First, and you may be surprised about this, we have some praise for HMRC. There is no doubt that they got their act together remarkably quickly when the pandemic struck, setting up the furlough scheme within only four weeks and then a month later getting the SEISS up and running, helping, literally, millions of small businesses, including some of our clients, to survive. This was, by any standard, an impressive technological achievement, involving the efficient processing of an enormous amount of data.
Intriguingly, the Head of HMRC, Jim Harra, reckons that his organisation could have done even better, more quickly, if they had been able to access these data via Making Tax Digital (MTD). Quoted in the FT, he says, “Making Tax Digital for self-assessment means that businesses will be providing us with data about their business income much more frequently than they have been in the past, much more in real time. And yes, if we had that data, we could have helped more people.”
That’s quite possibly true, but Mr Harra also acknowledges that HMRC has a problem convincing people that MTD will not cause lots of businesses grief and additional costs, and will not be used as a snooping tool to catch out people who believe they are actually operating within the rules. But of more immediate concern, in our view, is the fact that HMRC’s own annual report admits, “We do not operate our security processes and controls or manage our infrastructure and vulnerabilities effectively enough to protect HMRC, our customers, people and assets from harm or misuse.” This open admission that all is not well is further reinforced by the discovery that HMRC has admitted that its data protection compliance is a ‘red’ coded risk – the highest level of risk they have.
The Daily Telegraph’s business pages quote David Davis, the former Cabinet minister, as saying, “The fact that HMRC itself recognises the serious risk to public data means their priorities should not be about digitising systems so much as about making them more secure. Frankly, given my observation of HMRC’s previous investments in digitisation, I would want to see someone other than them audit their security before we start enlarging the extent to which they have got data effectively accessible online.”
We agree. Although Mr Harra told the Financial Times, “We have an extremely low appetite for any risk in relation to our customer data. It’s just something we’re constantly vigilant about,” the fact is that HMRC is dealing with extremely important and confidential data. MTD has been pushed back to 2023, but before it is fully introduced, HMRC’s ‘customers’ will want more than just an assurance that their data is safe with them.
Vivian Linstrom, M&S Accountancy & Taxation