Issued: 25 October 2022
Last modified: 3 November 2022
View the resources from our webinar Prevention is better than cure – assess your cyber risk!, held Tuesday 25 October 2022. With recent data breach incidents across Australia, we can see how vulnerable businesses can be to cyber-attacks. In this webinar, learn how to assess any potential cyber risk to your business and what steps you can take to protect your practice and client information. Board member Debra Anderson and Jimmy Tzimopoulos, Assistant Commissioner from the Australian Taxation Office’s Cyber Governance & Operations, share some valuable advice.
Resources
Webinar recording
Questions and answers
We have compiled some of the questions we received during the webinar.
Cyber security
Given that cybercrime is always going to be a threat how can you absolutely protect data?
Unfortunately, the only way to absolutely protect data and prevent all possibility of cyber-attacks is to have that data completely locked away and inaccessible to everyone, and that just wouldn’t be practical at all. Choosing the best balance between accessibility and security is an important challenge for all businesses today. However, you can put in place mitigation strategies according to your practice needs. You may also seek expert advice from cyber security professionals to find a solution that can help protect your practice and client information.
For some helpful information, refer to:
- Top cyber security tips for businesses on the Australian Taxation Office (ATO) website
- Security advice for tax professionals on the ATO website
- Essential Eight Maturity Model on the Australian Cyber Security Centre (ACSC) website.
Do you recommend the use of any particular apps to store passwords, for example Dashlane, LastPass etc.?
We do not endorse particular products or solutions; however, we do support the use of tools that provide extra layers of cyber protection. You should read and understand the solution the desired tool or app provides, any additional features that aren’t enabled by default, and current research on the products. Choose products and apps that come with positive feedback from respected sources.
We suggest you visit the ACSC website which provides some helpful tips on what you should look for when choosing a password manager.
Do you have a recommended list of insurance providers for cyber insurance?
We are unable to recommend insurance providers for cyber cover. If you are a member of a professional association, you may contact them to see if they have any recommendations.
Do you have any recommendations for messaging apps that can be used by tax practitioners?
Refer to the Security Tips for Social Media and Messaging Apps on the ACSC website for some helpful information.
What are signs that you have been impacted by a cyber-attack?
Refer to the Guidelines for cyber security incidents on the ACSC website which provide some ways you can detect cyber security incidents. Many password managers also have features that enable you to check if any of your credentials have been compromised and published on the dark web.
Could you give an example of a "secured" website?
A secure website is a website that uses encryption (HTTPS, via TLS) for all communications with your browser. This can be spotted by the ‘https’ at the front of the domain name in the site’s URL, and a lock symbol next to the URL in your browser. Common browsers only trust unexpired certificates issued by reputable certificate authorities who verify the identity of the website owner. Encryption protects the communication between the website and the user by making it unreadable to cyber criminals who may observe the connection. This prevents hackers from reading or interfering with the information whilst it’s in transit.
Are the various shredding services provided by shredding agencies acceptable to dispose of documents safely?
Before using a shredding service for client information, you would need to seek your client’s permission to disclose their information to the shredding service (which is a third party). You should advise your client what information is being disposed of and the agency that is being used. The permission may be by way of a signed engagement letter, signed consent or other communication with the client.
Is it safe for clients to send their TFN and date of birth via email?
We would not recommend that you receive or send clients’ sensitive personal information by email as this is not considered to be a secure method of transmission. You should advise your clients to send this information to you through secure means, such as a secure website, secure online mailbox or secure messaging, as discussed in our proof of identity guidelines.
Why is email not considered a secure method of transmission?
The Office of the Australian Information Commissioner (OAIC) provides guidance on email security on its website. It provides that email is not a secure form of communication and you should develop procedures to manage the transmission of personal information via email. Emails can be easily intercepted by third parties when sent over the internet.
You may refer to the Guide to securing personal information released by the OAIC on their website for information about email security. You may also refer to Email Security information available on the ACSC website.
If someone sends you a message that they have accessed data held by you, when in fact they don't, but still demands money, is this scenario still reportable?
The Notifiable Data Breaches (NDB) scheme requires ‘eligible’ data breaches to be reported. An eligible data breach occurs when 3 criteria are met:
- there is unauthorised access to, or unauthorised disclosure of, personal information, or a loss of personal information, that an entity holds
- this is likely to result in serious harm to one or more individuals, and
- the entity has not been able to prevent the likely risk of serious harm with remedial action.
Refer to the Notifiable Data Breaches scheme information on our website and the Identifying eligible data breaches information on the OAIC website for further information. The ACSC website also has a handy factsheet on when you should report a cybercrime.
Client verification checks
How do we prove we have undertaken proof of identity (POI) on clients if we do not keep a copy of the verified documents?
We do not require or recommend that you retain copies or originals of identification documents used as evidence to establish the identity of a client or their individual representative. This is because we recognise these documents may be at risk of being stolen through cyber-attacks or even physical break-ins at your business premises.
What we require you to do is maintain a contemporaneous record, such as a checklist, as soon as you complete any proof of identity checks. This record should include information such as:
- the date and time when the proof of identity checks were undertaken
- the name and position of the person that performed these checks
- the types of documents that were sighted and whether these were originals or certified copies – please note here that we do not recommend that you record the identity document numbers
- how you sighted these documents – whether in person or electronically
- whether the documents were clear and legible and there was no reason to question the authenticity of the identity documents.
We’ll accept this record as evidence that you have completed POI checks on your clients. You should keep this record for at least 5 years after your client engagement has ceased.
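As an added illustration (not TPB's own tooling) of the contemporaneous record described above, the following Python sketch holds only the fields listed, refuses to store anything that looks like an identity document number, and works out the earliest date the record may be destroyed. The field names, the digit-run pattern used to spot document numbers, and the sample values are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, datetime
import re

# Assumption for this example: a run of 6+ digits, optionally led by a letter
# (e.g. a passport-style number), is treated as a document number and rejected.
DOC_NUMBER_PATTERN = re.compile(r"\b[A-Z]?\d{6,}\b", re.IGNORECASE)
RETENTION_YEARS = 5  # keep the record at least 5 years after engagement ceases


@dataclass
class PoiRecord:
    checked_at: datetime          # date and time the POI checks were undertaken
    checker_name: str             # name of the person who performed the checks
    checker_position: str         # their position in the practice
    document_types: list[str]     # e.g. "passport", "driver licence" (types only)
    original_or_certified: str    # "original" or "certified copy"
    sighted_how: str              # "in person" or "electronically"
    clear_and_legible: bool
    no_authenticity_concerns: bool
    notes: str = ""

    def __post_init__(self) -> None:
        # Refuse to store identity document numbers anywhere in the record.
        for text in [*self.document_types, self.notes]:
            if DOC_NUMBER_PATTERN.search(text):
                raise ValueError("identity document numbers must not be recorded")
        if self.sighted_how not in ("in person", "electronically"):
            raise ValueError("sighted_how must be 'in person' or 'electronically'")
        if self.original_or_certified not in ("original", "certified copy"):
            raise ValueError("original_or_certified must be 'original' or 'certified copy'")


def record_supports_poi(rec: PoiRecord) -> bool:
    """The record evidences completed POI only if both document checks passed."""
    return rec.clear_and_legible and rec.no_authenticity_concerns


def retention_until(engagement_ceased: date) -> date:
    """Earliest date the record may be destroyed: 5 years after engagement ceased."""
    try:
        return engagement_ceased.replace(year=engagement_ceased.year + RETENTION_YEARS)
    except ValueError:  # 29 February with no leap day in the target year
        return engagement_ceased.replace(year=engagement_ceased.year + RETENTION_YEARS, day=28)


def example_record(notes: str = "") -> PoiRecord:
    """Constructed sample record (values are made up for this example)."""
    return PoiRecord(datetime(2022, 10, 25, 14, 30), "A. Sample", "Senior Accountant",
                     ["passport", "driver licence"], "original", "electronically",
                     True, True, notes)
```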
Do we need to meet the client face-to-face to verify their identity or can we meet the client online – for example, via Zoom or MS Teams?
No, you do not have to meet clients face-to-face to verify their identity. If you are engaging a client and/or their individual representative remotely you may choose to use videoconferencing facilities. In this situation, our requirements remain the same as for registered tax practitioners who engage with clients face-to-face. If you sight original or certified identification documents through videoconferencing or with the use of a webcam, you should record details of identity checks undertaken as soon as you complete them. Refer to our guidelines for further information.
Where can we access the handy factsheet for our clients about undertaking proof of identity?
The factsheet that summarises our proof of identity requirements is available on our website.
I ask clients to send their identity documents through secure means, but if they choose to send by email, what do we do?
If you have a secure online mailbox, website or messaging arrangements for your practice, you should encourage your clients to send sensitive information and documents through these means.
If your client chooses to send information via email, ensure you make a note on your records and destroy these documents as soon as POI checks are completed.
We receive requests from clients to complete their director identification and they have provided their identity documents. How do we protect those documents?
As soon as you complete the director identification process for your clients, you should return any original documents back to clients and destroy any copies of documents securely that need not be returned to clients.
How many documents do you recommend we use to identify a new client? Should we just record that we have sighted the ID documents and note part of the ID number, for example xxxxxx543?
We have provided guidance on what identity details and types of documents you need to verify for your clients in our POI guidelines available on our website.
It is sufficient to record details of checks undertaken as explained in an earlier question above.
If clients live remotely and are able to send their tax file number and identity documents only by email, how do we protect the information?
You should ask the client to send any sensitive information to you:
- via a secure website, secure online mailbox or secure messaging
- as an encrypted or password protected attachment to an email.
This should help minimise any risk of interception of sensitive information during email transmission.
Alternatively, refer to the ATO’s guidelines which provide information on how to undertake client verification checks using ATO or Document Verification Service (or DVS) sources.
Who do we verify for a not-for-profit organisation?
For a not-for-profit organisation, you should undertake similar checks as you would for a non-individual client. Refer to our POI guidelines regarding our requirements for undertaking proof of identity on a non-individual client.
Do you have to get the client to sign in order to confirm that you have sighted their proof of identification?
No, it is enough if you make a contemporaneous record of the identity checks you have undertaken on your client as soon as you complete them.
I have to keep passport information of clients to conduct 3-monthly immigration checks. How do I go about doing this if I should not be keeping a record of clients’ passport details?
Where you must store sensitive client data, you must secure your business premises and systems. The ATO provides security guidance for tax professionals. You may also seek expert advice from cyber security professionals to find a solution that can help protect your practice and client information.
For some helpful information refer to:
- Top cyber security tips for businesses on the ATO website
- Security advice for tax professionals on the ATO website
- Protect your practice from cyber-attacks on the TPB website.
In regard to checking identification through video conferencing facilities such as Zoom, it is possible that the new client may be showing a fake ID with their photo. Shouldn’t we physically sight the ID and have it signed by the client?
You should use your professional judgement in situations where you have reason to believe that the evidence provided by the client is not genuine. You may need to ask additional questions or request further evidence, or use ATO or DVS sources to verify their identity.
If you are dealing with some clients regularly, do you still have to identify them?
When dealing with your existing clients, it may not be appropriate or necessary to undertake POI on them as you may consider their identity is well-established. Ultimately, we expect that you exercise your professional judgement in these situations. Refer to the ‘Well-established clients’ section in our POI guidelines for further information.