10.2.13  Information Protection

Manual Transmittal

August 06, 2012

Purpose

(1) This transmits revised IRM 10.2.13, Physical Security Program, Information Protection.

Background

This revision addresses new and revised Department of Treasury policy and guidance relating to protecting and handling sensitive information.

Material Changes

(1) The IRM was revised as follows:

  1. Applicable updates based on new/revised policy and guidance on protecting and handling sensitive information.

  2. IRM 10.2.13.4.4.1. Incorporated Interim Guidance on IRS Agency-Wide Shipping Policy and Procedures for Personally Identifiable Information (PII), dated March 29, 2012, Control #: PGLD-10-0312-01.

  3. IRM 10.2.13.4.5. Incorporated Interim Guidance on Disposition and Destruction of Sensitive but Unclassified (SBU) located on IRS Contractor Facilities, IRM 10.2.13, dated August 16, 2011, Control #: AWSS-10-0811-02.

  4. New IRM 10.2.13.4.7. Added procedures relating to Incident Reporting.

(2) Made various grammatical and editorial changes throughout and renumbered subsections, where applicable, to improve the flow of information.

(3) Removed exhibits that are reproductions of the documents accessible to employees on the Electronic Publishing website. This will ensure employees have access to the most current version. This includes: Form TD F 15-05.11, Sensitive But Unclassified (SBU) Cover Sheet; Form 3210, Document Transmittal; and Form 9814, Request for Mailing/Shipping Service.

Effect on Other Documents

This IRM supersedes 10.2.13, Information Protection, dated September 28, 2008. This IRM also incorporates Interim Guidance on IRS Agency-Wide Shipping Policy and Procedures for Personally Identifiable Information (PII), dated March 29, 2012, Control #: PGLD-10-0312-01, in IRM 10.2.13.4.4.1. and Interim Guidance on Disposition and Destruction of Sensitive but Unclassified (SBU) located on IRS Contractor Facilities, IRM 10.2.13, dated August 16, 2011, Control #: AWSS-10-0811-02, in IRM 10.2.13.4.5.

Audience

Servicewide

Effective Date

(08-06-2012)

Signed by Norris L. Walker
Director, Physical Security and Emergency Preparedness

10.2.13.1  (08-06-2012)
Overview

  1. This IRM provides policy and guidance on protecting and handling sensitive information.

  2. The protection of information is of vital concern to the Service. Every effort must be made to ensure that all documents are provided protection commensurate with the information therein.

10.2.13.1.1  (08-06-2012)
Responsibilities

  1. The Chief, Agency-Wide Shared Services (AWSS), is authorized to prescribe the IRS Information Protection Program for use within the IRS. The Director, Physical Security and Emergency Preparedness, is responsible for oversight of the IRS Information Protection Program.

  2. IRS employees, contractor personnel and consultants must be aware of and comply with safeguarding requirements for SBU information. Personnel should also be aware that divulging SBU information without proper authority could result in administrative or disciplinary action (including termination of contract). The lack of a SBU marking does not necessarily mean the information is not sensitive nor does it relieve the creator or holder of such information from responsibility to appropriately safeguard the information from unauthorized use or inadvertent disclosure.

  3. IRS officials who create SBU information are responsible for determining how long the information must be protected, for example, either by date or lapse of a determinable event. Unless otherwise noted on a document, information marked as SBU will generally no longer be treated as sensitive after 25 years except as provided by statute, law or agency regulation.

    1. Previously generated sensitive information of IRS origin will be subject to release determinations under the FOIA/Privacy Act.

    2. Information creators, not system-operators, will determine what information requires protection depending on the nature of the information and the environment in which it is processed and stored.

    3. SBU information will not remain designated as such when its disclosure would no longer reasonably be expected to adversely impact economic, industrial, or international financial institutions; or compromise unclassified programs or essential operations or critical infrastructures.

  4. IRS security officials will provide routine oversight of measures in place to protect SBU information through a program of routine administration and day-to-day management of their information security program.

  5. IRS supervisors and program managers are responsible for employees being trained to recognize and safeguard SBU information supporting their mission, operations and assets. Supervisors and managers will also ensure an adequate level of education and awareness is maintained by affected employees. Education and awareness will begin upon initial employee assignment and be annually reinforced through mandatory training, staff meetings or other methods/media contributing to an informed workforce.

  6. IRS employees are also responsible for protecting SBU information supporting their mission, operations and assets. Protection efforts will focus on preventing unauthorized or inadvertent disclosure and especially when visitors enter areas where SBU information is handled, processed, discussed or stored. This includes being aware of surreptitious and accidental threats posed by high-end communications technologies carried/used by employees and visitors, such as cell phones (with or without photographic capability), personal data assistants, portable/pocket computers, cameras and other video imaging recorders, flash drives, multi-functional and two-way pagers, and wireless devices capable of storing, processing or transmitting information.

  7. IRS program managers and contracting officials are also responsible for requiring appropriate security contract clauses for personnel, facilities, and information protection through the acquisition process of contracts or grants that concern access to SBU information.

10.2.13.1.2  (08-06-2012)
Terminology and Data Types

  1. For the purpose of this IRM, the terms "tax data" and "tax information" include "return" and "return information" as defined in IRC 6103(b). See Exhibit 10.2.13-1.

  2. In addition to tax data, there are many other documents that require protection from disclosure, such as classified national security information, informant communications, personnel files and employee medical records, investigator files, security clearance files, employment testing materials, grand jury information, passwords, and proprietary information belonging to either the IRS, contractors, or taxpayers.

  3. Information such as training material, statistical files and various internal communications may require protection from disclosure and undesired dissemination. The manager of the function originating the information will determine the degree of protection required, if any, and will work with the physical security staff to implement appropriate protective measures.

  4. The sensitivity of information on media such as magnetic tapes or disks, memory sticks/flash drives, microfilm, microfiche, etc., may not be readily apparent without the use of equipment. Therefore all Service personnel must take care to ensure they store information on approved storage media and that they recognize information which requires protection regardless of the media on which that information is contained. For additional guidance on security of computer systems and magnetic media, see IRM 10.8.1, Information Technology (IT) Security Policy and Guidance.

10.2.13.1.3  (08-06-2012)
Resources

  1. Material relating to Privacy and Government Liaison and Disclosure matters includes:

    • IRM 11.3.12, Designation of Documents, regarding unauthorized disclosure of official information, including personally identifiable information (PII).

    • IRM 11.3.16, Privacy Act Notification Programs, relating to disclosure of an individual's social security number.

    • IRM 11.3.32, Disclosure to States for Tax Administration Purposes.

    • IRM 10.23.3, Personnel Security/Suitability Program.

    • IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

    • IRM 10.2.8, Physical Security Incident Reporting.

  2. In addition, records control information referenced in this document includes:

    • IRM 1.15.2, Types of Records and Their Life Cycle.

    • IRM 1.15.3, Disposing of Records.

    • IRM 1.15.29, Records Control Schedule for Submissions Processing Campus Records, will be followed for the packing and shipping of tax data.

10.2.13.2  (08-06-2012)
Disclosure of Tax Data

  1. Tax returns and return information are to be considered Sensitive But Unclassified (SBU) information. 26 USC 6103 provides the general rule that tax returns and return information are confidential and cannot be disclosed except as provided by title 26.

  2. IRC 7213 and IRC 7431 include civil and criminal penalties for willful or negligent disclosure of returns or return information.

  3. IRM 11.3, Disclosure of Official Information, contains guidelines governing whether tax returns and other information contained in Service files may be disclosed. Disclosure may not be made unless IRC 6103 authorizes disclosure and not before requirements in IRC 6103 and IRM 11.3 are met. The Office of Government, Liaison and Disclosure should approve proposed disclosures and ensure they meet the requirements of an exception in title 26 before disclosure to state governments.

  4. In addition to guarding against unauthorized disclosure of tax and national security information by Service employees, steps must be taken to prevent the possibility of such disclosure by non-Service personnel. Care must be taken to deny unauthorized non-Service personnel access to other than those areas which have been established for serving the public. With the exception of those places that have received approved waivers, all tax data in non-secured areas must be containerized during non-duty hours and must be protected from inadvertent disclosures during duty hours.

  5. For tax information disclosure, those individuals who have a "need-to-know", such as certain government contractors and vendor personnel, must be informed of the protection requirements under the law and in general must have a background investigation. Access to classified national security information requires more stringent controls which are addressed in IRM 10.9.1, National Security Information. Protection requirements should be provided in writing, citing the prohibitions, restrictions and penalties for unauthorized disclosure of tax return and return information under appropriate sections of the Internal Revenue Code for willful or negligent disclosure of returns or return information.

10.2.13.2.1  (08-06-2012)
Release of Tax Data Outside of IRS

  1. Any tax return or return information data whether magnetic media or photocopy impressions provided to any other Federal or state government activity may not be disclosed unless it is in compliance with the requirements of IRC 6103, and IRM 11.3, Disclosure of Official Information, which contains instructions for periodic review of the safeguards of Federal tax returns and return information established by such agencies receiving this material. These reviews are required to meet the provisions of IRC 6103(p). Procedures for conducting safeguard reviews can be found in IRM 10.2.3, Safeguard Reviews.

  2. However, information sensitivity may decrease with changes in circumstances and this may be a factor in determining whether SBU information will be released. The Privacy Act generally requires that information be made available to a person if:

    1. The information is retrieved by an identifier for that person, and

    2. There are no applicable exemptions, and

    3. If there is a Privacy Act request that meets regulatory requirements.

10.2.13.2.2  (08-06-2012)
Informant Information

  1. The identity of persons who furnish information regarding possible tax violations must be protected. All employees must, therefore, handle such information in strict confidence. See IRM 25.2, Information and Whistleblower Rewards. Such information must be given special handling to avoid disclosure to other than those employees having an absolute "need-to-know."

  2. As soon as informant correspondence is recognized by mail classifiers or other employees, it will be sealed in "To Be Opened by Addressee Only" envelopes and referral instructions in IRM 25.2.1, Receiving Information, will be followed. These same precautions also apply to claims for rewards, memorandums of oral interviews with informants, or any other communications which might, in any way, identify informants or by hand carrying the material to the appropriate office.

  3. In order to maintain maximum security, informant communications, claims for reward, claims for reward reports, memorandums or documents which identify informants will be stored in approved containers at all times, except when such documents are being processed. Access to such storage containers will be limited to the person or persons responsible for the security of the documents.

10.2.13.2.3  (09-30-2008)
State and Local Government Tax Returns

  1. State and local government tax returns and other non-Federal tax information will be protected in the same manner as the corresponding Federal tax return or tax information.

10.2.13.2.4  (08-06-2012)
Other Protected Information

  1. For other categories of protected information, such as those protected under the Privacy Act, see IRM 11.3, Disclosure of Official Information.

  2. Although the Service rarely has had an occasion to classify a document containing classified national security information, it does have custody of some documents so classified. IRM 10.9.1, Classified National Security Information, provides policy and guidance for safeguarding and handling information classified as Top Secret, Secret, or Confidential.

10.2.13.3  (08-06-2012)
Sensitive But Unclassified (SBU) Information

  1. Sensitive But Unclassified (SBU) information is any information that requires protection due to the risk and magnitude of loss or harm to the IRS or the privacy to which individuals are entitled under Section 552a of Title 5, United States Code (USC) (the Privacy Act), which could result from inadvertent or deliberate disclosure, alteration, or destruction.

  2. SBU is the primary term used to mark sensitive information originating in the IRS. The SBU marking identifies information, the release of which could cause harm to a person's privacy or welfare; may adversely impact economic, industrial, or international financial institutions; or compromise unclassified programs or IRS essential operations or critical infrastructures.

  3. Sensitive information (including tax and tax-related information) is any information which if lost, stolen, or altered without proper authorization, may adversely affect Service operations.

    Example:

    Unauthorized disclosure of an individual's tax information may cause lawsuits against Service officials as well as the Service, unwanted notoriety for the Service, and public distrust in the Service's ability to protect such information, all of which may result in an increase in noncompliance with tax laws. Furthermore, unauthorized release of information such as the name and address of an informant may threaten that person's life.

  4. Previous designations to label sensitive information such as "Limited Official Use," "For Official Use Only," "Market Sensitive," "Close Hold," "Eyes Only," "Privileged or Proprietary," et al., will not be used to identify SBU information produced within IRS unless a particular term is authorized by law, statute, or agency regulation. SBU information so marked is not meant for public release but controlled or restricted in conducting official IRS business.

  5. Access to SBU will be based on a determination that an employee, contractor personnel or consultant requires access to specific SBU information in order to perform or assist in lawful, authorized IRS governmental functions. While additional investigations may be needed for access to SBU information, a national security clearance is not required to access SBU information.

  6. Designating particular information as "sensitive" is not a license to:

    1. Conceal possible negligence, waste, or illegal activity;

    2. Prevent embarrassment to a person, organization, or agency;

    3. Restrain competition;

    4. Prevent or delay the release of information;

    5. Restrict access by executive, legislative, or judicial agencies, organizations, or officials.

  7. SBU information is not automatically exempt from provisions of the Freedom of Information Act (FOIA) requests or the Privacy Act. A FOIA request for SBU or other sensitive information must be evaluated to determine in each instance whether one or more FOIA exemptions apply. Such evaluations pertain to both marked and unmarked records that are subject to the FOIA. However, information sensitivity is expected to decrease with passage of time or changes in circumstances and this must be a factor in determining whether SBU information will be released. The Privacy Act also requires agencies to collect, maintain, disseminate and make available to a person his or her personal information as required by the Act and its implementing regulations. SBU may include, but is not necessarily limited to, information:

    1. Within international/domestic banking and finance sectors or otherwise protected by statute, treaty, or other agreements, or requiring protection until officially released

    2. Identifying IRS unclassified critical infrastructures/key resources, protective measures for safeguarding information, facility schematics, etc.

    3. Unclassified systems data, e.g., routing, configuration, engineering, systems-architecture, security surveys, personnel security files, or investigative type reports.

  8. Except for the term "LAW ENFORCEMENT SENSITIVE" used by other agencies and Department of the Treasury law enforcement components, e.g., Office of Terrorism and Financial Intelligence (TFI); IRS Criminal Investigations (CI) Division; Office of Inspector General (OIG); Treasury Inspector General for Tax Administration (TIGTA); the Financial Crimes Enforcement Network (FinCEN); and the Office of Foreign Assets Control (OFAC), descriptions similar to "Improper use of the report is a violation of 18 United States Code (USC) 641" used by the Comptroller of the Currency and the Office of Thrift Supervision (OTS) for bank exam/secrecy reports and "tax return information" restricted under IRC 6103, no other terms will be applied to IRS originated sensitive information determined to be SBU unless authorized by law, statute, or regulation.

  9. Other Federal, State and local government agencies, international organizations or foreign governments may use different terms to identify sensitive information. In most instances the safeguards are equivalent to SBU information. Some agencies and international organizations have additional requirements for their sensitive information.

    For example: "Warning: This document is FOR OFFICIAL USE ONLY (FOUO). It contains information that might be exempt from public release under the Freedom of Information Act (5 USC 522). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with Department of Homeland Security (DHS) policy relating to FOUO information and is not to be released to the public or other personnel who do not have a valid need-to-know without prior approval of an authorized DHS official."

  10. IRS users will follow protective requirements of the U.S. Government agency/organization providing sensitive information but are not expected to re-mark such information.

    1. When responding to FOIA/Privacy Act requests for information, updated decisions as to the continued value or need to protect such information will be noted on documentation for future reference prior to being returned to files.

    2. Employees will contact non-IRS originators of specifically marked SBU information for guidance or instructions on proper handling.

      Note:

      In the absence of such guidance the information will be safeguarded in accordance with the requirements contained in this section.

10.2.13.3.1  (09-30-2008)
Personally Identifiable Information (PII)

  1. Some Personally Identifiable Information (PII) is SBU information. Other PII is available to the public when a proper Freedom of Information Act (FOIA) request is submitted. SBU PII includes information protected by the confidentiality provisions of the Internal Revenue Code and the Privacy Act. PII includes the personal data of taxpayers, and also the personal information of employees, contractors, applicants, and visitors to the IRS. Examples of PII include, but are not limited to:

    1. Names

    2. Home addresses

    3. Social Security numbers

    4. Date of birth

    5. Home telephone numbers

    6. Biometric data (height, weight, eye color, fingerprints, etc.)

    7. Other numbers or information that alone or in combination with other data can identify an individual.

  2. Failure to protect PII could result in disciplinary action for employees and managers.

10.2.13.4  (08-06-2012)
Protective Measures for Sensitive Information

  1. The following requirements cover only the most sensitive types of information. Often, the employee or manager working with sensitive information not mentioned herein will be able to determine how much protection is required and how that protection can best be provided.

10.2.13.4.1  (08-06-2012)
Marking Requirements and General Handling Procedure

  1. Information designated as SBU and requiring such marking as determined by IRS components and especially those identified by FOIA and Privacy Act will be distinctly labeled so persons authorized access are readily aware of its sensitivity. IRS specific marking requirements are also addressed in IRM 11.3.12, Designation of Documents. The lack of SBU markings, however, does not relieve the holder from safeguarding responsibilities. Unmarked SBU information already in records storage does not need to be removed, marked, and restored. However, when individual items that have no markings are temporarily removed from storage (and are subsequently deemed to be SBU), they will be appropriately marked to reflect the correct status as SBU before being re-filed.

    1. Items containing SBU information will be prominently marked at the top/bottom of the front/back cover and each individual page with the marking "SENSITIVE BUT UNCLASSIFIED" or "SBU". Information system prompts may be adjusted to incorporate SBU markings in headers and footers.

    2. Portions, paragraphs and subject titles containing SBU information will be marked with the abbreviation "SBU" to differentiate it from the remaining text. Only when the entire text contains SBU information are individual portion markings optional.

    3. Controlling, decontrolling or originator information markings are not required.

    4. When sent outside IRS, SBU information documents will include a statement alerting the recipient in a transmittal letter or directly on the document containing SBU information, for example: "This document belongs to the IRS. It may not be released without the express permission of (creating office). Refer requests and inquiries for the document to: (insert name and address of originating office and contact number(s))".

  2. Protective measures start when markings are applied and end when such markings are cancelled or the records are destroyed. SBU information may be reproduced on regular office copiers to the extent needed to carry out official business. Flawed or otherwise unusable reproductions will be destroyed via shredding or placement in burn-bags.

  3. Although SBU is Treasury’s standard for identifying sensitive information, some types of SBU information might be more sensitive than others and warrant additional safeguarding measures beyond the minimum requirements established herein. Certain information might be extremely sensitive based on repercussions if the information is released or compromised – potential loss of life or compromise of a law enforcement informant or operation. IRS and employees must use sound judgment coupled with an evaluation of the risks, vulnerabilities, and the potential damage to personnel or property/equipment as the basis for determining the need for safeguards in excess of the minimum requirements contained herein.

  4. A green "SENSITIVE BUT UNCLASSIFIED" cover sheet, Form TD F 15-05.11, Sensitive But Unclassified (SBU) Cover Sheet, http://core.publish.no.irs.gov/othergov/pdf/56033c07.pdf, must be placed on documents that contain SBU material to prevent unauthorized or inadvertent disclosure when SBU information is removed from an authorized storage location and persons without a need-to-know are present or casual observation would reveal SBU information.

    1. When forwarding SBU information, place a SBU cover sheet inside the envelope and on top of the transmittal letter, memorandum or document.

    2. When receiving SBU or equivalent information from another U.S. Government agency, handle it in accordance with the guidance provided by the other U.S. Government agency. Where no guidance is provided, handle it in accordance with IRS policy as described herein.

10.2.13.4.2  (08-06-2012)
Dissemination and Access

  1. Dissemination and access requirements for SBU information include the following:

    1. Information designated as SBU will be orally, visually, or electronically disseminated in such manner to avoid access by unauthorized persons. Precautions might include preventing visual access and restricting oral disclosure to designated individuals. Websites, if available to the public, will not contain or provide links to SBU information.

    2. Tax information will not be released outside the Service except as provided in the Internal Revenue Code.

    3. Access to SBU information will be on a need-to-know basis as determined by the holder of the information. However, where there is uncertainty as to a person’s need-to-know, the holder of the information will request dissemination instructions from his or her next level supervisor or manager.

    4. Holders of SBU information will comply with any additional access and/or dissemination restrictions cited on the document.

    5. Unless marked to the contrary, SBU information officially released to the IRS may be provided to another U.S. Government agency without prior permission of the originator. Where there is uncertainty as to whether to release information or not, the holder of the information will request release instructions from his or her next level supervisor or manager.

10.2.13.4.3  (08-06-2012)
Storage

  1. A document containing information that requires protection must be stored in accordance with minimum protection standards whenever it is not in the custody of an authorized IRS employee.

  2. SBU information will be stored, at a minimum, in a file cabinet, desk drawer, overhead storage bin, credenza, or similar locked compartment. SBU information may also be stored in a room or area with physical access control measures affording adequate protection and preventing unauthorized access by the public, visitors, or other persons without a need-to-know. Examples include, but are not limited to, a key-locked room, or restricted access work area controlled by a cipher lock or card reader.

  3. To the extent possible, SBU information stored in the same container used for safeguarding classified information will be filed separately from classified information. When SBU and classified information are commingled in an IRS document or file, the required protection for the particular file will be the same as the highest level of classified information.

  4. Processing SBU information will comply with IRS systems security requirements for use of IRS-owned or -leased equipment. When laptop computers are not being used, the laptop will be secured or stored to protect it from loss, theft, and unauthorized access. Information contained therein or stored on removable disks will also be labeled and protected from unauthorized disclosure.

  6. Field employees, at times, have sensitive information at the taxpayer's site which should be stored at an IRS facility. Service managers must ensure that employees adequately secure such information at the taxpayer's site.

    1. Sensitive tax information, such as agent's work papers, original returns, examination plans, probes, fraud data, etc. which is housed at the taxpayer's site, must be stored in a container under the control of the responsible Service employee. This container must be either a security container furnished by the Service, or if using a taxpayer furnished container, it must be modified by the Service (e.g., bars and locks) so that the Service is assured that the taxpayer cannot access the container.

    2. During duty-hours, the data must be under the personal custody of the Service employee if it is not properly secured in approved containers. If a lockable and suitable container cannot be provided, sensitive tax information will not be left at the taxpayer's site.

10.2.13.4.4  (08-06-2012)
Transmission

  1. Tax information transmitted from one location to another must be provided adequate safeguards.

    1. If an employee hand carries material in connection with a trip or in the course of daily activities, keep it with him or her to the extent possible.

    2. If tax information must be left in an automobile, lock it in the trunk. If the vehicle does not have a trunk, conceal the material from plain view and secure it in some manner.

      Note:

      In either case, lock the vehicle and leave the material unattended for only a short period.

    3. If the material must be left in a hotel or motel room, lock it in a briefcase and conceal it to the extent possible.

      Caution:

      Do this as a last resort as a hotel or motel room is usually not a good location to leave tax information.

    4. If SBU information is being moved from one building to another (even within the same fence line) or one location to another even if it is a short distance, take necessary steps to protect the information from unauthorized disclosure, loss, damage or destruction.

  2. When sending SBU information by mail within the U.S. and Territories:

    1. Place SBU information in a single opaque envelope/container.

    2. Seal it to prevent inadvertent opening and to reveal evidence of possible tampering.

    3. Clearly identify the complete name and address of the sender and intended recipient or program office on the envelope/container.

      Note:

      SBU information may be opened and examined by mail room personnel in the same manner in which other incoming mail is evaluated and determined to be safe for internal delivery. SBU information will be mailed by U.S. Postal Service (USPS) First Class Mail. Use of express mail services or commercial overnight delivery service is authorized, as warranted.

  3. When sending SBU information to offices overseas:

    1. In general, transmit SBU information electronically via encrypted email.

    2. If serviced by a military postal facility, i.e., APO/FPO, mail SBU information directly to the recipient.

    3. Where the overseas office is not serviced by a military postal facility, send the information through the Department of State’s (DOS’s) unclassified diplomatic pouch. Coordinate in advance with State officials to ensure delivery at the final destination meets Treasury/IRS needs and State’s schedule for such deliveries.

  4. When transmitting SBU information via FAX, use of a secure fax is encouraged. However, SBU information may be transmitted via unsecured fax unless verbal or written restrictions have been cited by the originator. Where an unsecured fax is used:

    1. Obtain assurance by the intended recipient that the information will not be left unattended or subject to possible unauthorized disclosure on the receiving end. Such assurance may entail the recipient standing by to receive SBU information and immediately phoning the sender to verbally acknowledge receipt.

    2. The recipient of the information must indicate they will comply with any access, dissemination, and transmittal restrictions cited thereon or verbally communicated by the originator.

  5. When transmitting SBU information via Secure Communication: The use of Secure Telephone Equipment (STE) is encouraged though not required. When using a regular office telephone, employees will:

    1. Confirm speaking to an authorized person before discussing the information,

    2. Inform the person that the forthcoming discussion will include SBU information, and

    3. Identify in advance the part(s) of the discussion that are sensitive.

      Caution:

      Only under exigent circumstances should a voice-mail message containing SBU information be left for a recipient. Thereafter, IRS IT personnel will be engaged to effectively delete such messages except where the message itself is regarded as evidence by a competent investigative authority.

  6. When transmitting SBU information via E-Mail: Treasury/IRS internal e-mail systems provide sufficient safeguards to allow for the transmission of SBU information. However, it is up to the holder to determine if the information should be sent via e-mail or other means.

    1. If the holder determines the information is too sensitive to transmit via e-mail, then it should not be sent electronically. Make alternate secure arrangements to disseminate the information.

    2. If the holder determines e-mail provides sufficient protection, the information may be sent. For added security, send the information as an attachment rather than in the text of the message. The holder may then password-protect the attached file by activating the password capability of the word-processing program using a previously established password or a password sent to the intended recipient under separate cover.

      Note:

      Any message from an IRS mailbox used to transmit SBU information must be encrypted.

  7. Mass storage media will be transmitted in accordance with IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

  8. Tax data retired to a Federal Records Center will be transmitted via the use of SF 135, Records Transmittal and Receipt. Column “f” of this form will contain the following statement:

    "These are restricted records and must be guarded at all times from disclosure to unauthorized persons."

  9. Instructions provided in IRM 1.15.29, Records Control Schedule for Submissions Processing Campus Records, will be followed for the packing and shipping of tax data and all shipments will be coded "W" to require both restricted access and witnessed destruction.

  10. Tax data transmitted to other authorized agencies and jurisdictions will be transmitted in accordance with this guidance and record keeping requirements of IRM 11.3, Disclosure of Official Information.

    Note:

    These instructions do not apply to tax data transmitted to foreign governments in accordance with tax treaties.

10.2.13.4.4.1  (08-06-2012)
Shipping Personally Identifiable Information (PII)

  1. If the package contains PII (see IRM 10.2.13.3.1) and is being shipped through a private delivery carrier, the sender will follow the procedures included below for properly double packaging, double labeling, and tracking the shipment, including the use of Form 3210, Document Transmittal, http://core.publish.no.irs.gov/forms/internal/pdf/22150d10.pdf.

    Exception:

    Double packaging, double labeling, and the use of Form 3210 are not required when mailing via the United States Postal Service (USPS). Mail to taxpayers and mail to Post Office Boxes must continue to be sent via USPS. Packages containing PII that weigh less than 13 ounces may also be mailed via USPS.

  2. When shipping PII, the use of UPS CampusShip is mandatory at all locations except Campus locations and offices serviced by an AWSS contract mailroom. UPS CampusShip is an internet-based shipping system that can be accessed from any location that has internet access. UPS CampusShip has been rolled out across the country to IRS field offices that are not serviced by an AWSS contract mail room. Training material can be found in the following UPS CampusShip documents:

    • Document 12888, UPS CampusShip: Electronic Shipping Methods

    • Document 12889, UPS CampusShip: Advanced Features

  3. CampusShip allows employees to:

    1. Generate labels electronically.

    2. Secure current IRS address information from corporate address repository to improve accuracy of delivery. CampusShip features a Corporate Address Book which contains addresses for over 700 IRS locations; this improves accuracy of delivery since addresses are current.

    3. Track packages via the internet to easily verify their shipments arrived at the intended destination and to quickly identify a missing shipment, reducing the likelihood that PII could be lost or exposed to an unauthorized individual.

  4. Packages containing PII must be double-packaged and double-labeled prior to shipping. Double-packaging helps ensure the contents are protected if the outer package is damaged or destroyed during the shipping process. Duplicate shipping labels will allow the contents to be properly delivered without potential disclosure if the external package is damaged or destroyed.

    Caution:

    Shrink wrapping the external packaging or wrapping the external packaging in paper does not satisfy double packaging requirements.

  5. Employees shall evaluate the size of the PII shipment to be sent and identify appropriate packing materials. The appropriate type of internal and external packaging depends upon the size and weight of the package to be shipped. Use the smallest size packaging possible to reduce shipping costs and ensure minimal shifting of contents during shipment.

  6. The sender must also determine whether to ship via ground service or express (Overnight and Second Day Air) services:

    • Ground service should be used for shipping whenever possible. Ground service should always be the first choice; use express services only when absolutely necessary. There is no requirement that PII must be mailed via express services. For distances up to 500 miles, the regular ground service offered by the small package or motor freight carriers (depending on weight of shipment) can deliver your shipment within one or two days. For ground shipments, the business operating divisions provide the packaging material.

    • Express Services are generally the fastest mode of transportation available, but are also much more expensive. This mode should only be used when transit time requirements are very short and the urgency of the shipment outweighs the additional costs involved; for example, remittances, statute cases, tax court cases, etc. Small package carrier provided packaging (carrier branded envelopes and boxes) can only be used for express services and are provided at no cost.

  7. The sender will prepare Form 3210, Document Transmittal, identifying the package contents for all packages containing PII. For easier tracking, the sender may include the small package carrier tracking number in the "Remarks" area of Form 3210 on Part 4 (sender’s copy).

    1. If the sender is using the small package carrier's web-based system to electronically generate shipping labels, the tracking number is immediately available on the pre-printed UPS label.

    2. If the sender is using a contract mailroom, the sender should complete the sender's e-mail address section of Form 9814, Request for Mail/Shipping Service, http://core.publish.no.irs.gov/forms/internal/pdf/22023j11.pdf. The mailroom will enter this e-mail address when preparing the shipping label and the small package carrier will send an e-mail to the sender providing the tracking number. The sender can then place the tracking number on Part 4 of Form 3210 for proper record keeping.

    Caution:

    According to current instructions, Social Security numbers appearing on Forms 3210 should be redacted to show only the last four digits. Do not include the full SSN on Form 3210.

  8. Securely package the PII by placing the contents and the properly completed Form 3210 in an appropriately sized internal package. The sender will retain Part 4, Sender's copy, of Form 3210 and will include Part 1, Recipient’s copy, and Part 3, Acknowledgement copy, with the shipment. When possible, when sending the package to a specific individual, the sender may choose to notify the recipient via e-mail, phone, or other method prior to shipment that the package containing PII is being sent. The sender may also choose to send an electronic PDF version of Form 3210 via secure e-mail to the intended recipient so the recipient is aware of the expected shipment.

  9. Internal packaging may include any of the following:

    • An envelope: an E-20, Confidential Information envelope, is acceptable for this purpose.

    • A plastic bag: should be sturdy enough to support the weight of the contents without tearing; should be black, green, or a similar color so the contents are not readable through the plastic bag.

      Note:

      This is recommended as the easiest and most cost effective method for double packaging large case file shipments.

    • A small box: an undamaged smaller box that fits within the external shipping box.

  10. Label the internal package with the following information:

    1. Send To Address, including Mail Stop and/or Drop Point Number, if applicable

    2. Return Address, including Mail Stop and/or Drop Point Number, if applicable

    3. Sender's phone number

    4. Small Carrier tracking number, if available

  11. The sender may use a copy of the exterior small package carrier shipping label for the internal label.

    1. If using a small package carrier web based shipping system to label packages, print two copies of the generated label and attach one to the internal package.

    2. If using a hardcopy small package carrier shipping document to label packages, make a photo-copy of the original form and attach it to the internal package.

    3. If using Form 9814, prepare an internal label with the required information. A copy of Form 9814 can also be included with the internal label.

  12. Place the properly labeled, packaged, and sealed internal package into the external package. External packaging materials may include:

    1. Envelope: For shipping smaller case files and documents via ground service, use an IRS issued non-confidential envelope (E-44; minimum size 9 ½ X 12). Use an envelope or padded pack provided by the Small Package Carrier only when time constraints require shipping via express services.

    2. Box: Use an undamaged box specifically designed for shipping. Choose a box strength that is suitable for the size and weight of the contents you are shipping. For shipping smaller packages up to 10 pounds, use a small box ordered from an office supply vendor for ground shipments. Use boxes provided free of charge by the small package carrier only when time constraints require shipping via express services. For shipments over 10 pounds, the external box should be a suitable flap top, corrugated cardboard box rated with a bursting strength to support the contents. Never exceed the maximum gross weight for the box, which is usually printed on the box maker's certificate on the bottom flap of the box.

      Note:

      A standard Shipping Record Box (size 14.75” X 12” X 9.5”) that is used to retire files meets this requirement. If possible, use the Shipping Record Box Sleeve as the external packaging. File boxes used for Federal Record Center storage, combined with a sleeve box, will have a bursting strength exceeding 125 pounds per square inch and will be more than adequate for most ground shipments.

      Caution:

      Used copy paper boxes and other boxes with lids do not meet this requirement; boxes with lids can get caught on conveyer belts and damage or destroy the shipment.

  13. Whenever possible, use a new box; however, undamaged packaging materials may be re-used to ship PII. Only reuse a box if it is rigid and in good condition with no punctures, tears, rips or corner damage and all flaps are intact. Remove any existing labels and all other shipment markings if a box is being reused.

  14. If appropriately sized packaging is not available, use cushioning material inside the package so the contents do not move or shift when the package is shaken. Cushioning material should consist of materials that are readily available and can be re-used. It is not necessary to purchase prefabricated materials specifically designed to cushion packages for this purpose. Examples of cushioning material include non-confidential paper, shredded administrative paper, obsolete forms, newspaper, and/or commercially-purchased Styrofoam peanuts, air bags, etc. Place the cushioning material around the items in the box. Close and shake the box to see whether you have enough cushioning material; add more cushioning material if you hear or feel the contents shifting.

  15. External packaging material shall not be marked or labeled with information indicating that package contents include sensitive information. Packages can still be marked as "time sensitive" or "process immediately" as applicable to ensure documents are processed timely. Labels that indicate sensitive contents include, but are not limited to:

    • "Remittance" labels indicating package contents contain remittances.

    • Labels indicating package contents contain case files or re-files; an acceptable alternative method would be to indicate "Sort and Sequence".

      Note:

      Do not remove references to IRS from an envelope since it is necessary to include IRS on Return Address and Send To Address labels to ensure that the package is delivered to the intended location if any of the address information is incorrect.

  16. Seal the package with strong clear shipping tape that is two inches or more in width. Do not use string, paper over-wrap, shrink wrap and/or plastic straps.

  17. Place the shipping label on the top of the package and ensure it is properly adhered and will not separate from the box. Do not place the label over a seam or closure or on top of sealing tape since this could cause it to be damaged or removed from the package.

  18. The sender shall be responsible for monitoring the delivery of the shipment. Employees should follow their organization’s established timeframes for Form 3210 acknowledgement follow-up. Where there is no established timeframe in an individual organization, the follow-up action should take place in three business days for overnight shipments and ten business days for ground shipments.

  19. Once the shipment is received, the recipient will verify the contents were received and sign the acknowledgment copy of the Form 3210. The recipient will return the Form 3210 acknowledgement to the sender using secure e-mail (electronic or scanned copy), fax, or mail. If the SSN was not redacted as required on the Form 3210, redact all but the last four digits of the SSN prior to returning it to the sender. After receiving the acknowledgement copy, the sender will associate it with the original Form 3210.

    Note:

    No further action is required if the Form 3210 acknowledgment is received.

  20. If the 3210 acknowledgement isn't received within the established timeframe, the sender should access the small package carrier's website to track the shipment to determine if it was delivered successfully. The tracking number should have been included on Form 3210 when the shipping labels were prepared or after the number was received from the carrier if Form 9814 was used.

  21. If the tracking information indicates the package was delivered, the sender must call the intended recipient to confirm actual receipt of the package.

    1. If the recipient did receive the package, ask the recipient to complete and return the Form 3210 Acknowledgement.

    2. If the recipient didn’t receive the package, the package is considered lost within the IRS facility and the sender must follow the procedures for reporting a loss of hardcopy documents. The intended recipient should also initiate a search in their IRS facility when the carrier shows an individual signed for the package.

  22. If the tracking information indicates the package was not successfully delivered, the sender should closely monitor the tracking information for up to 48 hours (2 business days) after the anticipated delivery date for air services and up to 72 hours (3 business days) after the anticipated delivery date for ground services. If the package is not delivered within these timeframes, the package is considered lost and the sender should follow the procedures for reporting a loss of hardcopy documents.

  23. Within one hour of identifying that a package is lost, report the loss to:

    | WHO to CONTACT | IF the package | Take the following actions |
    |---|---|---|
    | Your Manager | | Contact your manager. |
    | Appropriate Incident Reporting Office | 1) Contains only hardcopy documents | Report to the Situation Awareness Management Center (SAMC): 1. Complete security incident reporting form at: http://awss.web.irs.gov/PhysicalSecurity/IR/Default.shtml, or 2. Call 1-866-216-4809. |
    | | 2) Also contains an IT asset (e.g., removable media, CD/DVD, flash drive, etc.) in addition to the hardcopy documents | Report instead to Computer Security Incident Response Center (CSIRC): a. Complete security incident reporting form at: https://www.csirc.web.irs.gov/incident/, or b. Call 1-866-216-4809. |
    | Treasury Inspector General for Tax Administration (TIGTA) | | Call 1-800-366-4484 |

  24. Managers shall perform, at a minimum, quarterly audits of the Form 3210 Acknowledgement process for packages containing PII to ensure appropriate follow-up is occurring. This procedure will allow IRS managers the opportunity to validate that PII senders are following up on Form 3210 Acknowledgments within defined timeframes so that lost shipments are identified quickly. This reduces the likelihood that the PII could be exposed to an unauthorized user. Local management should determine the proper follow-up timeframe as part of the manager’s operational review. Forms 3210 should be maintained in accordance with the existing record retention schedule for each Business Unit.

10.2.13.4.5  (08-06-2012)
Disposition and Destruction

  1. Originators and their successors may decontrol a record’s SBU information status when circumstances indicate the information no longer requires protection. Known holders of the information will be notified, to the extent possible, that the information is no longer SBU and will be directed to mark their copies accordingly.

  2. SBU documents will be destroyed by burning, mulching, pulping, or pulverizing beyond recognition and reconstruction. SBU information may also be destroyed by shredding or disposed of in burn bags. When shredding, the same equipment approved for destroying Secret and/or Confidential classified information will be procured and used. If using burn bags, the outside will be distinctly labeled or marked SBU to distinguish the contents from burn bags containing classified information. When using office shredders, employees are encouraged to dispose of the residue with normal paper waste in more than one trash receptacle to disseminate the remains as widely as possible.

  3. Disposition and destruction of tax information must be in accordance with IRM 1.15.2, Types of Records and Their Life Cycle, and IRM 1.15.3, Disposing of Records. Although IRS employees may know the proper methods of destroying tax data, management must reinforce this knowledge by including document destruction as a topic in orientation sessions, periodic group meetings and other awareness sessions.

  4. Waste material generated in the processing of tax documents, protected data or other related documents must be destroyed by burning, disintegrating, pulping, shredding or by any other manner which in the judgment of the responsible security official renders the information contained in such material irrecoverable. The fact that material has been identified for destruction does not change the requirement to provide appropriate protective measures. Waste material must be provided the protection equal to that required by the most protected item. This material may include, but is not limited to, extra copies, photo impressions, microfilm, printouts, computer tape printouts, IDRS printouts, notes, work papers or any other material containing tax information which has served its purpose. Policy and procedures for sanitization and disposal of digital media (e.g., magnetic media, diskettes, hard disks, or other storage devices) containing sensitive information can be found in IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

  5. Waste material generated in the processing of tax documents, protected data or other related documents must be placed in receptacles specifically marked for sensitive information (i.e., shred material, burn, sensitive). Sensitive waste material must not be discarded in regular trash bins. The guidelines provided below must be followed in order to ensure the proper destruction of sensitive waste material.

    1. Managers and Contracting Officer Representatives (CORs) will periodically review work areas to ensure that sensitive waste material is being discarded in an appropriate manner.

    2. CORs will conduct periodic unannounced inspections at the off-site contractor facilities where sensitive IRS information or data is handled. Results of these inspections will be documented, including identification of any security issues, and documented verification that the contractor has taken appropriate corrective actions on any security issues observed and/or identified.

10.2.13.4.5.1  (08-06-2012)
Destruction Precautions

  1. The purpose of destroying protected information is to keep the information from being disclosed to unauthorized personnel. Protected information on any media will be removed, obliterated, or the media destroyed by or in the presence of an IRS employee. Security personnel will work with managers to develop and implement local procedures to enhance the concepts outlined here.

  2. In the event tax information media is to be collected and destroyed by an independent contractor, to preclude the necessity of having an IRS employee present during destruction, the contract must include the safeguard provisions required by IRC 6103(n) and regulations therein. The provisions of the contract must allow for IRS inspection of the contractor facility and operations to ensure the safeguarding of IRS information. Waste material must be maintained in a secured container in a secured area to prevent sensitive information from unauthorized disclosure or access. The contractor must provide a certificate of destruction.

  3. Paper data will be destroyed in one of the following ways:

    1. Shredding to effect 5/16 inch wide or smaller strips. Consideration should be given to the purchase of cross cut shredders when replacing or purchasing new equipment, as these types of shredders provide the best destruction method among shredders.

    2. Pulping to be accomplished in such a manner that all material is reduced to particles one inch or smaller.

    3. Disintegrating to be accomplished with 1/2 inch or smaller screen.

    4. Burning to effect complete incineration.

  4. When it becomes necessary to store protected information which has been collected for destruction, it will be provided protection equal to that required by the most protected item. All tax data will be destroyed by or in the presence of an IRS employee or authorized contract employee.

  5. Protected information contained on any other form of media will be removed, obliterated, or the media destroyed by or in the presence of an IRS employee or contractor employee in such a manner that the information is totally unrecoverable. For guidance on disposition of magnetic media, see IRM 10.8.1.

  6. After the protected information has been destroyed as specified in these standards, there are no restrictions on how or by whom the material will be collected and transported.

  7. To reduce the cost involved in destroying tax data, local procedures will be developed to prevent employees from throwing coffee cups, lunch bags, newspapers, etc., in receptacles reserved for protected information.

  8. There may be areas or activities where the volume of paper documents containing tax information is sufficient to make it more practical to destroy all documents in the area of activity.

10.2.13.4.6  (08-06-2012)
Recycling

  1. Tax information or other sensitive information may not be placed in regular recycling containers, but must be placed in secured containers and must be clearly marked.

  2. The preferred approach is that sensitive information be segregated and shredded in accordance with guidelines contained in IRM 10.2.13.4.5.1, Destruction Precautions, prior to turning it over to the recycler.

  3. Unshredded sensitive information may be turned over to a contractor provided the contract includes necessary safeguards that will ensure compliance with IRC 6103(n) requirements, provides for periodic safeguard reviews, and includes language describing methods of collection, pick-up, storage and disposition. The contract should also include provisions for a Certificate of Destruction.

  4. Another method is to have IRS personnel observe the destruction of sensitive information upon delivery to the recycler. This allows for destruction of sensitive information while maintaining custody of the material up to the moment of destruction. Again, the contractor must be in compliance with IRC 6103(n) requirements, which provide for safeguards and periodic safeguard reviews. However, this method is not recommended because of the resources that would be required.

10.2.13.4.7  (08-06-2012)
Incident Reporting

  1. Employees or contractor personnel who observe or become aware of the loss, compromise, suspected compromise, or unauthorized disclosure of SBU information will report it immediately to their supervisor and to local IRS security officials. Notification to appropriate IRS officials will be made without delay when the disclosure or compromise could result in physical harm to an individual or compromise an unclassified plan or on-going operation. The initial notification of the incident may be either verbal or in writing.

  2. See IRM 10.2.8, Physical Security Incident Reporting, for specific incident reporting procedures. The procedures include reporting the incident to the IRS Situation Awareness Management Center (SAMC) by completing the security incident reporting form http://awss.web.irs.gov/PhysicalSecurity/IR/Default.shtml or calling the SAMC at 1-866-216-4809.

10.2.13.5  (09-30-2008)
Information Security During Office Moves

  1. When it is necessary for an office to move to another location, plans must be made to properly protect and account for all tax data and other information, as well as government property. The circumstances of the move must be carefully considered (e.g., the distance involved and the method to be used in making the move).

    1. Tax documents and other information will be kept in locked cabinets or sealed in packing cartons while in transit.

    2. Accountability will be maintained to ensure that cabinets or cartons do not become misplaced or lost during the move.

    3. Throughout the move, classified material and other critical material will remain in the custody of an IRS employee with the appropriate clearance and need-to-know.

  2. The precautions taken to protect Government property during the move will be commensurate with the type and value of property involved. Small items of high value will be packed in cartons or moved in locked cabinets. Accountability will be maintained throughout the move.

Exhibit 10.2.13-1 
Glossary and Terms

Freedom of Information Act, 5 U.S.C. §552, (FOIA) – A federal statute enacted in 1966, that generally provides that any person has the right to request access to federal agency records or information. The FOIA is based on the presumption that the government and its information belong to the people. Requesters have a “right to know,” and they do not need to establish a “need to know” to request information under the FOIA.
Personally Identifiable Information (PII) – Taxpayer information or any combination of information that can be used to uniquely identify, contact, or locate a person. Examples of PII include, but are not limited to: names, addresses, social security numbers, date of birth, home telephone numbers, biometric data (height, weight, eye color, fingerprints, etc.), other numbers or information that alone or in combination with other data can identify an individual, etc.
Return – Any tax or information return, estimated tax declaration, or refund claim (including amendments, supplements, supporting schedules, attachments or lists) required by or permitted under the Code which is filed with the IRS by, on behalf of, or with respect to any person. Examples of returns include forms filed on paper or electronically (1040, 941, 1099, 1120 and W-2).
Sensitive But Unclassified (SBU) Information – Information that requires protection due to the risk and magnitude of loss or harm to the IRS or the privacy to which individuals are entitled under section 552a of title 5, United States Code (USC) (the Privacy Act), which could result from inadvertent or deliberate disclosure, alteration, or destruction.
Sensitive Information – Information in which the loss, misuse, or unauthorized access to, or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (USC) (the Privacy Act), but has not been specifically authorized under criteria established by an Executive Order (E.O.) or an act of Congress to be kept classified in the interest of national defense or foreign policy. Examples of such sensitive information include personal financial information and information that discloses law enforcement investigative methods. Other particular classes of information may have additional statutory limits on disclosure that require that information to also be treated as sensitive. Examples include tax information, which is protected by Section 6103 of the IRC (26 U.S.C. § 6103) and advanced procurement information, protected by the Procurement Integrity Act (41 U.S.C. § 423).
