Professional ethics and data stewardship for accountants under MTD
The rollout of Making Tax Digital for Income Tax Self Assessment (MTD ITSA) brings technical change, but it also raises important ethical and professional responsibilities for accountants and bookkeepers. From April 2026 the staged requirement for quarterly digital updates begins for higher-earning sole traders and landlords, so firms must be confident not only in their software but in the way they handle client data and manage potential conflicts of interest.
Why ethics and data stewardship matter with MTD ITSA
MTD ITSA makes record-keeping and reporting more continuous and transparent. That improves the accuracy and timeliness of tax reporting, but it also increases the flow of sensitive client data through cloud systems, integration platforms and third-party apps. Good ethics and robust data stewardship protect clients and safeguard the professional reputation of the practice.
Key dates you must plan for
- April 2026: MTD ITSA applies to individuals and landlords with income over £50,000.
- April 2027: threshold reduces to income over £30,000.
- April 2028: threshold reduces to income over £20,000.
These staged dates give practices time to embed new processes. Use the timeline to triage clients by risk and complexity and to ensure ethical safeguards are in place before their first quarterly submission.
Foundations of professional ethics under MTD
Your professional duties do not change because filing is digital. The core principles — integrity, objectivity, professional competence and due care, confidentiality and professional behaviour — remain central. Practically this means:
- only accessing client information for authorised purposes;
- maintaining independence where required and declaring conflicts early;
- keeping records accurate and complete; and
- ensuring staff and subcontractors understand their obligations.
Client confidentiality and data protection (GDPR)
Confidentiality and data protection are intertwined. The GDPR and UK Data Protection Act impose legal duties; professional codes add ethical expectations. Under MTD ITSA you should:
- have a clear privacy notice that explains how client data is processed for MTD compliance;
- conduct lawful basis assessments — typically contract performance or legal obligation — and record them;
- limit access to client data on a need-to-know basis and use role-based permissions in software;
- use data minimisation: only keep the personal data necessary for tax reporting and statutory retention periods;
- secure client consent when integrating third-party apps that process personal data outside the practice’s direct control;
- maintain records of data sharing agreements and Data Processing Agreements (DPAs) with cloud providers and subcontractors.
Choosing and using MTD-compatible software with ethics in mind
Not all software is equal for confidentiality and stewardship. Look for products that offer:
- strong encryption in transit and at rest;
- granular user permissions and activity logs;
- UK or EU data hosting options if clients prefer data residency;
- a clear DPA and demonstrable compliance with ISO 27001 or similar standards;
- secure API authorisation such as OAuth — avoid sharing raw credentials between systems;
- audit trails for submissions to HMRC and for client authorisations.
Document your rationale for software choices. That helps if a client questions why a particular cloud solution was used or if you need to demonstrate due care to a regulator.
Managing third parties and integrations
MTD ITSA workflows often involve bank feeds, receipt-capture apps and payroll providers. Each integration is a potential privacy and conflict vector.
- Map data flows: know which data leaves your practice and where it goes.
- Use DPAs: have written agreements with suppliers setting out responsibilities and security measures.
- Limit live access: where possible use extract-only feeds rather than shared accounts with full access.
- Review vendors annually and after any security incident.
Conflict of interest: be pragmatic and transparent
Conflicts arise when a practitioner’s duties to one client conflict with duties to another, or when personal interests influence professional judgement. Under MTD these situations can become more acute because you may be asked to prepare or view contemporaneous business data more frequently.
- Screen new clients for potential conflicts before acceptance and keep records of checks.
- If a conflict exists, consider whether it can be managed — for example, by information barriers — or whether you must decline or withdraw.
- Disclose relevant conflicts to affected clients promptly and in writing.
- Use internal procedures to escalate and resolve conflicts, with clear decision records.
Agent authorisations and permissions
Many practices use agent services with HMRC to act on clients’ behalf. Ensure authorisations are current and limited to the services required. Regularly verify that HMRC agent permissions match the services you provide and remove access when a client relationship ends.
Practical data security measures
Technical measures protect confidentiality, while policies and culture sustain them:
- use multi-factor authentication for all practice accounts and insist clients do the same for their online portals;
- encrypt devices and enforce secure backups, stored separately from live systems;
- segregate client data on a logical basis so that one client’s records cannot be accidentally accessed by another;
- patch and update software promptly; run vulnerability scans and consider periodic penetration testing;
- limit administrative privileges and review them quarterly;
- implement clear bring-your-own-device (BYOD) policies if staff use personal devices.
Responding to data breaches and incidents
Despite precautions, breaches can occur. A clear incident response plan reduces harm and meets legal obligations:
- have a named incident lead and an incident response checklist;
- contain the breach, preserve evidence and assess what data was involved;
- notify the Information Commissioner’s Office (ICO) within 72 hours when required by law;
- inform affected clients promptly and provide clear steps they can take to protect themselves;
- record lessons learned and update procedures and training.
Record keeping, retention and disposal under MTD
MTD requires digital records of transactions that support quarterly updates. Ethically and legally you should:
- retain records for the statutory periods (typically six years for tax records) or longer where litigation risk exists;
- keep both the digital originals and a reliable backup strategy;
- ensure secure disposal of data when retention periods expire, using secure deletion tools and documented disposal logs;
- ensure that archived records remain accessible and readable for the required period — do not rely on obsolete software formats.
Client communications: transparency builds trust
Clients must understand how their data is used. Clear, plain-English communications reduce misunderstandings and strengthen the client relationship:
- explain why MTD means more frequent data processing and what that will look like in practice;
- set expectations on response times for queries arising from quarterly updates;
- provide short guides on how to upload receipts securely and which information to redact (e.g. unnecessary bank details);
- obtain written consent for data-sharing with third-party apps where needed and keep copies on file.
Training, supervision and professional development
Ethical practice depends on people as well as systems. Make training a continuous effort:
- deliver mandatory annual training on data protection, client confidentiality and conflict management for all staff;
- use scenario-based learning to illustrate common MTD challenges (e.g. handling client data on holiday or in transit);
- ensure supervisors regularly review junior staff work, especially early in the MTD reporting cycle;
- keep CPD records and align training to the firm’s risk profile.
Working with clients who prefer spreadsheets
Many clients still want to use spreadsheets. That is permitted under MTD if the spreadsheet forms part of a compliant digital record-keeping workflow and the data is submitted digitally through MTD-compatible software. From an ethics perspective you should:
- advise clients of the risks of manual spreadsheets (errors, weak access controls) and offer migration support;
- where you accept spreadsheets, insist on version control, access restrictions and a clear handover process;
- avoid sole reliance on spreadsheets for high-volume clients or those with complex transactions.
Practical checklist for firms ahead of each MTD cohort
- identify clients impacted by the April 2026 / 2027 / 2028 thresholds and prioritise engagement;
- review and update privacy notices and DPAs;
- audit software stack for encryption, permissions and DPA coverage;
- run vendor due diligence and update contracts where necessary;
- refresh incident response plan and hold a tabletop exercise;
- update client engagement letters to reflect quarterly update workflows and data handling procedures;
- establish conflict screening on client onboarding and at key milestones;
- train staff on new workflows, security and client communications.
When to involve external specialists
If you encounter high-risk situations — complex cross-border data flows, major cybersecurity incidents, or significant conflicts of interest — engage specialised counsel or forensic IT experts. That protects clients and helps you meet professional duties to report and remediate.
Record of decisions and auditability
Under MTD, the fluidity of data increases the importance of audit trails. Keep contemporaneous records of professional judgments, fee decisions, conflict resolutions and data-sharing consents. If a client query or regulator review arises, documented decisions demonstrate due care.
Final thoughts: make ethics operational
Ethics and data stewardship are not abstract checkboxes — they must be operational. Integrate them into your software choices, client letters and daily routines. Small, disciplined actions (regular permission reviews, simple client explanations, timely training) make a large difference in both compliance and client confidence.
Quick action plan
- By Q2 2026: confirm which clients fall into the first MTD cohort and send tailored guidance.
- By Q3 2026: complete vendor DPAs and run a live incident response exercise.
- Ongoing: review permissions and conflicts quarterly and update client records.
Making Tax Digital should make compliance easier for clients. As accountants, our role is to make that transition as safe and straightforward as possible — protecting confidentiality, managing conflicts, and keeping clear records so clients and regulators alike can have confidence in the work we do.