10.5.1  Policy, Roles and Responsibilities

10.5.1.1  (05-05-2010)
Introduction to Privacy, Information Protection & Data Security (PIPDS)

  1. Purpose. This IRM section defines the management structure, assigns responsibilities, and sets the uniform policies and guidance to be used by IRS employees and organizations to carry out their responsibilities related to privacy, information protection and data security. It provides guidance on all aspects of protecting taxpayer and employee Personally Identifiable Information (PII).

  2. Scope. The provisions in this manual apply IRS-wide and are to be applied when PII is collected, created, transmitted, used, disseminated, processed, shared, stored or disposed of to accomplish the IRS mission. This manual also applies to individuals and organizations having contractual arrangements with the IRS, including contractors, subcontractors, vendors and outsourced providers who are doing business with the IRS.

  3. Mission. The mission of the IRS is to "Provide America’s taxpayers top-quality service by helping them understand and meet their tax responsibilities and enforce the law with integrity and fairness to all." In order to fulfill this mission, it is necessary for the IRS to collect, process and maintain personal data about taxpayers, their dependents and IRS employees.

  4. Vision. The vision of the IRS PIPDS organization is to preserve and enhance public confidence in the IRS by advocating for the protection and proper use of Personally Identifiable Information.

  5. Implementation. The implementation of the PIPDS vision shall comply with applicable laws, policies, federal regulations, Presidential Directives, Office of Management and Budget (OMB) guidance and Department of Treasury (Treasury) guidelines, policies and directives.

  6. Web site. Within the IRS intranet, the Office of Privacy, Information Protection & Data Security Web site provides information on all PIPDS programs at: http://PIPDS.web.irs.gov

10.5.1.2  (05-05-2010)
PIPDS Programs and Policies

  1. PIPDS Policy is developed to implement the following programs:

    1. Privacy Impact Assessments (PIAs). PIAs assess internal and external threats to the confidentiality of PII in compliance with the E-Government Act of 2002 (Pub. L. 107-347) and applicable OMB guidance. Procedures for determining whether a PIA is needed and for preparing one are available on the PIPDS web site at http://pipds.web.irs.gov/pia.

    2. Information Protection. This program includes policies and procedures aimed at preventing identity theft and protecting taxpayers. For the latest preventive procedures available, visit the PIPDS web site at http://pipds.web.irs.gov/ip.

    3. Incident Management. This program includes policies and procedures aimed at timely reaction and appropriate responses to occurrences of Personally Identifiable Information (PII) data losses. For the latest response procedures available, visit the PIPDS web site at http://pipds.web.irs.gov/im.

    4. Live Data Testing Request and Review. Responsibility for Live Data Testing Request and Review rests with the PIPDS office. Use of live data for testing is strictly prohibited without completion of a Live Data Request and prior approval. For further information about these procedures, visit the PIPDS web site at http://pipds.web.irs.gov/livedata. For information about the overall MITS Live Data policy, refer to IRM 10.8.8, Information Technology (IT) Security, Live Data Protection.

    5. Online Fraud Detection & Prevention. This office protects taxpayers who conduct business with the IRS online. Through the efforts of OFDP's Phishing program, PIPDS takes part in the global monitoring and takedown process for bogus sites and phishing scams. Further information about this compliance program is available on the PIPDS web site at http://pipds.web.irs.gov/ofdp.

    6. SSN Elimination and use of SEIDs. The Office of Management and Budget issued Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information. IRS is currently working to apply the SSN Elimination and Reduction Implementation Plan and PIPDS has issued interim guidance to business units regarding how to comply with this mandate. For further details, visit the PIPDS web site at http://pipds.web.irs.gov/ssn.

    7. Use of Pseudonyms. A pseudonym is a false name. A pseudonym may be issued to an IRS employee to protect the employee's personal safety and to prevent harm or danger. Further procedures are available on the PIPDS web site at http://pipds.web.irs.gov/pseudonym.

    8. Unauthorized Access (UNAX). The mission of the UNAX Program is to make all IRS employees aware of their obligations under the Taxpayer Browsing Protection Act of 1997, commonly known as UNAX, so that no employee compromises public confidence in the IRS' protection of tax account information. Full procedures are available on the PIPDS web site at http://pipds.web.irs.gov/unax.

10.5.1.3  (05-05-2010)
Key Principles and Definitions

  1. IRS Privacy Principles. The IRS is fully committed to protecting individuals’ rights to privacy. The IRS will only collect, maintain, use and disseminate PII as authorized or required by law and as necessary to fulfill IRS mandates from the President, OMB, Congress and Treasury. All IRS employees, contractors and persons with authorized access to PII are responsible for complying with IRS’ privacy policies and procedures and for adhering to the following five IRS Privacy Principles, based on the Privacy Act of 1974 (refer also to Exhibit 10.5.1-2, References):

    • Protecting taxpayer and employee privacy is a public trust.

    • Personal information will only be collected if it is necessary for tax administration or another legally authorized purpose.

    • Information will be used only for the purpose for which it was collected or as specifically authorized by law.

    • Information will be collected, to the greatest extent practicable, directly from the individual to whom it relates. Information that is collected from third parties will be verified for accuracy with the subject, whenever possible, before final action is taken.

    • All IRS employees share in the responsibility for protecting the privacy of individuals whose information they have access to, including taxpayers, employees and visitors to IRS Web sites.

  2. Personally Identifiable Information (PII). PII is information that, either alone or in combination with other information, can be used to uniquely identify an individual. PII includes names because they can be used to identify an individual when combined with other identifiers. PII includes the personal information of taxpayers, employees, contractors, applicants and visitors to the IRS. However, names of federal employees when used for business purposes, along with employee business phone numbers and business addresses are all considered publicly available information.

    Some examples of PII are:

    • name

    • Social Security Number (SSN)

    • date of birth

    • place of birth

    • address

    • biometric record

10.5.1.4  (05-05-2010)
Privacy Law

  1. PIPDS programs implement the provisions of the Privacy Act of 1974, the Taxpayer Browsing Protection Act of 1997, the E-Government Act of 2002 (to include accompanying guidance outlined in OMB memoranda), the Consolidated Appropriations Act of 2005, §522 and Treasury Directives.

  2. The PIPDS office leads the IRS in implementing the mandates of OMB M-07-16 "Safeguarding Against and Responding to the Breach of Personally Identifiable Information," Attachment 1,"Review and Reduce the Volume of Personally Identifiable Information."

  3. For a full listing of Privacy Law relevant to this IRM section, refer to Exhibit 10.5.1-2, References.

10.5.1.5  (05-05-2010)
Servicewide Roles and Responsibilities

  1. The IRS shall implement privacy roles and responsibilities for employees and contractors in accordance with federal laws and privacy guidelines.

10.5.1.5.1  (05-05-2010)
IRS Employees

  1. All IRS employees shall:

    1. Keep informed of and adhere to applicable IRS privacy, information protection and data security policies and procedures.

    2. Limit access to records containing taxpayer data and PII to that which is required to carry out their official duties.

    3. Use PII collected from taxpayers and employees only for the purposes for which it was collected, unless other purposes are legally mandated or authorized.

    4. Limit the disclosure of taxpayer and employee PII to that which is necessary and relevant for tax administration and other legally mandated or authorized purposes.

    5. Prevent unnecessary disclosure of PII in information systems, programs, electronic formats and hardcopy documents by adhering to proper safeguarding measures.

    6. Complete IRS annual and role-based privacy, information protection and data security training requirements; UNAX awareness briefings; and all other specialized privacy training, as required.

    7. Immediately complete Form 11377, "Taxpayer Data Access Form" to document the access to taxpayer return information when the accesses are not supported by direct case assignment, were performed in error, or when the access may raise a suspicion of an unauthorized access.

    8. Stay aware of the consequences of UNAX violations including accessing their own tax records, those of co-workers, family, friends, celebrities and other covered relationships. For information regarding the servicewide UNAX program and links to all UNAX forms, visit http://pipds.web.irs.gov/unax

    9. Immediately report to TIGTA any indications of intentional unauthorized accesses or disclosures of returns or return information in paper or electronic form. See IRM 11.3.1.6(2).

    10. Report inadvertent improper disclosures to the Office of Disclosure, following the guidance in IRM 11.3.38.6.1.

    11. Safeguard IRS information and information systems entrusted to them and, upon becoming aware of the loss, theft or improper disclosure of sensitive information, report the incident to:

      • Your manager

      • Computer Security Incident Response Center (CSIRC) online, or call 1-866-216-4809, and

      • If the incident involves the loss or theft of an IT asset or hardcopy data, TIGTA at 1-800-366-4484

    12. Visit Office of PIPDS Information Protection Web site at http://pipds.web.irs.gov/ip

10.5.1.5.2  (05-05-2010)
Senior Management/Executives

  1. Senior Management/Executives shall:

    1. Work with the Director, PIPDS to develop, implement, maintain and enforce a program to adequately protect all PII for which they are responsible in accordance with IRS privacy, information protection and data security policies and procedures. Focus special emphasis on the government-wide requirements to eliminate the unnecessary collection and use of SSNs as a personal identifier for employee and tax systems and programs.

    2. Clearly communicate IRS privacy, information protection and data security policies and procedures to all employees in their organizations, ensuring that employees are made aware of their responsibilities to protect PII and uphold applicable privacy, information protection and data security laws, regulations and IRS policies and procedures.

    3. Ensure personnel with authorized access to PII receive training to carry out their roles and responsibilities in a manner consistent with IRS privacy, information protection and data security policies.

    4. Periodically assess and evaluate privacy, information protection and data security awareness activities of their organization in order to set clear expectations for compliance with all requirements.

    5. Allocate sufficient resources to comply with IRS privacy, information protection and data security policies and procedures.

    6. Ensure that all employees and other individuals in their respective organizations comply with the IRS privacy, information and data security policies and procedures. Also ensure that any noncompliance is addressed and remedied promptly, including, if necessary, the initiation of penalties for noncompliance in accordance with federal law and IRS personnel rules and regulations.

    7. Take a proactive role in preventing UNAX in their respective areas. Ensure that all managers, employees and contractors are trained and knowledgeable of the Taxpayer Browsing Protection Act of 1997; the consequences of UNAX violations for managers, employees and contractors; and that all employees within their business area complete all IRS UNAX, privacy, information protection and data security training requirements annually and as required for their position.

    8. Ensure that all IDRS weekly and monthly security reports are certified timely.

    9. Ensure that IRS-wide, alternative unique identifiers are used for internal and taxpayer systems and programs in place of SSNs when possible.

    10. Ensure that proper safeguards are established to prevent unintentional exposure to SSNs in cases where SSN use is determined to be necessary.

    11. Ensure that the Standard Employee Identifier (SEID), rather than the SSN, is used as the primary employee identifier wherever possible.

    12. Ensure that PIAs for which the senior official is responsible are completed timely and that they mitigate any privacy risks discovered.

10.5.1.5.3  (05-05-2010)
IRS System Owners

  1. IRS system owners shall:

    1. Follow applicable laws, regulations and IRS privacy, information protection and data security policies and procedures in the development, acquisition, implementation, operation and disposal of all systems under their control.

    2. Ensure that the collection, use and sharing of PII from taxpayers, employees and contractors is limited to that which is minimally necessary for tax administration purposes or other legally authorized purposes.

    3. Examine the use of SSNs in all information systems and programs, as well as hardcopy and electronic formats (e.g., forms, printouts, screen shots, displays, electronic media, archives and on-line storage repositories) and eliminate the unnecessary use of SSNs where identified.

    4. Ensure that adequate SSN alternatives are employed as necessary.

    5. Ensure, to the extent possible, that PII used by the IRS to complete business functions is accurate, relevant, timely and complete.

    6. Ensure that all new systems, systems under development or systems undergoing major modifications that contain PII have in place a completed and approved PIA in accordance with federal laws and IRS policy.

    7. Work with the Office of PIPDS to ensure that approved PIAs for systems that contain Sensitive But Unclassified (SBU) data or PII on the public are reviewed for redaction prior to being posted to IRS.gov.

    8. Coordinate with the system developer and the Office of Privacy to ensure identified privacy risks are documented in their Plans of Action and Milestones (POA&Ms) and are resolved in a timely manner.

    9. Coordinate all inter-agency PII sharing agreements with the Office of Governmental Liaison and Disclosure and other affected IRS entities that establish and monitor the sharing of PII with external entities.

    10. Implement safeguards to establish and monitor internal and third-party agreements for the protection of PII and to ensure confidentiality of PII.

    11. Ensure that suspected or actual data loss incidents are reported within the timeframes required to management, the Computer Security Incident Response Center (CSIRC) and to TIGTA per requirements.

    12. Ensure that all IRS and contractor employees involved in the management, operation, programming, maintenance or use of IRS information systems complete IRS UNAX, privacy, information protection and data security training prior to being granted access to those systems containing PII.

    13. Ensure that employees and contractors who have access to live tax data for testing have followed the requirements of IRM 10.8.8, Information Technology (IT) Security, Live Data (LD) Protection and have submitted Form 13471, Live Data Request to the proper authorities. Visit PIPDS for further information, at http://pipds.web.irs.gov/livedata

10.5.1.5.4  (05-05-2010)
System Developers

  1. System Developers shall:

    1. Follow IRS privacy, information protection and data security policies and procedures in the development, implementation and operation of information systems for which they are responsible, including reviews of the systems' use of SSNs. Work closely with system owners to eliminate the unnecessary collection and use of SSNs in all IRS systems.

    2. Develop information systems that provide the capability to partially mask, truncate or redact the SSN when the total elimination of the use of SSNs is not possible in both personnel and tax systems.

    3. Work with system owners to eliminate unnecessary accessing, collecting, displaying, sharing, transferring, retaining and use of the SSNs in personnel and tax systems.

    4. Establish, maintain and test the management, operational and technical controls to protect PII.

    5. Complete system PIAs in concert with system owners and in accordance with IRS policy.

    6. Coordinate with the system owners and the Office of PIPDS to resolve identified privacy risks.

    7. Perform system life cycle reviews to ensure satisfactory resolution of privacy risks and provide the results to the system owners.
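The SSN review and masking duties above (system owners examining printouts, screen shots, logs and exports for SSN use; developers providing a mask, truncate or redact capability where the SSN cannot be eliminated) can be supported by a small scanning and display-transformation routine. The following is an added example written for this page, not IRS code or any IRS tool; the regular expression, the three display modes, the log lines and the function names are assumptions for illustration.

```python
from __future__ import annotations

import re

# Hyphenated SSN, AAA-GG-SSSS. The lookarounds stop a match from starting or
# ending inside a longer digit run (phone numbers, timestamps, account numbers).
# Area 000, 666 and 900-999, group 00 and serial 0000 are never issued, so they
# are rejected up front to cut false positives. The pattern is an assumption
# made for this example, not an IRS-published one.
SSN_RE = re.compile(
    r"(?<![\w-])"
    r"(?!000|666|9\d\d)\d{3}-"
    r"(?!00)\d{2}-"
    r"(?!0000)\d{4}"
    r"(?![\w-])"
)

MODES = ("mask", "truncate", "redact")


def transform_ssn(ssn: str, mode: str = "mask") -> str:
    """Return the display form of one SSN.

    mask     -> XXX-XX-6789  last four visible, for screens where staff confirm identity
    truncate -> 6789         last four only, for listings and printouts
    redact   -> [SSN]        nothing of the value survives, for data leaving the system
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    last4 = ssn[-4:]
    if mode == "mask":
        return "XXX-XX-" + last4
    if mode == "truncate":
        return last4
    return "[SSN]"


def find_ssns(text: str) -> list[str]:
    """All SSN-shaped values in a block of text, in order of appearance."""
    return SSN_RE.findall(text)


def redact_text(text: str, mode: str = "mask") -> tuple[str, int]:
    """Rewrite every SSN in text with transform_ssn; returns (new_text, count)."""
    return SSN_RE.subn(lambda m: transform_ssn(m.group(0), mode), text)


def scan_lines(lines: list[str]) -> list[tuple[int, int]]:
    """Inventory step: (1-based line number, SSN count) for each line carrying
    at least one SSN. Run it over exports, screen captures or logs to find
    where SSNs still surface."""
    report = []
    for lineno, line in enumerate(lines, start=1):
        n = len(find_ssns(line))
        if n:
            report.append((lineno, n))
    return report


# Constructed sample log lines for this example; the numbers are made up.
SAMPLE_LOG = [
    "2010-05-05 09:14:02 lookup taxpayer 123-45-6789 by user jdoe",
    "2010-05-05 09:14:10 callback number 1-866-216-4809 recorded",
    "2010-05-05 09:15:33 case 321-54-0987 linked to 555-01-2345",
    "2010-05-05 09:16:00 input 000-12-3456 rejected as malformed",
]

if __name__ == "__main__":
    for lineno, n in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: {n} SSN(s)")
    for line in SAMPLE_LOG:
        print(redact_text(line, "mask")[0])
```

The pattern deliberately matches only the hyphenated form; bare nine-digit runs collide with account and document numbers and need a field-aware check rather than a text scan. Pick the mode per display: mask where staff must confirm the last four digits, truncate where only a hint is needed, redact for anything leaving the system.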

10.5.1.5.5  (05-05-2010)
Personnel Engaged in Procurement Activities

  1. All personnel engaged in procurement-related activities, including management officials at all levels, shall:

    1. Ensure that all IRS acquisitions and contract vehicles contain appropriate language holding contractors and other service providers accountable for complying with federal and IRS privacy, information protection and data security policies and procedures.

    2. Ensure that contract work statements specifically identify the appropriate System of Records Notice when PII data is a part of the research, design, development, testing or operation work to be performed.

    3. Review contract requirements to determine whether the contract will involve the design, development or operation of a System of Records on individuals to accomplish an IRS function.

    4. Insert the following contract clauses in all acquisitions and procurement documents generated in support of an acquisition or procurement for the design, development, or operation of a System of Records on individuals that will be used to accomplish an IRS function: FAR 52.224-1, Privacy Act Notification and FAR 52.224-2, Privacy Act.

    5. Ensure compliance with the Federal Acquisition Regulations.

    6. Ensure that any contract that will involve the use of live data for testing requires adherence to IRM 10.8.8, Information Technology (IT) Security, Live Data (LD) Protection.

10.5.1.6  (05-05-2010)
PIPDS Office and Stakeholder Roles and Responsibilities

  1. The IRS shall implement privacy roles and responsibilities for employees and contractors in accordance with federal laws and privacy guidelines.

10.5.1.6.1  (05-05-2010)
Director, Privacy, Information Protection & Data Security (PIPDS)

  1. The director shall formulate, develop, implement and promote effective taxpayer and employee privacy, information protection and data security programs, which include:

    • Data Loss Prevention

    • External Authentication Framework

    • Identity Protection Filters

    • Identity Theft Account Indicators

    • Incident Processing, Notification and Reporting

    • Live Data Testing Request and Review

    • Media Destruction

    • Online Fraud Detection & Prevention

    • Privacy Impact Assessments

    • Privacy Risk Assessments

    • SSN Elimination & Reduction

    • Unauthorized Access (UNAX)

    The success of these programs will enhance the efforts of the IRS to earn and keep the highest degree of public confidence in its integrity, efficiency and fairness.

  2. The director shall:

    1. Serve as the IRS Senior Agency Official for Privacy, having overall responsibility for accounting to Treasury, OMB and other regulatory agencies regarding the IRS’ implementation of information privacy protections, including full compliance with federal laws, regulations and policies relating to information protection, as established by the Consolidated Appropriations Act of 2005 §522. (Refer also to Exhibit 10.5.1-2, References.)

    2. Provide executive leadership and direction over the IRS PIPDS programs ensuring that taxpayer and employee privacy and sensitive personal information are protected.

    3. Serve as the principal advisor and consultant to senior management on matters related to taxpayer and employee privacy, information protection and data security.

    4. Establish an appropriate and timely IRS privacy strategy framework for the full range of IRS activities, including information systems, with special emphasis on modernization initiatives.

    5. Keep abreast of new information technology, information systems, data flows and their impact on privacy, information protection and data security to ensure that the IRS is aware of emerging privacy issues and that the IRS implements strategies and policies to ensure privacy protection.

    6. Incorporate privacy protection, information and data security in the IRS’s Strategic Planning process by identifying servicewide privacy objectives, goals and measures of success. Incorporate privacy principles by ensuring business requirements also reflect privacy and security practices and policies of the agency.

    7. Establish effective working relationships and communication with all other senior agency officials to understand operational priorities and initiatives, identify strategic and tactical privacy issues and provide effective advice and education on privacy, data protection and data security matters.

    8. Ensure the Privacy Impact Assessment (PIA) process is effective within IRS and meets government-wide standards and goals.

    9. Oversee and coordinate all activities related to privacy, identity protection and incident management (PII Incident Notification Process) reporting to oversight agencies and IRS executive management.

    10. Provide strategic direction to the IRS program to stop incidents of willful unauthorized access or inspection of taxpayer records (UNAX), as required by the Taxpayer Browsing Protection Act of 1997.

    11. Collaborate with IRS officials to lead in the government-wide requirements to eliminate unnecessary use of SSNs in tax and employee systems and programs.

    12. Participate in government-wide efforts to explore alternatives to agency use of SSNs as a personal identifier for both tax and employee systems and programs.

    13. Serve as IRS enterprise champion for external authentication policy.

10.5.1.6.2  (05-05-2010)
Director, Privacy and Information Protection

  1. The IRS Office of Privacy and Information Protection was created to develop and implement an enterprise-wide approach to privacy and information protection.

  2. The director shall:

    1. Establish IRS' strategic direction regarding privacy policy and ensure the agency is aware of emerging issues and trends in privacy protection.

    2. Provide guidance and direction in carrying out the privacy policies of the agency to all functional areas (both headquarters and field).

    3. Partner with IRS executives and system owners to ensure that information systems containing PII are protected from unauthorized access, inspection, use, disclosure or modification.

    4. Conduct servicewide risk assessments to identify sensitive personal information vulnerabilities. Detect and document the universe of threats and risks through forensic techniques to build a comprehensive enterprise-wide risk portfolio and mitigation strategy.

    5. Partner with Governmental Liaison and Disclosure to ensure that PII contained in a Privacy Act System of Records is handled in full compliance with fair information practices defined in the Privacy Act of 1974.

    6. Develop, distribute and periodically review and revise IRS privacy and information protection policies and procedures in conjunction with appropriate level partners within such offices as Chief Counsel, Governmental Liaison and Disclosure, Treasury Inspector General for Tax Administration (TIGTA), Associate Chief Information Officer (ACIO) for Cybersecurity, Director, Records Management and others to ensure the policies and procedures are comprehensive, up-to-date and in compliance with federal privacy laws, regulations and applicable guidance where necessary.

    7. Define and implement performance metrics to evaluate the effectiveness of the Office of Privacy and Information Protection programs.

    8. Manage the Privacy program whose mission is to promote the protection of individual privacy and integrate privacy into business practices, behaviors and technology solutions.

    9. Manage the Identity Protection program whose mission is to identify risks and reduce vulnerabilities for identity theft.

    10. Manage the Incident Management program whose mission is to provide timely data loss notification and victim assistance to individuals impacted by IRS PII losses.

    11. Chair the Privacy & Information Protection Advisory Committee, which oversees the development and execution of policy and procedures for the Identity Protection program and the Incident Management program, as well as the execution of identity theft outreach, victim assistance and prevention initiatives.

    12. Chair the Authentication Advisory Council. The council oversees the products and recommendations of the Authentication Strategy Working Group, serves as the forum for high-level issues on the progress of the External Authentication Framework, and retains oversight of post-implementation activities in support of the Framework.

10.5.1.6.3  (05-05-2010)
Director, Online Fraud Detection & Prevention

  1. The IRS Office of Online Fraud Detection and Prevention was created to address the increasing and evolving threat of online fraud affecting the IRS and taxpayers. The mission is to reduce online fraud against the IRS and taxpayers.

  2. The director shall:

    1. Serve as the focal point, having overall responsibility for the coordination of online fraud prevention, detection, response, outreach and awareness activities for the IRS.

    2. Partner with other senior agency officials to ensure organizational effectiveness and collaboration in addressing online fraud.

    3. Manage a rapid response process to detect and to mitigate online fraud incidents, in collaboration with TIGTA.

    4. Promote technological innovations and process improvements to address current and future online fraud schemes.

    5. Partner with domestic and international public/private sectors to promote comprehensive online fraud awareness, and education programs.

    6. Establish an analytic and operational information sharing capability to prevent and reduce risk.

    7. Chair the Online Fraud Detection and Prevention Advisory Committee.

    8. Provide executive leadership and direction for the coordination of online fraud prevention and detection activities for the IRS.

10.5.1.6.4  (05-05-2010)
Chief, Agency Wide Shared Services (AWSS)

  1. The Chief AWSS shall:

    1. Ensure physical security and personnel controls are implemented to protect taxpayer and employee privacy.

    2. Advise PIPDS as to the implications of IRS physical security and personnel policies and procedures on taxpayer and employee privacy.

    3. Partner with PIPDS to ensure the servicewide Physical and Personnel Security training and Information Protection training complement each other.

10.5.1.6.5  (05-05-2010)
IRS Human Capital Officer (I-HCO)

  1. The IRS Human Capital Officer shall:

    1. Provide resources for annual and specialized training and education. This will include training for new employees, new managers and role-based training to all IRS employees and contractors regarding the privacy rights of employees and taxpayers. A strong focus will be on UNAX, the consequences of UNAX violations and federal and IRS requirements for the protection of SBU/PII.

    2. Provide guidance and recommendations on how to strengthen the UNAX program based on trends and analysis of the disposition of cases of willful UNAX violations.

    3. Ensure all IRS personnel systems and programs use the Standard Employee Identifier (SEID) to eliminate or minimize the use of PII including SSNs to the extent possible.

    4. Provide support and guidance in working with the National Treasury Employees Union (NTEU) on privacy, information protection and data security issues.

10.5.1.7  (05-05-2010)
IRS.Gov: IRS Internet Web Site Privacy Notices and Data Collection

  1. IRS Privacy notices are used to inform the public of the information collection procedures and the privacy measures in place at a particular Internet Web site or activity.

  2. The IRS privacy policy notices must be posted at every major entry point to the Internet Web site as well as on any Web page collecting substantial personal information from the public.

  3. The IRS privacy policy notice is:

    1. an overview of IRS privacy practices

    2. a description of any information collected and stored automatically by the system and how this information will be used

    3. an explanation of how IRS will use any personally identifiable information submitted by the Internet visitor

    4. a notice that security and intrusion protection measures are in place

    The IRS Internet Privacy notice is available at http://www.irs.gov/privacy/index.html?navmenu=menu2.

  4. Any IRS Internet web site that links to external sites must post a departure notice. This notice alerts Internet visitors that they are about to leave the IRS web site and its privacy practices. It advises them to review the Web site privacy practices for the Web site they are about to enter. The IRS Internet Departure Notice can be viewed at: http://irweb.irs.gov/AboutIRS/irhelp/intranet/standards_art/13750.aspx.

  5. Persistent "cookies" or other tracking devices to monitor the public's visits may not be used on an IRS Internet site except as authorized by OMB regulations.

10.5.1.8  (05-05-2010)
Inside IRS: Intranet Web Site Privacy Notices and Data Collection

  1. IRS Privacy notices are used to inform employees of the information collection procedures and the privacy measures in place at a particular intranet Web site or activity.

  2. The IRS privacy policy notice must be posted at every major entry point to an intranet Web site as well as on any Web page collecting personal information from an employee.

  3. The IRS privacy policy notice is:

    1. an overview of IRS privacy practices

    2. a description of any information collected and stored automatically by the system and how this information will be used

    3. an explanation of how the IRS will use any personally identifiable information submitted by the employee

    4. a notice that security and intrusion protection measures are in place

    The notice is available at http://irweb.irs.gov/AboutIRS/irhelp/privacy/default.aspx or from the PIPDS office.

  4. Any IRS intranet Web site or page that links to external sites must post a departure notice. This notice alerts employees that they are about to leave the IRS Web site and its privacy practices. It advises them to review the privacy practices on the Web site that they are about to enter. The IRS intranet departure notice can be viewed at http://irweb.irs.gov/AboutIRS/irhelp/intranet/standards_art/13750.aspx.

  5. Persistent "cookies" or other tracking devices to monitor an employee's visit to IRS intranet sites may not be used except as authorized by OMB regulations.
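Both the Internet rule in 10.5.1.7(5) and the intranet rule above prohibit persistent cookies unless OMB regulations authorize them. One way to verify this before a site is released is a check that reads the Set-Cookie headers the site emits and flags the ones that would outlive the browser session. The following is an added example written for this page, not IRS code; the header values, the fixed clock and the function names are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


@dataclass
class CookieVerdict:
    name: str
    persistent: bool
    reason: str


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split one Set-Cookie value into (cookie name, attributes).

    Attribute names are lower-cased; flag attributes that carry no value
    (Secure, HttpOnly) map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return name, attrs


def classify_cookie(header: str, now: datetime) -> CookieVerdict:
    """Decide whether a Set-Cookie header creates a persistent cookie.

    Follows RFC 6265 section 5.3: Max-Age wins over Expires when both are
    present; a malformed attribute is ignored; Max-Age <= 0 or an Expires in
    the past deletes the cookie rather than persisting it.
    """
    name, attrs = parse_set_cookie(header)

    max_age = attrs.get("max-age")
    if max_age is not None:
        try:
            seconds = int(max_age)
        except ValueError:
            seconds = None  # malformed Max-Age: ignore the attribute
        if seconds is not None:
            if seconds <= 0:
                return CookieVerdict(name, False, "Max-Age <= 0 deletes the cookie")
            return CookieVerdict(name, True, f"Max-Age={seconds}")

    expires = attrs.get("expires")
    if expires:
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            when = None  # malformed Expires: ignore the attribute
        if when is not None:
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                return CookieVerdict(name, False, "Expires in the past deletes the cookie")
            return CookieVerdict(name, True, f"Expires={expires}")

    return CookieVerdict(name, False, "session cookie (no Max-Age or Expires)")


def audit_cookies(headers: list[str], now: datetime) -> list[str]:
    """Names of cookies that would persist beyond the browser session."""
    return [v.name for v in (classify_cookie(h, now) for h in headers) if v.persistent]


# Constructed Set-Cookie values for this example, not captured from any IRS site.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "lang=en; Path=/; Max-Age=31536000",
    "old=x; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "track=1; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Max-Age=0",
    "survey=done; Expires=Fri, 31 Dec 2010 23:59:59 GMT",
    "broken=1; Max-Age=soon",
]
NOW = datetime(2010, 5, 5, tzinfo=timezone.utc)  # fixed clock so results are reproducible

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        v = classify_cookie(h, NOW)
        print(f"{v.name:10} persistent={v.persistent!s:5} {v.reason}")
    print("persistent cookies:", audit_cookies(SAMPLE_HEADERS, NOW))
```

Feed it the Set-Cookie values captured from a test crawl of the site. It separates a cookie that sets Expires in the past (a deletion) from one that sets a future date, and applies the Max-Age-over-Expires precedence, so a header like the fourth sample is reported as non-persistent rather than as a violation.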

Exhibit 10.5.1-1 
Glossary

A
Access - The ability or opportunity to gain knowledge of personally identifiable information.
Accountability - The privacy goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, after-action recovery and legal action.
B
Biometrics - The science and technology of measuring and analyzing biological data. In information technology, biometrics refers to technologies that measure and analyze human body characteristics, such as fingerprints, eye retinas and irises, voice patterns, facial patterns and hand measurements, for authentication purposes.
Breach - The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.
C
Certification and Accreditation (C&A) - A comprehensive assessment of the management, operational and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements for the system.
Confidentiality - Preserving authorized restrictions on information access and disclosure (including means for protecting personal privacy and proprietary information) from unauthorized individuals, entities, or processes.
D
Data Loss (Breach Notification) - The process of notifying affected individuals following the discovery of a PII data loss incident when the incident results in a high risk of harm to these individuals. Also known as PII data loss incident notification.
E
External Web site - Any Internet Web site that does not begin with http://irs.gov
I
Identity Theft - A fraud that is committed or attempted, using a person's identifying information without authority.
Incident - A violation or imminent threat of violation of privacy policies.
Incident Management - The process of managing incidents involving the loss or unauthorized disclosure of data.
Information Technology (IT) - Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an executive agency.
Integrity - The prevention of the unauthorized/improper modification or destruction of information; includes ensuring information non-repudiation and authenticity.
L
Loss - Any event where an item is misplaced and/or neither the official owner nor the intended recipient has possession of the item in the expected time frame. A loss may involve an IRS-owned physical asset such as a laptop, BlackBerry, cell phone, and/or other portable media, or electronic or hard copy data that may contain Sensitive But Unclassified (SBU) data or Personally Identifiable Information (PII) such as paper or electronic taxpayer records, personnel records, or other identifying data, or a combination of a physical asset and electronic and/or hard copy data.
M
Major Application - An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All federal applications require some level of protection. Certain applications, because of the information they hold, however, require special management oversight and shall be treated as major. Adequate security for other applications shall be provided by security of the systems in which they operate.
Management Controls - The security and privacy controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security and privacy.
O
Office of Management and Budget (OMB) - A cabinet-level office that oversees the activities of federal agencies and monitors the adherence of their assigned federal programs to presidential policies.
Operational Controls - The security and privacy controls (i.e., safeguards or countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems).
P
Personally Identifiable Information (PII)/Personal Information - PII is information that, either alone or in combination with other information, can be used to uniquely identify an individual. PII includes names because they can be used to identify an individual when combined with other identifiers. PII includes the personal information of taxpayers, employees, contractors, applicants and visitors to the IRS. However, names of federal employees when used for business purposes, along with employee business phone numbers and business addresses, are all considered publicly available information. Some examples of PII are: name, Social Security Number (SSN), date of birth, place of birth, address, and biometric record.
Plan of Action and Milestones (POA&M) - A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks and scheduled completion dates for the milestones.
Privacy Impact Assessment (PIA) - An analysis of how SBU/PII information is handled: 1) to ensure handling conforms to applicable legal, regulatory and policy requirements regarding privacy; 2) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and 3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
R
Risk - The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Risk Assessment - The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact and additional security and privacy controls that would mitigate this impact.
Routine Use - The use of such a record for a purpose which is compatible with the purpose for which it was collected.
S
Safeguards - Protective measures prescribed to meet the privacy requirements specified for an information system.
Senior Management/Executives - IRS Leaders in the Senior Executive Service (SES).
Sensitive But Unclassified (SBU) Information - Any information that requires protection due to the risk and magnitude of loss or harm to the IRS or the privacy to which individuals are entitled under 5 U.S.C. § 552a (the Privacy Act), which could result from inadvertent or deliberate disclosure, alteration, or destruction.
Standard Employee Identifier (SEID) - A five-character alphanumeric string that is used as a unique identifier for employees and contractors to minimize the use of PII or SBU identifiers in IRS systems.
System - A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. A system normally includes hardware, software, information, data, applications, communications and people.
System Owner - The agency official responsible for the overall procurement, development, integration, modification, operation and maintenance of the information system.
System of Records (SOR) - A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
T
Technical Controls - The privacy controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
Training - Training is more formal than "awareness", having the goal of building knowledge and skills to facilitate privacy in one's job performance. The training level strives to produce relevant and needed privacy skills and competency in practitioners whose functional specialties are other than privacy (e.g., management, systems design, development, acquisition, auditing). Current training guidance encourages Role-Based Training.
U
UNAX - Term used to describe the willful unauthorized access and inspection of taxpayer records. Based on the Taxpayer Browsing Protection Act of 1997.

Exhibit 10.5.1-2 
References

The IRS Privacy, Information Protection and Data Security programs have their foundation in laws, policies, federal regulations, Presidential Directives, OMB guidance and Treasury guidelines, policies and directives including, but not limited to, the authorities described below:

Public Law

  1. Public Law 93-579, Privacy Act of 1974, as Amended (Includes Computer Matching Agreement) (5 U.S.C. 552a)

  2. Public Law 99-474, The Computer Fraud and Abuse Act of 1986

  3. Public Law 104-13, Paperwork Reduction Act of 1995

  4. Public Law 104-106, Clinger-Cohen Act of 1996

  5. Public Law 104-231, Freedom of Information Act (5 U.S.C. 552)

  6. Public Law 105-35, Taxpayer Browsing Protection Act of 1997

  7. Public Law 105-206, IRS Reform and Restructuring Act of 1998

  8. Public Law 107-347, E-Government Act of 2002 (44 U.S.C. 101, Sec. 208)

  9. Public Law 107-347, Federal Information Security Management Act of 2002 (44 U.S.C. 3541)

  10. Public Law 108-447, Consolidated Appropriations Act of 2005, Section 522

  11. Confidentiality and Disclosure of Return and Return Information, Internal Revenue Code Section 6103 (26 U.S.C. 6103)

  12. Disclosure or Use of Information by Preparers of Returns, Internal Revenue Code Section 6713 (26 U.S.C. § 7216)

Information on Public Laws is available at: http://thomas.loc.gov

OMB Circulars

  1. OMB Circular No. A-11, Management and Reporting

  2. OMB Circular No. A-123, Management Accountability and Control

  3. OMB Circular No. A-130, Management of Federal Information Resources

Information on OMB Circulars is available at: http://www.whitehouse.gov/omb/circulars/index.html

OMB Memoranda

  1. M-99-18, Privacy Policies on Federal Web Sites, June 1999

  2. M-00-13, Privacy Policies and Data Collection on Federal Web Sites, June 2000

  3. M-01-05, Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy, December 2000

  4. M-02-01, Guidance for Preparing and Submitting Security POA&M, October 2001

  5. M-03-22, Guidance for Implementing the Privacy Provisions of the E-Gov Act, September 2002

  6. M-05-04, Policies for Federal Agency Public Web Sites, December 2004

  7. M-05-08, Designation of Senior Officials for Privacy, February 2005

  8. M-06-15, Safeguarding Personally Identifiable Information, August 2005

  9. M-06-16, Protection of Sensitive Information, June 2006

  10. M-06-19, Reporting Security Incidents, July 2006

  11. M-06-20 (M-05-15), Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 2006

  12. M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 2007

The OMB Circulars and Memos noted above are available on the White House Web site: http://www.whitehouse.gov/omb/

Department of Treasury

  1. TDP 85-01, Treasury Information Programs, April 2000

  2. Treasury Internet Use Policy, October 1997

  3. Guidance for System Security Plans, October 2000

  4. Guidance on Audit Log Retention Periods, October 2000

The TDs above are available at: http://treas.gov/regs

IRS Policy Statements

  1. Policy Statement P-1-1, Policy Statement on Taxpayer Privacy Rights, October 1994

IRS System Development

  1. IRS Enterprise Architecture (EA)

  2. IRS Enterprise Life Cycle (ELC)

IRS Internal Revenue Manuals

IRS IRMs are available on the Electronic Publishing Web site at: http://irm.web.irs.gov

  1. IRM 10.8.1, Information Technology (IT) Security Policy and Standards - IT Security Policy and Guidance

  2. IRM 10.8.2, Information Technology Security Roles and Responsibilities

  3. IRM 10.8.3, Audit Logging Security Standards

  4. IRM 1.15, Organization, Finance And Management Records Management

IRS Memoranda

  1. Compliance with OMB Directives Regarding Internet Web Pages, December 2000

  2. OMB Directive Regarding Privacy Policies on Federal Web Sites, June 2000

  3. Privacy Policy for IRS Intranet Web Sites, January 2002

  4. Revised IRS Privacy Principles, January 2002

  5. Designation of the IRS Senior Official for Privacy, October 2005

  6. Sensitive Information and Personally Identifiable Information, June 2006

Federal Information Processing Standards

  1. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems

  2. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems

  3. FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors

Information regarding the FIPS publications noted above is available on the NIST Web site: http://www.itl.nist.gov/fipspubs/

National Institute of Standards and Technology (NIST)

  1. SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996

  2. SP 800-18, Guide for Developing Security Plans for Federal Information Systems, February 2006

  3. SP 800-19, Mobile Agent Security, October 1999

  4. SP 800-28, Guidelines on Active Content and Mobile Code, October 2001

  5. SP 800-44, Guidelines on Securing Public Web Servers, September 2002

  6. SP 800-46, Security for Telecommuting and Broadband Communications, August 2002

  7. SP 800-45A (Draft), Guidelines on Electronic Mail Security, August 2006

  8. SP 800-47, Security Guide for Interconnecting Information Technology Systems, August 2002

  9. SP 800-53, Minimum Security Requirements for Federal Information and Information Systems, February 2005

  10. SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, April 2006

  11. SP 800-55, Security Metrics Guide for Information Technology Systems, July 2002

  12. SP 800-95, Guide to Secure Web Services (Draft), August 2006

  13. SP 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications, November 2006

  14. SP 800-88, Guidelines for Media Sanitization, September 2006

  15. SP 800-64, Security Considerations in the Information System Development Life Cycle, June 2004

Information regarding the NIST publications noted above is available on the NIST web site: http://csrc.nist.gov

Other Federal Guidance

  1. Federal Enterprise Architecture Security and Privacy Profile

  2. Security, Privacy and Critical Infrastructure Committee, Securing Electronic Government, January 19, 2001

  3. Identity Theft Presidential Task Force Report

IRS Privacy Policy Regulations

  1. Privacy Impact Assessment, IRS Publication 9927

  2. Policy Statement on Taxpayer Privacy Rights (Appendix B of IRS Publication 3656)
