Exposure Draft TPB(I) D50/2022 Code of Professional Conduct - Confidentiality of client information


Contents

Introduction

What is Code Item 6?

How to comply with Code Item 6?

Other considerations

Consequences for failing to comply with Code Item 6

Practical examples involving Code Item 6

 

Tax Practitioners Board exposure draft

The Tax Practitioners Board (TPB) has released this draft Information Sheet (TPB(I) D50/2022) as an exposure draft. This draft is an update to the existing TPB Information Sheet TPB(I) 21/2014 Code of Professional Conduct – Confidentiality of client information. The TPB has now included guidance on how the confidentiality obligations apply to tax practitioners when they disclose information under the tax whistleblowing laws and non-compliance with laws and regulations (NoCLAR) framework – see paragraphs 29 to 41 and Examples 7 and 8 in this draft Information Sheet.

The TPB invites comments and submissions in relation to the updated information contained in it within 42 days. The closing date for submission is 12 September 2022. The TPB will then consider any submissions before settling its position, undertaking any further consultation required and finalising the TPB(I). 

Written submissions should be made via email at tpbsubmissions [at] tpb.gov.au or by mail to:

Tax Practitioners Board
GPO Box 1620
Sydney NSW 2001

Disclaimer

This document is in draft form, and when finalised, will be intended as information only. It provides information regarding the TPB’s position on the application of subsection 30-10(6) of the Tax Agent Services Act 2009 (TASA), containing one of the obligations of tax and BAS agents (collectively referred to as ‘tax practitioners’) under the Code of Professional Conduct (Code).

While it seeks to provide practical assistance and explanation, it does not exhaust, prescribe or limit the scope of the TPB’s powers in the TASA.

In addition, please note that the principles, explanations and examples in this draft TPB(I) do not constitute legal advice and do not create additional rights or legal obligations beyond those that are contained in the TASA or which may exist at law. Please refer to the TASA for the precise content of the legislative requirements.
 

Document History

This draft TPB(I) was issued on 1 August 2022 and is based on the TASA as at 7 February 2022. Once finalised, the TPB Information Sheet TPB(I) 21/2014 Code of Professional Conduct – Confidentiality of client information will be updated. 

Issued: 1 August 2022


Introduction

  1. The Tax Practitioners Board (TPB) has prepared this draft Information Sheet (TPB(I)) to assist registered tax agents and BAS agents (collectively referred to as ‘tax practitioners’) to understand their obligations under subsection 30-10(6) of the Tax Agent Services Act 2009 (TASA) – Code of Professional Conduct (Code) Item 6.  
  2. Code Item 6 states that:

‘Unless you have a legal duty to do so, you must not disclose any information relating to a client’s affairs to a third party without your client’s permission.’

  3. In this TPB(I), you will find the following information:
    • what is Code Item 6 (paragraphs 5 to 6)
    • how to comply with Code Item 6 (paragraphs 7 to 26)
    • other considerations including privacy and tax whistleblowing (paragraphs 27 to 41)
    • consequences for failing to comply with Code Item 6 (paragraphs 42 to 44)
    • practical examples involving Code Item 6 (paragraph 45).
  4. The TPB has previously published an explanatory paper that sets out its view on the application of the Code, including Code Item 6.[1]


What is Code Item 6?

  5. As per paragraph 2 above, Code Item 6 provides that, unless there is a legal duty to do so, tax practitioners must not disclose any information relating to a client’s affairs to a third party without the client’s permission.
  6. Therefore, any disclosure of information relating to a client’s affairs to a third party without the client’s permission will be a breach of Code Item 6, unless there is a legal duty on the tax practitioner to disclose the information.


How to comply with Code Item 6?

What is 'information'?

  7. Information refers to the acquiring or deriving of knowledge and includes, but is not limited to, capturing information known about a client. This information could be acquired directly or indirectly from the client or other sources.

What is 'information relating to a client's affairs'?

  8. It is only necessary that the information relates to the affairs of a client. The information does not have to belong to the client, or have been directly provided by the client to a tax practitioner.

What is a 'third party'?

  9. For the purposes of Code Item 6 and the TASA, a third party means any entity other than the client and the tax practitioner.
  10. In relation to a tax practitioner that outsources a component of the tax agent services to another entity (for example, another tax practitioner, a legal practitioner, a contractor or an overseas or offshore entity), the third party would include that other entity.
  11. Disclosure to a third party would also include disclosure of information relating to one entity within a service trust structure to another entity within the same service trust structure, unless the client is defined, for example in the engagement letter, as the whole structure.[2]
  12. Further, a third party may also include entities that maintain offsite data storage systems (including ‘cloud storage’).


In what circumstances can a tax practitioner disclose information relating to a client’s affairs (or a former client’s affairs) to a third party?

  13. A tax practitioner may only disclose information relating to a client’s affairs (or a former client’s affairs) to a third party if:
    • the tax practitioner has the client’s (or former client’s) permission, or
    • there is a legal duty to do so.

(i) Client’s permission

  14. Where information relating to a client’s affairs is to be disclosed by a tax practitioner to a third party, the tax practitioner should, prior to any disclosure, clearly inform the client that there will be such disclosure and obtain the client’s permission. This permission may be by way of a signed letter of engagement, signed consent or other communication with the client. In all cases, the relevant communication should outline the disclosures to be provided, as well as information about the entity/entities that will have access to the client information.
  15. A letter of engagement will typically outline services to be provided by the tax practitioner to their client, as well as information about entities that will provide those services. For further information on engagement letters, refer to TPB Practice Note TPB(PN) 3/2019 Letters of engagement.
  16. A tax practitioner must ensure that they inform their clients about any client information[3] that may be disclosed. In this regard, it is recommended that a tax practitioner include information in relation to whom and where the disclosure will be made. A general authority consenting to disclosure to third parties may also be acceptable.
  17. However, even in the context of a general disclosure, a tax practitioner should require a positive step from their client to authorise the requisite disclosure. This may include an appropriate ‘opt-in’ type approach,[4] including in conjunction with reviewing an engagement letter. Further, a tax practitioner is not excused from taking steps to protect information just because it would be inconvenient, time-consuming or costly to do so.[5]
  18. While there is no set formula or methodology used to obtain client permission, the TPB suggests that tax practitioners be clear in explaining to their client where information may be disclosed (including, among other things, where a component of work or add-on activity will be completed). For example, to avoid any likelihood of your practices being seen as misleading, we suggest that you do not imply or state that all your work is completed in Australia, if that is not the case.
  19. In relation to outsourcing arrangements and cloud storage arrangements, the TASA does not specifically prohibit these activities. However, tax practitioners must consider their obligations under Code item 6 in relation to these arrangements to ensure confidentiality of client information, including appropriate disclosure in regard to where data is being sent and stored.[6]
  20. While not binding on all registered tax agents, further useful guidance on what steps an agent may take when providing or utilising outsourced services may be found in specific Accounting Professional and Ethical Standards Board (APESB) guidance.[7] It is also noted that TPB accredited recognised professional associations may be able to assist in providing practical guidance, while recognising that there is not a default one-size-fits-all template and that arrangements will need to be mindful of the particular circumstances.[8]
  21. Ultimately, the onus is on the tax practitioner to exercise appropriate due diligence when outsourcing work, including ensuring appropriate disclosure. Outsourcing may also give rise to other obligations under the TASA, including ensuring that tax agent services are provided to a competent standard, and that there are adequate supervision and control arrangements.

(ii) Legal duty to do so

  22. A tax practitioner may disclose information relating to a client’s affairs to a third party without the client’s permission if the tax practitioner has a legal duty to disclose the information.
  23. Examples of circumstances where a tax practitioner may have a legal duty to disclose client information to a third party include:
    • providing information to the TPB under a notice issued pursuant to section 60-100 of the TASA
    • providing information to a court or tribunal pursuant to a direction, order, or other court process to provide that information
    • providing information to AUSTRAC in accordance with reporting obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)[9]
    • providing information or documents to the Australian Taxation Office (ATO) under a notice pursuant to section 353-10 in Schedule 1 to the Taxation Administration Act 1953 concerning taxation laws. 
  24. The TASA, including Code item 6, does not affect the law relating to legal professional privilege (LPP).[10] LPP protects confidential communications between a lawyer and their client from compulsory production. Therefore, under LPP a lawyer may, in certain circumstances, lawfully withhold documents or not provide information without breaching Code Item 6.
  25. If a tax practitioner is concerned as to whether there is a legal duty to disclose client information to a third party, the tax practitioner should consider seeking independent legal advice.


Inadvertent disclosure

  26. Tax practitioners also need to ensure that they have appropriate arrangements[11] to prevent inadvertent disclosure. In this regard, the following are some examples of where tax practitioners need to be particularly mindful of their obligations:
    • the use of mobile temporary booths in shopping centres, ensuring there are appropriate controls to prevent third parties from viewing client information
    • the use of recycled paper which includes personal details concerning other clients
    • leaving client information in unsecured locations which may be accessed by third parties
    • disposing (such as trading in or selling to a second-hand market) of IT equipment that contains / stores data that may be accessible by third parties
    • the use of shredding and data disposal services
    • the use of external service providers which may include, for example, IT consultants and cleaners
    • disclosing a client’s TFN in correspondence to a financial institution (e.g. an ATO income tax assessment notice provided in support of a loan application)
    • the use of virtual meetings to discuss client information when third parties may be in attendance
    • the use of public Wi-Fi when providing services for a client.[12] 


Other considerations

Privacy

  27. In addition to a tax practitioner’s obligations under Code Item 6, the Privacy Act 1988 (Cth) sets out a number of Privacy Principles which govern the use of, storage and disclosure of personal information and other conduct by organisations.[13] Some of these privacy principles may have a direct impact on the requirement to obtain consent (express or implied) from clients.
  28. Tax practitioners should seek their own advice about whether the provisions of the Privacy Act 1988 apply to them. Information about obligations under the Privacy Act 1988 is accessible from the Office of the Australian Information Commissioner’s website at www.oaic.gov.au.[14]


Tax whistleblowing

  29. Whistleblower laws[15] legally protect people who ‘blow the whistle’ about an entity that is not complying with the tax laws.

Eligible whistleblower

  30. To be eligible for whistleblower protection, the whistleblowing entity must be, or have been, in a relationship with the entity it is reporting about.[16] This can include being:
    • an employee or former employee
    • a dependent or spouse
    • individuals who supply services or goods to the entity (such as tax practitioners).

Eligible recipient

  31. To qualify for protection as a whistleblower, the disclosure must be made to an eligible recipient.[17] Eligible recipients include:
    • the Commissioner of Taxation (if it assists in the performance of functions and duties under a taxation law), or
    • any other person that is in a position to take appropriate action (usually internal action).
  32. Disclosures can also be made to other persons that are in a position to take appropriate action, including recipients appointed by an entity to receive disclosures from whistleblowers. An eligible recipient may be:
    • an auditor, or a member of an audit team conducting an audit of the financial or tax affairs of an entity, or
    • a registered tax agent or BAS agent who provides services to the entity.
  33. The TPB is not an eligible recipient.

Whistleblower protections for tax practitioners

  34. It is illegal for someone to disclose the identity, or information that may lead to the identity, of an eligible whistleblower who has made a disclosure to an eligible recipient under the whistleblower protections.
  35. Further, whistleblowers are not subject to civil, criminal or administrative liability for making a disclosure and an entity cannot be sued for a breach of a confidentiality clause in a contract. For tax practitioners, this means that you cannot be sanctioned if you disclose information about your client pursuant to the whistleblower protections.
  36. Further information on making a disclosure to the Commissioner of Taxation can be found on the ATO’s website.


Responding to non-compliance with laws and regulations (NoCLAR)

  37. The Accounting Professional & Ethical Standards Board’s (APESB) APES 110: Code of Ethics for Professional Accountants includes the Non-compliance with laws and regulations (NoCLAR) framework. This framework provides standards for APESB members on how best to act in the public interest when they become aware of NoCLAR.
  38. This framework applies to all members of Chartered Accountants Australia & New Zealand, CPA Australia, and Institute of Public Accountants.
  39. NoCLAR is any intentional or unintentional act of omission or commission that is committed by a client or employer[18] and which is contrary to prevailing laws or regulations.
  40. Under the NoCLAR framework, APESB members are expected to consider whether disclosure to an appropriate authority about NoCLAR or suspected NoCLAR is an appropriate course of action in the circumstances. However, a disclosure that is contrary to a law or regulation, such as Code item 6, is not required or permitted under the NoCLAR framework.
  41. This means that, in complying with the NoCLAR framework, APESB members that are also tax practitioners must ensure that they continue to comply with the Code and the TASA, and in particular Code item 6 (noting the whistleblower protections that may be applicable – see paragraphs 29 to 36 above).


Consequences for failing to comply with Code Item 6

  42. If a tax practitioner discloses information relating to a client’s affairs to a third party without the client’s permission or without a legal duty to do so, the TPB may find that the tax practitioner has breached the Code and may impose sanctions for that breach.
  43. Ultimately, determining whether a tax practitioner has complied with their obligations under Code Item 6 will be a question of fact. This means that each situation will need to be considered on a case-by-case basis having regard to the particular facts and circumstances.
  44. If a tax practitioner breaches the Code, the TPB may impose one or more of the following sanctions:
    • a written caution
    • an order requiring the tax practitioner to do something specified in the order
    • suspension of the tax practitioner’s registration
    • termination of the tax practitioner’s registration.


Practical examples involving Code Item 6

  45. The following are indicative examples which illustrate the general application of Code Item 6. In all cases, consideration will need to be given to the specific facts and circumstances.

Example 1 – Client permission to disclose information to an overseas third party

Situation

Lilly & Co is a large accounting firm and a registered tax agent. To minimise its operating costs, Lilly & Co enters into an agreement with a bookkeeping/data processing firm in Hong Kong, Zheng & Co, that Zheng & Co will perform the bookkeeping and data processing work for Lilly & Co’s clients.

Obtaining client permission

In order to send the clients’ information to Zheng & Co for processing, Lilly & Co discloses its arrangement with Zheng & Co in its letter of engagement with clients and obtains its clients’ explicit permission by way of a signed client engagement letter to disclose the information to Zheng & Co.

Subject to the terms in the letter of engagement, Lilly & Co will have primary responsibility for the provision of the relevant tax agent services, including the bookkeeping and data processing work undertaken by Zheng & Co.

Example 2 – Legal duty to disclose information to a third party

Situation

The ATO is conducting an audit on Patricia’s income tax return from the previous financial year, but Patricia does not have all of her receipts and payment summaries. As her registered tax agent, Edward prepared and lodged her income tax return for the previous financial year. The ATO has issued a notice under section 353-10 in Schedule 1 to the Taxation Administration Act 1953 (TAA 1953) for Edward to provide it with all relevant information regarding Patricia’s income tax return from the previous financial year.

Legal duty to disclose

Although Edward is required to maintain the confidentiality of the information relating to the affairs of his client, Patricia, the ATO’s notice creates an overriding legal obligation and Edward therefore has a legal duty to disclose the information requested in the notice to the ATO.[19] Edward also decides to inform Patricia of his decision to disclose the information to the ATO.

Alternatively, if the ATO did not make a request pursuant to section 353-10 in Schedule 1 to the TAA 1953 and instead made a general request, Edward would not have a legal duty to disclose the information to the ATO. It is also noted that the requirement under Code Item 6 is subject to material being properly withheld under legal professional privilege.

Example 3 – Client permission to disclose information to another tax practitioner third party

Situation

Jackie runs a local coffee shop in Melbourne. Jackie engages Tony’s Tax Services, a registered tax agent, to prepare and lodge her outstanding business activity statements and also to provide tax advice regarding the proposed sale of her coffee shop. Tony’s Tax Services separately engages Bella, a registered BAS agent, to prepare the outstanding business activity statements.

Obtaining client permission

In order to send Jackie’s information to Bella to enable Bella to prepare the outstanding business activity statements, Tony’s Tax Services discloses its arrangement with Bella in its letter of engagement with Jackie. Tony’s Tax Services obtains Jackie’s explicit permission by way of a signed client engagement letter to disclose the information to Bella.

Example 4 – Client permission to disclose information to an external IT provider third party

Situation

Victor & Paulson is a mid-sized registered tax agent partnership that provides tax agent services to various large corporations and other sophisticated clients. Victor & Paulson enters client data into its accounting software programs using cloud computing hosted by an external IT provider.

Obtaining client permission

In order to enter client data into its accounting software programs, Victor & Paulson discloses its cloud computing arrangements in its client engagement letters. Victor & Paulson obtains a signed client engagement letter from each client to disclose the information to the external IT provider.


Example 5 – Client permission to disclose information to a financial institution third party

Situation

Olivia is a registered BAS agent. Olivia is contacted by the International Bank, a financial institution, requesting certain financial information relating to Greg, who is one of her clients. The International Bank explains that the information is required to support Greg’s finance application for a new car.

Obtaining client permission

Before providing Greg’s financial information to the International Bank, Olivia contacts Greg and seeks his permission to disclose the information to the International Bank.

Example 6 – Client permission to disclose information to a new tax practitioner

Situation

Jessica is a registered BAS agent who receives a phone call from Noelene, another registered BAS agent, advising that she has been approached to take over one of Jessica’s clients and is seeking a transfer of the client’s files.

Obtaining client permission

Before transferring the client’s files over to Noelene, Jessica obtains permission from her client.

Example 7 – Tax whistleblowing disclosure made without client permission or legal duty

Situation 

Sharon is a registered tax agent and an APESB member subject to the NoCLAR framework in APES 110: Code of Ethics for Professional Accountants. She identifies a client’s non-compliance with a taxation law. Sharon applies the NoCLAR framework and concludes that disclosure to the Commissioner of Taxation is the appropriate course of action. NoCLAR does not create a legal duty to disclose this information to the Commissioner and Sharon has not received her client’s permission to disclose the information.

Disclosure without client permission or legal duty to disclose 

After considering her position under the NoCLAR framework and seeking legal advice to confirm that she is an eligible whistleblower, Sharon decides to disclose her client’s non-compliance of tax liabilities to the Commissioner, who is an eligible recipient under the whistleblower protections. As an eligible whistleblower, Sharon will not be subjected to any findings or sanctions under the TASA for disclosing confidential information about her client to the Commissioner.

Example 8 – Tax whistleblowing fraudulent arrangements

Situation

Andrew is a registered BAS agent. His long-time client, Claire, runs a gardening business and has requested assistance in seeking cashflow boost (CFB) entitlements. Claire asks Andrew to lodge an amended business activity statement (BAS) for her business to report false amounts of salary and wages and PAYG withholding. When Andrew queries the legitimacy of the amounts that Claire is seeking to have included in the amended BAS, Claire advises that if Andrew is not willing to lodge an amended BAS for her business as instructed, she will find another BAS agent who will.

Declining engagement and making a disclosure to the Commissioner of Taxation

Andrew declines Claire’s engagement. Whilst Andrew has not received Claire’s consent to disclose this information to the Commissioner of Taxation, he decides to do so under the tax whistleblowing protections. Because Andrew is an eligible whistleblower and the Commissioner of Taxation is an eligible recipient, Andrew will not be subjected to any findings or sanctions under the TASA for disclosing confidential information about Claire to the Commissioner of Taxation.



[1]Refer to TPB(EP) 01/2010 Code of Professional Conduct and TPB(I) 32/2017 Code of Professional Conduct – Confidentiality of client information for tax (financial) advisers

[2]Paragraph 3.38 of the Explanatory Memorandum to the Tax Agent Services Bill 2008

[3]For the purposes of this TPB(I), ‘client information’ means information relating to a client’s affairs under Code Item 6.

[4]The Macquarie Dictionary (2022) defines opt in as ‘to elect to participate’.

[5]See also, e.g., Office of the Australian Information Commissioner Guide to securing personal information.

[6]See also TPB Practice Note TPB(PN) 1/2017 - Cloud computing and the Code of Professional Conduct.

[7]See, in particular, APES Guidance Note GN 30 - Outsourced Services. This guidance note applies to members of relevant professional bodies that have adopted it.

[8]See also TPB Practice Note TPB(PN) 2/2018 Outsourcing and offshoring of tax services – Code of Professional Conduct considerations.

[9]The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) imposes transaction and compliance reporting obligations on reporting entities when they provide designated services; the requirements set rules with respect to customer due diligence, identification, record keeping and reporting. For further information on complying with obligations under the AML/CTF Act, refer to the AUSTRAC compliance guide (Chapter 7 provides an overview of the AML/CTF Act reporting obligations) available at www.austrac.gov.au.

[10]See section 70-50 of the Tax Agent Services Act 2009.

[11]The term ‘appropriate arrangements’ is consistent with the OAIC’s APP 11 which states that an entity must take reasonable steps to protect personal information from unauthorised disclosure: see Chapter 11: APP 11 — Security of personal information - Home (oaic.gov.au).

[12]For further information on digital services, refer to TPB (I) 09/2011 Digital service providers and the Tax Agent Services Act 2009.

[13]‘Organisation’ is defined in section 6C of the Privacy Act 1988 and excludes certain small business and small business operations; see further section 6D of the Privacy Act 1988.

[14]If tax practitioners are providing services to clients who are overseas, tax practitioners should also ensure they are complying with relevant applicable laws that apply in that jurisdiction.

[15]Whistleblower protections and remedies are provided in Part IVD of the Taxation Administration Act 1953 (TAA 1953).

[16]For further information on ‘eligible whistleblowers’ refer to section 14ZZU of the TAA 1953.

[17]For further information on ‘eligible recipients’ refer to section 14ZZV of the TAA 1953.

[18]Including by management or by others working for or under the direction of the client or employer.

[19]Note: It is also observed that subsection 30-10(11) of the Tax Agent Services Act 2009 states that tax practitioners must not knowingly obstruct the proper administration of the taxation laws.