CH218400 - How to do a compliance check: records: reviewing records: powers to check computer systems
Most businesses now hold some or all of their records on a computer.
Modern programmable tills, stand alone PC's, networked systems, tablet computers and even some smart mobile phones, are all examples of computer systems that may hold data that you need to examine.
Legal powers
The power to obtain information or documents
Paper copies of electronic records and documents will usually be sufficient to enable you to carry out your compliance check. You can use our information and inspection powers in the normal way to obtain either the printed documents or copies of the electronic records, whatever format they are held in. Our information powers to do this, and penalties for non-compliance, are governed by specific information and inspection powers legislation for each tax regime. See CH23200+.
These powers are supported by FA08/S114 when information and documents are held electronically, and apply to all regimes administered by HMRC. S114 gives the definition of a document as ‘anything in which information of any description is recorded’ and a copy of a document is ‘anything onto which information recorded in the document has been copied, by whatever means and whether directly or indirectly’. For further guidance see CH23360.
FA08/S114 does not, in itself, give any powers to inspect, take extracts from, make copies of, or remove any document.
However, you may decide, during an authorised inspection, that a need exists to remove the computer containing the data in the same way as any other document. Removal will be governed by our information powers for a particular regime, whereas any subsequent access to the computer should only be by an “authorised person”, as defined in s114. In any event, removal of a computer should be reserved for the most serious cases only and you should seek the assistance of an appropriately trained specialist before removing any equipment. You must also be able to demonstrate that this action is both reasonably required and proportionate.
The computer should only be retained for the time that is strictly necessary for a computer specialist to make copies of the relevant material.
The power to check the operation of a computer system
If you need to check how a computer stores and processes information, for example, in order to address a risk, then only an ‘authorised person’ has the power to access computer equipment in order to check its operation. An ‘authorised person’ may also require the person who is entitled to operate the equipment, to provide them with any “reasonable assistance” they need. Any request for assistance should be proportionate to the scope of the planned audit and should not impose an undue burden on the customer or the person involved in the operation of the computer.
The customer may argue that the cost of providing reasonable assistance is in itself unreasonable. Some businesses choose to out-source their Information Technology requirements to an outside agency, which may be located outside of the UK, and pay the agency for this service. Other businesses may choose to retain this service in house. In either case, our rights to request information from the business remain the same.
If a business fails to comply with a request for reasonable assistance they are liable to a penalty of £300.
Authorised Persons
An authorised person under FA08/S114 is any person, not necessarily an HMRC officer, authorised by the Commissioners. This allows our power to be used by third party specialists employed by HMRC.
Within HMRC an authorised person will be someone who has received appropriate training in the examination of computer systems. Authorised persons in this context are:
- LB Auditors (This content has been withheld because of exemptions in the Freedom of Information Act 2000)
- Digital Forensic Group
- Systems and Data Compliance Team
- WMBC Audit Specialists (This content has been withheld because of exemptions in the Freedom of Information Act 2000)
Note that as new groups of authorised persons are identified the above list will be updated.
If you are not an ‘authorised person’ then you must seek the assistance of an authorised person and must not attempt to inspect the operation of, or gain access to, a computer system. However, if you think you may qualify as an ‘authorised person’ in this context, you must consult your line manager before taking any action.
S114 does not apply when dealing on a third party basis with computer manufacturers or software houses, for example when examining the operation of equipment or conducting software package reviews. Any assistance received from such persons will be on a voluntary basis.