CH214100 - How to do a compliance check: records: copying electronic documents and records and removing computers

A document is defined in law as ‘anything in which information of any description is recorded’, see CH214000. This means that a computer recording business information is considered a document.

You may copy, make extracts from or remove inspected documents, see CH25320.

The following groups are authorised to access, inspect and check the operation of computers or Electronic Cash Registers (ECRs) and any associated apparatus or material which is, or has been, used in connection with business documents:

  • Data Led Compliance (DLC) Team
  • Systems and Data Compliance (S&DC)
  • FIS Digital Forensic Group
  • ECR accredited officers
  • LB Audit Specialists

These groups can interrogate electronic data and collaborate with caseworkers to review the electronic records of companies, non-incorporated businesses and employers.

You can ask these specialists to make copies of relevant information recorded on an inspected computer, server or other electronic media, where you can demonstrate that this is necessary and an efficient or practical way to proceed with your check. This can include information recorded on a till or copied from a till to a computer. Specialists can use whatever method of copying the data is appropriate in those circumstances. They may selectively copy specific files or tables, or take copies of entire drives or systems.

Wherever possible the data should be copied on the premises. Where copying cannot be done on the business premises you can remove the computer or till. This should only be done in exceptional circumstances.

If you believe that business records may be held on personal devices such as a laptop or tablet and you are unable to copy the records on the premises you must record why you have decided that removal is the only way to secure the records. Computers removed from premises must not be retained longer than is strictly necessary to copy the data required.

If businesses state that the computer or media contains non-business records, you should consider the circumstances and decide whether it would be efficient, sensible and proportionate to include these records when copying from the relevant media. You can then check to ensure that the records are genuinely personal records, and exclude them from your compliance check.

Once the computer and data have been secured either by copying the data or removing the computer/media, you must ensure that any personal data is handled in agreement with the General Data Protection Regulation (GDPR).

All data must be handled in agreement with HMRC data procedures.