Schedule 23 bulk data-gathering powers: policing the gig economy

The evolution of the so-called ‘gig’ and ‘sharing’ economies is changing the traditional model of the economy but also risks undermining the UK tax system. Workers in this new economy range from freelancers to online traders. They have varied structures for engagement, but large numbers are self-employed and many are part time. The 2017 NatCen report for HMRC, The hidden economy in Great Britain, estimated that 11% of the working age population in Britain participate in the sharing economy. The traditional model of employers collecting tax through PAYE is ineffective for such workers; instead, HMRC must increasingly rely on self-assessment. However, reports, such as the Institute for Fiscal Studies’ Briefing note BN218, suggest that as much as £8bn in revenue is being lost each year due to inaccurate self-assessment returns. This raises a difficult issue for HMRC. How does it establish who is working in the gig economy and whether those workers are paying the right amount of tax?

One of HMRC’s answers to this lies in the bulk data-gathering powers contained in FA 2011 Sch 23. Schedule 23 can be seen as part of wider picture of HMRC relying on ‘big business’ to plug the information and tax gap, and as part of a deliberate policy of shifting the risk of non-compliance on to bigger businesses within a supply chain. We have seen similar moves with the corporate criminal offence of failure to prevent tax evasion, the proposed IR35 changes for 2020 and the VAT split payment proposals.

Overview of Schedule 23

Schedule 23 expands upon HMRC’s existing FA 2008 Sch 36 information powers. HMRC’s aim is to gather information on particular groups of people for use in risk analysis. It also views the rules as a deterrent to non-compliance, as would-be tax evaders may be discouraged from concealing their income if they know that information about their activities is likely to end up in HMRC’s hands.

Schedule 23 enables HMRC to issue a ‘data-holder notice’ to a ‘relevant data-holder’ requiring the relevant data-holder to provide ‘relevant data’ to HMRC. Relevant data-holders are identified by reference to defined categories of activities specified in Sch 23. These include, for example, merchant acquirers; providers of electronic stored-value payment services; money service businesses, dealing in securities; insurance activities; investment plans; business intermediaries and charities. The list is eclectic, but all entries have one thing in common: holding information on third parties.

The ‘relevant data’ for each relevant data-holder is specified in the Data-gathering Powers (Relevant Data) Regulations, SI 2012/847 (the ‘regulations’). So, for example, where someone ‘effects or is a party to securities transactions wholly or partly on behalf of others (whether as agent or principal)’ they would be a ‘relevant data-holder’ within Sch 23 para 19. If so, HMRC could, under reg 17, require the data-holder within para 19 to supply to HMRC ‘information and documents relating to securities transactions in respect of which that person is a relevant data-holder’. However, if the data-holder carries on a business of effecting public issues or placings then it must provide ‘information relating to the issue, allotment or placing’. As always with Sch 23, definitions are crucial.

Information can only be requested where an officer has reason to believe that the data could ‘have a bearing on chargeable or other periods’ ending within a window of four years going back from the date the notice is issued.

Penalties can be imposed for failure to comply with a data-holder notice, including daily penalties for continued non-compliance and penalties for providing inaccurate data. The recipient of a data-holder notice can appeal to the First-tier Tribunal (FTT) on the grounds that:

• the notice is unduly onerous to comply with;
• the data requested is not relevant; or
• the recipient is not a relevant data-holder (Sch 23 para 28(1)).

HMRC’s data-gathering powers go much further than the ‘identity unknown’ third party notices available under Sch 36 para 5. An identity unknown notice can require a third party to provide information about a person or class of persons unknown to HMRC but such notices require pre-approval by the FTT. Furthermore, the FTT can only give its approval if:

• there are reasonable grounds for believing that the persons in question have acted unlawfully in relation to tax, leading to serious prejudice in the collection of tax; and
• the information is not readily available from another source (Sch 36 para 5(4)).

Schedule 23 is also a form of third party notice, but there is no need for prior FTT approval, and the officer merely needs to be satisfied the information ‘has a bearing’ on chargeable periods; not a very high threshold. For checking large populations of unknown taxpayers, Sch 23 is therefore of much more use to HMRC than Sch 36.

A weakness of Sch 23 is that it applies to defined categories. HMRC has therefore been tinkering with Sch 23 as it spots other areas of interest. These include adding money services businesses in 2017 and the recent changes to add postal operators as a category of data-holder in readiness for the operation of the new registration regime after Brexit.

How has HMRC been using these powers in practice?

While Sch 23 has been in place for a number of years, HMRC has been increasingly ready to make use of these powers across all business sectors, in particular to police the gig economy. HMRC’s approach is to pull in data and compare that to tax returns to identify risk areas for underpayment. Businesses ranging from online platforms to engagers of off-payroll personal service companies have been on the receiving end. Wherever there are populations of taxpayers for whom HMRC finds it difficult to gather tax specific information, HMRC will look to apply Sch 23, and to do so for the full four years.

HMRC cannot exercise its data-gathering powers in place of the Sch 36 powers as a means for checking the data-holder’s own tax position (para 2(3)). However, once the information is in HMRC’s hands, its usage of that data is not restricted. A potential use of Sch 23 is that the data obtained can give HMRC a useful insight into how effective a corporate data-holder has been in preventing tax evasion. If it transpires that a large proportion of a data-holder’s customers have been evading tax, HMRC may question the data-holder’s position in respect of the corporate criminal offence of failure to prevent the facilitation of tax evasion under the Criminal Finances Act 2017 Part 3. Readers will no doubt have reasonable prevention procedures in place, but there may be other data-holders who do not. HMRC cannot set out with the initial intention to use Sch 23 to find out who those data-holders are, but it is an obvious avenue for HMRC to explore once the data is in.

Issues for the recipient

Most large corporates are good corporate citizens and are keen to be seen as such by HMRC. Their instinctive reaction may be to give HMRC whatever it asks for. However, businesses should tread carefully, as they owe obligations not just to HMRC but also to anyone whose data they hold, normally their customers.

Customer data will almost certainly comprise ‘personal data’ which must be processed lawfully, fairly and transparently, in accordance with article 6 of the General Data Protection Regulation (GDPR) which came into force last year. This would generally prohibit disclosure to third parties without specific consent. The consequences for failure to comply with the GDPR can be severe in terms of both reputational damage and potentially significant financial penalties. The Data Protection Act 2018 Sch 2 para 5 provides an exemption ‘where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal’.

Businesses could ask for customer consent but that may be unrealistic, and such consent may not be forthcoming in any event. Businesses would typically therefore rely on the fact that they are under a legal obligation to supply the information to HMRC as a result of the data-holder notice. However, a data-holder notice that does not comply with Sch 23 (for instance, because the recipient is not a relevant data-holder or the data requested is not relevant data as defined for that category), does not enable the recipient to benefit from this exemption.

Businesses will also be mindful of their commercial relationship with those whose data they hold. Customers place a large amount of trust in businesses when they hand over their personal data. They are entitled to expect that their personal data will not be divulged if it need not have been: the damage to reputation as a result of improper disclosure can be significant. There may, therefore, be some element of needing to contain and manage the timing of any disclosure, so that the business can put in place some communications with the customer base.

If a data-holder notice was pre-approved by the FTT, the GDPR risk associated with the notice is likely to be limited (although even these notices should be reviewed carefully). Where the notice has not been pre-approved, however, the recipient of the notice should carefully consider its validity. In particular, he or she should ask whether the data is relevant. Has it been requested on the right basis and under the right category? Does the recipient meet the statutory definition of a relevant data-holder in relation to the activity in question?

When issuing data-holder notices, HMRC, in our experience, often succumbs to the temptation to err on the side of seeking data beyond that permitted by the legislation. Further, HMRC can make mistakes about the category of relevant data-holder which applies. In the only reported case on Sch 23 (Wilsons Solicitors LLP v HMRC [2018] UKFTT 627 (TC)), the alleged data-holder successfully argued that it was not a relevant data-holder because it did not ‘maintain a register’ for the purposes of Sch 23 para 17. That HMRC saw fit to serve the notice at all on these facts perhaps indicates its enthusiasm for stretching Sch 23 powers beyond their limitations.

There are two other areas to consider. The first is whether the recipient (as opposed to another group company, for example) holds the data at all (for documents, Sch 23 imports the ‘possession or power’ test). The second involves the practicalities of collating the requested information. The recipient may challenge the notice if it is ‘unduly onerous’ to comply. However, inconvenience is not enough, particularly for large businesses, and there will need to be some evidence to persuade HMRC or, eventually, the FTT.

Arguing with HMRC over the scope of the data-holder notice may seem an unattractive proposition. Tax directors are usually keen to build a cooperative relationship with HMRC where possible. However, for many recipients, this request is likely to be repeated in the future as HMRC seeks to track the changing third party population, and so any disruption, cost or damage to customer relations is likely to reoccur. Further, faced with GDPR and reputational risks, there may be no choice but to challenge the scope of the Sch 23 notice.

HMRC recognises the difficulties faced by recipients. HMRC will negotiate on Sch 23 notices either because there are only limited categories of evidence it really wants or because the business produces evidence of how difficult it will be to collate the information. HMRC may also need educating as to what data the business actually holds. A sensible two-way discussion is therefore to be encouraged. However, if, for whatever reason, HMRC digs its heels in, the only solution may be to seek a decision from the FTT.