Data breach guidance for tax professionals

Data breaches and client protection

Tax professionals who experience a data breach may discover that their clients' identities have been stolen and that refund fraud has been committed in their clients' names.

A data breach occurs when confidential taxpayer information has been accessed by an unauthorized third party.

If you have experienced a breach we recommend the following actions:

  • Contact us as soon as practicable on 1800 467 033 Monday to Friday.

  • Review the guidance material on the Office of the Australian Information Commissioner (OAIC) website.

  • Inform impacted clients and staff of the data breach.

  • Contact your software provider (if you suspect the breach may have originated in one of their service offerings).

  • Consider what information was accessed during the breach and take steps to safeguard this where necessary.

  • Take steps to secure the information in your business by ensuring all security software and controls are up to date.

  • Review systems access and remove it for people who no longer require it.

  • Continue to follow security best practice.

How will we protect clients affected by a data breach?

We protect the privacy of client records by our proof of record ownership processes.

Treatment options

Additional proof of identity

We may issue an alert to our staff requiring them to seek additional proof of record ownership from your client.

The requirement will apply when your client interacts with us. The alert prompts our staff to ask additional questions when validating your client’s identity.

Asking questions only the genuine client will know assures us we are dealing with the actual client, and not an unauthorized third party.

Your client may also elect to have a secret password created on their ATO record. Secret passwords validate a client’s identity when they deal with us.

If a client fails to establish proof of identity with us, we will ask them to attend one of our shopfronts to supply full proof-of-identity documentation or complete a tax file number inquiry form on the Australia Post website.

Additional monitoring processes

If we identify any irregular activity, we may contact you or your client to ensure the activity is legitimate. This may delay our processing of income tax returns and other forms.

Additional security measures

We may also apply additional security measures within our systems. These measures prevent particular activity where we perceive increased risk to clients, government revenue or both. What this means for your client:

  • the client record may not be accessible through our online channels or myGov

  • pre-fill data may not be available

  • we may prevent business activity statements from issuing automatically; you or your client will need to contact us before each lodgment so we can generate these statements.

  • we may stop income tax returns and other forms for verification; this may delay our processing of these forms.

Appointment of a data breach manager

In some cases we may assign a data breach manager who will assist you in the management of data breaches within your practice.


For the latest advice, information and resources, go to

Feel free to contact us at or (08) 9345 0499.
