Guidance

Corresponding with HMRC electronically — CC/FS83

Published 22 May 2024

Use the following information to decide whether you want to deal with HM Revenue and Customs (HMRC) electronically using email or Dropbox. We take the security of personal information very seriously. Email is useful for corresponding with us, but is not secure. Dropbox is useful for sending us information and is more secure, but still has risks. It’s very important that you understand the risks of each before you use them to correspond with us.

Before we can use email or Dropbox for your personal or sensitive data, you must read the risks detailed below and confirm in writing that you understand and accept them.

Email

The main risks associated with using email that concern HMRC are:

• confidentiality and privacy – there’s a risk that emails sent over the internet may be intercepted
• confirming your identity – it’s crucial that we only communicate with established contacts at their correct email addresses
• there’s no guarantee that an email received over an insecure network, like the internet, has not been altered during transit
• attachments could contain a virus or malicious code

To reduce the risks:

• we’ll desensitise information, for example by only quoting part of any unique reference numbers
• we can also use encryption, we can discuss how you may do the same but still give the information
  we need
• HMRC undertake regular assurance to make sure all precautions are being followed

Dropbox

The main risks associated with using Dropbox are:

• unauthorised access to data held in Dropbox
• scammers posing as HMRC to get customers to upload data to them

To reduce the risks:

• access to Dropbox is restricted to named licence holders
• Dropbox data is held in secure storage and is not held in Dropbox for more than 24 hours
• a link to upload your files will be sent to you via an HMRC email address
• time to upload your files to Dropbox via the link will be restricted to 48 hours
• once the files are received HMRC will confirm receipt and retrieval of the data by email

If you do not want to use email or Dropbox

You may prefer that we do not respond by email, for example because other people have access to your email account. If so, we’re happy to respond by another method. We’ll agree this with you either by telephone or in writing via post.

If you do want to use email and/or Dropbox

If you would like to use email or Dropbox as one of the ways HMRC will contact you, we’ll need you to confirm in writing by post or email:

• that you understand and accept the risks of using email and/or Dropbox
• that you’re content for financial information to be sent by email and/or Dropbox
• the attachments can be sent with email

If you’re the authorised agent or representative we’ll need you to confirm in writing by post or email that your client understands and accepts the risks.

Please also:

• send us the names and email addresses of all people you would like us to use email with — for example, yourself, your staff, your representative, your agent
• confirm you’ve made sure that your junk mail filters are not set to reject and/or automatically delete HMRC emails

How we use your agreement

Your confirmation will be held on file and will apply to future email or Dropbox correspondence. We’ll review the agreement at regular intervals to make sure there are no changes.

Opting out

You may opt out of using email and/or Dropbox at any time by letting us know.

More information

You can find more information on HMRC’s privacy policy. Go to www.gov.uk and search for ‘HMRC Privacy Notice’.