Go to top of page

Cloud computing – Questions and answers

17 November 2020

Cloud computing – Questions and answers

We have compiled some of the questions we received during our webinar – Using the cloud.




Code item 6 – confidentiality of client information



What are the benefits of cloud computing?

The cloud offers a number of benefits to businesses, including:

  • Cost – using the cloud presents opportunities to eliminate the expense of buying hardware and software as well as setting up and running on-site servers, or for larger businesses, data centres. Cloud provisioned services provide the opportunity to only pay for what you use, but be aware that with ease of use, costs can increase if you purchase more capacity than you need.
  • Speed - most cloud computing services are provided as self service and on demand, meaning you can access your data almost immediately. This flexibility can enable you to implement your decisions quickly.
  • Performance - the biggest cloud computing services run on a worldwide network of secure data centres, which are regularly upgraded to the latest generation of fast and efficient computing hardware.
  • Reliability - cloud computing makes data backup, disaster recovery and business continuity easier and less expensive.

What is the expectation in regard to the frequency with which tax practitioners should enquire about any changes to service levels/contractual terms?

We would expect tax practitioners to review any changes to contract/services terms and consider if these changes are relevant to their obligations under the Code of Professional Conduct (Code), and in particular Code item 6 which relates to client confidentiality.

Our Practice Note on cloud computing contains a list of considerations for tax practitioners to take into account in relation to cloud arrangements. The list would be a good starting point for tax practitioners in considering if a contractual term that has been updated is relevant to their obligations under the Code, and if the cloud arrangement continues to be appropriate, and/or if additional consent should be sought from affected or relevant clients.

Back to Top ↑


If we are using standard services like Microsoft, Adobe or Xero for cloud storage how do we know that they meet the necessary security requirements?

To understand the security of cloud services like Microsoft Office 365, Adobe and Xero, the Small Business Cyber Security Guide from the Australian Cyber Security Centre (ACSC) will help.

We are in the process of collaborating with the Australian Taxation Office (ATO) and ACSC to provide some further guidance to tax practitioners. Keep an eye on our website and TPB eNews over coming months.

I've heard that Virtual Private Networks (VPN's) are no longer secure, is that true?

VPNs seem like the perfect tool for the job – they encrypt and anonymise our data, keeping it secure and away from prying eyes. But things can get complicated, any technology poorly implemented or maintained can create security risks that the user didn’t intend. It’s worth ensuring you have engaged a trustworthy partner to help with your cloud security solutions. If you see something or aren’t sure about your or your client’s security, it’s important to ask.

If a client has set-up cloud-based accounting software that the tax practitioner then uses, how does that relate to our security requirements?

If the tax practitioner is inputting (and as such, disclosing) client information, they still have a responsibility to obtain the client’s consent to disclose the information to the third party (in this case, the cloud service provider) disclosure is authorised and should take into account the considerations set out in our cloud computing Practice Note.

Back to Top ↑


Is there one cloud provider that the TPB prefers or recommends?

Unfortunately, we can’t recommend a cloud provider. This is a business decision and you will need to research providers and consider things such as:

  • What privacy provisions are in place?
  • What would happen in the unfortunate event of a breach?
  • Who owns the data?
  • Who has access to the data?
  • Where is the data stored and backed-up?
  • What service and support is offered?
  • Does the provider comply with Australian privacy laws?
  • Under what circumstances would the provider access your data or disclose it to a third party?
  • Will you be notified if your data has been lost, breached or its security compromised?
  • How much the cloud service costs?

If in doubt, you should seek advice from the Office of Australian Information Commissioner.

Would you consider using a cloud document service like Google Drive, Dropbox or Box.com offshoring?

We cannot speak about Google Drive, Dropbox or Box.com, but any service that holds the data outside of Australia and its territories would be seen as offshore data storage.

To what extent is it reasonable to rely on a third-party provider's security measures? How can we determine the level of their security reliably?

This may be a matter that you consult with an IT consultant/expert about prior to engaging a software provider.

Back to Top ↑

Code item 6 – confidentiality of client information

Under Code item 6 – confidentiality of client information, if the ATO asks for client information do I need to get the clients approval before we provide the ATO with any details?

Under Code item 6 you cannot disclose client information to a third party unless you have their permission or there is a legal duty to do so. A ‘third party’ is any entity other than you and your client and includes the ATO.

Information or documents can be provided to the ATO under a notice pursuant to section 353-10 in Schedule 1 of the Taxation Administration Act 1953 concerning taxation laws. This requirement is subject to that material being properly withheld by the registered agent under legal professional privilege.

Importantly, if you are concerned whether there is a legal duty to disclose client information to a third party, you should consider seeking independent legal advice.

In relation to Code item 6, does this mean that if I invite my software company in via remote access to support an issue I will be in breach as they potentially have access to client data? If so, how do I deal with this?

You will need your client’s permission before disclosing any information to a third party, which would include a software company in this scenario.

If our engagement letter states that the client's information is being accessed by overseas providers and the client agrees to that – does this comply with Code item 6?

Permission may be given using a signed letter of engagement, signed consent or other communication with the client. In all cases, the relevant communication should outline the disclosures to be provided, as well as information about the entity or entities that will have access to the client information.

For further information see our Information Sheet on confidentiality of client information.

Back to Top ↑


Can DocuSign or email be used for client authorisations?

Yes, as long as the client has acknowledged receipt and acceptance of the terms of your engagement and the use of cloud computing this provides you with protection.

Email confirmation is accepted under the Electronic Transaction Act 1999 as evidence ‘in writing’.

If the cloud-based software a tax practitioner uses doesn’t have a function for their clients to make a declaration, does the tax practitioner still have to get the authorisation, and if so, how?

The Taxation Administration Act 1953 requires you to have first received a signed declaration in writing from your client each time you lodge an approved form on behalf of your clients. This only applies to lodgement of approved forms such as activity statements and tax returns. It does not mean you require authorisation each time you contact the ATO to act on your client’s behalf.

If you are using cloud-based accounting software that doesn’t have functionality for a declaration to be made, we recommend a separate declaration be made via email or letter, clearly stating which document is being authorised for lodgement.

Your client should keep the declaration (or a copy) for up to five years. We recommend you also keep a copy of the declaration for your own records. The copy can be stored electronically, regardless of whether it was received by email or in paper form.

If the cloud servers are overseas is it a breach of TFN protections to store this information here?

Questions in relation to the laws relating to tax file number (TFN) disclosure should be directed to the Office of the Australian Information Commissioner (OAIC) and ATO, as they are primarily responsible for the administration of these laws.

Is the TPB doing anything to prevent accountants claiming a lien over client data when a client leaves?

Whether a tax practitioner can retain client data after a client has left will depend on the circumstances of the engagement and the type of data in question. Our Information Sheet on claiming a lien over client property sets out the circumstances in which it would generally be appropriate for a tax practitioner to retain client property (including client data), through exercising a valid lien. Generally, to exercise a valid lien:

  1. The tax practitioner must be claiming the lien in their own right, and not merely as an agent of a third person.
  2. The tax practitioner must have actual or constructive possession of the client’s property.
  3. The outstanding debt or demand must be connected to the property over which the lien is being claimed.

Further, it is widely accepted that tax practitioners can only claim a lien over property upon which they have expended labour and made more valuable. Therefore, a lien could only attach to electronic property such as a software data file where the tax practitioner has expended labour and made the property more valuable.

Back to Top ↑

Last modified: 17 November 2020