2017 Report

4.5.3. Information security. Access control

The Tax Agency has established an Information Security Policy approved by a Resolution of the Presidency of the Tax Agency of 8 November 2012. The Information Security Policy is the instrument used by the Tax Agency to achieve its objectives using the information and communications systems in a secure manner.

In 2017, the Tax Agency carried out its adjustment to Royal Decree 951/2015, which modifies the National Security Law Outline in the field of Electronic Administration, and launched the adjustment of its information systems to the EU General Data Protection Regulation (Regulation (EU) 2016/679), applicable as of 25 May 2018.

Within the framework established by the Information Security Policy, the Tax Agency has data protection and security mechanisms in place. These include the management of users and authorisations and the control of accesses, which has an eminently preventive purpose.

This control system, driven and supervised by the Internal Audit Service, is based on the registration of accesses. Every time a user accesses the corporate information system for an enquiry or for a management activity, they must declare the reason for access. Any access to tax information of a personal nature is registered together with a series of technical and administrative data which reveal its context and facilitate subsequent control.

The accesses of greatest risk are selected and audited, in accordance with the risk analysis and the guidelines of the Tax Computing Security and Control Commission. If the controller considers that it is a serious or very serious improper access, they can initiate a disciplinary proceeding, if applicable. Currently, the number of users with improper access has decreased to one per 395 users. After the platform for processing audited accesses was renewed in 2015, in 2017 a new process for access selection with random risk criteria was implemented to replace the previous process.

In 2017, justification of access was required for 81.97% of the total number of users of the Tax Agency. As a result of this access control, 22 disciplinary proceedings were initiated.

Lastly, information transfers from the Tax Agency to public bodies, protected by article 95 of the LGT, have security and control measures in place equivalent to those described above.