With data protection laws getting tougher, accountants need to find new ways of communicating securely with clients
According to the recent IT in Accountancy Practices survey carried out by the ICAEW, 75% of firms are still not encrypting financial statements, tax returns or other financial information when they communicate with their clients by email. That fact was the jumping-off point for a recent IT Faculty webinar, which aimed to dispel confusion regarding the current legal framework for client confidentiality in electronic communication.
Data protection law is tough – and set to become tougher in the next two years. The Information Commissioner’s Office (ICO) has already said that sensitive personal data should not be transmitted by email across the internet unless encrypted to current standards – so it is essential to adopt more secure processes. “Protection cannot be left to chance and it is no longer enough to do only the bare minimum necessary to comply with the law: proper safeguards have to be built in from the first principles, not bolted on inadequately as an afterthought,” ICO states in its recommendations.
Accountants handle sensitive personal information for their clients on a daily basis and are legally obliged to protect their clients’ data in accordance with the Data Protection Act.
While financial information falls outside the official definition of ‘sensitive personal data’, it is important for accountants to bear in mind what their clients would regard as sensitive. If a draft tax return falls into the wrong hands, this would undoubtedly cause distress to the client, so the ICO features this ‘top tip’ on its website:
‘Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen’.
New EU rules are likely to be introduced in 2016 and although it is not yet known whether these will be in the form of a regulation or a directive or both, the prognosis is for tougher sanctions with fines of up to 5% of turnover. Likely changes are set to include:
- Broader definition of personal data
- Explicit consent
- Right to be forgotten
- Notification of breaches
- Tougher sanctions – possibly up to 5% of global turnover
This could have a significant impact on firms that do not abide by the rules. So what should accountants be doing to ensure that their electronic communication is secure?
They should be using the cloud solution offered by X509. This means that there are no changes to existing work practices. Employees send email in the normal fashion and the emails can be automatically scanned to see if they include content that should be encrypted. It is simply the easiest way to become compliant.
Charges are modest. Pricing for practices with up to:
- 8 email addresses: £399 per year
- 15 email addresses: £599 per year
- 35 email addresses: £899 per year
- 50 email addresses: £1599 per year
For companies with more than this, please contact us as you may prefer to have your own email encryption gateway deployed within your own IT infrastructure.
Serious about security
In short, then, the streamlining and securing of client communication cannot be left to chance. The Data Protection Act states that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” While the law doesn’t say emailing is illegal, if something goes wrong and the latest advice from the ICO has not been complied with, the accountant is more likely to be found to be at fault.
Use of a portal demonstrates that security is being taken seriously and ensures a secure end-to-end automated document delivery process that enables the legally admissible digital sign-off of documents.