A warning on hoarding data: Your clients are in danger

This article was current at the time of publication.

Data is widely regarded as the “new gold” because of the wealth of insights it can reveal. But Matthew Prouse, President of the association of Digital Service Providers Australia New Zealand (DSPANZ), believes it’s time to view it as uranium.

“Data is like uranium, because you don't need a lot of it to do a lot of harm, and you want to know that the people who handle it are qualified to do so,” he says. “You also want to know where it is at all times, and you want to have a pathway to store it safely and, ultimately, dispose of it.”

Recent high-profile data breaches at companies like Optus and Medibank in Australia and Latitude Financial in New Zealand illustrate the dangers of hanging on to data that you don’t really need. 

“Professional accounting firms are in a fairly precarious position because, as a general rule, they like to hold on to data,” says Prouse, who adds some accountants are used to retaining paper client data in filing cabinets, rather than digitally. 

How much client data should you hold onto, and for how long? How can you safely get rid of what you no longer need?

Data dilemma

Research from IBM shows the global average cost of a data breach in 2023 was A$7 million. 

“The security risk is real if you hold on to more data than you need,” says Prouse. “There’s also the brand damage that comes with retaining data that you no longer require or retaining data for inactive or non-paying customers.”  

DSPANZ recently released a Data Minimisation & Retention guide, which sets out the record-keeping requirements for taxpayers, tax practitioners and digital service providers (DSPs) who offer software solutions to taxpayers to manage their business and financial affairs. The guide is currently in draft form and open for public comment. 

Prouse notes that DSPs currently don’t have specific legislative or regulatory obligations to retain customer data under Australian or New Zealand tax or employment law. 

“Our paper sets out to establish the minimum and maximum retention periods for the software industry with respect to taxpayer information,” he says. 

“For the past decade, cloud computing has become so cheap, so it’s been easy for everyone to keep everything, but there are serious cyber security concerns that we have to address.”

What data should you keep?

As taxpayers and employers, public practitioners have record-keeping obligations. For example, as a rule, employers must keep employee-related records for seven years, but there are circumstances where records must be kept longer, for example, to calculate long service leave entitlements.

In New Zealand, requirements around data protection are outlined in the Privacy Act 2020, which states that companies must not keep personal information for longer than they actually need it. 

Australian taxpayers typically need to keep their tax returns for five years, while those in New Zealand are required to keep them for seven years. 

The Australian Securities and Investment Commission (ASIC) requires Australian Financial Services Licensees, who provide personal advice to retail clients, to keep records for at least seven years from the day after the advice was provided.

Prouse notes that tax practitioners in Australia have no additional client record-keeping requirements under the Tax Agent Services Act 2009, but it’s recommended that they keep copies of signed “authority to lodge” documents for insurance and compliance purposes. 

The Tax Practitioners Board also requires tax practitioners to keep a record of client proof-of-identity checks for at least five years after the engagement with a client ends. However, Prouse says they only need to keep a record of conducting these checks and should not store originals or copies of identity documents.

“The current law and policies make very clear that it’s the taxpayer’s obligation to keep records, not the tax agent,” says Prouse. 

“It is only the role of the tax agent to effectively retain enough documents to confirm that they were engaged to prepare and submit the tax returns. They don’t have to keep all of the evidence behind the work.”

Disposing of old data

Depending on the amount of unnecessary data you hold, data erasure software, such as BitRaser File Eraser or Blancco Data Eraser, can be used to delete it in a secure way.

Before disposing of data that you don’t need, Prouse recommends developing data hygiene processes.

“This includes disposing of data as part of a change-management process,” he says. “When you offboard a customer from one piece of software to another, for example, you should export the tax records that you need from the old system. Then, once you've got the information that you must have, you then follow the processes provided by the software vendor to remove the historical data and delete your account.”

Prouse says it’s important to choose reputable software vendors with clear data retention and deletion policies as part of their terms and conditions. Software providers who are required to comply with international data security standards like ISO 27001 or the European Union’s General Data Protection Regulation (GDPR) must have a data management process in place.

“Any software company governed by these standards and regulations must have a data deletion process, which is audited and verified as part of the process,” says Prouse.

Data hygiene processes also extend to deleting emails that you don’t require.

“You don't need 20 years of email,” says Prouse. 

“Data is highly valuable, and the bad guys are looking for it. Stealing identities is much easier when people leave old, inactive systems running. When staff members leave and you don't delete their accounts properly and reset passwords, malicious third parties could use them to access information. 

“To be safe, hold on to the minimum amount of data that your practice needs to do its job,” adds Prouse. “That's the maximum amount of data you should retain and keep it for as little time as possible.”

For more insights and resources visit CPA Australia's cyber security hub.