Staff at the Inland Revenue are breaching the Data Protection Act
by gaining unauthorised access to the computer records of
taxpayers, including celebrities, and in some cases selling
information.
In an internal newsletter, the board of the Inland Revenue
expressed concern over the amount of unauthorised access to the
records of taxpayers. Directors have asked managers to draw up a
new policy on security, stipulating the punishments for breaches,
which the Revenue is due to publish this month.
The information commissioner, Richard Thomas, was unaware that some
Revenue staff were selling tax details. "It is a serious offence -
with an unlimited fine - to sell or buy personal data without the
consent of the organisation which holds the information," he said.
"I will not hesitate to take enforcement action where there is
evidence of serious criminal conduct."
More than 60,000 staff have access to computers at the Inland
Revenue. The department's systems include the computerised
operation of PAYE, which holds tax records, and the National
Insurance Recording System 2, which has historic and current data
on more than 60 million people.
Tony O'Dwyer of the Inland Revenue's human resources conduct and
discipline section said, "There have been a number of instances of
celebrity browsing, or looking up the details of family or friends
out of idle curiosity.
"But there is also evidence that some people are using the
information maliciously. For example, finding out how much an
ex-spouse earns and passing information to the Child Support Agency
or even selling the information to outside agencies. This is
clearly a breach of customer confidentiality and the Data
Protection Act."
He said the Revenue's board has become concerned about unauthorised
browsing of records and asked for clarification of the rules on
accessing records.
The Revenue's security policy assures taxpayers that their records
are confidential and that personal data will be passed to other
agencies only for legal reasons. It says sensitive information is
"encrypted to protect confidentiality, and protected according to
industry best practice".
Last year the Revenue took disciplinary action, including
dismissal, against staff in 226 cases of computer misuse. Although
staff sign the Official Secrets Act, and face criminal proceedings
for breaches of the Data Protection Act, there have been only two
prosecutions for computer misuse.
Disciplinary action, including a bar on promotion and financial
penalties, has been taken against staff who sent obscene and
abusive e-mails, browsed the records of celebrities or accessed
other records without authorisation.
An Inland Revenue spokesman said, "The board has become aware of an
amount of unauthorised browsing and as a result of this the
department needs to draw together a policy to clarify the rules on
computer misuse."
The internal newsletter warns staff that systems automatically log
how computers are used.
Details of the security breaches have emerged as the Home Office
considers allowing more public servants, including those in local
councils, to see personal information held by Whitehall. That
information could include records on an individual's e-mails,
telephone and Internet use. Plans are at a consultative stage.
The Revenue already divulges some tax records to other public
bodies. Computer Weekly has obtained an internal circular to staff
which said that, with authorisation, information on taxpayers may
be passed to organisations such as local councils.