HMRC walking in unannounced and disappearing with computers

A better solution to using usb sticks is to put your client data on a separate partition of your hard drive and encrypt it, making it completely unreadable to anyone who doesn't have the password.

I do this on my laptop in case I leave it behind in a taxi one day and it works a treat.

If only HMRC would do the same when sending disks of highly confidential data through the post to the National Audit Office ...

This is, in my view, a disgraceful ruling by the judge, which I understand is set to be challenged in the Supreme Court.However, on a practical note there are steps which can be taken. 1)      Keep all client records on an external hard drive – the ruling specifically relates to “computers” it does not extend to other electronic storage media. Better still store client’s files on an online storage facility. You are under no obligation to supply them with passwords etc. (don’t write them down).  2)      Use an encryption programme for all stored files. 3)      If you have an ongoing court case ensure all files relating to it are stored on the computer. That immediately attaches legal privilege to the computer upon which it is stored and taking the computer would be a contempt of court.  4)      Challenge their actions under Article 8 HRA which offers protection for a person’s private and family life, home and correspondence from arbitrary interference by the state. http://www.yourrights.org.uk/yourrights/privacy/article-8-the-right-to-respect-for-private-and-family-life-home-and-corresp.html  5)      Another consideration is the fact that the information held on your computer may, and in all probability would, form part of the defence against any accusations subsequently made. By accessing that information by seizure HMRC are effectively breaching the pre-action protocol (and HRA Article 6) so any subsequent criminal charges could be resisted on that basis. More practically of course you could quite easily state that whilst in their possession they had altered/erased vital documents – could they prove otherwise?  6)      I mention this in view of the increasing number of cases where computers are “tampered” with. http://www.legalbrief.co.za/article.php?story=20100804101234795 http://www.framedforchildporn.com/1-23-10.php?SessionID=5a60850b4c2cfe5112193  7)      If you work from home and your computer is your “home computer” HMRC’s powers are different and they will need a court order. I would always physically resist any attempt to force an entry as, at the very least, should an HMRC inspector lay hands on you there is an immediate claim for assault.  In practice they will not physically force access and will await the arrival of police – which gives you ample time to prepare a copy (memory stick) of that client’s information to offer them. Should they refuse to accept this and seize the computer you then have a claim to place before a court that their actions were unreasonable and unnecessary.

Yes. HMRC do now have the power to walk in and remove computers. This HMRC decision to uplift computers has been challenged a couple of times by Judicial Review and on each ocassion the tax payer has lost. You need to bear in mind that HMRC usually take this drastic action in areas of perceived high tax risk. Currently HMRC perceive excise traders i.e. those dealing in alcohol such as cash and carry wholesalers as high risk. They recently announced a 'Renewal of the Tackling of Alcohol Fraud' Straetgy. It is no doubt that HMRC having closed the doors on mobile phone 'carousel fraud' have realised that huge amounts of excise duty and VAT are being lost through excise diversion fraud.  In a similar fashion HMRC allege that alcohol is 'carouselling' in and out of the UK.

HMRC now try to recover losses/debts by using their power to confiscate assets [i.e. seizing alcohol goods] and issuing winding up orders.  The latter being very difficult to defend as  the directors are removed from the company and a 'liquidator' appointed by HMRC who often expresses no interest in defending the company against HMRC assessments.

For the majority of the trading population, there is very little to unduly worry about, although it is sensible practice to regularly back up your files.

Malcolm McFarlin

www.mandrtaxadvisers.com

I incline to the view above ie these are specific situations in a specific area of fraud and not something that is very likely be generalised for the purposes of reviewing SA returns and similar by HMRC - and I am also sure as CD says there would be grounds for HRA challenge if not others - though we may need a Supreme Court ruling first.

HOWEVER and perhaps CD can comment on this - does an accountant owe his client a duty of care in this area eg if HMRC were to take a sole practitioner's one PC to review the accounts of that individual personally and it happened that all his client papers were on there as well so HMRC took a look at them too - would the accountant have breached his duty of care or any professional responsibilities - or indeed the terms of his PI insurance - by not ensuring they were encrypted as above?

Indeed should one be doing this anyway ie over and above basic pass word protection and back up - in the event computers were stolen and the basic passwords got round?

HOWEVER and perhaps CD can comment on this - does an accountant owe his client a duty of care in this area eg if HMRC were to take a sole practitioner's one PC to review the accounts of that individual personally and it happened that all his client papers were on there as well so HMRC took a look at them too - would the accountant have breached his duty of care or any professional responsibilities - or indeed the terms of his PI insurance - by not ensuring they were encrypted as above?

Posted by Anthony123 on Wed, 11/08/2010 - 13:48

The accountant would not be breaching his duty of care as he has not handed the records over - they were taken from him - however, HMRC WOULD be abusing their powers if they viewed any records other than those for which the computer was seized.  Certainly any accountant placed in this position should insist that their computer be returned not to them but direct to an independent court recognised expert to ascertain the last dates all files had been accessed.  

If ANY file other than those specifically relating to the client under investigation can be shown to have been accessed whilst the computer was in HMRC's possession (and I absolutely guarantee they will have been), then HMRC are open to claims under Data Protection breaches, etc.  This also of course applies to the accountant's own personal files.

Should HMRC subsequently take proceedings against one of these "other" clients the illegality of their evidence gathering would become an issue in court and the court would almost certainly not allow its use, or, the use of anything flowing from that unlawfully gathered information.

Of course this relies on the accountant being smart enough to realise the potential counter claims and arrange an expert before HMRC return the computer.  You should also insist on a timed receipt when the computer is removed from your premises.

As regards PI insurance - that is a very interesting point. The insurers cannot place terms on their policy which seek to restrict HMRC's legal rights. (car insurers for instance could not insist that you must drive at 40 in 30 limits). Therefore, the insurers would need to show that HMRC had taken & accessed the computer illegally.  This of course is exactly what you want them to do. :)

First off:

The writer of the article notes that: "Although Glenn & Co (Essex) Ltd concerned different statutory provisions, the reasoning of the judge in that case is equally applicable to inspections carried out by HMRC under Schedule 36 of FA 2008."

I am not sure about that comment because any court is going to conside the actual statutory provisions so when different rules apply then different reasoning and argument will also apply - hence there will need to be a case testing Sch 36 before we really know where we are going.

S114 FA 2008 permits HMRC to examine a computer, so in most cases HMRC can and will do that. What sorts out "the wheat from the chaff" is that it is expensive for HMRC to undertake this type of fishing exercise and so it will be carefully targetted.

In short, most people have little to fear, HMRC does not have the resources to try and interogate everyone's computers.

Virtual Tax Support for accountants: www.rossmartin.co.uk

In passing a link for advisers: http://www.rossmartin.co.uk/index.php/penalties-a-compliance/230-tax-compliance-powers-to-inspect-businesses

surely this applies to documents "produced by the taxpayer" so our files would be a completely different matter...?

if section 118 is analogous to s36 then you do not have to invite them in anyway if they turn up announced without a warrant...there can be a penalty for that but the advice we got from our protection insurers was to brief clients on that basis to buy time and consider the matter...however they did say if they did turn up like like then the matter would probably be pretty heavy so tread carefully...

Also there is the matter of the meaning of "produced by the taxpayer"....I understood this to mean that if a filing drawer is shut then they cannot do anything but if you open it for them then they have access...surely the same applies for computers and you would have to "produce them" i.e. identify them for HMRC as "business records"...

sounds to me like in this case the taxpayer tried to shut the door long after it had bolted...

The advice I give everyone whether dealing with HMRC or police (or anyone else such as benefits agencies etc) is that you must always remember that they are NOT trying to get to the truth - they have already decided that you are "guilty", what they are doing is trying to find evidence with which to bury you.

Therefore the last thing anyone should do is assist them in this quest.  "No comment" police interviews are extremely frustrating for instance, and very useful in court.  The law is that the moment a police officer is satisfied that he has sufficient evidence to charge he must cease questioning and charge the suspect. Now, if he interviews you he clearly does not have "sufficient evidence" - therefore by refusing to answer his questions you place him in a difficult position.

1. If he charges then he must explain what "evidence" he obtained from a "no comment" interview.
2. He cannot say your refusal to explain added to his suspicion because there is no legal obligation to prove your innocence.
3. If he says he had sufficient evidence anyway, then he is admitting the interview was illegal.

Once an interview is shown to be illegal the entire investigation can often be discredited.

Similarly HMRC are governed by the same rules of evidence.

Following a seach by HMRC we would always demand full disclosure including sworn statements of everyone who was there.  Again this is often a fruitful source, for example we had a case 2-3 years ago of a search by police.  One officer stated that he noted the presence of a computer but did not touch it.  Another officer stated that he saw officer one "remove the side panel of the computer".  This threw sufficient doubt on officer one's testimony to allow us to totally discredit him in court.  In that particular case there were so many discrepancies (lies) in police statements that the IPCC carried out a major investigation into the force concerned.

I would advise encrytion of all data, strong password protection, and non admission without a warrant (or police presence which will take them time).

I think CD you are missing the point the way HMRC act in these isolated cases. HMRC have, in the past, turned up at a trader's premises with a liquidator in tow. They have issued an assessment usually over £350K; advised the director of the company that as they are unable to pay the assessment then the company will be placed in liquidation. The liquidator on the day of the raid takes over the operation of the company -literally kicking out the directors and employees. HMRC remove the computers. HMRC instruct private external firms of solicitors/liquidators to immediately act for them. The only legal recourse open to companies is to apply for Judicial Review which is expensive and not always a speedy method.  The liquidator will immediately freeze all company bank accounts via an application to the High Court and in some cases freeze personal bank accounts of the Directors.  I think any arguments about Human Rights will get short shrift from the solicitors appointed by HMRC.

 I have personal knowledge of a number of these cases and most of those companies are now in liquidation.  Please see our latest news article dated 20/07/10 on our website for the latest developments in these matters.

Malcolm McFarlin

www.mandrtaxadvisers.com

aiwalters, 

If you are asking this, then might I suggest that you seriously think about "cloud computing", because that way you are only using your computer as a vehicle to access someone else's server.

Quite where this will get you when HMRC then request the password/login is another matter. HMRC have the power to fine you for obstruction, so if you fail to unencrypt your own data that might be an offence.

If the data is stored somewhere else and not on your premises then HMRC will have to try its luck at eeking the details under its third party information powers from the service provider. No doubt this is something that we will see a lot of when (and if) people get into the idea of software as a service, methinks it is surely just a matter of time.

Virtual Tax Support for accountants: www.rossmartin.co.uk

Nichola Ross-Martin makes a very valid point about considering cloud computing.  However, if you do need to encrypt data then I personally use TrueCrypt, which is free.

http://en.wikipedia.org/wiki/TrueCrypt

You can encypt up to a strength of 256 bit using the Advanced Encryption Standard (AES) or other standards if you prefer.  According to Wikipedia, the Americans consider 192 bit or 256 bit AES sufficient to encrypt information classified as "Top Secret".  The bit strength signifies how many different combinations there are to crack the encyption using "brute force" (every single combination).  256 bit means there are 2 to the power of 256 combinations - an incredibly big number.  I believe 64 bit is the highest strength that has ever been cracked - although it took some very powerful computers several years to do it.

As long as you encrpt above 64 bit and use a good password (i.e. not a dictionary word and preferably something including numbers and symbols) then the data should be safe from any prying eyes.

512 bit encrytotion AND hides encryted files.

What they cant find and cant see they cant ask for the password to :)

I think any arguments about Human Rights will get short shrift from the solicitors appointed by HMRC.

Posted by Malcolm McFarlin on Wed, 11/08/2010 - 16:53

Fortunately arguments about human rights are decided by the courts, NOT HMRC's solicitors (who are not the sharpest knives in the drawer). 

CD in answer to your comment about HMRC solicitors as previously stated in my earlier comment HMRC do not use their own solicitors but external companies such as Howes Percival, Moon Beever. The liquidators appointed by HMRC are from firms such as Deloittes. The charge out rate quoted by the partner at Deloittes is £900.00 per hour.

HMRC have very deep pockets unlike most companies.

Malcolm McFarlin

CD in answer to your comment about HMRC solicitors as previously stated in my earlier comment HMRC do not use their own solicitors but external companies such as Howes Percival, Moon Beever. The liquidators appointed by HMRC are from firms such as Deloittes. The charge out rate quoted by the partner at Deloittes is £900.00 per hour.

 Posted by Malcolm McFarlin on Thu, 12/08/2010 - 08:33

I'm well aware of who they use - and they in turn are only as good as the invariably faulty information supplied to them by HMRC.   We have had many cases against HMRC and the terms "fish" & "barrel" come to mind.

Incidently charge out rate is not an indication of ability, merely of greed. I would however suggest that in the current financial climate a government department incurring £900/hour fees is a clear waste of taxpayers money and this should be brought to the attention of the government and indeed the press.  

Is their site down, or do I need to be a subscriber?

I have not been able to find the story via Google 

On the PI issue, liability being attached to should or should not an accountant encrypt sensitive data is very much a moot point. An insurer would certainly not look to avoid a policy on this basis as the ICAEW minimum wording, and vast majority of accountants policies out their will be a civil liability policies. If the accountant could show reasonable skill and care in protecting the data he would have a very good defence, regardless of if the decided to encrypt or not. By having a secure computer should be sufficient as the advanced protection turns you into an IT professional not an accountant! (Maybe not a bad idea to have an IT professional come in and set something up for you) Insurers would only ask questions if for example you were leaving files in the local pub whilst you were getting a pint or emailing your entire address book a client’s audit! Quite clearly they would be a way below the duty of care!

On the point of revenue powers - for accountants who are not 100% sure on how to deal with their new powers and the can and cant dos, having a expert opinion is vital as without it you may not be acting in the clients best interest if the inspector is pushing their luck and your client gets hit with a penalty that could have been avoided. This is a PI client that we see quite often.

One of the best solutions is a fee protection product that you can have a tax helpline to ask these questions to someone who deals with investigations frequently and may have already seen a similar situation. We work very closely with Professional Fee Protection and they have a fantastic claims team who would know how to respond to the above and help you though any investigation.

If you would like any more info see www.accountants.aon.co.uk

Don't you have to enter a password every time you want to access a file?  Or can you just do it each time you boot up?

strongly with the comment about PFP ...their cover now covers interventions in such cases and it is certainly worth a penalty to stall HMRC although as previously stated if HMRC do take such drastic action then its likely the client is in trouble...

Not really.  With the program I use, I encrypt a partition on my laptop hard drive.  Any data put into that partition is encrypted.  You just enter one password to access all of the data in that partition and don't have to enter any passwords again until you reboot the machine.  The partition looks just like and works like any other shared drive.

As I say, it works fine for laptop security.  I'm not sure how comfortable I would feel about encrypting all of my client data on the server ... but if you are paranoid that the Revenue may kick your door down and take away your server then maybe its worthwhile - or at least put any of the potentially "dodgy" clients in the encrypted partition.

... how encryption helps.

I would have thought that HMRC needs then only to serve a notice under Para 1(1)(a) Sch 36 requiring you to provide the password, and you are back to square 1?

With kind regards

Clint Westwood

Assuming each clients files are in separate folders (which presumably everyone would do), then HMRC can ONLY demand access to the client in question.  It stops them going on a general fishing expedition through all your client's files.

Also, any notice served can be resisted and challenged in the courts forcing HMRC to explain to a court the basis for their demand, and they will need to have reasonable grounds, not mere suspicion or a desire to go fishing.

... that HMRC is able to persuade the tribunal that, on the balance of propabilities, the computer contains information reasonably required for the assessment of a tax liability.  then if you attempt to resist access on the grounds that it also happens to contain information that is not of relevance, well, good luck with that.

With kind regards

Clint Westwood

You're missing the point.

By encryting files - and having separate passwords for each client's folder, you are only required to give the password for that particular client's file. This stops HMRC trawling through every other client's files in the hopes of finding something.

As for "resist access on the grounds that it also happens to contain information that is not of relevance", if you can make the case that anywhere at all on that computer hard disk there is data which attracts legal privalege in current court proceedings then HMRC have zero chance of obtaining an order. It need not even involve that specific client.

Further, if you turn up at the court with the client's files copied onto a memory stick unencryted then HMRC have a further problem. They can either accept it, or, they can call you a liar and claim there are other files you have not copied (personally I'd take a printed copy too) - difficult if not impossible for HMRC to prove there are other files and a very serious accusation for them to make.  One which would have me preparing the claim forms the same day. 

... I suppose you could use a different password to encrypt each individual file, even within a specified client.  After all, HMRC's information request will generally be somewhat focused, ie limited to a particular year.  But let's get practical.

With kind regards

Clint Westwood

The practicalities are that Labour handed unacceptable powers to HMRC (and others) to allow them to snoop on and criminalise honest citizens.  The abolition of the law on double jeopardy in "serious" cases and the misuse of RIPA being just two examples.  Professional advisors owe a duty of care to their clients to take all reasonable (and legal) steps to protect them from this state spying.

We have always kept each client's records in it's own dedicated folder and I would assume that 99% of accountants would use the same basic file structure separating clients files.  It is simple if using a good encrytion programme to assign each client his/her own password.  This has the further advantage of restricting access by staff to the files of only those clients that they deal with.

As stated, by using such a system, should the proverbial hit the fan and HMRC demand access to the files, only the files of the particular client concerned are made available to them.

Many encrytion programmes, such as NOK Vault, use 512 bit encrytion, and, actually hide encryted files.

I would like to do this, but how do you keep track of so many passwords? 

Thanks aiwalters; simple but effective. Now I just have to work out how to think up dozens of 15-digit passwords including non-alpha-numeric symbols.

Alternatively use something logical - clients have names, each letter has a place in the alphabet (a-1, Z-26 etc), phone numbers translate into letters (0-A, 3-D etc) - I'm sure you keep a written phone book with clients phone numbers in it - which doubles up nicely as a reference.  

 Great ideas. Thank you.

By the way, 15 seems like a lot. What is the minimum number of characters I can use and still be safe from someone outside of GCHQ? 

I vaguely recall a seminar I attended in the nineties regarding the various powers Customs & Excise had. We were told that Customs, because they dealt with Excise, drug control etc, had greater powers of entry to buildings than the police, needing no search warrants. These powers were not diluted when HMRC was created as it would reduce the effectiveness of Customs in reducing drug crime, illegal imports etc.

I do believe however that password protecting everything on your computers would inevitably lead to HMRC assuming you had something to hide. Different passwords for every client would appear to be overkill. Also if you had such a simple methodology as allocating numbers to letters and letters to numbers, once HMRC had requested the password to one client and you had given it to them, it would take considerably less time to crack the rest.

All you would do with such an intense system is slow down the way you work, by implementing draconian security procedures whcih the vast majority of your customers would consider over the top.

Surely HMRC would have given some prior communication with the clients concerned and hence you would be aware there may be a problem prior to them just turning up and taking equipment.

If you are so worried, the best course of action would be to dump the dodgy clients, rather than passwording every file on your computer.

I agree with Derek's comments and the reaction to encypting computers is over the top. As an ex-VAT investigator of over 20 years these sort of cases, as per my earlier comments, are very isolated.  HMRC will normally operate a softly softly approach with accountants and simply ask for the business records of the client from the accountant. HMRC are collecting evidence and there would be very little additional evidence on an accountant's computer that they had not already been able to retrieve from a client's computers.  HMRC, in these cases, will be more interested in using accoutants as witnesses rather than defendants.  I am aware of a number of cases where HMRC have physically removed clients computers but have not used the same powers against their accountants.

Malcolm McFarlin

www.mandrtaxadvisers.com 

Password protecting each client does not cause any appreciable extra work, and, when dealing with sensitive legal data as we often do, I consder it essential.

HMRC are not really a consideration, but client confidentiality is, and the primary reason for protecting date is one of security from hackers. I am aware of at least 5 cases where police officers (corrupt ones) have had computers hacked to try to get at details of defence evidence.

It is of course up to everyone to consider what kind of clients they have and whether its necessary - but do you really know that all your clients are honest ?  If you have one client who, rightly or wrongly, is suspected of terrorism you can wave goodbye to your computers. And yes - the security services do hack any computer system they think might hold clues to help find terrorists. 

Big brother is already with us - and I believe we all have a duty to protect our clients, and indeed our own data, from being accessed and potentially manipulated by "the state".  Not long ago I posted a link to a recent case where pornography was planted on an innocent man's computer to facilitate a false conviction.