Deputy Privacy Commissioner Liz MacPherson says she is very disappointed to learn that in at least two instances, identifiable personal information was shared by Inland Revenue with social media platforms.

IR is the custodian of highly sensitive tax information about most New Zealanders. “Given the nature of their work and the fact all New Zealand taxpayers must interact with them it’s important IR upholds the very highest privacy and confidentiality standards.”

“What is particularly concerning in this case is that IR apparently had no idea that these incidents, including the intentional sharing by IR staff of identifiable personal details of 268,000 New Zealand taxpayers with social media platforms, had occurred.”

It is unlikely, based on the information available to us, that the breaches are notifiable under the Privacy Act. However, the fact the data of so many people was shared inappropriately is troubling and OPC will be seeking further information about the incidents that emerged during this review.

It is pleasing to see that in the face of public sentiment IR are taking this issue seriously, including stopping supplying custom audience lists to social media agencies and taking steps to notify affected taxpayers, but it is worrying that the two disclosures were only discovered after media coverage.

OPC have previously noted that care is needed with data anonymisation and that agencies using data anonymisation and de-identification techniques are accountable for making sure the techniques they use protect people’s privacy. “This includes regular reviews to ensure that de-identification techniques remain robust against potential malicious actors – a set and forget approach is not acceptable.”

“This case is a reminder to all agencies to have strong privacy processes in place before they share data with third parties, no matter what level of data protection is used to meet the expectations of their customers.”

Editors’ note
• OPC previously issued a media statement, “Care is needed with data anonymisation”, on 17 September.
• Criteria for notifiable privacy breaches: What is a notifiable breach.