TPB Information Sheet TPB(I) 21/2014
Code of Professional Conduct – Confidentiality of client information
This information sheet is also available as a PDF, download TPB(I) 21/2014 Code of Professional Conduct - Confidentiality of client information (431 KB).
This is a Tax Practitioners Board (TPB) Information sheet (TPB(I)). It is intended to be for information only. It provides information regarding the TPB’s position on the application of subsection 30-10(6) of the Tax Agent Services Act 2009 (TASA), containing one of the obligations of registered agents under the Code of Professional Conduct (Code).
While it seeks to provide practical assistance and explanation, it does not exhaust, prescribe or limit the scope of the TPB’s powers in the TASA.
In addition, please note that the principles, explanations and examples in this TPB(I) do not constitute legal advice and do not create additional rights or legal obligations beyond those that are contained in the TASA or which may exist at law. Please refer to the TASA for the precise content of the legislative requirements.
The TPB released this document as a draft information sheet in the form of an Exposure draft on 17 March 2014. The TPB invited comments and submissions in relation to the information in it. The closing date for submissions was 16 April 2014. The TPB considered the submissions made and now publishes the following TPB(I).
Issued: 4 August 2014
- This Information Sheet (TPB(I)) has been prepared by the Tax Practitioners Board (TPB) to assist registered tax agents and BAS agents (registered agents) to understand their obligations under subsection 30-10(6) of the Tax Agent Services Act 2009 (TASA) (Code Item 6), which is one of the obligations of registered agents under the Code of Professional Conduct (Code). 
- Code Item 6 states that:
'Unless you have a legal duty to do so, you must not disclose any information relating to a client’s affairs to a third party without your client’s permission.’
- In this TPB(I), you will find the following information:
- what is Code Item 6
- how to comply with Code Item 6
- privacy considerations
- consequences for failing to comply with Code Item 6
- practical examples involving Code Item 6.
- The TPB has previously published an explanatory paper that sets out its view on the application of the Code, including Code Item 6. 
What is Code Item 6?
- As per paragraph 2 above, Code Item 6 provides that, unless there is a legal duty to do so, registered agents must not disclose any information relating to a client’s affairs to a third party without the client’s permission.
- Therefore, any disclosure of information relating to a client’s affairs to a third party without the client’s permission will be a breach of Code Item 6, unless there is a legal duty on the registered agent to disclose the information.
How to comply with Code Item 6?
What is ‘information’?
- Information refers to the acquiring or deriving of knowledge and includes, but is not limited to, capturing information known about a client. This information could be acquired directly or indirectly.
What is ‘information relating to a client’s affairs’?
- It is only necessary that the information relates to the affairs of a client. The information does not have to belong to the client, or have been directly provided by the client to a registered agent.
What is a ‘third party’?
- A third party is any entity other than the client and the registered agent.
- In relation to a registered agent that outsources a component of the tax agent services to another entity (for example, another registered agent, a legal practitioner, or an overseas or offshore entity), the third party would include that other entity.
- Disclosure to a third party would also include disclosure of information relating to one entity within a service trust structure to another entity within the same service trust structure, unless the client is defined, for example in the engagement letter, as the whole structure. 
- Further, a third party may also include entities that maintain offsite data storage systems (including ‘cloud storage’).
In what circumstances can a registered agent disclose information relating to a client’s affairs to a third party?
- A registered agent may only disclose information relating to a client’s affairs to a third party if:
- the registered agent has the client’s permission; or
- there is a legal duty to do so.
(i) Client’s permission
- Where information relating to a client’s affairs is to be disclosed by a registered agent to a third party, the registered agent should, prior to any disclosure, clearly inform the client that there will be such disclosure and obtain the client’s permission. This permission may be by way of a signed letter of engagement, signed consent or other communication with the client.
- A letter of engagement will typically outline the services to be provided by the registered agent to their client, as well as information about the entity/entities that will provide those services. For further information on engagement letters, refer to TPB(I) 01/2011 Letters of engagement.
- A registered agent should ensure that they inform their clients about any client information  they are disclosing, and to whom and where the disclosure will be made.
- In relation to outsourcing arrangements and cloud storage arrangements, the TASA does not specifically prohibit these activities. However, registered agents must consider their obligations under Code item 6 in relation to these arrangements to ensure confidentiality of client information, including appropriate disclosure in regard to where data is being sent and stored.
- The Accounting Professional and Ethical Standards Board (APESB) has released APES GN 30 Outsourced Services, which applies to members of relevant professional bodies that have adopted it. While not binding on all registered agents, it provides useful guidance on what steps an agent may take when providing or utilising outsourced services.
- The TPB strongly suggests that if any component of a client’s tax work is to be completed overseas, a registered agent should be very clear in communicating this to the client and obtaining the necessary permission to make the disclosure.
- Ultimately, the onus is on the registered agent to exercise appropriate due diligence when outsourcing work, including ensuring appropriate disclosure. Outsourcing may also give rise to other obligations under the TASA, including ensuring that tax agent services are provided to a competent standard, and that there are adequate supervision and control arrangements.
(ii) Legal duty to do so
- A registered agent may disclose information relating to a client’s affairs to a third party without the client’s permission if the registered agent has a legal duty to disclose the information.
- Examples of circumstances where a registered agent may have a legal duty to disclose client information to a third party include:
- providing information to the TPB under a notice issued pursuant to section 60-100 of the TASA
- providing information to a court or tribunal pursuant to a direction, order, or other court process, to provide that information
- providing information or documents to the Australian Taxation Office (ATO) under a notice pursuant to section 353-10 in Schedule 1 to the Taxation Administration Act 1953 concerning taxation laws. This requirement is subject to that material being properly withheld by the registered agent under legal professional privilege.
- The TASA, including Code item 6, does not affect the law relating to legal professional privilege (LPP) . LPP protects confidential communications between a lawyer and their client from compulsory production. Therefore, under LPP a lawyer may, in certain circumstances, lawfully withhold documents or not provide information without breaching Code Item 6.
- If a registered agent is concerned as to whether there is a legal duty to disclose client information to a third party, the registered agent should consider seeking independent legal advice.
- Registered agents also need to ensure that they have appropriate arrangements to prevent inadvertent disclosure through recklessness. In this regard, the following are some examples of where registered agents need to be particularly mindful of their obligations:
- the use of mobile temporary booths in shopping centres, ensuring there are appropriate controls to prevent third parties from viewing client information
- the use of recycled paper which includes personal details concerning other clients
- leaving client information in unsecured locations which may be accessed by third parties
- the use of external service providers which may include, for example, IT consultants and cleaners.
- In addition to a registered agent’s obligations under Code Item 6, the Privacy Act 1988 (Cth) sets out a number of Privacy Principles which govern the use of, storage and disclosure of personal information and other conduct by organisations. Some of these privacy principles may have a direct impact on the requirement to obtain consent (express or implied) from clients.
- Registered agents should seek their own advice about whether the provisions of the Privacy Act 1988 apply to them. Information about obligations under the Privacy Act 1988 is provided by the Privacy Commissioner and is accessible from the Office of Australian Information Commissioner’s website at www.oaic.gov.au
Consequences for failing to comply with Code Item 6
- If a registered agent discloses information relating to a client’s affairs to a third party without the client’s permission or without a legal duty to do so, the TPB may find that the registered agent has breached the Code and may impose sanctions for that breach.
- If a registered agent breaches the Code, the TPB may impose one or more of the following sanctions:
- a written caution
- an order requiring the registered agent to do something specified in the order
- suspension of the registered agent’s registration
- termination of the registered agent’s registration.
Practical examples involving Code Item 6
- The following are indicative examples which illustrate the general application of Code Item 6. In all cases, consideration will need to be given to the specific facts and circumstances.
Example 1 – Client permission to disclose information to an overseas third party
Lilly & Co is a large accounting firm and a registered tax agent. To minimise its operating costs, Lilly & Co. enters into an agreement with a bookkeeping/data processing firm in Hong Kong, Zheng & Co, that Zheng & Co will perform the bookkeeping and data processing work for Lilly & Co’s clients.
Obtaining client permission
In order to send the clients’ information to Zheng & Co for processing, Lilly & Co discloses its arrangement with Zheng & Co in its letter of engagement with clients and obtains its clients’ explicit permission by way of a signed client engagement letter to disclose the information to Zheng & Co.
Subject to the terms in the letter of engagement, Lilly & Co will have primary responsibility for the provision of the relevant tax agent services, including the bookkeeping and data processing work undertaken by Zheng & Co.
Example 2 – Legal duty to disclose information to a third party
The ATO is conducting an audit on Patricia’s income tax return from the previous financial year, but Patricia does not have all of her receipts and payment summaries. As her registered tax agent, Edward, prepared and lodged her income tax return for the previous financial year, the ATO has issued a notice under section 353-10 in Schedule 1 to the Taxation Administration Act 1953 (TAA 1953) for Edward to provide it with all relevant information regarding Patricia’s income tax return from the previous financial year.
Legal duty to disclose
Although Edward is required to maintain the confidentiality of the information relating to the affairs of his client, Patricia, the ATO’s notice creates an overriding legal obligation and Edward therefore has a legal duty to disclose the information requested in the notice to the ATO. 
Alternatively, if the ATO did not make a request pursuant to section 353-10 in Schedule 1 to the TAA 1953 and instead made a general request, Edward would not have a legal duty to disclose the information to the ATO. It is also noted that the requirement under Code Item 6 is subject to material being properly withheld under legal professional privilege.
Example 3 – Client permission to disclose information to another registered agent third party
Jackie runs a local coffee shop in Melbourne. Jackie engages Tony’s Tax Services, a registered tax agent, to prepare and lodge her outstanding business activity statements and also to provide tax advice regarding the proposed sale of her coffee shop. Tony’s Tax Services separately engages Bella, a registered BAS agent, to prepare the outstanding business activity statements.
Obtaining client permission
In order to send Jackie’s information to Bella to enable Bella to prepare the outstanding business activity statements, Tony’s Tax Services discloses its arrangement with Bella in its letter of engagement with Jackie. Tony’s Tax Services obtains Jackie’s explicit permission by way of a signed client engagement letter to disclose the information to Bella.
Example 4 – Client permission to disclose information to an external IT provider third party
Victor & Paulson is a mid-sized registered tax agent partnership that provides tax agent services to various large corporations and other sophisticated clients. Victor & Paulson enters client data into its accounting software programs using cloud computing hosted by an external IT provider.
Obtaining client permission
In order to enter client data into its accounting software programs, Victor & Paulson discloses its cloud computing arrangements in its client engagement letters. Victor & Paulson obtains a signed client engagement letter from each client to disclose the information to the external IT provider.
Example 5 – Client permission to disclose information to a financial institution third party
Olivia is a registered BAS agent. Olivia is contacted by the International Bank, a financial institution, requesting certain financial information relating to Greg, who is one of her clients. The International Bank explains that the information is required to support Greg’s finance application for a new car.
Obtaining client permission
Before providing Greg’s financial information to the International Bank, Olivia contacts Greg and seeks his permission to disclose the information to the International Bank.
Example 6 – Client permission to disclose information to a new registered agent
Jessica is a registered BAS agent who receives a phone call from Noelene, another registered BAS agent, advising that she has been approached to take over one of Jessica’s clients and is seeking a transfer of the client’s files.
Obtaining client permission
Before transferring the client’s files over to Noelene, Jessica obtains permission from her client.
-  The TPB intends to release further information, in due course, specifically regarding the obligations of registered tax (financial) advisers under the Code.
-  Refer to paragraphs 78 to 92 of TPB(EP) 01/2010 Code of Professional Conduct.
-  Paragraph 3.38 of the Explanatory Memorandum to the Tax Agent Services Bill 2008.
-  For the purposes of this TPB(I), ‘client information’ means information relating to a client’s affairs under Code Item 6.
-  See section 70-50 of the Tax Agent Services Act 2009.
- ‘Organisation’ is defined in section 6C of the Privacy Act 1988 and excludes certain small business and small business operations; see further section 6D of the Privacy Act 1988.
-  Note: It is also observed that subsection 30-10(11) of the Tax Agent Services Act 2009 states that registered agents must not knowingly obstruct the proper administration of the taxation laws.