TAXPAYERS submit voluminous information annually and upon request to the Inland Revenue Board (IRB). This is done through the filing of annual tax returns by taxpayers, employer returns (Forms E and EA), information provided at the point of deducting withholding taxes, information provided via transfer pricing documentation, and information requested during audits and investigations.
Over the years, the powers provided to the IRB to collect information and records have been gradually expanded such that they allow it practically full access to any locations where such books and documents are kept. The IRB can make copies and extracts of all or most of your information.
It is common during an audit or investigation for the IRB to download/make a copy of the information in your computers and cloud. Its powers are extensive. The issue on whether such actions have gone beyond the ambit of Sections 80 and 81 of the Income Tax Act has not been fully tested in the courts.
Obligation of the IRB to keep such information confidential
The IRB has an obligation under Section 138 to keep all information confidential. It cannot disclose such information to anyone except where it is needed in the courts for pursuing a prosecution of any offence committed in relation to any tax matters, or to the Auditor General for the exercise of his duties. The Director General can publicise information in respect of any person who has been found guilty or convicted of an offence under the Income Tax Act.
Any official who breaches or contravenes the secrecy provisions in the Income Tax Act will be charged in court, and, if found guilty, will be liable to a fine not exceeding four thousand ringgits, or to imprisonment for a term not exceeding one year, or to both.
Conflict between PDPA and Income Tax Act
Where there is a conflict or inconsistency between the Personal Data Protection Act (PDPA) and the Income Tax Act 1967, the PDPA prevails over the ITA provisions.
In the Genting Malaysia vs KPHDN case, the High Court ruled that the PDPA was applicable to the IRB since it was a body corporate merely providing service to the government for the collection of taxes and was not as an agency tasked with the prevention, investigation, or detection of criminal activities, and was not a federal or state government.
What happens in anti-money laundering cases?
Where cases are taken up under the Anti-Money Laundering, Anti-Terrorism Financing and Proceeds of Unlawful Activities Act (Amla) for failure to submit tax returns or give notice of chargeability, for making incorrect returns by omitting or understating income, or giving incorrect information in relation to determining the chargeability of tax, or any person who wilfully evades taxes or any other persons who assist the taxpayer evade taxes, information from the IRB can be shared with the other authorities who are working together on Amla cases.
Do we know how the IRB keeps our information secret?
There is no information on how the IRB meets the secrecy requirements. So far, we have not heard of any serious breach of the secrecy provisions or data leaks. The presumption therefore is the IRB has control over this area.
It is time for the IRB to give us assurance and be more transparent on how it is protecting our data and maintaining the secrecy from any encroachment by external hackers, and internally restricting the access of taxpayer’s data to only specified officials dealing with the cases.
Questions that need to be answered include: What kind of firewalls and protection measures the IRB has in place to protect the data from external attacks; equally important to taxpayers is what protocols are there to prevent data being visible to anyone working in the IRB, especially when IRB has more than 10,000 staff.
This is extremely important since if such information leaks out, it will breach not only personal confidential information, but it will also have serious negative consequences on businesses.
This article is contributed by Thannees Tax Consulting Services Sdn Bhd managing director SM Thanneermalai (www.thannees.com).