11.3.24  Disclosures to Contractors

11.3.24.1  (07-22-2008)
General

  1. This section provides instructions for assuring that Internal Revenue Service (IRS) contracts involving the inspection or disclosure of Federal tax returns and return information under IRC §6103(n), information covered by the Privacy Act of 1974 (Privacy Act), or documents classified as Sensitive But Unclassified (SBU) comply with all applicable laws, regulations and procedures.

  2. Initial contacts with contractors to engage their services and disclosures of tax information necessary in these circumstances are made pursuant to IRC §6103(k)(6) and are discussed in IRM 11.3.21, Investigative Disclosure.

  3. Whenever possible, business offices should structure procurement actions under the authority of IRC §6103(n) rather than under IRC §6103(k)(6). There are no re-disclosure restrictions under IRC §6103(k)(6), and safeguarding, accounting and penalty provisions are not applicable either.

11.3.24.2  (07-22-2008)
Authority

  1. IRC §6103(n) permits the Secretary of the Treasury, pursuant to regulations, to disclose returns and return information to any person, including persons described in IRC §7513(a), to the extent necessary in connection with procurement actions for tax administration purposes as defined in IRC §6103(b)(4), such as:

    • Equipment or other property or

    • Services relating to the processing, storage, transmission, and reproduction of returns and return information or

    • Services relating to the programming, maintenance, repair, testing of equipment or other property or

    • The providing of other services such as tow trucks, locksmiths, appraisers, court reporters and others

  2. Treasury Regulation 301.6103(n)-1 provides that the IRS and the Office of Chief Counsel may disclose returns and return information to contractors pursuant to IRC §6103(n).

    1. The regulation also places certain limitations on the disclosures; these are defined in Treasury Regulation 301.6103(n)-1(b).

  3. 5 U.S.C. 552a(b)(3), Routine Use, authorizes the disclosure of Privacy Act records provided the system of records notice includes appropriate language allowing contractors access to such information.

    1. "Disclosure pursuant to IRC §6103" or similar language provides Privacy Act authorization to disclose.

    2. System of Records Notices are posted on Disclosure's intranet website at: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Office/TechnicalResources/Privacy/SoR/4662.aspx.

  4. IRC §7513 authorizes the Secretary of Treasury to have any Federal agency or any person process films or other photo-impressions of any return, document, or other matter, and make reproductions from films or photo-impressions of any return, document or other matter. The Secretary shall prescribe regulations which shall provide such safeguards as in the opinion of the Secretary are necessary or appropriate to protect the film, photo-impressions, and reproductions made therefrom, against any unauthorized use, and to protect the information contained therein against any unauthorized disclosure.

11.3.24.3  (07-22-2008)
Requirements

  1. In accordance with Treasury Regulation 301.6103(n)-1(d), contractors, agents, and subcontractors receiving tax information from the IRS are required to inform their employees, in writing, of the criminal and civil penalty provisions of IRC §7213, IRC §7213A, and IRC §7431.

  2. Treasury Regulation 301.6103(n)-1(e) requires that safeguard provisions be included in procurement actions involving the disclosure of returns and return information under IRC §6103(n):

    1. Subcontractors and agents of the contractor are held to the same provisions and penalties as the primary contractor.

    2. Safeguards for the subcontractors and agents are to be included in their contracts verbatim as contained in the primary contract for work.

  3. Treasury Regulation 301.7513-1 establishes safeguard requirements for contractors who process and reproduce films or photo impressions.

  4. The Federal Acquisition Regulation (FAR), subpart 1.602-1(b), provides that no contract shall be entered into unless the contracting officer ensures that all requirements of law, executive orders, regulations, and all other applicable procedures, including clearances and approvals, have been met.

  5. Part 24 of the FAR implements the provisions of the Privacy Act. Contractors and their employees who contract for the design, development, operation, or maintenance of a system of records on individuals, on behalf of the IRS to accomplish an IRS function, are subject to the civil and criminal provisions of the Privacy Act.

    1. Pursuant to FAR, subpart 24.103(b)(1), the contracting officer will ensure that the contract work statement specifically identifies the system of records on individuals and the design, development, or operation work to be performed.

  6. Internal Revenue Service Acquisition Procedures (IRSAP) Manual, Part 1004.2, Administrative Matters (as developed by the IRS Agency-Wide Shared Services (AWSS), Office of Procurement Policy), provides instructions with respect to procedures to be followed where contractual procurement will be subject to the Privacy Act, the provisions of IRC §6103(n) or where access by a contractor to Sensitive But Unclassified material is contemplated.

11.3.24.4  (07-22-2008)
Contract Compliance Reviews

  1. This section provides instructions to Disclosure personnel who are conducting reviews of IRS procurement actions for equipment, supplies or services that involve the design, development or use of a system of records or the disclosure of sensitive but unclassified (SBU) data, which includes:

    1. Federal tax returns or return information

    2. Solely protected Privacy Act records/information and

    3. Sensitive but Unclassified Information (SBU).

11.3.24.4.1  (07-22-2008)
Responsibilities

  1. The Office of Disclosure will be responsible for reviewing the following documents that meet the criteria of IRM 11.3.24.2:

    1. Form 1334, Requisitions for Equipment, Supplies, or Services, electronic or paper

    2. Interagency Agreements

    3. Agreements for Reimbursable Purchase/Services; and

    4. Purchase/Delivery/Task/Service Orders against existing contracts, Blanket Purchase Agreements and GSA schedules.

  2. The Office of Disclosure (Headquarters) provides support for procurement actions issued by:

    1. Headquarters functions

    2. Martinsburg Computing Center

    3. Detroit Computing Center; or

    4. Where more than one Area is involved

  3. Field Disclosure Managers will establish procedures to review procurement actions in the Web Request Tracking System (webRTS) issued by local functions or by the functions in their respective servicing geographical areas which meet the criteria in IRM 11.3.24.4(1).

    1. The local Disclosure Manager will review contractual documents and requisitions that are for the Tennessee Computing Center.

  4. Disclosure personnel will no longer approve procurement actions in webRTS. Instead, they will conduct post award compliance reviews of procurement actions with disclosure or privacy implications.

    Note:

    Business operation units should not include the offices of Disclosure, Privacy, Safeguards and Information Technology in their webRTS approval paths, but should instead contact their respective Contracting Officer's Technical Representatives (COTRs) for requisition guidance when preparing requisitions.

  5. Area Managers monitor the review activities of subordinate Disclosure Offices and will coordinate compliance reviews with other areas or Headquarters, when necessary.

  6. Reviews of existing procurement actions may be included as a part of every functional quality review to ensure appropriate safeguard language and other necessary clauses relating to the disclosure of information are present where appropriate or to ensure the function is properly identifying those situations where tax information or Privacy Act information is being provided to contractors.

  7. IRS Personnel Security is responsible for conducting background investigation pre-screening checks and for initiating background investigations for contractors and their employees who have access to IRS controlled facilities or sensitive but unclassified information, or who are involved in the design, operation, repair, or maintenance of information systems. See IRM 10.23.2, Security, Privacy and Assurance, Personnel Security, Contractor Investigations.

  8. MITS Cybersecurity administers policy for conducting mandatory briefings for contractors as mandated by the Federal Information Security Management Act (FISMA). Procurement oversees compliance (see Office of Procurement Policy Memorandum 39.1).

11.3.24.4.2  (07-22-2008)
Review Instructions

  1. WebRTS has been enhanced to ensure that the appropriate IRSAP and FAR clauses are included in every procurement action involving the disclosure of sensitive but unclassified information.

  2. WebRTS users answer a series of questions, and the system then automatically inserts the appropriate clauses.

    1. Procurement actions involving the design, development or operation of a system of records as defined by the Privacy Act will contain the Privacy Act Notification and a clause entitled "PRIVACY ACT", which are at FAR 52.224-1 and FAR 52.224-2, respectively.

    2. Federal Acquisition Regulation 39.107 states that Federal Acquisition Regulation clause 52.239-1, Privacy or Security Safeguards or other similar language, is to be included in all procurement actions for information technology which require security of information technology, and/or are for the design, development, or operation of a system of records using commercial information technology services or support services.

    3. Procurement actions involving the disclosure of Federal tax returns or return information will contain a clause entitled "SAFEGUARDS" which will contain the terms outlined in Treasury Regulation 301.6103(n)-1(e). The IRSAP clause number is 1052.224-9000.

  3. In addition, webRTS includes a pop-up menu containing numbers and titles only; there is no information on the contents of the System of Records Notices (SORNs).

  4. Local business offices are encouraged to contact the local Disclosure office for assistance with system of records selection.

  5. For National Office procurement actions, business units should contact Disclosure in headquarters.

  6. Post Award Compliance Reviews will be conducted by Disclosure personnel to monitor adherence to these requirements.

  7. Instructions for researching awards are found on webRTS Training Course Module 5 Search Award. HQ Disclosure will provide reviewers with a listing of contract award numbers consisting of disclosure or privacy requisitions and those not identified as disclosure or privacy requisitions.

  8. Disclosure personnel will use the Post Award Compliance Check Sheet (see Exhibit 11.3.24-1) to record findings.

  9. Findings will be reported to Headquarters to be compiled in a report to the Bureau Chief Procurement Officer (BCPO) and to each affected business unit.

  10. All procurement actions for property or services which require or properly indicate disclosure to contractors of any Federal tax returns or return information, Privacy Act protected information, or other sensitive but unclassified (SBU) information, must contain the following as an attachment to the requisition:

    1. Statement, signed by the requesting activity management official, that the contractor will have access to information subject to disclosure limitations or include the official in the approval path on webRTS;

    2. A statement that the contract will or will not involve the design, development or operation of a system of records (Privacy Act); usually found by the function checking the appropriate box on the requisition that IRC §6103 and the Privacy Act either apply or don’t apply; and

    3. Documentation from the requesting management official that states why the disclosure of returns or return information is necessary if disclosures of tax information, sensitive but unclassified information or Privacy Act information are required.

      1. This documentation must demonstrate that the procurement cannot be reasonably, properly or economically carried out without such disclosure

        Note:

        See Treasury Regulation 301.6103(n)-1(b).

11.3.24.4.3  (07-22-2008)
Coordination

  1. If an IRS function believes that safeguards may have been compromised, the Contracting Officer's Technical Representative (COTR) should request that security personnel inspect the contractor’s facility.

    1. The IRS function responsible for the contract should brief AWSS Physical Security and MITS Cybersecurity of specific concerns that need to be addressed.

    2. All unauthorized willful disclosures should be reported to TIGTA.

  2. Based upon a review of the written findings and any discussions with them as well as other management officials involved in the contract activity, the contracting officer and the COTR will determine whether to continue disclosures to the contractor.

    1. Recommendations will be made to discontinue the contract when evidence is developed that the contractor has failed to satisfy the safeguard or privacy provisions of the contract and immediate remedial action cannot be taken by the contractor. Disclosure will make recommendations to procurement to terminate the contract.

  3. Disclosure personnel at all levels should maintain close coordination with Operating Divisions and functions that plan, design and use the services of contractors and provide guidance to them concerning disclosure, Privacy Act, and other issues that may arise related to dealing with contractors.

  4. To assure that the contractors are adhering to contractual safeguards, AWSS Physical Security and MITS Cybersecurity functions will be responsible for periodic safeguard reviews of contractors.

  5. Procurement will include the minimum mandatory System Security Requirements that are to be required of the contractor's (and any subcontractor's) facility, as determined by the IRS management official(s) responsible for the security of that information system/application (IRM 10.8.1.3.3.1) in solicitation documents.

    1. Contractors must address, in their proposal submission, how they intend to meet the minimum mandatory requirements, including the security of SBU information systems.

    2. An evaluation panel will review the information submitted to determine if the contractor complies with the mandatory minimum standards.

  6. After award, the IRS will conduct reviews to ensure the contractor has implemented security requirements as proposed, and in accordance with contract requirements. If a contractor is unable to meet IRS standards at any time during the contract, the contracting officer, together with the COTR, will decide whether to terminate the contract and recover all returns, return information, and IRS records, inclusive of SBU.

    1. Similarly, after meeting with MITS Cybersecurity and Contracting representatives to discuss findings of a security review, if the contractor is unwilling to meet IRS standards, the contracting officer, together with the COTR, will decide whether to terminate the contract and recover the records.

  7. IRS functions that initiated procurement actions that involve the disclosure of Federal tax returns, return information, employee personnel information, and any SBU data/records that have been provided to a contractor, should be notified in writing if the IRS terminates the contract for failure to meet contract provisions. Under these circumstances, the IRS may terminate a contract for default once they have satisfied the conditions outlined in FAR Part 49.4. If default circumstances are not in the best interests of the IRS, Procurement may pursue and negotiate a termination for the convenience of the Government as outlined in FAR Parts 49.1, 49.2, and 49.3.

    1. In the event an award is terminated, Disclosure personnel will monitor recovery operations and, upon request, assist the contracting officer and the COTR to ensure unauthorized disclosures are avoided. Full recovery of Federal tax returns, return information, employee personnel information, and SBU data/records must include any duplications or transcribing onto magnetic or computer media and spoilage.

11.3.24.5  (07-22-2008)
Disclosure of Returns and Return Information to Vendors

  1. To enable vendors to fully evaluate the parameters of the work involved when invited to submit a quote, proposal, or bid for a specific requirement, it may become necessary to provide them access to Federal tax returns, return information, or other SBU data at the solicitation phase of an acquisition.

  2. In such cases, the written solicitation must conform to the requirements of the IRSAP. It must incorporate the Safeguard provisions, the Privacy Act clauses, if applicable, and conform generally with the provisions of IRM 11.3.24.4.2. AWSS Physical Security and MITS Cybersecurity functions, as appropriate, must determine whether a pre-award on-site security inspection needs to be performed.

  3. IRS COTRs will ensure full recovery of all SBU data immediately upon completion of its necessitated use during the solicitation stage. Care should be exercised to limit the length of time the bidder(s) may use the SBU data.

11.3.24.5.1  (07-22-2008)
Disclosure of Returns and Return Information to Students/Trainees

  1. The IRS occasionally hires trainees through participation in certain work programs. Some of the students/trainees are of the "direct-hire" type while others are of the "hosting" type.

  2. "Direct-hire" trainees are employed and paid by the IRS and their right of access to returns or return information, when required as part of their duties, is the same as for other IRS employees. See IRC §6103(h)(1).

  3. "Hosting" trainees are hired and paid by non-Treasury Department organizations and assigned by these organizations to the IRS for training. They may not be given access to tax returns or return information or information governed by the Privacy Act.

    Note:

    If these trainees qualify as "students" under IRM 11.3.24.5.2(4), those rules will govern.

  4. Uncompensated student volunteers have been deemed by statute (5 U.S.C. 3111) to be Treasury and/or IRS employees for purposes of both the Privacy Act and IRC §6103. As such, disclosures are permissible. However, the student must meet the following criteria.

    • Qualify as a Student - A student is defined as "an individual who is enrolled, not less than half-time, in a high school, trade school, technical or vocational institute, junior college, college, university, or comparable recognized educational institution." Individuals from high schools or above who participate in a formal program with the IRS as part of their curriculum are considered student volunteers. To qualify, they must obtain the permission of the institution where they are enrolled as part of a program to provide educational experiences for students. They must be "uncompensated" and may not be used to displace any employee. Counsel has clarified the definition of uncompensated. Student volunteers compensated by other than Federal funds are considered uncompensated for 5 U.S.C. Section 3111 purposes.

      Note:

      Volunteers from other organizations such as American Association of Retired People (AARP) or welfare to work programs do not qualify for access to IRC §6103 or Privacy Act data.

11.3.24.5.2  (07-22-2008)
Disclosure of Returns and Return Information to Assistors of Disabled Employees

  1. The IRS hires a considerable number of disabled employees. To effectively use the skills of these individuals it is often necessary that they be assisted by non-IRS personnel. Several Federal, state and local agencies provide assistors at no cost to the IRS.

  2. Under 5 U.S.C. 3102(b), these assistors can be "hired" by IRS and are permitted to have access to returns or return information, under IRC §6103(h)(1), subject to its requirements, even if they are uncompensated by IRS.

11.3.24.5.3  (07-22-2008)
Disclosure of Return Information to Title Search Companies

  1. The IRS procures the vast majority of title searches by use of contracts or purchase orders pursuant to IRC §6103(n).

  2. When low volume, rare, exigent circumstances exist, purchase cards may be used, rather than contracts or purchase orders, to procure title searches. The disclosures will be pursuant to IRC §6103(k)(6), investigative disclosures, and the IRS business office/unit must:

    1. Incur very few needs for title searches on a monthly basis

    2. Demonstrate that vigorous, real effort has been made to procure a contract for title searches and

    3. Thoroughly document that no company contacted is willing (obtain written refusal where possible) to enter such a contract

    Note:

    Every effort should be made to locate a vendor (or vendors) who will enter into a contractual agreement (purchase order) to provide title searches upon request, for a specified geographical area.

11.3.24.5.4  (07-22-2008)
Appraisers, Court Reporter and Interpreter Services

  1. Procurement actions involving the use of appraisers, court reporters, interpreters and others may require the selection of a System of Records Notice (SORN) on webRTS.

  2. Disclosure assistance may be required until the business units become familiar with SORN selection on webRTS. Local business offices should contact the local Disclosure office for assistance with determining the correct SORN. For HQ procurement actions, contact Disclosure HQ.

  3. It is important that the system of records notice routine use contains the appropriate language to permit disclosing Privacy Act records to a contractor. See IRM 11.3.24.2(3).

11.3.24.5.5  (07-22-2008)
Contracts Involving Disclosure of "Sensitive But Unclassified Information" (SBU) or formerly Official Use Only Documents

  1. Sensitive but unclassified information documents may be disclosed to contractors when it is determined that such access is necessary to properly perform assigned tasks.

  2. This type of material is not protected by either the Privacy Act or the statutes governing release of returns and return information.

  3. SBU documents are the property of the IRS, and are construed to be "a thing of value" protected by statute (18 U.S.C. 641, as modified by 18 U.S.C. 3571).

  4. Access to SBU documents will not be routinely granted to contractors. Each case must be decided on its own merit, with the needs of the IRS being the foremost consideration.

  5. When access to this material is necessary in order for the contractor to perform the work on behalf of the IRS, the following paragraphs, modified as deemed appropriate to meet case needs, should be included in the contractual agreement:

    1. "SAFEGUARDS"

      • Any Treasury Department information made available, which is marked "Sensitive but Unclassified" information, shall be used only for the purpose of carrying out the provisions of this contract, and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the contract

    2. "CRIMINAL/CIVIL SANCTIONS"

      • Each officer or employee of the contractor or subcontractor at any tier to whom "Sensitive but Unclassified" information may be made available or disclosed shall be notified in writing by the contractor that "Sensitive But Unclassified" information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such "Sensitive But Unclassified" information, by any means, for a purpose or to an extent unauthorized herein, may subject the offender to criminal sanctions imposed by 18 U.S.C. Sections 641 and 3571. 18 U.S.C. Section 641 provides, in pertinent part, that whoever knowingly converts to his use or the use of another, or without authority, sells, conveys, or disposes of any record of the United States or whoever receives the same with the intent to convert it to his use or gain, knowing it to have been converted, shall be guilty of a crime punishable by fine or imprisoned up to ten years or both

        Note:

        As of this writing, Procurement is in the process of revising all IRSAP clauses to reflect the term SBU.

11.3.24.5.6  (07-22-2008)
Destruction of Returns and Return Information

  1. Contracts for the destruction of tax information fall within the scope of IRC §6103(n).

    1. A contractual agreement, in compliance with IRC §6103(n), is required if tax information to be destroyed does not remain in sealed containers or is not otherwise protected from view by the contractor during the destruction process.

  2. IRSAP clauses should be included when procuring services for the destruction of sensitive but unclassified information:

    1. IRSAP 1052.224-9000(d) - DISCLOSURE OF "OFFICIAL USE ONLY" INFORMATION SAFEGUARDS

    2. IRSAP 1052.224-9001(b) - DISCLOSURE OF INFORMATION - OFFICIAL USE ONLY

    3. IRSAP 1052.224-9002 - DISCLOSURE OF INFORMATION - INSPECTION

11.3.24.6  (07-22-2008)
Glossary

  1. Procurement Actions - Solicitations, contract awards, purchase orders, task orders, delivery orders, modifications, interagency agreements, blanket purchase agreements (BPAs), and simplified acquisitions.

  2. Post Award Compliance Reviews - Conducted by Disclosure personnel to ensure that the appropriate language has been inserted into procurement actions involving the disclosure of SBU data and that other Disclosure requirements for contracts are met.

  3. Routine Use - The disclosure of a record for a purpose which is compatible with the purpose for which it was collected.

  4. Sensitive But Unclassified Information (SBU) - Any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under Section 552a of Title 5, United States Code (USC) (the Privacy Act) but which has not been specifically authorized under criteria established by an executive order or an act of Congress to be kept secret in the interest of national defense or foreign policy.

  5. System of Records (SOR) - A group of any records under the control of the Department (IRS) from which information is retrieved by the name of an individual, or by some other identifying number, symbol or particular assigned to an individual.

Exhibit 11.3.24-1  (07-22-2008)
Disclosure Quality Review Check Sheet for Post-Award Contracts

Disclosure Office:

Area Manager:

Disclosure Manager:

Reviewer:

Date(s):

Check sheet columns and the entries available under each (one row per award, rows 1 through 14):

    • Award Number(s)

    • Contracting Officer Discretion (COD) or Correct/Resolve (C/R): COD, C/R

    • Statement of Work Attached With Required information?: Y, N

    • Disclosure of SBU Data to a Contractor: Y, N

    • Correct Privacy System of Records Identified: Y, N, N/A

    • Privacy Act SOR Routine Use Identified: Y, N, N/A

    • Applicable Clauses Inserted (This indicates the level of understanding questions 2-14): Y/2-14, N, N/A

General Comments:

EDIMS Case Number:

Time Applied:
