Tax agents and privacy – don't stick your head in the sand!
written by Robert Deutsch CTA *
A number of members of The Tax Institute have commented upon the Privacy Amendment (Notifiable Data Breaches) Act 2017 (‘the Act’) which commences to formally operate on 22 February 2018.
This is an important Act which has significant potential implications for tax practitioners.
The Act, while mercifully brief (coming to a mere 22 pages), is accompanied by an explanatory memorandum which runs to 104 pages. The explanatory memorandum's length in part explains some of the complexities that arise in the context of this legislation.
Who does the notifiable data breaches scheme apply to?For our immediate purposes, the critical point to understand is that the notifiable data breaches scheme which is introduced by this legislation applies to Tax File Number (TFN) recipients in relation to their handling of TFN information.
A TFN recipient is any person who is in possession or control of a record that contains TFN information, and TFN information is information that connects a TFN with the identity of a particular individual.
What are the effects of the notifiable data breaches scheme?The net effect of the existing privacy laws and the laws that will come into effect on 22 February is that tax practitioners (who are handling documents which contain a TFN and connects that TFN to a particular person) will need to take extra care to ensure that:
- they have taken all reasonable steps to handle personal information, including information pertaining to TFNs to protect that personal information from misuse, interference or loss, and from unauthorised access, modification or disclosure
- if there is a suspected or known breach, to take immediate steps to limit any further access or distribution of the affected personal information or possible compromise of any information
- if there are reasonable grounds to believe that the data breach is likely to result in serious harm to any individuals whose information is involved, the person responsible must notify the individual concerned and the Australian Information Commissioner of the eligible data breach.
In determining whether it is so likely to result in serious harm, you must have regard to:
- the kind of information
- its sensitivity
- whether the information is protected by security measures
- whether any security measures in place to protect the information could be compromised
- who has obtained or could obtain the information
- whether a person could have obtained information or knowledge which could circumvent the relevant security technology or methodology
- the nature of the harm
- any other relevant matter (see s26WG of the Act).
Non-compliance could result in heavy penalties.
What does the scheme mean for tax professionals?What does all this mean for a registered tax agent who is communicating with their client and others in circumstances where documents are passing between them, where a TFN and the relevant person to whom the TFN pertains is identified?
In a practical sense, what it means is that first you have to take reasonable care to ensure that information is appropriately protected. Clearly, this would include taking reasonable steps to protect electronic records in relation to all known problems such as invasive computer viruses. Appropriate, up-to-date software protection is essential.
Secondly, as a result of the new legislation, a practitioner who knows that there has been a compromise of the privacy of the information, or who recklessly fails to discover such a compromise in circumstances where by taking reasonable steps it would have been discovered, is likely to be in breach of the legislation.
This does not mean that information containing TFNs and their connection to the referable individual cannot be passed between the agent and others. It does, however, mean that care needs to be taken to ensure that it is appropriately protected information, and that if there is a breach for whatever reason, that the agent should have known about by making reasonable enquiries, they will have a problem.
In most cases, there will be no problem unless an agent either deliberately ignores what is a clear breach of the privacy of the individual concerned, or sticks their head in the sand and, by so doing, deliberately sets about not detecting a breach.
Reasonable steps taken by agents to detect and discover a breach should ensure compliance with the legislation.
* Robert Deutsch is The Tax Institute’s Senior Tax Counsel. This article was first published in the 9 February 2018 issue of the Institute’s member-only TaxVine newsletter.