AccessibilitySkip to Top NavigationSkip to Main ContentHome  |  Contact IRS  |  About IRS  |  Site Map  |  Español  |  Help  

Part 11. Communications and Liaison

Chapter 3. Disclosure of Official Information

Section 36. Safeguard Review Program

11.3.36  Safeguard Review Program

11.3.36.1  (05-06-2003)
Purpose

  1. This section provides instructions and guidelines for Disclosure personnel who are responsible for ensuring that agencies, their authorized agents and/or contractors, and IRS contractors which receive tax data from the Internal Revenue Service (IRS) maintain adequate safeguards for the protection of this data. It establishes general procedures for performing safeguard evaluations and reviews. Instructional guidelines are included to help the reviewer determine whether the agencies are providing adequate protection for tax data consistent with Service standards.

    Note:

    The term agency includes Federal, state, local agencies and their authorized agents or contractors. The term contractor will generally be used with reference to agency contractors, while IRS contractors will be referred to as such.

  2. The safeguard program should be a cooperative effort with the recipient agencies, their authorized agents, their authorized contractors, and with IRS contractors, to ensure the confidentiality of the tax data. Interaction and education are key elements in promoting protection of tax information. However, in order to fulfill legal responsibilities, the program must also maintain a viable enforcement capability.

11.3.36.2  (05-06-2003)
Legal Requirements

  1. In accordance with legal requirements of Internal Revenue Code (IRC) 6103 and written agreements, the Service discloses tax data to various Federal, state, and local agencies, as well as contractors.

  2. IRC 6103(p)(4) requires that agencies receiving tax returns and return information provide adequate safeguards to protect the confidentiality of the tax returns and return information to the satisfaction of the Secretary (of Treasury).

  3. IRC 6103(p)(4)(E) requires the following recipients of Federal tax returns or return information to report to the Secretary their safeguard procedures for protecting those returns and return information:

    1. Federal agencies that receive information for certain purposes;

    2. the General Accounting Office (GAO);

    3. State tax agencies, bodies, or commissions;

    4. State and local child support enforcement agencies;

    5. State public assistance and law enforcement agencies;

    6. Agents and contractors of child support enforcement agencies, Federal lending agencies (including lenders, agencies and educational institutions) and their agents (reports are to be submitted through the contracting agencies).

      Note:

      This pertains to any agency, lender, and institution disclosing mailing addresses received pursuant to IRC 6103(l)(6)(A),(l)(12)(B), (m)(2), (4),(6), or (7) to its agent(s) and contractor(s).

  4. The provisions of 26 CFR 301.6103(n)-1(d) authorize the IRS to determine the compliance with any safeguards imposed on all contractors, whether agency or IRS contractors. IRC 6103(p)(4)(E), being imposed upon contractors for which the Headquarters Safeguards office has compliance review responsibility, requires that a person (contractor) must submit a Safeguard Procedures Report (SPR) which describes the safeguards established and that will be used to protect the confidentiality of tax data received from the IRS.

    Note:

    SPRs from contractors of IRS are also addressed at subsection 24.3.2(1) of this IRM.

  5. IRC 6103(p)(8) requires that states provide safeguards which protect the confidentiality of the copy of the Federal return (or portion thereof) that is attached to or reflected on any State tax returns as may be required of taxpayers by the state.

    Note:

    When preparing for a safeguard review that includes IRC 6103(p)(8) data, refer to IRM 11.3.32.14.1 which discusses the state law requirements pursuant to IRC 6103(p)(8).

  6. IRC 6103(p)(5) requires the Commissioner to furnish annual reports to the House Committee on Ways and Means, the Senate Finance Committee, and the Joint Committee on Taxation. The reports describe procedures and safeguards established by the various agencies and contractors receiving Federal tax data, as well as indicating deficiencies on the part of the agencies and contractors.

  7. IRC 7213 provides criminal penalties for unauthorized disclosures of Federal tax data.

  8. IRC 7213A provides criminal penalties for unauthorized inspection of any return or return information by officers and employees of the United States, officers and employees of persons described in IRC 6103(n), state and other employees.

  9. IRC 7431 provides civil remedies for violations of the disclosure and inspection statutes.

  10. A complete listing of the applicable security laws, regulations, and other guidance is contained in Exhibits 2.1.10–1 and 2.1.10–2 of IRM 2.1.10, Automated Information Systems Security.

11.3.36.3  (05-06-2003)
Awareness

  1. When an agency or a contractor is authorized to receive, or expresses an interest in receiving, tax information which requires safeguarding, IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, will be sent to the agency or contractor to advise them of the safeguard requirements. Assistance should be offered to the agency and to the contractor to resolve any questions.

  2. Employee awareness should be stressed. Training material such as IRS videos, Safeguarding IRS Confidential should be made available to agencies and contractors prior to their initial receipt of Federal tax information. Whenever possible, Disclosure personnel should assist agencies to develop and present disclosure and safeguard training.

  3. All contractors authorized to receive Federal tax information will be sent the IRS video, Safeguarding IRS Confidential Information — A Guide for Contractors and its accompanying pocket guide (Document 9946), IRS Disclosure Awareness Pocket Guide for Contractors.

    Note:

    Disclosure Officers should provide assistance to agencies as may be needed to effect compliance. Contracting Officer's Technical Representatives (COTRs) are to effect compliance as respects contractors of the IRS.

  4. An active awareness program should adequately inform agencies receiving tax returns and return information of the statutory requirements for, and their responsibility in, ensuring the confidentiality of Federal tax returns and return information. Disclosure Officers may request Governmental Liaison & Disclosure (GLD) Area Manager and Headquarters assistance for large group presentations or programs requiring specialized technical knowledge.

11.3.36.4  (12-31-2001)
Implementing Requirements

  1. The recipients listed in subsection 36.2(3) and (4) must submit the following:

    1. Safeguard Procedures Reports, and

    2. Annual Safeguard Activity Reports.

  2. These reports are described in detail in subsections 36.6 and 36.7.

  3. The Service reviews reports received from agencies and contractors to determine the adequacy of their safeguards.

  4. If an agency or contractor fails to submit a required report or to provide sufficient information to allow the Service to determine the adequacy of its safeguards, the reviewer may propose withholding tax information from that agency. Subsection 36.8.1 provides additional guidance.

  5. On-site reviews of agencies' and contractors' safeguards are undertaken when the criteria in subsection 36.10 are met.

11.3.36.5  (05-06-2003)
Responsibilities

  1. The Headquarters Safeguards Office (HQS), within the Office of Governmental Liaison and Disclosure (GLD), has oversight responsibility for the safeguard program nationwide. HQS also has specific program responsibility as listed in Exhibit 11.3.36–1.

  2. Disclosure Offices have responsibility for the safeguard review program for state tax agencies, their authorized agents, and their authorized contractors. Responsibility for performing safeguard reviews of certain contractors receiving Federal tax information under IRC 6103(n) is assigned to the Headquarters Safeguards Office (see IRM 11.3.24.3.3(6)).

  3. The Office of Governmental Liaison and Disclosure will conduct periodic safeguard program evaluative visits of GLD area offices.

  4. GLD Area Managers will conduct periodic safeguard program evaluative visits of the Disclosure offices. As part of the oversight activities, "need and use" documentation and reviews, Safeguard Procedures Reports, Safeguard Activity Reports, and Safeguard Review Reports will be reviewed and documented.

  5. Campus Disclosure Officers are responsible for reporting to the liaison Disclosure Office information regarding disclosures made to state agencies. These reports should contain the number and type of disclosures and any other information useful to the liaison Disclosure Office and the GLD Area Manager. Campus Disclosure staff may, at the direction of the GLD Area Manager and the concurrence of Campus management, participate in safeguard reviews of agencies and contractors receiving Federal tax data.

  6. Security personnel (e.g., physical or computer security analysts) will be consulted when questions arise requiring their expertise. (See subsection 36.10.1(2) regarding the inclusion of computer security personnel on safeguard reviews.)

11.3.36.5.1  (05-06-2003)
Agency Reports

  1. External agencies and their contractors that receive Federal tax returns and/or return information subject to the safeguards of IRC 6103(p)(4) must file a Safeguard Procedures Report (SPR) with the Service prior to the receipt of the tax information. This enables the Service to review the agency's and contractor's procedures for protecting return information from unauthorized inspection or disclosure before the information is released. Agencies must submit a revised Safeguard Procedures Report whenever significant changes occur in their safeguard program; this should take into consideration changes made by agency contractors. See the subsection on " Submission of Safeguard Procedures." Exhibit 11.3.36-1 identifies the IRS GLD offices and their responsibilities for each type of agency in the safeguard awareness, evaluation and review process.

    Note:

    Prior to initiating significant changes to their safeguard program, agency contractors and IRS contractors, from which the Headquarters Safeguards Office solicited an SPR, must submit a revised SPR and obtain written approval from the respective IRS Disclosure Officer or the COTR. A copy of the approval document will be attached to the revised SPR and maintained by the Disclosure Officer or the Headquarters Safeguards Office for the life of the revised SPR.

  2. Annually thereafter, agencies submit a Safeguard Activity Report (SAR)to certify that they are continuing to protect return information. Refer to IRM 11.3.24.3.2(1) for information on recertifying SARs from contractors.

  3. It is important that these reports are complete and remain current. In order for agencies and contractors to submit acceptable reports, recipients of Federal tax information must be aware of the IRS reporting requirements. The requirements are outlined below and are included in IRS Publication 1075, Tax Information Security Guidelines for Federal, State, and Local Agencies.

  4. Authorized agents and contractors are to submit their SPRs and SARs to the agency for routing to the IRS Disclosure Office. IRS contractors are to submit their SPR and SARs to the COTR; refer to IRM 11.3.24.3.2(1)(b) for additional discussion of the necessary reporting requirements for contractors.

  5. Agency and contractor reports will be evaluated upon receipt. If reports are complete and no significant questions arise, the evaluation should be concluded within 45 calendar days for the SPR and 30 calendar days for the SAR, with written notification to the agency and contractor via the agency.

    Note:

    SPRs must be accepted prior to initial release of Federal tax returns and/or return information to agencies and their contractors.

  6. It is essential that Disclosure Officers take a pro-active approach in assuring that agencies and agency contractors submit complete and comprehensive SPRs. To the extent necessary, hands-on guidance/assistance should be provided so that the agencies and their contractors will be aware of what kind of information is Federal tax information, its level of importance, and when new reports are needed.

11.3.36.6  (12-31-2001)
Safeguard Procedures Report

  1. IRC 6103(p)(4)(E) requires agencies and contractors receiving tax information to file a report that describes the procedures established and utilized by the agency or the contractor for ensuring the confidentiality of Federal tax information. The Safeguard Procedures Report is a record of how the agency or the contractor uses the information, and how it is protected from unauthorized inspection or disclosure by that agency or contractor.

  2. A Safeguard Procedures Report should also be considered the agency’s or the contractor's procedural guide for the use and protection of the Federal tax information. Therefore, the Safeguard Procedures Report should be written in such a manner, and include sufficient detail, to enhance its use as a procedural guideline by agency and contractor personnel, as well as meeting the Federal safeguards reporting requirements of IRC 6103(p)(4)(E).

11.3.36.6.1  (05-06-2003)
Safeguard Procedures Report Preparation Guidelines

  1. Agencies and contractors are required to develop safeguard procedures for all tax data received and all uses of that data by the agency or the contractor. Agencies and contractors receiving tax information under a single section of the Code may have several separate or independent uses of the data within the agency, involving several programs or functional units. The report should describe the various program uses and attendant safeguards in the information paragraph Flow of the Data; refer to subsection 36.6.2(4).

    Note:

    State public assistance and child support enforcement agencies receive data under separate provisions of the IRC and are considered separate agencies; therefore, they must file separate Safeguard Procedures Reports.

  2. Disclosures Under Multiple Code Sections (Federal Agencies)—Some Federal agencies receive tax return information from the IRS under the authority of more than one section of the Internal Revenue Code. In these cases, the agency must distinguish between the IRC sections, and provide safeguard procedures for each program or use. The agency may either file separate Safeguard Procedures Reports or consolidate the separate procedures for the various programs or uses into a single SPR.

  3. Federal, state, and local agencies requesting Form 8300 information pursuant to IRC 6103(I)(15) must file a separate SPR for this program. All agencies requesting data under IRC 6103(I)(15) should be referred to the Director, Governmental Liaison and Disclosure (Attention: Headquarters Safeguards Office).

    Note:

    Where IRS/CI and the U.S. Attorney's Office are among the participants of a multi-agency task force, and there is an investigative need to obtain Form 8300 information, the Assistant U.S. Attorney (AUSA) assigned to the task force is to request the information. Safeguards will therefore be centralized with the AUSA.

11.3.36.6.2  (05-06-2003)
Safeguard Procedures Report Content

  1. Responsible Officer(s)

    1. The name, title, address and telephone number of the agency official, agent, or contractor authorized to request the tax information from the IRS.

    2. The name, title, address and telephone number of the agency official, agent, or contractor responsible for the implementation of the safeguard procedures.

  2. Initial/new recipient agencies must include a copy of the statute(s) governing their activities for which Federal tax information will be used, including legal authorities or delegation orders permitting use and access, as may be applicable.

  3. Location of the Data—Include an organization chart or narrative description of the receiving organization agency, agent, or contractor that includes all functions where tax data will be processed or maintained. If the information is to be used or processed by more than one function, then the pertinent information must be included for each function.

  4. Flow of the Data—The report must contain a chart or narrative description of :

    a) the flow of the Federal tax data from its receipt through its return to the Service or its destruction,
    b) how it is used or processed, and
    c) how it is protected along the way.

    Note:

    It should be indicated if the Federal tax data is commingled or transcribed into non-tax data kept by the agency or contractor. If there are multiple uses (programs) or agency organizations using the Federal tax data, then there may be several different flow charts or narratives to describe all of the uses (programs).

  5. System of Records—A description of the permanent record(s) used to document requests for, receipt of, dissemination of (if applicable), and final disposition (return to the IRS or destruction) of the tax returns or return information (including tapes or cartridges). Agencies and contractors are expected to be able to provide an "audit trail" for information requested and received, including any copies or distribution beyond the original document/media.

  6. Secure Storage of the Data—A description of the security measures employed to provide secure storage for the Federal tax data when it is not in current use. Secure storage encompasses such diverse considerations as locked files or containers, secured facilities, key or combination control, off-site storage, and restricted areas. It is requested that Federal agencies submit a Vulnerability Assessment completed by the General Services Administration for their building(s) as it addresses physical security.

  7. Restricting Access to the Data—Restricting access to Federal tax information is the keystone of a sound safeguard policy, and a basic premise of the safeguard procedures employed by an agency, authorized agent, and contractor to ensure confidentiality. The agency’s and contractor's procedures should be designed to strictly limit access to the data to those employees with a need-to-know, and to prevent casual or unintended access (see IRC 7213A). The Safeguard Procedures Report should contain as much detail as necessary to provide assurance that the Federal tax information remains confidential and the taxpayer’s right to privacy is protected. The report should describe the procedural, physical, and systemic means employed to limit unauthorized access to the information as the information is used by the agency, organizations within the agency, and contractors.

  8. Disposal—A description of the method(s) of disposal of the different types of tax information provided by the IRS, and/or produced by the agency and contractor (e.g. print-outs, back-up tapes and the like), if not returned to the IRS. The IRS has the right to request a written report that documents the method of destruction and which records were destroyed (see paragraph (5), System of Records, above).

  9. Computer Security—All automated information systems and networks that receive, process, store, or transmit sensitive but unclassified information (tax return information) must meet the requirements for Controlled Access Protection as evaluated by the National Institute of Standards and Technology.

    1. Microprocessors and Mainframe Systems—Describe the systemic controls employed to ensure compliance with the requirements for Controlled Access Protection. Additional comments regarding the safeguards employed to ensure the protection of the computer system and authorized access to the return information are also appropriate.

    2. Personal Computers—If return information is (or is likely to be) used or processed by agency and contractor employees on personal computers, the Safeguard Procedures Report must include procedures for ensuring that all data is safeguarded from unauthorized access or disclosure. The SPR should include procedures that ensure secure storage of the disks and the data, limit access to the disk(s) or computer screens, and ensure proper destruction of the data.

  10. Disclosure Awareness Program—Each agency and contractor receiving returns and return information should have an awareness program by which all employees having access to the tax information certify annual notification of the confidentiality provisions of the Internal Revenue Code, what constitutes Federal tax information, and the civil and criminal sanctions for unauthorized inspection or disclosure. A description of the formal program should be included in the Safeguard Procedures Report.

11.3.36.6.3  (05-06-2003)
Submission of Safeguard Procedures Reports

  1. The initial Safeguard Procedures Report should be submitted to the IRS at least 45 days prior to the scheduled or requested receipt of Federal tax information. Additional disclosures or receipts under the same authorizing IRC section do not require additional SPRs.

  2. If the safeguard procedures outlined in the most recent Safeguard Procedures Report have become obsolete because of organizational or procedural changes within the agency, a new SPR should be filed.

  3. Whenever legislative change authorizes an agency to receive tax data for a new or different purpose, a new or revised Safeguard Procedures Report covering the additional program(s) must be filed.

    Note:

    It is conceivable that an addendum to the existing SPR may be all that is necessary, e.g. an additional program is added as a result of legislative change.

  4. All agencies listed at 36.5(1) above should submit their SPRs and the reports of their authorized agents and contractors to:
    Deputy Director
    Office of Governmental Liaison and Disclosure
    CL:GLD, Room 1603IR
    Attn: Headquarters Safeguards Office
    1111 Constitution Avenue, NW
    Washington, DC 20224

  5. Reports from state tax agencies and their authorized contractors should be submitted to the GLD Area Manager (Attn: " Liaison" Disclosure Officer). The "Liaison" Disclosure Officer is the one that has oversight responsibility for the State tax agency.

11.3.36.7  (05-06-2003)
Safeguard Activity Report

  1. Each agency and contractor requesting or receiving Federal tax returns or return information is required to file a Safeguard Procedures Report describing the procedures and safeguards utilized to ensure the confidentiality of the information.

  2. Annually thereafter, the agency and the contractor must file a Safeguard Activity Report which serves to:

    1. advise the IRS of minor modifications/changes to the procedures or safeguards described in the Safeguard Procedures Report,

    2. advise the IRS of future actions which will affect the agency’s or the contractor's safeguard procedures,

    3. summarize the agency’s or the contractor's current activities pertaining to awareness, inspections, destruction, and other methods used to ensure the confidentiality of the tax return information, and

    4. certify that the agency or the contractor is protecting tax return information in accordance with IRC 6103(p)(4) and the agency’s and contractor's own security requirements.

11.3.36.7.1  (05-06-2003)
Content of Safeguard Activity Report

  1. Changes to information or procedures previously reported, e.g.

    1. responsible officers or employees;

    2. functional organizations using the data;

    3. computer facilities or equipment and system security changes or enhancements;

    4. physical security changes or enhancements;

    5. retention or disposal policy or methods.

  2. Current annual safeguard activities shall include, at a minimum, the following items:

    1. Disclosure Awareness Program—Describe the efforts to inform all employees having access to Federal tax returns or return information of the confidentiality requirements of the Internal Revenue Code, the agency’s or the contractor's security requirements, and of the sanctions imposed for unauthorized inspection or disclosure of return information;

    2. Reports of Internal Inspections—Copies of the Inspection Reports, and a narrative of the corrective actions taken (or planned) to correct any deficiencies, should be included with the annual Safeguard Activity Report;

    3. Disposal of Federal Tax Data—Report the disposal of Federal tax data. The information should be adequate to identify the material destroyed and the date and manner of destruction; and

    4. IRC 7213A - Ensure proper training and certification to protect from as well as detect unauthorized inspection of Federal tax data.

  3. Actions on Safeguard Review Recommendations—If a safeguard review has been conducted and changes recommended by the IRS, the agency and/or the contractor should report all actions that have been taken (or are being initiated) regarding those recommendations.

  4. Planned Actions Affecting Safeguard Procedures—Any planned agency or contractor action which would create a major change to current procedures or safeguard considerations should be reported. Such major changes would include, but are not limited to, new computer equipment, facilities or systems, or use of a non-agency contractor (as permitted by law or regulation) or subcontractors, to perform programming, processing or administrative services requiring access to Federal tax information.

11.3.36.7.2  (05-06-2003)
Submission of Safeguard Activity Reports

  1. Federal agencies and state Child Support Enforcement Agencies—Safeguard Activity Reports should be submitted for the calendar year by January 31 of the following year to:
    Deputy Director,
    Office of Governmental Liaison and Disclosure
    CL:GLD, Room 1603IR
    Attn: Headquarters Safeguards Office
    1111 Constitution Avenue, NW
    Washington, DC 20224

  2. State Tax Agencies — Their Safeguard Activity Reports and the reports of their authorized agents and authorized contractors for the calendar year should be submitted by January 31 of the following year to the liaison Disclosure Officer.

  3. State Public Assistance Agencies — Safeguard Activity Reports for the processing year (July 1 through June 30) should be submitted by September 30 to:
    Deputy Director,
    Office of Governmental Liaison and Disclosure
    CL:GLD, Room 1603IR
    Attn: Headquarters Safeguards Office
    1111 Constitution Avenue, NW
    Washington, DC 20224

  4. Federal, State, and Local Law Enforcement Agencies — Agencies receiving Form 8300s pursuant to IRC 6103(l)(15) should submit their reports for the processing year (May 1 through April 30) by June 30 to the address in (3) above.

  5. Disclosure personnel need to evaluate SARs thoroughly and quickly. If an SAR is incomplete or unclear, the agency or the contractor should be contacted and asked to provide the necessary additional information. The aggregate reports (most current SPR and SARS) should clearly reflect the safeguard procedures in place at the present time.

11.3.36.8  (12-31-2001)
Analysis of Records

  1. In order to make supportable recommendations, reviewers need to have a thorough understanding of applicable statutes, Treasury regulations, agency agreements and contracts, and the agency’s and the contractor's system of processing Federal tax data.

  2. The familiarization process is accomplished through a review of all the written information available in the file, with emphasis on the following references and sources:

    1. Safeguard Procedures Report—The SPR should always be reviewed against the subsequent (and, perhaps, prior) Safeguard Activity Reports and last two (2) safeguard review reports;

    2. Publication 1075 —Tax information Security Guidelines for Federal, State and Local Agencies;

    3. Studies and audits—GAO and other studies conducted of an agency's general and data processing operation may give pertinent information;

    4. Safeguard Review Reports—if previous reviews were conducted, the reports should be examined for previous findings, recommendations, and follow-up actions;

    5. Treasury Inspector General for Tax Administration (TIGTA)—TIGTA may have information about the agency and the contractor that could have an impact on the sharing of Federal tax information;

    6. Safeguard Activity Reports — the SARs provide useful information, e.g. current Responsible Officer(s), the number of offices inspected, latest calendar/tax years of latest tax data destroyed, enhancements to computer systems;

    7. Campus Disclosure Office— review Campus transmittal documents to determine the type and volume of disclosures made to the agency and to the contractor.

11.3.36.8.1  (05-06-2003)
Delinquent or Incomplete Reports or Reported Deficiencies

  1. Delinquent reports, reports with incomplete information or reports which reveal safeguard deficiencies should initially be resolved through informal telephone contact between the reviewer and the agency or the COTR, in regards to SPRs solicited by the Headquarters Safeguards Office.

    Reminder:

    Any requests for missing reports, material, or actions to correct deficiencies should be followed up in writing.

  2. If an agency or contractor has sent the required report but does not supply missing information or take corrective action upon request, the reviewer should consider a limited review (see subsection 36.10.7) in order to obtain the information or cause corrective action to be taken.

  3. If the agency or contractor fails to respond to a request for scheduling an on-site limited review, then formal procedures to withhold tax information may be initiated (see subsection 36.14.3). Conducting a review is an option and not required.

  4. Reasonable attempts, including at least one written request, must be made to obtain a report, missing material, or cause corrective action to be implemented . If an agency or contractor fails to respond by sending in an acceptable report, the requested material or by taking action to correct a deficiency, formal procedures to withhold tax information will be initiated (see subsection 36.14).

    Note:

    In the case of an IRS contractor, procedures to terminate the contract will be initiated and coordinated with the COTR or the Contracting Officer (CO).

  5. If any agency or contractor fails to respond and is no longer receiving tax data, a written request will be made, to have the agency or contractor destroy any residual data or have it transferred back to the IRS.

  6. If a deficiency is minor, not causing immediate unauthorized inspections or disclosures or the potential of immediate unauthorized inspections or disclosures, then the report may be held in abeyance or accepted with the deficiencies noted. The circumstances must be documented, including corrective actions to be taken and scheduled follow-ups by the reviewer.

    Example:

    An agency or contractor may not have adequate disclosure awareness training for its employees. The agency or contractor agrees, but it may take a couple of months to develop a program and complete initial training. The report may be accepted or held in abeyance if this condition is documented, including planned follow-up action.

11.3.36.8.2  (12-31-2001)
Documentation

  1. The steps taken in reviewing reports and/or soliciting additional information from the agency or the contractor should be well documented. Notes, worksheets, communication contacts, memoranda, and other correspondence should be retained in the file to support decisions made as a result of the process.

11.3.36.8.3  (12-31-2001)
Response to Agency and Contractor

  1. If the evaluation of the reports and related materials does not indicate a need for an on-site review, then a letter should be sent to the agency or contractor acknowledging receipt and acceptance of the report. The letter should be signed by the appropriate supervisory level. The letter, however, should allow for the possibility of an on-site review, if subsequent information from other sources indicates a need for further investigation.

    Note:

    Letters regarding reports of authorized agents and contractors of agencies should be sent to the attention of the agency.

11.3.36.9  (05-06-2003)
Need and Use

  1. The IRS routinely discloses large amounts of tax information to state tax agencies, bodies and commissions for tax administration purposes under the statutory authority of IRC 6103(d)(1). (See IRM 11.3.32 for a discussion of Basic and Implementing Agreements.)

    Note:

    When referring to tax agencies throughout subsection 36.9, this also includes bodies and commissions.

  2. Whenever tax information is exchanged on a large scale, the probability of loss of confidentiality is increased. Limiting the quantity of tax data provided to the states to that which is genuinely needed and will be used for tax administration purposes, is a fundamental component of an effective safeguard program. Every effort will be made to eliminate disclosure of unnecessary information to state tax agencies.

  3. The objective of the need and use process is to reduce the likelihood of unauthorized disclosure or access, and is not meant to deny state tax agencies information needed for tax administration purposes.

  4. In recognition of the importance of the concept of limiting disclosures to the states, IRS Policy Statement P–1–35 states in part: "Tax information provided by the Service to State tax authorities will be restricted to the authorities’ justified needs and uses of such information."

  5. Disclosures to state and local agencies under IRC 4102 and IRC 6103(k)(5) are subject to need and use considerations even though the safeguarding provisions of IRC 6103(p)(4) do not apply.

11.3.36.9.1  (05-06-2003)
Need and Use Determinations

  1. All state tax agency requests for tax information are subject to a Need and Use Determination which is to be documented by the Disclosure Officer with oversight responsibilities for the agency.

  2. Need and Use Determinations are to be made at the time of request, prior to the actual exchanges(s), and should be a cooperative effort with the state tax agency to accurately determine the minimum amount or information required to accomplish the stated objective(s).

    Example:

    One of the available taxpayer transcripts may eliminate the need for a complete return.

  3. Disclosure Officers should ascertain and document the need for, and use of, the extracts requested by the state agency on the annual enrollment agreement to participate in the IRS Governmental Liaison Data Exchange Program. Please refer to IRM 11.3.32.4 for additional discussion regarding Need and Use Determinations.

  4. Specific requests for return information may be related to a state agency project or to a joint project with the IRS, and there may be a separate Memorandum of Understanding covering the project. The Disclosure Officer should ensure that a documented Need and Use Determination is part of the request file.

  5. Although a Need and Use Determination for a specific request may have been completed and documented, the agency may subsequently desire to use the information for a different tax administration purpose. If the subsequent use of the data is for bona fide tax administration purposes, and not in contravention of the Code, then applicable regulations, existing agency agreements, or Service policies, this would not usually be considered unauthorized use of the data so long as notification is given to the Disclosure Officer.

  6. State requests for data for tax modeling or revenue estimating purposes may require extensive analysis. The State must clearly demonstrate that the data requested is the minimum required, and that the data will not be used by any other agency or for any purpose other than tax administration. The reason for the model creation must be for a tax administration purpose. The Disclosure Officer should request a detailed Need and Use Statement from the State agency in order to make a proper determination. There is no standard format for this Statement, but the State should be advised to describe all the data requested, why it is needed, how it will be used, who will have access to it, and why the information cannot be obtained or derived from other sources. See Exhibit 11.3.32-6 for modelling guidelines.

  7. The Disclosure Officers will be responsible for maintaining complete and current documentation of the state tax agency’s need for and use of all Federal tax returns, return information and data elements which are provided to the agency on a continuing basis pursuant to the implementing agreement; refer to subsection 32.10.1.

  8. The Office of Governmental Liaison and Disclosure has developed project guidelines for use when developing joint projects with the States. Disclosure Officers should be consulted on these projects regarding any statutory (Privacy Act or IRC 6103) considerations of the proposed disclosures or exchanges.

  9. Need and Use Determinations should reflect the use of the tax data for tax administration purposes. The determination should not be contingent upon the cost-benefit analysis developed to make a business case for the project. However, projects that fall short of their initial objectives or expectations may indicate a need for a subsequent determination regarding the continuation of disclosures for the project.

11.3.36.9.2  (05-06-2003)
Need and Use Reviews

  1. A Need and Use Review should be considered as the verification or confirmation of the Need and Use determination made prior to the release of the requested tax information to the state agency.

  2. An on-site Need and Use Review of each state tax agency receiving tax return information will be conducted at least once each fiscal year by the liaison Disclosure Office.

  3. Disclosure Officers will establish an annual (fiscal year basis) review plan for the conduct of Need and Use Reviews to include all state tax agencies within their span of responsibility.

  4. GLD Area Managers will incorporate the review schedules of the Disclosure Offices into the area plan and advise the Headquarters Safeguards Office of the schedules. Each GLD Area Office will provide, as prescribed in the annual program letter or other Directorship guidance, periodic reports to the Headquarters Safeguards Office of the status of reviews scheduled.

  5. An evaluation of Need and Use is an element of all safeguard reviews of state tax agencies, and the Disclosure Officer should schedule the annual Need and Use review to coincide with a planned safeguard review.

  6. The annual on-site Need and Use Reviews are conducted in order to provide reasonable assurance that the state tax agency’s actual need for and use of Federal tax information:

    1. coincides with the anticipated usage described in the initial determination(s), and

    2. is consistent with statutes, regulations, existing agency agreements, and Service policies.

  7. The scope of the review should be broad enough to provide the reviewer with sufficient information to document a conclusion as to the agency’s need for and use of Federal tax information. The reviewer should not make any assumptions regarding the current status (or usefulness) of exchanges that have been routinely in effect for many years.

  8. Specific exchanges to be reviewed may vary from state to state, but the section on Information to be Exchanged on a Continuing Basis in the implementing agreement is a good starting point for planning the review.

  9. Although the need for and use of specific types of data may remain fairly constant, tolerances and other selection criteria can be useful "filters" to help reduce the volume of data disclosed. Revising the tolerances may more accurately reflect the agency’s actual need for and use of the data as well as reduce the volume of unnecessary disclosures.

  10. Other key areas to be reviewed would include (but are not limited to):

    1. routine exchanges;

    2. joint projects or other specific exchanges;

    3. MOUs;

    4. extracts (shown on the latest Governmental Liaison Data Exchange Program Enrollment Agreement form).

  11. Non-use of tax data does not necessarily constitute misuse. However, the objective of the program is to reduce or eliminate unnecessary disclosures of tax information. If the original Need and Use determination was valid, but the actual utilization has been postponed, the Disclosure Officer should evaluate whether there is a reasonable expectation that continued retention of the data will be of value to the state for tax administration within a reasonable and logical timeframe .

  12. Disclosure Officers must prepare a Need and Use Review Report promptly upon completion of the review. This report is to be furnished to the head of the state agency within 30 calendar days of completion of the on-site review. (If the Need and Use Review was conducted in conjunction with a scheduled safeguard review, the results will be included in the Safeguard Review Report and a separate report will not be required.) At a minimum, each report will:

    1. describe the scope of the review, with a description of the exchanges selected for review and the reasons for the selection;

    2. contain a summary of the findings;

    3. contain specific recommendations as applicable;

    4. establish a mutually agreeable implementation of, or follow-up to, the recommendations.

11.3.36.10  (05-06-2003)
On-Site Safeguard Reviews

  1. Agencies and their contractors receiving tax information for the first time must be reviewed within one year of initial receipt of tax information.

  2. Safeguard reviews are conducted on an as needed basis with a minimum requirement of once every three years. Evaluation of reports, as required by subsection 36.8, may determine whether more frequent reviews are necessary.

  3. The Director of the Headquarters Safeguards Office, GLD Area Managers, and Disclosure Officers will develop the annual review plans to ensure that all agencies within their sphere of responsibility are reviewed at least once every three years.

  4. These annual plans will be furnished to the Deputy Director, Office of Governmental Liaison and Disclosure upon request.

  5. The contents of SPRs and SARs are useful indicators of a need to conduct a review earlier than the regularly scheduled review. Often, however, a report does not present any irregularities or provide any indication as to the insufficiency of safeguards. In such cases, the reviewer needs to consider other factors in deciding whether or not to conduct an on-site review. These factors include:

    1. length of time since last on-site review;

    2. past history of problems;

    3. knowledge obtained during liaison visits;

    4. information reported from outside sources such as TIGTA and GAO;

    5. analysis of congressional records and news items having impact on agencies and contractors;

    6. significant changes in the nature or volume of disclosures to the agency;

    7. new administration within the agency;

    8. new location;

    9. major changes in the processing system;

    10. opening or relocation of a field office.

  6. In situations where the relationship between the agency, the contractor, and IRS is such that the IRS representative visits the agency and/or contractor regularly and is familiar with their safeguard procedures, observation of actual operations is not required at the time of the safeguard review. However, visits to the agency and contractors, safeguard observations and contacts involving safeguarding must be chronologically documented. The safeguard review report must include comments on all areas (see Exhibit 11.3. 36–3). If an area is not observed or fully examined during the on-site portion of a review, an explanation is required.

  7. Policy Statement P–1–35 states "Tax information provided by the Service to State tax authorities will be restricted to the authorities’ justified needs and uses of such information." An on-site Need and Use evaluation must be conducted as part of the safeguard review. See subsection 36.9 for a further discussion of Need and Use Reviews.

11.3.36.10.1  (05-06-2003)
Reviewer/Review Team Leader Responsibilities

  1. Once the determination has been made that an on-site review needs to be conducted, the reviewer will evaluate whether a team approach is to be used, and if so, which functions will participate. The number of support personnel will depend on the complexity of the review, the size of the agency and contractor, and the amount of tax information shared. Campus personnel and Governmental Liaisons should participate when appropriate.

    Note:

    The terms "reviewer" and "team leader" are used interchangeably in the following sections to denote the Disclosure function person actually responsible for the conduct of the review and the completion of the safeguard review report.

  2. IRS Disclosure personnel are not computer security experts. Information processing is a dynamic environment and as the technology continues to advance, so does the importance of having a high degree of up-to-date knowledge for review purposes. Accordingly, IRS computer security technical specialists and other data processing professionals should be made available to accompany Disclosure employees for the automated systems portion of the safeguard reviews and provide input to the review report.

  3. The reviewer or team leader is responsible for obtaining support from other functions and other offices. If support is desired from other Disclosure Offices or if needed support, such as a computer security analyst, is not available, the request for assistance will be coordinated through the GLD Area Manager(s) and/or appropriate functions. If necessary, GLD Area Managers may request assistance from HQS. When the HQS office requires field assistance, the team leader will coordinate the request through the GLD Area Manager(s).

  4. The team leader may contact TIGTA to notify them of an impending review. TIGTA may be able to provide pertinent information concerning the agency and/or contractor and the Service function furnishing the tax data.

  5. All personnel taking part in the actual on-site review should have an opportunity to participate in the planning process.

  6. The team leader will make final assignments to each team member. Each assignment must have clearly defined boundaries to prevent overlap and duplication of effort.

  7. The team leader will prepare the review plan and provide each team member with a copy of the plan as appropriate.

11.3.36.10.2  (05-06-2003)
Plannin