Webinar

Issued: 13 May 2025

Last modified: 8 August 2025


Join us as we provide guidance on the steps tax practitioners need to take to protect personal information you hold. You’ll also find out what steps you should take to mitigate the risk of malicious attacks.

Resources

Webinar recording

Privacy – it's everyone's business

Questions and answers

We have compiled some of the questions we received during our webinar.

Responsibilities under the Privacy Act 1988

The Privacy Act 1988 (Privacy Act), including the Australian Privacy Principles, generally applies to Australian Government agencies and to organisations with an annual turnover of more than $3 million (as well as some other organisations, subject to certain exceptions). However, the privacy laws also apply to some 'small business operators' with an annual turnover of $3 million or less. The Office of the Australian Information Commissioner (OAIC) regulates the Privacy Act and provides guidance on the privacy laws. More information about this exception is available on the OAIC website.


Client confidentiality and personal information

To comply with your obligation under Code item 6 of the Code of Professional Conduct, you cannot disclose any information relating to your client’s affairs to a third party without the client’s permission, unless you have a legal duty to do so. You will therefore need your client’s consent to disclose their information to the bookkeeper. More information about client consent can be found on our Confidentiality of client information page. You will also need to ensure you comply with your obligations under the Privacy Act in relation to the use and disclosure of personal information.


Tax practitioners are required to comply with the privacy laws governing the use, storage and disclosure of personal information under the Privacy Act. 'Personal information' is information or an opinion about an identified individual, or an individual who is reasonably identifiable. Where it is unclear whether an individual is reasonably identifiable, you should err on the side of caution and treat the information as if it were personal information.


You can include personal information in an engagement letter; however, make sure you comply with your obligations under the Privacy Act in relation to the use and disclosure of 'personal information', and under Code item 6. This includes taking reasonable steps to maintain the confidentiality of your client's information and ensuring that an engagement letter containing personal information goes only to the client and not to unintended recipients. See our guidance for more information on what to include in an engagement letter.


Information sharing

Information shared on social media platforms can be considered personal information under the privacy laws, and information about a client's affairs for the purposes of the obligation under Code item 6. If the sharing of information involves the use or disclosure of client information, there may be privacy implications, depending on the circumstances. Learn more by reading the guidance on the TPB and the Office of the Australian Information Commissioner (OAIC) websites.


Tax practitioners in this situation must still comply with their obligations under the privacy and confidentiality laws administered by the TPB and the OAIC in relation to the disclosure of client information.


The information lifecycle

To ensure you comply with Code item 6, you can provide the data to the client directly or, if the client gives you consent, you can provide the information to the new registered tax practitioner.


Tax practitioners must ensure they comply with the confidentiality and privacy laws administered by the TPB and the OAIC when destroying and disposing of clients' personal information. This extends to making sure appropriate controls are in place for disposing of information and ensuring it can no longer be accessed. Additional information about the privacy laws, and appropriate controls, can be found on the OAIC website.


You must retain records for at least 5 years after the tax agent service has been provided. A tax agent service is considered to have been 'provided' from the date the service is complete. When a service is considered complete will be determined based on the facts and circumstances of the engagement. Generally, there are no mandatory requirements to return, destroy or de-identify client records or information after a certain period or after an engagement has ended. However, once the 5-year period has lapsed, you should consider whether you need to take steps to return, de-identify and/or destroy records (as appropriate), having regard to any recordkeeping arrangement with the client and the relevant privacy laws. For more information, read our obligation to keep proper client records page.