You now need to take extra care to safeguard the unauthorised disclosure of a client's tax file number (TFN).
On 22 February 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) will take effect to introduce a new notifiable data breach scheme (NDB Scheme) which applies to any entity that holds TFNs and other personal identifier information.
What are the new laws?
Under the NDB Scheme:
- if there is a data breach that is likely to result in serious harm, you must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals;
- unless the data breach can be remedied in circumstances where there is no unauthorised disclosure of TFNs it will be deemed to result in serious harm;
- if you suspect that you may have experienced a data breach, you must quickly assess the situation to decide whether to notify the OAIC;
- the OAIC has wide powers to investigate compliance; and
- a failure to comply may result in fines of up to $2.1 million for corporations and $420,000 for other entities.
What should you do?
Some specific tips to comply with the NDB Scheme include to:
- review and update your policies and procedures for protecting TFNs and other personal information (this will help you if a data breach happens and the OAIC investigates);
- appoint a person (or team) to manage any incident response;
- document a data breach response plan, including guidelines around making a notification;
- review your contractual arrangements where other parties handle TFNs or personal information.
If you use overseas employees to help prepare tax returns, you must use extreme caution and vigilance to ensure the protection of TFNs and personal information.