10.5.5  IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements

Manual Transmittal

August 26, 2013

Purpose

(1) This transmits new Internal Revenue Manual 10.5.5 Privacy and Information Protection

Material Changes

(1) This IRM establishes the comprehensive, uniform UNAX policies, procedures and requirements to be followed by all IRS organizations.

(2) This IRM incorporates the Taxpayer Browsing Protection Act of 1997 (26 USC 7213A).

Effect on Other Documents

There are no effects on other documents.

Audience

All IRS employees and contractors

Effective Date

(08-26-2013)

Susan B. Greer, Acting Director,
Privacy and Information Protection

10.5.5.1  (08-26-2013)
IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program

  1. To implement the requirements of the Taxpayer Browsing Protection Act of 1997 (Public Law No. 105-35), the IRS created the unauthorized access, attempted access or inspection of taxpayer records (UNAX) program. The Taxpayer Browsing Protection Act, in conjunction with the UNAX program, provides the following:

    1. Willful unauthorized access or inspection of taxpayer records is a crime, punishable upon conviction, by fines, imprisonment, and termination of employment. Taxpayer records include hard copies of returns and return information, as well as returns and return information maintained on a computer;

    2. A taxpayer who is a victim of unlawful access or inspection has the right to take legal action even if the taxpayer's information is never revealed to a third party;

    3. When IRS employees are criminally charged, the IRS is required to notify taxpayers that their records have been accessed without authorization;

    4. For contractors, the willful unauthorized access or inspection of taxpayer records can carry penalties upon conviction of removal from the contract, fines, and imprisonment;

    5. Criminal UNAX violations result from intentional unauthorized inspection of returns and return information. Under 26 USC 7213A, the violation is punishable by a fine not to exceed $1,000 or imprisonment of not more than 1 year, or both, together with the costs of prosecution. Upon conviction, the employee is terminated;

    6. Non-Criminal Penalties – pursuant to IRS UNAX policy, removal is to be proposed for all UNAX violations. The penalty can be mitigated to suspension by the deciding official at the decision stage; and

    7. UNAX can lead to additional criminal charges such as falsification of records, fraud, embezzlement and identity theft.

  2. IRS UNAX Policy provides that employees may be subject to administrative penalties for the willful and unauthorized attempted access of their own or another taxpayer's records.

    1. Administrative penalties include:

      • Removal of employee

      • Suspension of employee

    2. Additional information on penalties for UNAX violations can be found in the Guide to Penalty Determinations: http://publish.no.irs.gov/getpdf.cgi?catnum=32178

  3. The IRS relies on the ethics and integrity of its employees and contractors and enlists their support in eliminating all cases of UNAX. Employees who have knowledge of a suspected UNAX violation must report it to the U.S. Treasury Inspector General for Tax Administration (TIGTA), or their managers.

10.5.5.2  (08-26-2013)
Servicewide Roles and Responsibilities for Administering the IRS UNAX Program

  1. Human Capital Office (HCO) Workforce Relations Division is responsible for managing the administrative adjudication of confirmed UNAX cases. This office coordinates with TIGTA and the Office of Chief Counsel, General Legal Services (GLS) to ensure employees are treated fairly and equitably in every UNAX case. Workforce Relations is responsible for the following:

    1. tracking and reporting UNAX case status from inception to final disposition;

    2. preparing the necessary documents in support of the administrative actions taken by management;

    3. forwarding the necessary documents to management; and

    4. providing consultative support to management for administration of appropriate discipline.

  2. Information Technology (IT) Cybersecurity is responsible for reviewing and certifying various data security reports. Cybersecurity must analyze and partner with management to determine the validity of account-related accesses. Questionable accesses are referred to TIGTA as potential UNAX violations.

  3. The IRS organizations assign business unit Points of Contact (POCs) for the annual UNAX briefing and eCertification process. They are responsible for the following:

    1. attending meetings to discuss data security – including UNAX;

    2. working with the Privacy, Governmental Liaison and Disclosure (PGLD) UNAX team and their business unit managers to ensure all of their business unit employees complete the required briefings and certifications;

    3. supporting the Annual UNAX Briefing process by collecting and accounting for each Form 11370, Certification of Annual Awareness Briefing, within their business unit that could not be completed online;

    4. submitting completed Form 11370s to the National Archives and Records Administration (NARA) for inclusion in employees’ Official Personnel Folders;

    5. reviewing the business unit’s completion statistics; and

    6. informing management officials of the business unit’s UNAX Awareness Briefing completion rates.

  4. Agency Wide Shared Services (AWSS), Physical Security and Emergency Preparedness. The Contractor Security Management (CSM) manages contractors' completion of the Annual UNAX Awareness Briefing and ensures system and facility accesses are removed when a contractor separates. Contractors, like all IRS employees, are required to complete an Annual UNAX Awareness Briefing and provide a completed Form 11370 to their Contracting Officer’s Representative (COR).

  5. Treasury Inspector General for Tax Administration (TIGTA) is responsible for investigating all UNAX allegations. That responsibility covers all leads, including computer inspection techniques and computer system generated audit trails. Evidence of substantiated UNAX violations will be referred to the Department of Justice for Criminal Prosecution of UNAX.

  6. The Office of Privacy and Information Protection (PIP) UNAX Program Team, within PGLD, is responsible for the development and distribution of UNAX educational materials, including the Annual UNAX Awareness Briefing aimed at preventing and reducing the number of UNAX incidents.

  7. All Senior Executives and managers are responsible for:

    1. monitoring, assigning or removing employee or contractor access to IRS (internal or external) computing systems as needed based on assigned IRS duties. Systems that must be monitored include (but are not limited to): Integrated Data Retrieval System (IDRS), Accounts Management System (AMS), Transcript Delivery System (TDS), Registered User Portal (RUP), Employee User Portal (EUP) etc.,

    2. approving employee access to any internal or external IRS computer system only when required to complete official IRS duties as assigned by management, and

    3. removing access to any internal or external computer system when it is no longer required to complete official IRS duties as assigned by management.

  8. All IRS employees and contractors are responsible for:

    1. accessing IRS paper or electronic tax records or tax information only when it is required to complete official IRS duties as assigned by management;

    2. informing their managers when they no longer require access to a specific IRS internal or external computer system or command code requiring administrative approval;

    3. refraining from accessing unauthorized tax information; and

    4. refraining from initiating an access to their own records, or the records of anyone with whom they have a covered relationship, because employees are not authorized to make such accesses. This includes:

      • Their spouse and any ex-spouses;

      • Their children;

      • Their parents;

      • Anyone living in their household;

      • Their other close relatives;

      • Friends or neighbors with whom they have close relationships;

      • Celebrities, when the information is not needed to carry out tax related duties;

      • An individual or organization for which they or their spouse is an officer, trustee, general partner, agent, attorney, consultant, contractor, employee, or member; and

      • Any other individual or organization with which they may have a personal or outside business relationship that could raise questions about their lack of impartiality in handling the tax matter.

      • Any other individual, unless access is required by their duties as assigned by management.

10.5.5.2.1  (08-26-2013)
PIP UNAX Program Team Roles and Responsibilities

  1. The IRS is committed to preventing the willful unauthorized access, attempted access and inspection of taxpayer records. The PIP UNAX Program Team's mission is to ensure all employees and contractors:

    1. Understand what UNAX is;

    2. Understand what the consequences are if an employee accesses or inspects taxpayer records or tax information (electronic or paper) for other than management authorized tax administration reasons; and

    3. Work to prevent all instances of UNAX violations. Please refer to the UNAX website for additional information: http://irweb.irs.gov/AboutIRS/bu/pipds/pip/privacy/unax/default.aspx

  2. The UNAX Program Team shall, in partnership with TIGTA, HCO, IT Cybersecurity and other stakeholders, develop and implement a comprehensive Servicewide UNAX program that includes:

    1. UNAX education;

    2. UNAX detection; and

    3. UNAX compliance for employees and contractors.

  3. The UNAX Program Team shall, in partnership with TIGTA, HCO, IT Cybersecurity and other stakeholders, take action to:

    1. Mitigate weaknesses in programs and systems that lead to low UNAX compliance rates;

    2. Identify areas for compliance improvement;

    3. Re-train and certify employees and contractors;

    4. Implement other measures designed to foster voluntary UNAX compliance; and

    5. Stop all willful and attempted unauthorized access, and inspection of taxpayer records.

  4. Update, administer and maintain the IRS UNAX website containing information, policies, procedures, forms and links that support the UNAX program;

  5. Communicate and administer the Servicewide Annual UNAX Awareness Briefing Certification Program (for employees only) to include:

    1. Review and update, in partnership with all stakeholders, UNAX briefing materials to keep information current, relevant and effective;

    2. Track the numbers of employees who take the annual training, and provide relevant statistical data to IRS executive leadership;

    3. Request Senior officials to designate UNAX coordinators for their respective organizations on a yearly basis;

    4. Provide instruction and guidance to business unit UNAX coordinators prior to and during the annual Servicewide mandatory training cycle to ensure accurate reporting of the numbers of employees who complete the briefing;

    5. Prepare and deliver reports to senior officials that track the numbers of employees who take the training, and

    6. Investigate reasons for business units with low rates of compliance.

  6. As required by 26 USC 7431(e), notify taxpayer victims when a person is charged criminally by indictment or information with unauthorized inspection or disclosure (prior to any possible conviction), as reported by TIGTA, and send notification letters to taxpayer victims alerting them of permissible next steps;

  7. Brief newly appointed executives regarding the UNAX program focusing on their UNAX responsibilities;

  8. Provide all managers the guidance and tools needed to help them maintain an ongoing dialogue with their employees and contractors about UNAX violations and the consequences and penalties for willfully accessing or inspecting taxpayer records for other than authorized tax administrative duties as assigned by management;

  9. Respond to inquiries from managers, employees and taxpayers concerning UNAX reporting requirements and other UNAX inquiries, or refer them to other UNAX subject matter experts and stakeholders as appropriate;

  10. Educate Senior officials and managers on recertification requirements to ensure that all employees returning to work from UNAX disciplinary actions or after an extended absence or furlough complete recertification:

    1. within thirty days if they had previously completed the mandatory briefing during the preceding 12 months;

    2. immediately upon return to duty, if they had not.

  11. Develop and distribute comprehensive “just-in-time” Servicewide communications for all employees to understand the importance of the mandatory Annual UNAX Awareness Briefing and the rules for certifying that the training was completed; and

  12. Ensure Senior officials, managers and employees understand the procedures, next steps and consequences for employees who refuse to take the mandatory Annual UNAX Awareness Briefing.

10.5.5.2.2  (08-26-2013)
Manager UNAX Responsibilities

  1. All managers must take an active role to prevent willful and attempted unauthorized access, and inspection of taxpayer information in electronic and paper form. This involves overseeing employees’ work as well as continually stressing the importance of protecting and securing taxpayer records;

  2. IRS Manager’s Guide to Penalty Determinations (Doc. 11500) located at http://publish.no.irs.gov/getpdf.cgi?catnum=32178 states that managers may be subject to written reprimand, suspension or removal for failure to adequately instruct, train, or supervise employees in their responsibilities for record and information protection;

  3. Communicating with employees on a regular basis ensures they are aware of UNAX prohibitions and the penalties. Communication also ensures employees know how to document and report inadvertent or unintentional access;

  4. Managers are responsible for the timely and thorough review of available system security reports. Managers must report suspected UNAX violations or any unusual activity to TIGTA for investigation;

  5. Managers must monitor and ensure that employees have access to IRS internal or external computer systems containing taxpayer information only when necessary to complete their IRS officially assigned duties;

  6. Managers must ensure employees who are being investigated for UNAX violations are promptly removed from IDRS and any other IRS computer system requiring administrative approval and containing taxpayer information. Managers must also ensure these employees are removed from other tax related duties;

  7. Signing and timely submitting Form 11377 or Form 11377-E, Taxpayer Data Access, to the designated head of office designee. Form 11377 or Form 11377-E is used to document accesses to taxpayer information not supported by direct case assignment or which may otherwise appear questionable. A manager’s signature on this form does not imply authorization for documented accesses. The access may still be subjected to further review and investigation. Managers must refer all questionable accesses to TIGTA;

  8. Making fair and timely reassignments whenever an employee reports having a covered relationship with an individual or organization in an assigned tax duty which may cause a conflict of interest. Form 4442, Inquiry Referral, may be used by the employee to request such reassignments, thus avoiding a possible conflict of interest;

  9. Educating employees to avoid UNAX violations, and assuring employees know the consequences of their actions;

  10. Leading by example; and

  11. Ensuring their employees’ access to IRS internal or external computer systems is:

    1. controlled through the OL5081 approval process,

    2. granted only when required to complete official duties, and

    3. removed when no longer required to complete official duties.

10.5.5.2.3  (08-26-2013)
Employee UNAX Responsibilities

  1. All IRS employees (including managers, executives and contractors) are responsible for protecting the confidentiality and privacy of taxpayer information to which they have access. They are responsible for understanding what UNAX means and what the potential consequences are for the willful or attempted unauthorized access, or inspection of paper or electronic taxpayer records. Employees should always err on the side of caution. If they are uncertain whether or not an access or inspection is appropriate, they should first consult with their managers.

  2. The IRS relies on the ethics and integrity of its employees and enlists their support in eliminating "all" cases of UNAX.

  3. Employees should complete Form 11377 or 11377-E, Taxpayer Data Access to document certain accesses when one of the following situations occurs:

    1. Accessed tax return information in error (such as accidentally entering an incorrect taxpayer identification number);

    2. Researched other taxpayer's information as it related to an assigned case;

    3. Received requests from management to access taxpayer information on cases not assigned to the employee;

    4. Accessed tax return or tax information of another IRS employee on an assigned case before recognizing the individual as someone known to the employee; and

    5. Accessed tax return or tax information on an assigned case of an individual or organization before recognizing it as belonging to a person or business with whom the employee has a personal or business relationship.

  4. Review and apply the guidance within this IRM, the Employee's Guide to Safeguarding Taxpayer Records - Renewing Our Commitment Document 10281, Catalog Number 24946N at http://publish.no.irs.gov/getpdf.cgi?catnum=24946 and other local UNAX directives;

  5. Take the Annual UNAX Awareness Briefing and complete the Certification documentation either online or, if the briefing was not completed online, by filling out Form 11370, Certification of Annual UNAX Awareness Briefing: http://publish.no.irs.gov/getpdf.cgi?catnum=24947

  6. Timely refer to management cases where the employee's personal or business relationship can raise questions concerning a possible lack of impartiality in handling a tax matter. (Please see covered relationships in 10.5.5.1 (3) h for additional information.) Employees should use Form 4442, Inquiry Referral, for this purpose. Refer to: http://publish.no.irs.gov/getpdf.cgi?catnum=22950

  7. Refrain from accessing returns and return information of other employees known to them unless approved in writing by management;

  8. Inform their managers when access to an IRS internal or external computer system or command code, requiring administrative approval and not available to the general public, is no longer required to complete IRS officially assigned duties;

  9. Refrain from accessing or asking other IRS employees to access information of individuals with whom they have a "covered relationship";

  10. Report any knowledge of a suspected UNAX violation to their local TIGTA office or to the TIGTA toll-free hotline at: 1-800-366-4484. TIGTA is responsible for investigating all UNAX allegations. IRS employees are protected by law from reprisals when they have reasonable cause to report suspected UNAX violations to TIGTA;

  11. Refrain from accessing tax returns or tax return information in any IRS internal or external computer system (e.g., IDRS, AMS, TDS, RUP, EUP, etc.) unless the access is necessary to complete their official IRS duties as assigned by management; and

  12. Refrain from accessing tax returns or tax return information on a personal computer that they are not authorized to access on their work computer. For example: An IRS employee had formerly held a position as an accountant prior to becoming employed by IRS. He kept his access to the IRS Registered Users Portal (RUP). The employee accessed tax return information on the RUP of a former client on his personal computer. This is an unauthorized access and a UNAX violation. IRS employees can only access those accounts assigned to them by IRS management as part of their official IRS tax duties.

10.5.5.3  (08-26-2013)
Covered Relationships and Official Channels

  1. The IRS policy on access to paper and electronic tax returns and return information states “Employees are only allowed access to tax returns and return information when the information is received through official channels and is needed to carry out official IRS tax duties”;

  2. Official Channels include:

    1. Cases assigned by a manager;

    2. Taxpayer walk-ins;

    3. Telephone calls from taxpayers;

    4. Official correspondence; and

    5. Related case inquiries.

  3. Unofficial Channels include:

    1. Requests from individuals at social functions and non-work environments; and

    2. Requests received from close friends, close relatives, close neighbors or co-workers whom you know.

  4. Covered Relationships are those personal or business relationships that can raise questions on the appearance of a lack of impartiality in the handling of a tax matter. These individuals or businesses are perceived as receiving expedited or preferential treatment that is unavailable to the general taxpayer public. They include requests that were not received through the normal course of business or through official or administrative channels. Employees are not authorized to access the tax records or tax information of anyone with whom they have a covered relationship:

    1. Their spouse and any ex-spouses;

    2. Their children;

    3. Their parents;

    4. Anyone living in their household;

    5. Their other close relatives;

    6. Friends or neighbors with whom they have close relationships;

    7. Celebrities, when the information is not needed to carry out tax related duties;

    8. An individual or organization for which they or their spouse is an officer, trustee, general partner, agent, attorney, consultant, contractor, employee, or member; and

    9. Any other individual or organization with whom they may have a personal or outside business relationship that could raise questions about their lack of impartiality in handling the tax matter.

  5. Celebrity browsing or inspection of a celebrity's return or return information constitutes a serious UNAX violation with potential for fines, imprisonment, and dismissal. Employees have no legitimate tax-related reason to access the account of a celebrity unless they receive the matter through official channels or in the normal course of business.

10.5.5.4  (08-26-2013)
Violations of IRS Policy on UNAX

  1. The willful unauthorized access or inspection of taxpayer information - both electronic and paper - is a crime. Upon conviction, employees can be subject to penalties ranging from job loss to fines and prison terms.

  2. The IRS established the IRS Manager’s Guide to Penalty Determinations (Document 11500) to cover UNAX violations that are not criminally prosecuted. Access the Penalty Guide at: http://publish.no.irs.gov/getpdf.cgi?catnum=32178

  3. Administrative penalties for violating the UNAX Policy range from removal from Federal Service to suspension from duty and pay.

    1. The Agency can still take disciplinary action against employees for violating the Agency’s UNAX policy even though they may not be criminally charged with violating the Taxpayer Browsing Protection Act.

  4. The information in the Penalty Guide applies to all IRS employees who have completed their probationary or trial period. It does not apply to individuals serving a probationary or trial period.

  5. Criminal Penalties Assessed Upon Conviction for Violating the Taxpayer Browsing Protection Act Include:

    1. A fine in any amount not exceeding $1,000;

    2. Imprisonment of not more than one year;

    3. Both the fine and imprisonment; and

    4. Cost of prosecution, restitution.

  6. Non-Criminal Penalties: If Federal officer or employee, discharge from employment.

  7. Civil Penalties: Taxpayers have the right to take legal action against the IRS when they are victims of unlawful access or inspection even if their information is never revealed to a third party. IRS is required to notify taxpayers that their records have been accessed without authorization when an employee or manager is criminally charged.

