New Zealand’s Inland Revenue Department (IRD)—which holds the personal details of millions of New Zealanders, even children who hold after-school jobs—has been giving personal information to social media platforms in a format it insists is safe but which experts say is not.
Data on hundreds of thousands of people have been given to the platforms to enable the targeting of IRD’s marketing campaigns.
The IRD had not personally informed the people whose data was disclosed that they were doing so, but an individual uncovered the practice and characterised it as a “betrayal” of taxpayers.
However, its privacy policy, available on its website, carries the general disclaimer: “We sometimes provide hashed and fully anonymised information to social media channels when placing advertisements.”
The chairperson of the New Zealand Council for Civil Liberties, Thomas Beagle, said the department responsible for tax records simply shouldn’t share personal data for any reason.
“It’s infringing privacy,” he said.
He pointed out that the more data the recipients held, the easier it would be to match individuals’ attributes across data sets and thus de-anonymise the information from IRD to reveal names and other details. This is especially so when it is handed to “platforms like Facebook [which] have a rapacious desire for data,” he said.
Claiming Hashing is Secure is ‘Deceptive’: US FTC
Once the practice was exposed, IRD said in a statement to RNZ that the data is hashed as it is uploaded to Facebook, Instagram, or LinkedIn and customer details are not directly shared.But as recently as July of this year the United States Federal Trade Commission (FTC) published a warning headed “No, hashing still doesn’t make your data anonymous.”
It went as far as to call claims that hashing meant data was securely anonymised “deceptive” and said, “This logic is as old as it is flawed—hashes aren’t ‘anonymous’ and can still be used to identify users, and their misuse can lead to harm. Companies should not act or claim as if hashing personal information renders it anonymised.”
As far back as 2019, European regulators who examined hashing concluded that there was a “re-identification problem” and that several more steps needed to be taken if data was to be securely protected.
Relying on Social Media Companies’ Integrity
The Department revealed it also relied significantly on the integrity of the social media companies, saying, “Each social media platform has its own privacy principles in place that it must adhere to.“These privacy principles were reviewed by Inland Revenue to ensure that customer information is protected and only used for the intended purpose.”
It claimed it fully complies with the Tax Administration and Privacy Act.
The Office of New Zealand’s Privacy Commissioner, Michael Webster, said anyone relying on hashing was responsible for ensuring its effectiveness. Under the Privacy Act, the key question was whether a person remained “reasonably identifiable.”
Unlike the United States and Europe, the privacy commissioner does not currently have a position on hashing but would consider developing one if there were questions about the use of anonymisation or hashing and the application of the Privacy Act.
“Should we have any concerns we may take a compliance approach as set out in our Compliance and Regulatory Action Framework,” it said in a statement.
Under New Zealand’s Privacy Act, everyone has a right to know whether their information is “used and shared appropriately” and “kept safe and secure” and can complain to the Commissioner if they feel it is not.
At present, there are 3.38 million individual taxpayers in New Zealand.
