IRD and the hashing of taxpayer data

It has recently been revealed that the IRD has been sharing taxpayer data with major social media platforms such as Google and Facebook.

This has caused concern among taxpayers, as they were neither informed of nor able to opt out of this data sharing. Many people expect the information collected by the IRD to remain confidential and secure, and sharing it with private companies contradicts that expectation.

While the IRD says the data being shared is anonymised and hashed to protect users’ identities, this has not eased all concerns. Critics argue that this process may not provide sufficient protection.

In both the US and the EU, data privacy laws like the GDPR (General Data Protection Regulation) require a higher standard of protection for sensitive data. Hashing, without additional safeguards, doesn’t meet the legal threshold for full anonymisation or compliance with these data privacy regulations.

In response to privacy complaints and media coverage, the IRD has paused further data sharing while a privacy review is conducted.

An example of an email address being hashed using various algorithms:

Email: example@example.com
MD5: 23463b99b62a72f26ed677cc556c44e8
SHA1: 914fec35ce8bfa1a067581032f26b053591ee38a
SHA256: 31c5543c1734d25c7206f5fd591525d0295bec6fe84ff82f946a34fe970a1e66

Hashing the same email address always produces the same output, so if a matching hash is found in a pre-existing database or rainbow table, the original email can be easily uncovered. The same applies to other sensitive data, like dates of birth, which are often used in security questions when people have lost access to an account.
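The matching described above, as an added example that is not part of the original article or any IRD code: a recipient that already holds a list of email addresses can reproduce unsalted hashes and link them back to people, and every possible date of birth can simply be hashed in advance. The sample records, the key and the keyed-hash (HMAC) contrast are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

def normalise(email):
    # Matching schemes trim and lower-case first, so formatting does not hide a match.
    return email.strip().lower()

def plain_hash(value):
    # Unsalted SHA-256: anyone holding the same value computes the same digest.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def keyed_hash(value, key):
    # HMAC-SHA256: the digest cannot be recomputed without the secret key.
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()

def reidentify(shared_hashes, candidates, hash_fn=plain_hash):
    # Hash every value the recipient already holds and look up the shared digests.
    lookup = {hash_fn(c): c for c in candidates}
    return {h: lookup[h] for h in shared_hashes if h in lookup}

def all_birth_dates(first_year=1925, last_year=2024):
    # The entire space of plausible dates of birth, as ISO strings.
    day, end = date(first_year, 1, 1), date(last_year, 12, 31)
    while day <= end:
        yield day.isoformat()
        day += timedelta(days=1)

# Constructed sample data (not real records); the key is a made-up demo value.
AGENCY_EMAILS = [" Alice@Example.com", "bob@example.org", "carol@example.net"]
PLATFORM_EMAILS = ["alice@example.com", "carol@example.net", "dave@example.com"]
AGENCY_KEY = b"constructed-demo-key-kept-by-the-agency"

def demo():
    shared_plain = [plain_hash(normalise(e)) for e in AGENCY_EMAILS]
    shared_keyed = [keyed_hash(normalise(e), AGENCY_KEY) for e in AGENCY_EMAILS]
    return {
        # Unsalted hashes: every address the recipient already knows is linked.
        "plain_matches": sorted(reidentify(shared_plain, PLATFORM_EMAILS).values()),
        # Keyed hashes: the recipient lacks the key, so nothing lines up.
        "keyed_matches": sorted(reidentify(shared_keyed, PLATFORM_EMAILS).values()),
        # A century of birth dates is a tiny input space for any hash function.
        "dob_candidates": sum(1 for _ in all_birth_dates()),
        "dob_recovered": reidentify([plain_hash("1984-07-16")], all_birth_dates()),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The choice of hash algorithm does not change the outcome; the weakness is that the input is guessable or already known to the recipient.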

Some social media users, in an effort to protect their privacy, provide incorrect or incomplete information when creating their social media profiles—such as using a fake name or birth date.

However, with access to accurate taxpayer data, platforms like Facebook and Google can cross-reference this data with their internal records.

This could allow the platform to correct inaccuracies in its own data or flag discrepancies for further investigation, which will assist in its targeted advertising campaigns.

While sharing data may help the IRD ensure taxpayers are compliant, questions remain about the extent to which such measures should go. The IRD already has methods for reaching taxpayers, such as email reminders and public advertising campaigns. The IRD can also share information with other departments, which gives it greater scope to collect and use information that may have been updated elsewhere.

The main questions to resolve are how taxpayer data should be handled in relation to private companies, and how far the IRD should go to engage individuals who have failed to meet their tax obligations.

A list of the IRD information sharing agreements and summaries can be found here: https://www.ird.govt.nz/about-us/information-sharing

For an update to the above article please see here: