A client has just forwarded me a (genuine) email chain from HMRC.
Is this them trying to break GDPR by getting my client’s permission? I didn’t think that was allowed - come 25 May, are HMRC breaking the law, or can I do this as well?
The thread began:
"Thank you for your time on the phone today. I have been instructed to ensure that we have on record confirmation from yourself that you are content for us to use email. I would therefore be grateful if you could take note of the following and respond accordingly. HMRC takes the security of personal information very seriously. The main risks of using email that concern HMRC are as follows.
Confidentiality/privacy - there is a risk that email sent over the internet may be intercepted.
Confirming your identity - it is crucial that we only communicate with established business contacts at their correct email addresses.
There is no guarantee that an email received over an insecure network, like the internet, has not been altered during transit.
On the understanding that you would wish me to respond to you by email, we are required to obtain confirmation that you have a clear understanding and acceptance of the risks associated with email and that you are content for us to send information concerning your business details. If you would prefer us not to respond to your enquiry by email, for example because other people may have access to your email account, we are happy to send the information by post.
Confirmation that you acknowledge the foregoing would be appreciated. This confirmation will be held on file and will apply to all future email correspondence until we are notified otherwise.
For more information, see HMRC's privacy policy (web)."
Replies (6)
Not sure why you think this would be breaking GDPR.
It strikes me as eminently sensible. Contrary to what some 'experts' may say, GDPR does NOT preclude the use of unencrypted email.
However, pending clarification from the ICO, it is currently considered best practice to ensure you have clients' permission to send personal data by unencrypted email after 25 May 2018.
So, absolutely, HMRC are doing the right thing with that message.
By the way, if you'd like a copy of my list of the docs you might need to create to ensure you are GDPR compliant, it's freely available here: http://bookmarklee.co.uk/gdpr-documents-list/
In my experience, many organisations are pre-empting the introduction of GDPR and seeking advance permission of how their contacts prefer to be contacted.
I'm not, however, suggesting that HMRC are that forward thinking!
I had to do this before the RTI dispute resolution team could send me their spreadsheets for comparison
Thank you for the link, Mark. It looks like HMRC are doing the right thing here by making it clear to the client that they are consenting to emails from HMRC. I presume there is an 'unsubscribe link' on their emails so clients can ‘opt out’ after the fact.