The Tax Practitioners Board (TPB) has released a practice note which deals with cloud computing and the way tax practitioners can ensure they are able to still adhere to the Code of Professional Conduct. TPB practice note practitioners, cloud computing and the code of conduct Agreements between users of cloud computing services are as variable as the businesses involved, which has led the government to the realisation that the ongoing adoption of cloud-based business solutions has brought with it a need for a whole-of-government approach to the issues that can surface. The TPB paper is part of the ongoing efforts initiated by government agencies.

The TPB says that when entering into cloud arrangements, various factors will need to be considered, depending on the nature of the particular cloud arrangement and also the circumstances of the registered tax practitioner. However, as a starting point, the TPB says registered tax practitioners may wish to consider a number of general factors including:

what are the details of any limitation of liability arrangements (for example, clauses contained in the terms and conditions of the cloud provider agreement(s) or terms of use)?whether the provider is allowed to unilaterally change relevant terms of the agreement (that is, without input from the registered practitioner), including in relation to how or where data is stored or managed?how is the information being transferred between systems and data integrity being maintained?how is the information being stored?whether information is being held offshore (that is, information that is stored or processed in equipment not located in Australia) and, if so, the consequences (including relevant additional legislative and regulatory requirements that the information may be subject to)?what processes does the cloud provider have in place in relation to the backup and archiving of information (such as multiple backup servers)?what security controls are the registered practitioner and provider responsible for (such as issues around passwords, encryption and backups)?what protections are in place to prevent service access being disrupted?what processes are in place for managing and resolving disputes in relation to access to client information?what processes are in place when the arrangement ends (including, for example, the return of or access to data held in the cloud)?

Concerning the Code of Professional Conduct, the TPB says practitioners need to be mindful of item six of the code, which provides that a registered practitioner must not disclose any information relating to a client’s affairs to a third party without the client’s permission, unless there is a legal duty to do so.

The TPB says a third party is any entity other than the client and the registered practitioner — this includes entities that maintain offsite data storage systems (including “cloud storage”), recognising that there is a distinction between data storage that a third party cannot effectively access (for instance, through the use of encryption) and disclosure to a third party.

The TPB says it is important to remember that it is only necessary that the information relates to the affairs of a client. Therefore, the information does not have to belong to the client, or have been directly provided by the client to the registered practitioner.

The Practice Note says registered practitioners must obtain permission from each client before divulging client information to a third party (including cloud service providers). It says client permission may be by way of a signed letter of engagement (refer to the TPB information sheet Letters of engagement), signed consent, or other communication such as a relevant “fact find” and consent.

The Practice Note is based on the Tax Agent Services Act 2009. It is also available as a PDF to download (337 KB).

#[code of conduct], [practicing accountant], [registered BAS agent], [tax agent regime], [tax agents], [tpb]