Issued: 27 April 2023
Last modified: 15 June 2023
View the resources for our webinar, Using the cloud.
This webinar will provide you with the opportunity to learn about your responsibilities in relation to client confidentiality and what you need to consider if you are using a cloud service provider to store and manage client records.
Resources
Webinar recording
Using the cloud webinar recording
Questions and answers
We have compiled some of the questions we received during the webinar.
Outsourcing and offshoring
Does the TPB have a view on outsourcing and processing client information offshore?
The most important consideration with offshore processing is that many countries that may process and have access to your data are not bound by Australian privacy laws. For this reason, many companies choose to ensure their data is processed and stored within Australia.
We have an employee that relocated overseas and now works remotely. Are there any issues with this in relation to third parties?
An employee of a registered tax practitioner's business, who is located overseas, does not constitute an arrangement with a third party. However, you would also need to consider if that employee is required to use any offsite data storage systems (such as cloud storage) to perform their duties.
If the employee is involved in the provision of tax agent services (including BAS services) on your behalf, you will need to ensure that you have adequate supervisory arrangements in place to enable you to ensure that those services are being provided to a competent standard.
Check out our outsourcing and offshoring practice note for more information.
What if an Australian accounting firm contracted staff to work from Asia? Is this offshoring?
Yes, any process, function, service or activity that is transferred to a country other than Australia is offshoring. Check out our outsourcing and offshoring practice note for more information.
Is it still okay to use an on-premises server for a small practice?
Yes, it certainly is, but there are risks with all IT solutions that you need to be mindful of and mitigate, including when using an on-premises server. The particular risks with an on-premises server concern the physical security of the server and its backups, both of which are more challenging to manage on site.
Is there a preference on the part of TPB to use cloud providers onshore?
We don’t recommend or have a preference on providers. This is a business decision, and you will need to research providers. You can consider things such as:
- What privacy provisions are in place?
- What would happen in the unfortunate event of a breach?
- Who owns the data?
- Who has access to the data?
- Where is the data stored and backed up?
- What service and support is offered?
- Does the provider comply with Australian privacy laws?
- Under what circumstances would the provider access your data or disclose it to a third party?
- Will you be notified if your data has been lost, breached or its security compromised?
If in doubt, you should seek advice from the Office of the Australian Information Commissioner.
What to ask online providers
Is there a check list we can use to help us with the questions we should ask online providers?
In the context of cloud arrangements, you may wish to consider these questions:
- what are the details of any limitation of liability arrangements (for example, clauses contained in the terms and conditions of the cloud provider agreement(s) or terms of use)?
- is the provider allowed to unilaterally change relevant terms of the agreement (that is, without input from the tax practitioner), including in relation to how or where data is stored or managed?
- how is the information being transferred between systems and how is data integrity being maintained?
- how is the information being stored?
- is the information being held offshore (that is, stored or processed in equipment not located in Australia) and, if so, what are the consequences (including any additional legislative and regulatory requirements that the information may be subject to)?
- what processes does the cloud provider have in place in relation to the backup and archiving of information (such as multiple backup servers)?
- what security controls are the tax practitioner and the provider each responsible for (such as passwords, encryption and backups)?
- what protections are in place to prevent service access being disrupted?
- what processes are in place for managing and resolving disputes in relation to access to client information?
- what processes are in place when the arrangement ends (including, for example, the return of or access to data held in the cloud)?
The answers to these questions should help you determine if an arrangement will satisfy your Code obligations.
Does the TPB have a standard template for tax practitioners to consider when signing up with cloud service providers?
Unfortunately, we cannot provide a template, as each business needs to assess the provider according to its own business needs while also taking into consideration its legal obligations. We recommend seeking advice from the Office of the Australian Information Commissioner.
Information disclosure or authorisation
Often when my software is not working, the software provider logs into my software to fix the problem. This means the software provider is seeing clients’ information while they fix the issue. Where do I stand in this situation? Am I breaching the Code?
Code item 6 states that unless you have a legal duty to do so, you must not disclose any information relating to a client’s affairs to a third party without your client’s permission. A third party includes any party other than the client and the tax practitioner, so this would include your software provider. To ensure you meet your Code obligations, you should seek permission from your clients prior to any disclosure. This can be done using a signed letter of engagement at the commencement of engaging that client, or another form of signed consent. Refer to Confidentiality of client information for more information.
What if a tax agent uses a service for clients to sign documents? Is this a third-party disclosure?
You would need to consider the specific facts and circumstances, but if the service to sign documents includes disclosure of information relating to the client's affairs (i.e. a tax return) to the service provider, this would constitute disclosure to a third party. To ensure that you comply with your obligations to maintain client confidentiality under Code item 6, you must ensure that you have obtained your client's permission for use of that service prior to any disclosure to a third party. Refer to Confidentiality of client information for more information.
If you engage a third-party cloud software provider, do you have to obtain written approval prior to signing with the third party?
Yes, you will need to obtain written consent from your clients prior to disclosing any information relating to their affairs, for example, before you use the service to store your client's data. This permission may be obtained through a signed letter of engagement, signed consent or other communication with the client.
Storing information
How long should a tax practitioner store client data?
Under the Taxation Administration Act 1953, tax practitioners should retain client information for a period of 5 years.
Notifiable data breaches
What if there is a data breach from an offshore contractor?
The Notifiable Data Breaches (NDB) scheme applies to eligible data breaches. Under the NDB scheme, any organisation or agency the Privacy Act 1988 covers (including registered tax practitioners) must notify affected individuals (i.e. the relevant clients) and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual whose personal information is involved. Check out our information on the NDB scheme for more.
What is our liability as tax practitioners if we receive a tax file number from a client over email and it gets stolen?
To determine if the communication of a client’s tax file number (TFN) in an email breaches the relevant legislation, we would need to consider the facts and circumstances of the disclosure. This would include if the tax practitioner had taken reasonable steps to have ICT controls in place to protect the security of the TFN.
According to the OAIC’s guidance, the reasonable steps ultimately depend on the circumstances of the tax practitioner, which include:
- the nature of the tax practitioner entity
- the amount and sensitivity of the personal information held by the tax practitioner (for example, if a tax practitioner holds TFN information relating to a significant number of clients, they should adopt more rigorous and reliable security measures to safeguard electronically stored and communicated information)
- the possible adverse consequences for an individual in the case of a breach (in relation to any resulting loss or misuse of TFN information, these consequences include the risk of identity theft)
- the practical implications (such as time and cost) involved in implementing the security measure
- whether the security measure itself is privacy invasive.
Liability
If we use popular websites to store our data such as Microsoft OneDrive, are we covered?
To understand the security of services like Microsoft Office, the Small Business Cyber Security Guide from the Australian Cyber Security Centre (ACSC) will help.
If a client wants to use cloud-based applications for bookkeeping, what are the BAS agent’s obligations?
You need to confirm with the client that they are providing you with their consent to disclose their information before you provide or input the information into the cloud-based application.
Professional indemnity insurance
Is a tax practitioner expected to take out cyber insurance to cover themselves against data breaches incurred by a third-party accounting software provider they use for a client?
We recommend you consider taking out additional cyber insurance cover to assist with first party losses arising from a cyber-attack. For further information refer to our Explanatory paper.
Cyber security
Can the cloud be switched off or taken control of by a cybercriminal?
As with all IT solutions, there are risks that you need to assess and mitigate. Yes, cloud providers can go offline and can have their security infiltrated. While no set of mitigation strategies is guaranteed to protect against all cyber threats, the ACSC recommends implementing its eight essential mitigation strategies (the Essential Eight).
As most software like MYOB requires a working internet connection and/or cloud access, how can tax practitioners avoid cyber-attacks? Should we use a firewall?
As a minimum, we consider the following to be best practice:
- install and maintain anti-virus software on your workplace computers
- deploy firewalls on your workplace computers and/or workplace networks
- ensure that your computer operating systems and programs always have the latest security patches
- protect client records or files using encryption where possible
- regularly change your passwords
- consider using a second form of authentication (for example, SMS) to protect your online accounts (for example, email) where possible.
You may wish to seek expert advice from an IT security provider to determine what software suits your commercial needs while meeting your Code obligation to protect client confidentiality.
What are signs that you have been impacted by a cyber-attack?
Refer to the Guidelines for cyber security incidents on the ACSC website which provide some ways you can detect cyber security incidents. Many password managers also have features that enable you to check if any of your credentials have been compromised and published on the dark web.
What is the TPB prepared to do to help small tax practitioner businesses stay cyber safe? We need help with practical courses and resources.
We have various resources on our website to help tax practitioners stay cyber safe. You can also view our webinar recording Prevention is better than cure – assess your cyber risk! to learn how to assess any potential cyber risk to your business and what steps you can take to protect your practice and client information. We have also compiled some answers to questions we received during the webinar that you can find on our webinar resources hub.
We are in the process of collaborating with the Australian Taxation Office and ACSC to provide some further guidance to tax practitioners. Keep an eye on our website and TPB eNews over coming months.