You must not disclose information relating to a client’s (or a former client's) affairs to a third party unless you have:

This is one of the obligations (item 6) under the Code of Professional Conduct (Code).

‘Information’ refers to knowledge you have acquired or derived about a client, whether directly or indirectly. It is only necessary that the information relates to the affairs of a client. Further, the information does not have to necessarily belong to the client or have been directly provided by the client to you.

Who is a 'third party'?

A ‘third party’ is any entity other than you and your client and could, for example, include the following:

• entities to which you outsource your tax or BAS agent services (including (financial) advice services)
• entities within the same service trust structure, unless the client is defined (for example, in the engagement letter) as the whole structure
• a related entity of your practice or the client - for example, if you are an authorised representative, a third party includes your Australian financial services (AFS) licensee and vice versa
• if you are an AFS licensee – it could include other AFS licensees, authorised representatives, para-planners, product providers and advisers, insurance brokers and technical teams and advisers.
• maintaining offsite data storage systems (including ‘cloud storage’).

We recognise that tax practitioners are increasingly engaging in outsourcing or cloud storage arrangements. However, the obligations under Code item 6 have not changed – you must ensure confidentiality of client information, including appropriate disclosure of such arrangements to your clients to ensure you comply with your obligations under this Code item.

For AFS licensees and their authorised representatives

We recognise that:

• in an AFS licensee/authorised representative relationship, the use of ‘fact finds’ or other documents facilitate the flow of client information from the authorised representative to the AFS licensee
• the Corporations Act 2001 requires an authorised representative of an AFS licensee to provide information to the AFS licensee if requested.

Obtain client permission first

Before disclosing any information relating to your client’s affairs to a third party, you should clearly inform your client that such disclosure will be made and obtain their permission. You should advise your client:

• what client information is to be disclosed; and
• to whom and where the disclosure will be made.

This permission may be by way of a signed letter of engagement, signed consent or other communication with the client.

For AFS licensees and authorised representatives

If you are an AFS licensee or an authorised representative, other ways to obtain client permission may also include: 

• a relevant ‘fact find’ and consent
• a relevant Financial Services Guide (FSG) and consent
• a relevant Statement of Advice (incorporating an ‘authority to proceed’) signed by the client 
• a privacy declaration and consent form 
• a privacy acknowledgement and consent 
• a relevant product disclosure statement and consent, or
• an appropriately authorised confirmation email.

Legal duty to disclose information

You may disclose information relating to your client’s affairs to a third party without your client’s permission if you have a legal duty to do so.

Some examples of these circumstances include providing information to:

• the TPB upon a notice issued under section 60-100 of the Tax Agent Services Act 2009 (TASA)
• a court or tribunal under a direction, order, or other court process
• the Australian Taxation Office (ATO) upon a notice issued under section 353-10 in Schedule 1 to the Taxation Administration Act 1953 concerning taxation laws (subject to that material being properly withheld under legal professional privilege)
• AUSTRAC to meet reporting obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
• your AFS licensee (if you are their authorised representative) under section 912G of the Corporations Act 2001.

If you are concerned as to whether there is a legal duty to disclose client information to a third party, you should seek independent legal advice.

Inadvertent disclosure

You need to ensure there are appropriate arrangements to prevent inadvertent disclosure of client information. Some examples of situations where you must ensure there are appropriate controls to prevent third parties from viewing or accessing client information include:

• the use of mobile temporary booths in shopping centres
• the use of recycled paper which includes personal details of other clients
• disposing of IT equipment that contains/stores data of clients
• the use of shredding or data disposal services
• the use of external service providers such as IT consultants and cleaners.

Failure to maintain confidentiality

If you disclose information relating to a client’s affairs to a third party without the client’s permission or a legal duty to do so, we may find that you have breached the Code and impose sanctions for that breach.

Whistleblower protection

If you qualify for whistleblower protection, you may be able to make a disclosure of information about a client's affairs to us and/or the ATO and not be subject to disciplinary action by us under Code item 6. For further information, see Whistleblower legislation.

Breach reporting requirements

Notifications to us and recognised professional associations under the breach reporting regime may involve the disclosure of client information. However, as these disclosures are required by law under the TASA, they will generally be covered by the legal duty exception. As such, breach reporting disclosures will be in compliance with Code item 6. For further information, see TPB Information Sheet TPB(I) D53/2024 Breach reporting under the Tax Agent Services Act 2009. 

Examples involving confidentiality