The Tax Practitioners Board (TPB) has finalised guidance on the “supervisory arrangements requirements under the Tax Agent Services Act 2009 (TASA)”. The TPB’s draft guidance was released for public consultation on 31 May 2021.

The TASA requires all partnership and company entities to meet the ‘sufficient number’ requirement. The guidance will assist these entities to understand what this requirement means and what they need to do to meet this requirement.

The guidance includes helpful measures that will assist tax practitioners to ensure they have adequate supervisory arrangements in place, including where remote work arrangements exist. Tax practitioners can also apply these measures in franchise arrangements to ensure effective supervision is provided.


Registered tax practitioners already have obligations to protect TFN information under the Privacy (Tax File Number) Rule 2015 and the Taxation Administration Act 1953.

A failure by a tax practitioner to comply with the Notifying Data Breaches (NDB) scheme may be considered by the TPB in determining whether they have breached the Tax Agent Services Act 2009 (TASA), including the Code of Professional Conduct (Code). Item 6 of the Code (about confidentiality) requires that a registered tax agent must not disclose information relating to a client’s affairs to a third party without the client’s permission or without a legal duty to do so.

If a registered tax agent has been incompetent or reckless regarding IT controls, and this has resulted in a breach of confidentiality because of a cyber incident, the TPB may impose one or more administrative sanctions for breach of the Code.

The TPB recommends all tax practitioners review their practices, procedures and systems for securing personal information to comply with NDB scheme. The TPB recommends that you consider:

  • reviewing current information security practices, procedures and systems to ensure they are adequate, including taking steps to ensure all security software and controls are up to date, and to remove accesses from people who no longer require these accesses;
  • preparing a data breach response plan (or updating a current plan) to ensure the ability to respond quickly to suspected data breaches;
  • providing training to relevant staff as to any role they may have in responding to data breaches.