Revenue staff break data law by snooping on stars

Staff at the Inland Revenue are breaching the Data Protection Act by gaining unauthorised access to the computer records of...

Staff at the Inland Revenue are breaching the Data Protection Act by gaining unauthorised access to the computer records of taxpayers, including celebrities, and in some cases selling information.

In an internal newsletter, the board of the Inland Revenue expressed concern over the amount of unauthorised access to the records of taxpayers. Directors have asked managers to draw up a new policy on security, stipulating the punishments for breaches, which the Revenue is due to publish this month.

The information commissioner Richard Thomas was unaware that some Revenue staff were selling tax details. "It is a serious offence - with an unlimited fine - to sell or buy personal data without the consent of the organisation which holds the information," he said. "I will not hesitate to take enforcement action where there is evidence of serious criminal conduct."

More than 60,000 staff have access to computers at the Inland Revenue. The department's systems include the computerised operation of PAYE, which holds tax records, and the National Insurance Recording System 2, which has historic and current data on more than 60 million people.

Tony O'Dwyer of the Inland Revenue's human resources conduct and discipline section said, "There have been a number of instances of celebrity browsing, or looking up the details of family or friends out of idle curiosity.

"But there is also evidence that some people are using the information maliciously. For example, finding out how much an ex-spouse earns and passing information to the Child Support Agency or even selling the information to outside agencies. This is clearly a breach of customer confidentiality and the Data Protection Act."

He said the Revenue's board has become concerned about unauthorised browsing of records and asked for clarification of the rules on accessing records.

The Revenue's security policy assures taxpayers that their records are confidential and only for legal reasons will personal data be passed to other agencies. It says sensitive information is "encrypted to protect confidentiality, and protected according to industry best practice".

Last year the Revenue took disciplinary action, including dismissal, against staff in 226 cases of computer misuse. Although staff sign the Official Secrets Act, and face criminal proceedings for breaches of the Data Protection Act, there have been only two prosecutions for computer misuse.

Disciplinary action, including a bar on promotion and financial penalties, has been taken against staff who sent obscene and abusive e-mails, browsed the records of celebrities or accessed other records without authorisation.

An Inland Revenue spokesman said, "The board has become aware of an amount of unauthorised browsing and as a result of this the department needs to draw together a policy to clarify the rules on computer misuse."

The internal newsletter warns staff that systems automatically log how computers are used.

Details of the security breaches have emerged as the Home Office considers allowing more public servants, including those in local councils, to see personal information held by Whitehall. That information could include records on an individual's e-mails, telephone and Internet use. Plans are at a consultative stage.

The Revenue already divulges some tax records to other public bodies. Computer Weekly has obtained an internal circular to staff which said that, with authorisation, information on taxpayers may be passed to organisations such as local councils.

Read more on IT risk management