Tax authorities collected personal data on a large scale, including social networks

Tax authorities have collected personal data of taxpayers – including information on social networks – from the Internet on a large scale, store them in a computer system and use them in their management and fight fraud. This happened despite internal doubts about the legality of this and about the “origin, accuracy and subjectivity” of the data stored.

The data was stored in a complex RAM database, which NRC launched a large-scale deployment this spring.

The privacy problems surrounding this Risk Analysis Model (RAM) that has been in use for years are much bigger than described in the post, according to the report. internal information from 2017 which outgoing Secretary of State Marnix van Rij (Taxes, CDA) sent to the House of Representatives after the publication of the NRC. Van Rij and his fellow Secretary of State Aukje de Vries (Profit, VVD) have decided to conduct an external investigation into the use of RAM and its consequences for citizens. The possible role of RAM in the Profit Scandal is also discussed.

The RAM – which came into use at the turn of the century – was used to ‘publish profiles’, including on the basis of nationality, according to an internal report. RAM also provided ‘surprise addresses’, where, based on the data collected, there are possible deviant (read: suspicious) behavioral patterns.

Also read
Therefore, Tax Authorities became frequent perpetrators of misuse of personal data

Benefits Department

RAM was also sent to the Benefits department, something Van Rij had previously denied in Parliament. To him short Van Rij has now corrected this to Parliament. Customs also used RAM, as did the Financial Intelligence and Investigation Service (FIOD), for ‘investigative purposes’. Tax authorities also used the system to monitor its employees, with the aim of “achieving production targets, production quality, anonymous summary and measurement of integrity violations.”

The self-created database contained “data of a highly sensitive nature, with respect to the tax, financial and/or personal nature of the data,” the internal analysis says. “A lot of sensitive data from a lot of people is brought together.” Tax authority employees also received information about possible criminal charges or investigations through RAM.

The analysis yielded ‘surprising addresses’ with potentially deviant behavior patterns

Tax authorities collected data from many sources, both inside and outside the government, so that hundreds of different data were stored for each citizen. Not only general personal data such as address and age, but also information about a person’s partner (tax), the date of the start of the relationship, the nationality of the partner, how many times a person entered the Tax Authority’s systems or filed an objection, all data . about income, assets and debts, how many cars, investments and real estate a person had, and so on. Through the search it was possible to “associate almost everything with everything,” the internal analysis said. In this way, departmental staff can identify individuals or groups for further investigation.

In 2016, there were already concerns within the Tax Authority’s senior management about the need for “large-scale data transmission” through RAM, according to internal email communications. There have been repeated attempts to disable or change the program because it did not comply with privacy laws. But RAM was very popular in the off. According to a confidential report from the time, there were “at least 2,000 customers” of RAM data within the service.

Transfer without control

Who exactly used the system, what was released from it and to whom this information was sent was not tracked. Employees can transfer requested information without looking at Excel sheets and take them with them to their disks or USB sticks.

Staff knew that RAM allowed searches “that could be considered discriminatory.”

Tax authorities knew that storing personal information that citizens shared on the Internet (“scraping/crawling, with or without third-party software”) was a legal problem. “The legal basis for processing such data is (..) under discussion and in several cases not allowed by the (Dutch Data Protection Authority),” the internal analysis says.

The system was officially shut down when a new privacy law was introduced in May 2018, but according to internal documents, at least part of the database remained available to employees until January 2021.

RAM’s possible role in the Profit Scam will also be discussed in the inquiry

The use of RAM and the major domestic concerns about the violation of citizens’ privacy that it caused were always hidden from Parliament. Then MP Pieter Omtzigt (CDA at the time) in 2018 he asked that internal privacy risk assessments had been carried out in the Tax Authorities, then Secretary of State Menno Snel (D66) concealed the existence of an internal analysis at RAM. When Van Rij informed Parliament of the presence of RAM in March 2022, he initially limited it to a summary statement that there had been “an estimated 125 authorized users”.

Partly because of this, little is known about the actual consequences of high RAM usage. The Ministry of Finance did not respond to questions because an external investigation is ongoing. The government wants to start selecting an external party that will conduct a study next month.

To participate





Email the editor