The practice was legal and the process was secure, IRD said. Photo: Supplied
Inland Revenue has been told to consider giving taxpayers a right to opt out of it sharing their details with social media platforms, if it ever decides to take the approach again.
A new review found the IRD also sent taxpayers' details to TradeMe for a customised ad campaign in 2017.
The department said on Tuesday it wasstopping its decade-old practice of sharing encrypted taxpayers' details, though not any financial information, with Facebook, Instagram, Google and LinkedIn for marketing purposes, due to the public backlash.
It had pulled the plug despite insisting the practice was "a very valuable tool for Inland Revenue" for marketing to taxpayers, was fully secure and that there was no evidence data had been misused.
"That's correct," IRD Commissioner Peter Mersi said when asked if its new move was entirely due to public opinion.
The practice was legal and the process was secure, he said.
This position was backed in part by IRD's 36-page internal review released on Tuesday, although the report also said it had found "issues" over sharing with the platforms, and recommended it stop.
The review and an OIA process found two breaches of unencrpyted customer lists - one of which had 268,000 customers in it and went to Meta - and discovered the TradeMe campaign in 2017, which it said was a one-off but gave no details about.
It was not the breaches, but overall trust, that motivated it to stop, Mersi said.
"We recognise the importance of building and maintaining public trust as a cornerstone of an effective tax and social policy system," the review said.
"For these reasons, Inland Revenue will be ceasing the use of custom audience lists for the foreseeable future."
Mersi said IRD would still use social media for marketing, but stop using targeted lists of customers - yet did not rule out that approach being reactivated in future.
The review said the department should reassess all its use of social media marketing, all the products used "as well as the information sharing required to enable them".
A common complaint among the 8000 people who contacted IRD over this - and those who lodged OIAs or complaints with the Privacy Commissioner - was about the lack of an option to opt-out.
"It is recommended that, in the event Inland Revenue determines that social media marketing or advertising capabilities which target individuals is required, the appropriateness of the implementation of an opt in/opt out process within the core tax system is considered," the review said.
IRD began looking into if its encryption of the taxpayers' details, called "hashing", was "still safe" after RNZ reported a challenge to it, and overseas regulator advice it was not adequate, in early September'
Another common complaint was about the social media platforms' data-harvesting practices, and whether the IRD approach facilitated that.
A core question the review considered was whether social media platforms used data from custom audience lists to enhance their own user profiles.
"The social media platforms indicated that custom audience list information is not used to enhance or build profiles of their own users," it said, without offering supporting evidence other than the companies' lists of what assurance processes they used.
"There is no evidence to suggest in any way that the data has been used in anything other than the way in which it was intended," Mersi told the news conference.
Taxpayers' details get protection from the Privacy Act and the Tax Administration Act (TAA).
"Inland Revenue takes its TAA obligations in relation to taxpayer confidentiality seriously and has internal processes for signing off the disclosure of information," the review said.
"Written approval has been located for each of the three platforms [Meta, Google, LinkedIn] used but, given organisational and personnel changes over the last 10 years, there are gaps in timing for that documentation."
IRD has been sharing taxpayers' name, address, and date-of-birth information with Facebook since 2014, but the first record of a privacy assessment of it was in 2016.
This was by way of a "brief privacy analysis", an earlier OIA showed - yet the new review called this a full privacy impact assessment, which was a much fuller look that had not been previously undertaken.
Google was included around 2019, and LinkedIn in 2020, without any assessment.
The only other assessment occurred in September 2024, after RNZ reported on it.
This was a lesser "privacy threshold assessment" that concluded a full privacy impact assessment was not needed.
The new review does not include any input from the Office of the Privacy Commissioner (OPC) , stating only that the OPC was assessing how good its hashing was.
"We are reviewing the information provided by IR in its review and our other engagements with them and expect to come to a view in the next few months," the OPC told RNZ on Tuesday.
Earlier, the deputy commissioner Liz MacPherson said it was disappointing to learn of IRD's two breaches.
"What is particularly concerning in this case is that IR apparently had no idea that these incidents, including the intentional sharing by IR staff of identifiable personal details of 268,000 New Zealand taxpayers with social media platforms had occurred," she said.
The IRD internal review said the system was secure "with the platform's hashed data in an automated, machine-to-machine process".
"The data is deleted after the matching process is completed and not used in any other way by the platforms", it said.
If someone was advertised to, because they had been on the target customer list, then "by interacting with the advertisement, it is possible for a social media platform to infer that they may be interested in certain topics like student loan (this is different from User Profile Enhancing).
"Simply clicking or viewing the ads will not give a social media platform conclusive data but rather increases the likelihood of a user being interested in a certain topic," the review said.
On the assurance, the three platforms listed five types of assurance out of a possible nine. One of these five types of assurance is over 10 years old, while Meta said it had a system and organisations audit report - which IRD asked to see.
Google did not list this, however, unlike Meta, Google had an international standard that applied (called ISO27001).
On data retention, the review said Google did not keep the customer list "any longer than necessary"; LinkedIn kept it for four weeks; Facebook and Instagram "promptly deleted" it after matching data.
IRD has said it operated well within the guidelines of the NZ Information Security manual, maintained by the Government Communications Security Bureau (GCSB)
When the GCSB was asked if the manual covered custom social media marketing, it said it only covered how secure systems were set up, and did not cover how information was used - "that is up to the agency's decision makers".
At a system level, the hashing algorithm used on the tax details is up to GCSB standard.
Tax lawyer Geoff Nightingale was asked by IRD to look over the review.
He reported in a short letter that "the findings are well supported and clearly set out. I have not identified any unaddressed concern".
Sign up for Ngā Pitopito Kōrero, a daily newsletter curated by our editors and delivered straight to your inbox every weekday.
