2018 Report

4.5.3. Information security. Access control

The Tax Agency has established an Information Security Policy approved by Resolution of the Presidency of the Tax Agency, dated November 8, 2012, aligned with the National Security Scheme. The Information Security Policy is the instrument used by the Tax Agency to achieve its objectives using the information and communications systems in a secure manner.

In 2018, the Tax Agency completed the adaptation of its information systems to the European General Data Protection Regulation (Regulation (EU) 2016/679), applicable as of May 25, 2018, establishing in particular a specific procedure for attending to the exercise of the rights of citizens recognized in the Regulation. The process of adapting to Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights has also begun.

Within the framework established by the Information Security Policy, the Tax Agency has information protection and security mechanisms, including user and authorisation management and access control, the purpose of which is eminently preventive.

This control system, driven and supervised by the Internal Audit Service, is based on the registration of accesses. Every time a user accesses the corporate information system for an enquiry or for a management activity, they must declare the reason for access. Any access to tax information of a personal nature is registered together with a series of technical and administrative data which reveal its context and facilitate subsequent control.

The accesses of greatest risk are selected and audited, in accordance with the risk analysis and the guidelines of the Tax Computing Security and Control Commission. If the controller considers an access to be a serious or very serious improper access, they can initiate a disciplinary proceeding, if applicable. Currently, users with any non-compliant access have dropped to one for every 485 users audited. In the three-year period 2015-2017, the platform for processing audited accesses and the access selection process using random and risk criteria were renewed.

In 2018, 81.32 percent of all Tax Agency users were required to provide justification for access. As a result of this access control, 8 disciplinary proceedings have been initiated to date.

Finally, transfers of information from the Tax Agency to public bodies, covered by article 95 of the LGT, have security and control measures equivalent to the above, regardless of their supply channel.