Guidance

Corresponding with HMRC electronically — CC/FS83

Updated 23 June 2026

We take the security of personal information very seriously. It’s very important you understand the risks of corresponding electronically before you use it for personal or sensitive data.

We may offer you different methods to correspond electronically with us. The methods we can offer will depend on the circumstances and what information and documents we need you to share.

The main methods we’ll offer are email and Dropbox. We won’t email you or use Dropbox unless you agree and tell us you understand and accept the risks first.

You can use the information in this factsheet to help you decide whether you want to correspond with us by email or Dropbox.

Email

Email is useful for corresponding with us but it’s not secure. The main risks that concern us are:

• confidential information shared through an insecure network could be intercepted and altered
• email addresses could be shared by others or changed, leading to unauthorised people getting access
• email attachments or links could contain a virus or malicious code.

To reduce the risks, we:

• hide some sensitive information – for example, by only quoting part of any unique reference numbers
• only communicate with established contacts at their correct email addresses
• sometimes use encryption
• carry out regular assurance to make sure all precautions are being followed.

Dropbox

We may sometimes invite you to use Dropbox to send large amounts of information.

Dropbox is more secure than email but still has risks. The main risks that concern us are:

• unauthorised access to data held in Dropbox
• scammers posing as HMRC to get customers to upload data to them.

To reduce the risks, we:

• restrict access to named licence holders only
• hold data in secure storage – it’s only held in Dropbox for 24 hours
• send you a link to upload your files from an official HMRC email address
• only allow you 48 hours to use the Dropbox link we’ve sent
• send you an email confirming receipt and retrieval of your files.

If you want to use email, Dropbox or both

We need your agreement in writing. You can usually send this by post or email. You need to confirm you:

• understand and accept the risks of using email, Dropbox or both
• are content for financial information and attachments to be sent by email, Dropbox or both.

You may also want to consider:

• encrypting your emails or hiding certain details – for example, only providing the last 3 digits of a unique reference or account number
• checking your junk mail filters are not set to automatically reject or delete HMRC emails.

If you’re a business, we may need you to give us the names and email addresses of all people you would like us to use email or Dropbox with. For example, you, your staff, your representative.

If you have an authorised agent or tax adviser acting for you, they can give us confirmation on your behalf. You need to tell them you understand and accept the risks of using email or Dropbox with us.

How we use your agreement

We’ll hold your written confirmation on file and apply it to future correspondence. We’ll review it at regular intervals to make sure there are no changes. We’ll also ask you to confirm you still understand and accept the risks.

We’ll only email you about a tax matter if you have given us your agreement to do so. If you have any doubt an email has come from HMRC, do not click on any links, give any personal details, or reply to the email. You should forward the email to us at phishing@hmrc.gov.uk

For more information about HMRC’s privacy policy, go to GOV.UK and search ‘HMRC Privacy Notice’.

What if you change your mind

You can opt out of using email, Dropbox or both at any time by letting us know. We’re still happy to contact you in writing by post or, where appropriate, by telephone.