Barry Heneghan (Dublin Bay North, Independent)
Link to this: Individually | In context

55. To ask the Minister for Finance the reason no annual report of the Revenue Commissioners has ever reported a single personal data breach of either the Data Protection Acts 1988 and 2003, or of the GDPR; the number of such breaches that occurred in each year from 2010 to 2024, the number of each such number were the result of the unauthorised or unlawful destruction of the personal data of data subjects; and if he will make a statement on the matter. [24790/25]

Paschal Donohoe (Dublin Central, Fine Gael)
Link to this: Individually | In context

I am informed by the Revenue Commissioners that Revenue is aware of and complies with its obligations under data protection legislation (i.e. the Data Protection Acts 1988 to 2003 and, from May 2018, the General Data Protection Regulation and Data Protection Act 2018).

Revenue reports the personal data breach statistics to the Data Protection Regulator, who publish these figures. There is no requirement for Revenue to publish details of personal data breaches.

The table below details the number of personal data breaches for the years 2013 to 2024:

Revenue have advised that the number of personal data breaches for the years 2010 to 2013 have not been recorded. Similarly, the number of breaches due to unauthorised or unlawful destruction of personal data is not available.

Barry Heneghan (Dublin Bay North, Independent)
Link to this: Individually | In context

56. To ask the Minister for Finance the number of phone call recordings unlawfully destroyed by the Revenue Commissioners in the absence of a disposal certificate made by the Director or a Designated Officer of the National Archives for each year since 2018; and if he will make a statement on the matter. [24791/25]

Paschal Donohoe (Dublin Central, Fine Gael)
Link to this: Individually | In context

I am advised by the Revenue Commissioners that it operates multiple telephone lines dedicated to different taxes and duties. Each phone line informs taxpayers that “for quality and customer satisfaction purposes, this call may be recorded”.

During telephone interactions, the taxpayer’s identity will be verified in order to discuss potential confidential matters. The call recordings will therefore contain personal information as defined by Article 4(1) of the General Data Protection Regulation (GDPR). The recorded lines fall under taxpayer information and so the provisions of section 851A of the Taxes Consolidation Act 1997 that guarantees taxpayer confidentiality applies. Therefore, the call recordings won’t be transferred to National Archives.

Call recordings are included on Revenue’s record retention schedule published on revenue.ie at: www.revenue.ie/en/corporate/documents/records-retention-schedule.pdf. This document is published to meet Revenue’s transparency obligations under Articles 13 and 14 GDPR. The retention period is set based with regard to the data protection principles (Article 5 GDPR) of storage limitation, data minimisation and proportionality. The retention period for call recordings is 6-12 months (page 40). Calls are deleted thereafter.

The table below provides details on the volume of calls received by Revenue’s telephone services and then deleted after the 6-12 month retention period: