You must not disclose information relating to a client’s (or a former client's) affairs to a third party unless you have:
- obtained the client’s permission, or
- a legal duty to do so.
This is one of the obligations (item 6) under the Code of Professional Conduct (Code).
‘Information’ refers to knowledge you have acquired or derived about a client, whether directly or indirectly. It is only necessary that the information relates to the affairs of a client. It does not have to belong to the client or have been directly provided by the client to you.
A ‘third party’ is any entity other than you and your client and could include:
- a related entity of your practice or the client - for example, if you are an authorised representative, a third party includes your Australian financial services (AFS) licensee and vice versa
- entities to which you outsource your tax (financial) advice services
- other AFS licensees, authorised representatives, para-planners, product providers and advisers, insurance brokers, and technical teams and advisers
- entities that maintain offsite data storage systems (including ‘cloud storage’).
We recognise that:
- in an AFS licensee/authorised representative relationship, the use of ‘fact finds’ or other documents facilitates the flow of client information from the authorised representative to the AFS licensee
- the Corporations Act 2001 requires an authorised representative of an AFS licensee to provide information to the AFS licensee if requested.
Before disclosing any information relating to your client’s affairs to a third party, you should clearly inform your client that such disclosure will be made and obtain their permission. You should advise your client:
- what client information is to be disclosed
- to whom and where the disclosure will be made.
This permission may be by way of a signed letter of engagement, signed consent or other communication with the client which may include:
- a relevant ‘fact find’ and consent
- a relevant Financial Services Guide (FSG) and consent
- a relevant Statement of Advice (incorporating an ‘authority to proceed’) signed by the client
- a privacy declaration and consent form
- a privacy acknowledgement and consent
- a relevant product disclosure statement and consent, or
- an appropriately authorised confirmation email.
You may disclose information to a third party relating to your client’s affairs without the client’s permission if you have a legal duty to do so.
Some examples of these circumstances include providing information to:
- the TPB upon a notice issued under section 60-100 of the Tax Agent Services Act 2009 (TASA)
- a court or tribunal under a direction, order, or other court process
- AUSTRAC to meet reporting obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006
- your AFS licensee (if you are their authorised representative) under section 912G of the Corporations Act 2001
- the Australian Taxation Office upon a notice issued under section 353-10 in Schedule 1 to the Taxation Administration Act 1953 concerning taxation laws (subject to that matter being properly withheld under legal professional privilege).
If you are concerned as to whether there is a legal duty to disclose client information to a third party, you should seek independent legal advice.
You also need to ensure there are appropriate arrangements to prevent inadvertent disclosure. Some examples of situations where you must ensure there are appropriate controls to prevent third parties from viewing or accessing client information include:
- the use of external service providers such as IT consultants and cleaners
- the use of recycled paper which includes personal details of other clients
- disposing of IT equipment that contains/stores data of clients
- the use of shredding or data disposal services.
If you disclose information relating to a client’s affairs to a third party without the client’s permission or a legal duty to do so, the TPB may find that you have breached the Code and impose sanctions for that breach.
The following examples illustrate how to maintain confidentiality of client information, noting that consideration will need to be given to the specific facts and circumstances.
Example 1 – Client permission to disclose information to an online broker
Drew approaches Kylie, a registered tax (financial) adviser, to provide tax (financial) advice services. As part of the tax (financial) advice services provided, Kylie advises Drew to participate in an upcoming float, which is only available through a particular online broker.
Drew confirms that he wishes to participate in the upcoming float and instructs Kylie to organise a $50,000 investment.
Obtaining client permission
Before organising the $50,000 investment in the float, Kylie sends Drew an email confirming, among other things, the nature of the investment and the potential risks. Further, in her email, Kylie requests Drew’s permission (via return email) to disclose his information to the online broker to complete the application for the float.
Example 2 – Client permission to disclose information to an insurer
Betty approaches Stephen, a registered tax (financial) adviser, to provide tax (financial) advice services. As part of the initial scaled engagement, Betty seeks a recommended product in relation to life risk advice and provides her adviser with key relevant information (including her finances and circumstances).
Stephen assesses Betty’s situation and liaises with various insurers on her behalf.
Obtaining client permission
Stephen requests Betty’s permission (via signed disclosure statement) to disclose information relating to Betty’s circumstances and needs to insurers for the purpose of providing recommendations on what will work best for Betty in meeting her needs. This permission is obtained prior to Stephen disclosing information to insurers.
Example 3 – Client permission to disclose information to an external IT provider
Zincorppe is a mid-sized registered tax (financial) adviser company that provides tax (financial) advice services to various clients. Zincorppe enters client data into its software programs using cloud computing hosted by an external IT provider.
Obtaining client permission
In order to enter client data into its software programs, Zincorppe discloses its cloud computing arrangements in an email to clients. Further, Zincorppe obtains a confirmation email from each client to disclose the information to the external IT provider.
Example 4 – Client permission to disclose information to a legal firm
Patricia engages Manu, a registered tax (financial) adviser, to provide tax (financial) advice services. As part of the tax (financial) advice services provided, Manu advises Patricia to set up an investment structure including a unit trust. To establish the unit trust, Manu engages a legal firm to prepare the necessary documentation.
Failing to obtain client permission
Manu advises Patricia in writing that he will arrange the preparation of all the necessary documentation in relation to the investment structure. However, Manu does not obtain Patricia’s permission to disclose her information to the legal firm to prepare the documentation.
Manu is considered to have potentially breached Code Item 6 by failing to obtain Patricia’s permission to disclose her information to a third party (being the legal firm).
Example 5 – Client permission to disclose data to an overseas third party
Vee Co is a large financial services firm and a registered tax (financial) adviser. To minimise its operating costs, Vee Co enters into an agreement with a data processing firm in Vietnam, Nguyen & Co, that Nguyen & Co will perform the data processing work for Vee Co’s clients.
Obtaining client permission
In order to send the clients’ information to Nguyen & Co for processing, Vee Co discloses its arrangement with Nguyen & Co to its clients and obtains its clients’ explicit permission by way of a relevant ‘fact find’ and consent to disclose the information to Nguyen & Co.
Subject to the engagement terms, Vee Co will have primary responsibility for the provision of the relevant tax (financial) advice services, including data processing work undertaken by Nguyen & Co.
- TPB(I) 32/2017 Code of Professional Conduct – Confidentiality of client information for tax (financial) advisers
Last modified: 9 January 2020