Report 2022

4.5.3. Information security. Access control

The Tax Agency has established an Information Security Policy, approved by Resolution of the Presidency of the Tax Agency dated November 8, 2012. The policy is aligned with the National Security Scheme and has been developed into security operating standards and procedures. It is the instrument the Tax Agency uses to achieve its objectives while using information and communications systems securely.

The Tax Agency has adapted its information systems to the General Data Protection Regulation and Organic Law 3/2018 on the Protection of Personal Data and guarantee of digital rights. In 2022, the Internal Audit Service coordinated the participation of the Tax Agency in the TAXUD group on “Data Protection Compliance”, which adapts the shared tax and customs systems in the European Union to protection legislation by developing joint responsibility agreements between Member States and the European Commission.

In addition, the Audit Service represents the Ministry of Finance and Public Service in the Interdepartmental Group for the protection of critical infrastructures.

Within the framework established by the Information Security Policy, the Tax Agency has information protection and security mechanisms, most notably the management of users and authorizations and access control, whose purpose is primarily preventive.

This control system, driven and supervised by the Internal Audit Service, is based on the registration of accesses. Every time a user accesses the corporate information system for an enquiry or for a management activity, they must declare the reason for access. Any access to tax information of a personal nature is registered together with a series of technical and administrative data which reveal its context and facilitate subsequent control. The registration and access control processes continue to operate in the same way when the public employee is teleworking.

The accesses of greatest risk are selected and audited, in accordance with the risk analysis and the guidelines of the Tax Computing Security and Control Commission. If the controller considers an access to be seriously or very seriously improper, they can initiate a disciplinary proceeding, if applicable. Currently, the ratio of users with some non-compliant access is one for every 441 audited users.

In 2022, more than 127,000 access audits were carried out, and justification of some access was required for 80.05% of the total users of the Tax Agency. As a consequence of this access control, 6 disciplinary proceedings have been initiated to date.

Finally, transfers of information from the Tax Agency to public bodies, covered by article 95 of the LGT, have security and control measures equivalent to the previous ones, regardless of their supply channel. These measures extend to the security and confidentiality of international exchanges of tax information. In accordance with the peer reviews agreed upon within it, the Global Forum on Transparency and Exchange of Tax Information (OECD) concluded, at the end of 2022, a security and confidentiality audit of the international exchanges carried out by the Spanish jurisdiction, with a favorable opinion.