Tax practitioners and the NDB scheme

Entities that are already covered by the Privacy Act must comply with the NDB scheme. This includes Australian Privacy Principle (APP) entities, as well as tax file number (TFN) recipients to the extent that TFN information is involved in a data breach.

Registered tax practitioners already have obligations to protect TFN information under Privacy (Tax File Number) Rule 2015 and the Taxation Administration Act 1953.

If tax practitioners fail to comply with the new NDB scheme there may be implications in relation to the Tax Agent Services Act 2009 (TASA). Such a failure may be considered by the TPB in determining whether you have breached the TASA, including the Code of Professional Conduct (Code).

In particular, Code item 6 (confidentiality) requires that a registered tax practitioner must not disclose information relating to a client's affairs to a third party without the client's permission or without a legal duty to do so.

Factors to be considered include:

• has the tax practitioner taken reasonable steps to have sufficient IT controls in place?

• was the practitioner reckless in their approach to cyber security?

If a practitioner has been incompetent or reckless regarding IT controls, and this has resulted in a breach of confidentiality because of a cyber incident, the TPB may impose one or more administrative sanctions for breach of the Code.

Each situation will be considered on a case-by-case basis, including the circumstances of the data breach and the steps taken to report and rectify the problem.

For further TPB guidance read protect your practice from cyber-attacks.

Complying with the NDB scheme

The OAIC expects organisations to develop their own procedures for assessing a suspected data breach. Examples of a data breach may include:

• data or records containing customers' personal information is lost or stolen

• a database containing personal information is hacked

• a cyber-attack results in personal information being disclosed

• personal information is mistakenly provided to the wrong person.

The TPB recommends all tax practitioners review their practices, procedures and systems for securing personal information to comply with these new provisions. You should consider:

• reviewing current information security practices, procedures and systems to ensure they are adequate, including taking steps to ensure all security software and controls are up to date, and to remove accesses from people who no longer require these accesses

• preparing a data breach response plan (or updating a current plan) to ensure the ability to respond quickly to suspected data breaches

• providing training to relevant staff as to any role they may have in responding to data breaches.

Refer to the OAIC website for guidance on what to do in the event of a data breach. Keep up to date with the latest developments by subscribing to the OAIC newsletter.

Notifying affected individuals about an eligible data breach

The NDB scheme requires organisations covered by the Privacy Act to notify any individuals likely to be at risk of serious harm by a data breach. Advice must include recommendations about the steps that should be taken in response to the data breach.

An eligible data breach occurs when three criteria are met:

1. there is unauthorised access to, or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds

2. this is likely to result in serious harm to one or more individuals, and

3. the entity has not been able to prevent the likely risk of serious harm with remedial action.

Further guidance on this issue is available on the OAIC website.

Support available in the event of a data breach

Data breaches are often a precursor for refund fraud. The ATO can help you in the event of a data breach and may apply measures to protect your business, staff and clients where necessary.

For more information on data breaches and support available for tax professionals, refer to the ATO website.