Wendy Bradley is concerned that HMRC is going beyond its remit in demanding more information than the law requires taxpayers to submit.
Where to begin
Let us start with the legislation which gives HMRC the power to compel us to make tax returns: "a return of … income, computed in accordance with the Income Tax Acts and specifying each separate source of income and the amount from each source." (TMA 1970, s 8).
I want to know: How do we get from being required to return our income to being required to tell HMRC the sort code and account number of our bank accounts?
I completed my SA tax return for 2016/17 online and I was not due a tax rebate. But I found a stumbling block to submitting my return on the page concerning overpaid tax. I could not progress beyond this page without either letting HMRC have my bank account details or making an incorrect return by claiming not to have a bank account at all.
As Rebecca Cave has pointed out, there is no independent oversight of HMRC's software and its compliance with the legislation, and this is one section of the electronic SA return that I would like to see reviewed. I believe it represents a civil liberties infringement: the SA return can’t be completed without complying with a request (for a bank account number), which, arguably, HMRC have no right to make.
Here is the screen to be completed:
This is what happens if you try to short-circuit the process by pressing "send" without completing either your bank details or the incorrect statement that you do not have one:
You could argue that this is a relatively minor infringement of my civil liberties. Giving an organisation the name, sort code and number of your bank account does not allow them access to the information about the contents of this account, let alone to any money it might contain.
Yet in a world where we are perpetually told to be wary of online fraudsters trying to glean our bank details, it seems bizarre that HMRC acts in this way. My point is that HMRC should not be compelling us to hand over information that it has no statutory right to acquire.
When the GDPR comes into force on 25 May, will HMRC need to review its actions? The guidance from the ICO is clear that the potential to exempt "taxation matters" from the transparency obligations and individual rights guaranteed by the regulation exists, but only if this exemption "respects the essence of the individual’s fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society".
Do we accept that HMRC can harvest our bank details via their software design, rather than by a statutory power given through legislation? I have given HMRC my bank details before when I was expecting a repayment; where's the harm in handing them over again?
This is an "if you have nothing to hide you have nothing to fear" argument: the state does not have an untrammelled right to collect information about us without oversight.
Do we also accept that HMRC may make a voiceprint from our telephone conversations with the department, and use that voiceprint to identify us in the future?
This is not science fiction: this is already happening. For the past year, HMRC has been offering people who ring the tax credits and SA helplines the opportunity to record their voice and have their voiceprint used to identify them in future. This sounds like a whizzy customer service initiative when it is described as:
"HMRC will be encouraging customers who call to take advantage of the Voice ID service, but they can choose to opt-out and continue to use HMRC’s services in the usual way if they prefer".
But I challenge this statement.
When I found myself in the automated system and was asked to repeat the phrase to be recorded, I could not identify a means to refuse to give consent or to opt out, or indeed any explanation that I could deny consent. I was reduced to repeating "no!" instead of the requested phrase until the automated system, more in sorrow than in anger, explained that it couldn't complete the transaction, but I would be offered the opportunity the next time I rang.
HMRC has recently published its policy regarding the data protection legislation, but will it be in compliance when the legislation is updated?
I hope HMRC's entry in the ICO's data protection register has been compiled from a drop-down menu with limited options, or else how do you explain it describing its core activity as "general business"? When HMRC updates its ICO entry by May 2018 to comply with the GDPR regime, I hope it will have someone on its staff who understands the concept of consent.
Protection v liberty
HMRC has, rightly, powerful tools at its disposal to identify and combat tax fraud and protect the public purse. Equally, it needs to understand that this does not give it the right to take liberties with the rights of the vast majority of ordinary taxpayers.
Should we all make individual subject access requests for sight of the data HMRC holds on us, and then ask for it to be deleted?