Inland Revenue is giving hundreds of thousands of taxpayers' details to social media platforms for marketing campaigns, using an anonymisation tool that top international regulators say is inadequate at protecting people's personal information.
David Buckingham, a Queenstown employment relations consultant who spotted the practice, said it was a mass "betrayal" of taxpayers.
Buckingham said taxpayers had no choice but to give many personal details and their tax status to Inland Revenue, only for the details to end up with Facebook and LinkedIn, bolstering individuals' profiles that the big tech companies grew and traded.
Inland Revenue told him that neither he, nor anyone else, could opt out of having their details provided to the firms, he told RNZ.
In a statement, Inland Revenue said all the details were fully protected by anonymisation using a "hashing" process, in which letters are replaced by numbers.
"Inland Revenue generates between 30-50 custom audience lists a month which we use to target specific ads to customers on Facebook/Instagram, LinkedIn, or Google platforms," it told RNZ.
"The lists uploaded monthly are for things like student loans where the overseas-based customer population is constantly changing with people moving overseas or returning home."
Before a target audience was matched to, IRD's privacy officer completed a privacy impact assessment and "agrees for us to use Facebook/Instagram, LinkedIn, and Google".
"We have rejected the use of some platforms in the past because their data security was not up to the right standards," the department said.
"The lists are of up to 500,000 customers each, with names, DOB, address, phone, and email contacts.
"The data is hashed as it is being uploaded to Facebook, Instagram, or LinkedIn. We do not share any customer details directly with them.
However, in July, the United States Federal Commission said in a press release that hashing was not adequate protection.
"No, hashing still doesn't make your data anonymous," the headline of the statement said.
"Companies often claim that hashing allows them to preserve user privacy.
"This logic is as old as it is flawed - hashes aren't 'anonymous' and can still be used to identify users, and their misuse can lead to harm. Companies should not act or claim as if hashing personal information renders it anonymised."
European regulators who looked at hashing in 2019 concluded that there was a "re-identification problem" and several more steps had to be taken to protect data.
When RNZ asked Inland Revenue if it had taken the American and European conclusions into account, it did not say.
Its first statement said: "After hashing, the data cannot be decrypted and it's safe for the matching process to take place."
Later, it defaulted to relying on the companies' integrity.
"Each social media platform has its own privacy principles in place that it must adhere to," it said.
"These privacy principles were reviewed by Inland Revenue to ensure that customer information is protected and only used for the intended purpose."
It was satisfied the platforms handled customer information "responsibly" and deleted it after the hashing, it said.
But Buckingham was not satisfied, especially given Inland Revenue's privileged position.
"Look, Inland Revenue in particular has secrecy provisions. It makes it actually particularly egregious. No one agreed to any of this, and there's no way to opt out.
"[Inland Revenue] has created a technical-techno gobbledygook smokescreen as a distraction from the fact that they've actually betrayed almost every New Zealander by disclosing" the nature of their tax status, he said.
"The information can't be gotten back and we have no control over how that might be used."
Regardless of hashing, social media companies were skilled at matching profiles, he added, and questioned why, if Inland Revenue was so confident in hashing, it chose not to share data with TikTok, despite the platform's popularity among young people.
Inland Revenue said it was fully compliant with the Tax Administration Act and the Privacy Act.
Its privacy policy, available on its website, told the public it shared their details: "We sometimes provide hashed and fully anonymised information to social media channels when placing advertisements."
It told RNZ: "Inland Revenue is not 'giving up taxpayer details'. Audience lists up to 500,000 are not the norm. But lists of that size could be used for something like individual tax assessments when IR needs to get reminders out to many customers."
The Office of the Privacy Commissioner said anyone using hashing was accountable for making sure it was effective. Under the Privacy Act, the key question was whether a person remained "reasonably identifiable".
"OPC does not have a general position on hashing, but it is something we would consider if there was a question about the use of anonymisation or hashing and the application of the Privacy Act, which could depend on the facts involved and the circumstance of its use," it said.
"Should we have any concerns we may take a compliance approach as set out in our Compliance and Regulatory Action Framework."
RNZ asked the Office if the Inland Revenue case might give it reason to consider the question of hashing, like US and European regulators did years ago. It did not say.
RNZ also asked if the Office had concerns about the scale of Inland Revenue interactions with Facebook and the others, but it did not say.
The Public Service Commission did not respond to a question about its view of hashing.