Disclosing client data – Compliance with the Privacy Act is not enough! Part 1

Prepared by Julia Winzar

The Tax Practitioners Board has released an information sheet for tax (financial) advisers clarifying its expectations for maintaining confidentiality of client information. These requirements will apply to limited ASFL holders.

Under the Code of Professional Conduct, limited ASFL holders (and other entities registered as tax agents) are required to obtain consent from their clients before disclosing any information about the client’s affairs to a third party. Third parties include any related entities and third party service providers such as cloud storage providers, para-planners or insurance brokers.

This obligation goes beyond the requirements set out in the Privacy Act. Under the Privacy Act you can make a disclosure to a third party without the individual’s consent if the disclosure is for the primary purposes for which the information was collected or for a secondary, related purpose and the individual would reasonably expect such a disclosure to occur. So unfortunately, even if you are compliant from a Privacy Act perspective, you will need to implement some additional processes to ensure you are compliant with the Code of Professional Conduct.

In addition, the obligation to obtain client consent before disclosing their information to third parties has implications for limited ASFL holders when entering into cloud arrangements. We discuss the consent requirements and implications for cloud arrangements over three short articles.