By Ben Woodhead
August 28, 2007
FRAUD detection systems have uncovered a rash of privacy breaches at the
Australian Taxation Office as employees flout tough data protection
rules despite ongoing monitoring and training.
The sweeps of data access logs led to three sackings during the 2007
financial year and another nine staff resigned after the ATO detected
unauthorised access to taxpayer records.
The breaches came despite extensive privacy education programs at the
agency and closely matched the 24 instances of tax officers
inappropriately accessing client information that were uncovered in the
2006 financial year.
"While no level of unauthorised access is acceptable, in an organisation
of about 22,000 people it is inevitable that a very small number of
people will be tempted to do the wrong thing," an ATO spokeswoman said.
"Access to taxpayer records is limited to staff members who have a
business need to access that information. Accessing taxpayer records,
including an officer's own records, those of friends, relatives or
others, is unauthorised access."
The latest privacy breaches were detected during systematic checks of
access to taxpayer records, which can trigger probes with powerful data
mining tools if instances of inappropriate access are suspected.
The systems used by the ATO, whose fraud awareness training has been
taken up by international revenue collection agencies, are similar to
those deployed at other federal agencies and departments including
Medicare Australia and the Child Support Agency.
Last week the agency and Medicare confirmed that they had uncovered
dozens of instances of employees spying on client records after they
upgraded computer systems used to monitor information access.
The agency is considering whether to pursue criminal charges against
three workers who resigned after they were found accessing customer
records without proper authorisation.
Medicare confirmed 49 instances of inappropriate access during the 2007
financial year and is investigating another 35 possible breaches during
The agency strengthened its fraud protection systems in November while
Medicare introduced a new detection platform modelled on Centrelink data
matching rules last financial year.
A number of other federal agencies, such as the Department of
Immigration and Citizenship, use software systems to monitor and track
unauthorised access to client records.
The tax office spokeswoman said the agency did not consider all cases of
inappropriate access to records to be privacy breaches.
"A breach of privacy is where records of others have been accessed
without knowledge or permission," she said. "Sixteen of the cases
involved a breach of privacy."
The spokeswoman said the tax office pursued court action against four
employees caught breaching taxpayer privacy.
The employees were found guilty and received sentences ranging from good
behaviour bonds to prison terms.
Disciplinary action against other tax officers caught in the sweep
included fines, pay cuts, demotions, counselling and a letter of caution
from the Director of Public Prosecutions.
Copyright 2007 News Limited.