The Inland Revenue Department is stopping the use of custom audience lists with social media platforms amid public concern at the practice.
Custom audience lists – which IRD asserted involved anonymising personal information – were used by the department for a decade with platforms such as Facebook and Google as one way to provide important updates to taxpayers.
The practice was paused in September this year after privacy concerns were raised, which led to an internal review.
Two instances of customer details being supplied in their raw form by Inland Revenue to a social media platform were discovered in the review.
IRD commissioner Peter Mersi said one instance occurred during an attempt to fix a problem with creating a particular custom audience list, while the other was a misunderstanding of what data the hashing process applied to with one platform.
“We are writing to the 268,000 taxpayers involved in the first of the two instances, apologising for what has happened, explaining how it happened, and telling them what details were shared, and the social media platform involved has confirmed that all unhashed data provided to them was deleted within previously agreed timeframes,” he said.
Mersi said the second instance was less easy to quantify and that identifying impacted customers would be “very difficult” due to it occurring over a period of time and lists being deleted once the process has been completed.
The decision to stop using custom audience lists has been driven by public concern, and not by the unintended disclosure, Mersi said, with 8000 taxpayers writing to Inland Revenue expressing concerns.
“We want to be transparent and do the right thing in responding to customer concerns,” Mersi said.
He said there was no evidence of any customer details – hashed or unhashed – being used by social media platforms for anything other than the agreed purpose.
“Custom audience lists have been a very valuable tool for Inland Revenue with real benefits for customers because we could get relevant messages directly to them through the channels we knew they were using.
“The terms of the agreements with the social media platforms were always explicit and clear in stating that all hashed data was secure, used only for the purpose intended, and then deleted within agreed timeframes.
“But as I’ve said, public concern at the practice of passing details to social media platforms in any form has led us to the decision not to resume use of the custom audience list tool.”
Deputy Privacy Commissioner ‘disappointed’
In response to Inland Revenue’s update, Deputy Privacy Commissioner Liz MacPherson said she was very disappointed that “in at least two instances, identifiable personal information was shared by Inland Revenue with social media platforms”.
“What is particularly concerning in this case is that IR apparently had no idea that these incidents, including the intentional sharing by IR staff of identifiable personal details of 268,000 New Zealand taxpayers with social media platforms had occurred.”
MacPherson said it was pleasing to see IR taking the issue seriously in the face of public sentiment but that it was worrying the two disclosures were only discovered after media coverage.
“This case is a reminder to all agencies to have strong privacy processes in place before they share data with third parties, no matter what level of data protection is used to meet the expectations of their customers.”
Letters of apology will be going out to impacted customers within the next 24 hours.