We asked the TPB to advise and clarify the Agents' obligations. Extracts below.
“We are seeking some clarification from the TPB on various comments that seem to have been made about Data Breaches.
There is an expectation that the TPB expects Agents to notify the TPB if they suffer a Data Breach. It seems to have been linked to the concept that a Data Breach would align with a breach of the Code requirement as to confidentiality.
We do wonder about the materiality level and also the consequence of such a breach.
When an agent suffers a Breach:
- At what point should they advise the TPB?
- How should they advise the TPB?”
From Ian Taylor, chair of the TPB
“The TPB has never at any stage of the discussion on the NDB scheme indicated that we expect notification to us.
Our role has been and will continue to be to make Agents aware of the new rules and their obligations.
What we have said is that if an Agent was in breach then the TPB may have to consider whether there might be a Code breach, etc., regarding confidentiality and competent service.
We have also highlighted that if an Agent took all reasonable precautions to protect and guard against data breach we would be unlikely to apply any sanction.”
If an agent has had a data breach and TFNs are compromised, then the ATO is to be informed;
any other notifiable data breach is to be reported to the OAIC under the NDB scheme.
There is no obligation to notify the TPB!
The only reason the TPB would get involved is if a complaint was made against the agent.
An Agent does need to comply with TPB requirements:
- ensure confidentiality procedures are in place
- you may have to respond to a TPB investigation if someone complains about you