Human error blamed for majority of 149 data breaches at Revenue

Incidents include final tax demand sent to ex-wife, and exam results sent to third party

A detailed log of the Revenue incidents reveals a significant chunk related to Covid-19 support payments. Photograph: Nick Bradshaw/The Irish Times
A detailed log of the Revenue incidents reveals a significant chunk related to Covid-19 support payments. Photograph: Nick Bradshaw/The Irish Times

A final tax demand sent to an ex-wife, a Revenue official sent information on her former husband by accident, and a staff member’s exam results mistakenly sent to a third party were among 149 breaches recorded by the Revenue Commissioners last year.

Revenue said the majority of the breaches were caused by human error and the volume of such incidents had been low given the volume of data it deals with.

A detailed log of the incidents reveals a significant chunk of the incidents related to Covid-19 support payments.

There were 26 cases where a compliance check letter was sent to a company with an incorrect list of employees.

READ MORE

Another seven cases were recorded where a compliance letter was sent to the wrong tax agent, according to a database provided by Revenue.

Other one-off incidents included one where a taxpayer’s medical receipts were sent to the wrong person and a breach where an email about a taxpayer’s audit was attached to an “unconnected third party’s correspondence”.

Also logged was a case where a final tax demand was sent to a “taxpayer’s ex-wife’s address” and another involving a final demand issued to the “incorrect person of same name”.

In another breach, a Revenue official received her “ex-husband’s information due to [a] systems error”, according to the log.

Separated couples

There were multiple other cases involving separated couples, with intervention letters sent to an ex-spouse’s address in one case and taxpayer correspondence sent in error to the address of a former spouse.

Confusion over taxpayer names caused other breaches, including four cases where two individuals were using the same PPS number.

There were also internal incidents, according to the log, including one case where a spreadsheet with staff data was sent in error to three managers.

In another, the name and PPS numbers of staff were circulated to an internal mailing list while a breach was also reported when a staff member’s exam results were sent to a third party by mistake.

A case was also logged where promotion forms were sent to the wrong staff member, where they had shared a name with the person who was supposed to get it.

A spokeswoman said: “[With] the amount of data held and processed by Revenue in the course of carrying out our core business, a relatively small number of data breaches, mainly caused by human error, occur from time to time.

“The risk of human error cannot by its nature be totally eliminated, but Revenue strives to minimise and manage such risk by continually working to increase awareness of, and to improve compliance with, data protection among our staff members.”

She said all instances where a data breach was likely to result in a risk to the rights and freedoms of an individual were notified to the Data Protection Commissioner.