Inland Revenue (IRD) has hit “pause” on a process that saw the personal details of hundreds of thousands of Kiwis handed to social media platforms, such as Meta, as it carries out an internal review amid privacy complaints.
Privacy researchers raised concerns last week following reporting by RNZ and 1News on the tax agency’s data-sharing practices.
IRD has long asserted that its approach involved anonymising personal information — a characterisation that multiple experts have said does not assuage privacy concerns.
On Tuesday last week, a spokesperson for IRD told 1News it would continue to share people’s information with online platforms while it reviewed the way it operates — which included Google, Meta-owned Facebook and Instagram, and LinkedIn.
But in an update today, the agency said it had since “paused the uploading and creation of new custom audience lists” on Thursday amid an ongoing review.
“Inland Revenue has received a number of complaints since the first story ran.”
Last week, the agency said its ongoing internal “review” would look at whether its practices were “still safe” to use after warnings from US and European regulators.
However, the temporary pause doesn’t neccesarily mean IRD is no longer targeting social media ads using the lists that have already been created, the agency said.
The details shared directly include “hashed” versions of people’s names, email addresses, phone numbers, dates of birth, geographic information and gender. But that didn’t include the information that could be gleaned from the ads themselves.
IRD has argued the marketing tool, which allows more precise targeting of ads, increased the “compliance of collecting tax revenue and dispersing payments”.
For example, IRD might take the phone numbers of people owing income tax and scramble that info into garbled strings of characters through the “hashing” process.
This list of hashed numbers is then securely shared with Facebook, which compares it to its own list of hashed phone numbers from its users. When there are matching hashes between the two lists, Facebook shows the user (linked to the matching hashed phone number) ads from IRD about setting up a payment plan for their tax debt.
Other examples included targeting businesses, taxpayers who claimed Working for Families credits, and people who had student loan debt.
‘Privacy complaint’ email not treated as a complaint
In an Official Information Act response, IRD said earlier this month it hadn’t fielded any complaints about the way it shared personal information with social media platforms.
However, correspondence supplied to 1News shows an email sent to the department on May 6 with the subject “Breach of Privacy Complaint”, outlining concerns about its ad targeting and data-sharing methods. The email was received and responded to.
“It is shocking to discover that information about me has been uploaded to a social media platform,” wrote Queenstown employment consultant David Buckingham in his email in May.
“Meta, the parent of Facebook, is regarded with suspicion and caution by many people in any event. I am very cautious about what I share with this platform.” He added: “I also reach a breach of privacy complaint against IRD for this unauthorised disclosure.”
Asked about the exchange, an IRD spokesperson said the email “was predominantly seeking information, and because this was not an unauthorised disclosure of information, it was treated as an information request” instead of a complaint.
“We also told the customer in our response that there was the option for them to complain to the Privacy Commissioner if they weren’t satisfied.”
Buckingham told 1News it was clear the agency knew of concerns: “One paragraph of my complaint asked for information. The vast majority of the rest of my complaint is a complaint about the behaviour, and I specifically raised a breach of privacy.”
The consultant has since complained to the Privacy Commissioner about his concerns.