HMRC/GDPR?

Are they using this as a get out clause?

A client has just forwarded me a (genuine) email chain from HMRC.

Is this them trying to break GDPR by getting my client’s permission? I didn’t think that was allowed - come 25 May are HMRC breaking the law, or can I do this as well?

The thread began:

Thank you for your time on the phone today. I have been instructed to ensure that we have on record confirmation from yourself that you are content for us to use email. I would therefore be grateful if you could take note of the following and respond accordingly. HMRC takes the security of personal information very seriously. The main risks of using email that concern HMRC are as follows.

Confidentiality/privacy - there is a risk that email sent over the internet may be intercepted.

Confirming your identity - it is crucial that we only communicate with established business contacts at their correct email addresses.

There is no guarantee that an email received over an insecure network, like the internet, has not been altered during transit.

On the understanding that you would wish me to respond to you by email, we are required to obtain confirmation that you have a clear understanding and acceptance of the risks associated with email and that you are content for us to send information concerning your business details. If you would prefer us not to respond to your enquiry by email, for example because other people may have access to your email account, we are happy to send the information by post.

Confirmation that you acknowledge the foregoing would be appreciated. This confirmation will be held on file and will apply to all future email correspondence until we are notified otherwise.

For more information, see HMRC's privacy policy (web).

Replies (6)

By Mark Lee
22nd Mar 2018 11:02

Not sure why you think this would be breaking GDPR

It strikes me as eminently sensible. Contrary to what some 'experts' may say, GDPR does NOT preclude the use of unencrypted email.

However, pending clarification from the ICO, it is currently considered best practice to ensure you have clients' permission to send personal data by unencrypted email after 25 May 2018.

So, absolutely, HMRC are doing the right thing with that message.

By the way, if you'd like a copy of my list of the docs you might need to create to ensure you are GDPR compliant, it's freely available here: http://bookmarklee.co.uk/gdpr-documents-list/

Thanks (1)
By ireallyshouldknowthisbut
22nd Mar 2018 11:11

GDPR isn't in yet
That is a standard email disclaimer they have been using for some time.

Thanks (1)
Replying to ireallyshouldknowthisbut:
By atleastisoundknowledgable...
22nd Mar 2018 11:32

Didn’t know that. I have GDPR in my head so much I just made 2&2=5.

Thanks (0)
Replying to ireallyshouldknowthisbut:
By Chris.Mann
22nd Mar 2018 11:38

In my experience, many organisations are pre-empting the introduction of GDPR and seeking advance permission of how their contacts prefer to be contacted.
I'm not, however, suggesting that HMRC are that forward thinking!

Thanks (0)
By Marion Hayes
22nd Mar 2018 13:57

I had to do this before the RTI dispute resolution team could send me their spreadsheets for comparison.

Thanks (0)
By Counting numbers
26th Mar 2018 17:06

Thank you for the link, Mark. It looks like HMRC are doing the right thing here by making it clear to the client that they are consenting to emails from HMRC. I presume there is an 'unsubscribe link' on their emails so clients can ‘opt out’ after the fact.

Thanks (1)