act 2009 (TASA), containing one of the obligations of registered agents under the Code of Professional Conduct (Code).

While it seeks to provide practical assistance and explanation, it does not exhaust, prescribe or limit the scope of the TPB’s powers in the TASA.

In addition, please note that the principles, explanations and examples in this TPB(I) do not constitute legal advice and do not create additional rights or legal obligations beyond those that are contained in the TASA or which may exist at law. Please refer to the TASA for the precise content of the legislative requirements.

Document History

The TPB released this document as a draft information sheet in the form of an Exposure draft on 17 March 2014. The TPB invited comments and submissions in relation to the information in it. The closing date for submissions was 16 April 2014. The TPB considered the submissions made and published the TPB(I) on 4 August 2014.

The document was subsequently reviewed and updated to align with the separate information sheet for tax (financial) advisers (on subsection 30-10(6) of the TASA) that was published on 5 May 2017.

Issue date: 4 August 2014

Last modified: 5 May 2017

Introduction

  1. This Information Sheet (TPB(I)) has been prepared by the Tax Practitioners Board (TPB) to assist registered tax agents and BAS agents (registered agents) to understand their obligations under subsection 30-10(6) of the Tax Agent Services Act 2009 (TASA) (Code Item 6), which is one of the obligations of registered agents under the Code of Professional Conduct (Code).
  2. Code Item 6 states that:

    ‘Unless you have a legal duty to do so, you must not disclose any information relating to a client’s affairs to a third party without your client’s permission.’

  3. In this TPB(I), you will find the following information:
    • what is Code Item 6 (paragraphs 5 to 6)
    • how to comply with Code Item 6 (paragraphs 7 to 26)
    • privacy considerations (paragraphs 27 to 28)
    • consequences for failing to comply with Code Item 6 (paragraphs 29 to 31)
    • practical examples involving Code Item 6 (paragraph 32).
  4. The TPB has previously published an explanatory paper that sets out its view on the application of the Code, including Code Item 6.[1]

What is Code Item 6?

  1. As per paragraph 2 above, Code Item 6 provides that, unless there is a legal duty to do so, registered agents must not disclose any information relating to a client’s affairs to a third party without the client’s permission.
  2. Therefore, any disclosure of information relating to a client’s affairs to a third party without the client’s permission will be a breach of Code Item 6, unless there is a legal duty on the registered agent to disclose the information.

How to comply with Code Item 6?

What is ‘information’?

  1. Information refers to the acquiring or deriving of knowledge and includes, but is not limited to, capturing information known about a client. This information could be acquired directly or indirectly from the client or other sources.

What is ‘information relating to a client’s affairs’?

  1. It is only necessary that the information relates to the affairs of a client. The information does not have to belong to the client, or have been directly provided by the client to a registered agent.

What is a ‘third party’?

  1. For the purposes of Code Item 6 and the TASA, a third party means any entity other than the client and the registered agent.
  2. In relation to a registered agent that outsources a component of the tax agent services to another entity (for example, another registered tax practitioner, a legal practitioner, a contractor or an overseas or offshore entity), the third party would include that other entity.
  3. Disclosure to a third party would also include disclosure of information relating to one entity within a service trust structure to another entity within the same service trust structure, unless the client is defined, for example in the engagement letter, as the whole structure.[2]
  4. Further, a third party may also include entities that maintain offsite data storage systems (including ‘cloud storage’).

In what circumstances can a registered agent disclose information relating to a client’s affairs to a third party?

  1. A registered agent may only disclose information relating to a client’s affairs to a third party if:
    • the registered agent has the client’s permission; or
    • there is a legal duty to do so.

(i) Client’s permission

  1. Where information relating to a client’s affairs is to be disclosed by a registered agent to a third party, the registered agent should, prior to any disclosure, clearly inform the client that there will be such disclosure and obtain the client’s permission. This permission may be by way of a signed letter of engagement, signed consent or other communication with the client. In all cases, the relevant communication should outline the disclosures to be provided, as well as information about the entity/entities that will have access to the client information.
  2. A letter of engagement will typically outline services to be provided by the registered agent to their client, as well as information about entities that will provide those services. For further information on engagement letters, refer to TPB(I) 01/2011 Letters of engagement.
  3. A registered agent must ensure that they inform their clients about any client information[3] that may be disclosed. In this regard, it is recommended that a registered agent include information in relation to whom and where the disclosure will be made. A general authority consenting to disclosure to third parties may also be acceptable.
  4. However, even in the context of a general disclosure, a registered agent should require a positive step from their client to authorise the requisite disclosure. This may include an appropriate 'opt-in' type approach, including in conjunction with reviewing an engagement letter. Further, a registered agent is not excused from taking steps to protect information just because it would be inconvenient, time-consuming or costly to do so.[4]
  5. While there is no set formula or methodology used to obtain client permission, the TPB suggests that registered agents be clear in explaining to their client where information may be disclosed (including, among other things, where a component of work or add-on activity is completed elsewhere). For example, to avoid any likelihood of your practices being seen as misleading, we suggest that you must not imply or state that all your work is completed in Australia, if that is not the case.
  6. In relation to outsourcing arrangements and cloud storage arrangements, the TASA does not specifically prohibit these activities. However, registered agents must consider their obligations under Code Item 6 in relation to these arrangements to ensure confidentiality of client information, including appropriate disclosure in regard to where data is being sent and stored.[5]
  7. While not binding on all registered agents, further useful guidance on what steps an agent may take when providing or utilising outsourced services may be found in specific Accounting Professional and Ethical Standards Board (APESB) guidance.[6] It is also noted that TPB accredited recognised professional associations may be able to assist in providing practical guidance, while recognising that there is not a default one-size-fits-all template and that arrangements will need to be mindful of the particular circumstances.
  8. Ultimately, the onus is on the registered agent to exercise appropriate due diligence when outsourcing work, including ensuring appropriate disclosure. Outsourcing may also give rise to other obligations under the TASA, including ensuring that tax agent services are provided to a competent standard, and that there are adequate supervision and control arrangements.

(ii) Legal duty to do so

  1. A registered agent may disclose information relating to a client’s affairs to a third party without the client’s permission if the registered agent has a legal duty to disclose the information.
  2. Examples of circumstances where a registered agent may have a legal duty to disclose client information to a third party include:
    • providing information to the TPB under a notice issued pursuant to section 60-100 of the TASA
    • providing information to a court or tribunal pursuant to a direction, order, or other court process to provide that information
    • providing information to AUSTRAC in accordance with reporting obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)[7]
    • providing information or documents to the Australian Taxation Office (ATO) under a notice pursuant to section 353-10 in Schedule 1 to the Taxation Administration Act 1953 concerning taxation laws. This requirement is subject to that material being properly withheld by the registered agent under legal professional privilege.
  3. The TASA, including Code Item 6, does not affect the law relating to legal professional privilege (LPP)[8]. LPP protects confidential communications between a lawyer and their client from compulsory production. Therefore, under LPP a lawyer may, in certain circumstances, lawfully withhold documents or not provide information without breaching Code Item 6.
  4. If a registered agent is concerned as to whether there is a legal duty to disclose client information to a third party, the registered agent should consider seeking independent legal advice.

Inadvertent disclosure

  1. Registered agents also need to ensure that they have appropriate arrangements to prevent inadvertent disclosure. In this regard, the following are some examples of where registered agents need to be particularly mindful of their obligations:
    • the use of mobile temporary booths in shopping centres, ensuring there are appropriate controls to prevent third parties from viewing client information
    • the use of recycled paper which includes personal details concerning other clients
    • leaving client information in unsecured locations which may be accessed by third parties
    • disposing (such as trading in or selling to a second-hand market) of IT equipment that contains/stores data that may be accessible by third parties
    • the use of shredding and data disposal services
    • the use of external service providers which may include, for example, IT consultants and cleaners.

Privacy considerations

  1. In addition to a registered agent’s obligations under Code Item 6, the Privacy Act 1988 (Cth) sets out a number of Privacy Principles which govern the use, storage and disclosure of personal information and other conduct by organisations.[9] Some of these privacy principles may have a direct impact on the requirement to obtain consent (express or implied) from clients.
  2. Registered agents should seek their own advice about whether the provisions of the Privacy Act 1988 apply to them. Information about obligations under the Privacy Act 1988 is provided by the Privacy Commissioner and is accessible from the Office of the Australian Information Commissioner’s website at www.oaic.gov.au.

Consequences for failing to comply with Code Item 6

  1. If a registered agent discloses information relating to a client’s affairs to a third party without the client’s permission or without a legal duty to do so, the TPB may find that the registered agent has breached the Code and may impose sanctions for that breach.
  2. Ultimately, determining whether a registered agent has complied with their obligations under Code Item 6 will be a question of fact. This means that each situation will need to be considered on a case-by-case basis having regard to the particular facts and circumstances.
  3. If a registered agent breaches the Code, the TPB may impose one or more of the following sanctions:
    • a written caution
    • an order requiring the registered agent to do something specified in the order
    • suspension of the registered agent’s registration
    • termination of the registered agent’s registration.

Practical examples involving Code Item 6

  1. The following are indicative examples which illustrate the general application of Code Item 6. In all cases, consideration will need to be given to the specific facts and circumstances.

Example 1 – Client permission to disclose information to an overseas third party

Situation

Lilly & Co is a large accounting firm and a registered tax agent. To minimise its operating costs, Lilly & Co enters into an agreement with a bookkeeping/data processing firm in Hong Kong, Zheng & Co, that Zheng & Co will perform the bookkeeping and data processing work for Lilly & Co’s clients.

Obtaining client permission

In order to send the clients’ information to Zheng & Co for processing, Lilly & Co discloses its arrangement with Zheng & Co in its letter of engagement with clients and obtains its clients’ explicit permission by way of a signed client engagement letter to disclose the information to Zheng & Co.

Subject to the terms in the letter of engagement, Lilly & Co will have primary responsibility for the provision of the relevant tax agent services, including the bookkeeping and data processing work undertaken by Zheng & Co.

Example 2 – Legal duty to disclose information to a third party

Situation

The ATO is conducting an audit on Patricia’s income tax return from the previous financial year, but Patricia does not have all of her receipts and payment summaries. As her registered tax agent, Edward, prepared and lodged her income tax return for the previous financial year, the ATO has issued a notice under section 353-10 in Schedule 1 to the Taxation Administration Act 1953 (TAA 1953) for Edward to provide it with all relevant information regarding Patricia’s income tax return from the previous financial year.

Legal duty to disclose

Although Edward is required to maintain the confidentiality of the information relating to the affairs of his client, Patricia, the ATO’s notice creates an overriding legal obligation and Edward therefore has a legal duty to disclose the information requested in the notice to the ATO.[10]

Alternatively, if the ATO did not make a request pursuant to section 353-10 in Schedule 1 to the TAA 1953 and instead made a general request, Edward would not have a legal duty to disclose the information to the ATO. It is also noted that the requirement under Code Item 6 is subject to material being properly withheld under legal professional privilege.

Example 3 – Client permission to disclose information to another registered agent third party

Situation

Jackie runs a local coffee shop in Melbourne. Jackie engages Tony’s Tax Services, a registered tax agent, to prepare and lodge her outstanding business activity statements and also to provide tax advice regarding the proposed sale of her coffee shop. Tony’s Tax Services separately engages Bella, a registered BAS agent, to prepare the outstanding business activity statements.

Obtaining client permission

In order to send Jackie’s information to Bella to enable Bella to prepare the outstanding business activity statements, Tony’s Tax Services discloses its arrangement with Bella in its letter of engagement with Jackie. Tony’s Tax Services obtains Jackie’s explicit permission by way of a signed client engagement letter to disclose the information to Bella.

Example 4 – Client permission to disclose information to an external IT provider third party

Situation

Victor & Paulson is a mid-sized registered tax agent partnership that provides tax agent services to various large corporations and other sophisticated clients. Victor & Paulson enters client data into its accounting software programs using cloud computing hosted by an external IT provider.

Obtaining client permission

In order to enter client data into its accounting software programs, Victor & Paulson discloses its cloud computing arrangements in its client engagement letters. Victor & Paulson obtains a signed client engagement letter from each client to disclose the information to the external IT provider.

Example 5 – Client permission to disclose information to a financial institution third party

Situation

Olivia is a registered BAS agent. Olivia is contacted by the International Bank, a financial institution, requesting certain financial information relating to Greg, who is one of her clients. The International Bank explains that the information is required to support Greg’s finance application for a new car.

Obtaining client permission

Before providing Greg’s financial information to the International Bank, Olivia contacts Greg and seeks his permission to disclose the information to the International Bank.

Example 6 – Client permission to disclose information to a new registered agent

Situation

Jessica is a registered BAS agent who receives a phone call from Noelene, another registered BAS agent, advising that she has been approached to take over one of Jessica’s clients and is seeking a transfer of the client’s files.

Obtaining client permission

Before transferring the client’s files over to Noelene, Jessica obtains permission from her client.

[1] Refer to TPB(EP) 01/2010 Code of Professional Conduct and TPB(I) 32/2017 Code of Professional Conduct - Confidentiality of client information for tax (financial) advisers

[2] Paragraph 3.38 of the Explanatory Memorandum to the Tax Agent Services Bill 2008.

[3] For the purposes of this TPB(I), ‘client information’ means information relating to a client’s affairs under Code Item 6.

[4] See also, e.g., Office of the Australian Information Commissioner Guide to securing personal information.

[5] See also TPB Practice Note TPB(PN) 1/2017 - Cloud computing and the Code of Professional Conduct.

[6] See, in particular, APES Guidance Note GN 30 - Outsourced services. This guidance note applies to members of relevant professional bodies that have adopted it.

[7] The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) imposes transaction and compliance reporting obligations on reporting entities when they provide designated services; the requirements set rules with respect to customer due diligence, identification, record keeping and reporting. For further information on complying with obligations under the AML/CTF Act, refer to the AUSTRAC compliance guide (Chapter 7 provides an overview of the AML/CTF Act reporting obligations) available at www.austrac.gov.au

[8] See section 70-50 of the Tax Agent Services Act 2009.

[9] ‘Organisation’ is defined in section 6C of the Privacy Act 1988 and excludes certain small business and small business operations; see further section 6D of the Privacy Act 1988.

[10] Note: It is also observed that subsection 30-10(11) of the Tax Agent Services Act 2009 states that registered agents must not knowingly obstruct the proper administration of the taxation laws.