The Notifiable Data Breaches (NDB) scheme came into effect on 22 February 2018, requiring agencies, organisations and certain other entities to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of an eligible data breach.
The NDB scheme has significant application to tax professionals because it covers individuals who receive and handle tax file numbers (TFNs), as well as entities already covered by the Privacy Act.
While the TPB does not administer the new provisions, it has announced that tax practitioners who fail to comply with the NDB scheme may face sanctions from the TPB itself, on top of the severe penalties that can be imposed by the OAIC.
“If tax practitioners fail to comply with the new NDB scheme there may be implications in relation to the Tax Agent Services Act 2009 (TASA),” the TPB said in a statement.
“Such a failure may be considered by the TPB in determining whether you have breached the TASA, including the Code of Professional Conduct (Code).
“If a practitioner has been incompetent or reckless regarding IT controls, and this has resulted in a breach of confidentiality because of a cyber incident, the TPB may impose one or more administrative sanctions for breach of the Code.”
Under the TASA, the TPB may issue a written caution, issue an order, suspend a registration, or terminate a registration for failure to comply with the Code of Professional Conduct.
“Head in the sand”
The Tax Institute senior tax counsel Professor Robert Deutsch says practitioners can no longer afford to be oblivious to, or deliberately ignore, the security of their information.
“In a practical sense, what it means is that first you have to take reasonable care to ensure that information is appropriately protected,” said Professor Deutsch.
“[Also], as a result of the new legislation, a practitioner who knows that there has been a compromise of the privacy of the information, or who recklessly fails to discover such a compromise in circumstances where by taking reasonable steps it would have been discovered, is likely to be in breach of the legislation.
“In most cases, there will be no problem unless an agent either deliberately ignores what is a clear breach of the privacy of the individual concerned, or sticks their head in the sand and, by so doing, deliberately sets about not detecting a breach.”