5 minute read
TOP TIPS for dealing with HMRC furlough enquiries DON’T PANIC! LATEST GUIDANCE ON DATA SCRAPING FOR ONLINE
In late August, 12 data protection authorities based around the world (the DPAs) – including the UK’s Information Commissioner’s Office – issued a joint statement that advises social media companies and website operators to implement “multi-layered and procedural controls” to prevent unlawful data scraping and to encourage compliance with applicable laws on protecting personal data.
The Coronavirus Job Retention Scheme (CJRS), commonly referred to as ‘furlough’ was introduced by the UK Government in March 2020. While relatively unheard of prior to the pandemic we have, since March 2020, been consistently hearing or using this word.
• increasing user awareness and understanding of the privacy settings they can activate when visiting/using their websites the furlough scheme to help retain their employees during the pandemic may receive queries from HMRC. These could even be in cases where only legitimate furlough claims had been made.
In this article Sheetul Sowdagar from Russell-Cooke gives some top tips to wrap your head around furlough fraud and dealing with enquiries.
“Data scraping” generally involves the automated extraction and re-use of data from the web – often relating to personal information that is “publicly available” on social media websites or other online sources. Organisations may use computer programmes such as “spiders” or “bots” for such purposes.
You may or may not know that the Oxford English Dictionary defines furlough as “to give somebody permission to leave their duties for a period of time”.
However, data scraping can be used for illegitimate means – from cases reported to the DPAs over recent years, they have identified a number of data privacy concerns arising from use of data scraping technologies (particularly those that have the capacity to collect vast amounts of personal data).
In the press, we have seen increasing mention of ‘furlough fraud.’ It has recently been estimated that the UK Government is likely to write off £4.3 billion pounds in furlough fraud.
More broadly, data scraping techniques (like other technologies) are dynamic and evolving - businesses must therefore remain vigilant to new opportunities where unlawful data scraping can compromise the privacy rights of individual users. While these measures seek to prevent unlawful data scraping, it will likely have implications on businesses that use scraping for legitimate, commercial purposes. For example, a business that carries out research & analysis may use scraped data to identify trends/behaviours among individual users.
These include exploiting scraped personal information for targeted cyberattacks, identity fraud, profiling and surveillance, unauthorised political or intelligence gathering and unwanted direct marketing or spam. In such cases, the individuals concerned were unaware that their data was scraped from their accounts/profiles on social media (or other) websites, which can undermine their trust in the organisations that run these sites.
What is furlough fraud?
show your intention of being cooperative, but will also help address any issues, without the need for escalation.
For further details, go to https://ico.org.uk/media/about-the-ico/ documents/4026232/joint-statement-data-scraping-202308.pdf to access the joint statement.
Tip 3: Make sure you review your records and keep copies.
Data scraping: other legal implications for data scrapers
Help – I’ve had a query from HMRC
Below are some practical tips to help you respond to any queries received.
Any business which hosts data online is at risk of third parties scraping their data.
Examples of furlough fraud could include:
Tip 1: Do not panic!
Recommendations from the DPAs for website operators at risk of scraping
• Furloughed staff being asked to continue to work;
To tackle unlawful scraping, the data protection authorities have recommended that website operators apply a “combination” of technical and procedural controls that is “proportionate to the sensitivity of the information” that they hold. For example, businesses who host data at risk of scraping may want to consider:
• Claiming furlough pay for staff who did not qualify for the scheme;
• Claiming furlough pay for ‘made up’ staff;
• Over-claiming furlough pay;
Understand that HMRC may be following up leads or simply asking questions to ensure that all claims made were done so properly.
This will allow you to refresh your memory and more importantly have all your documents ready to disclose to HMRC if needed.
Data scraping can be carried out for legitimate purposes, but use of scraping does present a number of risks. Aside from privacy concerns, data scraping may have other legal implications for businesses that use these practices –for example:
• where the scraping involves the extraction and re-publishing of a substantial part of someone else’s material (e.g. text, drawings, logos, songs etc.) then that could constitute infringement of copyright. Similar considerations will apply even where businesses “link” or “frame” information set out on another website
Tip 4: Be transparent.
In the event you realise that a mistake has been made, or any overpayments have occurred, make sure you promptly inform HMRC.
• the scraped data may have come from an original source that contains copyright-infringing content
Tip 2: Do not bury your head in the sand.
• setting up a team or specific roles within their organisations to protect against, monitor for, and respond to scraping activities
• identify data scraping activity (e.g. bots), such as by using CAPTCHAS, and blocking the IP address where such activity is detected. A CAPTCHA is a Completely Automated Public Turing test that tells computers apart from humans – a common example is where a user is required to look at a set of pictures and identify the ones which contain a specific object
• Not passing the full amount of furlough pay to the furloughed employees;
• Deliberately providing false information to receive furlough pay from HMRC.
• limiting access per hour or day by one account or other account profiles, or from where unusual activity is otherwise detected
While it is understood that only a very small minority intended to defraud HMRC, it is known that HMRC have started ramping up their investigations and actively following up on tip-offs received. Many business owners in the UK who had accessed
While it is easy to get distracted in keeping the business running, it is important to understand that this is not going to go away. If you cannot find time yourself to engage with HMRC, then make sure you instruct an adviser who can do so on your behalf.
• making use of legal actions such as having terms and conditions that require consent before data can be scraped, or “cease and desist” letters to enforce deletion of scraped information (and confirmation of the same)
• where the scraped data involves a compilation of information that is arranged in a systematic or methodical way, this may constitutes a “database”, whereby the original database maker has a claim against the business carrying out such data scraping. This is known as the “sui generis database right” which is exists independently of copyright
Tip 5: Keep records for a minimum of six years. Even if you were successful in addressing any queries and the matter was subsequently resolved, do keep your records for a minimum of six years to assist you with any potential future queries.
As highlighted above, website operators may contain strict and enforceable terms of use which prohibit unauthorised data scraping from their websites. In summary, there are various legal requirements and restrictions which businesses must bear in mind in the context of data scraping.
We can help
Get in touch
It is often too easy to say that we ‘will deal with this later’ and soon enough a month or more has gone by. It is always better to be proactive and start engaging with HMRC as soon as possible. This will not only
4806
If you have any questions in relation to this article, or are seeking legal advice on a data scraping matter, please contact Imanpreet Suthar on imanpreet.suthar@russell-cooke.co.uk
It goes without saying that if any actions are being taken against you by HMRC, please seek independent legal advice urgently. Contact our senior associate Sheetul Sowdagar in our professional regulation team, for help.
