Practical advice on HMRC computer seizures

Posted by John Stokdyk PM | on Thu, 19/08/2010 - 16:25 7351 8 comments

A recent Taxation magazine article on the Glenn v HMRC case confirmed HMRC’s powers to seize computers from business premises. AccountingWEB members responded in Any Answers by looking at how practitioners might cope in a similar situation.

Computer seizures: tips

● Glenn v HMRC judge ruled that computers fall within scope of Finance Act 2008 powers for HMRC to inspect documents.

● Computer seizures are becoming increasingly common, so be aware of your rights and have a clear strategy for dealing with such visits.

● Powers of seizure relate to specific clients; you are entitled to protect data stored in other files and if any of these relate to legal proceedings, the computer will attract legal privilege.

● Encrypting client data and storing off site can prevent fishing trips.

The Glenn case arose when HMRC officers turned up unannounced and without a warrant at the plaintiff's business premises on 4 February 2009. As part of their objective of inspecting business records, they disconnected and removed the company’s computer server and 19 desktop PCs to examine their hard drives. The desktop machines were returned the next day and the server was returned on 6 February 2009.

The decision turned on the court’s interpretation of HMRC’s powers of inspection, information and search at the time under section 118B of the Customs and Excise Management Act 1979 (CEMA 1979), and specifically, whether a computer can be considered a “document” in law.

Section 118(5) says that “if it appears to an officer to be necessary to do so, he may, at a reasonable time and for a reasonable period, remove any document produced [by the taxpayer]”. The meaning of “document” was extended by s114 of the Finance Act 2008, but under the law that applied at the time of the raid, the taxpayer argued that s118B of CEMA 1979 did not apply to computers.

Mr Justice Lloyd Jones disagreed, and while conscious that he should give no wider reading to the legislation than Parliament intended, he took the view that since a computer “is a thing in which information is recorded” (as defined in the s114(2) of FA 2008), it fell within the scope of CEMA 1979.

“Although Glenn & Co (Essex) Ltd concerned different statutory provisions, the reasoning of the judge in that case is equally applicable to inspections carried out by HMRC under Sch 36 [FA 2008],” Levy and Hemming warned taxpayers and their advisers.

Practical responses to computer seizures
These issues were examined at some length by AccountingWEB members in a subsequent Any Answers thread.

View from PI Insurer
But how supportive would PI insurers be, particularly if you adopted some of the more robust defensive suggestions put forward by AccountingWEB members? On behalf of Aon, Luke Hamm responded that insurers would be unlikely to avoid a policy on the basis of whether or not the accountant encrypted data: “If the accountant could show reasonable skill and care in protecting the data he would have a very good defence, regardless.”

On the point of HMRC's new information powers, he added, “For accountants who are not 100% sure on how to deal with their new powers and the can and can’t dos, having a expert opinion.” Without being certain of your grounds, he warned, “You may not be acting in the client’s best interest if the inspector is pushing their luck and your client gets hit with a penalty that could have been avoided.”

Continued...

Correction

cymraeg_draig | Thu, 19/08/2010 - 23:02 | Permalink

Just a small correction - I dont advocate withholding passwords - but, because eacch client's files have separate passwords, HMRC are ONLY entitled to access that clients files. Our method keeps all other clients files safely locked away from HMRC.

More importantly - it makes data safe from hackers.

re. external hard drives

nogammonsinanun... | Sat, 21/08/2010 - 19:58 | Permalink

I am unimpressed by the suggestion that external hard drives are safe from seizure, on the apparent grounds that the Glenn case was restricted to entire computers. All that that means is that the seizure of hard drives is untested. To extrapolate from that result that a speculative future seizure of an external hard drive would not go the same way seems premature.

With kind regards

Clint Westwood

Checking file access

jonbryce | Mon, 23/08/2010 - 11:43 | Permalink

"any accountant whose computer is taken should insist it be returned to an independent, court-recognised expert to check the last dates all files were accessed"

It is likely, particularly if the machine was returned within a day or two, that HMRC took the hard drive out of the computer, took an image copy of it, put it back in the machine, returned it, then examined the image at their leisure. An inspection of the hard drive would show that it was exactly the same as when they took the machine. The file access dates would be the same as before because HMRC read the filesystem itself rather than individual files.

You would need to look at what they did with the image copy to see which files they accessed.

Client Passwords

lloydsj | Mon, 23/08/2010 - 13:05 | Permalink

An easy and secure way to remember lots of passwords is to put them in Password Safe.

http://passwordsafe.sourceforge.net

The program stores your passwords in a highly encrypted form, with one master password.

It is also free.

Virtual Server

Mouse007 | Mon, 23/08/2010 - 21:58 | Permalink

Our new server has no hard disc in it at all, just a 1G flash pen, how cool is that?

Not a problem - more an opportunity

cymraeg_draig | Mon, 23/08/2010 - 23:41 | Permalink

It is likely, particularly if the machine was returned within a day or two, that HMRC took the hard drive out of the computer, took an image copy of it, put it back in the machine, returned it, .

Posted by jonbryce on Mon, 23/08/2010 - 11:43

Actually an expert analysis will show the last time a mirror image was taken of a hard drive and of course as they are only authorised to take copies of the files relating to the client in question, by taking others HMRC would be in very deep you know what. All sorts of questions about Data Protection, breaches of the HRA, invasion of privacy, unlawful investigative techniques, and if there was a single court file on there - breaches of legal privalege (which courts are very sensitive about) would be raised. The possibilities for causing HMRC serious grief would be endless.

Distribution of Data

drintoul | Wed, 25/08/2010 - 15:33 | Permalink

There are a few points to be made.

Firstly client data can be in a number of places - e-mail, accounts systems, tax systems, document management, file shares, Payroll. How would you realistically have workable procedures in place to secure individual client records in each of these systems, especially if you are talking about thousands of clients, and are using SQL server to handle some of the data.

Secondly what comeback does the firm have if assets are seized and the business subsequently suffers especially if HMRC find nothing. Commonly systems are now virtualised, so it is impossible to remove just the physical accounts server, as it co-exists with all the other systems. There would be a huge impact on any firm if their systems were down for even a few days, with client service compromised. Suppose you just need to treat it like a business continuity event.

Canary

mikewhit | Thu, 26/08/2010 - 12:54 | Permalink

You could always put on your system a "fabricated" document file with some HMRC-infringing material (possibly referring to client Mr. I M A Fake) on it but which was completely unconnected to any of the real clients.

Then if they started to kick up a fuss on the file as a result of their fishing you could hold up the copy of the document in your canary-yellow folder and ask them what they were doing going off-limits.

Just a thought - it's the kind of thing the OS does to spot copies of its maps, they insert some fake feature.