Information Security News: Tax gets tough on privacy

[InfoSec News <alerts () infosecnews org>]

http://www.australianit.news.com.au/story/0,24897,22317999-15306,00.html

By Ben Woodhead 
August 28, 2007

FRAUD detection systems have uncovered a rash of privacy breaches at the 
Australian Taxation Office as employees flout tough data protection 
rules despite ongoing monitoring and training.

The sweeps of data access logs led to three sackings during the 2007 
financial year and another nine staff resigned after the ATO detected 
unauthorised access to taxpayer records.

The breaches came despite extensive privacy education programs at the 
agency and closely matched the 24 instances of tax officers 
inappropriately accessing client information that were uncovered in the 
2006 financial year.

"While no level of unauthorised access is acceptable, in an organisation 
of about 22,000 people it is inevitable that a very small number of 
people will be tempted to do the wrong thing," an ATO spokeswoman said.

"Access to taxpayer records is limited to staff members who have a 
business need to access that information. Accessing taxpayer records, 
including an officer's own records, those of friends, relatives or 
others, is unauthorised access."

The latest privacy breaches were detected during systematic checks of 
access to taxpayer records, which can trigger probes with powerful data 
mining tools if instances of inappropriate access are suspected.

The systems used by the ATO, whose fraud awareness training has been 
taken up by international revenue collection agencies, are similar to 
those deployed at other federal agencies and departments including 
Medicare Australia and the Child Support Agency.

Last week the agency and Medicare confirmed that they had uncovered 
dozens of instances of employees spying on client records after they 
upgraded computer systems used to monitor information access.

The agency is considering whether to pursue criminal charges against 
three workers who resigned after they were found accessing customer 
records without proper authorisation.

Medicare confirmed 49 instances of inappropriate access during the 2007 
financial year and is investigating another 35 possible breaches during 
the period.

The agency strengthened its fraud protection systems in November while 
Medicare introduced a new detection platform modelled on Centrelink data 
matching rules last financial year.

A number of other federal agencies, such as the Department of 
Immigration and Citizenship, use software systems to monitor and track 
unauthorised access to client records.

The tax office spokeswoman said the agency did not consider all cases of 
inappropriate access to records to be privacy breaches.

"A breach of privacy is where records of others have been accessed 
without knowledge or permission," she said. "Sixteen of the cases 
involved a breach of privacy."

The spokeswoman said the tax office pursued court action against four 
employees caught breaching taxpayer privacy.

The employees were found guilty and received sentences ranging from good 
behaviour bonds to prison terms.

Disciplinary action against other tax officers caught in the sweep 
included fines, pay cuts, demotions, counselling and a letter of caution 
from the Director of Public Prosecutions.

Copyright 2007 News Limited.


____________________________________
Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 
http://conference.hitb.org/hitbsecconf2007kl/