Issued: 5 May 2022
Last modified: 31 August 2023
View the resources from our webinar Privacy and securing personal information, held 2 May 2022 during national Privacy Awareness Week. In this webinar we provide guidance on the steps you need to take to protect the personal information you hold. You’ll also find out what steps you should take to mitigate the risk of malicious attacks.
Resources
Webinar recording
Questions and answers
Privacy Act
If a business entity has an annual turnover of under $3 million, does the Privacy Act apply to regulate the way an individual's personal information is handled?
It does apply in some circumstances. The Privacy Act 1988 (Privacy Act) generally applies to Australian Government agencies and organisations with an annual turnover of more than $3 million as well as some other organisations, subject to certain exceptions.
An ‘organisation’ refers to an individual (including a sole trader) not acting in their own capacity, a body corporate, partnership, other unincorporated association or trust. It does not include a small business operator, registered political party, agency, state or territory authority or prescribed instrumentality.
However, the Privacy Act also applies to some ‘small business operators’ with an annual turnover of $3 million or less, including:
- private sector health service providers
- a business that sells or purchases personal information
- a credit reporting body
- a contracted service provider for an Australian Government contract
- an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009
- a business that holds accreditation under the Consumer Data Right System
- a business that has opted into the Privacy Act
- a business related to another business covered by the Privacy Act, or a business prescribed by the Regulations.
The Office of the Australian Information Commissioner (OAIC) regulates the Privacy Act and provides guidance on the privacy laws under that Act. To find out more about who the Privacy Act applies to, check out the OAIC website.
Is it true that the Notifiable Data Breaches (NDB) scheme only applies to entities covered by the Privacy Act?
The NDB Scheme only applies to organisations or agencies covered by the Privacy Act. This includes Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of more than $3 million, certain ‘small business operators’ with an annual turnover of $3 million or less, and tax file number (TFN) recipients.
If a data breach involving personal information is likely to result in serious harm to any of the individuals the information relates to, the NDB scheme requires those entities covered by the Privacy Act to notify the affected individuals and the Office of the Australian Information Commissioner (OAIC).
The NDB scheme only applies to the extent that the entities are covered by the Privacy Act. For example, the NDB scheme applies to TFN recipients in relation to the handling of TFN information, to the extent that the information is involved in a data breach. This means that if a tax agent has an annual turnover of $3 million or less (and would not ordinarily be covered by the Privacy Act), but they are a TFN recipient, the handling of TFN information will generally still be subject to the Privacy Act and the NDB scheme.
The Office of the Australian Information Commissioner (OAIC) provides guidance on the NDB Scheme and who is covered by the Privacy Act. For more information, refer to the OAIC website.
Client records
How many years should tax practitioners retain tax records?
There are no mandatory requirements for record keeping, including minimum retention periods, imposed on tax practitioners under the Tax Agent Services Act 2009 (TASA).
However, clients need to comply with prescribed requirements for keeping tax records under the taxation laws, administered by the Australian Taxation Office (ATO).
The records that must be kept, how long they need to be kept, and when that time runs from, may vary depending on the type of client, record and tax law involved. For more information about record keeping obligations under the tax laws, refer to the ATO website.
Tax practitioners should discuss record keeping arrangements with their client and ensure they understand their obligations. The letter of engagement with the client may also cover arrangements for keeping records or making copies that tax practitioners need to follow.
It’s important that tax practitioners comply with their obligations under the Code of Professional Conduct in the TASA when advising their client about record-keeping responsibilities and making record-keeping arrangements to help them comply.
The TPB also requires tax practitioners to keep a record of proof of identity checks they undertake in relation to each client for a minimum of 5 years after the engagement with the client has ceased.
If an entity is no longer using our services, do we have to destroy or de-identify their information from our system?
There are no mandatory requirements imposed on tax practitioners under the Tax Agent Services Act 2009 to destroy or de-identify client information after a certain period, or once an engagement with a client ends.
However, it’s important to bear in mind that clients need to comply with prescribed requirements for the keeping of tax records under the taxation laws.
When an engagement ends, you should discuss the arrangements for record-keeping, destruction and de-identification of information and return of records with your client.
The letter of engagement with the client may also contain terms relating to the retention of documentation, the termination of services and the return of documentation you need to follow. To avoid confusion at the end of an engagement, we recommend that these matters are covered in a letter of engagement with your client. For more information see our Letters of engagement practice note.
If the Privacy Act applies to you, the Australian Privacy Principles in the Act require that you destroy or de-identify client information in certain circumstances.
The Office of the Australian Information Commissioner (OAIC) regulates the Privacy Act and provides guidance on privacy laws. For more information about who the Act applies to and when information needs to be destroyed or de-identified, refer to the OAIC website.
Have Dropbox or Google Drive been identified as secure platforms for document storage?
The TPB cannot comment on the security of using particular online platforms, such as Dropbox or Google Drive, for document storage.
However, there are several factors tax practitioners should consider when considering cloud arrangements for data storage.
One factor is whether the information is being held offshore (that is, being stored or processed in equipment not located in Australia) and if so, the consequences, including additional legislative and regulatory requirements the information may be subject to.
From a TPB perspective, tax practitioners need to ensure they are complying with their obligations under the Code of Professional Conduct in the Tax Agent Services Act 2009 when entering and maintaining cloud arrangements for data storage, in particular, Code item 6 relating to confidentiality of client information.
For more information about cloud computing, the factors to consider when entering into these arrangements and relevant Code obligations, refer to our practice statement.
The Australian Cyber Security Centre (ACSC) recommends against outsourcing information technology services and functions outside of Australia, unless organisations are dealing with data that is all publicly available. The ACSC strongly encourages organisations to choose either a locally owned vendor or a foreign owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australian borders. Note that foreign owned vendors operating in Australia may be subject to foreign laws such as a foreign government’s lawful access to data held by the vendor.
For further information refer to the ACSC information on Cloud Computing Security Considerations.
Tax practitioners should also consider whether the requirements in the Privacy Act governing the use, storage and disclosure of personal information apply to the storage arrangement. For more guidance on cloud arrangements and privacy laws refer to the OAIC website.
What information can be disclosed when a client moves to another tax practice?
Under Code item 6 of the Code of Professional Conduct in the TASA, you must not disclose client information to a third party (including a new tax practitioner) unless you have a legal duty to do so or your client has given permission.
When deciding whether you can disclose client information to another practice, you need to make sure you comply with Code item 6, and obtain the client’s permission first if you have not already done so.
For more information about confidentiality of client information, and your obligations under Code item 6, refer to our guidance.
You also need to comply with privacy laws governing the use, storage and disclosure of personal information under the Privacy Act. For more information about privacy laws, refer to the OAIC website.
If I receive a phone call from the Australian Taxation Office (ATO) how do I verify their identity before disclosing client information?
You should be wary of emails, phone calls and text messages claiming to be from the ATO. If you're not sure whether it's really the ATO calling, hang up and phone the ATO back on 1800 008 540 to check, rather than calling a number the caller gives you or disclosing anything on the incoming call.
Also remember under Code item 6 of the Code of Professional Conduct in the TASA, you can only disclose client information to a third party, including the ATO, if there is a legal duty to do so or your client has given permission.
For more detail on confidentiality of client information, and your obligations under Code item 6, refer to our guidance.
Tax file numbers
Is it acceptable for me to send emails to clients that include their TFN and other personal details?
The use, storage and disclosure of TFNs and TFN information is primarily governed by privacy and confidentiality laws administered by the OAIC and ATO.
This includes the Privacy Act (and Australian Privacy Principles), Privacy (Tax File Number) Rule 2015, and provisions of the Taxation Administration Act 1953.
We expect you to comply with all relevant privacy and confidentiality laws when including TFNs or TFN information in email communications, and to consider whether the practice is appropriate and secure. This is particularly the case given the risk of inadvertent disclosure to third parties when communicating via email.
From a TPB perspective, you must also ensure you comply with your obligations under the Code of Professional Conduct in the TASA, including Code item 6, when sending emails. Under Code item 6, you must not disclose client information to a third party unless you have a legal duty to do so or your client has given permission.
As email is not considered a secure form of communication, you still need to have appropriate arrangements in place to protect your client’s TFN information and prevent inadvertent disclosures when emailing your clients directly.
To minimise the risk of a breach of Code item 6 when using email, we recommend you remove any identifying client information to ensure any personal information is not accidentally disclosed if the email is received by an unauthorised person.
We also recommend you seek your client’s consent through a letter of engagement before sending information electronically.
For more guidance on using and disclosing a client’s TFN and TFN information in email communications refer to our Practice Note. For more information about relevant privacy and confidentiality laws refer to the OAIC and ATO websites.
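As an added illustration of the recommendation above to remove identifying client information before emailing, the following Python script is not part of the TPB's guidance or any TPB tool. It screens the text of an outgoing message for nine-digit tax file numbers and masks them, using the check digit to avoid masking every nine-digit number (an invoice number, for instance). The check-digit weights are the ones commonly published for the nine-digit TFN and are an assumption of this example, as are the function names and the constructed sample message.

```python
import re

# Weights for the nine-digit TFN check digit as commonly published: the
# weighted sum of the digits must be divisible by 11. This is an assumption
# of the example (the page does not describe the algorithm); older
# eight-digit TFNs are not handled.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Nine digits, optionally written as 3-3-3 groups separated by a space or
# hyphen, and not part of a longer digit run (so a 10-digit phone number or
# an 11-digit ABN is not split into a false TFN).
TFN_PATTERN = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")

MASK = "[TFN removed]"


def is_valid_tfn(candidate: str) -> bool:
    """True if candidate is nine digits (separators ignored) that pass the check digit."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 9:
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


def find_tfns(text: str) -> list[str]:
    """Every nine-digit group in text that also passes the check digit."""
    return [m.group(0) for m in TFN_PATTERN.finditer(text) if is_valid_tfn(m.group(0))]


def redact_tfns(text: str) -> tuple[str, int]:
    """Replace each check-digit-valid TFN with MASK; return (new text, count)."""
    count = 0

    def _mask(match: re.Match) -> str:
        nonlocal count
        if is_valid_tfn(match.group(0)):
            count += 1
            return MASK
        return match.group(0)

    return TFN_PATTERN.sub(_mask, text), count


def prepare_outbound_email(body: str) -> str:
    """Gate an outgoing message: mask TFNs, then re-check and fail closed
    (raise rather than send) if a TFN somehow survives the masking."""
    redacted, _ = redact_tfns(body)
    if find_tfns(redacted):
        raise ValueError("TFN still present after redaction; refusing to send")
    return redacted


# Constructed sample message (not a real client or TFN). 123 456 782 passes
# the check digit; invoice number 123456789 is nine digits but does not, and
# the ATO's published phone number is ten digits, so neither is masked.
SAMPLE_EMAIL = """Hi Alex,

Your return has been lodged using TFN 123 456 782.
Invoice 123456789 is attached. If anyone claiming to be the ATO calls,
hang up and ring them back on 1800 008 540.

Regards,
The Practice"""


if __name__ == "__main__":
    print(prepare_outbound_email(SAMPLE_EMAIL))
```

Two caveats a practice should keep in mind: roughly one in eleven random nine-digit numbers also satisfies the check digit, so the screen will occasionally mask a number that is not a TFN (that is the safe direction), and it only inspects message text, not attachments, so a scanned return or a PDF still needs its own handling.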
As a tax agent should I stop printing tax file numbers on tax returns to mitigate the risk of misuse?
Our TFN guidance will assist you in avoiding the risk of misuse.
Personal information
What should I do if I’m unsure if information relates to a client's affairs and I can disclose it to a third party?
Under Code item 6 of the Code in the TASA, you must not disclose client information to a third party unless you have a legal duty to do so or your client has given permission.
‘Information’ refers to the acquiring or deriving of knowledge and includes, but is not limited to, capturing information known about a client.
In broad terms, information relates to a client’s affairs if it’s information that has a connection with the activities, business or concerns of the client.
The information could be acquired directly or indirectly from the client or other sources. It doesn’t have to belong to the client or have been directly provided to you by the client.
Where it is unclear if information relates to the affairs of a client, you should err on the side of caution and treat the information as if it did. Unless you have a legal duty to disclose it, you should obtain the client’s permission.
For more information about confidentiality of client information, and your obligations under Code item 6, refer to our Practice Note.
If the Privacy Act applies to you, and the information is ‘personal information’, you also need to make sure you comply with the privacy laws governing the use, storage and disclosure of that information. ‘Personal information’ is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not it is true and whether or not it is recorded in material form. For more information about the privacy laws, refer to the OAIC website.
Cloud computing
I’m thinking of entering a cloud computing arrangement, what are the privacy considerations?
From a TPB perspective, you need to ensure you are complying with your obligations under the Code of Professional Conduct (Code) in the Tax Agent Services Act 2009 when entering and maintaining cloud arrangements, in particular, Code item 6 relating to confidentiality of client information.
We’ve released a practice note on cloud computing and obligations under the Code. It provides practical guidance to assist you to comply with the Code obligations, sets out factors you should consider when entering into cloud arrangements, and outlines where you can find further information.
As a starting point, there are some general factors you may wish to consider:
- How is the information being stored, and how will it be returned to you?
- Is the information held offshore (that is, stored or processed in equipment not located in Australia) and, if so, what are the consequences, including any additional legislative and regulatory requirements the information may be subject to?
- What processes exist for backup and archiving of information?
- Which security controls are the registered practitioner, the provider and any subcontractors each responsible for?
- What protections are in place if access to the service is disrupted?
- What arrangements are in place for managing and resolving disputes?
- What arrangements are in place for ending the arrangement, including return or destruction of your data?
The Privacy Act, administered by the OAIC, also governs the storage, use and disclosure of personal information. You should consider whether the privacy laws in the Privacy Act apply to you. For more information refer to the OAIC website.