Data breach notification laws came into effect on February 22, and they require agencies, organisations and certain other entities to provide notice to the Office of the Australian Information Commissioner (OAIC) and affected individuals of a data breach.
Entities that are already covered by the Privacy Act must comply with the new scheme. This includes Australian Privacy Principle (APP) entities, as well as tax file number (TFN) recipients to the extent that TFN information is involved in a data breach.
Since the laws came into effect, tax agents have been hit with warnings from the regulators about the potential penalties for non-compliance with the new rules. For example, the Tax Practitioners Board (TPB) released guidance last month announcing that tax practitioners who failed to comply with the NDB scheme could face possible sanctions from the body.
Senior tax adviser at the IPA, Tony Greco, would first like to see more official and practical guidance handed to tax agents before they are hit with major “ad dramatic” warnings.
“Accountants need to be told, in black and white, what is reasonable and what they need to do,” Mr Greco told SMSF Adviser.
“The penalties are there for good reason, but our members need to be told how to avoid getting there in the first place,” he said.
Consistent with messaging from industry and the regulators, Mr Greco’s sense is that those captured by the laws are in “catch up mode” as they come to grips with the enormity of cyber security in practice management.
“Most people need to be aware that a cyber breach is now a case of when, not if,” Mr Greco said.