Property Tax Administration

I propose to take Questions Nos. 55 to 57, inclusive, together.

I am informed by the Revenue Commissioners that in their implementation of the LPT data was exchanged between Government Departments, State agencies, semi State bodies and the Revenue Commissioners. Sections 151 and 153 of the Finance (Local Property Tax) Act 2012 (as amended) enable the Revenue Commissioners to request certain details from specified bodies for LPT purposes. Section 153 of the Act includes a list of these bodies.

Under section 151 of the Act, the information that the Revenue Commissioners may request is details, in the possession or control of the relevant person, of the address or addresses, as the case may be, of residential properties, and in relation to each residential property:

- the name of the occupier,

- the name of the owner,

- the address contained in any geodirectory maintained by any relevant person or such other information as may allow the location of the property to be established,

- any unique identification number which the relevant person has assigned to the property or, as the case may be, to any meter or other device located in the property or to the occupier or owner of that property, and

- information in relation to the size and type of the property. 

As there is a legislative basis for the sharing of the specified information by these bodies with the Revenue Commissioners, it is permitted from a data protection perspective under section 8(e) of the Data Protection Acts 1988 and 2003.  However, the Office of the Data Protection Commissioner is routinely consulted in relation to proposed data exchanges between State Bodies and Revenue and did provide guidance in relation to aspects of the data which was transferred to Revenue for the purposes of implementing Local Property Tax.   A key aspect of the work undertaken by Revenue in the implementation of LPT was the development of a comprehensive Register of residential properties in the State. The Register was developed using data drawn from a range of sources including Revenue's own databases, the Household Charge database from the Local Government Management Agency (LGMA), Non-Principal Private Residence data, Private Residential Tenancies Board data, information from the Department of Social Protection and data from utility companies.  As well as being provided for in the LPT legislation, in advance of the data exchanges, data protocol agreements were drawn up between Revenue and the relevant organisations. These outlined how the data would be transmitted and how it would be secured and managed by Revenue.  I am also advised that the Commissioners utilised the following data sources in their development of the on-line interactive valuation guide, most of which are publically available:

- Revenue's stamp duty records, which record all property sales in the Republic and the values of the properties sold.

- CSO's Residential Property Price Index which provides guidance on establishing the percentage reduction to be applied to the prices obtained for properties sold in 2010, 2011 or 2012.

- The Geo-Directory produced by Ordnance Survey Ireland and An Post, which provides information on property location and type.

- Information in relation to property location and type collected by the Sustainable Energy Authority of Ireland.

- Spatially derived data that indicate relative distances of all residential properties (using GeoDirectory) to a series of key amenities and services (transport, health, education, retail, emergency services etc).

- Geographically linked data from publicly available sources such as the Central Statistics Office Census 2011 results at small area level and the 2012 Pobal HP Deprivation index.

Revenue is an integrated tax and customs organisation. Frontline customer service, compliance and debt management staff throughout the organisation, amounting to about 4,800 at clerical, administrative and management grades, who are authorised to do so, have access to taxpayer records, including LPT, to enable them to do their jobs.   I am advised that access to data by Revenue staff is based on a management approved business case. Access controls are in place for staff using all Revenue taxpayer systems.  All access is recorded and regular audits are carried out to ensure access policies are followed. The Deputy should note that this number fluctuates as a result of staff movements and changing business needs.

I am further informed by the Revenue Commissioners that taxpayer confidence in Revenue is essential for the organisation to fulfil its duties as laid down by the Houses of the Oireachtas and it is Revenue's reputation for properly and securely holding and using data that has nurtured and sustained that confidence.  This principle of taxpayer confidentiality has always been central to the ethos of the organisation. The Finance Act 2011 introduced a taxpayer confidentiality provision which reinforced the existing ethos by providing the clear legal basis which allows Revenue officials to disclose taxpayer information and includes legal sanctions where this provision is breached. It has been hugely influential in encouraging staff to be more vigilant, thus further strengthening data protection in the organisation.

The security and privacy of Revenue taxpayer data are of the highest priority and Revenue implements a host of different procedures and policies to protect this data.  Revenue has a number of policies and practices in place to ensure the integrity and confidentiality of taxpayer data.

- Revenue has a Data Controller appointed by the Board pursuant to Section 1 of the Data Protection Acts who has overall responsibility for driving data protection policy and management.

- A code of practice for the protection of personal data in Revenue was introduced in January of 2013 which was developed in conjunction with the office of the Data Protection Commissioner and is designed to give operational meaning to the principles of data protection set out in the Data Protection Acts.

- Following on the Code of Practice, a consolidated Data Breach Management Plan has also been introduced which places the responsibility on senior management to report breaches to the Data Controller and which are logged in a data breach register which the Office of the Data Protection Commissioner may access. 

Data protection policies and practices in Revenue have been examined on a number of occasions by the Data Protection Commissioner. His report of the substantial cross-organisation audit in 2010 was positive and Revenue has subsequently built on some of the recommendations in that report. All Revenue officials are bound by the Officials Secrets Acts, the Civil Service Code of Standards and Behaviour, the Revenue Code of Ethics, in addition to Section 851A of the Taxes Consolidation Act, which introduced criminal sanctions for unauthorised disclosure of taxpayer information. Revenue has a range of internal controls to ensure compliance. Internal data protection audits were introduced in 2010 which examine compliance with the Data Protection Acts in district and regional offices. New measures were introduced to assure staff compliance with Revenue policy on data security and confidentiality. This facilitates periodic review of staff access logs to ensure compliance with access and transaction processing rules. Revenue has attained and maintained ISO27001 since January 2010 accreditation.  This covers information/data security for the public facing systems (www.revenue.ie and www.ros.ie).  ISO27001 is the international best practice standard for information security and is independently audited by external practitioners.  For Revenue this includes all live application software, network, security, server, operating systems, middleware, data, storage and the monitoring components within these zones.  Revenue systems/processes were last audited in November 2013.  Revenue also holds ISO 22301 for their Data Centres, which is the international standard for business continuity management. The ISO 22301 management system lets you identify threats relevant to your business and the critical business functions they could impact. It requires Revenue to have plans in place ahead of time to ensure business continuity. Finally, I am advised that the Office of the Data Protection Commissioner is routinely consulted in relation to all proposed data exchanges between State Bodies and Revenue.