Guidance

Terms of Collaboration between HM Revenue and Customs and software developers

Updated 26 March 2018

This version is no longer being updated, but is here to give background information for the new version, now known as the Terms of Use.

HMRC and the software developers do not intend any part of this document to create legal relations or to be construed as creating legal relations between HMRC and any software developer.

About this document

Making Tax Digital (MTD) will help give businesses a modern, streamlined system to keep their tax records and give information to HMRC. Millions of businesses already bank, pay their bills and interact online. Digital record keeping is the next step and is one that many businesses have already taken.

HMRC has been developing a close and collaborative joint working partnership with commercial software developers. By sharing its application programme interfaces (APIs), HMRC will enable developers to build digital tools that will interact directly with HMRC’s own systems and provide a joined-up customer experience.

HMRC does not plan to produce its own digital tools and will not endorse any such products produced by anyone else. But we will work closely with developers and give them the support they need to design and develop digital tools that will enable HMRC’s customers to comply quickly, easily and securely with their obligations to account for tax digitally. See more information about Making Tax Digital for Business.

This document (including annexes A, B and C) sets out what software developers can expect from HMRC and what HMRC expects from software developers. It applies to HMRC’s Making Tax Digital reforms as well as to wider initiatives where the API strategy is used.

In this document:

• ‘we’ means HMRC
• ‘you’ means software developers
• ‘software developers’ means commercial providers of digital tools
• ‘digital tool’ means any accounting software, app or similar product provided by a software developer to enable a customer to comply with their MTD obligations
• ‘customer’ means a business or individual who uses your digital tool to comply with their MTD obligations
• ‘end user’ means ultimate user of the software, whether an HMRC customer or an intermediary or agent acting on their behalf
• ‘digital record’ means the creation within the software or application of the date, amount and description of transaction
• ‘application programme interface’ (API) means a set of clearly defined methods of communication between various software components, HMRC shares its APIs with software developers to enable them to produce digital tools that integrate with HMRC systems
• ‘production credentials’ means two key pieces of information, the ‘client ID’, a unique identification method, and the ‘client secret’, a secret pass phrase by which an application is authorised
• ‘free software’ means basic versions of digital tools provided free by the software developer industry to the smallest businesses with the most straightforward affairs, as defined in Annex C

You accept the provisions of this document by registering on the HMRC Developer Hub.

To build digital tools you need to register on the HMRC Developer Hub to get access to our APIs. By registering on the Hub you accept the provisions contained in this document. You also accept that we may carry out background checks on your business.

You can register using the Developer Hub where there’s step-by-step guidance. Once you’ve registered on the Hub, if we make changes to these provisions, including any of the annexes, we’ll let you know.

What you can expect from us

We will:

• provide a robust test environment offering a range of scenarios to enable you to prove that your digital tools can successfully integrate with HMRC systems

• give you at least 6 months’ notice of major changes to API documentation on the Hub (any minor changes will be notified immediately but will always be backwards compatible, once our APIs become stable they should not change frequently, but APIs in beta status may change fairly rapidly)

• warn you in advance if an API is to be removed, giving the date of removal

If there’s any disagreement between you and us that cannot be resolved, we reserve the right to temporarily or permanently remove your access to our APIs. For more about this see Annex B (Issues Arising and Reaching Effective Solutions).

What we expect from you

The security of data and its proper management, handling, storage and processing is a top HMRC priority. HMRC takes the protection of its customers’ data very seriously and expects developers to do the same and to comply with data protection law.

To connect to, and use the APIs, you must protect your security assets, cloud security and internet security in line with industry standards and best practice.

To help you do this, you must read the following guidance as a minimum:

• the latest Information Commissioner’s Office guidance
• the National Cyber Security Centre principles
• Transport Layer Security 1.2 or above for encryption of data in transit
• the Government digital service standards as described in the guidance published by the Government Digital Service and the National Cyber Security Centre

We have a number of further security requirements and recommendations at Annex A.

You must also:

• protect your customers in line with:

  • the Data Protection Act 1998 and any relevant current or future regulations issued under that Act

  • the General Data Protection Regulation which takes effect from May 2018

  • the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) also known as the ‘PECR’ or ‘e-privacy directive’ that complements the Data Protection Act 1998

  • the Equality Act 2010

• register with the Information Commissioner’s Office if your software or digital tool processes personal data

• provide access to your customers’ data both to the customer and to HMRC, where a customer loses access to a digital tool (for example because they move to another provider, or your business or theirs closes) you should give them access to all their data, so they can retrieve it and promptly export it to meet their legal requirements to HMRC

• comply with advertising and marketing standards, you must make sure any advertising appearing in your digital tools follows:

  • the Advertising Standards Authority CAP Code

  • UK regulations on marketing

The digital tool should not contain advertising with ‘adult’, ‘dating’ or gaming themes.

• not share your customers’ data for marketing purposes without their express, valid, consent, as defined in the PECR Direct Marketing Guidance produced by the Information Commissioner’s Office

• make the terms of the licence agreement between yourself and your customer very clear

• provide software support to your customers

• meet our compliance requirements, this includes:

  • technical specifications and requirements relating to our compliance activity covering audit data formats, system identification, communications with taxpayers and the assessment of software performance will be set out in the Developer Hub

  • data retention, data and business records should be retained as specified by law

  • error prevention (designing-in compliance and pre-population), common errors and methods of helping customers get their tax affairs correct will be set out in the Developer Hub

• make sure your digital tools meet the Web Content Accessibility Guidelines (WCAG) 2. AA as a minimum or higher in line with the Equality Act 2010. You must make it clear whether your product meets WCAG 2. AA, to help customers make an informed choice on whether it meets their needs, where we publish lists of digital tools we will also make this clear, we may ask you to provide evidence to support your claim

The following annexes are also part of this document:

Annex A: Confidentiality of customer data and information including data hosting and storage

HMRC takes the confidentiality of customer data very seriously and expects that all third party developers will take the confidentiality of customer data equally seriously. HMRC and the software developers are responsible for ensuring they each meet their own obligations under data protection law.

1. You will need to ensure that HMRC customers have confirmed they have authorised your software or digital tool before they try to send information to HMRC using your software, and have authorised you to access their personal data from HMRC where applicable.

2. Your customers will have to provide separate consent to allow you to use their personal data for testing in the live pilot. Your customers must also acknowledge that during the live pilot period they will continue to submit returns to and correspond with HMRC if they have not successfully done so through your software as normal. We will log this confirmation as part of our standard audit data.

3. Where you are storing and processing customer data, you must ensure that all customers using your software understand that you will process their personal data and are responsible for protecting it. You must make clear to customers if you intend to store their personal data outside of the EEA and you must comply with the eighth data protection principle of the Data Protection Act 1998.

4. We recommend you have Cyber Essentials or Cyber Essentials Plus certification or demonstrate adherence to Cyber Essentials principles.

5. We recommend you read and consider using the Open Web Application Security Project (OWASP) design principles for security. OWASP is an open community dedicated to enabling organisations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools and documents are free and open to anyone interested in improving application security.

6. In line with industry best practice, we expect software to have been assessed for vulnerabilities through secure development practices and pre-release testing. Any open source or reused proprietary code should be checked utilising sources like the Common Vulnerabilities and Exposures (CVE) database, to ensure vulnerabilities are not written into the software.

7. In line with industry best practice, we expect software providers to monitor and react quickly to remedy vulnerabilities in their code and to have a patching policy in place to ensure that vulnerabilities are remediated in their customer base in a timely manner. When re-releases or upgrades are required they should also follow secure development practices and pre-release testing.

8. In line with industry best practice, we expect you to monitor for indications of suspicious attempts to gain access to or manipulate end-user accounts, and block them. This may include unusual devices being used, indications of client-side malware manipulating the session data, indications of unusual remote desktop access to the interacting machine, etc.

9. In the event of any customer data breach or any other issues concerning customer data, we would expect you to inform us immediately by emailing SDSTeam@hmrc.gov.uk.

Annex B: Issues arising and reaching effective solutions

1. In the event of any dispute between HMRC and you on any of the provisions of this document, the parties agree that they will work together in good faith to reach a solution acceptable to both parties. HMRC will act fairly, reasonably and proportionately in resolving all operational issues and any disputes. Furthermore HMRC will in every dispute situation where reasonably possible seek to resolve the dispute through collaboration and negotiation.

2. Should HMRC become aware, or your clients notify us, of an issue which affects HMRC or your clients and their ability to meet their MTD obligations, then HMRC will contact you to raise this issue and seek resolution. If the issue is within your control, we would expect you to resolve this immediately.

3. If you do not, or are unable to, resolve the issue immediately, both HMRC and you agree that the dispute shall be referred to the Managing Director or Accountable Officer of your organisation and a member of the HMRC Senior Civil Service.

4. If, following detailed discussions, no agreement is reached, HMRC may take further action as set out in paragraph 5.

5. Where you commit a serious breach of the provisions of this document which cannot be effectively resolved, HMRC will act to remove your access to HMRC’s API platform either on a temporary or permanent basis.

6. Should this happen, HMRC will notify all your end users, and allow them reasonable time to make alternative arrangements to submit their updates or end of period submissions. During this period these end users will not be subject to any penalties and interest for late submissions of their quarterly updates or end of period submissions.

7. The following is a non-exhaustive list of the type of situations where HMRC may remove your access to HMRC’s API platform:

   7a. Where you have used information supplied by your client for a purpose which is not necessary to fulfil your client’s MTD obligations and for which your client has not consented.

   7b. In the event HMRC has serious data or cybersecurity concerns relating to HMRC systems or to HMRC customer data, HMRC will act immediately to take all necessary and appropriate action to protect HMRC systems and HMRC customer data.

   7c. Where you repeatedly fail to maintain and support your solution to enable your clients to meet their MTD obligations.

   7d. Where HMRC is aware you’re in breach of your obligations relating to the payment of taxes or social security contributions, supported by a final UK court decision (or the equivalent for the country in which you’re based) or where HMRC can demonstrate by any appropriate means that you’re in breach of your obligations relating to the payment of taxes or social security contributions.

   7e. HMRC will not seek to remove your access to HMRC’s API platform in accordance with 7d if you have repaid everything you owe (plus any interest and fines) or have made arrangements with HMRC to pay any outstanding amount.

8. HMRC will maintain a software developer register on GOV.UK and we may remove your listing if you do not behave in accordance with the spirit of this document.

Annex C: Making Tax Digital for Businesses (MTDfB): Free software: HMRC’s minimum standards and eligibility (MTDfB only)

Minimum standards

Any free software product you provide to businesses must:

• enable customers to meet the income tax and NIC obligations of a business operating using the cash basis – there is no requirement for VAT, Corporation Tax or PAYE functionality

• include free digital record keeping, free quarterly updates and free end of period statement activity

• enable the provision of a dataset that correlates to the current SA103S (self-employment supplementary page) (short) (2016-17 version)

• enable the provision of a dataset that correlates to the current SA105 UK property pages (2016-17 version) where the number of properties does not exceed one

• provide help and support in line with your new or existing entry level product (for example, webchat, email support between 9am and 5pm)

• include relevant built-in prompts and nudges as provided by HMRC in the Developer Hub

• allow the end user to own and have access to all their records created using the software product (past and present) to enable them to retrieve data and promptly export it if necessary

• be free for the business to use to comply with their MTDfB obligations for a full annual accounting period on the understanding the business continues to meet the qualifying criteria below

Eligibility for free software will apply where the business meets all these conditions:

• they’re unincorporated (for example self-employed persons or landlords)
• they have a turnover, within the scope of MTDfB, below the VAT threshold
• they have no employees
• they use cash basis accounting

Other Considerations

HMRC would not require free software to link or integrate with an Agent product