Share this content
AIA

Practical advice on HMRC computer seizures

by
19th Aug 2010
Share this content

A recent Taxation magazine article on the Glenn v HMRC case confirmed HMRC's powers to seize computers from business premises. AccountingWEB.co.uk members responded in Any Answers by looking at how practitioners might cope in a similar situation.

In the article, Jonathan Levy, head of the tax disputes resolution team at Reynolds Porter Chamberlain LLP, and Daniel Hemming set the Glenn case against the backdrop of new powers that HMRC has gained in recent years:

  • FA 2007 introduced a new cross-duty penalty regime for inaccuracies in mainstream taxes
  • FA 2008 included new information and inspection powers for the main taxes and further penalty harmonisation for stamp duties, inheritance tax, insurance premium tax and other less common taxes
  • FA 2009 extended the information and inspection powers, and introduced a new penalty for carelessly or deliberating providing incorrect information in response to an information notice
Computer seizures: Tips

Glenn v HMRC judge ruled that computers fall within scope of Finance Act 2008 powers for HMRC to inspect documents.

Computer seizures are becoming increasingly common, so be aware of your rights and have a clear strategy for dealing with such visits.

Powers of seizure relate to specific clients; you are entitled to protect data stored in other files and if any of these relate to legal proceedings, the computer will attract legal privilege.

● Encrypting client data and storing off site can prevent fishing trips. 

The Glenn case arose when HMRC officers turned up unannounced and without a warrant at the plaintiff's business premises on 4 February 2009. As part of their objective of inspecting business records, they disconnected and removed the company's computer server and 19 desktop PCs to examine their hard drives. The desktop machines were returned the next day and the server was returned on 6 February 2009.

The Glenn case turned on the court's interpretation of HMRC's powers of inspection, information and search at the time under section 118B of the Customs and Excise Management Act 1979 (CEMA 1979), and specifically, whether a computer can be considered a "document" in law.

Section 118(5) says that "if it appears to an officer to be necessary to do so, he may, at a reasonable time and for a reasonable period, remove any document produced [by the taxpayer]". The meaning of "document" was extended by s114 of the Finance Act 2008, but under the law that applied at the time of the raid, the taxpayer argued that s118B of CEMA 1979 did not apply to computers.

Mr Justice Lloyd Jones disagreed, and while conscious that he should give no wider reading to the legislation than Parliament intended, he took the view that since a computer "is a thing in which information is recorded" (as defined in the s114(2) of FA 2008), it fell within the scope of CEMA 1979.
 
"Although Glenn & Co (Essex) Ltd concerned different statutory provisions, the reasoning of the judge in that case is equally applicable to inspections carried out by HMRC under Sch 36 [FA 2008]," Levy and Hemming warned taxpayers and their advisers.

"Taxpayers need to be alive to the possibility of an HMRC inspection, which should be on at least seven days' notice but may be carried out without notice under certain circumstances, and the possibility of computers containing non-relevant information being removed from premises.

"Taxpayers need to consider in advance how they will react to such an inspection and may wish to consider whether they should have in place a clear strategy for dealing with such visits."

Being aware of your rights is the first step to ensuring HMRC does not exceed its powers, particularly where officers may be trying to inspect legally privileged material, the authors added.

Practical responses to computer seizures
These issues were examined at some length by AccountingWEB members in a subsequent Any Answers thread.

Malcolm McFarlin and Nichola Ross Martin urged readers not to worry unduly. "Most people have little to fear," said Ross Martin. "HMRC does not have the resources to try and interrogate everyone's computers. It is expensive for HMRC to undertake this type of fishing exercise and so it will be carefully targeted."

She also noted that while s114 FA 2008 permits HMRC to examine a computer, this power has not been tested before a tribunal.

But Cymraeg_Draig condemned the judge's "disgraceful ruling" in Glenn v HMRC and predicted it would be challenged in the Supreme Court. He and several other members offered suggestions for advisers who might experience the dreaded inspector's knock at their door:

  • Know your rights - Cymraeg_Draig pointed out that any notice served by HMRC can be challenged in court on the basis for the demand, which would force the inspectors to demonstrate reasonable grounds for their search on a specific client. Holding client information in separate, encrypted folders "stops them going on a general fishing expedition through all your clients' files", he added (see below).
  • Co-operate where necessary – HMRC is entitled to see the relevant client's information. If they want it, copy the client files onto an unencrypted memory stick and give it to them.
  • Home computers - If you work from home, HMRC will need a court order to take your computer. Article 8 of the Human Rights Act offers protection for a person's private and family life, home and correspondence from arbitrary interference by the state. You are entitled to resist any attempt to force entry without a warrant, and HMRC will usually wait for police to arrive to gain entry, giving the adviser time to prepare a copy of that client's information to offer them.
  • Monitor file access - HMRC officials would be abusing their powers if they viewed any records other than those for which the computer was seized, so any accountant whose computer is taken should insist it be returned to an independent, court-recognised expert to check the last dates all files were accessed. If any files other than the specified clients' were accessed while the computer is in HMRC's possession, the department would be in breach of the Data Protection Act and could be in contempt of court if any of the files relate to clients under investigation.
  • Legal privilege - If you are involved in any ongoing court cases, storing the files relating to the case on the computer attaches legal privilege to the PC. If the information on your computer was to form part of the defence against any subsequent accusations subsequently made, HMRC would be breaching the Human Rights Act.
  • Encrypting and storing data offsite – The Glenn ruling relates to "computers", but does not extend to other electronic storage media. So keep all client records on an external hard drive, or better still store them in an online storage facility. If you use an encrypted system, you are under no obligation to supply HMRC's inspectors with passwords other than for the client under investigation, explained Cymraeg_Draig [small correction here - see comment below - Ed]. "We have always kept each client's records in its own dedicated folder. It is simple if using a good encryption program to assign each client his/her own password. This has the further advantage of restricting access by staff to the files of only those clients that they deal with." Nichola Ross Martin was less certain about the consequences of withholding passwords from HMRC, which might incur fines for obstruction, but added, "I suggest that you seriously think about Cloud Computing, because that way you are only using your computer as a vehicle to access someone else's server. If the data is stored somewhere else and not on your premises then HMRC will have to try its luck at eking the details under its third-party information powers from the service provider."

Practical considerations
"Is it not inconvenient having all your files encrypted?" asked chatman. But the response from those who do so was reassuring. "With the TrueCrypt program I use [non-Cloud], I encrypt a partition on my laptop hard drive...  You just enter one password to access all of the data in that partition and don't have to enter any passwords again until you reboot the machine. The partition looks just like and works like any other shared drive."

Cymraeg_Draig takes a more thorough approach, entrusting client data to the online NOKvault, which provides 512-bit encryption and hides the files from sight. "What they can't find and can't see they can't ask for the password to," he added.

The difficulty in remembering large numbers of complex passwords was raised by aiwalters, who suggested maintaining a separate file of passwords in several locations, with its own more memorable password: "One way of doing this is by creating a free gmail account and emailing it to yourself."

Cymraeg_Draig suggested a system based on transposing letters in clients' names for numbers (e.g. A=1, Z=26) or phone numbers to letters. A written phone book listing clients' phone numbers doubles up nicely as a reference, he added.

View from PI Insurer
But how supportive would PI insurers be, particularly if you adopted some of the more robust defensive suggestions put forward by AccountingWEB members? On behalf of Aon, Luke Hamm responded that insurers would be unlikely to avoid a policy on the basis of whether or not the accountant encrypted data: "If the accountant could show reasonable skill and care in protecting the data he would have a very good defence, regardless."

On the point of HMRC's new information powers, he added, "for accountants who are not 100% sure on how to deal with their new powers and the can and can't dos, having a expert opinion is vital as without it you may not be acting in the client's best interest if the inspector is pushing their luck and your client gets hit with a penalty that could have been avoided. This is a PI client that we see quite often."

Taxation magazineTaxation magazine
This article includes extracts from a longer piece originally published by Taxation, the market-leading weekly magazine providing news and features on UK tax law, practice and administration. A subscription costs £319 a year and includes full access to the online Taxation archive.

Replies (8)

Please login or register to join the discussion.

avatar
By cymraeg_draig
19th Aug 2010 23:02

Correction

Just a small correction - I dont advocate withholding passwords - but, because eacch client's files have separate passwords, HMRC are ONLY entitled to access that clients files.  Our method keeps all other clients files safely locked away from HMRC.  

More importantly - it makes data safe from hackers.

Thanks (0)
avatar
By nogammonsinanundoubledgame
21st Aug 2010 19:58

re. external hard drives

I am unimpressed by the suggestion that external hard drives are safe from seizure, on the apparent grounds that the Glenn case was restricted to entire computers.  All that that means is that the seizure of hard drives is untested.  To extrapolate from that result that a speculative future seizure of an external hard drive would not go the same way seems premature.

With kind regards

Clint Westwood

Thanks (0)
avatar
By jonbryce
23rd Aug 2010 11:43

Checking file access

"any accountant whose computer is taken should insist it be returned to an independent, court-recognised expert to check the last dates all files were accessed"

It is likely, particularly if the machine was returned within a day or two, that HMRC took the hard drive out of the computer, took an image copy of it, put it back in the machine, returned it, then examined the image at their leisure.  An inspection of the hard drive would show that it was exactly the same as when they took the machine.  The file access dates would be the same as before because HMRC read the filesystem itself rather than individual files.

You would need to look at what they did with the image copy to see which files they accessed.

Thanks (0)
avatar
By lloydsj
23rd Aug 2010 13:05

Client Passwords

An easy and secure way to remember lots of passwords is to put them in Password Safe.

http://passwordsafe.sourceforge.net

The program stores your passwords in a highly encrypted form, with one master password.

It is also free.

 

Thanks (0)
By Mouse007
23rd Aug 2010 21:58

Virtual Server

Our new server has no hard disc in it at all, just a 1G flash pen, how cool is that?

Thanks (0)
avatar
By cymraeg_draig
23rd Aug 2010 23:41

Not a problem - more an opportunity

 

It is likely, particularly if the machine was returned within a day or two, that HMRC took the hard drive out of the computer, took an image copy of it, put it back in the machine, returned it, .

 

Posted by jonbryce on Mon, 23/08/2010 - 11:43

 

 

Actually an expert analysis will show the last time a mirror image was taken of a hard drive and of course as they are only authorised to take copies of the files relating to the client in question, by taking others HMRC would be in very deep you know what.   All sorts of questions about Data Protection, breaches of the HRA, invasion of privacy, unlawful investigative techniques, and if there was a single court file on there - breaches of legal privalege (which courts are very sensitive about) would be raised.  The possibilities for causing HMRC serious grief would be endless.

 

 

Thanks (0)
avatar
By drintoul
25th Aug 2010 15:33

Distribution of Data

There are a few points to be made.

Firstly client data can be in a number of places - e-mail, accounts systems, tax systems, document management, file shares, Payroll. How would you realistically have workable procedures in place to secure individual client records in each of these systems, especially if you are talking about thousands of clients, and are using SQL server to handle some of the data.

Secondly what comeback does the firm have if assets are seized and the business subsequently suffers especially if HMRC find nothing. Commonly systems are now virtualised, so it is impossible to remove just the physical accounts server, as it co-exists with all the other systems. There would be a huge impact on any firm if their systems were down for even a few days, with client service compromised. Suppose you just need to treat it like a business continuity event.

Thanks (0)
avatar
By mikewhit
26th Aug 2010 12:54

Canary

You could always put on your system a "fabricated" document file with some HMRC-infringing material (possibly referring to client Mr. I M A Fake) on it but which was completely unconnected to any of the real clients.

Then if they started to kick up a fuss on the file as a result of their fishing you could hold up the copy of the document in your canary-yellow folder and ask them what they were doing going off-limits.

Just a thought - it's the kind of thing the OS does to spot copies of its maps, they insert some fake feature.

Thanks (0)