The Tax Practitioners Board Code of Conduct on Client Data
The TPB's Code of Professional Conduct includes specific obligations on client data confidentiality. Here's what every registered agent needs to know.
The Tax Practitioners Board's Code of Professional Conduct is binding on every registered tax agent and BAS agent in Australia. It includes specific obligations around client data and confidentiality that every practitioner needs to understand.
The relevant sections
The Code is structured around five principles: honesty and integrity, independence, confidentiality, competence, and other responsibilities. The confidentiality obligations are under Principle 3.
Specifically, the Code requires that tax practitioners:
- Do not disclose client information to third parties without the client's permission (or legal compulsion)
- Take reasonable care to maintain the confidentiality of client information
- Ensure that agents, employees, contractors, and other persons who handle client information on their behalf are subject to appropriate obligations
What "reasonable care" means in practice
The Code doesn't specify technical controls. "Reasonable care" is measured against current professional standards. The TPB's guidance is that you should implement controls proportionate to the sensitivity of the information and the risk of unauthorised access.
In 2026, a TPB investigator assessing a confidentiality breach would likely consider:
- Did the firm have access controls on sensitive documents?
- Were team members trained on secure handling?
- Were there audit trails showing who accessed what?
- Were departing staff properly offboarded?
- Were third-party subcontractors bound by confidentiality obligations?
The third-party problem
The Code makes you responsible for third parties you engage — bookkeepers, software vendors, offshore preparers, outsourced admin. If your data is processed by a company in Manila, and that company has a data breach, you're still on the hook for the confidentiality failure. This is why your engagement with any third party handling client data needs specific confidentiality terms and ideally evidence of their own controls.
Disciplinary consequences
A confidentiality breach can result in: a caution, a requirement to take specific action, a suspension, or termination of registration. In serious cases, the TPB can publish the disciplinary outcome on its public register. For a professional whose livelihood depends on their registration, this is material risk.
Practical steps for compliance
The practical steps to demonstrate "reasonable care" are well understood. Move client document sharing off email and onto a controlled platform. Enable two-factor authentication on all practice management accounts. Review staff access quarterly. Document your policies. Train the team. Log access to sensitive files. None of this is expensive or difficult, and all of it is what the TPB expects to see if a complaint is ever investigated.
This isn't legal advice. For specific guidance on your situation, contact the TPB or your professional association.