11.3.39 Computer Matching and Privacy Protection Act

Manual Transmittal

July 19, 2019

Purpose

(1) This transmits revised IRM 11.3.39, Disclosure of Official Information, Computer Matching and Privacy Protection Act.

Material Changes

(1) Editorial changes have been made throughout this entire section to conform to the new internal and management control standards and to support research in electronic media. Substantive changes have been made to each subsection to address appropriate reference material, organizational terms, titles, and clarify existing procedures according to current policies and procedures.

(2) Web references were added/updated throughout to support research in electronic media.

(3) IRM 11.3.39.1 – Revised title from “Background” to “Program, Scope and Objectives” and content to reflect internal control attributes to appropriately identify purpose, scope, audience, policy owner and program owner.

(4) IRM 11.3.39.1.1 through 11.3.39.1.4 – Added subsections to align content for background, authority, related resources and responsibilities.

(5) IRM 11.3.39.1.1 – New subsection titled “Background”.

(6) IRM 11.3.39.1.2 – New subsection titled “Authority”.

(7) IRM 11.3.39.1.3 – New subsection titled “Related Resources”.

(8) IRM 11.3.39.1.4 – New subsection titled “Responsibilities”.

(9) IRM 11.3.39.2 – Revised title from “Purpose” to “Acronyms” and content to address acronyms used throughout this section.

(10) IRM 11.3.39.3 – Revised title from “Responsibilities” to “Definitions” and content originally found IRM 11.3.39.5 to align and define terminology used throughout this section. OMB Circular A-108 modified terminology for computer matching agreements from “new” to “establishment,” from “extension” to “renewal’, from “renewal” to “re-establishment” and from “revision” to ‘modification.”

(11) IRM 11.3.39.4 – Revised title from “Scope” to “Categories of Subjects Covered by CMPPA” and content previously addressed in IRM 11.3.39.6.

(12) IRM 11.3.39.5 – Revised title from “Definitions” to “Matching Programs Covered by CMPPA” and aligned content previously addressed in IRM 11.3.39.7.

(13) IRM 11.3.39.5.1 – Added subsection titled “Exempt Matching Programs” and revised and aligned content previously addressed in IRM 11.3.39.7.1.

(14) IRM 11.3.39.6 – Revised title from “Categories of Subjects Covered by CMA” to “Requirements for Covered Matching Programs” and revised and aligned content previously addressed in IRM 11.3.39.8.

(15) IRM 11.3.39.6.1 – Added subsection titled “Written Agreements” and revised and aligned content previously addressed in IRM 11.3.39.8.1. Removed reference to Exhibit 11.3.39-1. Revised language to clarify actions required by OMB Circular A-108.

(16) IRM 11.3.39.6.2 – Added subsection titled “Matching Program Notice and Reporting Requirements” and revised and aligned content previously addressed in IRM 11.3.39.8.2. Revised language to support OMB Circular A-108 requirements regarding time frames for reporting matching programs to OMB and Congress and Federal Register Notice publication.

(17) IRM 11.3.39.6.3 – Added subsection titled “Notice to Records Subjects” and revised and aligned content previously addressed in IRM 11.3.39.8.3. Removed reference to TIGTA preparing the Federal Register Notice for matches it conducts involving IRS employees. The Inspector General Empowerment Act of 2016 includes an exemption for the Inspector General (IG) to the Computer Matching and Privacy Protection Act of 1988 (CMPPA). This exemption excuses Inspector Generals from obtaining formal matching agreements before matching data with other agencies and entities to identify fraud and waste.

(18) IRM 11.3.39.7 – Revised title from “Matching Programs Covered by CMA” to “Annual Matching Activity Review and Report” and added content to support annual reporting actions as required by OMB Circular A-108.

(19) IRM 11.3.39.7.1 – Removed subsection.

(20) IRM 11.3.39.8 – Revised title from “Requirements for Covered Computer Matching Programs” to “Existing Matching Programs”, updated current matching programs and revised and aligned content previously addressed in IRM 11.3.39.10.

(21) IRM 11.3.39.8.1 through IRM 11.3.39.10 – Removed subsections due to content alignment as previously referenced.

(22) Exhibit 11.3.39-1, 11.3.39-2 and 11.3.39-3 – Deleted exhibits; sample agreements can be obtained through Data Services via e-mail to GLDS.CMPPA@irs.gov.

Effect on Other Documents

IRM 11.3.39 dated September 17, 2013 is superseded.

Audience

All Operating Divisions and Functions.

Effective Date

(07-19-2019)

Related Resources

The Disclosure and Privacy Knowledge Base can be found at:
https://portal.ds.irsnet.gov/sites/vl003/pages/default.aspx


Phyllis T. Grimes
Director, Governmental Liaison, Disclosure and Safeguards

Program Scope and Objectives

  1. Purpose: This IRM section provides an overview of and provisional guidelines for Public Law (PL) 100-503, The Computer Matching and Privacy Protection Act of 1988; hereafter referred to as CMPPA. The CMPPA amended the Privacy Act of 1974 (5 U.S.C. §552a) and adds certain protections for the subjects of Privacy Act records whose records are used in automated matching programs. These protections have been mandated to ensure:

    • Procedural uniformity in carrying out matching programs

    • Due process for subjects in order to protect their rights

    • Oversight of matching programs through the establishment of Data Integrity Boards at each agency engaging in matching to monitor the agency’s matching activity

  2. Scope: The CMPPA is codified as part of the Privacy Act (5 U.S.C. §552a) and:

    • Applies primarily to all federal agencies subject to the Privacy Act;

    • Brings non-federal agencies within the ambit of the Privacy Act when they are engaging in certain types of matching activities in conjunction with a federal agency that is subject to the Privacy Act; and a federal system of records is involved in the match;

    • Applies to a broad range of federal agency computer matching activities when the objective may affect an individual’s rights, benefits and/or privileges; and

    • Is not intended to prevent the match of any computerized data for which there exists legal authority and which is deemed the most appropriate method of achieving a desired objective; administrative controls are established to ensure privacy, integrity and verification of data disclosed for computer matching programs.

      Note:

      The CMPPA does not extend Privacy Act coverage to those not originally included.

  3. Audience: This IRM provides procedures applicable to all IRS Operating Divisions and Functions.

  4. Policy Owner: Data Services, under Office of Governmental Liaison, Disclosure and Safeguards (GLDS), is responsible for administering CMPPA guidelines.

  5. Program Owner: Office of GLDS, under Privacy, Governmental Liaison and Disclosure (PGLD), is responsible for oversight of CMPPA guidelines.

Background

  1. One of the forces driving the Privacy Act of 1974 into existence was congressional concern about the governments' use of computers in which to keep records about individuals. The Act's preamble points out the possibility of automated recordkeeping greatly magnifying the potential harm to record subjects.

  2. Due to the steady automation of government programs, automated records play a significant and pervasive role in federal recordkeeping. The CMPPA is the first amendment to the Privacy Act to address the concern of automated records impacting individual privacy by establishing protections, including public and individual notice, when information an individual provides to one government agency is matched with records from another agency for a different purpose.

Authority

  1. The following statutes contain laws that relate to or impact the CMPPA:

    • Privacy Act of 1974 (5 U.S.C. §552a), as amended by the Computer Matching and Privacy Protection Act of 1988 (PL 100-503)

    • 26 U.S.C. §6103, commonly referred to as Internal Revenue Code (IRC) §6103, is the primary law governing the authority for disclosure of Federal Tax Information (FTI).

    • The Freedom of Information Act (5 U.S.C. §552)

    • Paperwork Reduction Act of 1995

    • Federal Information Security Modernization Act of 2014

Related Resources

  1. IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD)

  2. IRM 1.2.49, Delegation Order 11-2

  3. IRM 1.10.1, Office of the Commissioner of Internal Revenue, Correspondence Manual

  4. IRM 11.3.14, Disclosure of Information, Privacy Act General Provisions

  5. Computer Matching Programs: https://home.treasury.gov/footer/privacy-act/computer-matching-programs.

  6. National Archives and Records Administration (NARA), IRS Records Control Schedules (RCS): https://www.archives.gov/records-mgmt/rcs/schedules/index.html.

  7. Office of Management and Budget (OMB) Circular No. A-108, Federal Agency Responsibilities for Review, Reporting and Publication under the Privacy Act: https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdfPDF

    Note:

    OMB Circular No. A-108 supplements and clarifies OMB Circular No. A-130, Managing Information as a Strategic Resource.

  8. Privacy Act Directives: https://home.treasury.gov/footer/privacy-act/privacy-directives

  9. Privacy Act Reports: https://home.treasury.gov/footer/privacy-act/privacy-reports

  10. The Privacy Act Handbook: https://www.treasury.gov/privacy/Pages/handbook.aspx

  11. System of Records Notices (SORNs): https://home.treasury.gov/footer/privacy-act/system-of-records-notices-sorns

Responsibilities

  1. Before September 30, 1997, computer matching programs (inter- and intra-agency) subject to the CMPPA were programs administered by Governmental Liaison and Disclosure.

  2. The Chief Privacy Officer (CPO) is responsible for representing the IRS as a member of the Treasury Data Integrity Board (DIB) and is the executive director responsible for the IRS Privacy Program, including statutory oversight of IRS security and confidentiality requirements for federal and state agencies receiving Federal Tax Return and Return Information, collectively referred to as Federal Tax Information (FTI).

    Please see IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD), for additional information regarding functional statements and management controls.

  3. The Office of Privacy Policy and Compliance (PPC) is responsible for Privacy Act oversight, ensuring the IRS implements sound policies designed to protect the identity and privacy of employees and taxpayers.

  4. The Office of Governmental Liaison, Disclosure and Safeguards (GLDS) is responsible for overseeing the computer matching provisions of the CMPPA, ensuring FTI is appropriately disclosed and ensuring FTI provided to federal, state and local agencies remains confidential. Through its functions, GLDS provides administration, guidance, support and technical assistance to the IRS Business and Functional Operating Division (BOD/FOD), as owner of the records, in the development of computer matching programs, agreements, notices and reports.

    1. Data Services is responsible for administering IRS matching programs covered by the CMPPA and will coordinate all activities associated with initiating and continuing matching programs subject to the CMPPA provisions within the IRS, including matches that involve internal records (personnel) that are subject to the CMPPA.

    2. Governmental Liaison is responsible for facilitating the exchange of data and fostering partnerships with Federal, state and local government agencies to improve tax administration, in accordance with IRM 1.2.19.1.13, Policy Statement 11-98 (Formerly P-6-14).

    3. Disclosure is responsible for providing guidance and technical assistance in determining if matching programs are subject to the computer matching provisions, and if so, provide guidance in the technical review of required documents, notices and reports.

    4. Safeguards is responsible for ensuring that agencies and their contractors, who have access to FTI from the IRS maintain adequate safeguards for the protection of such information.

  5. The Business and Functional Operating Division (BOD/FOD), as owner of the records, is responsible for contacting Data Services, via e-mail atGLDS.CMPPA@irs.gov, to coordinate and prepare notices and reports required and appropriate for CMPPA matching program participation. Coordination will include, but is not limited to:

    • Drafting the Computer Matching Agreement (CMA) language;

    • Obtaining the necessary reviews and approvals;

    • Ensuring each agency obtains approval from its respective Data Integrity Board (DIB) for matching agreements at the Federal level;

    • Reviewing existing and proposed matching programs periodically to determine if they are subject to and in compliance with the CMPPA; and

    • Completing the requirements for covered matching programs as cited in 5 U.S.C. §552a(o), (p) and (r).

  6. With the increase in the number of record systems being developed locally, and the IRS's move toward more cooperative activities with state and local agencies, the potential has increased that matches with non-federal agencies at the area and territory levels may also be subject to the CMPPA provisions. It is incumbent on Field Disclosure personnel to become familiar with the provisions of the CMPPA so they can advise and assist with achieving compliance with the CMPPA when a covered match is identified.

Acronyms

  1. Acronym Definition
    ACA Affordable Care Act
    BOD/FOD Business and Functional Operating Division
    CMA Computer Matching Agreement
    CMPPA Computer Matching and Privacy Protection Act of 1988
    CPO Chief Privacy Officer
    DIB Data Integrity Board
    DIFSLA Disclosure of Information to Federal, State and Local Agencies
    FISMA Federal Information Security Management Act
    FTI Federal Tax Information
    GLDS Governmental Liaison, Disclosure and Safeguards
    IG Inspector General
    IRC Internal Revenue Code
    IT Information Technology
    NARA National Archives and Records Administration
    OMB Office of Management and Budget
    PGLD Privacy, Governmental Liaison and Disclosure
    PL Public Law
    PPC Privacy Policy and Compliance
    RCS Records Control Schedule
    SORN System of Records Notice
    TAR Taxpayer Address Request
    TIGTA Treasury Inspector General for Tax Administration
    U.S.C. United States Code

Definitions

  1. Computer Matching Agreement - written agreement between the source agency and the recipient agency (or non-federal agency) specifying the terms for parties engaging in a matching program. There are four types of CMAs: Establishment, Renewal, Re-establishment, and Modification.

    Note:

    OMB Circular A-108PDF, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act (December 23, 2016), modified the terminology for CMAs in OMB Circular A-130PDF, Managing Information as a Strategic Resource (July 28, 2016), from “new” to “establishment,” from “extension” to “renewal”, from “renewal” to “re-establishment” and from “revision” to “modification.”

    1. Establishment CMA -

      • Executed when an agency initially participates in a computer matching program; the computer matching program may have been in existence prior to the CMPPA.

      • Requires approval by each federal agency’s Data Integrity Board (DIB) and requires development of a cost/benefit analysis.

      • OMB and Congress must be notified of the CMA according to the requirements outlined in OMB Circular A-108PDF.

      • Publication of the matching notice in the Federal Register is required at least 30 days prior to the effective date of the Establishment CMA.

      • Expires at 18 months but may be renewed for an additional 12 months.

    2. Renewal CMA -

      • Executed within 3 months prior to the expiration of the existing CMA (Establishment or Re-establishment); each party to the CMA must certify to their respective DIB, in writing, that the matching program has been conducted in compliance with the existing CMA and will be conducted without change for not more than 12 months.

      • DIB Chairperson can approve without a DIB vote if no changes have been made to the existing CMA.

      • OMB and Congress notification is not required.

      • Publication of the matching notice in the Federal Register is not required.

      • Expires at 12 months and cannot be renewed.

    3. Re-establishment CMA -

      • Executed when an agency re-establishes a matching program upon the expiration of a CMA, including the expiration of a 12-month renewal.

      • Requires approval by DIB and requires development of a cost/benefit analysis.

      • OMB and Congress must be notified of the CMA according to the requirements outlined in OMB Circular A-108PDF.

      • Publication of the matching notice in the Federal Register is required at least 30 days prior to the effective date of the Re-establishment CMA.

      • Expires at 18 months but may be renewed for an additional 12 months.

    4. Modification CMA -

      • Executed when an agency makes significant modifications to the existing CMA, prior to its expiration.

      • Requires approval by the DIB and requires development of a cost/benefit analysis.

      • Publication of the matching notice in the Federal Register is required at least 30 days prior to the effective date of the Modified CMA.

      • Expires at 18 months but may be renewed for an additional 12 months.

  2. Cost/Benefit Analysis - the CMPPA requires a cost/benefit analysis be part of an agency’s decision to conduct or participate in a matching program. It must be included in matching agreements as justification of the proposed matching program and include a "specific estimate of any savings." The analysis is also used by the DIB in review process. Statutorily mandated matches do not have to reflect a positive cost benefit in order to be approved by the DIB.

  3. Data Integrity Board (DIB) - is established at the departmental level, consists of senior agency officials and is responsible for review and approval (or disapproval) of matching agreements and proposed matching programs.

  4. Matching program - is the computerized comparison of two or more automated systems of records, or of a system of records with non-federal records. The records must exist in automated form or be converted to automated form to perform the match. A single matching program may involve several matches among a number of participants.

  5. Non-Federal agency - is a state or local governmental agency that receives records contained in a system of records from a federal agency.

  6. Recipient agency - is the federal agency (or its contractor) that receives records from a Privacy Act system of records of another federal agency or from state and/or local government to be used in a matching program.

  7. Source agency - is the federal agency that discloses records from a system of records to another federal agency or to a state or local governmental agency to be used in a matching program. It can also be a non-federal agency that discloses records to a federal agency to be used in a matching program.

Categories of Subjects Covered by CMPPA

  1. Federal benefit program applicants (individuals initially applying for benefits).

    Note:

    The Congress intends that federal employees be treated as beneficiaries of a federal benefit program because of their employment by the government.

  2. Federal benefit program beneficiaries (individuals who actually receive benefits).

  3. Providers of services to assistance programs (those who are not the primary beneficiaries of federal benefits programs, but may derive income from them, e.g., health care providers).

  4. Federal employees in danger of adverse and/or disciplinary action.

Matching Programs Covered by CMPPA

  1. Only Federal benefit programs (including programs administered by states on behalf of the federal government) providing cash or in-kind assistance to individuals are covered.

  2. The purpose of the match must include one or more of the following:

    • Establishing or verifying initial or continuing eligibility for federal benefit programs.

    • Verifying compliance with the requirements, either statutory or regulatory, of federal benefit programs.

    • Recouping payments or delinquent debts under federal benefit programs.

  3. The federal benefit program or federal system of records need not be the sole source of data for a matching program to be covered by the CMPPA provisions.

  4. Federal personnel or payroll record matches conducted for the purpose of, or with an intended consequence of, taking adverse financial, personnel, or disciplinary or other adverse action against federal personnel or any individual, are subject to the CMPPA. This is the case even though these matches often take place within a single agency.

  5. Programs using records about subjects who are not individuals as defined by 5 U.S.C. §552a(a)(2) are not covered.

  6. The four elements must all be present before a matching program is covered under the provisions of the CMPPA. The provisions are:

    • Computerized comparison

    • Categories of subjects

    • Federal benefit program

    • Matching purpose

Exempt Matching Programs

  1. Certain matching programs are exempt from the requirements of the CMPPA. For disclosure purposes, the most pertinent exemptions are those which exclude matches done for the purposes of:

    • Tax refund offset

    • Tax administration

    • IRC §6103(d)

  2. Although the CMPPA exempts matches performed for tax administration purposes, OMB final guidance on implementing the provisions of the CMPPA expressly states that matches for management of the IRS workforce are not included in the Act’s exemption of matching program requirements for tax administration purposes.

  3. The CMPPA does not exclude matches conducted by an agency using only records from systems of records maintained by that agency; if the purpose of the match is not to take any adverse financial, personnel, disciplinary, or other adverse action against Federal personnel.

    Note:

    This means that matches only using IRS Privacy Act systems of records that may result in adverse action against the IRS workforce are not exempt from the Act’s matching requirements.

  4. Matches involving Federal employees conducted by Treasury Inspector General for Tax Administration (TIGTA) are exempt from the CMPPA under the Inspector General Act of 1978, as amended by the Inspector General Empowerment Act of 2016 (P.L. 114-317).

  5. See 5 U.S.C. §552a(a)(8)(B) for the complete list of exempt matches.

Requirements for Covered Computer Matching Programs

  1. Prior to implementing a covered matching program, the BOD/FOD must coordinate with Data Services to:

    • Develop, negotiate, execute and obtain approval of a written agreement, prepared in conformance with 5 USC §552a(o), and with the other agency or other IRS function.

    • Partner with IRS Information Technology (IT) management and staffs to determine system, programming and scheduling requirements.

    • Provide notice of the matching program to record subjects.

    • Prepare a report to Congress on the new matching program.

    • Prepare any Federal Register notice and report required (unless prepared by the recipient agency).

    Caution:

    Matching programs involving an IRS system of records must have a published routine use covering the matching activity.

Written Agreements

  1. Pursuant to 5 U.S.C. § 552a(o), no record which is contained in a system of records may be disclosed for use in a computer matching program except pursuant to a CMA between the agencies.

  2. IRS frequently conducts the same matching program for several different agencies; the match for each agency is considered a single matching program, thus requiring a CMA with each agency.

  3. The type of CMA shall be determined in accordance with OMB Circular A-108PDF and identified in IRM 11.3.39.3.

    1. Establishment

    2. Renewal

    3. Re-establishment

    4. Modification

  4. Data Services will coordinate with the BOD/FOD to appropriately draft and negotiate the CMA language with the other agency or other IRS function. According to the CMPPA, the CMA must specify the following:

    1. Purpose and legal authority for conducting the program.

    2. Justification for the program and anticipated results, including a specific estimate of any savings.

    3. Description of the records that will be matched, including each data element that will be used, the approximate number of records that will be matched, and the projected starting and completion dates of the matching program.

    4. Procedures for providing individualized notice to applicants for and recipients of financial assistance or payments under federal benefits programs and applicants for and holders of positions as federal personnel at the time of the application, and notice periodically thereafter.

    5. Procedures for verifying information produced in the matching program.

    6. Procedures for the retention and timely destruction of identifiable records created by a recipient agency or non-federal agency in the matching program.

      Note:

      Each agency shall provide a detailed description of their record retention time frames. Refer to Document 12990, IRS Records Control Schedules (RCS), Schedule 8, Administrative and Organizational Records, Item 52, Requests for Return and Return Information Files (NARA RCS Job No. N1-058-05-002, Division of Governmental Liaison and Disclosure Records Item 52). Although many of the records covered by Schedule 8 are created and maintained by the Office of the Commissioner of the Internal Revenue Service, and specified current and predecessor offices, this Schedule is intended to be functional in nature and can be used by other IRS functions.

    7. Procedures for ensuring the administrative, technical and physical security of the records matched and the results of the program.

    8. Prohibitions on duplication and redisclosure of records provided by the source agency within or outside the recipient agency or the non-federal agency, except where required by law or essential to the conduct of the matching program.

    9. Information on assessments that have been made on the accuracy of the records that will be used in such a matching program.

    10. The Comptroller General may have access to all records of a recipient agency or a non-federal agency that the Comptroller General deems necessary in order to monitor or verify compliance with the agreement.

  5. After each party to the CMA concurs with the agreement language, the final draft will be signed by the responsible official for each agency, at least 180 days prior to scheduled implementation of the matching program. The responsible official is considered the system manager or the head of the organizational unit who has delegated authority to perform Privacy Act activities in accordance with Treasury Directive 25-04.

    1. See IRM 1.10.1, Office of the Commissioner of Internal Revenue, Correspondence Manual, regarding IRS Signature Package Procedures.

    2. See IRM 1.2.49, Delegation Order 11-2, regarding delegated authority to permit the disclosure of FTI.

  6. Data Services will submit the CMA, signed by each party to the CMA, to the Treasury DIB, via e-mail to Privacy@treasury.gov for review and approval by the Board. In accordance with Treasury Directive 25-06, the Board will:

    1. Review and approve or deny the CMA for receipt or disclosure of records for matching programs to ensure compliance with all relevant statutes, regulations, and OMB guidance, including 5 USC §552a(o); and

    2. Approve or deny the CMA no later than 60 calendar days after receipt of the CMA and submit to Data Services any questions by day 30 of the 60-day period.

  7. Upon the Board’s approval, the Treasury DIB Chairperson will sign the CMA and the Treasury DIB Liaison will return the CMA to Data Services.

  8. Data Services will coordinate with Treasury to report the matching program to Congress and OMB, if required and per OMB Circular A-108PDF guidance.

    Note:

    The recipient agency (or source agency in a matching program where a non-federal agency is the recipient agency) is responsible for notifying and reporting to Congress and OMB of the matching program; this action shall occur at the agency level, rather than the sub-agency, component, or program level.

  9. When preparing the CMA, Data Services and the BOD/FOD must consider the systems of records to be used in the matching program. The routine use cited in the existing system notice must encompass the proposed matching program. If not, the system notice must be republished to modify the routine use statement prior to submitting the CMA for review by the Treasury DIB.

  10. In addition, the data resulting from the matching program must be considered. If the data match results in a new system of records, then a new system notice must also be published.

  11. The initial CMA may remain in effect for a period not to exceed 18 months. During the last 90 days of the existing CMA, the parties to the CMA may approve a one-time renewal, not to exceed 12 months. The renewal CMA does not require notice and reports to Congress and OMB and publication in the Federal Register.

  12. Upon expiration of the initial CMA and one-time renewal CMA, a re-establishment CMA must be secured to continue the matching program. A re-establishment CMA must be fully executed within the last 90 days of the original CMA, or renewal CMA, if applicable. The re-establishment CMA requires the same notice, reporting and publication requirements as the initial CMA. The format for the initial CMA shall be used for the re-establishment CMA.

Matching Program Notice and Reporting Requirements

  1. Agencies participating in matching programs that are subject to CMPPA are required to publish a matching notice in the Federal Register at least 30 days prior to the establishment, re-establishment, or significant modification of the matching program. Examples of significant modifications are cited in OMB Circular A-108PDF.

    1. Generally, the recipient federal agency (or the source federal agency in a match conducted with a non-federal agency) is responsible for publishing notice of the matching program in the Federal Register. However, in matching programs involving only federal agencies, the agencies may assign responsibility. In the case of matching programs conducted with a non-federal agency, the federal agency is responsible for publishing.

    2. Notice is not required for the one-year renewal of a matching program by the agency’s DIB.

  2. Agencies are required to report to OMB and Congress any proposal to establish, re-establish, or significantly modify a matching program at least 30 days prior to the submission of the notice to the Federal Register for publication.

    1. If the agency is re-establishing a matching program and continuing the program past the expiration of the current CMA (including any one-year renewal approved by the DIB), the agency shall report the proposal to re-establish the matching program at least 60 days prior to the expiration of the existing CMA.

    2. OMB will have 30 days to review the proposal to establish, re-establish, or significantly modify a matching program and provide any comments to the agency. Advance notice to OMB and Congress is required by subsection (r) of the Privacy Act.

    3. Submission of the report to OMB will officially start the 30-day advance review period.

      Note:

      OMB’s 30-day review period is separate from – and may not run concurrently with – the publication period in the Federal Register.

    4. The report of an established, re-established, or significantly modified matching program includes a transmittal letter, a narrative statement, a draft Federal Register notice, a CMA, and any supplementary documents.

Notice to Record Subjects

  1. When IRS is the recipient agency (or federal agency when the matching program is conducted with a non-federal agency), IRS will notify records subjects in one of two ways, either by constructive notice or direct notice.

    1. Constructive Notice - IRS will coordinate with Treasury to publish constructive notice of the matching program in the Federal Register informing record subjects of the proposed matching program and in accordance with 5 USC §552a(e) and OMB Circular A-108PDF, and in the format prescribed by the Federal Register Document Drafting HandbookPDF.

    2. Direct Notice - IRS will provide to each individual in the match population a direct notice of the match. This may be accomplished by a statement on an application form or by separate document. In most instances, amending the Privacy Act statement on an application form will meet CMPPA requirements.

  2. For IRS matching programs designed to detect fraud and/or illegal acts of agency employees, IRS will ensure that direct notice is provided to each record subject. While Document 12011, Internal Revenue Service Ethics Handbook , universally prohibits fraud or inappropriate actions on the part of its employees, a specific notice to each record subject regarding the matching program will be provided prior to the implementation of the matching program and, at the least, an annual notice during the period the matching program is authorized.

    Note:

    TIGTA investigations are not part of the scope of matching programs for which employees will get notice, as TIGTA’s matching programs have been exempted from the CMPPA by P.L. 114-317.

  3. Notice published in the Federal Register should contain the following information:

    1. Name of participating agency or agencies.

    2. Purpose of the match.

    3. Authority for conducting the match.

    4. Categories of records and individuals covered.

    5. Inclusive dates of the matching program.

    6. Address for receipt of public comment or inquiries.

  4. IRS must publish notices of the establishment, re-establishment or modification of a matching program in the Federal Register at least 30 days prior to conducting the matching program.

Annual Matching Activity Review and Report

  1. Annually, Data Services will conduct a servicewide review of that year’s CMPPA covered matching program activities and prepare an annual report of the matching programs for IRS. The annual report will be submitted to the Department of Treasury Senior Agency Official for Privacy to be included in Treasury’s annual report to OMB.

  2. Per OMB Circular A-108PDF, the report shall include a list of each matching program in which the agency participated during the year. For each matching program, the report shall include:

    1. A brief description of the matching program, including the names of all participating Federal and non-Federal agencies.

    2. Links to the matching notice.

    3. An account of whether the agency has fully adhered to the terms of the CMA.

    4. An account of whether all disclosures of agency records for use in the matching program continue to be justified.

    5. An indication of whether a cost-benefit analysis was performed, the results of the cost-benefit analysis, and an explanation of why the agency proceeded with any matching program for which the results of the cost-benefit analysis did not demonstrate that the program is likely to be cost effective.

    6. A description of any CMA that the DIB disapproved and the reasons for the disapproval.

    7. A description of any violations of matching agreements that have been alleged or identified, and a discussion of any action taken in response.

Existing Matching Programs

  1. Data Services maintains CMAs with approximately 61 federal, state and local agencies, initially developed for master file extract programs that were in place with government entities when the CMPPA was enacted.

  2. The CMAs maintained by Data Services cover various matching programs involving the disclosure of FTI. For example, one matching program provides address information to enable federal agencies to locate individuals to recoup monies, while another provides income information for use in determining eligibility for federal benefit programs.

  3. Some current matching programs include:

    1. Disclosure of Information to Federal, State and Local Agencies (DIFSLA) Matching Program - IRC §6103(l)(7) authorizes IRS to disclose certain return information to agencies administering certain programs under the Social Security Act, the Food Stamp Act of 1977 and Title 38 of the United States Code (Veterans’ Benefits).

    2. Taxpayer Address Requests (TAR) Matching Program - IRC §6103(m)(2) authorizes IRS to disclose, upon written request, of a taxpayer's mailing address for use by officers, employees, or agents of a federal agency for the purpose of locating such taxpayer to collect or compromise a federal claim against the taxpayer in accordance with §§3711, 3717, and 3718 of Title 31 of the U.S. Code.

    3. Verification of Household Income and Family Size for Insurance Affordability Programs and Exemptions Matching Program - IRC §6103(l)(21) authorizes IRS to disclose certain items of return information to the Centers for Medicare and Medicaid Services (CMS), a division of the Department of Health and Human Services, as a part of the eligibility determination process for programs covered by various sections of the Patient Protection and Affordable Care Act (Public Law No. 111-148), as amended by the Health Care and Education Reconciliation Act of 2010 (Public Law No. 111-152), codified at 42 U.S.C. 18001 (collectively, the ACA).

    4. Medicare Part D Matching Program - IRC §6103(l)(7) authorizes IRS to disclose to Social Security Administration (SSA) certain return information for the purpose of verifying eligibility for or the correct subsidy percentage of benefits provided under Social Security Act.

    5. Medicare Part B Matching Program - IRC §6103(1)(20) authorizes IRS to disclose specified return information to SSA with respect to taxpayers whose Part B and/or prescription drug coverage insurance premium(s) may (according to IRS records) be subject to premium subsidy adjustment pursuant to the Social Security Act for the purpose of establishing the amount of any such adjustment or increase.

    6. IRS Data Loss Prevention Matching Program - IRS has the responsibility to ensure that information is kept confidential as required by the Internal Revenue Code, Privacy Act of 1974, the Bank Secrecy Act, Title 18 of the United States Code, The Federal Information Security Modernization Act (FISMA), and other applicable laws that require safeguarding of information. Confidential information that is sent without sufficient protection is a violation of IRS Security Policy. The IRS matches computerized data to detect and deter breaches of security policy by IRS employees, contractors, or other individuals who have been granted access to IRS information, or to IRS equipment and resources, who send electronic communications in an unsecure and unencrypted manner.