The TPB has prepared a practice note to give registered tax practitioners practical guidance and assistance in understanding the TPB’s position on the use and disclosure of TFNs and TFN information in email communications.
TFNs and TFN information are protected by obligations under the Privacy Rule 2015 and the Privacy Act 1988, as well as the Australian Privacy Principles.
While the TPB points out that the inclusion of a client’s TFN in an email by a registered tax practitioner does not necessarily give rise to a breach of a law, if the practitioner has not taken reasonable steps to safeguard the TFN information, they could find themselves in breach of obligations under the Privacy Act and TFN Rule.
As such, the TPB sets out a non-exhaustive list of measures tax practitioners can take to protect TFN information.
These include restricting access by staff who are not required to handle such information and implementing information and communication technology (ICT) security measures, such as sending such information as an encrypted or password-protected attachment.
The TPB also recommends that registered tax practitioners install and maintain anti-virus software on workplace computers; protect client records or files, using encryption where possible; and regularly change passwords.
According to the OAIC’s Notifiable Data Breaches Report for January-June 2020, 17 per cent of data breaches involved TFNs, 34 per cent of data breaches were due to human error, and the top five industry sectors for human error included accounting and management services.
The TPB’s draft practice note is now open for feedback.