The Revenue Commissioners has suffered more than 370 data breaches over the past 18 months.
Among the breaches were tax files being sent to ex-spouses, a former employee who had not returned encrypted devices and files and dozens of cases of information being sent to the wrong address.
Revenue said there had been 256 data breaches throughout last year with a further 119 in the period from January to June 2023.
A database, released under Freedom of Information, shows the most common types of incident were staff data getting sent to the wrong recipient within Revenue or taxpayer data getting disclosed to third parties.
There were a large number of breaches due to mix-ups between family members or where partners had split up. In one case, two brothers each received the other’s tax information after an incorrect tax reference number had been provided to one of their employers.
There were two cases where Revenue correspondence was sent to the address of an ex-spouse, both where the person involved had not yet provided a change of address. In another case, a taxpayer’s details were made available to an ex-spouse due to a mistake by the tax authorities.
Revenue staff data was viewable by other colleagues due to what was described as an “error by [a] third party”. One case saw taxpayer data disclosed to a former member of staff by accident, while a large number of breaches were reported where data was sent to the wrong firm of accountants or tax agents.
One entry in the database detailed the disclosure of a taxpayer’s data to a Government department in error.
Among the most serious breaches logged by Revenue was a case involving the “failure by [an] ex-staff member to return encrypted devices and files”.
[ PSNI data breach: man arrested is released on bailOpens in new window ]
A spokeswoman said that the Revenue Commissioners held and processed a huge amount of data as part of its core work.
“A relatively small number of data breaches, mainly caused by human error, occur from time to time,” she said. “The risk of human error cannot, by its nature, be totally eliminated but Revenue strives to minimise and manage such risk.”
She added that where a data breach was likely to result in a risk to the rights and freedoms of the individual involved, the Data Protection Commission was notified.
