Don’t leave protection to chance

With data protection laws getting tougher, accountants need to find new ways of communicating securely with clients

According to the recent IT in Accountancy Practices survey carried out by the ICAEW, 75% of firms are still not encrypting financial statements, tax returns or other financial information when they communicate with their clients by email. That fact was the jumping-off point for a recent IT Faculty webinar, which aimed to dispel confusion regarding the current legal framework for client confidentiality in electronic communication.

Data protection law is tough – and set to become tougher in the next two years. The Information Commissioner’s Office (ICO) has already said that sensitive personal data should not be transmitted by email across the internet unless encrypted to current standards – so it is essential to adopt more secure processes. “Protection cannot be left to chance and it is no longer enough to do only the bare minimum necessary to comply with the law: proper safeguards have to be built in from the first principles, not bolted on inadequately as an afterthought,” the ICO states in its recommendations.


Accountants handle sensitive personal information for their clients on a daily basis and are legally obliged to protect their clients’ data in accordance with the Data Protection Act.

While financial information falls outside the official definition of ‘sensitive personal data’, it is important for accountants to bear in mind what their clients would regard as sensitive. If a draft tax return falls into the wrong hands, this would undoubtedly cause distress to the client, so the ICO features this ‘top tip’ on its website:

‘Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen’.

New EU rules are likely to be introduced in 2014 and although it is not yet known whether these will be in the form of a regulation or a directive or both, the prognosis is for tougher sanctions with fines of up to 2% of turnover. Likely changes are set to include:

• Broader definition of personal data
• Explicit consent
• ‘Right to be forgotten’
• Notification of breaches
• Tougher sanctions – possibly up to 2% of global turnover

This could have a significant impact on firms that do not abide by the rules. So what should accountants be doing to ensure that their electronic communication is secure?


One option is to not use email at all. A secure portal for document exchange will encrypt every item of data being shared between client and practice to the highest levels – as used by governments and banks. The data and all files transmitted are encrypted in storage – in the cloud – making it all but impossible for hackers to penetrate.

Any file is securely uploaded to a hosted environment and an email notification is sent to the client advising them that there is a document for their attention. So the portal acts both as secure document storage and a mechanism for sharing, distribution and workflow between companies and individuals.
Users can approve and change the status of portal documents as well as responding to them. This rapidly becomes second nature, with digital/electronic signatures providing a seamless end-to-end sign off process.

Prime Accountants is a two-office accountancy firm based in the Midlands employing 60 staff. Laurence Moore, chairman, says: “It had been too easy for us to send emails to clients and attach documents without taking security measures. Now we have the portal in place, electronic document exchange is the default.”

The firm still gives clients the option to receive their documents by post, although only a small number do so. He added: “It’s all a matter of efficiency and improving services. The portal is part of our strategy to embrace technology and it is a strong differentiator. We are finding that clients are moving to us because we are promoters of cloud accounting and we support new aspects of technology that make it easier for us to do business with them. It’s important to be up to speed and one step ahead.”

“The electronic exchange of documents allows us to be consistent and to provide a standardised approach to client service.”


In short, then, the streamlining and securing of client communication cannot be left to chance. The Data Protection Act states that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” While the law doesn’t say e-mailing is illegal, if something goes wrong and the latest advice from the ICO has not been complied with, the accountant is more likely to be found to be at fault.

Use of a portal demonstrates that security is being taken seriously and ensures a secure end-to-end automated document delivery process that enables the legally admissible digital sign-off of documents.

This is an abridged version of a whitepaper by Lindenhouse Software
