Illegal emails and tax returns


A colleague was at a seminar recently (I'll not say which organisation hosted it) during which she was advised by the speaker that it was now illegal for accountants to email tax returns to clients, and had become so in the last six months.  Instead, we should only be using online portals, so that we can upload tax returns etc. for the client to then download securely.

We have used email to send tax returns (as a PDF attachment) for years and it is clearly very useful, especially if clients are on the move a lot or live overseas where mail can take an age to arrive if at all, and of course, in the last few weeks of January each year, emailing returns slashes the turnaround time for those dilatory last-minute clients that we all have.

So, when I heard this may now be illegal, I tried to find out more, but I've not been able to find anything else on the matter.  There are a number of articles written about the use of portals and that they may offer higher levels of security (I'm told that pretty much anything online can be accessed if the third party is determined to do it) but nothing to say it's illegal.  I understand that in some US states it has been made illegal to use email in this way, but not the UK.  If it were, who would police such a system? - I assume it would be down to the intended recipient to take the legal action if they discovered that their tax return had been emailed rather than uploaded.

We do have an online portal facility but clients don't seem too keen - probably as it involves setting up passwords and looking out for separate notifications being sent when something is ready to be downloaded.

Has anyone else heard about this, or is it a bare-faced sales pitch to get people to sign up to the portal services that were also being offered at the same seminar?

Cheers

Ian

Replies (27)

By Roland195
07th Nov 2012 10:07

Data Protection Act

From the top of my head, I believe that there is some way to run afoul of the DPA by emailing client information but I had understood it to apply only when outside of the EU.

I would agree that it is more than likely just a salesman's pitch but there could be a kernel of truth in it somewhere.

Thanks (0)
By Maslins
07th Nov 2012 10:23

Every action breaks a law somewhere these days

...as there's so many stupid laws which all conflict with each other.  Like you suggest, nobody polices the more ridiculous ones (thankfully).

Is it illegal?  I have no idea.  Do we email tax returns?  Yes.  Will we stop following reading the above?  No.

Thanks (6)
By petersaxton
07th Nov 2012 10:58

Don't believe sales people

Most of them say anything to get a sale.

If it was illegal you would be able to find something about it by doing a search on Google.

Thanks (1)
Locutus of Borg
By Locutus
07th Nov 2012 12:22

This may be my last posting ...

If it's illegal then given the number of tax returns I've sent by e-mail over the past 10 years this may be the last posting I write before I'm sent to Ford Open Prison!

Seriously, though, I personally regard surface mail as even less secure than e-mail, as a higher percentage of that gets lost, posted in the wrong door or intercepted by crooked sorting office staff (like my credit card at Christmas!)

If a client ever asked for a more secure e-mail solution then there are far cheaper and easier ways to send encrypted e-mails and attachments than buying the secure portal thingy that the nice gentleman at the seminar was probably trying to sell your colleague.

Thanks (10)
Teignmouth
By Paul Scholes
07th Nov 2012 12:31

Data Protection

Similar to others the first I heard of this was a few years back when it was announced that as some US states have made emailing data illegal it will arrive here soon enough.

More recently, with the move to online storage, companies have highlighted the risk, from Data Protection law, of storing data outside the EU, for example on DropBox or Google and have even tried to make the point that when you send an email to your client 5 miles away you should check that it doesn't go via a server outside the EU (silly).

From what I can tell it is the storage on a non-EU server that might put you at risk but, given that two years ago that same data may well have been on your local leaky PC or server, I'm not losing sleep.

It's worth a read of the ICO guidance if you haven't done so for a time.  In our case we identified emails as being less than secure and so for a couple of years merely send encrypted PDFs if it's sensitive data.

By the way, if you want 1GB of free "dear old Blighty" secure storage for sharing data with your clients, Iris now offer it to any accountant as Iris Openspace.

Thanks (4)
Woolpit Gus
By nutwood
07th Nov 2012 12:41

CSA won't send emails because they say they're insecure.

Had a call yesterday from CSA office wanting to send me a form to be completed with details of client's income.  They wanted to fax it, but we junked the fax two years ago when we realised that only one client still had a fax machine and he had only sent us one fax in the previous two years.  Told CSA to email the form but was advised they couldn't as it was not secure.

I can't really understand this as it is just as easy to misdial a fax number as to type an incorrect email address.  In addition, instead of the fax going to someone's mail box, it would just sit in the fax tray and could be picked up by anyone.

I was further bemused because I imagine the form in question is blank as they expect me to fill in the details.

They're putting it in the post instead.

Thanks (1)
By ianthetaxman
07th Nov 2012 14:37

Many thanks for the comments made.  I do think the spokesperson was probably on a sales push, as something like this would have come up a lot sooner and with much more publicity if it were the case.

I think we will continue as before until such time as the professional bodies come out with a definitive statement telling us not to do it.

Thanks (0)
By Healthpay
07th Nov 2012 23:00

CSA won't send emails?

Use a fax to email gateway. Then the CSA can fax to their heart's content, and you receive emails. No fax machine and very modest charges via TTNC - www.ttnc.co.uk

Thanks (0)
Replying to sash100:
Woolpit Gus
By nutwood
08th Nov 2012 00:15

Thanks. A neat solution but

Healthpay wrote:

Use a fax to email gateway. Then the CSA can fax to their heart's content, and you receive emails. No fax machine and very modest charges via TTNC - www.ttnc.co.uk

Thanks.  A neat solution but a tad expensive to receive one fax in three years.

Thanks (0)
By HUGH W DUNLOP
09th Nov 2012 00:58

e mail tax returns

Before we e mail tax returns they are encrypted in the normal way, clients are given the encryption code when they register which lets them to the door of their account. They are then given a password for their account. Each client is given the encryption code, together with their own entry code. No client can access another client's records.

Thanks (0)
By Paul Holborow
09th Nov 2012 08:54

Illegal emails & tax returns...what you should know

As an accountant who has worked in developing an information security programme now being rolled out to accountants in Scotland through ICAS and to lawyers in England with Oyez, I can comment on this, especially as the ICO has already ruled on emailing payslips.

There is nothing in the DPA that says you should specifically encrypt tax returns, BUT the Act says: "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data…. appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage to personal data".

In May 2012 the ICO has ruled, in the Holroyd Howe case, that when emailing payslips they should be encrypted. This is what he said, referring to payslips sent unencrypted, in his undertaking issued to Holroyd: "Appropriate security measures are taken to protect personal data sent by email; in particular, sensitive personal data shall not be transmitted by email across the internet unless encrypted to current standards". Note he says ‘encrypted’, not password protected.

Further, the ICO has a "top tip" to protect personal data that includes "Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen."

In interpreting and enforcing the Act the ICO has issued hefty fines where data subjects suffer distress knowing personal data may be accessed by third parties (Welcome Financial Services July 2012-£120k) and where sensitive emails go to the wrong recipient (Stoke City Council October 2012-£120k, Prudential Assurance October 2012 - £50k).

Your tax & payroll departments need to understand tax returns, payslips, pension, RTI Alignment files - they are all sensitive and personal data. No client would want their tax affairs in the public domain. They would suffer distress and be open to identity theft in just the same way as in these cases. Most partners would want to avoid paying a fine and would want to protect their reputation.

The ICO also look at the technology available. It doesn't have to be a portal but note, as it can cost about the cost of a Mars bar a week to provide an employee with some simple encryption software that gives users options over encryption by email, to USB/DVD, via FTP, and with audit and access controls, and that’s free for the recipient, he will regard this as "appropriate".

Feel free to contact me on or off-line for more information. Paul Holborow.

http://www.iaaitc.org/  or http://www.r-m-t.co.uk/it-technology/information-security/

Thanks (9)
By pauljohnston
09th Nov 2012 13:03

Emailing personal data

There could well be truth in the salesman's pitch but not yet.  If memory serves me correctly it is a directive from the EU.  I understand that the directive, yet to be enacted, is similar to those in some USA states.  It prevents sensitive information being sent by email.

The way forward is probably a portal such as DOCsafe.  I am not sure that ideas such as dropbox will be sufficient.  Also what is not clear is whether the recipient can give you authority to forward items by email and thus avoid the directive.

No doubt time will tell.

Thanks (0)
By Paul Holborow
09th Nov 2012 13:56

Illegal emails - what you should know

I don't know which seminar Ianthetaxman's colleague was at but the ICO is already making rulings to enforce the current legislation so I suspect many firms aren’t encrypting payslips or tax returns, when the ICO would say they should be. So there is a large element of truth in the pitch.

For those that are interested, take a look here & scroll down to the monetary penalty notices

http://www.ico.gov.uk/what_we_cover/taking_action/dp_pecr.aspx

- the Prudential case on 6 November might come close to what could happen in an accounting firm, as could Holroyd 23 May 2012.

The proposed EU General Data Protection Regulation is still in consultation and may be a year or 2 away.

One final point – remember your engagement letters? They probably say you comply with the DPA.

Thanks (2)
By The Black Knight
09th Nov 2012 15:05

Simples don't email

Just another excuse for the IT profession to get excited about billing you so you can provide an undervalued service.

Just goes to show paper is best.

All that is left of the UK is service industry billing service industry financed by tax credits and government debt, no wonder it is all spiraling down the plughole.

I wonder what new service industry the idiots will design next.

There comes a point where you need to get on with your life and ignore the stupid rules or die.

Thanks (1)
By The Black Knight
09th Nov 2012 15:19

Let's hope all this data

Let's hope all this data is not being processed by Al Qaida in India.

Thanks (0)
By The Black Knight
09th Nov 2012 15:30

Look at the penalties!!

Mainly billed by the government to the government?

How does that work then?

Wonder if it's just me?

Thanks (1)
Replying to Together We Count:
By Roland195
09th Nov 2012 16:39

Ask the Isle Of Wight Council

The Black Knight wrote:

Mainly billed by the government to the government?

How does that work then?

Wonder if it's just me?

Also, do you suppose HMRC pay the PAYE/NIC on its own staff's salaries on time? What happens if they don't?

Thanks (1)
Replying to sushi_ginger:
By The Black Knight
09th Nov 2012 16:59

Trick Question

Roland195 wrote:

Also, do you suppose HMRC pay the PAYE/NIC on its own staff's salaries on time? What happens if they don't?

Is that a trick IR35, umbrella company question?

Thought they had outsourced the perpetual ever increasing virtual non payment credits system so it appeared in GDP so they could borrow more to fund the expansion! LOL

An Enronism? But bigger?

Thanks (0)
By frauke
09th Nov 2012 19:20

That explains it

I took over a client whose previous accountant died, and it seemed to be a pretty straightforward sole trader. Until I found out recently he was a partner elsewhere when HMRC questioned why I (and his previous accountant) had not put his partnership income on his return.

The previous accountant, as I had included the money received from the partnership as the client's sole trader income.  When I asked the client why he had not told me about the partnership he told me he did not know he was in one!  I managed to get hold of the accountant's details who prepared the partnership accounts & return to be told it had been going a few years and that my client had been sent the details of the partnership for approval.

When I questioned my client he said he had never seen anything, and to be honest he didn't understand what he had to do etc etc...... to access the information he had been sent for approval, which I guess was encrypted and he just could not find or figure out how to use the information on how to access it.

I have to admit I now have a word document, which is saved in a dropbox with every single login information I need to access anything now. I have to constantly refer to it.  I just think if someone managed to access this document I would be in trouble, but I have so many different types of logins, passwords etc now, and I can't afford to get locked out of any of these accounts. It's a bit of a joke, and I am often tempted to go back to pre-internet facilities.

Thanks (0)
Replying to extrafisher:
By Healthpay
09th Nov 2012 21:00

Which is why.....

Which is why I use Lastpass

Thanks (0)
By pauljohnston
10th Nov 2012 14:44

Lastpass gets

my vote too.

www.lasspass.com

Thanks (0)
By ugdiv
11th Nov 2012 11:55

Keepass is simpler (open source and free)

I use Keepass.

The program is less than 1Mb and can be run from a USB stick.

It does not require a log-on to any site and is not dependent on a browser.

You can have multiple database files, and can rename them anything you like to disguise them (e.g. picture.jpg). You can even use a combination of a password and a data file.

http://keepass.info/index.html

I suggest the earlier version 1.x, otherwise you need Microsoft .NET Framework 2.0 or above.

Thanks (0)
By Halex
12th Nov 2012 08:06

Or try 1password

It works on your iPad/iPhone too.

Thanks (0)
By pauljohnston
12th Nov 2012 09:53

For me a free

option could be dangerous.  Because I am concerned about my client's data I prefer to use a UK based solution and nothing is free.  For others a free solution may be very acceptable.

Thanks (0)
Replying to DJKL:
By jndavs
13th Nov 2012 11:51

"and nothing is free"

What?

Never heard of open source?

There are literally thousands of high quality applications available, just look at Firefox, Scribus, LibreOffice, GIMP etc.

In this case something like Password Safe http://passwordsafe.sourceforge.net/ or KeePass mentioned above will look after passwords for you.

Thanks (0)
Teignmouth
By Paul Scholes
12th Nov 2012 15:27

Keepass

Paul, just to say I have a client who writes IT security systems and he swears by Keepass, have to say though I found it confusing and so use the PDF encryption in Acrobat or Winzip.

Thanks (0)
By daveforbes
13th Nov 2012 12:23

encrypted emails

Most email programs provide a facility to encrypt emails.

The recipient in his email program generates a digital ID (also known as a certificate) and then sends to you a "signed" email. In your email program, if the option to add senders' certificates to the address book is ticked, then this certificate is stored.

When you send, the email (and attachments) is encrypted with that person's digital ID picked up from your address book, and no one can read it except them. No passwords to remember and it is all done by your email program.

Thanks (6)