Select Committee on Treasury Appendices to the Minutes of Evidence


Fifth supplementary memorandum submitted by the Inland Revenue


  1.  The Department is now in its third year of offering a free Internet service for self assessment whereby taxpayers who choose to do so can file their tax return online. This service supplements the Electronic Lodgement Service (ELS) which provides a service for agents to file electronically using commercial software packages and over Electronic Data Interchanges (EDI) lines. The numbers who have successfully filed via these services are:


1997-9846,129 46,129
1998-99201,464 201,464
1999-2000312,137 312,137
2000-01302,87739,290* 342,167
2001-02343,08579,287 422,372
2002-03 (To date)27,099 23,50450,603

Totals1,232,791 142,0811,374,872

* FBI introduced 2000-01.

  2.  Throughout the period the Department has followed a strategy of encouraging the software industry to develop commercial products for the Internet service while providing a basic, and free, Inland Revenue product. All products are directly accessible via the Inland Revenue website. This was made possible because the Department was at the vanguard of using the then emerging standards for internet products and in particular the joint development in full collaboration with the software industry of "XML schema" - the basic technical building blocks for the online products. Any product adopting these schemes can pass electronic data directly to the Department. In practice the Inland Revenue product has been by far and away the most popular vehicle. Last year 88 per cent of filers used the Inland Revenue product.

  3.  The Department has evolved the product in the light of both experience and technology developments. The product used in the first year required the issue of a CD-Rom - which was then the most popular approach throughout the industry. This presented some problems. Any "bugs" in the product, for example, could only be addressed by sending updated CD-Roms. Some computers, for example Apple Macs, could not be used. The second year product was an internet-based form online but restricted to the 3 main schedules. This was deliberate to encourage the software industry to create products. But, in the light of the popularity of the Inland Revenue product and lower than forecast take up rates, it was decided that this year's product should cover the main schedules covering 91.47 per cent of the SA population not represented by agents. A separate agent service was developed in August 2001. We have designed the product to make the filing experience as straightforward as possible for the taxpayer. Key features include:

    —  a Q&A approach so that only relevant questions are displayed

    —  a facility to store a part-completed return

    —  online help including, for example, pop-up tables to record interest from different accounts

    —  automatic calculation

    —  item by item validation so that incorrect entries can be flagged back to the taxpayer.

  Electronically filed returns are automatically entered on Revenue systems, rather than manually keyed from paper returns. The overall process is much accelerated and repayments, for example, are made in days.

  4.  Take up rates are a key issue. The table below shows graphically the encouraging and upward trend.

  5.  The blip in this year's figures was caused by the security incident which caused us to take the service down at the end of May. On the weekend of 25 and 26 May, four customers contacted the department's Electronic Business Unit Helpdesk to report seeing information on another person's return while using the online self assessment service. Customers could also add or overwrite information on that other person's return. The Revenue's online service was withdrawn although taxpayers could continue to use alternative products. Subsequently a further nine contacts were received from customers making 13 in all.

  6.  The department takes taxpayer confidentiality very seriously and once the service was withdrawn an immediate investigation was started involving the department's strategic partners EDS, the e-Envoy's Office, and an independent specialist Internet security company. It was quickly established that the systems were not "hacked" into.

  7.  The department has now completed what was a thorough and exhaustive review and the service was successfully restored on Friday 28 June. The reason for the problem, in the event, turned out to be very complex. In summary, we found aspects of our own technical design meant that we were vulnerable to someone outside our control storing information that they should not have stored. This in turn meant that two different people could share an online "session" because our system thought they were the same person. That is how some people were able to see another person's information. In nearly all cases, the problem manifested itself through customers of one Internet service provider (ISP). But ISPs out-source or subcontract many of their services including storing information, so the picture is complex, and it would not be fair to single out one ISP for blame.

  8.  We have already made a number of changes to ensure that this will not happen again. These will ensure that we improve our own design so that we are not vulnerable to bad practices by others outside our control. The approach is very much a belt and braces one, based on fixing the problems but also fitting alarms so that we can act immediately if two users ever share the same session again.

  9.  As part of the review we have taken active steps to establish how many customers may have had their details seen by someone else. This has been an enormous exercise, because we had to go right back to 6 April, involving literally millions of computer logs, but we took the view that it was vital for customer confidence and the Department's reputation that we established as much certainty as we could.

  10.  We now know that 27,967 taxpayers have used SA Online without details being seen by anyone else. There are 47 cases where the returns could have been seen by someone else (even though this may have been only the pre-populated name and address) and a further 665 cases where we cannot be certain that someone's tax return was not seen by another person, but have no reason to believe that it was. We have written to all the taxpayers who were or could have been affected, or their representatives. In the interests of confidentiality we will be deleting the relevant records in SA Online. The response from those affected to date has been remarkably positive. The most common query to our Helpline has been to ask when the service was going to be restored.

  11.  The department recognises that there are lessons to be drawn from incidents like this one: some of them raise wider issues of internet security more generally. The department is now working actively with the e-Envoy's office to ensure that these lessons are shared more widely.

  12.  Since the service was restored take up volumes are coming near to the peak levels experienced last September, an encouraging sign that the speed with which the department reacted to the problem and the thoroughness of its examination has paid dividends.

Inland Revenue

17 July 2002

previous page contents

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2002
Prepared 25 July 2002