[IN CONFIDENCE RELEASE EXTERNAL]
25OIA1568
3 December 2024
H Patel
[FYI request #29088 email] Dear H Patel
Thank you for your request made under the Official Information Act 1982 (OIA), received on 6
November 2024. You requested the following:
In the 'Review and analysis of Social Media for Custom Audiences' document (Review)
you have noted that a cleartext CSV was sent to Meta Support via email.
Could you please advise:
1. What, if any, end-to-end encryption method was used (e.g. S/MIME, PGP) when
transmitting the file?
2. What is IRD's policy on appropriate methods to secure personal information when
transmitting to third parties (both via email and other means)?
3. Can IRD be sure that there have been no other occasions of personal information
being shared with third parties, in a non-approved manner, other than the incidents
described in the review document or otherwise previously disclosed? Why/why not?
Question 1
Inland Revenue’s systems are secure and encrypted in line with expectations in the New Zealand
Information Security Manual (NZISM). Providing specific details of methods used may impact
the security of those systems.
Your request for what encryption method is used is therefore refused under section 18(c)(i) of
the OIA, as making the requested information available would be contrary to section 18(3) of
the Tax Administration Act 1994 (TAA). It provides that the Commissioner of Inland Revenue is
not required to disclose any item of revenue information if the release of the information would
adversely affect the integrity of the tax system or prejudice the maintenance of the law.
Question 2
Inland Revenue has a range of security policies and standards. An internal policy about
information handling states that during the processes of collection, use and dissemination of
electronic information users must comply with the provisions of Inland Revenue's security
requirements. Minimal compliance is with the New Zealand Information Security Manual
(NZISM). Information that is sent to external parties in physical or electronic format must be
protected to ensure it is not compromised.
Page 1 of 2
[IN CONFIDENCE RELEASE EXTERNAL]
25OIA1568
Question 3
Inland Revenue has mature privacy practices and takes extensive measures to protect personal
information. However, no agency can be absolutely sure there are no instances of unauthorised
sharing. Even with stringent controls, human error can lead to unintentional data breaches, some
incidents may not be detected immediately, and with cyber threats constantly evolving new
vulnerabilities can be exploited before they are identified.
Inland Revenue monitors for breaches and encourages staff to report incidents. Robust security
measures, and a culture of transparency help minimise risks and improve detection. This
unintended disclosure was an isolated incident, and Inland Revenue has not experienced a
breach of this scale previously.
Right of review
If you disagree with my decision on your OIA request, you can ask an Inland Revenue review
officer to review my decision. To ask for an internal review, please email the Commissioner of
Inland Revenue at
: [email address].
Alternatively, under section 28(3) of the OIA, you have the right to ask the Ombudsman to
investigate and review my decision. You can contact the office of the Ombudsman by email at:
[email address].
If you choose to have an internal review, you can still ask the Ombudsman for a review.
Publishing of OIA response
We intend to publish our response to your request on Inland Revenue’s website
(ird.govt.nz) as
this information may be of interest to other members of the public. This letter, with your personal
details removed, may be published in its entirety. Publishing responses increases the availability
of information to the public and is consistent with the OIA's purpose of enabling more effective
participation in the making and administration of laws and policies and promoting the
accountability of officials.
Thank you again for your request.
Yours sincerely
Pip Knight
Service Leader, Marketing & Communications
Page 2 of 2
