When the Green Party withdrew from Government yesterday, Eamon Ryan suggested that a scaled-down bill could be passed quickly and that the balance of the provisions could be enacted by the next government. This seems a strange proposition and one might wonder why the next government couldn’t just do the whole job.
Nevertheless, the opposition have taken up that argument with Leo Varadkar memorably suggesting this morning that a “bikini bill” be passed: one which covers the bare essentials. Minister for Finance Brian Lenihan has difficulties with this, as some of the new provisions in the published bill address anti-avoidance measures and their publication has advertised opportunities to exploit tax loopholes. If they are not closed quickly, he argues, further taxes will be lost.
The list of items in the Bill published by the Department of Finance helpfully categorises them as measures which were announced in Budget 2011 and those which are new in the Bill. These type of provisions are often housekeeping and do not address strictly budgetary matters. One which caught my eye is that concerning taxpayer confidentiality.
Section 73 of the Bill would insert a new section 851A to the Taxes Consolidation Act 1997 to provide that taxpayer information held by the Revenue Commissioners is confidential and may only be disclosed in certain circumstances. The Department explains that this
addresses the current lack of a specific tax-related provision governing the confidentiality of taxpayer information provided to Revenue.
An offence of knowingly providing confidential information is included and can be punished by a fine of up to €10,000.
This section is surprising in light of the fact that the data security breach aspects of the Data Protection Acts 1988 and 2003 are currently under review. Indeed, the statement that it “addresses the current lack of a specific tax-related provision governing … confidentiality” suggests that the extensive provisions of the Data Protection Acts are insufficient. The proposition that these insufficiencies could be remedied by a single section in the Taxes Consolidation Act 1997 is implausible.
In 2009, the Data Protection Commissioner undertook a detailed audit of the Revenue Commissioners and the results were generally positive.
The Inspection Team considered that there exists a very high organisational awareness of data protection principles in Revenue. In particular, the presence of a dedicated Data Protection Unit, with designated contact points in the event of any issues arising was considered by the Team to be a very appropriate structure for a public sector entity in possession of high volumes of personal data. There is very clear evidence that a detailed approach has been taken by Revenue to identifying and setting out, via policy documents etc, its responsibilities under data protection legislation. This thorough approach is to be welcomed.
The Commissioner made a number of compliance recommendations and recommend that Revenue undertake a privacy impact assessment of any proposal to extend its investigative powers. Given that the report was overwhelmingly positive it is unclear where the impetus for section 73 lies (though TJ McIntyre speculates that it may have something to do with recent alleged wrongdoing by Revenue officials, uncovered by internal audits).
There are a number of aspects of the Data Protection Acts that could benefit from reform; not least the fact that the Acts do not provide for a straightforward offence of breaching data security, as is now proposed for Revenue data. Rather, it is an offence:
- to ignore a notice issued by the Data Protection Commissioner in respect of personal data;
- for a data processor to disclose personal data without the authority of the relevant data controller;
- to gain access to personal data held by a data controller and to disclose it to another person.
This last offence does not apply to an employee of the data controller and so section 73 would seem to catch Revenue employees where the Data Protection Acts would not. However, the penalties in the Data Protection Acts reach a maximum of €100,000, in contrast with the €10,000 maximum fine envisaged in the Finance Bill. In the UK, the maximum fine is £500,000.
The Data Protection Acts are lacking in enforcement teeth to deal with willful data security breaches. Instead, they provide for a system of co-operation and escalated engagement with data controllers. Nevertheless, the decision of the Department of Finance to go it alone on this issue is disappointing and section 73 of the Finance Bill once again fragments Irish law on a particular area rather than seeking to improve the general law that applies to everyone.
If citizens deserve to have such a protection in place in respect of Revenue data, why not health or employment data?
- Update: It was reported today (25/01/11) that a Donegal civil servant allegedly accessed personal data at the Department of Social Protection in Letterkenny and passed that data to a private investigator who subsequently sold it to insurance companies. This is precisely the type of data security breach that section 73 is aimed at, but section 73 will be limited to the Revenue Commissioners and so will not cover the Department of Social Protection. As I asked yesterday, if a protection like section 73 is necessary for Revenue data, why not for other data?
TJ McIntyre looks at some other IT law aspects of the Finance Bill here and here. From a practical perspective, it is also noteworthy that the Bill (section 75) proposes to allow payment of taxes by credit card. While this may facilitate the Revenue Commissioners, it would not appear to be a prudent move for indebted taxpayers who might avail of the facility.