From prostitutes to Belgian pensioners: in the tax authorities's privacy-infringing RAM system, the Random Research

Fiscal control For the supervision of taxpayers, the tax authorities's RAM system was crucial. But security control was all but out of the question. On Thursday, the House of Representatives will debate the situation at the service.

• Authors
  • Stefan Vermeulen
  • and Derk Stokmans
• Published onMarch 12, 2025 at 22:30

Tax office employees selected Chinese and Turkish entrepreneurs for a tax audit because “it was assumed” that they often incorrectly report illegal immigrants. As a contribution to “the Italian mafia analysis team”, the Dutch Italians and linked their names to police systems are selected. The employees ask for information about the second nationality of taxpayers “to imagine a person”. It was also “regularly” selected by zip code to identify groups of taxpayers in certain neighborhoods.

The tax authorities have done this since 1998 with the self-built computer system RAM (“Risk Analysis Model”). In that system, all information within the tax authorities about millions of citizens was brought together, supplemented with information from, for example, the Land Registry, the Chamber of Commerce and the Road Traffic Department. Using RAM, employees can spend twenty years browsing, combining and selecting almost limitless information, looking for citizens who they felt deserved extra attention from the tax inspector.

With RAM, a supervisor had a powerful tool for powerfully combining all kinds of data and making selective cross-sections.

KPMG

The system was crucial for monitoring taxpayers, but it was hardly secured and usage was not controlled. What data was retrieved from the system and what happened in the process were not kept. All these risks were known to the tax authorities, but were accepted. The use of RAM was not reported by the Data Protection Authority, although this was mandatory.

After NRC in 2023 had revealed the use of RAM and had received the tax authorities's careless handling of privacy-sensitive data , KPMG consultants were commissioned to investigate the use of RAM.

The results this, and more than fifteen hundred pages of internal documents released by the Ministry of Finance, show how extensively and carelessly the tax authorities use RAM. Outdated KPMG has also noticed new details. For example, it appears that elements of the RAM system were still used until 2021, although the system was formally shut down in 2018. Two external employees, from ICT company CapGemini, can switch off all RAM data — and thus view all taxpayers' data.

KPMG recently found a copy of the FSV in an old RAM print on a network drive owned by the tax authorities, the infamous “black list” who played an important role in unfairly stopping surcharges in the Allowance Scandal, and who, according to the tax authorities, was deported and was no longer accessible to employees.

In 2021, the Rutte III cabinet fell over the Allowance scandal, in which the tax authorities seriously disadvantaged citizens by using their data in a careless and discriminatory manner. Pieter Omtzigt, now NSC party leader, made a name for himself with his relentless criticism of the treatment of allowance parents by the tax authorities.

In other circumstances, RAM could overcome a new political and social nightmare for the tax authorities. Because his three-hundred-page report shows that KPMG has probably only described the tip of the iceberg and that using RAM for many more hamburgers could have adverse consequences because ten potential people were seen as fraudsters. But political attention to the subject is affected.

How many citizens have been wrongly edited by RAM is not transparent. Although the system was used intensively for twenty years, due to the careless use of RAM, hardly any written traces of the consequences were found by KPMG.

RAM combined unbridled access to hundreds of data with an almost total lack of control

RAM combined unbridled access to hundreds of individual taxpayers' data with an almost total lack of control over the use of the system. According to KPMG, this causes a “high risk of loss or unlawful access to use” of data, without the chance that this can be discovered. These were risks that were actively known within the service. In 2017, the tax authorities themselves concluded: “The process is not secure. From start to finish, it's a craft that involves a lot of people. All these people have access to data that they shouldn't have access to.”

And that wasn't just data. The tax authorities have perhaps the most and most confidential data of all government services, of all Dutch people. For example, RAM all data about income, assets and debt, how many cars, investments and real estate someone has, details about the (tax) partner, such as the start date of the relationship, what nationality the partner has, when they immigrated, and hundreds of other data.

Precisely for this reason, RAM was an extremely popular tool within the service that was used intensively. “With RAM, a supervisor had a powerful tool for powerfully combining all kinds of data and making selective cross-sections,” KPMG writes. The idea was that the limited supervisory capacity of the service could be used in a targeted manner. The pressure to detect tax evasion and tax fraud was high in these years. In the eyes of the service, an alternative to RAM did not exist, employees told KPMG.

RAM, mainly huge amounts of data, but its quality was uncertain, writes KPMG. Information in RAM can sometimes be one year old, and inspectors frequently work with old RAM outputs. Some data has not been refreshed at all, but remains in RAM. There were no formal processes to verify the accuracy of data in RAM; corrections became indirect. All habits have increased the risk that citizens will be selected for close supervision on the basis of damaged or outdated information.

KPMG found that three general user accounts were not traceable to an individual employee

On the impossible in 2017, two hundred employees had “authorization” to view all data in RAM. But in practice, many more employees had access to the data. First, KPMG found three general user accounts that “are not traceable to an individual employee.” The researchers did not find out “who has the login details for these user accounts”.

Authorized user data could also extract from RAM for employees without access and “place it in unsecured Excel format on a USB stick or send it by email” to colleagues. This happened on a large scale; in 2017, for example, there were 21,394 such RAM extractions. KPMG did not find any restrictions on requesting information. The unsecured files can be edited and shared by the recipient without technical restrictions. When the use of RAM was curbed in 2017 after internal criticism, according to an internal report, “informal circuits” were created so that employees could still access RAM data.

The mountains of information that were thus disseminated are still roaming around, according to the KPMG investigation. Although RAM has been formally off for seven years, and the tax authorities had tried to clean the internal drives of leftover RAM information, after a digital search of the network drives, KPMG found 1,170 unsecured Excel files with RAM extractions (2,662 files in total, but they were partly duplicate). In total, more than 21 million lines of data existed. This included information that should have been stored on network drives for years as highly sensitive components, and therefore not unsecured — criminal information about citizens, information about nationality and data from the FSV “black list”.

And there is certainly more, according to conversations that compare KPMG with employees: “We learned in interviews that files with RAM selections could now also be stored on employees' local drives and USB sticks”.

Where this highly sensitive information ultimately ended up, and what happened with it, cannot be published, writes KPMG. “Most of these documents do not identify who performed these analyses, how these analyses were performed, how RAM was used, what RAM data and extractions used, whether these analyses were prohibited from a monitoring project, which citizens/companies were selected, and whether follow-up and enforcement actions based on these selections of RAM data were explained.”

Information requests from outside

According to KPMG, it also states that the tax authorities often share data with external parties. Data from RAM was provided to partnerships with various government organizations, such as the UWV, DUO, SVB, the Public Prosecutor's Office, the police, De Nederlandsche Bank, the ministries of Justice and Security, Internal Affairs and Social Affairs, municipalities, the Royal Military Police and the IND.

The focus was on supporting other government departments to detect and prosecute specific violations of the law. For example, the tax authorities provided data to projects to combat real estate fraud, hemp cultivation, money laundering, coffee shops and grow shops, human trafficking, false constructions, address fraud, “all types of fraud from IND”, “getting manipulation off the street”, projects to help municipalities “find the blind spots in their suitable control objects for supervision and enforcement”.

Sometimes these are very specific requests for information. For example, KPMG found a data delivery to a regional partnership against organized crime that was about “a specific family, in response to a report”. KPMG also writes that it cannot rule out that other services had direct access to the system.

Gut feeling

The information that KPMG found suggests that tax inspectors followed their gut when deciding to subject citizens to additional scrutiny. This did not only happen by selecting Chinese or Turkish entrepreneurs, because they would often be employed illegally. “Nationality data was used [as a selection tool] when there were signs that certain domestic fraudsters were present,” several tax officials told KPMG.

Even if data about (second) nationality were not explicitly used as a selection tool, they were still included to inspectors. For example, she was among a third of the unsecured excel files that KPMG found on the tax authorities network drives.

Other snippets of information that KPMG found also gave the impression that tax inspector's feelings and arbitrariness played a role. For example, there were projects about the Beverwijk bazaar, fish stalls, trailer camps, prostitutes, “Belgian pensioners”, bankruptcies of Amsterdam taxi companies and the allegedly poor tax morals of divorced entrepreneurs.

Taxpayers who had received a penalty or administrative fine in the past were also appointed for additional supervision. Because, missing inspectors told KPMG: “'The proven fact' that 'something has been wrong' before [gives] a double chance that something may be 'wrong again'.” By the way, this criminal information had not been updated in RAM since 2016. For example, people who were convicted but acquitted on appeal were still able to use RAM “selected for investigation based on limited data”, concludes KPMG.

According to KPMG, the effects of RAM on citizens are not too noticeable, because actual use of the system has not been (systematically) recorded

What now? On Thursday, the House of Representatives will debate with Secretary of State Tjebbe van Oostenbruggen (Tax Administration, NSC). As a result of the KPMG investigation, he already reported that “the tax authorities should not and should not have used RAM”, and that he “regrets” that.

The cabinet is having additional research carried out into whether the use of RAM has violated individual citizens' fundamental rights. The results are expected in June.

But the crucial question of what the effects of RAM use were for citizens, according to the KPMG report, there will be no satisfactory answer. “Because the use has not been (systematically) recorded,” writes KPMG, it is “not possible” to discover that.

According to KPMG, the only way to find out is to “examine] whether, and how, RAM data is used and what possible adverse effects occurred during the 20-year period of use of RAM, each correction to a report or surcharge for each (absentee/misdemeanor) penalty.” An executable assignment, says the consultancy firm.

A version of this article also appeared in the newspaper of March 13, 2025 .