To explore PIIs for subcontractors, contact CPA Australia's preferred broker in Australia, Fenton Green Co., at [email protected] or CPA Australia's preferred broker in New Zealand, Apex Insurance, at apexinsurance.co.nz/CPAmember.

Check the subcontractor's written instructions and training materials for maintaining confidentiality. Training materials should cover ethical behaviour and how to respond when unethical acts or behaviours are observed. An "open door" policy is desirable to encourage disclosure of concerns about employee behaviour or misconduct without fear of reprisal.

Example. GMR Transcription Services (GMR) employed a subcontractor called Fedtrans to transcribe audio files from GMR customers. Fedtrans downloaded the GMR files, transcribed them and put the transcripts back on the network. Due to a subcontractor error, the transcripts were indexed by a large Internet search engine and became publicly available to anyone using the search engine. The files contained detailed information from medical examinations on psychiatric disorders, alcohol consumption and other confidential patient information.
The Federal Trade Commission (FTC) conducted an investigation and criticized GMR for failing to take adequate and proportionate measures to prevent the subcontractor from accessing personal data. The terms of the settlement with the FTC required GMR to submit evaluations and reports on its information security program every two years for about 20 years. (Federal Trade Commission, Provider of Medical Transcript Services Settles FTC Charges That It Failed to Adequately Protect Consumers' Personal Information, available at ftc.gov.)

IRC Sec. 7216 imposes criminal penalties on tax return preparers who disclose or misuse tax data. The IRS rules and guidelines require tax return preparers to obtain specific consent from the taxpayer before disclosing tax return information to subcontractors (and other third parties) and to require the use of "adequate data protection" when tax information is sent to a tax return preparer outside the United States (Regs. 301.7216-3 and Rev. Proc. 2013-14, No. 5, modified by Rev. Proc.
So what should CPA companies do? Relying on the good faith of subcontractors is not a viable solution. Instead, a CPA company should consider implementing appropriate risk reduction strategies.

CPA companies often use subcontractors to provide payroll, tax, accounting and auditing services, or to provide administrative assistance to the company. Providing these services gives subcontractors access to a large amount of confidential customer data. For example, subcontractors may be part-time assistants who are hired in high season, other accounting firms that help prepare tax returns, or even businesses that provide mail-order or office cleaning services.

Contractual provisions may be important in defending a CPA company in the event of a regulatory investigation or legal action relating to a privacy breach by a subcontractor. Enter into a written contract with the subcontractor covering privacy and security policies, compensation, privacy breach protocol and insurance coverage, and ask your lawyer to review the contract before it is executed.