Issued: 13 May 2025
Last modified: 20 June 2025
Keep your client information secure by learning more about the appropriate use and disclosure of client TFNs and TFN information in email communications. We will look at the steps we’d expect you to consider that will assist you to comply with the Code of Professional Conduct.
Resources
Webinar recording
Questions and answers
We have compiled some of the questions we received during our webinar.
Using and disclosing tax file numbers (TFNs)
What are the best methods to communicate with a client if I need to disclose a TFN? Are emails secure? What about applications, such as WhatsApp, SMS and Dropbox?
We do not recommend sending and receiving TFNs by email as this is not considered to be a secure method of transmission.
We strongly recommend using more secure methods such as:
- via a secure website, secure online mailbox or secure messaging
- an encrypted or password protected attachment to an email
- using another secure electronic solution that minimises the risk of interception of the sensitive information, identity document and/or evidence.
While we cannot recommend specific applications, the methods used should have additional security measures, such as encryption, to ensure TFNs and TFN information is protected.
What is the best way to provide a client with their Payment Reference Number (PRN) or an un-redacted Notice of Assessment when the client has requested to receive these via email?
In circumstances, where redacting a TFN is not appropriate, and your client would like to receive information by email, you should take the following steps:
- validating the email address with a recipient to minimise the risk of unauthorised disclosure to a person who is not the intended recipient
- only sending this information by email as an encrypted or password protected attachment
- maintaining records of the email.
Can TFNs be disclosed during phone calls with clients?
While you can disclose a client’s TFN to them and receive a TFN from a client over the phone, you must follow the proof of identity requirements to ensure you ascertain the identity of the person you are speaking with prior to disclosing any information, including TFNs.
If a client moves to another accounting firm and the new tax practitioner asks for the TFN, can we provide the TFN to the new tax practitioner?
As the new tax practitioner is a third party, you must obtain permission from your client prior to providing any client information, including TFNs. When obtaining this permission, it is recommended that you clearly inform the client about the proposed disclosure (including noting to whom and where the disclosure will be made).
Additionally, when disclosing a client’s TFN or TFN information you must take the relevant security precautions such as those outlined in our Practice note to ensure you comply with your broader privacy and security obligations under the Privacy (Tax File Number) Rule 2015 and under the Privacy Act 1988 (Cth) (Privacy Act).
Can the ATO start blocking out TFNs on the Notices of Assessment (NOA)?
We understand that the process of redacting TFNs from ATO letters and notices before forwarding them to clients via unsecured channels, such as email, can be burdensome for registered tax practitioners. Although the ATO’s current systems do not support TFN redaction, they are actively exploring opportunities to incorporate this functionality in future system updates and upgrades. The ATO’s goal is to facilitate a more secure and efficient communication process for both tax practitioners and taxpayers.
Additionally, rather than sending clients a redacted copy of notices and letters, the ATO suggest you can also direct them to download a copy of the document from the client communication history in Online services for agents.
Software
My lodgement software emails draft returns to my clients including the TFN. Should the TFN be hidden in this transmission?
Security precautions should be taken to ensure you comply with legislative requirements if you are sending emails that include TFNs. This could include redacting the TFN or only sending this information by email as an encrypted or password protected attachment.
Regarding cloud storage which may have the client’s TFN included – is that considered disclosing information to the cloud provider?
Yes, a third party is any entity other than the client and the tax practitioner. This includes entities that maintain offsite data storage systems including cloud storage.
You must obtain permission from each client prior to divulging client information to cloud service providers. When obtaining this permission, it is recommended that the tax practitioner clearly inform the client about the proposed disclosure (including noting to whom and where the disclosure will be made, and where data will be stored). A general authority consenting to disclosure to third parties may also be acceptable.
Additionally, when disclosing a client’s TFN and TFN information you must undertake the relevant security precautions to ensure you comply with your broader privacy and security obligations under the Privacy (Tax File Number) Rule 2015 and under the Privacy Act 1988 (Cth) (Privacy Act).
For further information regarding cloud computing and the disclosure of client information, please refer to our Practice note.