Shades of client confidentiality: Staying on the right side of the equation

The article is relevant to members in Australia and was current at the time of publication.
Recent high-profile breaches of confidentiality have practitioners reviewing their own confidentiality procedures.
“The rules around confidentiality are strong,” says Neville Birthisel FCPA Policy Adviser, Regulations and Standards, CPA Australia.
“Under subsection 114 of the APES 110, together with Part 3, section 310.11, practitioners are required to keep client information confidential unless they have client permission or are legally or professionally compelled to disclose.”
As firms increasingly adopt AI-enabled software, engage third-party providers and move to anti-money laundering and counter-terrorism financing (AML/CTF) obligations, practitioners face a growing range of confidentiality risks.
Practitioners who breach confidentiality obligations may face disciplinary action from CPA Australia, as well as sanctions from the Tax Practitioners Board (TPB), which is responsible for ensuring compliance with the Tax Agent Services Act 2009 (TASA). Other statutory obligations, such as the Tax Admin Act, have criminal penalties for breaching taxpayer secrecy.
“Practitioners need to ask themselves whether they are compelled to reveal financial information or whether it is simply at their discretion?” says Belinda Zohrab, CPA Australia’s Regulations and Standards Lead.
“Breaching confidentiality can have consequences not only for the practitioner but for the client and the industry.”
Zohrab advises that engagement letters should be reviewed and updated regularly to ensure clients understand how information may be shared.
Here are some common confidentiality pitfalls.
Using AI without disclosure
Failure to disclose AI usage may occur when employees upload a client document to ChatGPT to clarify the tax implications of a transaction.
“This can happen without ill intent, but it is still a breach of APES 110,” says Jodie Smith FCPA, Best Practice Program Manager at CPA Australia.
“Unless your firm is subscribing to a paid AI model with appropriate privacy controls, that data may be [inadvertently] shared.”
Practitioners should also remember that AI functionality is increasingly embedded within everyday software platforms.
“Most now contain some form of AI, for example, Microsoft has Copilot and Google has Gemini, and any option that involves data sharing or machine learning needs to be turned off.
“Firms should also have a clear governance policy covering employee use of AI and disclose to clients what tools form part of their service delivery.”
Confidentiality is a major concern around new technology, she says.
“Additionally, practitioners must review and verify any information generated by AI tools. AI is never accountable for errors – that risk sits with practitioners.”
Birthisel adds that the TPB has released draft guidance on the use of AI by registered tax practitioners.
Everyday interactions that create risks
Confidentiality breaches often occur in everyday interactions rather than formal disclosures, Zohrab says.
“If it’s a small industry, it is not difficult to work out who someone is talking about when confidential details are discussed with a partner, friend or colleague.”
Seeking reassurance from peers can also create risks.
“Bouncing an issue off someone in another firm may seem harmless, but it can be very easy to inadvertently disclose information that should remain confidential.”
Public spaces present another danger.
“Who hasn’t sat next to someone on a flight with their laptop open?” Zohrab says.
“At the office, documents pinned to a wall during a project may be an issue. People forget what is in the background.”
Data and cyber security remain constant risks, she adds.
Disclosing financial information to former owners or family members
Longstanding relationships can sometimes blur professional boundaries.
“In a generational business, a parent may have transferred ownership to the next generation and no longer have a legal interest in the business,” Birthisel says.
“Even if you have known that person for many years, you cannot share information about the business’s financial affairs unless you have authority from the current owner.”
Such disclosures may breach APES 110 and could also raise issues under TASA relating to confidentiality and conflicts of interest.
Another risk arises when a former director, shareholder or family member continues to exert influence after formally stepping away from a business, Birthisel says.
Revealing a Tax File Number without client authorisation
TFNs are among the most sensitive pieces of information handled by tax practitioners.
“A breach of the Privacy (Tax File Number) Rule 2015 and APES 110 can occur if a practitioner shares a Tax File Number (TFN) without the client’s authorisation,” Smith says.
“This could be something as simple as providing a Notice of Assessment to an unauthorised person.”
Because tax practitioners are TFN recipients under the legislation, they can only disclose TFNs in limited circumstances and with appropriate authority. TFNs should not be disclosed through unsecured services such as email.
Using client information for personal gain
If a practitioner learns that a client is considering investing in a start-up and decides to invest personally before the client acts, this is more than a confidentiality issue, Birthisel says.
“It is a breach of integrity, objectivity and professional behaviour under APES 110.”
The TPB Code of Professional Conduct also requires practitioners to act honestly, with integrity and in their clients’ best interests.
Breaching confidentiality around Tranche 2 reforms
The new AML/CTF Tranche 2 reforms, which apply to many accounting services from 1 July 2026, may require practitioners to collect more information about clients, including beneficial ownership and source of funds information.
“Accountants who are now part of the AML/CTF regime will find they have obligations under The Privacy Act 1988,” Zohrab says.
Birthisel describes the reforms as “a massive change for the industry” with significant sanctions.
“For our members who are compliant with APES and TASA, a system of quality management is already in place. But good governance remains critical.”
Reviewing and monitoring your risks and systems helps support practitioners to maintain compliance, adds Smith.
