Written by Robert Deutsch CTA *
A number of members of The Tax Institute have commented upon the Privacy Amendment (Notifiable Data Breaches) Act 2017 (‘the Act’), which formally commences operation on 22 February 2018.
This is an important Act which has significant potential implications for tax practitioners.
The Act, while mercifully brief (coming to a mere 22 pages), is accompanied by an explanatory memorandum which runs to 104 pages. The explanatory memorandum's length in part explains some of the complexities that arise in the context of this legislation.
For our immediate purposes, the critical point to understand is that the notifiable data breaches scheme which is introduced by this legislation applies to Tax File Number (TFN) recipients in relation to their handling of TFN information.
A TFN recipient is any person who is in possession or control of a record that contains TFN information, and TFN information is information that connects a TFN with the identity of a particular individual.
The net effect of the existing privacy laws and the laws that will come into effect on 22 February is that tax practitioners (who are handling documents which contain a TFN and connect that TFN to a particular person) will need to take extra care to ensure that:
In determining whether it is so likely to result in serious harm, you must have regard to:
Non-compliance could result in heavy penalties.
What does all this mean for a registered tax agent who is communicating with their client and others in circumstances where documents are passing between them, where a TFN and the relevant person to whom the TFN pertains are identified?
In a practical sense, what it means is that first you have to take reasonable care to ensure that information is appropriately protected. Clearly, this would include taking reasonable steps to protect electronic records in relation to all known problems such as invasive computer viruses. Appropriate, up-to-date software protection is essential.
Secondly, as a result of the new legislation, a practitioner who knows that there has been a compromise of the privacy of the information, or who recklessly fails to discover such a compromise in circumstances where by taking reasonable steps it would have been discovered, is likely to be in breach of the legislation.
This does not mean that information containing TFNs and their connection to the referable individual cannot be passed between the agent and others. It does, however, mean that care needs to be taken to ensure that the information is appropriately protected, and that if there is a breach, for whatever reason, that the agent should have known about by making reasonable enquiries, the agent will have a problem.
In most cases, there will be no problem unless an agent either deliberately ignores what is a clear breach of the privacy of the individual concerned, or sticks their head in the sand and, by so doing, deliberately sets about not detecting a breach.
Reasonable steps taken by agents to detect and discover a breach should ensure compliance with the legislation.
* Robert Deutsch is The Tax Institute’s Senior Tax Counsel. This article was first published in the 9 February 2018 issue of the Institute’s member-only TaxVine newsletter.