1.1.27 Privacy, Governmental Liaison and Disclosure (PGLD)

Manual Transmittal

May 7, 2019

Purpose

(1) This transmits revised IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD).

Material Changes

(1) IRM 1.1.27.1.1 - Added reference in Background subsection to the Identity Assurance (IA) office moving from Online Services to PGLD.

(2) IRM 1.1.27.1.3 - Added reference to IA authorities in new IRM Exhibit 1.1.27-4.

(3) IRM 1.1.27.1.4 - Added IA to list of PGLD offices and added Director, IA role and major responsibilities.

(4) IRM 1.1.27.1.5 through 1.1.27.1.5.3 - Removed all subsections on PGLD program reports as the information is not necessary for functional IRMs per feedback from Servicewide Policy, Directives and Electronic Resources (SPDER).

(5) IRM 1.1.27.4 - New subsection with information on the IA office and program.

(6) Added Data Breach Response Playbook maintenance to Incident Management’s list of responsibilities.

(7) IRM Exhibit 1.1.27-1 - Added new IA acronyms.

(8) IRM Exhibit 1.1.27-2 - Added new IA terms and definitions.

(9) IRM Exhibit 1.1.27-4 - New exhibit reflecting primary IA authorities.

(10) IRM Exhibit 1.1.27-7 - New Functional Delegation Order PGLD-1-23-1 reflecting the order of succession for PGLD executive positions.

Effect on Other Documents

None.

Audience

All divisions, functions, employees and contractors within the IRS.

Effective Date

(05-07-2019)

Related Resources

The Privacy, Governmental Liaison and Disclosure intranet home page can be found at: Disclosure and Privacy Knowledge Base.

Edward T. Killen
Chief Privacy Officer

Program Scope and Objectives

  1. Mission: To preserve and enhance public confidence by advocating for the appropriate protection, retention and disclosure of taxpayer information.

  2. Purpose: This IRM provides organizational information about Privacy, Governmental Liaison and Disclosure (PGLD).

  3. Policy Owner: PGLD, under the Deputy Commissioner for Operations Support (DCOS).

  4. Program Owner: PGLD administers privacy and records policies, procedures, and initiatives and coordinates privacy and records-related actions throughout the IRS. Each IRS organization is responsible for managing its privacy and records requirements based on these Servicewide policies and procedures.

  5. Contact Information: To recommend changes to this IRM, see IRM 1.11.6.6, Providing Feedback About an IRM Section - Outside of Clearance, and send your suggestions to the PGLD Internal Management Documents (IMD) Coordinator at *PGLD IMD SPOC.

Background

  1. PGLD has experienced numerous organizational changes affecting functional statements throughout its current structure. These organizational changes were made to:

    • Leverage the workforce’s specialized expertise

    • Enhance accountability

    • Ensure organizational efficiency, effectiveness, and customer service

  2. PGLD stood up as a separate functional business unit effective April 08, 2012. Major organizational changes include:

    1. Merging Privacy, Information Protection and Data Security (PIPDS) and Governmental Liaison and Disclosure (GLD) into one unit effective June 19, 2011. Safeguards merged with GLD to become Governmental Liaison, Disclosure and Safeguards (GLDS) on December 12, 2013. PIPDS was formerly known as the Office of Privacy and Information Protection (before that, it was known as the Office of Privacy). GLD and Safeguards were both realigned from Communications, Liaison and Disclosure (CLD), Small Business and Self-Employed Division (SB/SE). They were merged to solidify the common bond of taxpayer and employee privacy information protection in full compliance with the Privacy Act of 1974, 5 U.S.C. § 552a, as amended, coupled with the public right to information under the Freedom of Information Act (FOIA) of 1966, 5 U.S.C. § 552, as amended.

    2. Creating a new Director level operation titled Governmental Liaison, Disclosure and Safeguards (GLDS) by combining the operations of the same names.

    3. Restructuring GLDS offices of Data Services, Disclosure, Governmental Liaison, and Safeguards, by creating, closing, consolidating, and renaming subordinate units and realigning staff accordingly.

    4. Creating a new Director level operation titled Strategic Support Office (SSO), subsequently renamed Program and Planning Support (PPS). The PPS function was created to allow the centralization of support activities under a single point of ownership and accountability.

    5. Realigning the Office of Employee Protection (OEP), Collection Policy, Small Business/Self-Employed Division, as a subordinate operating unit to Incident Management (retitled Incident Management and Employee Protection), under the Director, Privacy and Information Protection (PIP) effective February 24, 2014.

    6. Migrating victim assistance aspects of identity theft to Wage & Investment (W&I) to centralize identity theft victim assistance under one leadership team and foster process and efficiency improvements.

    7. Removing the operating units Identity Protection Technical and Identity Protection Analysis and forming Privacy Policy & Knowledge Management (PPKM), Privacy Compliance and Assurance, and Incident Management/Employee Protection (IM/OEP).

    8. Renaming the Director level operation Privacy and Information Protection as Privacy Policy and Compliance (PPC).

    9. Realigning the headquarters Records and Information Management (RIM) staff from the former Agency-Wide Shared Services’ (AWSS) Real Estate and Facilities Management (now Facilities Management and Security Services (FMSS)) and Information Protection Projects (IPP) into one director-level office named Identity and Records Protection (IRP) effective August 10, 2014.

    10. Moving GL’s Congressional Affairs Program to Communications & Liaison (C&L) effective October 2, 2016.

    11. Moving PGLD’s in-house human resources and training staff to the Human Capital Office (HCO) effective February 21, 2016, and its in-house communications staff to C&L effective November 13, 2016.

    12. Moving the Identity Assurance (IA) office from Online Services to PGLD on May 27, 2018.

Terms/Definitions/Acronyms

  1. See Exhibit 1.1.27-1 for commonly used PGLD acronyms and their definitions.

  2. See Exhibit 1.1.27-2 for commonly used PGLD terms and their definitions.

Authorities

  1. See Exhibit 1.1.27-3 for significant GLDS authorities.

  2. See Exhibit 1.1.27-4 for significant IA authorities.

  3. See Exhibit 1.1.27-5 for significant IRP authorities.

  4. See Exhibit 1.1.27-6 for significant PPC authorities.

  5. See Exhibit 1.1.27-7 for PGLD’s functional delegation order of succession.

Roles and Responsibilities

  1. The Chief Privacy Officer reports directly to the DCOS and is responsible for ensuring that IRS strives to implement sound policies to protect taxpayer and employee privacy, and personal and sensitive information. Major responsibilities of the Chief Privacy Officer include:

    • Establishing the IRS strategic direction regarding privacy protection, retention, and disclosure of taxpayer information

    • Directing a core staff of privacy and security subject matter experts, both on the policy front and in information systems

    • Promoting consistent implementation of privacy policies and legal record retention and disclosure requirements

    • Reporting on IRS’s activities to promote privacy protection and information security

    • Leading privacy policy development and providing expert advice on privacy, disclosure of taxpayer data, records management, execution of the FOIA, data protection and data sharing efforts across IRS and with external government partners

    • Assessing and supporting plans to mitigate organizational risk from potential data breaches or unauthorized disclosures of IRS records

    • Partnering with federal and state agencies to obtain data that supports business unit tax administration and compliance efforts

    • Interpreting and administering IRC 6103 to ensure confidentiality of tax records and the integrity of the tax administration systems

    • Providing statutory oversight of IRS security and confidentiality requirements for federal and state agencies receiving tax return information

    • Enhancing the privacy expertise and field presence of PGLD through knowledge management practices that expand the privacy knowledge and professional expertise of all PGLD employees

  2. There are five offices or functions within PGLD:

    1. Governmental Liaison, Disclosure and Safeguards, or GLDS

    2. Identity Assurance, or IA

    3. Identity and Records Protection, or IRP

    4. Privacy Policy and Compliance, or PPC

    5. Program and Planning Support, or PPS

  3. The Director, GLDS reports to the Chief Privacy Officer and is responsible for interpreting and applying laws, regulations, policies, and guidance to provide access to IRS records and information, while ensuring protected information is appropriately disclosed. This includes ensuring the confidentiality of IRS information provided to Federal, state, and local agencies. Major responsibilities of the Director, GLDS include:

    • Developing Servicewide policies, standards and guidelines for protecting taxpayer confidentiality and access to agency records under IRC 6103, the FOIA, and other disclosure related regulations and directives, and collaborating with Privacy Policy and Compliance with regard to confidentiality and access matters under the Privacy Act

    • Establishing IRS strategic direction regarding data sharing, disclosure, and safeguards

    • Examining disclosure and privacy-related legislation and other initiatives proposed by Congress, other agencies, and the public and formulating IRS’s position to address the effect of such initiatives. When appropriate, identifies the need for new legislation to strengthen and support IRS’s privacy and disclosure policies and to address future issues

    • Collaborating with IRS Information Technology to support critical infrastructure improvements and enhance the protection of these systems from unauthorized access and exploitation and ensuring data exchange partners meet these same critical standards

    • Overseeing the research, analysis, and data for timely FOIA responses and serving as the liaison to external customers and recipients to clarify and resolve FOIA issues

    • Managing the safeguards program to ensure compliance with IRC Section 6103(p)(4) federal safeguarding requirements through the verification and monitoring of agency risk mitigation plans, to reduce the threat of loss, breach, or misuse of Federal Tax Information (FTI) entrusted to external government agencies

    • Managing relationships with Business and Functional Operating Divisions (BODs/FODs) to identify strategic priorities that may impact national policy in consideration of external stakeholders’ needs

    • Supporting the BOD/FOD strategic priorities by ensuring Servicewide compliance with statutory disclosure requirements through delivering awareness training, preparing BOD/FOD specific guidance, conducting Quality/Privacy Reviews, reviewing documents, and providing technical guidance

    • Processing requests for disclosure of agency records, such as FOIA/Privacy Act, testimony requests and court orders from internal and external stakeholders and the public

    • Reporting to Congress and Treasury on FOIA/Privacy Act end of year inventory and IRC 6103 accounting

  4. The Director, IA reports to the Chief Privacy Officer and provides IRS-wide leadership in developing and integrating authentication, authorization and access (A3) policies, including related frameworks and processes. Major responsibilities of the Director, IA include:

    • Collaboratively guiding and supporting improved security, data protection, customer access, and enhanced identity assurance posture across IRS

    • Establishing and maintaining a Servicewide A3 strategy by developing and maintaining IRS’s strategic vision, identifying trends and best practices, and representing IRS’s A3 interests with internal and external stakeholders

    • Facilitating A3 policy decision-making through the development, approval, and use of policies and related A3 frameworks and processes across the IRS

    • Developing and integrating A3 initiatives by coordinating their planning, prioritization, establishment, and integration across channels

    • Ensuring consistent oversight of all A3-related processes, frameworks, and policy needs by providing identity assurance policy recommendations and guidance, including at the time of filing, online, face-to-face, telephone, fax, and written correspondence, while monitoring and coordinating the A3 portfolio to ensure its investments and initiatives are consistent with policies and are properly prioritized

  5. The Director, IRP reports to the Chief Privacy Officer and advises IRS senior leadership on the adequacy of documentation and the creation and management of agency records, and on the protection of taxpayer data from unauthorized access and through reduced Servicewide use of SSNs, while keeping senior management informed on current and projected operational requirements, issues, and legislative and regulatory matters. Major responsibilities of the Director, IRP include:

    • Formulating and overseeing the implementation of IRS policy and guidance for recordkeeping in accordance with the strategic plan, Congressional mandates, and the National Archives and Records Administration (NARA) regulations, standards and guidance

    • Establishing strategic direction on records and information management for the full range of IRS activities

    • Examining records and information management-related legislative and other initiatives proposed by Congress, Treasury, other agencies, and the public and formulating IRS’s position to address the effect of such initiatives

    • Serving as the IRS agency representative to the Office of Management and Budget (OMB), the Congress, NARA, and the press in matters relating to records management

    • Establishing effective working relationships and communication with IRS business units in order to understand operational priorities and initiatives, and identify strategic and tactical issues related to records and information protection

    • Ensuring that IRS employees are knowledgeable and kept current about records management principles and requirements, and that they receive records management training appropriate to their needs

    • Working with Information Technology to build records management functionality into the enterprise architecture and to ensure all information systems incorporate records management functionality appropriate to the records/information assets they support

    • Collaborating closely with the Department of the Treasury to implement and oversee records and information management processes and initiatives

    • Collaborating Servicewide to identify opportunities to reduce or eliminate SSNs in tax administration

    • Protecting taxpayer data through oversight of the Unauthorized Access (UNAX) program and updates to the annual employee mandatory briefing

    • Implementing the Controlled Unclassified Information (CUI) program

  6. The Director, PPC reports to the Chief Privacy Officer and is responsible for ensuring the IRS implements sound policies designed to protect the identity and privacy of employees and taxpayers. Major responsibilities of the Director, PPC include:

    • Promoting consistent implementation of privacy policies and reporting on IRS’s activities to promote privacy protection

    • Establishing strategic direction on privacy for the full range of IRS activities, including data protection strategies such as designing privacy into systems and business processes and evaluating the compliance and effectiveness of these strategies

    • Examining privacy-related legislative and other initiatives proposed by Congress, other agencies, and the public and formulating IRS’s position to address the effect of such initiatives. When appropriate, identifies the need for new legislation to strengthen and support IRS’s privacy policies and to address future issues

    • Developing a training curriculum regarding privacy for IRS executives, managers, and employees, and contractors who receive taxpayer information. Develops and delivers a training curriculum to ensure a staff of highly skilled privacy professionals. Promotes internal and external awareness of IRS’s commitment to privacy and information protection

    • Collaborating closely with the Department of the Treasury to implement and oversee privacy and data protection processes and initiatives

    • Collaborating with IRS Information Technology to ensure that privacy functionality is included in system design and support critical infrastructure improvements to enhance the protection of these systems from unauthorized access and exploitation

    • Overseeing an incident response plan for data breach incidents through risk evaluation and measured response

    • Ensuring IRS’s Privacy and Civil Liberties Impact Assessment (PCLIA) process effectively meets government-wide standards and goals

    • Effectively administering programs tracking potentially dangerous taxpayers and those taxpayers that should be approached with caution

    • Leading the IRS Privacy Council to identify emerging issues and develop policies to mitigate privacy risks

  7. The Director, PPS reports to the Chief Privacy Officer and:

    • Manages budget and technology issues for PGLD

    • Coordinates internal/external communications on privacy issues related to tax administration

    • Coordinates PGLD hiring

    • Monitors PGLD TIGTA/GAO audits and responses

    • Supports the Internal Management Document (IMD) program

    • Provides facilities planning and oversight

    • Institutes contract procurement and oversight

    • Conducts emergency preparedness exercises

    • Sponsors PGLD-wide CPE

  8. PGLD’s current organization chart is available at https://portal.ds.irsnet.gov/sites/PGLD/ap/PGLD-Org-Chart.pptx.

Related Resources

  1. The following table lists the primary sources of information on PGLD programs:

    | IRM | Title | Contains |
    |---|---|---|
    | IRM 11.3.1 | Introduction to Disclosure | The instructions, guidelines, and procedures necessary to fulfill our obligations under the disclosure laws |
    | IRM 11.4.1 | Governmental Liaison Operations | The operating procedures, policy and guidelines for Governmental Liaison employees and managers |
    | IRM 11.4.2 | Office of Governmental Liaison, Data Exchange Program | Information on the program which shares federal tax data with state agencies for the purposes of state tax administration |
    | IRM 11.3.36 | Safeguard Review Program | Information and procedural guidance for Office of Safeguards staff for ensuring that outside agencies and their contractors maintain adequate safeguards to protect the federal tax data received from IRS |
    | IRM 1.15.1 | The Records and Information Management Program | Information, including the responsibilities of all IRS employees, for complying with the requirements of maintaining and managing IRS’s records and information |
    | IRM 10.5.1 | Privacy and Information Protection, Privacy Policy | Information on the Privacy Policy and Compliance office and the uniform policies used by IRS employees and organizations to carry out their privacy responsibilities |
    | | Disclosure and Privacy Knowledge Base | The PGLD virtual library |

Privacy, Governmental Liaison and Disclosure

  1. PGLD is responsible for safeguarding and protecting sensitive taxpayer and employee information while promoting government transparency and accountability through better access to government information.

  2. PGLD is geographically dispersed across the U.S. with business operations sharing a commitment to privacy, records and information management, and data and employee protection.

  3. To accomplish its mission, PGLD:

    • Preserves and enhances public confidence by advocating for the protection and proper use of sensitive information

    • Protects the sensitive information and privacy of taxpayers and IRS employees

    • Reduces vulnerabilities for identity theft, which promotes identity protection

    • Ensures IRS records, including those containing PII, are managed appropriately

    • Works with all IRS operations to ensure only authorized disclosures and data sharing

    • Partners with federal, state, and local governmental agencies to promote privacy and protect FTI

    • Exchanges FTI as authorized by law with external stakeholders

    • Safeguards FTI held by data exchange partners

    • Protects IRS employees through the use of cautionary indicators on appropriate taxpayer accounts

    • Leads development and integration of IRS authentication, authorization and access (A3) policies

  4. The following subsections provide details about the four PGLD offices listed in IRM 1.1.27.1.4(2).

Governmental Liaison, Disclosure and Safeguards

  1. Governmental Liaison, Disclosure and Safeguards (GLDS) provides timely public access to IRS records in accordance with applicable disclosure laws; strengthens America’s tax system by partnering with federal, state, and local governmental agencies; and ensures IRS employees and external partners protect confidential tax information.

  2. GLDS is geographically dispersed throughout the country providing disclosure guidance and support to all IRS employees while interacting with federal, state, and local agencies on data exchanges and other issues.

  3. There are four offices within GLDS:

    1. Governmental Liaison

    2. Disclosure

    3. Safeguards

    4. Data Services

  4. GLDS’s offices work collaboratively:

    • Disclosure serves as the taxpayer data gatekeeper and makes IRC 6103 "need and use" determinations regarding what IRS should and should not disclose

    • Working with Disclosure and Safeguards, Governmental Liaison (GL) helps determine data needs and uses and manages relationships between IRS and a diverse assortment of approximately 300 external agencies

    • After Disclosure and GL have determined the data needs, Data Services defines and develops the necessary extracts

    • Safeguards protects the data by verifying the external agencies are using and safeguarding it appropriately

  5. To accomplish its mission, GLDS:

    • Provides timely public access to IRS records in accordance with applicable disclosure laws

    • Strengthens America’s tax system by partnering with federal, state, and local governmental agencies to increase compliance, enforcement, and service to taxpayers

    • Ensures IRS employees and external partners protect confidential tax and privacy information

    • Provides oversight and outreach to more than 300 federal, state, and local agencies receiving FTI

Governmental Liaison

  1. Governmental Liaison (GL) is the primary point of contact with federal, state, and local government agencies and partners with them to obtain and exchange data to support IRS efforts related to identity theft, tax compliance, and refund fraud. Cooperation between IRS and other government agencies helps achieve IRS’s strategic goals of improved voluntary compliance, increased efficiency of tax administration, and reduced taxpayer burden.

  2. GL facilitates agreements to exchange data and tax and non-tax information with federal, state, and local governmental agencies. These exchanges augment IRS’s tax compliance systems by helping IRS better identify where to apply compliance resources, thereby helping to reduce the tax gap, reduce taxpayer burden and optimize use of resources. GL’s three partnering programs are:

    1. Fed/State: Facilitates tax information exchanges through joint tax administration relationships between the IRS and state taxing authorities, such as departments of revenue and state workforce agencies

    2. Federal Intergovernmental Program (FIP): Strengthens existing partnerships and develops potential reciprocal arrangements across the federal government to enhance effective tax administration and good government

    3. Municipal Agency Partnering Program (MAPP): Focuses on partnering opportunities with municipalities and other local agencies and offices - sometimes referred to as “non-traditional” agencies

  3. The Associate Director, Governmental Liaison, reports to the Director, GLDS, and oversees the GL program. The following GL managers and offices report to the Associate Director:

    • Chiefs, Governmental Liaison - Fields East and West

    • Chief, Governmental Liaison Headquarters Policy

  4. See IRM 11.4.1, Governmental Liaison Operations, for more information.

Data Services

  1. Data Services provides support to GL and Disclosure programs through a variety of information technology and data initiatives, including:

    • Managing the Governmental Liaison Data Exchange Program (GLDEP), including computation, billing, and receivable process for reimbursable fees

    • Managing Disclosure and Safeguards inventory controls and producing statistical management reports and measures

    • Working with NARA to obtain documents from Federal Records Centers (FRCs)

    • Performing quality review of Disclosure casework and providing feedback

  2. The Associate Director, Data Services, reports to the Director, GLDS, and oversees the Data Services program. The following Data Services managers and offices report to the Associate Director:

    • Chief, Centralized Processing Unit

    • Chief, Data Exchange and Quality Initiative

    • Chief, Technical Support and Analysis

  3. See IRM 11.4.2, Governmental Liaison Data Exchange Program (GLDEP), for more information.

Disclosure

  1. Disclosure ensures the right information is released to the right individuals at the right time by developing standards and guidelines for the protection of taxpayer confidentiality and access to IRS records under the Internal Revenue Code, the FOIA (5 U.S.C. § 552) and the Privacy Act (5 U.S.C. § 552a). Disclosure helps IRS employees comply with statutory requirements through awareness of access and authentication requirements, quality/privacy reviews, document clearances and technical assistance. Disclosure casework includes:

    • Addressing requests for access to IRS records through the FOIA and the Privacy Act

    • Ex-Parte court orders

    • Testimony authorizations

    • Authoring over three dozen IRMs on various disclosure topics

    • Providing specialized review for all IRS business units’ IRMs and training materials containing disclosure and privacy issues and/or content designated as Official Use Only (OUO)

  2. The Associate Director, Disclosure, reports to the Director, GLDS, and oversees the Disclosure program. The following Disclosure managers and offices report to the Associate Director:

    • Deputy Area Director, Disclosure Areas - East and West

    • Deputy Area Director, Disclosure Policy and Program Operations

  3. See IRM 11.3.1, Introduction to Disclosure, for more information.

Safeguards

  1. Safeguards is responsible for ensuring that outside agencies and their contractors with access to federal tax returns and return information, collectively referred to as Federal Tax Information (FTI), maintain proper safeguards to adequately protect the data. These agencies receiving return information must protect the confidentiality of return information and are periodically reviewed by Safeguards personnel to ensure they meet the safeguarding requirements of IRC 6103(p)(4). These requirements include:

    • Employee awareness programs

    • Computer security

    • Secure storage

    • Proper disposal

  2. Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, contains the specific requirements for those receiving FTI.

  3. The Associate Director, Safeguards, reports to the Director, GLDS, and oversees the Safeguards program. The following Safeguards managers and offices report to the Associate Director:

    • Chiefs, Safeguards Review Teams 1 and 2

    • Chief, Safeguards Policy

  4. See IRM 11.3.36, Safeguards Review Program, for more information.

Identity Assurance

  1. The Identity Assurance (IA) mission is to establish and maintain a Servicewide strategy that provides a framework for assessing risk and developing proposed mitigations that strive for a consistent approach of all authentication, authorization and access needs across IRS functions and programs.

  2. IA’s role is to strengthen the IRS authentication posture by enhancing visibility and coordination for identity proofing, authentication, authorization, and access (A3) strategies, processes and capabilities. IA accomplishes this by leveraging, coordinating and integrating approaches to foster enterprise strategies.

  3. Identity Assurance Operations is the lone suboffice within IA.

  4. To accomplish its mission, IA:

    • Identifies trends, best practices, lessons learned, etc., and shares information in support of authentication, authorization, and access (A3) efforts

    • Guides integration of identity assurance policy decisions for compliance and risk management

    • Facilitates the evaluation of identity assurance efforts and policy decisions to mitigate risk, while also focusing on cost, time-to-market, and taxpayer usability

    • Coordinates the development of analyses for A3 in accordance with government standards and guidance

    • Promotes enterprise-wide policy prioritization decisions regarding budget formulation and execution of enterprise-wide A3 platforms and processes

    • Advises and guides the identification, establishment, integration, and ongoing refinement of new or existing A3 capabilities and processes

    • Partners to ensure that newly developed or integrated capabilities comply with IRS A3 policies, frameworks, OMB memoranda, National Institute of Standards and Technology (NIST) guidelines, etc., as appropriate

    • Monitors and coordinates the A3 portfolio ensuring A3 investments and initiatives are consistent with policies and are prioritized and delivered against the most critical opportunities, gaps, and program/initiative risks and/or emerging priorities

    • Acts as a Servicewide expert for identity assurance related policies, practices, risks, and initiatives regardless of functional origination or process ownership

    • Develops and collects performance metrics for A3

Identity and Records Protection

  1. Identity and Records Protection (IRP) provides Servicewide records management expertise and protection of taxpayer and employee identities through the Unauthorized Access (UNAX) and Social Security Number Elimination and Reduction (SSN ER) programs.

  2. IRP leads Servicewide efforts to implement the federal electronic records management requirements of OMB Memorandum M-12-18, Managing Government Records Directive, and address recordkeeping requirements for:

    • Email

    • Social media

    • Electronic messaging (Skype, Office Communicator Server/Lync)

    • The future vision for taxpayer digital communications

  3. IRP also promotes IRS behavioral changes through coordinated awareness, communication and educational efforts designed to reinforce understanding of:

    • What is and what is not a federal record

    • Consequences of not complying with Federal Records Act requirements

    • Individual employees’ and IRS’s joint obligation to manage records appropriately

  4. There are two offices within IRP:

    1. Records and Information Management, or RIM

    2. Information Protection Projects, or IPP

  5. To accomplish its mission, IRP:

    • Provides guidance and oversees functions related to recorded IRS information throughout the life cycle of a document

    • Protects taxpayer data by managing the Unauthorized Access (UNAX) and Social Security Number Elimination and Reduction (SSN ER) programs

    • Provides oversight for the Controlled Unclassified Information (CUI) Program, which seeks to standardize the way the Executive branch handles unclassified information. The authority of CUI comes from Executive Order 13556, 32 CFR 2002 and the CUI Registry, which set forth the parameters and requirements for implementing, designating, safeguarding, disseminating, marking, destroying, and decontrolling CUI.

Records and Information Management

  1. Records and Information Management (RIM) helps business units apply sound management practices and techniques throughout the life cycle of all IRS records by:

    • Planning, developing and promoting IRS records management policy standards, procedures and guidelines that provide for effective controls over IRS records and information - see IRM 1.15 series

    • Working with NARA, Department of the Treasury, other governmental agencies and private industry on all records and information management matters affecting IRS

    • Promoting awareness and understanding of RIM principles to all IRS employees

    • Providing oversight and monitoring of IRS electronic records dispositions

    • Providing technical guidance and assistance to business units in fostering the mission of the RIM program

    • Overseeing and monitoring all off-site NARA Records Center Program services, including the off-site storage of IRS records

  2. Servicewide records specialists and business unit information resource coordinators have oversight responsibilities for implementing an effective RIM program nationwide. They assist the IRS Records Officer by:

    • Supporting and providing assistance to designated information resource coordinators assigned to the IRS functional organizations

    • Participating in local area or business function studies and providing recommendations to improve the RIM program

    • Resolving local RIM matters

    • Elevating Servicewide RIM issues to the IRS Records Officer

    • Serving as a liaison with NARA, FRCs, and IRS business units on all records disposition matters

    • Tracking and monitoring records requests to and from FRCs

    • Assisting customers with maintaining records control schedules, including the identification of new or revised authorities for electronic records

  3. The Associate Director, Records and Information Management, reports to the Director, IRP, and oversees the RIM program. The following managers and officers report to the Associate Director:

    • Records Management Manager, Records Specialist Team

    • IRS Records Officer

  4. See IRM 1.15.1, The Records and Information Management Program, for more information.

Information Protection Projects

  1. Information Protection Projects (IPP) manages the Servicewide Unauthorized Access to Taxpayer Accounts (UNAX), Social Security Number Elimination and Reduction (SSNER), and Controlled Unclassified Information (CUI) programs.

  2. The Associate Director, Information Protection Projects, reports to the Director, IRP, and oversees the IPP office.

  3. See IRM 10.5.5, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements, and the SSNER home page.

Privacy Policy and Compliance

  1. Privacy Policy and Compliance (PPC) promotes and integrates privacy into business practices, behaviors and technology solutions. PPC serves as IRS’s primary office for:

    • Privacy-related inquiries

    • eAuthentication policy

    • Personally Identifiable Information (PII) in email guidance

    • Federal Information Security Management Act (FISMA) compliance

    • General protections for sensitive information

  2. There are three offices within PPC:

    • Incident Management and Employee Protection (IMEP)

    • Privacy Compliance and Assurance (PCA), which includes the sub-office of Privacy Review

    • Privacy Policy and Knowledge Management (PPKM)

  3. To accomplish its mission, PPC:

    • Manages incidents involving the loss or theft of an IRS asset, or loss, theft, or disclosure of PII

    • Ensures data loss incidents are investigated, analyzed and resolved

    • Oversees the IRS’s Personally Identifiable Information Incident Notification process for notifying affected taxpayers and employees

    • Issues privacy policy to promote privacy protection, compliance and awareness

    • Administers programs tracking potentially dangerous taxpayers and those taxpayers who should be approached with caution

  4. See IRM 10.5.1, Privacy and Information Protection, Privacy Policy, for more information.

Privacy Compliance and Assurance

  1. PCA processes Privacy and Civil Liberties Impact Assessments (PCLIAs) for IRS’s:

    • Computer systems

    • SharePoint sites containing PII

    • Social media

    • Surveys

  2. A PCLIA ensures program and project managers, system owners, and developers have consciously incorporated privacy and civil liberties protections throughout the entire life cycle of a system.

  3. PCA also conducts business PII risk assessment reviews, which focus on the areas of greatest risk to the IRS for data loss or disclosure. The reviews identify risks and provide business units with mitigation strategies. PCA also is the parent organization for Privacy Review.

  4. The Associate Director, Privacy Compliance and Assurance, reports to the Director, PPC and oversees the PCA program.

  5. See IRM 10.5.2, Privacy and Information Protection, Privacy Compliance and Assurance, for more information.

Privacy Review

  1. Privacy Review processes Privacy and Civil Liberties Impact Assessments (PCLIAs) for IRS’s:

    • Computer systems

    • SharePoint sites containing PII

    • Social media

    • Surveys

  2. A PCLIA ensures program and project managers, system owners, and developers have consciously incorporated privacy and civil liberties protections throughout the entire life cycle of a system.

  3. The Chief, Privacy Review, reports to the Associate Director.

Incident Management and Employee Protection

  1. Incident Management and Employee Protection (IMEP) is comprised of the Incident Management office and the Office of Employee Protection.

  2. The Associate Director, Incident Management and Employee Protection, reports to the Director, PPC, and oversees the IMEP program.

Incident Management

  1. Incident Management administers and manages agency program requirements for ensuring incidents involving the following are investigated, analyzed and resolved:

    • The loss or theft of an IRS asset

    • The loss, theft or disclosure of PII (data loss incidents)

  2. IM activities include:

    • Incident intake and risk assessment

    • Victim notification

    • Follow-up and support

    • Functional interaction and support related to incident data

    • Facilitating the data loss prevention working group

    • Maintaining the Data Breach Response Playbook

    • Managing the Servicewide pseudonym program

  3. See IRM 10.5.4, Privacy and Information Protection, Incident Management Program, and IRM 10.5.7, Use of Pseudonyms by IRS Employees, for more information.

Office of Employee Protection

  1. The Office of Employee Protection (OEP) tracks potentially dangerous taxpayers and those taxpayers who should be approached with caution through two main programs:

    1. Potentially Dangerous Taxpayer (PDT)

    2. Caution Upon Contact (CAU)

  2. OEP Mission: To effectively administer programs tracking potentially dangerous taxpayers and those taxpayers that should be approached with caution.

  3. OEP Vision: OEP is dedicated to top quality customer service by:

    • Committing to continual process improvement

    • Actively seeking customer feedback and acting upon it

    • Periodically providing program development awareness and trend analyses

    • Conducting quarterly program area reviews

  4. The Chief, Office of Employee Protection, reports to the Associate Director, IMEP, and oversees the OEP program.

  5. See IRM 25.4.1, Employee Protection, Potentially Dangerous Taxpayer, and IRM 25.4.2, Caution Upon Contact Taxpayer, for more information.

Privacy Policy and Knowledge Management

  1. Privacy Policy and Knowledge Management (PPKM) engages in multiple initiatives to implement directives from the Office of Management and Budget (OMB), and both legislation and directives from:

    • Privacy Act (1974)

    • Computer Matching and Privacy Protection Act (1988)

    • Freedom of Information Act (1974)

    • IRC 6103

    • The Taxpayer Browsing Protection Act (1997) (UNAX)

    • Federal Information Security Management Act of 2014 (FISMA)

    • E-Government Act (2002)

    • Health Insurance Portability and Accountability Act (1996) (HIPAA)

  2. PPKM resolves privacy-related inquiries and provides policy and procedural guidance for:

    • Email containing PII

    • FISMA compliance

    • General protections for sensitive information

  3. PPKM leads the PGLD:

    • IRS Privacy Council (and corresponding Privacy Advisory Group)

    • PGLD Policy Board

  4. The Associate Director, Privacy Policy and Knowledge Management, reports to the Director, PPC, and oversees the PPKM program.

  5. See IRM 10.5.1, Privacy and Information Protection, Privacy Policy, for more information.

Program and Planning Support

  1. Program and Planning Support (PPS) provides guidance, oversight and coordination for PGLD organizational matters, and serves as liaison for HCO, training and communications efforts.

  2. PPS’s budget and contract management responsibilities include:

    • Managing resources across multiple appropriations (Operations Support, Affordable Care Act, and Reimbursables)

    • Providing contracting guidance and contract management services

    • Managing the purchase card program

  3. PPS’s Business Systems Planning responsibilities include coordinating:

    • Operation Support (OS) Get Services Tickets through Knowledge Incident/Problem Service and Asset Management (KISAM)

    • Unified Work Requests

    • IT Budget Funding Process

    • FISMA Testing

    • Wireless devices

    • IT-initiated enterprise-wide projects

  4. PPS is also involved in:

    • Servicewide communications on privacy and records management issues

    • Performance management and strategic planning

    • Coordination of all IT-initiated Servicewide projects for PGLD

    • SharePoint management and oversight

    • Web communications related to PGLD programs on IRS.gov and the intranet

    • Coordination of PGLD’s Internal Management Document (IMD) and non-IRM publishing programs

  5. The Chief, Financial Planning and Technical Support, reports to the Director, PPS.

Acronyms

The following table contains definitions for the acronyms used in this IRM:

Acronym | Definition
A3 | Authentication, authorization and access
CAP | Corrective Action Plan
CAU | Caution Upon Contact
CUI | Controlled Unclassified Information
DCOS | Deputy Commissioner for Operations Support
ESIGN | Electronic Signatures in Global and National Commerce Act
FIP | Federal Intergovernmental Program
FISMA | Federal Information Security Management Act
FOIA | Freedom of Information Act
FTI | Federal Tax Information
FRC | Federal Records Center
GL | Governmental Liaison
GLDEP | Governmental Liaison Data Exchange Program
GLDS | Governmental Liaison, Disclosure and Safeguards
GPEA | Government Paperwork Elimination Act
IA | Identity Assurance
IMEP | Incident Management and Employee Protection
IPP | Information Protection Projects
IRP | Identity and Records Protection
MAPP | Municipal Agency Partnering Program
NARA | National Archives and Records Administration
NIST | National Institute of Standards and Technology
OEP | Office of Employee Protection
OMB | Office of Management and Budget
OUO | Official Use Only
PCA | Privacy Compliance and Assurance
PCLIA | Privacy and Civil Liberties Impact Assessment
PDT | Potentially Dangerous Taxpayer
PGLD | Privacy, Governmental Liaison and Disclosure
PIAMS | Privacy Impact Assessment Management System
PII | Personally Identifiable Information
PPC | Privacy Policy and Compliance
PPS | Program and Planning Support
PPKM | Privacy Policy and Knowledge Management
RMSA | Record Management Self-Assessment
RIM | Records and Information Management
SAO | Senior Agency Official
SRR | Safeguards Review Report
SSNER | Social Security Number Elimination and Reduction
UNAX | Unauthorized Access [to taxpayer accounts]

Defined Terms

The following table contains definitions for the significant terms used in this IRM:

Term | Definition
Access | The right or permission to view or receive information. Access by an individual is determined by sensitivity of the data and authority to receive it.
Authorization | The process of establishing the rights or privileges of users to interact with the IRS on behalf of themselves, other individuals, businesses, or other organizations and allowing those users to exercise rights that have been previously established.
Authentication | The process IRS employees should use to make sure that the person to whom returns or return information are released has authorized access.
Breach | The loss of control, disclosure, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where individuals other than authorized users and for other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.
Civil liberties | The basic rights guaranteed to individual citizens by law.
Data loss/breach | An incident involving a loss, theft, breach, or inadvertent unauthorized disclosure.
Disclosure | The making known to any person in any manner whatever a return or return information. For example, confirming whether a tax return is on file or not (i.e. fact of filing) is a disclosure.
Federal tax information | Any return or return information protected by IRC 6103 confidentiality whether received from the IRS, or secondary source such as the Social Security Administration, etc. FTI includes any information created by the recipient that is derived from return or return information.
Incident management | The process of managing incidents involving the loss, theft, breach or disclosure of data.
Loss | Any event where an item is misplaced and/or neither the official owner nor the intended recipient has possession of the item in the expected time frame.
Non-record | Work-related documents that do not qualify as records such as duplicate copies, convenient/reference copies, and stocks of publications.
Personally Identifiable Information | Any information that:
  1. can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and

  2. is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Privacy | Privacy at the IRS reflects the combined effort of the IRS, its personnel, and individual taxpayers to protect, control, and exercise rights over the collection, use, retention, dissemination, and disposal of personal information.
Record | All recorded information such as books, papers, maps, photographs, machine-readable materials, or other documentary materials, regardless of form or characteristics, made or received by a Federal agency under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the United States Government or because of the informational value of data in them. See 44 U.S.C. § 3301.
Return | Any tax or information return, estimated tax declaration, or refund claim - including amendments, supplements, supporting schedules, attachments, or lists - required by or permitted under the IRC and filed with the IRS by, on behalf of, or with respect to any person or entity.
Return information | Generally any information collected or generated by the IRS with regard to any person’s liability or possible liability under the IRC. IRC 6103(b)(2)(A) defines return information very broadly.
Risk | The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
Safeguard | Any action, device, procedure, technique, or other measure that reduces a system’s vulnerability to a threat.
Unauthorized access | The willful unauthorized access and/or inspection of tax returns and return information.
Theft | An asset, electronic or hardcopy, thought or known to have been taken without permission from the individual who is responsible for the asset.
Unauthorized disclosure | An unlawful disclosure of any return or return information to an individual not authorized to receive it or for a purpose not authorized by Title 26. A willful unauthorized disclosure is a felony.

Governmental Liaison, Disclosure and Safeguards Authorities

The following table reflects the authorities and their general descriptions for GLDS activities:

Authority | Description
IRC 6103 | Confidentiality and disclosure of returns and return information
IRC 7213 | Unauthorized disclosure of information
IRC 7213A | Unauthorized inspection of returns or return information
5 U.S.C. § 552 | The Freedom of Information Act (FOIA)
5 U.S.C. § 552a | The Privacy Act
Policy Statement 11-13 | IRM 1.2.19.1.1, Freedom of Information Act Requests
Treasury Directive 25-05 | Provides policy and assigns responsibilities for carrying out the requirements of the FOIA
NIST Special Publication 800-53 Rev. 4 | Security and Privacy Controls for Federal Information Systems and Organizations

Identity Assurance Authorities

The following table reflects the authorities and their general descriptions for IA activities:

Authority | Description
IRC 6061(b) | Signing of Returns and Other Documents - Electronic Signatures
NIST Special Publication 800-53 Rev. 4, Appendix E | Security and Privacy Controls for Federal Information Systems and Organizations -- Assurance and Trustworthiness, Measures of Confidence for Information Systems
NIST Special Publication 800-63 | Digital Identity Guidelines
Public Law 105-277, Title XVII | Government Paperwork Elimination Act (GPEA) §§ 1703 and 1705
Public Law 106-299 | Electronic Signatures in Global and National Commerce Act (ESIGN)
Uniform Electronic Transactions Act | Uniform state-level law finalized by the National Conference of Commissioners on Uniform State Laws in 1999 and subsequently adopted by 47 states. May be applicable to commercial, consumer, or governmental affairs transactions involving federal organizations in certain cases.

Identity and Records Protection Authorities

The following table reflects the authorities and their general descriptions for IRP activities:

Authority | Description
44 U.S.C. Chapter 21 | National Archives and Records Administration (NARA)
44 U.S.C. Chapter 29 | Records Management by the Archivist of the United States
44 U.S.C. Chapter 31 | Records Management by Federal Agencies
44 U.S.C. Chapter 33 | Disposal of Records
36 CFR Chapter XII, Subpart B - Part 1222 | Agency Recordkeeping Requirements
36 CFR Chapter XII, Subpart B - Part 1235 | Transfer of Records to the National Archives of the United States
36 CFR Chapter XII, Subpart B - Part 1236 | Electronic Records Management
OMB M-12-18 | Managing Government Records Directive
NARA Bulletin 2012-02 | Guidance on Managing Content on Shared Drives
NARA Bulletin 2014-04 | Revised Format Guidance for the Transfer of Permanent Electronic Records
NARA Bulletin 2015-04 | Metadata Guidance for the Transfer of Permanent Electronic Records
Protecting Americans from Tax Hikes (PATH) Act of 2015, Section 402 | IRS Employees Prohibited from Using Personal Email Accounts for Official Business
Public Law 105-35 | Taxpayer Browsing Protection Act (UNAX)

Privacy Policy and Compliance Authorities

The following table reflects the authorities and their general descriptions for PPC activities:

Authority | Description
5 U.S.C. § 552 | The Freedom of Information Act (FOIA)
5 U.S.C. § 552a | The Privacy Act
IRC 6103 | Confidentiality and disclosure of returns and return information
Public Law 100-503 | Computer Matching and Privacy Protection Act of 1988
Public Law 107-347 | E-Government Act of 2002
18 U.S.C. § 2510, et seq. | Electronic Communications Privacy Act
NIST Special Publication 800-53 Rev. 4 | Security and Privacy Controls for Federal Information Systems and Organizations
NIST Special Publication 800-122 | Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
Treasury Directive Publication 25-07 | Privacy Impact Assessment
Treasury Directive Publication 85-01 | Treasury Information Technology (IT) Security Program

Functional Delegation Order PGLD-1-23-1 (New)

(1) Authority to Act in the Absence of the Chief Privacy Officer and other Privacy, Governmental Liaison and Disclosure Executives

(2) Authority: To act in the absence of the Chief Privacy Officer.
The management officials who occupy the positions listed below are delegated authorization to the position of Chief Privacy Officer.
The official named as successor will be vested with all authority given the Chief Privacy Officer until relieved of the responsibility.

(3) Delegated to:

  • Director, Governmental Liaison, Disclosure and Safeguards

  • Director, Identity Assurance

  • Director, Identity and Records Protection

  • Director, Privacy Policy and Compliance

(4) Redelegation: This authority may not be redelegated.

(5) Authority: To act in the absence of the Director, Governmental Liaison, Disclosure and Safeguards.
The management officials who occupy the positions listed below are delegated authorization to the position of Director, Governmental Liaison, Disclosure and Safeguards.
The official named as successor will be vested with all authority given the Director, Governmental Liaison, Disclosure and Safeguards until relieved of the responsibility.

(6) Delegated to:

  • Associate Director, Data Services

  • Associate Director, Disclosure

  • Associate Director, Governmental Liaison

  • Associate Director, Safeguards

(7) Redelegation: This authority may not be redelegated.

(8) Authority: To act in the absence of the Director, Identity Assurance.
The management officials who occupy the positions listed below are delegated authorization to the position of Director, Identity Assurance.
The official named as successor will be vested with all authority given the Director, Identity Assurance until relieved of the responsibility.

(9) Delegated to:

  • Associate Director, Identity Assurance Operations

(10) Redelegation: This authority may not be redelegated.

(11) Authority: To act in the absence of the Director, Identity and Records Protection.
The management officials who occupy the positions listed below are delegated authorization to the position of Director, Identity and Records Protection.
The official named as successor will be vested with all authority given the Director, Identity and Records Protection until relieved of the responsibility.

(12) Delegated to:

  • Associate Director, Information Protection Projects

  • Associate Director, Records and Information Management

(13) Redelegation: This authority may not be redelegated.

(14) Authority: To act in the absence of the Director, Privacy Policy and Compliance.
The management officials who occupy the positions listed below are delegated authorization to the position of Director, Privacy Policy and Compliance.
The official named as successor will be vested with all authority given the Director, Privacy Policy and Compliance until relieved of the responsibility.

(15) Delegated to:

  • Associate Director, Incident Management and Employee Protection

  • Associate Director, Privacy Compliance and Assurance

  • Associate Director, Privacy Policy and Knowledge Management

(16) Redelegation: This authority may not be redelegated.

(17) Source of Authority: Servicewide Delegation Order 1-23 (see IRM 1.2.40.21)

(18) To the extent that the authority previously exercised consistent with this order may require ratification, it is hereby approved and ratified.

(19) Signed: Edward Killen, Chief Privacy Officer, Privacy, Governmental Liaison and Disclosure.