TPB sanctions on the cards for data law non-compliance
The Tax Practitioners Board (TPB) has announced that tax practitioners who fail to comply with new data laws may face significant sanctions, including possible termination of registration.
New privacy laws, the Notifiable Data Breaches (NDB) scheme, came into effect on 22 February, requiring entities, agencies, and organisations to provide notice to the Office of the Australian Information Commissioner (OAIC) and impacted individuals in the event of a data breach.
The NDB scheme has significant application to tax professionals as it covers tax file number (TFN) recipients in relation to their handling of TFN information.
Examples of a data breach may include data or records containing customers' personal information being lost or stolen, a database containing personal information getting hacked, a cyber-attack resulting in personal information being disclosed, and personal information mistakenly provided to the wrong person.
While the TPB does not administer the new provisions, it has announced that tax practitioners who fail to comply with the NDB scheme will face possible sanctions from the body, on top of severe penalties issued by the OAIC.
“If tax practitioners fail to comply with the new NDB scheme there may be implications in relation to the Tax Agent Services Act 2009 (TASA),” the TPB said in a statement.
“Such a failure may be considered by the TPB in determining whether you have breached the TASA, including the Code of Professional Conduct (Code).
“If a practitioner has been incompetent or reckless regarding IT controls, and this has resulted in a breach of confidentiality because of a cyber incident, the TPB may impose one or more administrative sanctions for breach of the Code.”
According to TASA, the TPB may issue a written caution, issue an order, suspend a registration, or terminate a registration, for failure to comply with the Code of Professional Conduct.
Institute of Public Accountants executive general manager Vicki Stylianou said accountants needed to ensure they had robust procedures and systems in place to comply with the new provisions.
“The objective of the legislation is to try and get people to be more proactive about their security and to take their data security more seriously so the IPA is looking from the three perspectives of raising awareness, what your obligations are, and then actually being proactive and doing something about it if you haven’t already,” said Ms Stylianou.