HM Revenue & Customs, the UK’s tax authority, is planning to sell taxpayers’ financial data to private organisations.
Treasury minister David Gauke is overseeing the plans and the government insists that safeguards against the release of personal data, which will be sold to companies, research organisations and other public bodies “where there is a public benefit”. However, it is unclear why the government thinks it wise to sell people’s tax data.
According to The Guardian newspaper, HMRC is currently in the process of considering charging options. The plans were buried within documents released as part of the autumn statement and the recent budget, according to the newspaper.
Conservative MP David Davis, who resigned his seat in 2008 to fight a by-election over identity cards, described the plans as “borderline insane”.
“The Treasury lists no credible benefits and offers a justification based on an international agreement that does not lead other governments to open up their tax database,” he told The Guardian. “The officials who drew this up clearly have no idea of the risks to data in an electronic age.”
The plans were also criticised by cryptographer and computer security expert Ross Anderson, Professor in Security Engineering at the University of Cambridge Computer Laboratory. “If they were to make HMRC information more available, there’s an awful lot of people who would like to get their hands on it,” he said.
HMRC has already started sharing information with credit-reference agencies in a pilot programme covering VAT. In this project, it has skirted laws against sharing tax data with third-parties by contracting with Dun & Bradstreet, Equifax and Experian, the UK’s three main credit reference agencies, to act on its behalf and “therefore treated as part of the department”.
In a statement, HMRC defended the programme: “The government has decided to proceed with the proposal to remove the legal restrictions that currently limit HMRC’s ability to share anonymised individual-level data for the purpose of research and analysis and deliver public benefits wider than HMRC’s own functions, but they accept that this must be done only where there are sufficient safeguards in place to protect taxpayer confidentiality.
“HMRC is committed to protecting its customers’ information. We shall be consulting further on implementing the proposals for sharing anonymised data, and would only take forward specific measures where there was a clear public benefit and subject to suitable safeguards.”
HMRC’s proposals mirror the much-criticised care.data programme in the National Health Service, which will see patient records anonymised and sold to research organisations and, potentially, companies.
Like care.data, HMRC’s plans raise fears that the data will be inadequately anonymised and that it could and will subsequently be de-anonymised. Indeed, there are question marks over whether anonymisation is genuinely possible in an era of big data analytic techniques.
Dr Latanya Sweeney, a US mathematician and currently the chief technology officer at the US Federal Trade Commission, demonstrated in the late-1990s how easy it is to de-anonymise data by cross-referencing a few simple items of data.
Under the care.data proposals, the Health & Social Care Information Centre (HSCIC) overseeing the programme, claimed that it would prevent organisations purchasing the patient data from de-anonymising it under the terms of their contract.
However, critics argued that the HSCIC would have no way of knowing whether they had or not, and the commercial advantages of doing so, combined with the lack of any real punishment for contravening the contract, might make it too tempting.
The HSCIC’s anonymisation proposals were also criticised for being too weak and too easy to crack.