In brief – Make sure any cloud based service you use complies with security and privacy requirements

If you are an accountant considering using a cloud based service to store your client and business data, you should ensure that the provider’s service complies with your clients’ requirements regarding security measures, as well as with all legal requirements, including those imposed by privacy laws.

Cloud-based accounting systems can increase efficiency

The collection of personal and other data from clients is a core component of any accountant’s business. Effective management of collected data is key to producing on time, on budget results. 
Data storage providers including Xero, MYOB, Google and Microsoft offer cloud computing accounting and data management services that offer their accountant customers a hosted environment where their business data can be accessed by all relevant staff in their business, from any location. These cloud services allow both client and accountant to access, update and revise files at the same time. 
Cloud-based accounting systems can increase efficiency by allowing uploads or “live feeds” of bank account and other business data into the accounting stream. As maintenance and support of the cloud based service is handled by the service provider, businesses can have greater confidence that the software programs holding their data will be available around the clock, every day of the year.

Legal considerations related to use of cloud-based services

There are a few important legal considerations to bear in mind when evaluating whether using cloud based service providers is appropriate for your accounting practice. 
First and foremost will be the terms of service offered by the cloud based provider. Careful review of the terms of service and pricing tariffs for those services is mandatory to provide assurance that your business will receive the functionality and data availability that you and your clients expect at an appropriate cost. 
Equally important is whether the service provider offers a service that complies with your client requirements regarding effective security measures, as well as with all legal requirements, including those imposed by privacy laws.

Consent to transfer personal information outside Australia - compliance with privacy legislation

The new privacy laws, the Privacy Amendment (Enhancing Privacy Protection) Act 2012, amend the Privacy Act 1988 and amongst other changes, introduce the Australian Privacy Principles (APPs) which replace the previous National Privacy Principles and Information Privacy Principles. 
Like the prior legislation, the new APPs impose new requirements for the collection and management of personal information in Australia. In addition to revisions of consents required to collect and transfer personal data, new obligations are imposed when businesses expect to transfer personal data outside Australia. 
If your business uses cloud computing services, you should review and confirm that your privacy and data security policies comply with the new legislation, as nearly all cloud computing services will use assets outside Australia to provide all or part of their services. 
Your agreements with your clients may require you either to maintain data only in Australia or to nominate countries where data may be held. These requirements may be impossible to meet due to the nature of some online services.

Security and data control requirements

Your business should ensure and your clients will expect that you will hold all client information in a safe and secure environment. The danger posed by hacking and other malicious and unauthorised access to your data is great. Careful attention must be paid to the security offered by the cloud service provider.
Accountancy practices are well advised to adopt rapid response procedures in the event of actual or suspected unauthorised access to their customer data. Where data is held by third parties such as cloud providers, your agreement with those providers should clearly define steps to be taken to address any such occurrence.

This article first appeared in the June/July 2014 edition of Public Accountant magazine.

This is commentary published by Colin Biggers & Paisley for general information purposes only. This should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision. The content also is subject to change. A person listed may not be admitted as a lawyer in all States and Territories. © Colin Biggers & Paisley, Australia 2024.

Related Articles