ATO updates guidance ahead of new data laws
The tax office has released updated guidance for tax professionals in dealing with data breaches in light of the impending Notifiable Data Breaches (NDB) scheme set to roll out next month.
The NDB scheme will commence on 22 February 2018, and will require agencies, organisations and certain other entities to provide notice to the Office of the Australian Information Commissioner (OAIC) and affected individuals of a data breach.
The scheme will cover accountants and tax professionals who deal with tax file numbers, as well as entities that have an annual turnover of more than $3 million.
According to the ATO, tax professionals are a target for identity theft because of the large amount of client, staff and business information they hold.
“Tax professionals who experience a data breach may discover their clients' identities have been stolen, and refund fraud committed in the client's name,” the ATO said.
Examples of breaches include unauthorised access to cloud-based accounting software, unlawful access to payroll information, fraudulent access to taxpayer files, hacking or phishing for information, accidental disclosure of information, and unauthorised removal of data in both paper and digital formats.
Apart from contacting the OAIC to ensure compliance with the NDB scheme, the ATO has also recommended that professionals inform the tax office as soon as practical to ensure measures can be applied to protect their data.
“Tax professionals are encouraged to report data breaches to us to ensure protective measures can be placed on client accounts, protecting them and government revenue from further harm,” the ATO said.
“Data breaches are often a precursor for refund fraud. The ATO has sophisticated mechanisms in place for identifying and protecting against potential refund and superannuation fraud that assist in meeting our obligation to protect government revenue.
“We protect the privacy of client records by our proof of record ownership processes. If a data breach occurs within your practice we may implement a range of additional safeguards to protect clients and government revenue.”
Further, the ATO may assign a data breach manager to assist in the management of data breaches within the practice, providing support to lessen the impact of the data breach on the firm and its clients.