TPB Information Sheet
Code of Professional Conduct – Confidentiality of client information for tax (financial) advisers
This information sheet is also available as a PDF, download TPB(I) 32/2017 Code of Professional Conduct - Confidentiality of client information for tax (financial) advisers (225 KB)
This is a Tax Practitioners Board (TPB) information sheet (TPB(I)). It is intended to be for information only. While it seeks to provide practical assistance and explanation, it does not exhaust, prescribe or limit the scope of the TPB’s powers in the Tax Agent Services Act 2009 (TASA).
In addition, please note that the principles and examples in this TPB(I) do not constitute legal advice and do not create additional rights or legal obligations beyond those that are contained in the TASA or which may exist at law.
This Information Sheet was originally issued as an Exposure Draft TPB(I) D31/2015 Code of Professional Conduct – Confidentiality of client information for tax (financial) advisers on 21 December 2015. The TPB invited comments and submissions in relation to the information contained in it by 19 February 2016 and then held a further round of consultation.
The TPB considered all the comments and submissions received and now publishes the following TPB(I). It is based on the TASA as at 15 March 2017 (latest version available at time of publication).
Issued: 5 May 2017
Last updated: 10 October 2018
- This Information Sheet (TPB(I)) has been prepared by the Tax Practitioners Board (TPB) to assist registered tax (financial) advisers to understand their obligations under subsection 30-10(6) of the Tax Agent Services Act 2009 (TASA) (Code of Professional Conduct (Code) Item 6).
- In this TPB(I), you will find the following information:
  - what is Code Item 6, including comparison with the Corporations Act 2001 (paragraphs 4 to 5)
  - how to comply with Code Item 6 (paragraphs 6 to 26)
  - privacy considerations (paragraphs 27 to 28)
  - consequences for failing to comply with Code Item 6 (paragraphs 29 to 31)
  - practical examples involving Code Item 6 (paragraph 32).
- The TPB has previously published explanatory guidance that sets out its view on the application of the Code to tax and BAS agents, including on Code Item 6.
- Code Item 6 provides that, unless there is a legal duty to do so, tax (financial) advisers must not disclose any information relating to a client’s affairs to a third party without the client’s permission. A number of potential options might be used to obtain the necessary client permission. For further information in relation to client permission, including examples of options that might be used to obtain permission, refer to paragraphs 15 to 21 below.
Comparison with the Corporations Act 2001
- While no similar obligation exists in the Corporations Act 2001, it is noted that Australian Privacy Principle (APP) 6.1 in the Privacy Act 1988 (Cth) requires that you do not use personal information about an individual that was collected for a particular purpose (primary purpose) for another purpose (secondary purpose) unless:
  - the individual has consented to the use or disclosure of the information, or
  - one of the exceptions in APP 6.2 applies.
What is ‘information’?
- Information refers to the acquiring or deriving of knowledge and includes, but is not limited to, capturing information known about a client. This information could be acquired directly or indirectly from the client or other sources.
What is ‘information relating to a client’s affairs’?
- It is only necessary that the information relates to the affairs of a client. The information does not have to belong to the client, or have been directly provided by the client to a tax (financial) adviser.
Who is a ‘third party’?
- For the purposes of Code Item 6 and the TASA, a third party means any entity other than the client and the tax (financial) adviser.
- A third party includes a related entity of the client and/or tax (financial) adviser. For example, in the case of a tax (financial) adviser that is an authorised representative of an Australian financial services (AFS) licensee, a third party includes the AFS licensee, and vice versa. However, the following is also recognised:
  - in the context of an AFS licensee/authorised representative relationship, it is understood that authorised representatives (who are registered practitioners) often use ‘fact finds’ or other documents to obtain consent from clients and therefore facilitate the flow of client information to the AFS licensee from the authorised representative (see also paragraph 15 below)
  - a provider of personal advice who is an authorised representative of an AFS licensee is required to provide information to the AFS licensee pursuant to s912G of the Corporations Act 2001 (Corporations Act), as inserted by Australian Securities and Investments Commission (ASIC) Class Order [CO 14/923] Record-keeping obligations for Australian financial services licensees when giving personal advice, which requires an authorised representative of an AFS licensee to give records to the AFS licensee if requested by the AFS licensee, provided the request is made:
    - in connection with the obligations imposed on the AFS licensee under Chapter 7 of the Corporations Act; and
    - within seven years after the day on which the personal advice was provided to the client (see also paragraph 23 below).
- In relation to a tax (financial) adviser that outsources a component of a tax (financial) advice service to another entity (for example, another registered tax practitioner, a legal practitioner, contractor or an overseas or offshore entity), the third party would include that other entity.
- Further, a third party may also include entities that maintain offsite data storage systems (including ‘cloud storage’).
- Subject to the relevant contractual arrangements, a third party may also include other AFS licensees, authorised representatives, para-planners, product providers and advisers, insurance brokers, and technical teams and advisers.
In what circumstances can a tax (financial) adviser disclose information relating to a client’s affairs (or a former client's affairs) to a third party?
- A tax (financial) adviser may only disclose information relating to a client’s affairs (or a former client's affairs) to a third party if:
  - the tax (financial) adviser has the client’s (or former client's) permission; or
  - there is a legal duty to do so.
- The TPB recognises that there are obligations associated with being a member of an ASIC approved external dispute resolution (EDR) scheme and also where financial services are covered by the Superannuation Complaints Tribunal (SCT). Further, it is recognised that an AFS licensee may need to obtain legal advice in respect of dealing with a complaint and defending a claim.
(i) Client’s permission
- Where information relating to a client’s affairs is to be disclosed by a tax (financial) adviser to a third party, the tax (financial) adviser should, prior to any disclosure, clearly inform the client that there will be such disclosure and obtain the client’s permission. This permission has to be relevant to the engagement and may be by way of a signed letter of engagement, signed consent, or other communication with the client which may include, in certain circumstances:
  - a relevant ‘fact find’ and consent
  - a relevant Financial Services Guide (FSG) and consent
  - a relevant Statement of Advice (incorporating an ‘authority to proceed’) signed by the client
  - a privacy declaration and consent form
  - a privacy acknowledgment and consent
  - a relevant product disclosure statement and consent, or
  - an appropriately authorised confirmation email.
In all cases, the relevant communication should outline the disclosures to be provided, as well as information about the entity/entities that will have access to the client information.
- A tax (financial) adviser must ensure that they inform their clients about any client information that may be disclosed. In this regard, it is recommended that the tax (financial) adviser include information in relation to whom and where the disclosure will be made. A general authority consenting to disclosure to third parties may also be acceptable.
- However, even in the context of a general disclosure, tax (financial) advisers should require a positive step from their client to authorise the requisite disclosure. This may include an appropriate ‘opt-in’ type approach. Further, a tax (financial) adviser is not excused from taking steps to protect information just because it would be inconvenient, time-consuming or costly to do so.
- While there is no set formula or methodology used to obtain client permission, the TPB suggests that tax (financial) advisers be clear in explaining to their client where information may be disclosed (including, among other things, where a component of work or add-on activity is completed elsewhere). For example, to avoid any likelihood of your practices being seen as misleading, we suggest that you must not imply or state that all your work is completed in Australia, if that is not the case.
- In relation to outsourcing arrangements and cloud storage arrangements, the TASA does not specifically prohibit these activities. However, tax (financial) advisers must consider their obligations under Code Item 6 in relation to these arrangements to ensure confidentiality of client information, including appropriate disclosure in regard to where data is being sent and stored.
- While not binding on all tax (financial) advisers, further useful guidance on what steps a tax (financial) adviser may take when providing or utilising outsourced services may be found in specific Australian Prudential Regulation Authority (APRA) guidance. It is also noted that TPB accredited recognised professional associations may be able to assist in providing practical guidance, while recognising that there is not a default one-size-fits-all template and that arrangements will need to be mindful of the particular circumstances.
- Ultimately, the onus is on the tax (financial) adviser to exercise appropriate due diligence when outsourcing work, including ensuring appropriate disclosure. Outsourcing may also give rise to other obligations under the TASA, including ensuring that tax (financial) advice services are provided to a competent standard, and that there are adequate supervision and control arrangements.
(ii) Legal duty to do so
- A tax (financial) adviser may disclose information relating to a client’s affairs to a third party without the client’s permission if the tax (financial) adviser has a legal duty to disclose the information.
- Examples of circumstances where a tax (financial) adviser may have a legal duty to disclose client information to a third party include:
  - providing information to the TPB under a notice issued pursuant to section 60-100 of the TASA
  - providing information to a court or tribunal pursuant to a direction, order, or other court process
  - providing information to AUSTRAC in accordance with reporting obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)
  - providing information to an AFS licensee pursuant to s912G of the Corporations Act 2001 (Corporations Act), as inserted by ASIC Class Order [CO 14/923] Record-keeping obligations for Australian financial services licensees when giving personal advice, which requires an authorised representative of an AFS licensee to give records to the AFS licensee if requested by the AFS licensee, provided the request is made:
    - in connection with the obligations imposed on the AFS licensee under Chapter 7 of the Corporations Act; and
    - within seven years after the day on which the personal advice was provided to the client
  - providing information or documents to the Australian Taxation Office (ATO) under a notice pursuant to section 353-10 in Schedule 1 to the Taxation Administration Act 1953.
- The TASA, including Code Item 6, does not affect the law relating to legal professional privilege. Legal professional privilege protects confidential communications between a lawyer and their client from compulsory production. Therefore, under legal professional privilege a lawyer may, in certain circumstances, lawfully withhold documents or not provide information without breaching Code Item 6.
- If a tax (financial) adviser is concerned as to whether there is a legal duty to disclose client information to a third party, the tax (financial) adviser should consider seeking independent legal advice.
- Tax (financial) advisers also need to ensure that they have appropriate arrangements to prevent inadvertent disclosure. In this regard, the following are some examples of where tax (financial) advisers need to be particularly mindful of their obligations:
  - the use of external service providers which may include, for example, IT consultants and cleaners
  - the use of recycled paper which includes personal details concerning other clients
  - leaving client information in unsecured locations which may be accessed by third parties
  - disposing (such as trading in or selling to a second-hand market) of IT equipment that contains/stores data that may be accessible by third parties
  - the use of shredding and data disposal services.
- In addition to a tax (financial) adviser's obligations under Code Item 6, the Privacy Act 1988 (Cth) sets out a number of Australian Privacy Principles (APPs) which govern the use of, storage and disclosure of personal information and other conduct by organisations. Some of these APPs may have a direct impact on the requirement to obtain consent (express or implied) from clients.
- Tax (financial) advisers should seek their own advice about whether the provisions of the Privacy Act 1988 apply to them. Information about obligations under the Privacy Act 1988 is provided by the Privacy Commissioner and is accessible from the Office of the Australian Information Commissioner’s website at www.oaic.gov.au
- If a tax (financial) adviser discloses information relating to a client’s affairs to a third party without the client’s permission or without a legal duty to do so, the TPB may find that the tax (financial) adviser has breached the Code and may impose sanctions for that breach.
- Ultimately, determining whether a tax (financial) adviser has complied with their obligations under Code Item 6 will be a question of fact. This means that each situation will need to be considered on a case-by-case basis having regard to the particular facts and circumstances.
- If a tax (financial) adviser breaches the Code, the TPB may impose one or more of the following sanctions:
  - a written caution
  - an order requiring the tax (financial) adviser to do something specified in the order
  - suspension of the tax (financial) adviser’s registration
  - termination of the tax (financial) adviser’s registration.
- The following are indicative examples which illustrate the general application of Code Item 6. In all cases, consideration will need to be given to the specific facts and circumstances of each matter.
Example 1 – Client permission to disclose information to an online broker
Drew approaches Kylie, a registered tax (financial) adviser, to provide tax (financial) advice services. As part of the tax (financial) advice services provided, Kylie advises Drew to participate in an upcoming float, which is only available through a particular online broker.
Drew confirms that he wishes to participate in the upcoming float and instructs Kylie to organise a $50,000 investment.
Obtaining client permission
Before organising the $50,000 investment in the float, Kylie sends Drew an email confirming, among other things, the nature of the investment and the potential risks. Further, in her email, Kylie requests Drew’s permission (via return email) to disclose his information to the online broker to complete the application for the float.
Example 2 – Client permission to disclose information to an insurer
Betty approaches Stephen, a registered tax (financial) adviser, to provide tax (financial) advice services. As part of the initial scaled engagement, Betty seeks a recommended product in relation to life risk advice and provides her adviser with key relevant information (including her finances and circumstances).
Stephen assesses Betty’s situation and liaises with various insurers that he interacts with on a regular basis.
Stephen will also receive an ongoing benefit from the relevant chosen insurer in the event that Betty proceeds to purchase a particular product.
Obtaining client permission
As Stephen already knows of the insurers that he will be liaising with, he requests Betty’s permission (via signed disclosure statement) to disclose specific information (relating to Betty’s circumstances and needs) to the particular insurers for the purpose of providing recommendations on what will work best for Betty in meeting her needs. This permission is obtained prior to Stephen disclosing information to the insurers.
Stephen also discloses that he will receive an ongoing benefit from the relevant chosen insurer in the event that Betty proceeds to purchase a particular product.
Example 3 – Client permission to disclose information to an external IT provider
Zincorppe is a mid-sized registered tax (financial) adviser company that provides tax (financial) advice services to various clients. Zincorppe enters client data into its software programs using cloud computing hosted by an external IT provider.
Obtaining client permission
In order to enter client data into its software programs, Zincorppe discloses its cloud computing arrangements in an email. Further, Zincorppe obtains a confirmation email from each client to disclose the information to the external IT provider.
Example 4 – Client permission to disclose information to a legal firm
Patricia engages Manu, a registered tax (financial) adviser, to provide tax (financial) advice services. As part of the tax (financial) advice services provided, Manu advises Patricia to set up an investment structure including a unit trust. To establish the unit trust, Manu engages a legal firm to prepare the necessary documentation.
Failing to obtain client permission
Manu confirms with Patricia in writing that she wishes to proceed with the unit trust structure and merely advises Patricia that he will arrange to prepare all the necessary documentation. However, Manu does not obtain Patricia’s permission to disclose her information to the legal firm to prepare the necessary documentation.
Manu is considered to have breached Code Item 6 by failing to obtain Patricia’s permission to disclose her information to a third party (being the legal firm).
Example 5 – Client permission to disclose data to an overseas third party
Vee Co is a large financial services firm and a registered tax (financial) adviser. To minimise its operating costs, Vee Co enters into an agreement with a data processing firm in Vietnam, Nguyen & Co, that Nguyen & Co will perform the data processing work for Vee Co’s clients.
Obtaining client permission
In order to send the clients’ information to Nguyen & Co for processing, Vee Co discloses its arrangement with Nguyen & Co to its clients and obtains its clients’ explicit permission by way of a relevant ‘fact find’ and consent to disclose the information to Nguyen & Co.
Subject to the engagement terms, Vee Co will have primary responsibility for the provision of the relevant tax (financial) advice services, including data processing work undertaken by Nguyen & Co.
 Refer to TPB(I) 21/2014 Code of Professional Conduct – Confidentiality of client information and TPB(EP) 01/2010 Code of Professional Conduct. While TPB(I) 21/2014 is aimed specifically at registered tax and BAS agents, it provides useful guidance for all registered tax practitioners.
 For information on the meaning of ‘tax (financial) advice service’, refer to TPB(I) 20/2014 What is a tax (financial) advice service?
 The two ASIC-approved EDR schemes that currently operate in the Australian financial and credit industries are the Financial Ombudsman Service Limited (FOS) and the Credit and Investments Ombudsman (CIO) (formerly the Credit Ombudsman Service Limited). In particular, it is recognised that when a consumer lodges a dispute with FOS, they are permitting both FOS and the relevant financial services provider to collect, use and disclose relevant information for the purposes of resolving their dispute. For further information, refer to ASIC Regulatory Guide 165 – Licensing: Internal and external dispute resolution, ASIC Regulatory Guide 139 – Approval and oversight of external dispute resolution schemes, and the FOS and CIO websites available at www.fos.org.au and www.cio.org.au respectively.
 It is recognised that there is not a requirement to join an approved EDR scheme if all of the financial services provided are covered by the SCT (which must act in accordance with the Superannuation (Resolution of Complaints) Act 1993). For further information, refer to the SCT website at www.sct.gov.au
 For the purposes of this TPB(I), ‘client information’ means information relating to a client’s affairs under Code Item 6.
 See also TPB Practice Note TPB(PN) 1/2017 Cloud computing and the Code of Professional Conduct.
 See, in particular, APRA Prudential Standards CPS 231 Outsourcing and SPS 231 Outsourcing, APRA Information Paper: Outsourcing involving shared computing services (including cloud).
 The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) imposes ongoing transaction reporting obligations and compliance reporting obligations on reporting entities when they provide designated services; the requirements set rules with respect to customer due diligence and identification, and generally concern the AFS licensee in the context of financial planning. For further information on complying with obligations under the AML/CTF Act, refer to the AUSTRAC compliance guide (Chapter 7 provides an overview of the AML/CTF Act reporting obligations) available at www.austrac.gov.au
 Section 353-10 in Schedule 1 to the Taxation Administration Act 1953 permits the Commissioner to issue a Notice requiring a person to furnish such information to the Commissioner and to attend and give evidence concerning a named person’s income or assessment or to produce documents (including electronic records) etc. in the person’s custody or control. In this regard, it is noted that Treasury Legislation Amendment (Repeal Day) Act 2015 No. 2, 2015 expanded the scope of section 353-10 in Schedule 1 to the Taxation Administration Act 1953 to cover any taxation law, and repealed the corresponding provisions in various Acts including section 264 of the Income Tax Assessment Act 1936.
 See section 70-50 of the Tax Agent Services Act 2009.
 ‘Organisation’ is defined in section 6C of the Privacy Act 1988 and excludes certain small business and small business operations; see further section 6D of the Privacy Act 1988.
 For the purposes of this example, the TPB has used ‘email communication’ as the relevant mode of communication to illustrate how the tax (financial) adviser satisfies their obligations under Code Item 6. This does not mean that other modes of communication cannot be used to satisfy the obligation under Code Item 6.