Webinar

Issued: 27 April 2023

Last modified: 15 June 2023


View the resources for our webinar, Using the cloud.

This webinar will provide you with the opportunity to learn about your responsibilities in relation to client confidentiality and what you need to consider if you are using a cloud service provider to store and manage client records.

Resources

Webinar recording

 Using the cloud webinar recording 

Questions and answers

We have compiled some of the questions we received during the webinar.

Outsourcing and offshoring

The most important consideration with offshore processing is that providers in many other countries that may process, store or have access to your data are not bound by Australian privacy laws. For this reason, many businesses choose to ensure their data is processed and stored within Australia.

 

An employee of a registered tax practitioner's business, who is located overseas, does not constitute an arrangement with a third party. However, you would also need to consider if that employee is required to use any offsite data storage systems (such as cloud storage) to perform their duties. 

If the employee is involved in the provision of tax agent services (including BAS services) on your behalf, you will need to ensure that you have adequate supervisory arrangements in place to enable you to ensure that those services are being provided to a competent standard. 

Check out our outsourcing and offshoring practice note for more information. 

 

Yes, any process, function, service or activity that is transferred to a country other than Australia is offshoring. Check out our outsourcing and offshoring practice note for more information.

 

Yes, it certainly is, but every IT solution carries risks you need to be mindful of and mitigate, including an on-premises server. The risks of an on-premises server concern the physical security of the server and of its backups, both of which are harder to manage on site than with a reputable provider.

 

We do not recommend or prefer any particular provider. This is a business decision, and you will need to research providers yourself. You can consider things such as:

  • What privacy provisions are in place?

  • What would happen in the unfortunate event of a breach?

  • Who owns the data?

  • Who has access to the data?

  • Where is the data stored and backed up?

  • What service and support is offered?

  • Does the provider comply with Australian privacy laws?

  • Under what circumstances would the provider access your data or disclose it to a third party?

  • Will you be notified if your data has been lost, breached or its security compromised?

If in doubt, you should seek advice from the Office of the Australian Information Commissioner.

 

What to ask online providers

In the context of cloud arrangements, you may wish to consider these questions:

  • what are the details of any limitation of liability arrangements (for example, clauses contained in the terms and conditions of the cloud provider agreement(s) or terms of use)?

  • is the provider allowed to unilaterally change relevant terms of the agreement (that is, without input from the tax practitioner), including in relation to how or where data is stored or managed?

  • how is the information being transferred between systems and data integrity being maintained?

  • how is the information being stored?

  • is the information being held offshore (that is, stored or processed on equipment not located in Australia) and, if so, what are the consequences (including any additional legislative and regulatory requirements the information may be subject to)?

  • what processes does the cloud provider have in place in relation to the backup and archiving of information (such as multiple backup servers)?

  • which security controls are the tax practitioner's responsibility and which are the provider's (for example, passwords, multi-factor authentication, encryption and backups)?

  • what protections are in place to prevent service access being disrupted?

  • what processes are in place for managing and resolving disputes in relation to access to client information?

  • what processes are in place when the arrangement ends (including, for example, the return of or access to data held in the cloud)?

The answers to these questions should help you determine if an arrangement will satisfy your Code obligations.

 

Unfortunately, we cannot provide a template, as each business needs to assess a provider against its own business needs and its legal obligations. We recommend seeking advice from the Office of the Australian Information Commissioner.

 

Information disclosure or authorisation

Code item 6 states that unless you have a legal duty to do so, you must not disclose any information relating to a client’s affairs to a third party without your client’s permission. A third party includes any party other than the client and the tax practitioner, so this would include your software provider. To ensure you meet your Code obligations, you should seek permission from your clients prior to any disclosure. This can be done using a signed letter of engagement at the commencement of engaging that client, or another form of signed consent. Refer to Confidentiality of client information for more information.

 

You would need to consider the specific facts and circumstances, but if the service used to sign documents involves disclosing information relating to the client's affairs (for example, a tax return) to the service provider, this constitutes disclosure to a third party. To comply with your obligation to maintain client confidentiality under Code item 6, you must obtain your client's permission to use that service before any disclosure to the third party. Refer to Confidentiality of client information for more information.

 

Yes, you will need to obtain written consent from your clients prior to disclosing any information relating to their affairs, for example, before you use the service to store your client's data. This permission may be obtained through a signed letter of engagement, signed consent or other communication with the client.

 

Storing information

Under the Taxation Administration Act 1953, tax practitioners should retain client information for a period of 5 years. 

 

Notifiable data breaches

The Notifiable Data Breaches (NDB) scheme applies to eligible data breaches. Under the NDB scheme, any organisation or agency covered by the Privacy Act 1988 (including registered tax practitioners) must notify affected individuals (that is, the relevant clients) and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual whose personal information is involved. Check out our information on the NDB scheme for more.

 

To determine if the communication of a client’s tax file number (TFN) in an email breaches the relevant legislation, we would need to consider the facts and circumstances of the disclosure. This would include if the tax practitioner had taken reasonable steps to have ICT controls in place to protect the security of the TFN.

According to the OAIC’s guidance, the reasonable steps ultimately depend on the circumstances of the tax practitioner, which include:

  • the nature of the tax practitioner entity

  • the amount and sensitivity of the personal information held by the tax practitioner (for example, if a tax practitioner holds TFN information relating to a significant number of clients, they should adopt more rigorous and reliable security measures to safeguard electronically secured and communicated information)

  • the possible adverse consequences for an individual in the case of a breach (in relation to any resulting loss or misuse of TFN information, these consequences include the risk of identity theft)

  • the practical implications (such as time and cost) involved in implementing the security measure

  • if the security measure itself is privacy invasive.
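One concrete "ICT control" of the kind the OAIC guidance has in mind is a check on outgoing email that flags a TFN before the message leaves the practice. The following is an added example, not code from the TPB or the OAIC; the email text is constructed and the TFNs in it are the published test value 123 456 782 and a deliberately invalid neighbour. Matching nine digits alone would flag phone and invoice numbers, so each candidate is also run through the TFN check-digit algorithm (weights 1, 4, 3, 7, 5, 8, 6, 9, 10; the weighted sum must be divisible by 11).

```python
"""Added example (not part of the TPB webinar page): a minimal outbound-email
check that flags tax file numbers (TFNs) before a message leaves the practice.

A TFN is nine digits, usually written as "123 456 782" or "123-456-782".
Matching digits alone produces many false positives (phone numbers, invoice
numbers), so each candidate is also validated with the TFN check-digit
algorithm: multiply the digits by the weights 1,4,3,7,5,8,6,9,10, sum them,
and require the total to be divisible by 11.
"""
import re

TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Three groups of three digits, optionally separated by a space or hyphen,
# not embedded inside a longer digit run (so a 10-digit phone number is skipped).
TFN_PATTERN = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")


def is_valid_tfn(candidate: str) -> bool:
    """Return True if the nine digits pass the TFN weighted-sum check."""
    digits = [int(ch) for ch in candidate if ch.isdigit()]
    if len(digits) != 9:
        return False
    total = sum(d * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


def find_tfns(text: str) -> list[str]:
    """Return every checksum-valid TFN found in text, separators removed."""
    found = []
    for match in TFN_PATTERN.finditer(text):
        digits = "".join(match.groups())
        if is_valid_tfn(digits):
            found.append(digits)
    return found


def redact_tfns(text: str) -> str:
    """Mask each checksum-valid TFN, keeping only the last three digits."""
    def _mask(match: re.Match) -> str:
        digits = "".join(match.groups())
        if not is_valid_tfn(digits):
            return match.group(0)  # not a TFN: leave the number untouched
        return "*** *** " + digits[-3:]
    return TFN_PATTERN.sub(_mask, text)


def check_outbound_email(body: str) -> dict:
    """Decide whether an email may be sent as-is.

    Returns the verdict, the TFNs found, and a redacted body that could be
    sent instead (or shown to the practitioner in the alert).
    """
    tfns = find_tfns(body)
    return {
        "allow": not tfns,
        "tfns_found": tfns,
        "redacted_body": redact_tfns(body),
    }


# Constructed sample message (not real client data). 123 456 782 passes the
# check digit; 123-456-789 does not; the phone number is too long to match.
SAMPLE_EMAIL = (
    "Hi Sam, your TFN is 123 456 782 and the invoice number is 123-456-789.\n"
    "Call 0412 345 678 if you have questions."
)

if __name__ == "__main__":
    result = check_outbound_email(SAMPLE_EMAIL)
    print("allow:", result["allow"])
    print("TFNs found:", result["tfns_found"])
    print(result["redacted_body"])
```

In a mail gateway this check would run on the body and on text extracted from attachments; the redacted form is useful because it tells the sender which number tripped the control without repeating the TFN in the alert.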

 

Liability

The Small Business Cyber Security Guide from the Australian Cyber Security Centre (ACSC) will help you understand the security of services such as Microsoft Office.

 

You need to confirm with the client that they are providing you with their consent to disclose their information before you provide or input the information into the cloud-based application.

 

Professional indemnity insurance

We recommend you consider taking out additional cyber insurance cover to assist with first-party losses arising from a cyber attack. For further information, refer to our Explanatory paper.

 

Cyber security

As with all IT solutions, there are risks you need to assess and mitigate. Yes, cloud providers can go offline and can have their security compromised. While no set of mitigation strategies is guaranteed to protect against every cyber threat, the ACSC recommends implementing its eight essential mitigation strategies (the Essential Eight).

 

As a minimum, we consider the following to be best practice:

  • install and maintain anti-virus software on your workplace computers

  • deploy firewalls on your workplace computers and/or workplace networks

  • ensure that your computer operating systems and programs always have the latest security patches

  • protect client records or files using encryption where possible

  • use a strong, unique password for each account and change it promptly if you suspect it has been compromised

  • use a second form of authentication (for example, an authenticator app or, failing that, SMS) to protect your online accounts (for example, email) wherever possible.

You may wish to seek expert advice from an IT security provider to determine what software suits your commercial needs while meeting your Code obligation to protect client confidentiality.

 

Refer to the Guidelines for cyber security incidents on the ACSC website, which describe some ways you can detect cyber security incidents. Many password managers also have a feature that checks whether any of your credentials have been compromised and published in known data breaches.
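A reasonable question to ask of such a feature is whether your password has to be sent to anyone to be checked. It does not. The following added example (not code from the TPB page or from any password manager) shows the k-anonymity range query used by the Pwned Passwords service at https://api.pwnedpasswords.com/range/<prefix>: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every suffix that shares that prefix together with a breach count, and does the match locally. The network call is replaced here by a constructed stand-in server with a made-up breach corpus so the code runs offline.

```python
"""Added example (not part of the TPB page or any password manager's code):
a breached-password check that never sends the password itself.

Technique: the Pwned Passwords k-anonymity range query. Only the first 5 hex
characters of SHA-1(password) leave the client; the server returns every
'SUFFIX:COUNT' line for hashes starting with that prefix and the client checks
for its own suffix. The HTTP request is replaced by fake_fetch_range(), which
stands in for the service with a constructed corpus and invented counts.
"""
import hashlib
from typing import Callable


def sha1_hex_upper(password: str) -> str:
    """Pwned Passwords keys on uppercase hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix that is sent to the service, suffix that stays local)."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF separated in the real service)."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in known breaches (0 if never).

    fetch_range takes the 5-character prefix and returns the response body;
    in production it would be an HTTPS GET of /range/<prefix>.
    """
    prefix, suffix = split_for_range_query(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


# Constructed stand-in for the service side. The corpus and counts are made up;
# the real service stores hashes, not plaintext, and pads responses so that
# every prefix returns a similar number of lines.
FAKE_BREACH_CORPUS = {
    "password": 9_000_000,
    "P@ssw0rd!": 120_000,
    "letmein": 450_000,
}


def fake_fetch_range(prefix: str) -> str:
    """Return the 'SUFFIX:COUNT' lines whose full hash starts with prefix."""
    lines = []
    for pw, count in FAKE_BREACH_CORPUS.items():
        digest = sha1_hex_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ("password", "letmein", "a long unique passphrase 2023!"):
        prefix, _ = split_for_range_query(candidate)
        n = breach_count(candidate, fake_fetch_range)
        print(f"sent prefix {prefix}: {candidate!r} seen {n} times")
```

The property worth noticing is that the server learns only a 20-bit prefix shared by a large number of unrelated passwords, which is why a password manager can run this check without disclosing your credential to the checking service.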

 

We have various resources on our website to help tax practitioners stay cyber safe. You can also view our webinar recording Prevention is better than cure – assess your cyber risk! to learn how to assess any potential cyber risk to your business and what steps you can take to protect your practice and client information. We have also compiled some answers to questions we received during the webinar that you can find on our webinar resources hub.

We are in the process of collaborating with the Australian Taxation Office and ACSC to provide some further guidance to tax practitioners. Keep an eye on our website and TPB eNews over coming months.