The Notifiable Data Breaches (NDB) scheme came into effect on 22 February, requiring agencies, organisations and certain other entities to provide notice to the Office of the Australian Information Commissioner (OAIC) and affected individuals of a data breach.
Entities that are already covered by the Privacy Act must comply with the NDB scheme. This includes Australian Privacy Principle (APP) entities, as well as tax file number (TFN) recipients to the extent that TFN information is involved in a data breach.
Last month, the TPB released guidance announcing that tax practitioners who fail to comply with the NDB scheme could face sanctions from the body, on top of severe penalties issued by the OAIC.
“If tax practitioners fail to comply with the new NDB scheme there may be implications in relation to the Tax Agent Services Act 2009 (TASA),” the TPB said in a statement.
“Such a failure may be considered by the TPB in determining whether you have breached the TASA, including the Code of Professional Conduct (Code).
“If a practitioner has been incompetent or reckless regarding IT controls, and this has resulted in a breach of confidentiality because of a cyber incident, the TPB may impose one or more administrative sanctions for breach of the Code.”
The TPB also notes that each situation will be considered on a case-by-case basis, including the circumstances of the data breach and the steps taken to report and rectify the problem.
Factors considered by the TPB will include whether the tax practitioner had taken reasonable steps to have sufficient IT controls in place, and whether the practitioner was reckless in their approach to cyber security.
According to the TASA, the TPB may issue a written caution, issue an order, suspend a registration, or terminate a registration, for failure to comply with the Code of Professional Conduct.