Save content
Have you found this content useful? Use the button above to save it to your profile.
AIA

Communicate securely with clients: Top tips

by
4th Feb 2013
Save content
Have you found this content useful? Use the button above to save it to your profile.

While online filing removes the pressure of being bogged down with paperwork, it does throw up another concern - client data security.

Many tech-savvy accountants have moved on from email to online portal facilities in which they store and share documents with clients. But during self assessment season, questions continued to be raised on Any Answers how accountatns can ensure clients’ personal tax returns and other confidential information are safe, especially if you still send them via email?

Emailing client tax returns: frowned upon or illegal?

Post can be costly, unreliable and slow, particularly during tax season so email is an obvious way to send accounts and tax returns to clients. But email also arouses security concerns - highlighted on occasion by software salespeople who claim that it's illegal to send confidential personal information this way.

AccountingWEB member ianthetaxman started the ball rolling in November on this subject when he queried whether sending returns really was a breach of the Data Protection Act (DPA) and if there was anything he could do to increase the security. And shogun revived the issue just before Christmas.

Commenting on the query of legality, accountant Paul Holborow, who has experience in developing a new information security programme for accountants and lawyers, said there was no law that says you can’t email client returns.

However, he said to be aware of the law in this area:

  • According to the DPA:  "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
  • The Information Commissioner’s Office (ICO) recommends that accountants: "Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen."
  •  The ICO issues “hefty” fines in cases where emails containing sensitive data are send to the wrong person or may be accessed by a third party 

Having some kind of encryption, online portal or secure document exchange facility would be beneficial to both clients and their firms in this instance, Holborow said: "No client would want their tax affairs in the public domain. They would suffer distress and be open to identity theft in just the same way as in these cases. Most partners would want to avoid paying a fine and would want to protect their reputation."

Client data should only be emailed when strictly necessary and should contain some form of encryption or security, which can costs less than a bar of chocolate a week to run, he added.

According to the Information Commisoner, any any personal information held electronically that would cause damage or distress if it were lost or stolen should be encrypted. Yet an ICAEW survey found that 75% of firms questioned don’t encrypt financial statements or tax returns when communicating with clients via email. For those who would like to investigate encryption tools - or more fully featured secure web portal systems, here are some security solutions suggested by members: 

Signatures on tax returns: original or electronic?

One thing you cannot email is the client's physical signature - unless you ask them to scan the signed page of their tax return and send it back.  This issue popped up again as the self assessment deadline loomed in January, with questions from Eddystone and shogun again about whether original signatures are required for tax returns, or whether digital substitutes can be accepted.

Numerous acceptable suggestions were put forward by members, including emailing the documents to clients and asking them to forward them back stating their approval of the attached documents, but Nogammonsinanun commented that when a client was arrested for fraud this year, "I cannot tell you how relieved were to be able to produce on request tax returns containing his original signature."

In last year's article on automating the tax workload, document management discussion group leader Charles Verrier confirmed that email authorisations are adequate. “You don't need the signed pages, an email is fine. While there are ways of faking them, the practical reality is that emails are accepted by (Civil) courts every day of the week," he said.

The IR Mark issued by HMRC is based on an algorithm calculated from the data contained in the version of the return submitted. Tax software can also generate the code so the reference will confirm that the client's authorisation relates to the return filed.

Verrier continued: “As the mark changes when any of the return's content changes, you can use this to show that your filing was identical to the copy that the client saw and approved.” 

Lindenhouse e-guide: A digest

David Owen, from document management specialst Lindenhouse joined the thread to put the case for using secure online portals. In tandem with the ICAEW IT Faculty, Lindenhouse has been running a series of seminars on the subject and produced an e-guide called Streamlining and Securing Client Communication

The downloadable document answers many questions of the questions raised about the legal situation and confidential document storage options. Although the DPA does not explicitly ban email transmissions, new European data protection laws are set to come be unveiled in 2014. The provisions are not set in stone yet, but are likely to include:

  • Broader definition of personal data
  • Explicit consent
  • ‘Right to be forgotten’
  • Notification of breaches
  • Tougher sanctions – possibly up to 2% of global turnover.

The e-guide also advises accountants to be aware that there is a difference between password protecting and encrypting files. Unlike emails, secure online document exchange portals encrypt data at source and online storage makes it more secure.

Aside from regulatory compliance, there is also a client care dimenstion to using the latest technologies, explained Prime Accountants chairman Laurence Moore in the e-guide: "The electronic exchange of documents allows us to be consistent and to provide a standardised approach to client service."

For further reading on this topic, see: 

Replies (4)

Please login or register to join the discussion.

avatar
By Ian McTernan CTA
05th Feb 2013 11:12

Online 'security'

Anything you transmit can be intercepted, decoded and read.  Using a 'secure online portal'  just puts another layer of 'security' between you and the potential hacker.

As 250,000 FaceBook users can now attest, storing details online on a supposedly 'secure, highly encripted, firewalled blah blah' isn't as safe as people would make you believe.

If a hacker knows that you proudly announce to your clients that you use 'XYZ secure online portal' then they already know where all your information is heading, held, etc and it makes their job easier if they are targeting a specific data set.

Bear in mind also that staff need to be trained to use whatever system you impose and will usually seek to make it as easy as possible so that it takes as little of their time as possible to send/receive information- possibly even using the same password as others or even the same password as that person who was made redundant a few weeks ago.

Data security is an area where there can be many weak links and it only takes one for determined people to be able to access the information you are trying so hard to protect.

By all means use whatever system makes you feel you have done all you can to protect client details but remember to pay for decent training and regular update sessions (with tests!) on the system you decide to use to ensure that staff are using it properly- otherwise it can all be a huge waste of money.

Remember also that emailing any sort of password, decryption key or any other means to access the data at the other end means that all that wonderful encryption, secure online storage etc has all been for nothing, as all it takes is for the email to be intercepted and hey presto the hackers are in.

Thanks (0)
By Paul Holborow
05th Feb 2013 12:24

Online security

Deciding whether to use a portal is a big step and as some firms might outsource this to a third party this brings its own security issues which I suspect most firms aren't aware of. See the ICO guidance on outsourcing for example - you need to be sure the provider has good security. If they foul up , who do you think is liable?!

Seeing as Rachel mentioned some products in her article, if you are a firm of accountants or run a payroll bureau for example, you could look at Egress for policy driven file and email encryption - recipients need to enter a PIN code or give answers to questions only they would know the answers to in order to decrypt messages. Contact me for more info. or www.egress.com

Thanks (0)
avatar
By k.bonney2
06th Feb 2013 10:32

What do clients want?

Don't accountants excel at agonising over matters such as this?  Has anybody stopped to ask themselves what clients want?  And do they even care?

For the last two years I have asked every client of mine whether they want me to password protect the tax returns I email out to them.  In year 1 only two clients out of 200 responded in the affirmative.  In year 2 no clients responded in the affirmative and the two who had previously asked for password protection rang me to ask me to remind them what the agreed password was!

I conclude this isn't something which keeps clients awake at night.  So let's not get hung up about it.

Thanks (0)
avatar
By thelma65
19th Feb 2013 19:18

dpa 2014

the point being is that dpa is changing

so YOU will have to adhere one way or the other - actually clients do want portals and we are attracting better IT savvy clients because we do offer a portal!!!

really you need to just tell clients this is how its going to be - and they generally accept the new way of working theones that dont - well probably they are the most hassle anyway - and they can pay for ther paper copies of TR's every year!

 

portals are a must for the future and for any practice that wants to be ahead of the game

Thanks (0)