Code Red

The TPB has released a number of Information Sheets about Code of Professional Conduct Items contained within Section 30-10 of the Tax Agents Services Act 2009. In August 2014 they released TPB (1) 21/2014 dealing with code item 6: Confidentiality of

What is client information?

The Information Sheet tells us “It is only necessary that the information relates to the affairs of a client. The information does not have to belong to the client, or have been directly provided by the client to a registered agent”. So you need to think of client information more laterally than simply as information given to you by your client.

Who are third parties?

The Information Sheet makes it clear that “A third party is any entity other than the client and the registered agent”. That’s pretty broad; so it would seem you need to be careful about disclosing client information to anyone in the world with the exception of the client and you (and presumably your employees). Which third parties, then, might you find yourself dealing with in relation to client information, such that you should consider your position under this Information Sheet? Possible examples:

  • Your subcontractors
  • Offshore subcontracted accountants and bookkeepers
  • Cloud solution providers such as offsite data storage systems (including ‘cloud storage’) and cloud accounting and data transfer applications
  • Professionals working for your client (accountants, lawyers, bankers etc.)
  • Subcontractors of the client
  • Employees of the client (Information Sheet is silent on the issue of employees).

There are only two contexts in which you can disclose client information to third parties: one is where you have a legal obligation to do so (primarily government compulsion but see Information Sheet from paragraph 21 for some specifics) and the second is where the client has given permission.

Let’s explore the issue of client permission.

At paragraph 14 of the Information Sheet the TPB advocate the use of “a signed letter of engagement, signed consent or communication with the client” prior to any disclosures to third parties. They also advocate informing the client what information is to be disclosed, where and to whom. Importantly they indicate that the use of outsourcing and Cloud storage are permitted but caught under Code item 6, leaving you an obligation to “ensure confidentiality of client information, including appropriate disclosure in regard to where data is being sent and stored.” Reference is made in the Information Sheet to APES GN 30 (a Guidance Note) as a useful reference for practitioners dealing with outsourced services. This Guidance Note was produced by the Accounting Professional and Ethical Standards Board (APESB) – a body formed by the major accounting associations as a reference point for their members on a range of issues. The publication is freely accessible and provides some very useful references (albeit geared at accountants).

Where work is offshored (outsourced to a foreign country) then the agent needs to be “very clear in communicating this to the client”. Perhaps the most poignant sentence at paragraph 20 of the Information Sheet to take to heart is “Ultimately, the onus is on the registered agent to exercise appropriate due diligence when outsourcing work, including ensuring appropriate disclosure.” In other words, the buck stops with you.

The Information Sheet (paragraphs 26 and 27) also makes the point that the Privacy Act 1988 governs the use, storage and disclosure of personal information and other conduct by organisations, and that information about obligations under the Privacy Act 1988 is accessible from the Office of the Australian Information Commissioner’s website at www.oaic.gov.au.

Conclusions

To the author the Information Sheet is timely, relevant and in some respects disturbing. The Information Sheet rightfully suggests that there is a strong onus on the agent under code item 6. The author thinks the Information Sheet could have gone further and clarified certain aspects that it raises.

A few general observations about the Information Sheet:

  • It is clear that the TPB are putting the onus on you the agent to ensure that the client’s information is treated confidentially (ethically you can only agree with this principle) when using outsource providers. In some respects this is an onerous undertaking particularly with Cloud storage as you have no direct influence over the Cloud provider or their security procedures. Thus it is imperative that the client has given informed consent to such outsourcing and that you can demonstrate that you have obtained this consent.
  • It would be helpful if the Board could make the outsourcers or Cloud providers more directly accountable for their own security procedures. Unfortunately, however, the provisions of TASA do not extend that far. Perhaps if there was an acceptable independent government standard that such outsourcers could be certified under, then an agent could seek out only certified providers to discharge their Code 6 obligations. It would certainly be more effective than putting the onus on 55000+ agents to assess the security standards of major international Cloud solution providers.
  • The Information Sheet would benefit from clarification and expansion of its references to APES GN 30 and the Privacy Act 1988. Both are sources of very relevant information that an agent should consider when assessing their obligations, so they are excellent references. However, significant time is required to navigate to and interpret material from both these reference points. Better linkages to specific documents and sections would help; so too would elaborating on relevant material from these two sources in the body of the Information Sheet itself. The Information Sheet indicates you “should” seek your own advice about whether the provisions of the Privacy Act 1988 apply to you. Advice from whom, about which aspect of these provisions, and at what cost?

What you should do:

  • Read the Information Sheet and the external material it refers to (including APES GN 30 and the Privacy Principles).
  • Review your standard Engagement letter and ensure it captures the known situations where you would be likely to disclose client information as part of your engagement.
  • Review existing Engagement letters to see if they sufficiently disclose the third parties that client data is routinely disclosed to, and update them where required. For those old clients for whom you have not bothered with an Engagement letter, or whose letter is redundant or lost, this is another reason to urgently construct a fresh Engagement letter.
  • Ensure you have a policy of gaining client consent and importantly leaving a document trail that confirms client consent for disclosure of client information. It could be as simple as an email to/from the client. Often instructions are taken verbally but nothing stops you sending a client an email confirming their instruction and your response/action.



Article written by Australian Bookkeepers Network (ABN)

To find out more about ABN visit www.austbook.net

To read more take a look at the ABN Bookies Bulletin

Category: ABN
Published: 30 Jun 2015