Watch the small print

25 January 2017

Andrew Hubbard 

We have discussed HMRC’s digital strategy many times, and with HMRC’s summary of responses to the consultations I am sure that we will return to it more than once in the coming months. I want today to pick up on one of the major concerns: security.

In any form of communication there is a trade-off between ease of access and security. Only recently I was reading of cases where fraudsters had managed to infiltrate email between clients and their solicitors and had run off with money which the clients thought they were sending to the lawyer as a deposit on a house purchase. This is not just an electronic problem of course – stories emerge from time to time of postmen stealing from the mail – but the sheer speed and volume of electronic communication create so many more opportunities for fraud.

In a world where virtually all interaction between the taxpayer and HMRC will be in cyberspace, data security will be paramount. Although HMRC will require taxpayers to use electronic forms of communication, it has been quite explicit in saying that it will not be providing the software tools to enable taxpayers to do this and it will be for commercial suppliers to produce the necessary products. Furthermore, HMRC has made it quite clear that data security will be entirely the responsibility of those third-party providers.

At the moment HMRC publishes a list of software which can carry out basic record keeping tasks (nobody has yet produced software which is fully compliant with Making Tax Digital – something you might think alarming given that the system is meant to be up and running next year). This was updated recently. The list is quite extensive but what interested me was the disclaimer at the end:

‘Support and security for commercial software

HMRC has not carried out any testing of the listed applications and do not carry out any form of security testing of developer products or services. Customers are encouraged to ask their suppliers for information about the security aspects of the products and services they provide.’

For the moment you could argue that this is a reasonable position for HMRC to take, because there is no legal requirement for anybody to use software products: the use of a pencil and paper is not yet illegal! But when digital communication becomes compulsory the position is very different. HMRC should not be allowed simply to sit back and throw the problem at suppliers: at the very least it should be prepared to evaluate the security of software and endorse products as being sufficiently robust for use by taxpayers. Individuals should not be left to fend for themselves.

In its recent report on Making Tax Digital the Treasury Committee said:

‘HMRC will need to provide adequate assurance about the security of customer’s data held by software providers’.

I couldn’t agree more.

If you would like to discuss any of the points raised above, please contact Andrew Hubbard or your usual RSM contact.
