TPB warns on storing client data in the cloud
Advisers should be aware of issues including offshore data storage when using cloud computing systems, the Tax Practitioners Board has warned.
In a discussion paper on the matter, it urges advisers to understand their obligations under the Code of Professional Conduct when using these services.
The regulator has not ruled out the use of cloud computing, but says advisers must consider various factors before signing agreements.
These include terms and conditions concerning liability arrangements; whether the provider can change terms without consultation; data integrity; whether the information is held offshore; and regulatory implications.
The TPB notes advisers are required not to “disclose any information relating to a client’s affairs to a third party without the client’s permission, unless there is a legal duty to do so”.
The paper says entities that maintain data storage are regarded under the code as third parties. But it makes the distinction between encrypted data storage than cannot be read and accessible material. The data must relate to the client only.
The TPB says advisers can use a number of controls to protect data stored on cloud systems, including confidentiality agreements with service providers, encryption, access controls and audit trails.
If an adviser breaches the code, the regulator will issue sanctions including cancelling registration.
TPB Chairman Ian Taylor says cloud computing will continue to evolve and can be beneficial to clients.
“When entering into such arrangements, it is important advisers remain mindful of their obligations under the code,” he said.
Submissions on the paper close on November 28. Mr Taylor says the TPB will hold further discussions based on the feedback, before finalising a practice note.