The new Revenue data protection regime in the Finance Bill 2011

The Finance Bill 2011 seems to have become the key to Ireland’s salvation and our parliamentarians fear allowing democracy to run its course without first passing it.

When the Green Party withdrew from Government yesterday, Eamon Ryan suggested that a scaled-down bill could be passed quickly and that the balance of the provisions could be enacted by the next government. This seems a strange proposition and one might wonder why the next government couldn’t just do the whole job.

Nevertheless, the opposition have taken up that argument with Leo Varadkar memorably suggesting this morning that a “bikini bill” be passed: one which covers the bare essentials. Minister for Finance Brian Lenihan has difficulties with this, as some of the new provisions in the published bill address anti-avoidance measures and their publication has advertised opportunities to exploit tax loopholes. If they are not closed quickly, he argues, further taxes will be lost.

The list of items in the Bill published by the Department of Finance helpfully categorises them as measures which were announced in Budget 2011 and those which are new in the Bill. These types of provisions are often housekeeping and do not address strictly budgetary matters. One which caught my eye is that concerning taxpayer confidentiality.

Section 73 of the Bill would insert a new section 851A into the Taxes Consolidation Act 1997 to provide that taxpayer information held by the Revenue Commissioners is confidential and may only be disclosed in certain circumstances. The Department explains that this “addresses the current lack of a specific tax-related provision governing the confidentiality of taxpayer information provided to Revenue.”

An offence of knowingly providing confidential information is included and can be punished by a fine of up to €10,000.

This section is surprising in light of the fact that the data security breach aspects of the Data Protection Acts 1988 and 2003 are currently under review. Indeed, the statement that it “addresses the current lack of a specific tax-related provision governing … confidentiality” suggests that the extensive provisions of the Data Protection Acts are insufficient. The proposition that these insufficiencies could be remedied by a single section in the Taxes Consolidation Act 1997 is implausible.

In 2009, the Data Protection Commissioner undertook a detailed audit of the Revenue Commissioners and the results were generally positive.

“The Inspection Team considered that there exists a very high organisational awareness of data protection principles in Revenue. In particular, the presence of a dedicated Data Protection Unit, with designated contact points in the event of any issues arising was considered by the Team to be a very appropriate structure for a public sector entity in possession of high volumes of personal data. There is very clear evidence that a detailed approach has been taken by Revenue to identifying and setting out, via policy documents etc, its responsibilities under data protection legislation. This thorough approach is to be welcomed.”

The Commissioner made a number of compliance recommendations and recommended that Revenue undertake a privacy impact assessment of any proposal to extend its investigative powers. Given that the report was overwhelmingly positive, it is unclear where the impetus for section 73 lies (though TJ McIntyre speculates that it may have something to do with recent alleged wrongdoing by Revenue officials, uncovered by internal audits).

There are a number of aspects of the Data Protection Acts that could benefit from reform; not least the fact that the Acts do not provide for a straightforward offence of breaching data security, as is now proposed for Revenue data. Rather, it is an offence:

  • to ignore a notice issued by the Data Protection Commissioner in respect of personal data;
  • for a data processor to disclose personal data without the authority of the relevant data controller;
  • to gain access to personal data held by a data controller and to disclose it to another person.

This last offence does not apply to an employee of the data controller and so section 73 would seem to catch Revenue employees where the Data Protection Acts would not. However, the penalties in the Data Protection Acts reach a maximum of €100,000, in contrast with the €10,000 maximum fine envisaged in the Finance Bill. In the UK, the maximum fine is £500,000.

The Data Protection Acts are lacking in enforcement teeth to deal with willful data security breaches. Instead, they provide for a system of co-operation and escalated engagement with data controllers. Nevertheless, the decision of the Department of Finance to go it alone on this issue is disappointing and section 73 of the Finance Bill once again fragments Irish law on a particular area rather than seeking to improve the general law that applies to everyone.

If citizens deserve to have such a protection in place in respect of Revenue data, why not health or employment data?

  • Update: It was reported today (25/01/11) that a Donegal civil servant allegedly accessed personal data at the Department of Social Protection in Letterkenny and passed that data to a private investigator who subsequently sold it to insurance companies. This is precisely the type of data security breach that section 73 is aimed at, but section 73 will be limited to the Revenue Commissioners and so will not cover the Department of Social Protection. As I asked yesterday, if a protection like section 73 is necessary for Revenue data, why not for other data?

TJ McIntyre looks at some other IT law aspects of the Finance Bill here and here. From a practical perspective, it is also noteworthy that the Bill (section 75) proposes to allow payment of taxes by credit card. While this may facilitate the Revenue Commissioners, it would not appear to be a prudent move for indebted taxpayers who might avail of the facility.

4 thoughts on “The new Revenue data protection regime in the Finance Bill 2011”

  1. I looked into this. Apparently an FOI in 2010 uncovered that there was no statutory basis for the presumption of taxpayer confidentiality in Ireland. DPA is not specific/explicit enough it seems.

    So, while it looks like unwarranted duplication it is, in fact, a necessary fix to the system which needed to be implemented quickly. Technically the gap uncovered exposed any taxpayer’s tax data (and by extension their spouses if jointly assessed) to FOI requests unless other grounds could be shown for not disclosing the information. There was no legal (constitutional, case law or statutory) basis for the presumption of tax data confidentiality.

    Of course, as a DP person I’d be much happier if the Govt decided to simplify things by introducing a single coherent set of Data Protection laws, which would incorporate the kind of requirement in s.73 as well as (holy grail territory here) a “Data Retention Period Consolidation Act” which would give a single point of reference for all Statutory data retention periods that currently exist across all legislation.

    As for the DSP, they may well be in a similar situation re: their presumption of confidentiality (unless they fixed things after the Euromillions Winner shenanigans) and similar legislation might be required – but as this area of legislation is not being actively managed in a proactive and consolidated manner that will likely only happen if there is an FOI that raises the same issues as the one that Revenue had to deal with.

  2. I think it would come as quite a shock to think that an explicit provision like this is necessary. Firstly, the DPA should more than cover confidentiality but, aside from the Acts, there is surely an implicit duty of care and the information should constitute confidential information.

    If this is the reason, what other Government departments now require explicit statutory confidentiality regimes and, again, why not work on DPA instead?

  3. I was reminded of this post when it was revealed that the garda who abused data retention records to spy on her ex-boyfriend would not face prosecution. It is quite incredible that no criminal charges were brought for such a serious breach, and might well suggest that yet another specific offence is needed for garda abuses also.

  4. I was surprised at the provision in the Finance Bill because I would have thought the Government should amend the DPA to catch all public sector use of confidential data, including by the Gardaí, etc.
