ECSH111000 - Contact with businesses: email
Corresponding with businesses via email is often one of the easiest and most direct ways of contacting them. Within Economic Crime-Supervision (EC-S) there are two types of email correspondence to businesses:
- Direct to individual businesses or their representative – these are email exchanges between a named HMRC employee and an individual business or their representative, which the business has agreed to conduct by email. We cannot send emails to businesses or their representatives without the consent of the business – even if the business or representative makes the initial contact. The individual, business or representative must be made aware of and accept the risks when agreeing we can communicate by email. Where the business operates through an agent, the principal business must agree to the risks and accept them before we can communicate with any of their agents by email.
- Personalised bulk emails to businesses (HMRC system-generated) – these are direct messages that go to business email addresses, for example to remind them about deadlines, informing them of changes that might affect them, or asking them to check their government gateway account.
See also ECSH112000 on Secure Communications.
Risks of contacting businesses by email
The main risks associated with using email that concern HMRC are:
- Confidentiality and privacy – there’s a risk that emails may be intercepted as they are sent over the internet.
- Confirming business identity – it’s crucial that we only communicate with established contacts at their correct email addresses.
- There is no guarantee that an email received over an insecure network, like the internet, has not been altered during transit.
- Attachments could contain a virus or malicious code.
To reduce these risks:
- We can desensitise information, for example by only quoting part of any unique reference numbers.
- We can also use encryption and can discuss how they may do the same but still give the information we need.
- We can undertake regular assurance to make sure all precautions are being followed.
Data protection
When contacting businesses by email we must ensure we adhere to the data protection policy. This is available in ECSH10500.
Security Classification
It is important to comply with security classifications when sending information by email.
For more information on security classifications please see the HMRC Government Security Classifications and Asset Control Policy and Cabinet Office Government Security Classifications Policy.
Business agreement to corresponding by email
The individual, business or representative must be told about the risks when agreeing to communicate by email. Always check that direct email to individual businesses or representatives has been authorised before sending emails to businesses.
Link to factsheet CC/FS72 DSC1, ‘Corresponding with HMRC by email’.
Before we can use email to contact the business, their representative or any agent used by the business, they must read the risks detailed below and confirm in writing by post or email:
- That they understand and accept the risks of using email.
- That they’re content for financial information to be sent by email.
- That attachments can be used.
The business should also send us the names and email addresses of all the people they would like us to use email with – for example, their staff, their representative, their agent.
Confirm they’ve made sure that their junk mail filters are not set to reject and/or automatically delete HMRC emails.
Confirmation will be held on file and will apply to future email correspondence and the agreement should be reviewed at regular intervals to make sure there are no changes.
Opting out
The business may opt out of using email at any time by letting us know. Once they have opted out, we should not contact them via email.
The business may prefer that we do not respond by email, for example because other people have access to their email account. If so, we’re happy to respond by another method. We’ll agree this with them either by telephone or in writing via post.
External email automated disclaimer:
Emails sent from HMRC email addresses to external email addresses contain the following disclaimer automatically:
“The information in this e-mail and any attachments is confidential and may be
subject to legal professional privilege. Unless you are the intended recipient
or his/her representative you are not authorised to, and must not, read, copy,
distribute, use or retain this message or any part of it. If you are not the
intended recipient, please notify the sender immediately.
HM Revenue & Customs computer systems will be monitored and communications
carried on them recorded, to secure the effective operation of the system and
for lawful purposes.
The Commissioners for HM Revenue and Customs are not liable for any personal
views of the sender.”