TDSI Bulletin 25 - 7 February 2008
This bulletin tells you about:
Please ensure the appropriate people in your organisation read this bulletin.
Enquiries about this bulletin should be addressed to the person named in the email that sent it to you.
Data protection and security of returns
Your responsibilities under the Data Protection Act 1998 (DPA)
We do not set any particular security standards for data sent to us by businesses, but we are happy to work with anyone who needs to send us data to help secure it. Under the DPA, you are responsible for the security of personal data until we have received it. We have an ongoing review into the security of our outgoing data transfers. We currently secure outgoing data to businesses in the following ways, and we encourage everyone to be this careful when transferring information to us.
What encryption do HMRC use?
We encrypt data to a 256-bit standard, protected by a complex 20-character password, onto computer media (normally CD/DVD). A secure courier transports the media in secure, tamper-evident packaging. A named individual signs for it when it is received. We send the password separately.
What encryption can HMRC accept?
You may wish to send us data as password-protected, self-decrypting files on computer disk or tape. We can handle any self-decrypting files that run on Microsoft operating systems. We encourage you to use complex passwords of at least 20 characters and to arrange for a named person to sign for delivery.
If you are unable to use one of the encryption products below, please contact Dorinda Jack on Tel 0191 225 7016:
- self-extracting encryption
- WinZip version 9 or higher
- PGP self-decrypting files
Your hardware or software might prevent data encryption. In such cases, please contact Eddy Griffin on Tel 0151 472 6041 to arrange alternative physical security measures with us.
Where should I send the password for my self-decrypting file?
Please contact us at the address shown in our section 17 notice to you. Our staff there will arrange everything with you.
Are other methods going to be available?
We know some businesses already use other methods to secure their data transfers.
- Financial institutions that use Connect Direct Secure Plus should contact HMRC. We are working to establish the relevant links for the coming filing period.
- We are working with our IT supplier to agree how we will accept tapes and cartridges containing data encrypted by products like ZIP390 and DF DSS.
- We will be publishing details of public keys to be used in asymmetric (public-key) encryption via products like PGP. This will reduce the problems caused by needing a unique password for each item of media.
If any of these are your preferred transfer mechanism, please contact Dorinda Jack on Tel 0191 225 7016 so that you can be included in later announcements.
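The two transfer modes described above, as an added example that is not part of the bulletin or of any HMRC tooling: a passphrase-protected (symmetric, AES-256) file of the kind the bulletin asks for, beside encryption to a published public key, which removes the need to send a separate password with each item of media. It assumes GnuPG 2.1 or later is installed; the sample data, passphrase and recipient identity are constructed and the whole run uses a throwaway keyring.

```shell
#!/bin/sh
# Added example using GnuPG; not HMRC's own process. Sample file, passphrase
# and recipient identity below are constructed for the demonstration.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate"; exit 0; }
export GNUPGHOME="$(mktemp -d)"   # throwaway keyring, never the user's own
chmod 700 "$GNUPGHOME"
WORK="$(mktemp -d)"
printf 'constructed sample return data\n' > "$WORK/return.txt"

# Mode 1: symmetric encryption with a complex 20+ character passphrase (AES-256).
# Each item of media needs its own passphrase, and each has to be sent separately.
PASSPHRASE='Tr0ub4dour&Horse$Battery20'   # constructed example, 26 characters
encrypt_symmetric() {
  gpg --batch --yes --pinentry-mode loopback --passphrase "$PASSPHRASE" \
      --symmetric --cipher-algo AES256 --s2k-digest-algo SHA256 \
      -o "$WORK/return.sym.gpg" "$WORK/return.txt"
}
decrypt_symmetric() {
  gpg --batch --yes --pinentry-mode loopback --passphrase "$PASSPHRASE" \
      --decrypt -o "$WORK/return.sym.out" "$WORK/return.sym.gpg"
  cmp -s "$WORK/return.txt" "$WORK/return.sym.out"   # round trip intact?
}

# Mode 2: asymmetric (public-key) encryption. The recipient publishes one key;
# every sender encrypts to it, and no passphrase travels with the media.
RECIPIENT='Test Recipient <recipient@example.invalid>'   # constructed identity
make_recipient_key() {
  # Unprotected key so the demo runs without prompts; a real key would be protected.
  gpg --batch --yes --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$RECIPIENT" default default never
}
encrypt_to_recipient() {
  # --trust-model always only because the key was generated in this throwaway keyring.
  gpg --batch --yes --trust-model always --recipient "$RECIPIENT" \
      --encrypt -o "$WORK/return.pub.gpg" "$WORK/return.txt"
}
decrypt_as_recipient() {
  gpg --batch --yes --pinentry-mode loopback --passphrase '' \
      --decrypt -o "$WORK/return.pub.out" "$WORK/return.pub.gpg"
  cmp -s "$WORK/return.txt" "$WORK/return.pub.out"   # round trip intact?
}

run_demo() {
  encrypt_symmetric && decrypt_symmetric && echo "symmetric round trip ok"
  make_recipient_key && encrypt_to_recipient && decrypt_as_recipient \
    && echo "public-key round trip ok"
}
run_demo
```

Both encrypted files are standard OpenPGP messages, so the recipient's side works with any OpenPGP-compatible product, PGP included.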
