Your practice and the Notifiable Data Breaches scheme

The Tax Practitioners Board (TPB) holds regular consultative forums, which are attended by Registered Tax Agent Associations such as Tax & Super Australia as well as other various stakeholders. At its latest meeting, the TPB observed that the mandatory Notifiable Data Breaches (NDB) scheme commenced on 22 February 2018 (we reported this in early February).

The Chair of the TPB, Ian Taylor, recommends that tax practitioners review their practices, procedures and systems for securing personal information for adequacy.

It was also noted at the latest TPB consultative forum that a failure to comply with the scheme may be considered in determining whether a practitioner has breached the Tax Agent Services Act 2009. On this point, the TPB says that consideration will be given to each particular circumstances on a case-by-case basis.

The TPB recommends that practitioners should consider, for themselves and their business:

  • taking steps to ensure all security software and controls are up to date, and to remove access for those who no longer require it
  • preparing and/or updating a data breach plan to ensure the ability to respond quickly to suspected data breaches
  • providing training to relevant staff as to any role they may have in responding to data breaches.

The TPB also advises that the Office of the Australian Information Commissioner (OAIC) has continued to release NDB scheme guidance on its website. This includes a useful one-page flowchart that summarises what to do in the event of a data breach (download it here). The OAIC has also published a notification guide that practitioners can access on its website (which is also available in printed form from the above web page).

Ultimately, the OAIC has relevant jurisdiction of the Privacy Act and is responsible for administration of the NDB scheme. However, as pointed out above, the TPB retains the option to de-register or take other disciplinary action should a registered practitioner be found to have failed to comply with the NDB scheme.