The Tax Practitioners Board Code of Conduct on Client Data
The TPB's Code of Professional Conduct includes specific obligations on client data confidentiality. Here's what every registered agent needs to know.
The Tax Practitioners Board's Code of Professional Conduct is binding on every registered tax agent and BAS agent in Australia. The 2024 amendments to the Tax Agent Services Act 2009, and the Code determination that took effect on 1 August 2024, expanded the confidentiality and recordkeeping obligations, and the TPB's enforcement appetite has visibly increased. Every practitioner, including small accounting firms that previously assumed the Code was written for the big four, needs to understand what is actually required.
The relevant sections
The Code is structured around five principles: honesty and integrity, independence, confidentiality of client information, competence, and other responsibilities. The confidentiality principle is Item 6 of the Code (section 30-10 of the Tax Agent Services Act 2009), and the 2024 Code determination, which took effect on 1 August 2024, added further obligations around how client information and records are handled.
Specifically, the current Code requires that tax practitioners:
- Do not disclose information relating to a client's affairs to a third party without the client's permission, unless there is a legal duty to do so (Item 6).
- Take reasonable care to maintain the confidentiality of client information. The Code does not list controls; the TPB assesses this against current professional practice.
- Ensure that employees, contractors, offshore preparers and anyone else who handles client information on the practitioner's behalf are bound by appropriate confidentiality obligations.
- Keep proper client records and be able to produce them on request (the recordkeeping obligation introduced by the 2024 amendments).
What "reasonable care" means in 2026
The Code doesn't specify technical controls — "reasonable care" is measured against current professional standards. But the TPB's enforcement record makes the operational expectation increasingly clear. A TPB investigator assessing a confidentiality breach would consider, at minimum:
- Did the firm have access controls on documents containing sensitive client information?
- Were team members trained on secure document handling, and is that training documented?
- Were there audit trails showing who accessed what, and do those trails survive deletion of the underlying document?
- Were departing staff properly offboarded with timely access revocation?
- Were third-party subcontractors (offshore preparers, bookkeepers, software vendors) bound by appropriate confidentiality obligations in writing?
- Did the firm respond appropriately when something went wrong — preserving evidence, notifying affected clients, taking remedial action?
In 2018, defending these questions with "we tried our best" was sometimes enough. In 2026, the bar has moved. Encrypted, audit-traceable, access-controlled document sharing platforms are widely available at SMB pricing, and a TPB investigator asking why the firm wasn't using one is a question the firm should expect.
The third-party problem (the most common Code breach)
The Code makes you personally responsible for the conduct of third parties handling client information on your behalf — bookkeepers, software vendors, offshore tax-return preparers, outsourced admin. If your data is processed by a company in Manila and that company has a breach, you (the registered agent) are still on the hook for the confidentiality failure.
This is where the TPB's enforcement actions have been concentrating. Practical implications:
- Every engagement with a third party handling client data needs specific confidentiality terms in writing.
- Ideally you also hold evidence of the third party's own controls (their privacy policy, access controls, audit logging and breach notification commitments), not just their signature on your terms.
- If you use an offshore preparer, you also pick up the APP 8 cross-border disclosure obligations under the Privacy Act on top.
- "We just use them, we don't know what they do with the data" is not a defence. Demonstrable oversight is required.
The expanded recordkeeping obligation (post-2024)
The 2024 amendments added a new obligation requiring registered agents to maintain client records in a form that allows the agent to comply with their obligations under the Tax Agent Services Act, and to provide those records to the ATO on request. In practice this means:
- Engagement letters, signed authority documents, and TFN declarations must be retrievable.
- Lodgement working papers (the calculations behind each return) must be retained.
- Email correspondence relating to tax positions counts as a record and must be retrievable.
- The retention period aligns with the underlying ATO retention obligation — generally five years, but extended for CGT, depreciation, and trust records (see our tax record retention guide).
Disciplinary consequences
A confirmed Code breach can result in:
- Caution. Recorded against the practitioner's registration but not necessarily public.
- Order to take specific action. Remediation requirements with a deadline, often with reporting back to the TPB.
- Suspension of registration. Practitioner cannot provide tax agent services for the period of suspension. For a firm whose revenue depends on registered agents, this is operationally devastating.
- Termination of registration. Removal from the register. The practitioner cannot reapply for a defined period.
- Public disciplinary register. In serious cases, the TPB publishes the outcome with the practitioner's name on the public register. Clients searching the register before engagement will see it.
The 2024 amendments also strengthened the TPB's investigative powers and removed some prior procedural protections, so the practical risk of an investigation escalating has gone up.
Common mistakes (and how the TPB sees them)
- Emailing client documents to personal addresses for "weekend work." The personal account is outside your firm's controls, so there is no audit trail of what happens to the document next, and you've created a copy you can neither account for nor revoke.
- Cloud storage configured without per-document access logging. A folder-level share to an entire team means you can't prove who accessed any specific document. The TPB investigator will read this as inadequate "reasonable care."
- Offshore preparer relationships without written confidentiality terms. Particularly common in BAS work. If the offshore provider breaches, you face dual exposure — TPB Code breach AND APP 8 cross-border disclosure.
- No staff offboarding procedure. Departed staff with still-active access to client systems is one of the easiest findings for an investigator to make, and the TPB's enforcement record reflects that.
- Treating confidentiality as a compliance afterthought. The TPB's published expectations now include having a written information-security policy. Not having one is itself evidence of failure to take "reasonable care."
Practical steps for demonstrable compliance
The practical steps to demonstrate "reasonable care" in 2026 are well-understood and getting cheaper every year:
- Move client document sharing off email. A purpose-built data room means external sharing happens through authenticated, logged, revocable sessions — not email attachments with no audit trail.
- Enable multi-factor authentication on everything. Practice management systems, email, cloud storage, the data room itself. Prefer phishing-resistant methods (passkeys or hardware security keys) over SMS codes for anyone with admin or bulk-download rights.
- Quarterly access review. Export the list of who has access to sensitive folders, revoke anything stale, and keep the export and the list of revocations as the evidence that the review happened.
- Written information-security policy. Two pages, named owner, last-reviewed date. Updated annually.
- Confidentiality terms in writing with every third party. Bookkeeper, software vendor, offshore preparer, virtual assistant — all in scope.
- Audit trail on every access. When a complaint is investigated, "we can show you exactly who accessed this document and when" is a dramatically stronger position than "we don't keep that level of detail."
- Australian-resident storage for client information. Keeping the data onshore takes the storage provider out of the APP 8 picture. APP 8 is about disclosure to overseas recipients, though, so offshore preparers or support staff who can still access the data bring it straight back in.
How ShareAndGo helps
ShareAndGo was built with the TPB's "reasonable care" expectations in mind. Sydney-resident storage by default, per-document audit trail that's tamper-evident (SHA-256 hash-chained), email-first recipient access without giving the recipient an admin account in your systems, automatic access expiry, and a workspace structure that mirrors how accountants think about engagements.
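The page leans on two properties of an audit trail, that it survives deletion of the underlying document and that it is tamper-evident through SHA-256 hash chaining, without showing how the chaining works. The following is an illustrative example added to this page, not ShareAndGo's code: each log entry commits to the previous entry's hash, its position and its content, so editing or removing an entry breaks the chain at that point, and a head hash kept out of band catches an attacker who rewrites the whole tail. Field names, the `verify()` return convention and the sample access events are constructed for the illustration.

```python
"""Tamper-evident access log via SHA-256 hash chaining.

Illustrative example added to this page; it is not ShareAndGo's implementation.
Each entry commits to the previous entry's hash, so altering or deleting any
entry breaks the chain. Field names and sample events are constructed.
"""
import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # the hash the first entry chains to


def _canonical(obj) -> bytes:
    # Deterministic serialisation: key order and whitespace must not change the hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_hash(prev_hash: str, seq: int, event: dict) -> str:
    # Commit to the predecessor, the position in the log and the event content.
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(_canonical({"seq": seq, "event": event}))
    return h.hexdigest()


def append(log: list, event: dict) -> dict:
    """Append an access event to the chain and return the stored entry."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "prev_hash": prev, "event": event,
             "hash": entry_hash(prev, seq, event)}
    log.append(entry)
    return entry


def head_hash(log: list) -> str:
    # The value to export to separate storage (e.g. daily) as an anchor.
    return log[-1]["hash"] if log else GENESIS


def verify(log: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry.

    With expected_head (a head hash recorded out of band), a chain that is
    internally consistent but ends on a different hash is reported as len(log).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev_hash") != prev:
            return i
        if entry_hash(prev, i, entry.get("event")) != entry.get("hash"):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None


def build_sample_log() -> list:
    """Constructed sample events: a workpaper is viewed, downloaded, then deleted.
    The trail outlives the document because the delete is itself an entry."""
    log = []
    doc = "eng-0412/2025-ITR-workpapers.xlsx"
    append(log, {"ts": "2026-03-02T09:14:05Z", "actor": "j.nguyen", "action": "view", "doc": doc})
    append(log, {"ts": "2026-03-02T09:15:40Z", "actor": "j.nguyen", "action": "download", "doc": doc})
    append(log, {"ts": "2026-03-09T16:02:11Z", "actor": "admin", "action": "delete", "doc": doc})
    return log


def demo_tampering() -> dict:
    """What verify() reports for an intact log and three tampered copies."""
    log = build_sample_log()
    head = head_hash(log)  # in practice, exported to storage the log writer cannot modify

    edited = copy.deepcopy(log)
    edited[1]["event"]["actor"] = "someone.else"  # rewrite who downloaded

    removed = copy.deepcopy(log)
    del removed[1]  # drop the download entry entirely

    # Full rewrite: attacker recomputes every hash after the edit.
    rewritten = copy.deepcopy(log)
    rewritten[1]["event"]["actor"] = "someone.else"
    rewritten[1]["hash"] = entry_hash(rewritten[1]["prev_hash"], 1, rewritten[1]["event"])
    rewritten[2]["prev_hash"] = rewritten[1]["hash"]
    rewritten[2]["hash"] = entry_hash(rewritten[2]["prev_hash"], 2, rewritten[2]["event"])

    return {
        "intact": verify(log, head),                        # None
        "edited": verify(edited, head),                     # 1
        "removed": verify(removed, head),                   # 1
        "rewritten_without_anchor": verify(rewritten),      # None: internally consistent
        "rewritten_with_anchor": verify(rewritten, head),   # 3: head hash mismatch
    }


if __name__ == "__main__":
    print(demo_tampering())
```

The last two results are the practical caveat: hash chaining alone only proves the log is self-consistent. Anyone who can write to the log can rewrite the tail and recompute the hashes, so the head hash has to be copied somewhere the log writer cannot alter (a separate account, a write-once bucket, or a periodic signed export) for "tamper-evident" to mean anything to an investigator.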
For accounting firms specifically we've documented the workflow end-to-end. /use-cases/tax-audit walks through an ATO-facing example. Our piece on small firms adopting VDRs covers the practical adoption pattern.
This isn't legal advice. For specific guidance on your firm's situation, contact the TPB directly (tpb.gov.au) or your professional association.