Cloud accounting has transformed how bookkeepers work — but uploading client financial data to third-party platforms introduces data security obligations under Australian privacy law that go well beyond choosing a strong password, and the consequences of a breach can include mandatory disclosure to regulators and affected clients.
This post covers the Privacy Act obligations most relevant to bookkeepers, what the Notifiable Data Breaches scheme requires, and the data residency questions you should be asking before choosing a cloud platform.
The Privacy Act and Bookkeeping Practices
The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply to organisations with an annual turnover of more than $3 million, as well as to businesses of any size that provide health services, trade in personal information, or are a contracted service provider to a government agency.
Many bookkeeping practices fall below the $3 million threshold. However, there are two important qualifications:
- Voluntary opt-in: Businesses below the threshold can voluntarily opt in to Privacy Act coverage — and some clients (particularly government agencies, health sector clients, or large corporates) require their service providers to be Privacy Act compliant as a contractual condition.
- State privacy legislation: Several state jurisdictions have their own privacy frameworks that may apply regardless of turnover. Businesses in the ACT, NSW, and Victoria that handle government data may be covered.
Even if the Privacy Act does not apply to your practice directly, the cloud platforms you use to store client financial data (accounting software, document management, email) are almost certainly covered — and their obligations flow through to your practice via their terms of service.
Treat the APPs as best-practice minimum standards regardless of whether strict legal compliance is required. APP 11 (Security of Personal Information) requires taking reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. For a bookkeeping practice, this means:
- Strong, unique passwords and multi-factor authentication on all cloud platforms
- Role-based access controls limiting who can see which client data
- Secure disposal of electronic records when retention periods expire
- A documented incident response procedure
The Notifiable Data Breaches Scheme
Part IIIC of the Privacy Act establishes the Notifiable Data Breaches (NDB) scheme, which came into effect in February 2018. Under the scheme, organisations covered by the Privacy Act must notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm.
What triggers the notification obligation?
A notifiable data breach occurs when:
- There is unauthorised access to, or disclosure of, personal information held by the entity (or information is lost in circumstances where access is likely)
- A reasonable person would conclude that the breach is likely to result in serious harm to any of the individuals whose information was involved
- The entity has not been able to prevent the likely risk of serious harm through remedial action
For bookkeepers, client financial data — including ATO records, payroll data, bank account details, tax file numbers, and business financial statements — is exactly the kind of information that, if disclosed without authorisation, is likely to cause serious harm. Identity theft, financial fraud, and reputational damage to clients are foreseeable consequences of a financial data breach.
What bookkeepers must do if a breach occurs:
- Assess the breach promptly: You have 30 days from becoming aware of a potential breach to determine whether it is a notifiable data breach. Failure to assess within 30 days or to notify when required can itself be a breach of the Privacy Act.
- Notify the OAIC: Notify the Information Commissioner using the data breach notification form on the OAIC website. The notification must include the nature of the breach, the types of information involved, and the steps taken in response.
- Notify affected individuals: Notify affected clients as soon as practicable, including a description of the breach, the kinds of information involved, and recommended steps the individual should take. This notification must be direct (email, letter, or phone) — a notice on your website is not sufficient.
- Document the response: Maintain a record of what happened, when you became aware, what assessment was done, and what notifications were made. This is required under APP 11 and protects you in the event of regulatory scrutiny.
If you are not directly covered by the Privacy Act but use cloud platforms that are, you may still have contractual obligations to notify the platform provider and assist in their breach response. Check your service agreements.
Data Residency: Where Is Your Client Data Stored?
Data residency refers to the geographic location where data is physically stored on servers. For Australian bookkeepers, data residency matters for two reasons:
Privacy Act APP 8 compliance: When personal information is sent offshore (including to cloud servers located outside Australia), the Privacy Act requires you to take reasonable steps to ensure the overseas recipient does not breach the APPs. This effectively means confirming the overseas jurisdiction has comparable privacy protections, or obtaining the individual's consent to the transfer.
ATO and regulatory data: The ATO does not prohibit the use of overseas-hosted software, but it requires that tax records be accessible in Australia for inspection. If your cloud provider suffers an outage or becomes insolvent, your ability to produce records for the ATO must not be impaired.
Questions to ask your cloud accounting provider:
- In which country or countries is our data stored?
- Can we opt in to Australian-only data residency?
- What happens to our data if we terminate the subscription?
- What are the provider's notification obligations in the event of a breach affecting our data?
Most major Australian cloud accounting platforms (including Xero and MYOB) offer Australian data residency options or host data primarily in Australian data centres. For document management tools, practice management software, and communication platforms, data residency is often less transparent — check the privacy policy and service agreement.
Practical Security Measures for Cloud Bookkeeping Practices
Multi-factor authentication (MFA): Enable MFA on every cloud platform that holds client financial data. A compromised password without MFA is sufficient for an attacker to access years of client financial records. Many major accounting platforms now make MFA mandatory — do not disable it.
Least-privilege access: Grant staff only the permissions they need to do their job. A junior bookkeeper processing payroll does not need access to client tax returns or BAS history. Review and revoke access when staff leave.
Regular access audits: At least quarterly, review who has access to each client's data in your cloud platform. Remove former employees, contractors who have completed their work, and any accounts that are no longer recognisable.
Incident response plan: Document what you will do if you discover a data breach. Who is your first call? Who handles notification? What records will you create? A written plan reduces the chance of a panicked and non-compliant response.
Client data inventory: Know what personal information you hold, where it is stored, and how long you are required to keep it. This inventory is the foundation of both your retention policy and your breach response capability.
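As an added illustration of the MFA, least-privilege and quarterly access-audit points above (example code, not from the original post or any accounting platform), this Python script reviews a cloud platform's user export against the practice's staff roster and lists what needs action. The export field names, the role-to-module mapping and every account in it are constructed assumptions; real platforms export different fields, so adapt the parsing rather than the checks.

```python
from datetime import date

# Which product areas each role legitimately needs (assumed, practice-defined):
# a payroll-only bookkeeper should not hold tax return or BAS access.
ROLE_ALLOWED = {
    "payroll": {"payroll"},
    "senior": {"payroll", "bas", "tax_returns"},
    "admin": {"payroll", "bas", "tax_returns", "user_admin"},
}

# Constructed platform user export (hypothetical field names and accounts).
PLATFORM_USERS = [
    {"email": "alice@example.com", "role": "payroll", "mfa": True,
     "modules": {"payroll", "tax_returns"}, "last_login": date(2024, 6, 20)},
    {"email": "bob@example.com", "role": "senior", "mfa": False,
     "modules": {"payroll", "bas"}, "last_login": date(2024, 3, 1)},
    {"email": "temp@contractor.example", "role": "payroll", "mfa": True,
     "modules": {"payroll"}, "last_login": date(2024, 2, 1)},
    {"email": "legacy@example.net", "role": "admin", "mfa": False,
     "modules": {"payroll", "bas", "tax_returns", "user_admin"},
     "last_login": date(2023, 10, 3)},
]

# Constructed HR roster: employment status of every person the practice knows.
ROSTER = {
    "alice@example.com": "active",
    "bob@example.com": "active",
    "temp@contractor.example": "engagement_ended",
}

REVIEW_DATE = date(2024, 7, 1)  # date the quarterly review is run (assumed)

def review_access(users, roster, today, stale_days=90):
    """Return (email, finding) pairs; an empty list means nothing to action."""
    findings = []
    for u in users:
        status = roster.get(u["email"])
        if status is None:  # nobody in HR knows this account
            findings.append((u["email"], "unrecognised account: remove"))
            continue
        if status != "active":  # former employee or finished contractor
            findings.append((u["email"], "former staff/contractor: remove"))
            continue
        if not u["mfa"]:
            findings.append((u["email"], "MFA not enabled"))
        excess = u["modules"] - ROLE_ALLOWED[u["role"]]  # least-privilege check
        if excess:
            findings.append((u["email"], "excess access: " + ", ".join(sorted(excess))))
        if (today - u["last_login"]).days > stale_days:
            findings.append((u["email"], "no login in over %d days" % stale_days))
    return findings

if __name__ == "__main__":
    for email, finding in review_access(PLATFORM_USERS, ROSTER, REVIEW_DATE):
        print(f"{email}: {finding}")
```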
The combination of Privacy Act obligations, the NDB scheme, and clients' reasonable expectations of data security means that data protection is now a core professional responsibility for Australian bookkeepers — not an IT afterthought.
