Webinar

Issued: 30 September 2020

Last modified: 17 November 2020

View the resources from our webinar Using the cloud, held 30 September 2020. 

Resources

Webinar recording

Questions and answers

Functionality

The cloud offers a number of benefits to businesses, including:

  • Cost – using the cloud presents opportunities to eliminate the expense of buying hardware and software as well as setting up and running on-site servers, or for larger businesses, data centres. Cloud provisioned services provide the opportunity to only pay for what you use, but be aware that with ease of use, costs can increase if you purchase more capacity than you need.

  • Speed - most cloud computing services are provided as self service and on demand, meaning you can access your data almost immediately. This flexibility can enable you to implement your decisions quickly.

  • Performance - the biggest cloud computing services run on a worldwide network of secure data centres, which are regularly upgraded to the latest generation of fast and efficient computing hardware.

  • Reliability - cloud computing makes data backup, disaster recovery and business continuity easier and less expensive.

 

We would expect tax practitioners to review any changes to contract/services terms and consider if these changes are relevant to their obligations under the Code of Professional Conduct (Code), and in particular Code item 6 which relates to client confidentiality.

Our Practice Note on cloud computing contains a list of considerations for tax practitioners to take into account in relation to cloud arrangements. The list would be a good starting point for tax practitioners in considering if a contractual term that has been updated is relevant to their obligations under the Code, and if the cloud arrangement continues to be appropriate, and/or if additional consent should be sought from affected or relevant clients.

Security

To understand the security of cloud services like Microsoft Office 365, Adobe and Xero, the Small Business Cyber Security Guide from the Australian Cyber Security Centre (ACSC) will help.

We are in the process of collaborating with the Australian Taxation Office (ATO) and ACSC to provide some further guidance to tax practitioners. Keep an eye on our website and TPB eNews over coming months.

 

VPNs seem like the perfect tool for the job – they encrypt and anonymise our data, keeping it secure and away from prying eyes. But things can get complicated: any technology that is poorly implemented or maintained can create security risks that the user didn’t intend. It’s worth ensuring you have engaged a trustworthy partner to help with your cloud security solutions. If you see something or aren’t sure about your own or your client’s security, it’s important to ask.

 

If the tax practitioner is inputting (and as such, disclosing) client information, they still have a responsibility to obtain the client’s consent to disclose the information to the third party (in this case, the cloud service provider), so that the disclosure is authorised, and should take into account the considerations set out in our cloud computing Practice Note.

Providers

Unfortunately, we can’t recommend a cloud provider. This is a business decision and you will need to research providers and consider things such as:

  • What privacy provisions are in place?

  • What would happen in the unfortunate event of a breach?

  • Who owns the data?

  • Who has access to the data?

  • Where is the data stored and backed-up?

  • What service and support is offered?

  • Does the provider comply with Australian privacy laws?

  • Under what circumstances would the provider access your data or disclose it to a third party?

  • Will you be notified if your data has been lost, breached or its security compromised?

  • How much does the cloud service cost?

If in doubt, you should seek advice from the Office of the Australian Information Commissioner.

 

We cannot speak about Google Drive, Dropbox or Box.com, but any service that holds the data outside of Australia and its territories would be seen as offshore data storage.

 

This may be a matter to raise with an IT consultant/expert before engaging a software provider.

Code item 6 – confidentiality of client information

Under Code item 6 you cannot disclose client information to a third party unless you have their permission or there is a legal duty to do so. A ‘third party’ is any entity other than you and your client and includes the ATO.

Information or documents can be provided to the ATO under a notice pursuant to section 353-10 in Schedule 1 of the Taxation Administration Act 1953 concerning taxation laws. This requirement is subject to that material being properly withheld by the registered agent under legal professional privilege.

Importantly, if you are concerned whether there is a legal duty to disclose client information to a third party, you should consider seeking independent legal advice.

 

You will need your client’s permission before disclosing any information to a third party, which would include a software company in this scenario.

 

Permission may be given using a signed letter of engagement, signed consent or other communication with the client. In all cases, the relevant communication should outline the disclosures to be provided, as well as information about the entity or entities that will have access to the client information.

For further information see our Information Sheet on confidentiality of client information.

Compliance

Yes, as long as the client has acknowledged receipt and acceptance of the terms of your engagement and the use of cloud computing, this provides you with protection.

Email confirmation is accepted under the Electronic Transactions Act 1999 as evidence ‘in writing’.

 

The Taxation Administration Act 1953 requires you to have first received a signed declaration in writing from your client each time you lodge an approved form on behalf of your clients. This only applies to lodgement of approved forms such as activity statements and tax returns. It does not mean you require authorisation each time you contact the ATO to act on your client’s behalf.

If you are using cloud-based accounting software that doesn’t have functionality for a declaration to be made, we recommend a separate declaration be made via email or letter, clearly stating which document is being authorised for lodgement.

Your client should keep the declaration (or a copy) for up to five years. We recommend you also keep a copy of the declaration for your own records. The copy can be stored electronically, regardless of whether it was received by email or in paper form.

 

Questions in relation to the laws relating to tax file number (TFN) disclosure should be directed to the Office of the Australian Information Commissioner (OAIC) and ATO, as they are primarily responsible for the administration of these laws.

 

Whether a tax practitioner can retain client data after a client has left will depend on the circumstances of the engagement and the type of data in question. Our Information Sheet on claiming a lien over client property sets out the circumstances in which it would generally be appropriate for a tax practitioner to retain client property (including client data), through exercising a valid lien. Generally, to exercise a valid lien:

  1. The tax practitioner must be claiming the lien in their own right, and not merely as an agent of a third person.

  2. The tax practitioner must have actual or constructive possession of the client’s property.

  3. The outstanding debt or demand must be connected to the property over which the lien is being claimed.

Further, it is widely accepted that tax practitioners can only claim a lien over property upon which they have expended labour and made more valuable. Therefore, a lien could only attach to electronic property such as a software data file where the tax practitioner has expended labour and made the property more valuable.