It is no secret that public practice firms and their clients are relying on accounting, tax, and audit software more than ever. In fact, many firms now operate in a paperless or semi-paperless environment, which is a big change from just a decade ago. As a result, the amount of data that is stored and transferred electronically is growing exponentially. Of course, much of that data is confidential and susceptible to being hacked or intercepted. Now is the time to consider whether your firm’s policies concerning the protection of your clients’ privacy and confidential information are sufficient.
Transferring Documents via Email
Businesses still rely primarily on email for electronic communication and transfer of data. Recent surveys conducted by various global accounting bodies have found that up to three quarters of the public practice firms surveyed do not encrypt financial statements, tax returns, or other financial information when communicating by email. One survey conducted by CPA Canada that focused on small to medium-sized public practice firms found that 43% of these firms reported having suffered a security breach that affected their business.
Sending confidential information via email has two significant problems. First, information sent via unsecured email is relatively easy to access. Second, it is very easy to accidentally send an email to the wrong person. CPA firms can mitigate some of these risks, however, by using an encrypted email service, as well as by complying with clear firm policies and protocols on transmitting data via email.
Code of Professional Conduct
The CPA profession has specific rules for maintaining client confidentiality. Rule 208 of the Code of Professional Conduct provides clear requirements on registrants (meaning members, registered firms, and students) regarding confidentiality of information. Specifically, Rule 208.3 states that:
A registrant shall:
- take appropriate measures to maintain and protect confidential information of any client, former client, employer or former employer, as the case may be and to ensure that access to such information by another person is limited to those with legitimate purpose to access the information; and
- obtain the written agreement of any such person to carefully and faithfully preserve the confidentiality of any such information and not to make use of such information other than as shall be required in the performance of appropriate professional services.
As you head into tax season, be sure to communicate your firm’s policies on client confidentiality and privacy to your staff, along with the measures you expect them to take to safeguard client information.
The provincial privacy legislation, Personal Information Protection Act, has been in place since January 1, 2004. Members are reminded that the legislation requires all private sector businesses that collect personal information to develop policies on the collection, use, and disclosure of that personal information. For accounting firms, it is appropriate to develop a separate policy for client and for employee information.
To assist members, CPABC has included two sample privacy policies. These two sample policies are provided for illustrative purposes only and are not an official position of CPABC. They are not intended as legal advice nor do we suggest that the use of these sample policies will ensure compliance with the privacy legislation requirements.
These sample policies were based on information in “A Guide for Businesses and Organizations to British Columbia’s Personal Information Protection Act” from the Office of the Information & Privacy Commissioner. This guide is in its 5th publication, which was last updated in October 2015 and can be downloaded here.
For more information on the privacy legislation and a copy of the guide, please visit the Commissioner’s website at: www.oipc.bc.ca.