Issued: 15 February 2022
Last modified: 15 February 2022
View the resources from our webinar "Confidentiality and conflicts - what to do!", held on 15 February 2022. In this webinar we discussed your responsibilities under the Code of Professional Conduct for protecting client information and effectively managing conflicts of interest that may arise.
Resources
Webinar recording
Questions and answers
Confidentiality of client information
In the webinar, you spoke about not being able to disclose your client's information to a third party without their permission. Does that include an employee of the tax practitioner?
Yes, a third party is any entity other than the client and the registered tax practitioner. This means that you should obtain permission from the client prior to disclosing their information to employees. You may choose to do this via a letter of engagement.
Does another entity or third party include sending tax information overseas to have tax returns done?
Yes, any entity other than the client and the registered tax practitioner is a third party. For more information, see our outsourcing and offshoring Practice Note.
Is a verbal phone call OK for permission to give out client bank information?
We recommend written consent is obtained from the client to avoid any confusion or future claims that consent was not provided.
To what extent do we need to advise the client of the third parties we use? For example, if we store information in Dropbox or Outlook Calendar or use a billing program or digital signing program, do we need to advise the client of every individual program we use?
Yes, you should inform the client about any client information that may be disclosed. In this situation, we recommend you include information in relation to who and where the disclosure will be made, such as any third party software provider.
Do I need to get permission from my clients to upload their receipts and invoices to their accounting software programs?
If the software is hosted externally by a third party, for example in a cloud environment, then you will need to obtain the client's permission before disclosing their information to the third party software provider.
If a client sends us an invite to access their accounting software is this sufficient evidence to prove the client has given consent to disclose their information?
While there is no set formula for obtaining the client’s permission, we recommend obtaining the client’s written permission prior to disclosing their information to a third party to ensure that you comply with Code item 6 – Confidentiality of client information.
If I have a client that moves to another tax practitioner and the new practitioner sends a professional letter asking for the client records, do I need consent from the client to provide information to the new tax practitioner?
Yes, you would need to obtain permission from your former client to transfer their records to the new tax practitioner.
Does a client’s authority to disclose personal information have to be signed even if they authorise it via email?
The client’s permission may be obtained via email.
If I store files offsite, do I need to have the client’s permission before moving their files?
Yes, you will need to obtain the client’s permission if third parties will have access to the client’s information. If third parties do not have access, we would recommend advising your client, possibly in the letter of engagement, that you use offsite storage to store their records.
If an engagement is between a tax agent company and the client does this cover all partners and staff of the practice? Or do we need to have a new engagement agreement for each new employee?
Yes, a general authority covering partners and employees could be used rather than seeking permission each time a new employee is onboarded at the practice.
Letters of engagement
If you are lodging monthly or quarterly Business Activity Statements, do you need a letter of engagement each time?
While letters of engagement are not a specific requirement of the Code of Professional Conduct (Code), they are an important and effective mechanism to assist tax practitioners in ensuring they comply with the requirements of the Code.
In relation to recurring or ongoing engagements, we recommend the letter of engagement is reconfirmed or reviewed with the client regularly (preferably annually). However, the frequency of this review depends on the circumstances, for example if there has been a:
- significant change to the client's relevant personal circumstances
- change to the management, ownership and/or structure of the client (particularly relevant to corporate entities and clients that are part of a corporate group)
- change in the nature or size of the client's business.
Do you need to obtain a new authority or letter of engagement each time you use a new online computer program, or can you have a general agreement to use online services?
You may need a new letter of engagement if there have been changes to the terms or scope of the engagement, or a change to the third party recipients of client information (which requires prior client consent in accordance with Code item 6 – Confidentiality of client information).
If all client files are held within the same computing program, for example Microsoft OneDrive, do we need to get an annual letter of engagement from clients?
If the third party receiving the client’s information and the nature of the information being disclosed has not changed, we recommend an annual review or confirmation of the letter of engagement, however the frequency of this review depends on the nature and circumstances of your engagement with the client.
Conflicts of interest
Some software providers charge tax practitioners a wholesale price for recommending and using their software. The tax practitioner can then on-sell the software to their clients at a discounted rate above the wholesale price, consequently earning a small commission. Should this arrangement be disclosed?
Yes, the commission is a financial incentive and would give rise to a conflict of interest in relation to the activities that the tax practitioner undertakes. This conflict of interest should be disclosed to the client, and the disclosure should:
- be made at the earliest possible opportunity
- be specific and meaningful to the client
- occur before or when the tax agent service is provided, but in any case at a time that allows the client a reasonable period to assess its effect, and
- refer to the specific service to which the conflict relates.
Cloud computing
Tax practitioners have no control over the security of a cloud environment, so if appropriate client authority was obtained to store data in the cloud and the cloud was subject to a malicious attack where client data was lost and used inappropriately, would the tax practitioner have any liability?
We cannot comment on liability generally, but in order to comply with your confidentiality obligations, you will need to have obtained permission from your client to disclose their information to a cloud service provider. You also need to ensure you have appropriate controls in place to maintain confidentiality and avoid any information leakage.
There are a number of controls that could be employed to assist in maintaining and protecting the confidentiality, integrity and availability of data. Our cloud computing Practice Note has more information.
If a registered tax practitioner has been incompetent or reckless regarding IT controls, and this has resulted in a breach of confidentiality because of a cyber incident, we may impose one or more administrative sanctions. Each situation will be considered on a case-by-case basis, including the circumstances of the data breach and the steps taken to report and rectify the problem.
Registered tax practitioners should also consider whether they have any obligations under the Privacy Act 1988, including the Notifiable Data Breaches scheme.