Guidance

Protocols for using electronic data transfer

Published 30 October 2020

Using electronic data transfer

HMRC takes the security of personal information very seriously. To keep risks to a minimum, the preferred method of data transfer for HMRC is Dropbox.

There is a risk attached to all forms of electronic data transfer, and some risks remain with Dropbox, including:

  • unauthorised access to data held in Dropbox
  • scammers posing as HMRC to get customers to upload data to them

To minimise these risks, HMRC has processes in place that include:

  • access to Dropbox is restricted to named licence holders
  • data is held in secure storage. Data is not held in Dropbox for more than 24 hours
  • access to Dropbox will be sent to you via an HMRC e-mail address
  • time to access Dropbox via the link will be restricted to 48 hours
  • once the files are received HMRC will confirm receipt and retrieval of the data by e-mail
  • regular assurance to make sure that all precautions are being followed

If you are willing to send the requested information by Dropbox, we need you to confirm that you clearly understand and accept the risks involved.

The data will be stored temporarily on Dropbox’s servers in the European Union. This is in line with the General Data Protection Regulation (GDPR).

Sending your confirmation

If you want to use Dropbox, you must tell us you accept the risks. Your confirmation must include:

  • a statement that you have a clear understanding of, and accept, the risks associated with Dropbox
  • details of the names and email addresses of staff within your organisation that HMRC may contact regarding the use of Dropbox
  • if you would like us to contact authorised representatives of your organisation’s agents, details of their names and email addresses

If you want to find out more about how HMRC will protect your data, read HMRC’s privacy policy.

If you have any doubt about the authenticity of an email you receive which claims to come from HMRC, forward it to us at phishing@hmrc.gsi.gov.uk.

You must not:

  • follow any links within the email
  • disclose any personal details
  • respond to it