10.5.1 Privacy Policy

Manual Transmittal

July 26, 2021

Purpose

(1) This transmits revised IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

Background

IRM 10.5.1 is part of the Security, Privacy and Assurance policy family, IRM Part 10 series for IRS Privacy and Information Protection.

Material Changes

(1) This publication removed HVA control information as it was included erroneously in IRM 10.5.1.8, a section new in the version published July 8, 2021. The following Material Changes are for the version published July 8, 2021.

(2) IRM 10.5.1.1, Program Scope and Objectives, updated to clarify what PII processing includes.

(3) IRM 10.5.1.1.6, Authority, updated Taxpayer Bill of Rights language.

(4) IRM 10.5.1.2.1, Privacy Lifecycle, updated to clarify what PII processing includes.

(5) IRM 10.5.1.2.3.1, Examples and Categories of PII, added example.

(6) IRM 10.5.1.2.3.2, Public Record, clarified.

(7) IRM 10.5.1.2.7, Privacy Act Information, updated to show how SOR and SORN apply.

(8) IRM 10.5.1.3, Key Privacy Concepts, updated link and clarified source of controls.

(9) IRM 10.5.1.3.1, Privacy Controls, updated to explain authority, purpose, and audience for the NIST SP 800-53 controls, as it differs from much of the rest of this IRM.

(10) IRM 10.5.1.3.2, IRS Privacy Principles, removed references to previous version of NIST controls, and the same was done to these subsections:

  1. IRM 10.5.1.3.2.1, Accountability [PVR-01]

  2. IRM 10.5.1.3.2.2, Purpose Limitation [PVR-02]

  3. IRM 10.5.1.3.2.3, Minimizing Collection, Use, Retention, and Disclosure [PVR-03]

  4. IRM 10.5.1.3.2.4, Openness and Consent [PVR-04]

  5. IRM 10.5.1.3.2.5, Strict Confidentiality [PVR-05]

  6. IRM 10.5.1.3.2.6, Security [PVR-06]

  7. IRM 10.5.1.3.2.7, Data Quality [PVR-07]

  8. IRM 10.5.1.3.2.8, Verification and Notification [PVR-08]

  9. IRM 10.5.1.3.2.9, Access, Correction, and Redress [PVR-09]

  10. IRM 10.5.1.3.2.10, Privacy Awareness and Training [PVR-10]

(11) IRM 10.5.1.4.1, Employees/Personnel, clarified.

(12) IRM 10.5.1.4.2, Management, clarified.

(13) IRM 10.5.1.4.4 System Owners, clarified authority sources.

(14) IRM 10.5.1.4.5, System Developers, clarified authority sources.

(15) IRM 10.5.1.4.7, Personnel Engaged in Procurement Activities, clarified authority sources and updated link.

(16) IRM 10.5.1.5.1, Clean Desk Policy, fixed typo.

(17) IRM 10.5.1.5.2, Privacy in Practice (PiP), clarified authority.

(18) IRM 10.5.1.6.3, Computers and Mobile Computing Devices, clarified.

(19) IRM 10.5.1.6.8.4, Emails with Personal Accounts, clarified.

(20) IRM 10.5.1.6.8.5, Limited Exceptions to Email SBU Data Encryption, clarified.

(21) IRM 10.5.1.6.9.4, Faxing, removed reference.

(22) IRM 10.5.1.6.10, Disposition and Destruction, clarified authority.

(23) IRM 10.5.1.6.10.1, Hardcopy Paper Disposition and Destruction, updated title.

(24) IRM 10.5.1.6.10.2, Electronic Disposition and Destruction, updated title.

(25) IRM 10.5.1.6.10.3, Microforms Disposition and Destruction, updated title.

(26) IRM 10.5.1.6.10.4, Temporary Storage Disposition and Destruction, updated title.

(27) IRM 10.5.1.6.10.5, Records Management Disposition and Destruction, updated title.

(28) IRM 10.5.1.6.10.6, Contractors Disposition and Destruction, updated title.

(29) IRM 10.5.1.6.10.7, Recycling Disposition and Destruction, updated title.

(30) IRM 10.5.1.6.14, Civil Liberties, updated Taxpayer Bill of Rights language.

(31) IRM 10.5.1.6.14.1, First Amendment, clarified.

(32) IRM 10.5.1.6.16, Online Data and Privacy Notices, updated section name to better reflect content.

(33) IRM 10.5.1.6.16.1, IRS.gov Privacy Policy Notice, updated link.

(34) IRM 10.5.1.6.18.1, Shared Calendar, clarified.

(35) IRM 10.5.1.6.18.2, Online Meeting Tools, clarified.

(36) IRM 10.5.1.6.18.3, Shared IRS Storage, updated title and deleted unnecessary information.

(37) IRM 10.5.1.6.18.4, SharePoint, added IRM reference.

(38) IRM 10.5.1.6.19, Training, updated to include section names.

(39) IRM 10.5.1.7, Privacy-Related Programs, updated to reference governance boards.

(40) IRM 10.5.1.7.13, Data Services, added to Privacy-Related Programs.

(41) IRM 10.5.1.7.19.2, SSN Necessary-Use Criteria, clarified.

(42) IRM 10.5.1.7.21, Quick Response (QR) Codes, added.

(43) IRM 10.5.1.8, NIST SP 800-53 Security and Privacy Controls, is a new section of privacy or joint (privacy and security) controls for technical management officials developing and supporting IT systems, including Management, Senior Management/Executives, System Owners, System Developers, and Authorizing Officials.

(44) Exhibit 10.5.1-1, Glossary and Acronyms, added terms (CMA, controls, POA&M, privacy controls, requirements, SOR, SORN, system of records, System of Records Notice) and updated terms (privacy and information lifecyle).

(45) Exhibit 10.5.1-2, References, updated.

Effect on Other Documents

This version supersedes IRM 10.5.1, dated July 8, 2021 (which replaced December 31, 2020). Also, this IRM supports other IRMs in the IRM 10.5 series.

Audience

IRM 10.5.1 addresses IRS personnel responsible for ensuring adequate privacy and information protection for all Sensitive but Unclassified (SBU) data, including taxpayer and personnel Personally Identifiable Information (PII). This policy applies to all IRS personnel, as defined in the Glossary and Acronyms section.

Effective Date

(07-26-2021)



Peter C. Wade
Director, Privacy Policy and Compliance (PPC)

Program Scope and Objectives

  1. This IRM lays the foundation to:

    1. Protect the privacy of Sensitive but Unclassified (SBU) data for taxpayers and employees, including personally identifiable information (PII), such as Federal Tax Information (FTI, hereafter called tax information), tax return, financial, and employment information regardless of format.

    2. Use SBU data (including PII and tax information) throughout the privacy lifecycle (creation, collection, receipt, use, processing, maintenance, access, inspection, display, storage, disclosure, dissemination, or disposal) only as authorized by law and as necessary to fulfill IRS responsibilities in compliance with the IRS Privacy Principles (cited in IRM 10.5.1.3.2).

      Note:

      Processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining. [NIST SP 800-53 PT-2]

    3. Destroy or dispose of SBU data when no longer required for business use, in a secure manner to protect privacy.

    4. Implement and maintain a strong privacy program, which enables the IRS to provide e-government services. Refer to the IRS Privacy Program Plan or look on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

  2. This IRM covers IRS-wide privacy policy, including but not limited to:

    1. Definition of SBU data (including PII and tax information).

    2. IRS Privacy Principles.

    3. IRS-wide privacy roles and responsibilities.

    4. Privacy guidance on topics such as email, telework, and contractors.

    5. Introduction to privacy-related programs.

Purpose of the Program

  1. The mission of PGLD is to preserve and enhance public confidence by advocating for the protection and proper use of identity information.

  2. The privacy and security of taxpayer and employee information is one of the IRS's highest priorities. PGLD administers privacy and records management policy and initiatives and coordinates privacy and records management-related actions throughout the IRS. [OMB A-130]

  3. PGLD is committed to ensuring the protection of SBU data, including taxpayer and employee PII, from unauthorized access. The organization identifies and reduces threats to privacy and increases awareness of criminal activities aimed at compromising this information. PGLD also leads IRS privacy and records management policies, coordinates privacy protection guidance and activities, responds to privacy complaints, and promotes data protection awareness throughout the IRS. [OMB A-130]

  4. This IRM defines the uniform policies used by IRS personnel and organizations to carry out privacy-related responsibilities.

  5. This IRM establishes the minimum baseline privacy policy and requirements for all IRS SBU data (including PII and tax information) to:

    1. Establish and maintain a comprehensive privacy program. [OMB A-130]

    2. Comply with privacy requirements and manage privacy risks. [OMB A-130]

    3. Ensure the protection and proper use of SBU data of the IRS.

    4. Prevent unauthorized access to SBU data of the IRS.

    5. Enable operation of IRS environments and business units that meet the requirements of this policy and support the business needs of the organization.

  6. It is acceptable to employ practices that are more restrictive than those defined in this IRM.

  7. It is the policy of the IRS:

    1. To establish and manage privacy practices within all offices to create a culture of privacy. This manual provides uniform policies and guidance for all offices to use.

      Note:

      Policies continue to apply in exigent circumstances. The IRS will post exceptions on IRS Source as needed. For example, refer to the COVID-19 site.

    2. To protect SBU data of the IRS at a level equal with the risk and magnitude of harm that could result from loss, misuse, or unauthorized access to that information.

    3. To protect SBU data and allow the use, access, and disclosure of information following applicable laws, policies, federal regulations, Office of Management and Budget (OMB) Circulars, Treasury Directives (TDs), National Institute of Standards and Technology (NIST) Publications, other regulatory guidance, and best practice methodologies.

    4. To use best practices methodologies and frameworks, such as Enterprise Life Cycle (ELC) and Enterprise Architecture (EA), to document and improve IRS privacy policy efficiency and effectiveness.

  8. The Director, PGLD, is the IRS Chief Privacy Officer (CPO). For more information about PGLD, refer to IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD), and PGLD’s Disclosure and Privacy Knowledge Base on IRS Source.

Audience

  1. The audience to which the provisions in this manual apply includes:

    1. All IRS organizations.

    2. All IRS employees with any access to SBU data (including PII and tax information).

    3. All individuals and organizations with contractual arrangements with the IRS, including seasonal/temporary employees, interns, detailees, contractors, subcontractors, non-IRS-procured contractors, vendors, and outsourcing providers, with any access to SBU data.

      Note:

      This IRM covers all sensitive data used and operated by and for the IRS no matter what stage of the IT lifecycle it is in (such as production, pre-production, and post-production systems).

  2. For this IRM, the following terms apply.

    1. IRS personnel or users includes:
      1. Employees
      2. Seasonal/temporary employees
      3. Detailees
      4. Interns
      5. Consultants
      6. IRS contractors (including contractors, subcontractors, non-IRS-procured contractors, vendors, and outsourcing providers)

    2. Authorized or Unauthorized personnel applies to whether they are authorized or unauthorized to perform a particular action.

      Note:

      To be authorized, all personnel must complete required training (IRS annual and role-based privacy, information protection, and disclosure training requirements, Unauthorized Access [UNAX] awareness briefings, records management briefings, and all other specialized privacy training) and background investigations before given access to SBU data (including PII and tax information). [OMB A-130]

Policy and Program Owners

  1. Privacy Policy and Knowledge Management (PPKM) under PGLD’s Privacy Policy and Compliance (PPC) develops privacy policy following applicable laws, mandates, guidance, mission, and input from other stakeholders. See also the References section in Exhibit 10.5.1-2.

  2. For more information about PGLD, refer to IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD), and PGLD’s Disclosure and Privacy Knowledge Base on IRS Source.

Primary Stakeholders

  1. All business units are stakeholders for privacy.

Background

  1. This IRM serves as the framework for IRS privacy policy and an introduction to PGLD.

  2. This policy establishes the privacy context for the development of related subordinate IRMs, IRS publications, and subordinate procedural guidance such as Standard Operating Procedures (SOP) and Desk Procedures.

  3. Subordinate IRMs offer added privacy program protection information.

  4. Subordinate procedural guidance provides detailed guidance for implementing and complying with the requirements within this IRM. For further information, refer to PGLD’s Disclosure and Privacy Knowledge Base on IRS Source.

  5. If IRM 10.5.1 conflicts with or varies from the subordinate IRMs in the 10.5 series or guidance, IRM 10.5.1 takes precedence, unless the subordinate IRM is more restrictive or otherwise noted.

    Note:

    To deviate from privacy policy, follow the Risk Acceptance Form and Tool (RAFT) process. The executive or other senior official with the authority to formally assume responsibility for the process must sign the RAFT as the approver. The RAFT clearly documents business decisions in the context of risk appetite and/or acceptance. Submit the RAFT to PPKM for review for compliance with privacy laws and regulations. PPKM will not grant exceptions to bypass laws or mandates. Submit RAFT review requests via email to *Privacy (give topic name in subject line and add Attn: CPO RAFT review). For RAFT guidance, refer to the Office of the Chief Risk Officer.

  6. This policy assigns responsibilities and lays the foundation necessary to measure privacy progress and compliance.

Authority

  1. PGLD’s Privacy Policy and Knowledge Management (PPKM) implements relevant privacy statutes, regulations, guidelines, OMB Memoranda, and other requirements. Various statutes, such as the Privacy Act, Federal Information Security Modernization Act (FISMA), and Paperwork Reduction Act mandate compliance with OMB policy and NIST guidance, giving them the force of law.

  2. The Taxpayer Bill of Rights (TBOR) lists rights that already existed in the tax code, putting them in simple language and grouping them into 10 fundamental rights. Employees are responsible for being familiar with and acting in accord with taxpayer rights. See IRC 7803(a)(3), Execution of Duties in Accord with Taxpayer Rights. For additional information about the TBOR, see https://www.irs.gov/taxpayer-bill-of-rights. The TBOR requires the IRS to protect taxpayer rights to privacy and confidentiality.

  3. In an effort to reference the origin of a privacy policy cited later in this IRM (National Institute of Standards and Technology (NIST), Treasury, etc.), this IRM may reference a requirement’s origin in brackets at the end of the guidance, such as [PVR-xx] (IRS Privacy Principles and Privacy Requirements), [AC-1] (NIST SP 800-53 Security and Privacy Controls), or [TD P 85-01] (Treasury Directive Publications). If no specific origin reference appears, multiple origins may apply. Lack of a reference citation does not mean that no origin applies.

  4. The primary laws include:

    • Privacy Act (1974).

    • Computer Matching and Privacy Protection Act (1988).

    • Freedom of Information Act (FOIA) (1974).

    • Internal Revenue Code (primarily 26 USC 6103, also known as IRC 6103, and 26 USC 7803(a)(3), also known as IRC 7803(a)(3)).

    • The Taxpayer Browsing Protection Act (1997).

    • Federal Information Security Modernization Act of 2014 (FISMA).

    • E-Government Act (2002).

    • Health Insurance Portability and Accountability Act (1996) (HIPAA).

  5. The most relevant OMB Circulars and Memos are:

    • OMB Circular No. A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act.

    • OMB Circular No. A-130, Management of Federal Information Resources.

    • M-03-22 – OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

    • M-10-22 – Guidance for Online Use of Web Measurement and Customization Technologies.

    • M-10-23 – Guidance for Agency Use of Third-Party Websites and Applications.

    • M-14-04 – Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.

    • M-16-24 – Role and Designation of Senior Agency Officials for Privacy.

    • M-17-06 – Policies for Federal Agency Public Websites and Digital Services.

    • M-17-12 – Preparing for and Responding to a Breach of Personally Identifiable Information.

  6. Relevant NIST guidance includes:

    • NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations.

    • NIST SP 800-63, Digital Identity Guidelines.

    • NIST SP 800-88, Guidelines for Media Sanitization.

    • NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).

  7. The relevant Department of the Treasury directives and publications are:

    • Treasury Directive Publication (TD P) 15-71, Treasury Security Manual.

    • Treasury’s Privacy and Civil Liberties Impact Assessment (PCLIA) Template and Guidance.

    • TD P 85–01, Treasury Information Technology (IT) Security Program.

  8. For a full listing of and links to privacy-related statutes, regulations, guidelines, OMB Memoranda, and other materials relevant to this IRM, see Exhibit 10.5.1-2, References.

Key Privacy Definitions

  1. To support the IRS mission, understanding the key privacy definitions in the following subsections is essential.

Privacy Lifecycle

  1. The concept of a privacy and information lifecycle refers to the creation, collection, receipt, use, processing, maintenance, access, inspection, display, storage, disclosure, dissemination, or disposal of SBU data (including PII and tax information), regardless of format. [OMB A-130]

    Note:

    Processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining. [NIST SP 800-53 PT-2]

  2. IRS personnel must protect SBU data (including PII and tax information) throughout the privacy lifecycle, from receipt to disposal.

Sensitive But Unclassified (SBU) Data

  1. Sensitive But Unclassified (SBU) data is any information which if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under the Privacy Act. For the full definition, refer to TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information.

  2. SBU data includes, but is not limited to:

    1. Tax information (protected by IRC 6103), Personally Identifiable Information (PII), Protected Health Information (PHI), certain procurement information, system vulnerabilities, case selection methodologies, system information, enforcement procedures, investigation information.

    2. Live data is production data in use. Live means that when changing the data, it changes in production. Authorized personnel may extract the data for testing, development, etc., in which case, it is no longer "live." Live data often is SBU data (including PII and tax information); however, tax information stays tax information whether it is live in a production environment or is removed to a non-production environment.

      Note:

      For classified National Security Information (NSI), refer to IRM 10.9.1, Classified National Security Information, for procedures for protecting NSI.

  3. All IRS personnel must protect SBU data. Personnel must restrict access, inspection, and disclosure of SBU data to others who have a need to know the information. [PVR-05]

    1. For more information on encryption and other protections, see also the Practical Privacy Policy section in IRM 10.5.1.6.

    2. For more information, see also the Need To Know section in IRM 10.5.1.2.8.

    3. Refer to the IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, sections on Access Controls and Least Privilege for information about limiting access to people who have a need to know the information.

    4. Refer to IRM 11.3.22, Disclosure of Official Information, Disclosure to Federal Officers and Employees for Tax Administration Purposes, for the section, Access by IRS Employees Based on Need To Know.

  4. SBU data includes categories of protected information which many IRS personnel handle daily, such as PII and tax information. It also includes other categories, such as procurement (which can include general procurement and acquisition, small business research and technology, and source selection) and system information (which can include critical infrastructure categories like information systems vulnerability information, physical security, emergency management).

  5. Personnel must determine if the SBU data is necessary to do business (does it support the business purpose of the system or the organization’s mission?). If it does not serve a valid business purpose, then the IRS must not collect that SBU data. If that SBU data does serve a business purpose, then the IRS may use it throughout the privacy lifecycle appropriately. For more information, see also the IRS Privacy Principles section in IRM 10.5.1.3.2. [Privacy Act; PVR-02; PVR-03]

  6. Complete a Privacy and Civil Liberties Impact Assessment (PCLIA) for any system using SBU data. Refer to IRM 10.5.2, Privacy and Information Protection, Privacy Compliance and Assurance, for more information about PCLIAs.

  7. SBU data in a public record is still SBU data, however different protections apply. To determine if publicly available SBU data or SBU data in the public record is still sensitive, see also the Public Record section in IRM 10.5.1.2.3.2.

  8. For more information on PII, see also the Protecting and Safeguarding SBU Data and PII section in IRM 10.5.1.6.1.

Examples and Categories of SBU Data
  1. Some examples and categories of IRS SBU data include, but are not limited to:

    1. Personally Identifiable Information (PII) in this IRM refers to Privacy information and its subcategories. These categories include:
      - Contract use.
      - Death records.
      - General privacy.
      - Genetic information.
      - Health information, also known as Protected Health Information (PHI).
      - Inspector General protected.
      - Military personnel records.
      - Personnel records.
      - Student records.

    2. Tax Information refers to a Tax category that includes:
      - Federal Taxpayer Information (FTI), which includes individual and corporate (or other business) tax return information under IRC 6103.
      - Tax convention.
      - Taxpayer Advocate information.
      - Written determinations.

      Note:

      Tax information is also PII if it identifies an individual.

    3. Documents marked "Official Use Only" (OUO).

    4. Certain Procurement information, which can include:
      - General procurement and acquisition (such as contract proposals).
      - Small business research and technology.
      - Source selection.

    5. Financial information in the Finance category, including:
      - Bank Secrecy Act (31 U.S.C. Bank Secrecy Act protected reports filed by financial institutions).
      - Budget.
      - Retirement.
      - Electronic funds transfer.
      - General financial information.
      - International financial institutions.
      - Mergers.
      - Net worth.

    6. Criminal Investigation and Law Enforcement information, such as:
      - General Law Enforcement (procedures and training materials).
      - Informant (identification, activities, contacts, payments, and correspondence).
      - Investigation (identifiers, associations, and relationships; investigative records received from other law enforcement and regulatory agencies, foreign and domestic; records related to investigation related travel and financing).
      - Law Enforcement Financial Records (and other records obtained via witness consent, subpoena, summons, search warrant, or any other legal process).
      - Pen Register/Trap & Trace.
      - Reward (recipient and payment information).
      - Whistleblower Identity. (Refer to IRC 7623 or the Whistleblower Protection Act of 1989, Pub.L. 101-12 as amended. For more information, refer to IRM 25.2.1, Information and Whistleblower Awards, Receiving Information.)

    7. Case selection methodologies including tolerance criteria or general investigation parameters.

    8. Proprietary processes or algorithms used in investigative work or tax processing.

    9. Critical infrastructure category information, which includes:
      - Information system vulnerabilities information (referred to as system information in this IRM), which includes passwords.
      - Physical security information, such as details of facility vulnerabilities (entry codes, badge access, etc.).
      - Emergency management.

    10. Proprietary business information entrusted to the IRS.

    11. Confidential data to be released to the public later.

    12. Legal information, including:
      - Administrative Proceedings.
      - Collective Bargaining.
      - Federal Grand Jury (18 U.S.C. Grand Jury information protected by Rule 6(e) of the Federal Rules of Criminal Procedure).
      - Legal Privilege (including draft, pre-decisional, and deliberative information).
      - Legislative Materials (including Congressional or state).

    13. 18 U.S.C. 1905 information protected under the Trade Secrets Act (trade secrets, processes, operations, style of work, or apparatus, or confidential statistical data, amount or source of any income, profits, losses, or expenditures of any person, firm, partnership, corporation, or association).

Official Use Only and Limited Official Use
  1. By definition, documents designated as "Official Use Only" (OUO) and "Limited Official Use" (LOU) include SBU data.

  2. For more information, refer to IRM 11.3.12, Disclosure of Official Information, Designation of Documents.

Freedom of Information Act (FOIA) and SBU Data
  1. The Freedom of Information Act (FOIA) exempts most SBU data from release to the public under one of the nine exemptions listed in 5 U.S.C. 552(b).

  2. However, the fact that the IRS must release certain information if requested under FOIA does not automatically remove its status as SBU data. [FOIA]

  3. For more information, refer to IRM 11.3.13, Freedom of Information Act.

Personally Identifiable Information (PII)

  1. Personally identifiable information (PII) means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. [OMB A-130]

  2. For IRS purposes:

    1. To distinguish an individual is to identify an individual. For example, an individual might be distinguished by a passport identification number or Social Security Number (SSN). However, a list of credit scores without any other information concerning the individual does not distinguish the individual.

    2. To trace an individual is to process sufficient information to make a determination about a specific aspect of an individual’s activities or status, such as with an audit log.

    3. Linked information is information about or related to an individual that is logically associated with other information about the individual.

    4. Linkable information is information about or related to an individual for which there is a possibility of logical association with other information about the individual.
      [GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008, https://www.gao.gov/products/gao-08-536 ]

  3. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified.

  4. Personnel should know that non-PII can become PII whenever more information becomes available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual. [NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII); OMB Memorandum M-10-23]

  5. See also the Examples and Categories of PII section in IRM 10.5.1.2.3.1 for more information.

  6. Refer to the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

  7. Submit a PCLIA for any system using PII. Refer to IRM 10.5.2 for more information about PCLIAs.

  8. PII in a public record is still PII; however, different protections apply. To determine if publicly available PII or PII in the public record is still sensitive, see also the Public Record section in IRM 10.5.1.2.3.2.

  9. For more information on PII, see also the Protecting and Safeguarding SBU Data and PII section in IRM 10.5.1.6.1.

Examples and Categories of PII
  1. Examples and categories of PII may include, but are not limited to the following, when used to distinguish or trace an individual’s identity, or when combined with information that is linked or linkable to an individual:

    1. Name, such as full name, maiden name, mother’s maiden name, alias, or name control (first 4 letters of last name).

    2. Address information, such as street address or email address.

    3. A unique set of numbers or characters assigned to a specific individual, such as:
      1. Telephone numbers, including mobile, business, and personal numbers.
      2. SSN or ITIN, including the last 4 digits.
      3. Taxpayer identification number (TIN) that identifies an individual, such as an Employer Identification Number (EIN) for a sole proprietorship or partnership.
      4. Document locator number (DLN) to identify an individual’s record.
      5. Email or Internet Protocol (IP) address.
      6. Driver’s license number.
      7. Passport number.
      8. Financial account or credit card number.
      9. Standard Employee Identifier (SEID).
      10. Automated Integrated Fingerprint Identification System (AIFIS) identifier, booking, or detention system number.
      11. Universally Unique Identifier (UUID), a unique random number generated for each individual taxpayer in the electronic authentication process (eAuth).
      12. Any other type of identification number or card, including state ID or Alien Card ID.

    4. Employee and employee information, including personnel files, employment testing materials, medical information, and information concerning reasonable accommodations for disabilities.

      Note:

      For privacy considerations concerning pandemics and employee illness, refer to Infectious Disease in the Workplace, Document 13001. For more about the application of the Privacy Act in this situation, refer to IRM 10.5.6. For further privacy considerations concerning disability and reasonable accommodation matters, refer to the Confidentiality and Disclosure section in IRM 1.20.2, Providing Reasonable Accommodation for Individuals with Disabilities.

    5. Individual tax return information, including Adjusted Gross Income (AGI) or combinations of fields that identify an individual. See also the Federal Tax Information (FTI) section in IRM 10.5.1.2.4.

    6. Corporate or other business tax return information that identifies an individual, such as an S-Corporation, partnership, or sole proprietorship.

    7. Personal characteristics and data, including:
      1. Date of birth.
      2. Place of birth.
      3. Age.
      4. Height.
      5. Weight.
      6. Gender.
      7. Hair color.
      8. Eye color.
      9. Race.
      10. Ethnicity.
      11. Scars.
      12. Tattoos.
      13. Distinguishing features.
      14. Religious affiliation.
      15. Sexual orientation.
      16. Gang affiliation.
      17. Photographic image (especially of face or other distinguishing characteristic).
      18. Biometric information (such as x-rays, fingerprints, retina scan, voice, facial geometry, DNA).
      19. Behavior patterns.

    8. Asset information, such as Media Access Control (MAC) address, Device ID, or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people.

    9. Descriptions of events or times (information in documents, such as behavior patterns, incident reports, police reports, arrest reports, and medical records).

    10. Descriptions of locations, such as geographic information system (GIS), Global Positioning System (GPS) data, and electronic bracelet monitoring information.

    11. Information identifying personally owned property, such as vehicle registration number or title number and related information.

      Exception:

      "Constitutionally Required Disclosures" — Some situations require disclosure of information, including SBU data, such as criminal cases where the IRS has a constitutional obligation to disclose, upon the defendant's request, evidence material either to guilt or punishment (exculpatory evidence). For more details, refer to IRM 11.3.35, Requests and Demands for Testimony and Production of Documents.

  2. Information about an individual that is linked or linkable to one of the above.

Public Record
  1. IRS personnel must protect SBU data regardless of whether the same information is in the public record or publicly available. However, less stringent protections might apply in some situations.

  2. Generally, personnel must encrypt SBU data (including PII). However, inside the IRS network, encryption is not required if the IRS proactively makes it available to all personnel on internal resource sites (including, but not limited to, Discovery Directory, Outlook [calendar, profile information, and address book], intranet, and SharePoint site collections), such as names, SEID, and business contact information. [NIST SP 800-122; [TD P 85-01, Appendix A, AC-20(3)_T.028, and MP-6(3)_T.124]

  3. Email addresses, by themselves as the method of the email conveyance, generally do not need encrypting. However, when combined with the content and attachments of an email, the email address may become SBU data.

    1. Encryption rules still apply for the body of emails and attachments.

    2. See also the Email section in IRM 10.5.1.6.8 for more information on email.

  4. As for other SBU data and PII in the public record or publicly available, the requirements differ, depending on the information.

    Note:

    Tax information must always be protected under IRC 6103.

  5. No IRC 6103 public records exemption exists. However, the Information Which Has Become Public Record section of IRM 11.3.11, Other Information Available to the Public, discusses disclosure of matters that have become public records as a result of tax administration, such as court cases. This is known as the judicially created public records exception.

  6. Treasury security guidance exempts Treasury information made available proactively to the public from certain encryption controls. This exemption implies a public records exception for information the agency makes available to the public. [TD P 85-01, Appendix A, AC-20(3)_T.028, and MP-6(3)_T.124]

  7. The Public Information Listing (PIL) designated by OPM makes six items of information available to the public by FOIA request. These items include: [5 CFR 293.311]

    1. Employee name.

    2. Present and past position titles and occupational series.

    3. Present and past grades.

    4. Present and past annual salary rates (including awards or bonuses, etc.).

    5. Present and past official duty stations (no telework information).

    6. Position descriptions, identification of job elements, and certain performance standards (but not actual performance appraisals).

  8. However, OPM exempts release of information on employees in these sensitive positions:

    • GS-0083, Police Officer

    • GS-0512, Revenue Agent

    • GS-0930, Appeals Officer

    • GS-1169, Revenue Officer

    • GS-1171, Property Appraisal and Liquidation Specialist

    • GS-1801, General Inspection, Investigation and Compliance

    • GS-1802, Compliance Inspection and Support

    • GS-1805, Investigative Analyst

    • GS-1810, General Investigating

    • GS-1811, Special Agent

  9. IRS policy also authorizes the withholding of the public information items of employees in cybersecurity designated positions. Cybersecurity designated positions are not identified by a specific GS/IR series or position title.

  10. Personnel should exercise caution and consult with PGLD for any questions they might have about application of a public record exception, on a case-by-case basis, prior to reducing privacy protections based on a public record exception. For further information, email *Privacy.

  11. For more information, refer to IRM 11.3.13, Freedom of Information Act.

Defining PII versus Sensitive PII
  1. Little difference exists between PII and what personnel refer to as "sensitive" PII.

  2. As defined in the PII section in IRM 10.5.1.2.3, personally identifiable information means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. [OMB A-130]

  3. The level of risk increases with the potential level of harm caused by exposed SBU data or PII.

  4. Context remains important. PII that does not seem high risk may still require protection if its context makes it risky. For example, a collection of names:

    • Is not Sensitive PII if it is a list, file, query result, etc., of:
      - Attendees at a public meeting.
      - Names out of a public telephone book.
      - FOIA listing of IRS employees in non-protected positions.

    • Is Sensitive PII if it is a list, file, query result, etc., of:
      - Individual taxpayers who filed returns.
      - Law enforcement personnel.
      - Employees with poor performance ratings.

  5. For more information, see also the Deciding Risk Levels for SBU Data and PII section in IRM 10.5.1.6.1.1.

Federal Tax Information (FTI)

  1. The term tax information, or Federal Tax Information (FTI), refers to a taxpayer’s return and return information protected from unauthorized disclosure under IRC 6103. This law defines return information as any information the IRS has about a tax or information return, liability, or potential liability under Title 26. This return information includes, but is not limited to, a taxpayer’s:

    1. Identity.

    2. Income, payments, deductions, exemptions, or credits.

    3. Assets, liabilities, or net worth.

    4. Tax liability investigation status (whether the IRS ever investigates or examines the return).

  2. Redacting, masking, or truncating tax information does not change its nature. It is still tax information.

  3. Tax information in IRS business processes comes under many names, such as FTI, IRC 6103-protected information, 6103, taxpayer data, taxpayer information, tax return information, return information, case information, SBU data, and PII. The term "live data" should not be used to describe tax information, unless it is in a production environment as discussed in the Sensitive But Unclassified (SBU) Data section in IRM 10.5.1.2.2.

  4. Tax information is SBU data. IRC 6103 protects tax information from unauthorized disclosure. When tax information relates to an individual, that SBU data is also PII. [IRC 6103(b)(2)]

  5. Submit a Privacy and Civil Liberties Impact Assessment (PCLIA) for any system using SBU data (including PII and tax information). Refer to IRM 10.5.2 for more information about PCLIAs.

  6. See also these subsections in this IRM for more information:

    • Protecting and Safeguarding SBU Data and PII, IRM 10.5.1.6.1.

    • SBU data, IRM 10.5.1.2.2.

    • PII, IRM 10.5.1.2.3.

  7. For more information about return information and a definition, refer to IRM 11.3.1, Disclosure of Official Information, Introduction to Disclosure.

UNAX

  1. The term UNAX defines the act of committing an unauthorized access or inspection of any tax information contained on paper or within any electronic format. An access or inspection is unauthorized if done without a management-assigned IRS business need.

  2. The IRS created the unauthorized access or inspection of tax information and records (UNAX) program to implement privacy protection and statutory unauthorized access and browsing prevention requirements.

  3. The Taxpayer Browsing Protection Act defines UNAX. For more information about UNAX, refer to IRM 10.5.5, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.

Unauthorized Access of SBU Data

  1. While statutory UNAX (based on the Taxpayer Browsing Protection Act) refers to unauthorized access to tax information, other statutes, Treasury, and IRS policy govern unauthorized access to SBU data. [TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information]

  2. The term unauthorized access of SBU data defines the act of committing an unauthorized access or inspection of any SBU data (not tax information) contained on paper or within any electronic format. An access or inspection is unauthorized if done without a management-assigned IRS business need.

  3. See Sensitive but Unclassified (SBU) Data, IRM 10.5.1.2.2, and Need To Know IRM 10.5.1.2.8.

  4. Refer to 18 U.S. Code 1030 - Fraud and related activity in connection with computers; 44 U.S. Code Chapter 35 (44 U.S.C. 3551-3558); and Privacy Act of 1974, 5 U.S.C. 552a.

Privacy Act Information

  1. The Privacy Act of 1974 (Privacy Act) forms the core of IRS privacy policy. It provides certain safeguards for an individual against an invasion of personal privacy by requiring federal agencies to:

    1. Collect, maintain, use, or disseminate any record of identifiable personal information in a manner that ensures that such action is for a necessary and lawful purpose.

    2. Ensure that the information is current and accurate.

    3. Ensure that the information is for its intended use.

    4. Provide adequate safeguards to prevent misuse of such information.

  2. The Privacy Act applies to agency records retrieved by an identifier for an individual who is a US citizen or an alien permanently admitted to US residence. A group of these records is a system of records (SOR).

  3. The term "record" includes, but is not limited to, education, financial transactions, medical history, and criminal or employment history and that contains name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or a photograph.

  4. Responsible IRS personnel must publish a System of Records Notice (SORN) in the Federal Register when establishing a new system of records, before retrieving the information by an identifier.

  5. Privacy Act information is PII because it identifies individuals. Therefore, it is also SBU data. As with any other SBU data, you must allow disclosure only to persons authorized to have access to the information under to the Privacy Act.

  6. For more information on the Privacy Act, refer to IRM 10.5.6, Privacy Act.

Need To Know

  1. Restrict access to SBU data (including PII and tax information) to those IRS personnel who have a need for the information in the performance of their duties.

  2. The term "need to know" describes the requirement that personnel may access SBU data (including PII and tax information) only as authorized to meet a legitimate business need, which means personnel need the information to perform official duties. See examples later in this section for explanations of how need to know applies to duties.

    Note:

    See Unauthorized Access of SBU Data, IRM 10.5.1.2.6, and UNAX, IRM 10.5.1.2.5.

  3. Personnel (including current employees, rehired annuitants, returning contractors, etc.) who change roles or assignments may access only the SBU data (including PII and tax information) for which they still have a business need to know to perform their duties. If you no longer have a business need to know, you must not access the information. This policy includes, but is not limited to, information in systems, files (electronic and paper), and emails, even if technology does not prevent access.

    Example:

    A compliance case has a litigation hold or similar request in place. Even if in a new assignment, you may retain and access old case files from your earlier role if you need to retrieve them for a litigation hold or similar request.

    Example:

    A former employee now works for a vendor who has a contract with the IRS. The former employee may not access old files in email or on their laptop from their earlier role with the IRS, even if those files are archived under their SEID. The IRS will supply any information necessary to perform the current contract on a need-to-know basis.

    Note:

    To determine applicability of employee duties, based on sensitivity of information, refer to the position description or contact Labor Relations.

  4. You must ensure your own adherence to this need-to-know policy.

  5. This standard is less stringent than a "cannot function without it" test. For each use, consider whether the information is needed to perform official duties properly, efficiently, or appropriately. Necessary for official duties in this context does not mean essential or indispensable, but rather appropriate and helpful in obtaining the information sought.

  6. Personnel who have a need to know must be informed of the protection requirements under the law by management and must have an appropriate level of clearance through a background investigation, typically covered by the onboarding and training process.

  7. Need to know supports the "relevant and necessary" aspect of the Purpose Limitation Privacy Principle and the Privacy Act. It conveys the statutory restrictions to disclose protected information to those who have an authorized need for the information in the performance of their duties. The Strict Confidentiality Privacy Principle requires this, as does the NIST Privacy Control for Privacy Monitoring and Auditing and Security Controls in the Access Control family. [PVR-02; PVR-05; Privacy Act; IRC 6103 and 7803(a)(3); UNAX; Treasury’s Privacy and Civil Liberties Impact Assessment (PCLIA) Template and Guidance; NIST SP 800-53]

  8. Access to NSI requires more stringent controls outlined in IRM 10.9.1, Classified National Security Information.

  9. Refer to IRM 11.3.22, Disclosure of Official Information, Disclosure to Federal Officers and Employees for Tax Administration Purposes, for information about Access by IRS Employees Based on Need To Know.

High Security Items

  1. High security items are original or certified paper documents containing SBU data (including PII and tax information), typically received and processed in IRS office critical or limited areas, that management must not allow to be removed from the facility.

    Note:

    These are referred to as "high security items" in IRM 10.2.15 , and "highly sensitive documents" in IRM 6.800.2 Employee Benefits, IRS Telework Program. IRM 10.2.15’s exhibit, Protectable Items, gives examples of categories of protectable items, including high security items.

    Exception:

    This policy does not apply to field employees whose positions allow them to have such documents in a field environment (such as Criminal Investigation Special Agents and field compliance Revenue Agents and Revenue Officers). Those positions have more controls and requirements to protect and to process such documents timely (for example, refer to IRM Parts 5 and 9). For more information about field work, see also the section Field and Travel in IRM 10.5.1.6.9.1, and the section Other Forms of Transmission in IRM 10.5.1.6.9.

    1. Examples of such high security items include, but are not limited to, certain original Federal records, original tax returns and related original correspondence, payments, original legal documents (such as affidavits), and primary identification documents (such as drivers’ licenses, passports, birth certificates, and Social Security cards).

      Example:

      Payments and original paper tax returns received in campus critical areas.

      Note:

      Properly manage original paper Federal records generated by IRS personnel outside the office, even on telework, the same as you would in the office. Refer to the FAQs about Telework Records Guidance for more information.

    2. The IRS office critical or limited areas include large amounts of information requiring protection or in highly concentrated and easily alterable or destroyable form that is critical and must be protected. Refer to the Critical Areas section of IRM 10.2.11.

    3. High security items must not be transported to a telework location. See also the Telework section in IRM 10.5.1.6.12. Refer to the Denial of Telework Agreement Requests section of IRM 6.800.2.

      Note:

      Electronic or paper copies of high security items may be transported, if the originals remain in the office’s secured environment.

  2. Send questions about high security items to the *Privacy mailbox.

Key Privacy Concepts

  1. The IRS Privacy Principles and federally mandated Privacy Controls from NIST describe how the IRS protects an individual’s right to privacy.

  2. IRS Privacy Requirements (PVR), system requirements derived from IRS Privacy Principles and linked to the Privacy Controls, form the basis for privacy protection within the IRS. They mirror the IRS Privacy Principles and provide high-level privacy requirements applicable to the IRS Enterprise Architecture.

  3. Adherence to IRS Privacy Principles and Requirements is mandatory for management officials responsible for protecting SBU data (including PII and tax information).

  4. For a listing of the IRS Privacy Requirements, refer to the Enterprise Architecture site on IRS Source.

Privacy Controls

  1. OMB A-130 mandates federal agencies implement NIST security and privacy controls.

  2. The IRS formally documents its privacy program in the IRS Privacy Program Plan.

  3. These privacy and security controls are the technical controls that address federal IT systems. For all the controls relevant to privacy, see also IRM 10.5.1.8, NIST SP 800-53 Security and Privacy Controls.

    Note:

    The section IRM 10.5.1.8 is for technical management officials developing and supporting IT systems, including Management, Senior Management/Executives, System Owners, System Developers, and Authorizing Officials.

  4. The NIST Special Publication (SP) 800-53 Revision 5 (R5) controls establish a relationship between privacy and security controls. Per Section 2.4, Security and Privacy Controls:

    The selection and implementation of security and privacy controls reflect the objectives of information security and privacy programs and how those programs manage their respective risks. Depending on the circumstances, these objectives and risks can be independent or overlapping. Federal information security programs are responsible for protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction (i.e., unauthorized activity or system behavior) to provide confidentiality, integrity, and availability. Those programs are also responsible for managing security risk and for ensuring compliance with applicable security requirements. Federal privacy programs are responsible for managing risks to individuals associated with the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal (collectively referred to as "processing") of personally identifiable information (PII) and for ensuring compliance with applicable privacy requirements. When a system processes PII, the information security program and the privacy program have a shared responsibility for managing the security risks for the PII in the system. Due to this overlap in responsibilities, the controls that organizations select to manage these security risks will generally be the same regardless of their designation as security or privacy controls in control baselines or program or system plans.

IRS Privacy Principles

  1. The public trusts the IRS and its personnel to protect taxpayer privacy and safeguard confidential tax information.

  2. The IRS is dedicated to meeting this expectation. You must act in a way that reflects a commitment to treat individuals fairly, honestly, and respectfully, and always protect their right to privacy. [OMB A-130]

  3. Protecting taxpayer privacy and safeguarding confidential tax information is a public trust. To maintain this trust, the IRS and its personnel must follow these privacy principles:

    1. Accountability

    2. Purpose Limitation

    3. Minimizing Collection, Use, Retention, and Disclosure

    4. Openness and Consent

    5. Strict Confidentiality

    6. Security

    7. Data Quality

    8. Verification and Notification

    9. Access, Correction, and Redress

    10. Privacy Awareness and Training

  4. The IRS derived the privacy principles from the Fair Information Practice Principles (FIPPs) and the Privacy Act.

  5. IRS Policy Statement 1-1 reflects these principles in the Policy Statements for Organization, Finance and Management Activities section of IRM 1.2.1, Servicewide Policies and Authorities, Servicewide Policy Statements.

Accountability [PVR-01]
  1. All IRS personnel are responsible and accountable for the effective implementation of privacy protections. [PVR-01]

Purpose Limitation [PVR-02]
  1. PII will be collected and used only when necessary and relevant for legitimate IRS purposes, namely tax administration and other authorized purposes. [PVR-02]

Minimizing Collection, Use, Retention, and Disclosure [PVR-03]
  1. Limit the collection, use, retention, and disclosure of PII to what is minimally necessary for the specific purposes for which it was collected, unless specifically authorized. [PVR-03]

Openness and Consent [PVR-04]
  1. The IRS will make its privacy policies and practices readily available to individuals, such that individuals will be informed of the collection, use, retention, and disclosure of their PII, and will obtain individuals’ consent to the greatest extent practicable. [PVR-04]

Strict Confidentiality [PVR-05]
  1. PII will only be accessed by or disclosed to authorized individuals who require the information for the performance of official duties. The IRS will not tolerate browsing of confidential information, including PII, by unauthorized IRS personnel. Protected information includes confidential information of all individuals, not just taxpayers. Protected information includes, but is not limited to, confidential information of IRS employees, volunteers, practitioners, and other individuals who interact with the IRS. [PVR-05]

Security [PVR-06]
  1. IRS personnel will provide appropriate administrative, technical, and physical safeguards will be provided to protect against the unauthorized collection, use, and disclosure of SBU data, including PII. [PVR-06]

Data Quality [PVR-07]
  1. Requirements governing the accuracy, completeness, and timeliness of PII will be to ensure fair treatment of all individuals. IRS personnel will collect information, to the greatest extent practicable, directly from the individual to whom it relates. [PVR-07]

Verification and Notification [PVR-08]
  1. IRS personnel will verify all information about an individual with the individual, as well as any other relevant sources, to the greatest extent possible before taking adverse action based on that information. We will notify individuals prior to final action to the greatest extent possible. [PVR-08]

Access, Correction, and Redress [PVR-09]
  1. Individuals will be able to access and correct their PII upon request to the maximum extent allowable. Individuals include, but are not limited to, taxpayers, IRS employees, IRS contractors, practitioners, and others who interact with the IRS. Individuals will be able to contest determinations made based on allegedly incomplete, inaccurate, or out-of-date PII to the maximum extent allowable. [PVR-09]

Privacy Awareness and Training [PVR-10]
  1. IRS personnel will be made aware of, and appropriately trained, in the proper treatment of SBU data, including PII. [PVR-10]

IRS-Wide Privacy Roles and Responsibilities

  1. The IRS implements privacy roles and responsibilities for personnel following federal laws and privacy guidelines.

Employees/Personnel

  1. IRS personnel (as defined in the Audience section in IRM 10.5.1.1.2) must:

    1. Keep informed of and adhere to applicable IRS privacy policies and procedures. This means carrying out the mission of the IRS, which requires the IRS to safeguard privacy and protect privacy rights.

    2. Limit access to records that include SBU data.

    3. Use SBU data only for the purposes for which it was collected, unless other purposes are legally mandated or authorized.

    4. Limit the disclosure of SBU data to that which is necessary and relevant for tax administration and other legally mandated or authorized purposes.

    5. Prevent unnecessary access, inspection, and disclosure of SBU data in information systems, programs, electronic formats, and hardcopy documents by adhering to proper safeguarding measures.

    6. Safeguard IRS information and information systems entrusted to them.

    7. Use IRS email accounts for performance of official duties.

    8. Follow existing IT Security Policy and IRS System Security Rules (rules of behavior) on use of IRS-furnished equipment to process IRS information, not personally-owned or non-IRS furnished equipment (including cloud or web-based systems or services). Refer to IRM 10.8.1, including, but not limited to, the sections AC-20 Use of External Information Systems and Personally-Owned and Other Non-Government Furnished Equipment.

    9. Complete IRS annual and role-based privacy, information protection, and disclosure training requirements, UNAX awareness briefings, records management awareness briefing, and all other specialized privacy training, as required.

      Note:

      To be authorized, all personnel must complete required training (IRS annual and role-based privacy, information protection, and disclosure training requirements, Unauthorized Access [UNAX] awareness briefings, records management briefings, and all other specialized privacy training) and background investigations before given access to SBU data (including PII and tax information). [OMB A-130]

    10. Immediately complete Form 11377-E, Taxpayer Data Access, to document the access of taxpayer return information when the accesses are not supported by direct case assignment, were performed in error, or when the access may raise a suspicion of an unauthorized access.

    11. Stay aware of the consequences of UNAX violations, including accessing their own records, those of coworkers, family, friends, celebrities, and other covered relationships. For information about the IRS-wide UNAX program and links to all UNAX forms, refer to the UNAX site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

    12. Report a data loss, theft, or improper disclosure of sensitive information immediately upon discovery of the loss to:
      1. Their manager and
      2. The appropriate organizations based on what was lost or disclosed.

      Note:

      For more information on reporting an incident, refer to IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets and BYOD Assets site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

  2. IRS personnel must follow privacy and security responsibilities outlined in IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, and IRM 10.8.2, Information Technology (IT) Security, IT Security Roles and Responsibilities.

Management

  1. In addition to the Employee/Personnel responsibilities, Management must also:

    1. Communicate IRS privacy policies and procedures clearly to all personnel in their organizations, ensuring awareness of their responsibilities to protect SBU data (including PII and tax information) and uphold applicable privacy laws, regulations, and IRS policies and procedures.

    2. Ensure personnel with authorized access to SBU data receive training to carry out their roles and responsibilities in a manner consistent with IRS privacy policies. [OMB A-130]

    3. Ensure all personnel in their respective organizations comply with the IRS privacy policies and procedures. Also address any noncompliance and remedy it promptly, including, if necessary, the initiation of penalties for noncompliance following federal law and IRS personnel rules and regulations.

    4. Prevent UNAX violations proactively in their respective areas. Ensure all personnel are trained and knowledgeable of the Taxpayer Browsing Protection Act of 1997, the consequences of UNAX violations for personnel, and that all personnel within their business area complete all IRS UNAX, privacy, information protection, and disclosure training requirements annually and as required for their position.

      Note:

      To be authorized, all personnel must complete required training (IRS annual and role-based privacy, information protection, and disclosure training requirements, Unauthorized Access [UNAX] awareness briefings, records management briefings, and all other specialized privacy training) and background investigations before given access to SBU data (including PII and tax information). [OMB A-130]

    5. Ensure establishment of proper safeguards to prevent unintentional exposure to SSNs in cases where SSN use is determined necessary.

    6. Ensure use of the SEID as the primary employee identifier as an alternative use for SSNs when possible.

    7. Ensure timely completion of PCLIAs, for which they are the responsible official, and mitigation of any privacy risks discovered.

      Note:

      The IRS requires PCLIAs for pilot projects, research, experimentation, the use of innovative technologies, technical demonstrations, prototypes, and proof of concepts, and the like. For more information about the PCLIA process, refer to IRM 10.5.2 and IRM 2.16.1.

    8. Follow IRS records management requirements outlined in the IRM 1.15 series, Records and Information Management.

    9. Ensure all personnel report a data loss, theft, or improper disclosure of sensitive information immediately upon discovery of the loss to:
      1. Their manager and
      2. The appropriate organizations based on what was lost or disclosed.

      Note:

      For more information on reporting an incident, refer to IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets and BYOD Assets site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Senior Management/Executives

  1. In addition to the Employee/Personnel and Management responsibilities, Senior Management/Executives must also:

    1. Coordinate with the Chief Privacy Officer (CPO) to develop, implement, maintain, and enforce a program to protect all SBU data (including PII and tax information) for which they are responsible following IRS privacy policies and procedures. [OMB A-130]

    2. Focus special emphasis on the government-wide requirements to eliminate the unnecessary collection and use of SSNs as a personal identifier for employee and tax systems and programs. [OMB A-130]

    3. Periodically assess and evaluate privacy awareness activities of their organization to set clear expectations for compliance with all requirements.

    4. Allocate sufficient resources to comply with IRS privacy policies and procedures. [OMB A-130]

    5. Ensure IRS-wide use of alternative unique identifiers for internal and taxpayer systems and programs in place of SSNs when possible.

    Note:

    To deviate from privacy policy, follow the Risk Acceptance Form and Tool (RAFT) process. The executive or other senior official with the authority to formally assume responsibility for the process must sign the RAFT as the approver. The RAFT clearly documents business decisions in the context of risk appetite and/or acceptance. Submit the RAFT to PPKM for review for compliance with privacy laws and regulations. PPKM will not grant exceptions to bypass laws or mandates. Submit RAFT review requests via email to *Privacy (give topic name in subject line and add Attn: CPO RAFT review). For RAFT guidance, refer to the Office of the Chief Risk Officer.

System Owners

  1. In addition to the Employees/Personnel responsibilities, IRS system owners must:

    1. Integrate information security and privacy fully into the system development process. [OMB A-130] This means to include privacy at the table for planning and discussion.

    2. Follow applicable laws, regulations, and IRS privacy policies and procedures in the development, acquisition, implementation, operation, and disposal of all systems under their control.

    3. Limit the use of SBU data (including PII and tax information) throughout the privacy lifecycle to that which is minimally necessary for tax administration purposes or other legally authorized purposes.

    4. Examine the use of SSNs in all information systems and programs, as well as hardcopy and electronic formats (for example, forms, printouts, screenshots, displays, electronic media, archives, and online storage repositories) and eliminate the unnecessary use of SSNs where identified.

    5. Ensure that adequate SSN alternatives are employed, as necessary.

    6. Ensure, to the extent possible, that SBU data used by the IRS to complete business functions is accurate, relevant, timely, and complete.

    7. Ensure that all new systems, systems under development, or systems undergoing major modifications that contain SBU data have in place a completed and approved PCLIA following federal laws and IRS policy, including the NIST SP 800-53 privacy controls.

      Note:

      The IRS requires PCLIAs for pilot projects, research, experimentation, the use of innovative technologies, technical demonstrations, prototypes, and proof of concepts, and the like. For more information about the PCLIA process, refer to IRM 10.5.2 and IRM 2.16.1.

    8. Work with Privacy Compliance and Assurance (PCA) to review approved PCLIAs to redact SBU data or PII before the PCLIAs are posted to IRS.gov.

    9. Coordinate with the system developer and PCA to ensure documentation of identified privacy risks in their Plans of Action and Milestones (POA&Ms) and prompt resolution.

    10. Coordinate all inter-agency PII sharing agreements with PGLD’s Governmental Liaison, Disclosure, and Safeguards (GLDS) and other affected IRS entities that establish and monitor the sharing of PII with external entities.

    11. Implement safeguards to establish and monitor internal and third-party agreements for the protection of SBU data and to ensure the confidentiality of SBU data.

    12. Ensure that IRS personnel involved in the management, operation, programming, maintenance, or use of IRS information systems complete IRS UNAX and privacy, information protection and disclosure training prior to being granted access to those systems that include SBU data.

    13. Ensure that IRS personnel who have access to SBU data for testing follow the requirements of IRM 10.5.8, Privacy and Information Protection, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments. For more information, refer to the SBU Data Policy page on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

    14. Follow IRS records management requirements outlined in the IRM 1.15 series, Records and Information Management.

System Developers

  1. In addition to the Employees/Personnel responsibilities, System Developers must:

    1. Integrate information security and privacy fully into the system development process. [OMB A-130] This means to include privacy at the table for planning and discussion.

    2. Follow IRS privacy policies and procedures in the development, implementation, and operation of information systems for which they are responsible, including reviews of the use of SSNs by IRS systems.

    3. Work closely with system owners to eliminate the unnecessary collection and use of SSNs in all IRS systems.

    4. Develop information systems that provide the capability to partially mask, truncate, or redact the SSN when the total elimination of the use of SSNs is not possible in both personnel and tax systems.

    5. Work with system owners to eliminate unnecessary accessing, collecting, displaying, sharing, transferring, retaining, and using of the SSNs in personnel and tax systems.

    6. Establish, maintain, and test the management, operational, and technical controls to protect SBU data (including PII and tax information).

    7. Complete system PCLIAs in concert with system owners and following IRS policy, if they are the responsible management official or designees.

      Note:

      The IRS requires PCLIAs for pilot projects, research, experimentation, the use of innovative technologies, technical demonstrations, prototypes, and proof of concepts, and the like. For more information about the PCLIA process, refer to IRM 10.5.2 and IRM 2.16.1.

    8. Coordinate with the system owners and PCA to resolve identified privacy risks.

    9. Perform system lifecycle reviews to ensure satisfactory resolution of privacy risks and give the results to the system owners.

Authorizing Officials

  1. In addition to the Employee/Personnel and Management responsibilities, the Authorizing Official (AO) must develop and maintain operational documentation (such as action and implementation plans, standard operating procedures) necessary for implementation of the privacy controls, delineated in the IRM 10.5 series.

    Note:

    To deviate from privacy policy, follow the Risk Acceptance Form and Tool (RAFT) process. The executive or other senior official with the authority to formally assume responsibility for the process must sign the RAFT as the approver. The RAFT clearly documents business decisions in the context of risk appetite and/or acceptance. Submit the RAFT to PPKM for review for compliance with privacy laws and regulations. PPKM will not grant exceptions to bypass laws or mandates. Submit RAFT review requests via email to *Privacy (give topic name in subject line and add Attn: CPO RAFT review). For RAFT guidance, refer to the Office of the Chief Risk Officer.

  2. The AO holds responsibility for implementation of privacy, including documentation and procedures for managing, administering, and monitoring their information systems.

Personnel Engaged in Procurement Activities

  1. In addition to the Employee/Personnel responsibilities, personnel engaged in procurement-related activities must:

    1. Review and understand the proper procurement-related training and guidance, including the Contracting Officer Representative (COR) Security, Privacy, and Disclosure Awareness Training.

      Note:

      For more information, see also the Contractors section in IRM 10.5.1.6.15 and refer to IRM 11.3.24.

    2. Ensure all IRS acquisitions and contract vehicles contain proper language holding contractors and other service providers accountable for complying with federal and IRS privacy policies and procedures. [OMB A-130] This means to include privacy at the table for planning and discussion when necessary.

    3. Insert the necessary contract clauses in all acquisitions and procurement documents generated in support of any contract or agreement involving access to SBU data (including PII and tax information). This includes, but is not limited to, clauses specific to SBU data, IRC 6103, the Privacy Act, and Non-Disclosure Agreements. To find the proper contract clauses, refer to Contractor Compliance page on the PGLD Disclosure and Privacy Knowledge Base on IRS Source or the IRS Acquisition Policy site.

    4. Ensure contract work statements specifically name the proper System of Records Notice (SORN) when Privacy Act information is a part of the research, design, development, testing, or operation work under the contract.

    5. Review contract requirements to determine whether the contract will involve access to SBU data (including PII and tax information), or the design, development, or operation of a SORN on individuals to carry out an IRS function.

    6. Ensure compliance with the Federal Acquisition Regulations (FAR). For more information, refer to the FAR site:
      https://www.acquisition.gov/browse/index/far

    7. Support the proper level of contractor background investigation in cooperation with the Office of Contractor Security Management (CSM) and Office of Personnel Security (PS) as described in IRM 10.23.2, Personnel Security – Contractor Investigations. This includes working with PS to assign the correct risk designations (often Moderate for access to SBU data), helping with contractor fingerprinting, and distributing identity cards, if needed. If contractors need re-investigation every five years, the COR must start those.

      Note:

      Any staff-like access (facilities, systems, or SBU data) requires completion of a favorable suitability/fitness determination (background investigation) conducted by IRS Personnel Security. For more information about staff-like access, refer to IRM 10.23.2.

    8. Ensure contractors take required security, privacy, disclosure, and UNAX training and complete Non-Disclosure Agreements (NDAs) within the required time frames per CSM instructions.

      Note:

      To be authorized, all personnel must complete required training (IRS annual and role-based privacy, information protection, and disclosure training requirements, Unauthorized Access [UNAX] awareness briefings, records management awareness briefing, and all other specialized privacy training) and background investigations before given access to SBU data (including PII and tax information). [OMB A-130]

    9. Ensure any contract involving the use of SBU data for testing follows the requirements of IRM 10.5.8, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments. For more information, refer to the SBU Data Policy page on PGLD Disclosure and Privacy Knowledge Base on IRS Source.

    10. Ensure contractors receive and understand the PCLIA when supporting a project with a PCLIA. In some cases, contractors might need to work with the IRS to complete the required PCLIA. Before "developing or procuring information technology that collects, maintains, or disseminates" SBU data (including PII and tax information), the IRS must complete a PCLIA. [E-Government Act]

      Note:

      The IRS requires PCLIAs for pilot projects, research, experimentation, the use of innovative technologies, technical demonstrations, prototypes, and proof of concepts, and the like. For more information about the PCLIA process, refer to IRM 10.5.2 and IRM 2.16.1.

    11. Ensure the contractor understands incident response requirements. All incidents related to IRS processing, information, or information systems must be reported immediately upon discovery to the CO and COR. Report security incidents to Computer Security Incident Response Center (CSIRC) by contacting the CSIRC Support Desk at 240-613-3606. Refer to the IR-6 Incident Reporting section in Pub 4812.

    12. Report UNAX by a contractor to TIGTA and Procurement.

    13. Collaborate with CSM at contract closeout to revoke system and facilities accesses and to ensure all IRS data is returned or purged as required by the contract.

    14. Email Privacy Policy for help with these responsibilities at *Privacy.

    15. For more information, refer to the internal Procurement site on IRS Source.

    [OMB A-130]

Privacy Culture

  1. The IRS requires a privacy culture, wherein all personnel think about privacy before acting. In such an environment or culture, protecting privacy guides the day-to-day practices and routines of everyone.

  2. Throughout the privacy lifecycle, consider whether the use of SBU data (including PII and tax information) meets all the IRS Privacy Principles.

    Note:

    One approach might be to ask if you would want your information treated in this way.

  3. The IRS has programs to promote a privacy culture.

Clean Desk Policy

  1. The IRS has a clean desk policy. To protect SBU data (including PII and tax information) when it is not in your possession, you must lock it up. The Clean Desk Policy requirements apply to data left out in work areas (including those in telework and offsite locations) and non-secured containers, on credenzas, desk tops, fax/copy machines, conference rooms, and in/out baskets. [TD P 15-71; PVR-01, PVR-05, PVR-06]

  2. IRS personnel must containerize all SBU data (including PII and tax information) in non-secured areas during non-duty hours.

  3. Lock protected data in containers in areas where non-IRS personnel have access during non-duty hours and/or when not under the direct control of an authorized IRS employee. For more information, refer to the Containers section in IRM 10.2.14, Methods of Providing Protection.

  4. For some pipeline activities and processing conducted at Submission Processing centers, campuses, and computing centers, the volume of the tax information processed and the disruption to these operations might prevent containerization and Clean Desk implementation. We require Clean Desk Waivers for these areas. Clean Desk Waiver requests must be:

    1. Restricted to pipeline activities and processing conducted at Submission Processing centers, campuses, and computing centers.

    2. Justified and not just a matter of convenience.

    3. Limited to items not requiring Special Security (SP). For more guidance, refer to IRM 10.2.15, Minimum Protection Standards (MPS).

    4. Supported with a layered security plan that allows the campuses and the computing centers a higher level of protection to accommodate the processing operation.

    5. Approved at the Executive level of the business unit making the request via Form 14617, Clean Desk Waiver Request and Checklist.

    6. Forwarded by the business unit to PGLD for approval via email to *Privacy. Facilities Management and Security Services (FMSS) will conduct the physical onsite reviews, with assistance from PGLD Records Management as necessary.

    7. Reviewed and approved by FMSS and PGLD, including exemptions citing voluminous files.

    8. Submitted annually, unless no longer required.

    Note:

    Submission Processing activity may complete one waiver request for each campus, computing center, or other POD, but we will not grant blanket waivers for any entire facility

Privacy in Practice (PiP)

  1. IRS Privacy in Practice includes protecting privacy in systems and safeguarding privacy in everyday business practices. All IRS activities should include an element of privacy. A culture of privacy prevails through Privacy in Practice; from systems development to customer service, training, communications, passwords, and the Clean Desk Policy.

  2. PGLD Privacy Policy and Compliance (PPC) employees serve as privacy advocates and consultants for IRS personnel and projects.

  3. Designing privacy into projects is a key aspect of effective privacy policy and compliance at the IRS.

    1. This concept reflects the principle that organizations best achieve privacy goals when they weave privacy proactively into business processes and operational practices.

    2. To be effective, introduce privacy principles early in a project lifecycle, in architecture planning, system design, contract review and selection, and the development of operational procedures.

  4. Invite privacy employees whenever necessary at all project stages to include privacy at the table for planning and discussion. [OMB A-130]

  5. Refer to Privacy in Practice Quick Reference Guide (Document 13291)

  6. For help or more information, email *Privacy.

  7. Refer to the Enterprise Architecture site on IRS Source.

Practical Privacy Policy

  1. These sections describe privacy policy in terms of common issue areas. Many of these areas interrelate with each other, physical protection, and IT security practices.

  2. For more information, refer to the PGLD Disclosure and Privacy Knowledge Base on IRS Source.
    For help, email *Privacy.

Protecting and Safeguarding SBU Data

  1. Regardless of the risk, IRS personnel must protect and safeguard SBU data (including PII and tax information). This means you must properly use SBU data throughout the privacy lifecycle.

  2. IRS personnel must comply with the following requirements, which stem from TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information.

  3. Be aware of and comply with safeguarding requirements for SBU data. Disclosing or accessing SBU data without proper authority could result in administrative or disciplinary action (including termination of contract). The lack of an SBU data marking does not mean the information is not sensitive nor does it relieve you from responsibility to appropriately safeguard the information from unauthorized use or inadvertent disclosure.

  4. Take steps to prevent the possibility of such disclosure by non-IRS personnel. Deny unauthorized non-IRS personnel access to other than IRS areas established for serving the public.

  5. Follow the IRS Clean Desk Policy in IRM 10.5.1.5.1.

  6. Determine how long to protect the information, for example, either by date or lapse of a determinable event.

  7. IRS security officials must provide routine oversight of measures in place to protect SBU data through a program of routine administration and day-to-day management of their information security program.

  8. IRS supervisors and program managers are responsible for personnel being trained to recognize and safeguard SBU data supporting their mission, operations, and assets. Supervisors and managers must also ensure an adequate level of education and awareness is maintained by affected personnel. Education and awareness must begin upon initial personnel assignment and annually reinforced through mandatory training, staff meetings, or other methods/media contributing to an informed workforce.

  9. IRS personnel must protect SBU data supporting their mission, operations, and assets. Protection efforts must focus on preventing unauthorized or inadvertent disclosure and especially when visitors enter areas where SBU data is handled, processed, discussed, or stored. This includes being aware of surreptitious and accidental threats posed by high-end communications technologies carried/used by personnel and visitors, such as cell phones (with or without photographic capability), personal data assistants/digital assistants, smart devices, Internet of Things (IoT), portable/pocket computers, cameras, and other video imaging recorders, flash drives, multi-functional, and two-way pagers, and wireless devices capable of storing, processing, or transmitting information.

  10. IRS program managers and contracting officials must also require appropriate privacy and security contract clauses for personnel, facilities, and information protection through the acquisition process of contracts or grants that concern access to SBU data.

Deciding Risk Levels for SBU Data
  1. Loss, compromise, or disclosure of SBU data (including PII and tax information) could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual or the IRS.

  2. Harm includes any adverse effects experienced by an individual whose PII was compromised, or adverse effects to the IRS such as a loss of public confidence.

  3. The greater the potential for harm, the more at risk the SBU data becomes. As outlined in NIST SP 800-122:

    1. PII with a low confidentiality level means limited potential harm with minor impact on an individual or the IRS.

    2. Low confidentiality level SBU data would include, for example, information that the IRS may release under FOIA requests, or information that has become public record or is publicly available. For more information, see FOIA and SBU Data, IRM 10.5.1.2.2.3, and Public Record, IRM 10.5.1.2.3.2. The SEID is an example of low risk PII.

    3. PII with moderate or high confidentiality levels means the potential harm ranges from serious to severe or catastrophic, with significant to severe impact to an individual or the IRS. Tax information is an example of high risk PII.

  4. The greater the risk to SBU data, the stronger the privacy and security protections become. [OMB A-130, NIST SP 800-122] For example, moderate and high risk SBU data require encryption, but publicly available low risk SBU data might not need encryption.

  5. When in doubt about the level of risk of SBU data (including PII and tax information), or the privacy concerns around the data, email *Privacy for help.

  6. For more information about publicly available information, see also the Public Record section in IRM 10.5.1.2.3.2.

  7. For more information on the IT aspects of data security, refer to IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

Limiting Sharing of SBU Data
  1. We must protect all SBU data (including PII and tax information). What SBU data we may share is limited. [PVR-02, PVR-05]

  2. Disseminate SBU data (orally, visually, or electronically) in such a manner to avoid access by unauthorized persons. Precautions might include preventing visual access and restricting oral disclosure to designated individuals.

  3. You may reproduce SBU data on regular office copiers to the extent needed to carry out official business. Properly destroy flawed or otherwise unusable reproductions. See also the Disposition and Destruction section in IRM 10.5.1.6.10.

  4. Follow extensive Disclosure rules in the IRM 11.3 series, Disclosure of Official Information.

  5. Internally: Only share SBU data (including PII and tax information) with other IRS personnel if the recipient’s need for the information is related to their official duties.

  6. The electronic transmission of SBU data (including PII and tax information) requires encryption for security purposes. See also the Encryption section in IRM 10.5.1.6.2 for more information.

  7. The confidentiality provisions of IRC 6103 restrict release of tax information (whether of an individual or business). Share tax information only with authorized individuals following established written procedures.

    Note:

    Removing identifying information (such as name or TIN) from specific tax records does not remove it from the confidentiality protections of IRC 6103.

  8. Externally: Only share SBU data (including PII and tax information) with authorized individuals outside of IRS, in encrypted files, if you meet all these conditions:

    1. Individual authorized to receive it under law or regulation, such as IRC 6103. Establish authority by a formal request for information processed using established written procedures, or a memorandum of understanding or executed agreement which also shows the secure method of transmission for the data.

      Note:

      Keep agreements in an approved database/program, such as IRS Agreement Database (IAD). For more information about the IAD, see also the Governmental Liaison (GL) section in IRM 10.5.1.7.12.

    2. Recipient need for the information related to official duties.

    3. Recipient authenticated.

    4. Recipient accepted information and any obligation to protect.

    5. Access controls limited to those with need to know.

    6. The applicable System of Records Notice (SORN) includes the use as a published routine use. Refer to the section on SORNs on the PGLD Disclosure and Privacy Knowledge Base on IRS Source and IRM 10.5.6, Privacy Act.

  9. Refer to the IRM 11.3 series (Disclosure of Official Information) or email *Disclosure for more guidance.

Extracting SBU Data
  1. IRS personnel must not create unauthorized, unnecessary, or duplicative hardcopy or electronic collections of SBU data (including PII and tax information), such as duplicate, ancillary, shadow, personal copies, or "under the radar" files. [PVR-03]

  2. If creating new spreadsheets or databases that include SBU data (including PII and tax information) from a larger file or database is necessary, consider whether it requires a PCLIA.

    1. To do so, submit a Qualifying Questionnaire (QQ), or email *Privacy.

    2. For more information on the QQ and PCLIA process, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program.

Encryption

  1. Encryption is a crucial tool in the IRS’s protection of SBU data (including PII and tax information). [OMB A-130, PVR-06]

  2. For more details about emailing and encrypting SBU data, see also the Email section in IRM 10.5.1.6.8.

External
  1. Protect all SBU data (including PII and tax information) processed, stored, or transmitted outside the IRS with IT-approved encryption methods, unless specifically excluded in the IRM. This includes, but is not limited to, SBU data in email, removable media (such as USB drives), on mobile computing devices, and on computers and mobile devices.

  2. IRS IT-approved encryption methods include, but are not limited to, Symantec Endpoint Encryption Removable Storage (SEERS, formerly known as GERS, Guardian Edge Removable Storage), password-protected SecureZip, and secure messaging via Outlook.

    Note:

    Different policies apply for emails to taxpayers and representatives, other stakeholders, those with IRS accounts, and personal email. For more information and requirements about emailing outside the IRS, see also Emails to Taxpayers and Representatives, IRM 10.5.1.6.8.1, Emails to Other External Stakeholders, IRM 10.5.1.6.8.2, Emails to IRS Accounts, IRM 10.5.1.6.8.3, and Emails with Personal Accounts, IRM 10.5.1.6.8.4, Email section in IRM 10.5.1.6.8.

  3. See the Virtual Library for more information about encrypting documents, emails, and email attachments on the Encryption page on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

  4. Refer to specific requirements in these IRMs:

    • IRM 1.15 series, Records and Information Management.

    • IRM 10.2 series, Physical Security Program.

    • IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, in the Cryptographic Protection, Access Control, Media Protection, and Physical and Environmental Protection sections.

Internal
  1. Within the IRS, protect all SBU data (including PII and tax information) with encryption and access controls, limiting access only to approved personnel with a need to know.

  2. Within the IRS network, encrypt emails using the Secure Enterprise Messaging System.

    Note:

    See also the Public Record section in IRM 10.5.1.2.3.2, for more information about publicly available information.

  3. Refer to specific data encryption requirements in IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, in the Encryption, Access Control, Media Protection, and Physical and Environmental Protection sections.

Attachment Encryption Instructions
  1. Refer to the SecureZip and SEERS (formerly GERS) brochures in the Encryption page on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

  2. Instructions for using SecureZip and SEERS (formerly GERS) to encrypt attachments also are available on the IT4U site on IRS Source.

Computers and Mobile Computing Devices

  1. Any SBU data (including PII and tax information) on a computer (such as a server, desktop, or mobile computing device [such as a laptop, tablet, smartphone, etc.]) must be protected, locked (such as a screen saver), secured physically, and kept within sight and/or control.

  2. IRS personnel must use encryption, access controls, and physical security measures proper for the equipment and setting.

    1. For example, computers on IRS sites (federal facilities, contractor’s offices, or rented areas) must follow the proper Physical Security Program policies or contractual requirements.

    2. In addition, IRS personnel must not use mobile devices in public settings in such a way as to expose SBU data (including PII and tax information).

    3. To the extent possible, position any computer or device screen displaying IRS SBU data (including PII and tax information) so that non-authorized personnel cannot view the data.

  3. Protect equipment. Securely lock computers (such as a server, desktop, or mobile computing device [such as a laptop, tablet, smartphone, etc.]) or other equipment (such as flash drives, CDs, external drives) when left unattended, whether in the office, in the home, or in a hotel room. Use the IRS-provided cables and cable locks to secure laptops when working in regular workspace (worksite), working out of the office, or in travel status.

    Note:

    This policy applies even to personnel who live alone. Always secure equipment.

  4. For more information about secured wireless access points (wi-fi hotspots), see also the Telework section in IRM 10.5.1.6.12 and the AC-18 Wireless Access section in IRM 10.8.1, Information Technology (IT) Security Policy and Guidance.

Data Loss

  1. IRS personnel must prevent SBU data loss throughout the privacy lifecycle.

  2. If such a loss occurs:

    Immediately upon discovery of an inadvertent unauthorized disclosure of sensitive information, or the loss or theft of an IT asset or hardcopy record or document that includes sensitive information, you must report the incident to your manager and the appropriate organizations based on what was lost or disclosed. [OMB A-130]

  3. For a brief description of the Incident Management program, see also the Incident Management section in IRM 10.5.1.7.16.

  4. For more information about how to report an incident, refer to IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets and BYOD Assets site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Marking

  1. The Treasury Security Manual [TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information] requires distinct labeling of SBU data (including PII and tax information) to highlight its sensitivity. IRM 11.3.12, Designation of Documents, includes IRS-specific marking requirements. The lack of SBU markings, however, does not relieve the holder from safeguarding responsibilities. Do not remove, mark, and restore unmarked SBU information already in records storage. However, if you remove unmarked SBU items from storage, you must mark them properly before processing or re-filing.

    1. Prominently mark items that include SBU information at the top/bottom of the front/back cover and each individual page with the marking "SENSITIVE BUT UNCLASSIFIED" or "SBU." Information system prompts may be adjusted to incorporate SBU markings in headers and footers.

    2. Mark portions, paragraphs, and subject titles that include SBU information with the abbreviation "SBU" to differentiate it from the remaining text. Only when the entire text contains SBU information are individual portion markings optional.

    3. Controlling, decontrolling, or originator information markings are not required.

    4. When sent outside IRS, except for tax information sent to a taxpayer, documents with SBU data must include a statement alerting the recipient, either in a transmittal letter or directly on the document.

      Example:

      This document belongs to the IRS. Do not release without the express permission of (creating office). Refer requests and inquiries for the document to: (insert name and address of originating office and contact number(s)).

  2. Protective measures start when markings are applied and end when such markings are cancelled, or the records are destroyed.

  3. Although SBU is Treasury’s standard for identifying sensitive information, some types of SBU information might be more sensitive than others and call for more safeguarding measures beyond the minimum requirements established here. Certain information might be extremely sensitive based on repercussions if the information is released or compromised – potential loss of life or compromise of a law enforcement informant or operation. IRS and its personnel must use sound judgment coupled with an evaluation of the risks, vulnerabilities, and the potential damage to personnel or property/equipment as the basis for determining the need for safeguards in excess of the minimum requirements contained here.

  4. A green Sensitive But Unclassified (SBU) Cover Sheet, Other Gov TDF 15-05.11, must be placed on documents that contain SBU material to prevent unauthorized or inadvertent disclosure when SBU information is removed from an authorized storage location and persons without a need-to-know are present or casual observation would reveal SBU information.

    1. When sending SBU information, place an SBU cover sheet inside the envelope and on top of the transmittal letter, memorandum, or document.

    2. When receiving SBU or equivalent information from another U.S. Government agency, handle it following the guidance provided by the other U.S. Government agency. Where no guidance exists, handle it following IRS policy as described here.

Storage

  1. For storage of SBU data (including PII and tax information), refer to IRM 10.8.1 about limiting access to need-to-know personnel and for encryption requirements.

  2. For methods for protecting and storing SBU data (including PII and tax information), as well as high security and special security items, refer to IRM 10.2.14, Methods of Providing Protection and IRM 10.2.15, Minimum Protection Standards (MPS).

  3. For storage of federal records, refer to IRM 1.15 series, Records and Information Management.

  4. For managers handling employee performance files (EPFs), refer to the sections:

    • Maintaining Tax Return Information in Employee Performance Files section in IRM 11.3.22.

    • Employees in Critical Job Elements in IRM 6.430.2, Performance Management, Performance Management Program for Evaluating Bargaining Unit and Non-Bargaining Unit Employees Assigned to Critical Job Elements (CJEs).

    • Performance Management Program for Evaluating Managers, Management Officials and Confidential Management/Program Analysts in IRM 6.430.3, Performance Management, Performance Management Program for Evaluating Managers, Management Officials and Confidential Management/Program Analysts.

Phone

  1. When communicating SBU data (including PII and tax information) via phone, IRS personnel must:

    1. Confirm you’re talking to an authorized person before discussing the information.

    2. Inform the person that the forthcoming discussion will include sensitive information.

    3. Refer to the section Methods for Communication of Confidential Information in IRM 11.3.2, Disclosure to Persons of Material Interest.

Cell Phone or Cordless Device
  1. Remember that the use of cell phones or other cordless devices (cordless land lines) does not automatically create disclosure concerns. However, use of these devices might raise some vulnerability issues. Refer to the Telecommunication Devices and the Personally-Owned and Other Non-Government Furnished Equipment sections of IRM 10.8.1.

  2. Whenever possible, conduct cellular phone conversations in a private setting (and not in a crowded public setting) to minimize the potential for eavesdropping. Cordless devices are rarely, if ever, used outside of a person’s home and do not lend themselves to conversations in crowded areas, but can still pose a risk of someone overhearing a conversation that the taxpayer does not want overheard.

    Example:

    You may normally conduct a cell phone conversation from a private workspace within your home or from an automobile where you are the only occupant without someone overhearing the conversation. You may also conduct a conversation away from passers-by. Conversely, if you’re returning a call in a restaurant or an office lobby, be careful not to convey sensitive information that others might overhear.

    Caution:

    Be aware how loud you talk. Cell phone users tend to talk louder, often without realizing it. Digital cell phones are more secure than analog cell phones.

  3. For contacts initiated by IRS personnel that discuss SBU data (including PII or tax information), you must inform a taxpayer you are calling from a cell phone or other cordless device when in a public place where others could overhear sensitive information. This will alert the taxpayer of the potential for the inadvertent disclosure of their tax information. When calling from a private setting where others cannot overhear the conversation, you don’t have to disclose that the call is originating from a cell or cordless phone.

    Example:

    When returning a taxpayer’s call from a public place, say, "I’m calling you from my cell phone. Do you have the bank account information I requested?" Or, "I’m calling you from my cell phone. Do you have the information I requested about your tax return?" These or similar statements informing the person that you are calling from a cell phone are proper.

  4. Even when a call from a public place is not expected to discuss sensitive information, you still should consider telling the taxpayer you are using a cell phone or other cordless device in case a sensitive issue comes up in the discussion.

    Example:

    "I’m returning your call from my cell phone. You wanted to set up an appointment?"

  5. You must honor a taxpayer’s request not to conduct a conversation concerning sensitive information by cell or cordless phone. Offer the taxpayer the choice of rescheduling the conversation when a more secure land line is available. Appropriately document any agreement (if documentation kept, such as history notes).

  6. For taxpayer-initiated contacts, the IRS is under no obligation to determine if the taxpayer is using a less secure platform such as a cordless device or cell phone. Any necessary dialogue, including the disclosure of SBU data (including PII or tax information), is authorized because the taxpayer has accepted any security vulnerability by using such a device to contact the IRS.

  7. Never discuss NSI over a cell or cordless phone. For more about NSI, refer to IRM 10.9.1, Classified National Security Information.

  8. For information about text messaging or texting, see also the Text Messaging (Texting) section in IRM 10.5.1.6.9.6.

Answering Machine or Voicemail
  1. Use the following for answering machine and voicemail guidelines when leaving messages with sensitive information:

    1. You generally may not leave tax information protected by IRC 6103 on an answering machine or voicemail. However, if you "reasonably believe" you have reached the taxpayer’s correct answering machine or voicemail, leave your name, telephone number, any proper reference number for the inquiry, the fact that you work for the IRS (identifying your function is permissible), and the name of the person who should return the call. You may leave additional information on the recording if the taxpayer has given prior approval to leave such information.

    2. The following supports "reasonable belief:"
      - The greeting on the answering machine or voicemail refers to the taxpayer being contacted, or
      - The taxpayer has indicated that this is the telephone number where they may be reached directly.

    3. Document the taxpayer’s telephone number, their approval to call that number, and their permission for IRS to leave information on the recording.

    4. Without such reasonable belief that you have reached the correct taxpayer, you must not disclose any tax or other sensitive information on the message.

  2. When you can’t positively identify the number reached as the taxpayer’s, and it is otherwise appropriate and practical, simply ask for a return call without giving the taxpayer’s name. If the call is in response to an earlier taxpayer inquiry or request, say the call is in response to an earlier inquiry or request. In such a case, you must not say the nature of the original situation nor reveal any specifics about the return call if it involves sensitive information.

    Caution:

    When calling about collection of unpaid taxes, the restrictions of IRC 6304(b)(4) apply, and IRS personnel generally are precluded from identifying themselves as IRS unless they reasonably believe the answering machine or voicemail belongs to the taxpayer.

  3. Normally, do not leave sensitive information on the answering machine of the taxpayer’s designee under IRC 6103(c) because these designees cannot further authorize IRS to disclose the taxpayer’s information to anyone else, and IRS cannot be certain who will pick up the message.

    Example:

    You must not leave taxpayer information on the voicemail of a Congressional staffer when working a Congressional inquiry, as a member of Congress (or the designated staffer) has no authority to give a third party access to that information, and you have no way to know whether anyone else has access to that voicemail.

    Exception:

    An attorney-in-fact who under Conference and Practice Requirements has been authorized in Section 5 of Form 2848, Power of Attorney and Declaration of Representative, to designate others to receive information of the taxpayer. However, that does not mean that anyone with access to the voicemail has been authorized to receive disclosure of tax information.

Email

  1. IRS personnel must use IRS email accounts to conduct IRS official business. (TD P 85-01)

  2. The Protecting Americans from Tax Hikes (PATH) Act of 2015, Section 402, Division Q of the Consolidated Appropriations Act of 2016 reads:

    No officer or employee of the Internal Revenue Service may use a personal email account to conduct any official business of the government.

    Note:

    This policy applies to IRS officers, employees, and contractors alike, as noted in the Audience section in IRM 10.5.1.1.2. Law enforcement employees must refer to their divisional or law enforcement manuals for special rules.

  3. Manage emails used for business communications as IRS records.

  4. IRS personnel hold a legal responsibility to protect all IRS SBU data (including PII and tax information) entrusted to us by taxpayers, fellow personnel, and other individuals.

  5. For more information about emailing outside the IRS, see the following subsections in this IRM for policy about taxpayers and representatives, other external stakeholders, IRS accounts, and personal email.

    Note:

    Different policies apply for emails to taxpayers and representatives, other stakeholders, those with IRS accounts, and personal email. For more information and requirements about emailing outside the IRS, see also Emails to Taxpayers and Representatives, IRM 10.5.1.6.8.1, Emails to Other External Stakeholders, IRM 10.5.1.6.8.2, Emails to IRS Accounts, IRM 10.5.1.6.8.3, and Emails with Personal Accounts, IRM 10.5.1.6.8.4.

  6. When authorized to email SBU data, encrypt SBU data in emails using IRS IT-approved encryption technology. Do not include SBU data (including PII or tax information, such as name control) in the email subject line.

    Caution:

    Encryption methods do not encrypt the subject line or the header (email address information).

    Note:

    See also Emails to Taxpayers and Representatives in IRM 10.5.1.6.8.1 for subject line and header requirements.

  7. IRS IT-approved encryption technology includes:

    1. Internal email (within the IRS network): Microsoft Outlook’s Secure Enterprise Messaging System (SEMS), which is secure email certificate encryption.

    2. External email (outside the IRS network):Password-protected encrypted attachments or previously authorized secure email certificate encryption, for example, refer to the LBI Secure Email program site.
      Refer to IRM 10.8.52, Information Technology (IT) Security, IRS Public Key Infrastructure (PKI) X.509 Certificate Policy, for more information about secure email certificate encryption.

    3. Attachments: SecureZip password-protected encrypted attachments, or Symantec Endpoint Encryption Removable Storage (SEERS, formerly known as Guardian Edge Removable Storage, GERS) encrypted attachments.

      Note:

      Methods such as SecureZip and SEERS only encrypt the attachment, not the body of the email or the address or subject information. These methods do not encrypt the channel or authenticate the recipient, which is why we do not allow this method for emails with taxpayers and their representatives. For those requirements, see Emails to Taxpayers and Representatives in IRM 10.5.1.6.8.1.

      Reminder:

      Never send the password in the email with the password-protected encrypted attachment.

  8. Refer to these IRMs for more policy:

    • IRM 1.10.3, Standards for Using Email.

    • IRM 1.15.6, Managing Electronic Records.

    • IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, (in the Electronic Mail Security and Use of External Information Systems sections).

    • IRM 10.8.27, Personal Use of Government Furnished Information Technology Equipment and Resources.

    • IRM 11.3.1, Disclosure of Official Information, Introduction to Disclosure (in the Electronic Mail and Secure Messaging section).

Emails to Taxpayers and Representatives
  1. Do not send emails that include SBU data (including PII and tax information) to taxpayers or their authorized representatives, even if requested, because of the risk of improper disclosure or exposure.

    Note:

    Special rules apply to personnel in previously approved secure email programs, such as LBI and Chief Counsel employees. Refer to the LBI Secure Email program site on IRS Source and the Chief Counsel Directives Manual for more information.

  2. When taxpayers request email contact and accept the risk of such, limited allowable situations without risking unauthorized disclosure of SBU data include:

    1. Message sent under a previously authorized privacy- and IT-approved secure email program (rare). For example, the LBI Secure Email program site on IRS Source.

    2. Brief, unencrypted message confirming the date, time, or location of an upcoming appointment, but not the nature of the appointment. Include no SBU data (including PII and tax information, such as name control) in the email, subject line, or attachment. Permit no follow-up email discussion of any taxpayer account or case.

    3. Link to the publicly available forms and publications sections of IRS.gov. Avoid sending information about specific tax matters (revenue rulings, court cases, and specific IRS forms), which might unintentionally disclose the nature of a tax matter to an unauthorized third party.

  3. When responding to unsolicited emails from taxpayers or tax professionals, respond by letter or phone; if address or phone number not available, respond by email. IRS personnel must:

    1. Delete any SBU data (including PII and tax information) appearing in the original email. Some examples of phrases to watch for are "my situation" or "my information."

    2. Discourage the taxpayer from continuing the discussion by email. Sample response:

      To ensure your privacy, we discourage you from sending your personal information to us by email. Further, IRS doesn’t allow its personnel to exchange unencrypted personally identifiable or other sensitive information with email accounts outside of the IRS network, even with your permission. For further discussion about the matters included in your original email, please contact us by telephone, fax, or mail.

Emails to Other External Stakeholders
  1. Do not email SBU data (including PII and tax information) to other external stakeholders unless specifically authorized. Refer to IRM 11.3.1, Disclosure of Official Information, Introduction to Disclosure.

  2. Send SBU data (including PII and tax information) through password-protected encrypted attachments or through a previously authorized privacy- and IT-approved secure email program. For example, refer to the LBI Secure Email program site.

  3. Email SBU data (including PII and tax information) outside the IRS in encrypted, password-protected attachments or secure email only when:

    1. Individual authorized to receive it under law or regulation, such as IRC 6103. Establish authority by a formal request for information processed using established written procedures, or a memorandum of understanding or executed agreement which also establishes email as the secure method of transmission for the data.

    2. Recipient need for the information related to official duties.

    3. Recipient authenticated.

    4. Recipient accepted information and any obligation to protect.

    5. Access controls limited to those with need to know.

    6. The applicable System of Records Notice (SORN) includes the use as a published routine use. Refer SORN page on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

    7. Adherence to policy in the IRM 11.3 series, Disclosure of Official Information.

  4. See Emails to Taxpayers and Representatives in IRM 10.5.1.6.8.1 when receiving emails from external parties that contain SBU data (including PII and tax information).

  5. Interact with applicants or prospective contractors by email only to answer questions about their information, qualifications, or administrative matters; minimize the exposure of their personal information (such as PII).

  6. For those who must provide IRS with their SBU data (such as PII) to facilitate a business arrangement, ask them to fax, mail, or upload their SBU data to a secure system, such as USAJobs.

Emails to IRS Accounts
  1. IRS personnel must use IRS email for email communications with other IRS personnel about official business matters. They must encrypt all internal email messages that contain SBU data (including PII and tax information) with IT-approved encryption, which includes secure messaging or password-protected encrypted attachments.

  2. For contractors, when provided with an IRS workstation as part of a contract, they must use their IRS workstation and account for all official communication (e.g., email, instant messaging). Refer to the Contractor section of IRM 10.8.2, IT Security Roles and Responsibilities.

Emails with Personal Accounts
  1. No officer, employee, or contractor of the IRS may use a personal email account to conduct any official business of the government. Three limited allowable circumstances include:

    1. Personal Information – You may send your own SBU data (including your PII and your tax information) to or from your personal email accounts, if it is in a password-protected encrypted attachment. Examples may include, but are not limited to:
      - Personnel forms or records.
      - Financial records used to prepare an OGE Form 450 or OGE Form 278 or other form for financial reporting related to the job.
      - Records needed for a personal transaction.
      - Job application, resume, self-assessment, or appraisal.
      - Health records or fitness for duty information.
      - Travel itinerary (but only by adding personal email address for ConcurGov notifications related to their own travel, not approvals for others; personnel cannot forward a travel itinerary from a work email address to a personal email address).

      Exception:

      The encryption policy does not apply to your own PII that the IRS proactively makes available to all employees on resource sites (including, but not limited to, Discovery Directory, Outlook (calendar, profile information [including profile photos], and address book), intranet, and SharePoint site collections [including profile photos]), such as names and business contact information.

    2. Training or publicly available information – You may send non-case-related content, including links, to and from yourself when IT Security constraints prevent access. Examples of this include online training or meetings, such as webinars and seminars, as well as publicly available information (including public profile photos or business photos intended for publication with permission of pictured individuals).

    3. Exigent circumstances, such as in emergencies. This includes when the IRS network is down and there is an urgent need to communicate or in disaster recovery situations. Refer to IRM 10.8.60 and IRM 10.8.62. Limit SBU data to that necessary for the situation. Examples may include, but are not limited to:
      - Reporting for work.
      - The condition or availability of the workplace.
      - An emergency situation.
      - The well-being of IRS personnel.

      Note:

      In all instances, you must copy an IRS email account at the same time to ensure you retain a record of the communication in the IRS email system for transparency and information management purposes.

    For further guidance, refer to:
    • Frequently asked questions (FAQs) on email scenarios (right side of the PGLD Disclosure and Privacy Knowledge Base on IRS Source).

    • The Email section of the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Limited Exceptions to Email SBU Data Encryption
  1. The general rule for encrypting SBU data (including PII and tax information) in emails reflects the IRS’s priority to protect sensitive information from unauthorized disclosure causing a risk of loss or harm to individual privacy or to IRS data.

  2. Having evaluated business needs in relation to potential risk, the following limited exceptions for external emails are appropriate:

    Caution:

    Do not include SBU data (including PII or tax information), such as name control, in the email subject line. Encryption methods do not encrypt the subject line or the header (email address information).

    1. Subject line of case-related emails to the Department of Justice
      1. When IRS personnel communicate with the Department of Justice about established cases, personnel may include the case name and filing number in the subject line of those emails. If the full name is not part of the case name, then do not use the full name.
      2. This information fits within the judicially created public records exception to IRC 6103, recognized in most jurisdictions. Refer to IRM 11.3.11.12, Information Which Has Become Public Record, for more information on the public records exception.
      3. However, if the body of an email or any attachment contains more SBU data, IRS personnel must encrypt both the email and attachment using IT-approved technology (such as certificate encryption).

    2. Emails generated to taxpayers or representatives by approved online applications
      1. The IRS online applications may issue emails to taxpayers or representatives, without encryption, when the messages contain only incidental information (such as name and email address) and are for e-authentication purposes, or to inform a user that a secure message is available for viewing on the IRS website.
      2. This exception is limited to the following circumstances:
      a. The email is automatically generated by an approved IRS application developed by or in conjunction with the Office of Online Services, and
      b. The taxpayer or representatives consented to these notices by completing the application’s enrollment process. During this enrollment process, the taxpayer or representative must have received clear notice of the IRS’s intent to send such notices via email.

    3. IRS employees sending their personal SBU data via encrypted email attachment
      1. You may choose to send your personal SBU data outside the IRS via an attachment encrypted with SecureZip or SEERS (formerly GERS). Use SecureZip to send one or more encrypted files, or use SEERS to send a single encrypted file.
      2. You must send this information only if you encrypt the attachment(s) send only your personal SBU data. Personal SBU data is information pertaining only to you.
      3. This exception does not include IRS usernames and passwords.
      4. Refer to the SecureZip and SEERS (formerly GERS) brochures in the Encryption page on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.
      5. Instructions for using SecureZip and SEERS to encrypt attachments also are available on the IT4U site on IRS Source.
      6. To open a SecureZip file on an external computer, the receiving computer must have SecureZip installed. SecureZip is a commercial product that available for purchase through the manufacturer’s website (with free trials). Mobile users can obtain the free SecureZip Reader app for both iOS and Android platforms. To open a SEERS file on an external computer, it must run a Windows operating system.

    4. Emergency emails by Facilities Management and Security Services (FMSS)
      1. Where significant incidents (as defined in IRM 10.2.8, Incident Reporting) occur, and FMSS employees need to supply law enforcement entities with detailed information, but cannot do it expediently by phone, they may use unencrypted email to send the necessary details, including SBU data.
      2. FMSS employees must make every effort to minimize the amount of SBU data within those messages (for example, no SSNs).

Surveys by Email
  1. Special rules apply when transmitting customer satisfaction or other surveys by email.

  2. For details on the Survey process, refer to IRM 10.5.2.

Other Forms of Transmission

  1. This section addresses forms of transmission other than phone and email.

  2. You must provide adequate safeguards for SBU data (including PII and tax information) transmitted from one location to another.

  3. Refer to the Transporting Documents section of IRM 11.3.1.

Field and Travel
  1. If IRS personnel carry SBU data (including PII and tax information) in connection with a trip or during daily activities, they must keep it with them to the extent possible.

  2. If you must leave SBU data (including PII and tax information) unattended in an automobile while traveling between work locations or between work and home, lock it in the trunk. If the vehicle does not have a trunk, conceal the material from plain view and secure it in some manner. When not in transit, secure data in an approved work location (office, approved and securable telework location, or approved taxpayer site in IRS-approved lockable containers).

    Note:

    In either case, lock the vehicle and leave the material unattended for only a brief period.

  3. If you must leave the SBU data (including PII and tax information) unattended in hotel or motel room, lock it in a briefcase and conceal it to the extent possible.

  4. If SBU data (including PII and tax information) is being moved from one building to another (even within the same campus) or one location to another even if it is a short distance, take necessary steps to protect the information from unauthorized disclosure, loss, damage or destruction.

  5. Field employees might have SBU data needing protection while temporarily stored at the taxpayer's site.

    1. SBU data (such as agent's work papers, original returns, examination plans, probes, or fraud data) housed unattended at the taxpayer's site must be stored in a container under the control of the responsible IRS employee.

      Note:

      If possible, use an IRS-furnished security container. If necessary, use a taxpayer-furnished container, but change the taxpayer-furnished container (such as with bars and locks) so the taxpayer cannot access the container.

    2. During duty-hours, the SBU data must be under the personal custody of the IRS employee if not properly secured in approved containers.

    3. If you don’t have a lockable and suitable container provided, you must not leave SBU data at the taxpayer's site.

  6. For more information about how to protect taxpayer location when using GPS and location services, see also the Global Positioning Systems (GPS) and Location Services section in IRM 10.5.1.6.11.

Mail
  1. IRS personnel must follow proper data protection procedures when mailing SBU data.

    Reminder:

    During the pandemic evacuation orders, refer to the COVID-19 resource page. For more information about mailing and shipping, refer to the article: Mailing and Shipping Guidance – Maximized Telework due to COVID-19.

  2. You may mail letters and packages with SBU data that weigh less than 13 ounces via United States Postal Service (USPS). These packages do not require double packaging and double labeling.

  3. When sending SBU data by mail within the U.S. and Territories (serviced by United States Postal Service [USPS]):

    1. Place SBU data in a single opaque envelope/container.

    2. Seal it to prevent inadvertent opening and to reveal evidence of possible tampering.

    3. Clearly show the complete name and address of the sender and intended recipient or program office on the envelope/container.

      Note:

      Mail room personnel may open and examine SBU data the same way they evaluate and determine other incoming mail safe for internal delivery. You must mail SBU data by USPS First Class Mail. You may use express mail services or commercial overnight delivery service, as warranted.

  4. When sending SBU data to offices Overseas:

    1. If serviced by a military postal facility (i.e., APO/FPO), mail SBU data directly to the recipient.

    2. Where a military postal facility does not service the overseas office, send the information through the Department of State’s (DOS’s) unclassified diplomatic pouch. Coordinate in advance with DOS officials to ensure delivery at the final destination meets Treasury/IRS needs and DOS schedule for such deliveries.

Shipping
  1. IRS personnel must follow proper data protection procedures when shipping PII.

    Reminder:

    During the pandemic evacuation orders, refer to the COVID-19 resource page. For more information about mailing and shipping, refer to the article: Mailing and Shipping Guidance – Maximized Telework due to COVID-19.

  2. You may mail letters and packages with PII that weigh less than 13 ounces via United States Postal Service (USPS). These packages do not require double packaging and double labeling.

  3. You must ship packages with PII that weigh 13 ounces or more through a private delivery carrier.

  4. If the package contains PII and is being shipped through a private delivery carrier, the sender must follow the procedures included below for properly double packaging, double labeling, and tracking the shipment, including the use of Form 3210, Document Transmittal.

    Exception:

    You must continue to send mail to Post Office Boxes via USPS.

  5. When shipping PII through private delivery carrier, the use of UPS CampusShip is mandatory at all locations except Campus locations and offices serviced by a FMSS contract mailroom. UPS CampusShip is an Internet-based shipping system that you can access from any location that has Internet access. The IRS has rolled out UPS CampusShip across the country to IRS field offices not serviced by a FMSS contract mail room. Find training material in the following UPS CampusShip documents:

    • Document 12888, UPS CampusShip: Electronic Shipping Methods.

    • Document 12889, UPS CampusShip: Advanced Features.

  6. CampusShip allows employees to:

    1. Generate labels electronically.

    2. Secure current IRS address information from corporate address repository to improve accuracy of delivery. CampusShip features a Corporate Address Book which contains addresses for over 700 IRS locations; this improves accuracy of delivery since addresses are current.

    3. Track packages via the Internet to easily verify their shipments arrived at the intended destination and to quickly find a missing shipment, reducing the likelihood that PII could be lost or exposed to an unauthorized individual.

  7. Packages with PII must be double-packaged and double-labeled prior to shipping. Double-packaging helps ensure the contents are protected if the outer package is damaged or destroyed during the shipping process. Duplicate shipping labels allow proper delivery of the contents without potential disclosure if the external package is damaged or destroyed.

    Caution:

    Shrink wrapping the external packaging or wrapping the external packaging in paper does not satisfy double packaging requirements.

  8. Evaluate the size of the PII shipment and identify appropriate packing materials. The appropriate type of internal and external packaging depends upon the size and weight of the package. Use the smallest size packaging possible to reduce shipping costs and ensure minimal shifting of contents during shipment.

  9. The sender must also determine whether to ship via ground service or express (Overnight and Second Day Air) services:

    • Use Ground service for shipping whenever possible. Ground service should always be the first choice; use express services only when absolutely necessary. There is no requirement to mail PII via express services. For distances up to 500 miles, the regular ground service offered by the small package or motor freight carriers (depending on weight of shipment) can deliver your shipment within one or two days. For ground shipments, the business operating divisions supply the packaging material.

    • Express Services generally are the fastest mode of transportation available, but they are also much more expensive. Only use this mode when transit time requirements are very short and the urgency of the shipment outweighs the added costs involved (for example, remittances, statute cases, or tax court cases) Only use small package carrier-provided packaging (carrier branded envelopes and boxes) for express services and when provided at no cost.

  10. For internal shipments, the sender must prepare Form 3210, Document Transmittal, identifying the package contents for all packages with PII. For easier tracking, the sender may include the small package carrier tracking number in the "Remarks" area of Form 3210 on Part 4 (sender’s copy).

    1. If the sender is using the small package carrier's web-based system to electronically generate shipping labels, the tracking number is available immediately on the pre-printed shipping label.

    2. If the sender is using a contract mailroom, the sender should complete the sender's email address section of Form 9814, Request for Mail/Shipping Service:
      The mailroom must enter this email address when preparing the shipping label, and the small package carrier must send an email to the sender with the tracking number. The sender can then place the tracking number on Part 4 of Form 3210 for proper record keeping.

    Caution:

    Based on current instructions, redact SSNs appearing on Form 3210 to show only the last four digits. Do not include the full SSN on Form 3210.

  11. Securely package the PII by placing the contents and the properly completed Form 3210 in an appropriately sized internal package. The sender keeps Part 4, Sender's copy, of Form 3210 and includes Part 1, Recipient’s copy, and Part 3, Acknowledgement copy, with the shipment. When possible, when sending the package to a specific individual, the sender may choose to notify the recipient via email, phone, or other method prior to shipment that the package with PII is on its way. The sender may also choose to send an electronic PDF version of Form 3210 via secure email to the intended recipient, so the recipient is aware of the expected shipment.

  12. Internal packaging may include any of the following:

    • An envelope: an E-20, Confidential Information envelope, is acceptable for this purpose.

    • A plastic bag: should be sturdy enough to support the weight of the contents without tearing; should be black, green, or a similar color so the contents are not readable through the plastic bag.

      Note:

      We recommend this as the easiest and most cost-effective method for double packaging large case file shipments.

    • A small box: an undamaged smaller box that fits within the external shipping box.

  13. Label the internal package with the following information:

    1. Send to Address, including Mail Stop and/or Drop Point Number, if applicable.

    2. Return Address, including Mail Stop and/or Drop Point Number, if applicable.

    3. Sender's phone number.

    4. Small Carrier tracking number, if available.

  14. The sender may use a copy of the exterior small package carrier shipping label for the internal label.

    1. If using a small package carrier web-based shipping system to label packages, print two copies of the generated label and attach one to the internal package.

    2. If using a hardcopy small package carrier shipping document to label packages, photocopy the original form and attach it to the internal package.

    3. If using Form 9814 prepare an internal label with the required information. You can also include a copy of Form 9814 with the internal label.

  15. Place the properly labeled, packaged, and sealed internal package into the external package. External packaging materials may include:

    1. Envelope: For shipping smaller case files and documents via ground service, use an IRS issued non-confidential envelope (E-44; minimum size 9 ½” X 12”). Use an envelope or padded pack provided by the Small Package Carrier only when time constraints require shipping via express services.

    2. Box: Use an undamaged box specifically designed for shipping. Choose a box strength that is suitable for the size and weight of the contents you are shipping. For shipping smaller packages up to 10 pounds, use a small box ordered from an office supply vendor for ground shipments. Use boxes provided free of charge by the small package carrier only when time constraints require shipping via express services. For shipments over 10 pounds, the external box should be a suitable flap top, corrugated cardboard box rated with a bursting strength to support the contents. Never exceed the maximum gross weight for the box, usually printed on the box maker's certificate on the bottom flap of the box.

      Note:

      A standard Shipping Record Box (size 14.75” X 12” X 9.5”) that is used to retire files meets this requirement. If possible, use the Shipping Record Box Sleeve as the external packaging. File boxes used for Federal Record Center storage, combined with a sleeve box, will have a bursting strength exceeding 125 pounds per square inch and will be more than adequate for most ground shipments.

      Caution:

      Used copy paper boxes and other boxes with lids do not meet this requirement; boxes with lids can get caught on conveyer belts and damage or destroy the shipment.

  16. Whenever possible, use a new box; however, you may re-use undamaged packaging materials to ship PII. Only reuse a box if it is rigid and in good condition with no punctures, tears, rips, or corner damages, and all flaps are intact. Remove any existing labels and all other shipment markings if re-using a box.

  17. If appropriately sized packaging is not available, use cushioning material inside the package so the contents do not move or shift when shaken. Cushioning material should consist of materials that are readily available, and you can re-use them. It is not necessary to buy prefabricated materials specifically designed to cushion packages for this purpose. Examples of cushioning material include non-confidential paper, shredded administrative paper, obsolete forms, newspaper, and/or commercially bought Styrofoam peanuts, air bags, etc. Place the cushioning material around the items in the box. Close and shake the box to see whether you have enough cushioning material; add more cushioning material if you hear or feel the contents shifting.

  18. Do not mark or label external packaging material with information showing that package contents include sensitive information. You can mark packages as "time sensitive" or "process immediately" as applicable to ensure timely processing. Labels that show sensitive contents include, but are not limited to:

    • "Remittance" labels indicating package contents include remittances.

    • Labels showing package contents include case files or re-files. An acceptable alternative method would be to write "Sort and Sequence."

      Note:

      Do not remove references to IRS from an envelope since it is necessary to include IRS on Return Address and Send To Address labels to ensure that the package is delivered to the intended location if any of the address information is incorrect.

  19. Seal the package with strong clear shipping tape that is two inches or more in width. Do not use string, paper over-wrap, shrink wrap, and/or plastic straps.

  20. Place the shipping label on the top of the package and ensure it is properly adhered and will not separate from the box. Do not place the label over a seam or closure or on top of sealing tape since this could cause it to be damaged or removed from the package.

  21. The sender must be responsible for monitoring the delivery of the shipment. Follow your organization’s established time frames for Form 3210 acknowledgement follow-up. Where there is no established time frame in an individual organization, the follow-up action should take place in three business days for overnight shipments and ten business days for ground shipments.

  22. Once the shipment is received, the recipient will verify receipt of the contents and sign the acknowledgment copy of the Form 3210. The recipient will return the Form 3210 acknowledgement to the sender using secure email (electronic or scanned copy), fax, or mail. If the SSN was not redacted as required on the Form 3210, redact all but the last four digits of the SSN prior to returning it to the sender. After receiving the acknowledgement copy, the sender will associate it with the original Form 3210.

    Note:

    No further action is required if the Form 3210 acknowledgment is received.

  23. If the Form 3210 acknowledgement isn't received within the established time frame, the sender should access the small package carrier's website to track the shipment to determine if it was delivered successfully. The tracking number should have been included on Form 3210 when the shipping labels were prepared or after the number was received from the carrier if Form 9814 was used.

  24. If the tracking information shows the package was delivered, the sender must call the intended recipient to confirm actual receipt of the package.

    1. If the recipient did receive the package, ask the recipient to complete and return the Form 3210 Acknowledgement.

    2. If the recipient didn’t receive the package, the package is considered lost within the IRS facility and the sender must follow the procedures for reporting a loss of hardcopy documents. The intended recipient should also start a search in their IRS facility when the carrier shows an individual signed for the package.

  25. If the tracking information indicates the package was not successfully delivered, the sender should closely monitor the tracking information for up to 48 hours (2 business days) after the anticipated delivery date for air services and up to 72 hours (3 business days) after the anticipated delivery date for ground services. If the package is not delivered within these time frames, the package is considered lost and the sender should follow the procedures for reporting a loss of hardcopy documents.

  26. Immediately upon discovering or identifying a package is lost, report the loss following IRM 10.5.4. Refer to the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets and BYOD Assets site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

  27. Managers must perform, at a minimum, quarterly audits of the Form 3210 Acknowledgement process for packages with PII to ensure appropriate follow-up is occurring. This procedure will allow IRS managers the opportunity to validate that PII senders are following up on Form 3210 Acknowledgments within defined time frames so that lost shipments are identified quickly. This reduces the likelihood that the PII could be exposed to an unauthorized user. Local management must determine the proper follow-up time frame as part of the manager’s operational review. Maintain Form 3210 following the existing record retention schedule for each Business Unit.

  28. For more information, refer to the PII Hardcopy Shipping page on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

  29. Refer to IRM 1.15.5, Relocating/Removing Records, for shipping records (such tax or personnel records) to the Federal Records Centers.

Faxing
  1. Protect faxed SBU data (including PII and tax information) as with any other transmission of SBU data.

  2. Use secure encrypted email internally, if possible, as an alternate way to send SBU data, instead of using a stand-alone fax machine. Scan, encrypt, and internally email documents that include SBU data. Do not email taxpayers or their representatives. See also the Email section in IRM 10.5.1.6.8 for more information.

  3. If you must fax the information, do not send SBU data to a fax machine without contacting the recipient to arrange for its receipt.

  4. When transmitting SBU data via fax, use Enterprise Electronic Fax (EEFax) as the preferred method of faxing documents. Refer to IRS Electronic Fax System section of IRM 21.2.3, Systems and Research Programs, Transcripts, or the EEFax site on IRS Source.

  5. For more information on securely faxing documents, refer to the Facsimile and Facsimile Devices and AC-20 Use of External Information Systems - Control Enhancements sections of IRM 10.8.1.

Printing
  1. Protect printed documents with SBU data and follow the IRS Clean Desk Policy in all work locations (including field and telework).

  2. Minimize the printing of SBU data to what is explicitly necessary.

  3. Properly store and dispose of printed materials. See also the Storage section, IRM 10.5.1.6.6, and the Disposition and Destruction section, IRM 10.5.1.6.10.

  4. Use only IRS-furnished (not personally owned) printers. Refer to the AC-20 Use of External Information Systems and Personally-Owned and Other Non-Government Furnished Equipment sections of IRM 10.8.1.

Text Messaging (Texting)
  1. IRS personnel must not use text messaging (texting) for official business.

  2. Refer to the Preserving Electronic Messages section of IRM 1.15.6, Managing Electronic Records.

  3. Refer to the Telecommunication Devices section of IRM 10.8.1.

Electronic
  1. Electronic transmission addresses uploading or downloading, secure file transfer, file sharing, peer-to-peer (P2P), firewall rules, collaborative technology and systems, and blacklisted sites.

  2. For more information about securing electronic transmissions, refer to those key words in IRM 10.8.1 and the CSIRC Firewall Rule Set Configuration Management section in IRM 10.8.54, Information Technology (IT) Security, Minimum Firewall Administration Requirements.

  3. For more information about secure emailing, see also the Email section in IRM 10.5.1.6.8.

Information Privacy During Office Moves
  1. When moving an office or material, make plans to protect and account for all SBU data (including PII and tax information), as well as government property. Consider the relevant factors of the move (such as the distance involved and the method used in making the move).

    1. Keep SBU data in locked cabinets or sealed packing cartons while in transit.

    2. Maintain accountability to ensure that cabinets or cartons do not become misplaced or lost during the move.

  2. Take precautions equal with the type and value of property and data involved.

Disposition and Destruction

  1. Documents with SBU data (including PII and tax information), also known as sensitive waste material, must be destroyed by properly shredding, burning, mulching, pulping, or pulverizing beyond recognition and reconstruction. If other sources for these requirements conflict, use the most stringent requirements. [TD P 15-71, Treasury Security Manual, Chapter III, Section 16, Destruction of Classified and Sensitive Information, and Section 24, Sensitive But Unclassified Information]

    1. Note:

      While PGLD owns this policy, FMSS owns the Sensitive Document Destruction (SDD) program. Refer to the FMSS SDD program site on IRS Source.

  2. Sensitive waste material may include, but is not limited to, extra copies, photo impressions, microfilm, printouts, computer tape printouts, IDRS printouts, notes, work papers, CDs, USB drives, or any other material with SBU data (including PII and tax information) which has served its purpose.

  3. Bring all sensitive waste material for destruction into the office for proper disposition, even when teleworking with access to a shredder at home. It’s not necessary to transport sensitive waste in a locked receptacle; however, you must still be careful to protect it during transit.

    Note:

    In exigent circumstances, or if under evacuation orders, work with your manager to safely arrange this.

  4. Do not discard sensitive waste material, including that shredded with non-compliant equipment, in regular trash bins.

  5. Protect sensitive waste as you do any other SBU data (including PII and tax information). The fact that material has been identified for destruction does not change the requirement to provide proper protective measures. Protect sensitive waste material as required for the most protected item.

  6. Maintain waste material in a secured (locked) container in a secured area to prevent SBU data from unauthorized disclosure or access.

    Note:

    The only exception to this policy is for pipeline activities subject to a Clean Desk Policy waiver. See also the Clean Desk Policy section in IRM 10.5.1.5.1.

  7. Although IRS personnel might know the proper methods of destroying tax data, management must reinforce this knowledge by including document destruction as a topic in orientation sessions, periodic group meetings, and other awareness sessions.

  8. Managers must periodically review work areas to ensure employees discard sensitive waste material properly.

Hardcopy Paper Disposition and Destruction
  1. Place hardcopy waste material with SBU data in locked receptacles specifically marked for sensitive document destruction (SDD or shred bins). This includes material shredded with non-compliant equipment that does not meet requirements.

    Exception:

    Burn bags/shred boxes for Temporary Storage. [TD P 15-71, Treasury Security Manual, Chapter III, Section 16, Destruction of Classified and Sensitive Information]

  2. For one-step destruction of paper with SBU data, use cross-cut shredders which produce particles that are 1 mm x 5 mm (0.04 in. x 0.2 in.) in size (or smaller), or pulverize/disintegrate paper materials using disintegrator devices equipped with a 3/32 in. (2.4 mm) security screen. [NIST SP 800-88, Guidelines for Media Sanitization]

    Note:

    When shredding, the same equipment approved for destroying Secret and/or Confidential classified information (NSI) must be procured and used. See the current National Security Administration/Central Security Service (NSA/CSS) Evaluated Products List (EPL) for compliant shredders. [TD P 15-71, Treasury Security Manual, Chapter III, Section 16, Destruction of Classified and Sensitive Information]

  3. For multi-step destruction of paper, you may use non-compliant methods for the first step, if the product is then destroyed in a manner that renders it unreadable, indecipherable, and irrecoverable. [32 CFR 2002]

Electronic Disposition and Destruction
  1. For electronic media destruction requirements (for items such as magnetic media, diskettes, hard disks, CDs, external drives, USB drives, or other storage devices), refer to the MP-6 Media Sanitization section in IRM 10.8.1 and follow NIST SP 800-88, Guidelines for Media Sanitization.

  2. Refer to the Media Destruction Shipping Procedures page on IRS Source for disposal of electronic media.

  3. Do not put electronic media with hardcopy paper in the sensitive document destruction bins.

Microforms Disposition and Destruction
  1. For microforms with SBU data (microfilm, microfiche, or other reduced image photo negatives): [NIST SP 800-88, Guidelines for Media Sanitization]

    1. Destroy microforms by burning.

    2. Do not put microforms with hardcopy paper in the sensitive document destruction bins.

Temporary Storage Disposition and Destruction
  1. For temporary storage, while waiting for destruction of sensitive waste, you don’t have to put it in a locked receptacle if you follow these requirements for burn bags or shred boxes:

    1. SBU data to be destroyed may be torn and placed in sealed opaque containers, commonly known as burn bags or shred boxes, so that the sensitive information is not visible.

    2. Protect burn bags or shred boxes awaiting destruction while in your custody.

    3. Ensure burn bags or shred boxes only are collected and contents destroyed by cleared contractor personnel or facilities maintenance personnel, or persons authorized by IRS privacy, records, or security officials.

    4. If not in your custody, store burn bags or shred boxes within a Sensitive Compartmented Information Facility (SCIF) or security-approved open storage area pending collection by authorized personnel.

    5. Never leave unattended any burn bags or shred boxes located outside a SCIF or open-storage area.

    [TD P 15-71, Treasury Security Manual, Chapter III, Section 16, Destruction of Classified and Sensitive Information]

Records Management Disposition and Destruction
  1. Ensure IRS records (hardcopy and electronic), including those with PII, are managed appropriately and follow the Records Control Schedules (RCS) Document 12990 and General Records Schedules (GRS) Document 12829 to prevent unlawful/unauthorized destruction of records.

    Note:

    An approved Form 11671, Certificate of Records Disposal for Paper or Electronic Records, is required prior to destruction of any original federal records. Refer to IRM 1.15.3, Records and Information Management, Disposing of Records.

  2. Disposition and destruction of tax information must follow the Records and Information Management IRM 1.15.2, Types of Records and Their Life Cycle, IRM 1.15.3, Disposing of Records, and IRM 1.15.6, Managing Electronic Records.

Contractors Disposition and Destruction
  1. Unshredded sensitive information may be turned over to a contractor provided the contract includes necessary safeguards that will ensure compliance with IRC 6103(n) requirements, provides for periodic safeguard reviews, and includes language describing methods of collection, pick-up, storage, and disposition.

  2. In the event tax information media is to be collected and destroyed by an independent contractor, to preclude the necessity of having an IRS employee present during destruction, the contract must include the safeguard provisions required by IRC 6103(n) and regulations.

    1. The provisions of the contract must allow for IRS inspection of the contractor facility and operations to ensure the safeguarding of IRS information.

    2. Contractors must maintain waste material in a secured (locked) container in a secured area to prevent SBU data from unauthorized disclosure or access.

  3. CORs will periodically review work areas to ensure that contractors are discarding sensitive waste material properly.

  4. CORs will conduct periodic unannounced inspections at the off-site contractor facilities (including cloud service providers) where contractors handle IRS SBU data. Document results of these inspections, including identification of any privacy, records, or security issues, and document verification that the contractor has taken proper corrective actions on any privacy, records, or security issues observed or identified.

Recycling Disposition and Destruction
  1. Do not place paper documents with SBU data in regular recycling containers. Instead, place them in clearly marked secured containers (sensitive document destruction bins).

  2. The preferred approach is that sensitive information be segregated and shredded following guidelines contained in Disposition and Destruction, IRM 10.5.1.6.10, prior to turning it over to the recycler.

  3. Another method is to have IRS personnel observe the destruction of sensitive information upon delivery to the recycler. This allows for destruction of sensitive information while maintaining custody of the material up to the moment of destruction. Again, the contractor must be in compliance with IRC 6103(n) requirements which provides for safeguards and periodic safeguard reviews. However, we don’t recommend this method because of the resource requirements.

Global Positioning Systems (GPS) and Location Services

  1. Policy for personally owned GPS device usage and location services (geolocation) on devices balances the business needs of field employees voluntarily using these devices and the privacy and security concerns related to the SBU data that might be contained in the devices. The purpose of the following is to minimize the risk of exposing SBU data and to prevent unauthorized disclosures. [IRC 6103, Privacy Act]

Global Positioning Systems (GPS)
  1. This exception for the use of personally owned GPS devices is limited to GPS functions only. For example, this does not apply to the use of the non-GPS functions on personally owned mobile computing devices.

  2. Input only taxpayer address information into the GPS device, and delete this information from the device once it is no longer necessary. Never input individual or business taxpayer names into the device.

  3. Do not connect the GPS device to an IRS computer, as the device has the potential to introduce computer viruses and malware into the IRS network.

  4. If available, use a security personal identification number (PIN) code with the device to help protect the privacy of tax information in the event the device is lost or stolen.

  5. Take every precaution to prevent the GPS device from being left unattended or unsecured.

  6. Remove portable GPS devices from vehicle when not in use as circumstances permit. In those limited instances where you must leave a portable device in a locked vehicle, store it out of sight in the trunk or glove compartment.

  7. Never leave portable GPS devices in a vehicle overnight.

  8. Do not leave the portable GPS device and any mounts in an unattended vehicle in plain sight. After removing mount, clean the suction cup mount area because it can leave marks on the windshield/dashboard showing that a GPS or other device may be present in the vehicle, increasing the risk of a break-in.

  9. Report the loss or theft of a GPS device with taxpayer addresses (whether a government-issued GPS or a personally-owned GPS), as a potential breach of PII:

    1. Immediately upon discovery of the loss or theft, the employee must report the potential breach to the employee’s manager and the appropriate organizations based on what was lost or disclosed.

    2. For more information about how to report an incident, refer to IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the IM site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Location Services
  1. We strongly encourage you not to use your personal devices (such as phones, tablets, fitness watches, or wearable devices) or applications on them to identify taxpayer or work addresses with location services, geotagging, or GPS features or any social media accounts (Facebook Check In, Find My Friends, etc.). Geotagging pinpoints location, which might inadvertently reveal a taxpayer’s home or business, or show activities and location at an IRS office. You should use an IRS-furnished device (if issued) when locating and receiving directions to taxpayer addresses.

    Caution:

    This includes infectious disease exposure notification applications built into your phone.

  2. When using services that need location, try to avoid using an exact taxpayer address if it might pinpoint the IRS has an interest in the taxpayer.

Telework

  1. Special privacy considerations arise in the telework environment. Like all IRS personnel, teleworking personnel have a responsibility to safeguard SBU data (including PII and tax information). Unique potential risks, such as family members accidentally taking case files left out on a desk, or overhearing phone calls with tax information, create the need for more guidelines.

  2. Except for those documents received in a field environment, high security items (see also the High Security Items section in IRM 10.5.1.2.9) must not be transported to a telework location. [Telework Enhancement Act of 2010; Treasury Telework Program policy, TN-18-001; OMB Guide to Telework in the Federal Government; NIST 800-46, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security]

  3. For more information on Telework requirements, refer to IRM 6.800.2, Employee Benefits, IRS Telework Program.

  4. Be aware of your environment as you conduct business at an approved telework location.

  5. When setting up a home office, you should evaluate the nature of your work and the level of sensitivity around the information you handle on a day-to-day basis, per the Equipment and Furniture section of IRM 6.800.2.

  6. Do not use an unsecured wireless access point (wi-fi hotspot) as a regular telework location. For more information about secured wireless access points (wi-fi hotspots), refer to the AC-18 Wireless Access section in IRM 10.8.1.

    Note:

    If you use a hotspot temporarily (not as a permanent Telework solution), it must be secured, so you must add security with a password. Refer to How to use your iPhone as a Hotspot. Ensure you only use secured wi-fi networks when working at their designated worksite (approved telework location or approved lodging) and adhere to this guidance for protecting taxpayer’s privacy and safeguarding confidential information.

  7. Teleworking personnel should adhere to the following guidelines. For bargaining unit employees, should any of the guidelines conflict with a provision of a negotiated agreement, the agreement will prevail. Individual office practices may supplement this information.

  8. Teleworking personnel should consider:

    1. If possible, set home office designated workspace apart from the rest of the house, ideally with a door that can be secured.

    2. Avoid frequent interruptions or working within listening distance of others, per the Relatives of IRS employees and Protecting Confidentiality section of IRM 11.3.1.

    3. Apply the Clean Desk requirements to data left out in work areas, credenzas, desktops, fax, copy machines, and in/out baskets. When away from the desk, secure SBU data in a locked room, locked file cabinet, or a locked desk, per the Clean Desk Policy section in IRM 10.5.1.5.1.

    4. Whenever possible, conduct phone conversations in private settings or in locations that minimize the potential for eavesdropping. Contain telephone calls that include audible SBU data within a closed office environment or out of the listening range of others. See also the Cell Phone or Cordless Device section in IRM 10.5.1.6.7.1.

    5. To properly transmit SBU data, follow the Other Forms of Transmission section and subsections in IRM 10.5.1.6.9 for field and travel, mailing, shipping, electronic, faxing, printing, and phone. This includes securely transporting SBU data to the office for shredding.

    6. If possible, minimize the printing of SBU data to what is explicitly necessary.

    7. To properly dispose of SBU data, see also the Disposition and Destruction section in IRM 10.5.1.6.10.

      Note:

      Bring all SBU data for destruction into the office for proper disposition.

    Note:

    For more information, refer to the Telework Privacy Considerations on the PGLD Disclosure and Privacy Knowledge Base site on IRS Source.

  9. Digital assistants, smart devices, Internet of Things (IoT), and other devices that can record or transmit sensitive audio or visual information must not be allowed to compromise privacy in the work or telework environment. These devices typically have sensors, microphones, cameras, data storage components, speech recognition, GPS or location options, and other multimedia capabilities. These features could put the privacy of personnel and/or taxpayers at risk due to the personal information that might be unwittingly disclosed. When working on any form of SBU data (including PII and tax information), follow these rules:

    1. Treat the device as if it were another person in the room because many such devices and applications can record and/or transmit data when activated. To protect privacy, the personnel must mute or disable the listening/detecting features of the device so that SBU data is not sent to the device or anything to which it is connected.

    2. If the device or application can take photos or record video or sound, then the personnel must not do sensitive work within visual or audio range.

    These devices/applications include (but are not limited to the examples provided):
    • Digital assistants (such as Dot or Echo hardware using Alexa software, HomePod using Siri, etc.).

    • Voice-activated devices and smartphone applications (such as Siri, Google Now (“Okay Google”), or Alexa on phones, tablets, etc.).

    • Non-IRS-approved video-chatting apps (FaceTime, SnapChat, etc.).

    • Internet of Things (IoT) equipment (devices, systems, etc.).

    • Internet-connected toys (Cloud Pet, Smart Toy, Hello Barbie, etc.) that might record and transmit.

    • Security systems and webcams in the telework environment.

    • Smart TVs or auxiliary equipment (if includes voice activation).

    • Operating systems/applications (such as Windows 10, Cortana, etc.) that allow voice commands.

    • Home surveillance, security, and video/audio: Webcams on personal devices in the home, security cameras/microphones.

    For more information about privacy risks of Internet-connected toys, refer to the FBI’s Public Service Announcement, “Consumer Notice: Internet-Connected Toys Could Present Privacy and Contact Concerns for Children:”
    https://www.ic3.gov/media/2017/170717.aspx

Bring Your Own Device (BYOD)

  1. Bring Your Own Device (BYOD) is a concept that allows personnel to utilize their personally‐owned technology devices to stay connected to, access data from, or complete tasks for their organizations. At a minimum, BYOD programs allow users to access employer‐provided services and/or data on their personal tablets/e-readers, smartphones, and other devices.

  2. To protect the privacy of the tax information, BYOD participants must:

    1. Use only IRS-approved applications.

    2. Refrain from using devices in public settings where others might overhear conversations involving SBU data (including PII and tax information) or where others might see screens with this information. See also the Cell Phone and Cordless Device section in IRM 10.5.1.6.7.1

    3. Follow the terms in the Personally-Owned Mobile Device Acceptable Use Agreement, including, but not limited to:
      1. Report lost or stolen devices timely and accurately.
      2. Follow procedures for removal of the IRS-approved mobile device business software if changing your device or leaving the program.
      3. Adhere to all applicable laws, regulations, rules, policies, and procedures, including Federal Records Act, Office of Government Ethics Standards of Ethical Conduct, and the Department of the Treasury Employee Rules of Conduct.

    Note:

    This program protects the privacy of the taxpayer. All BYOD users must acknowledge having no expectation of privacy for any information on their use of the IRS-approved mobile device business software on their mobile devices.

  3. For your privacy, you may block the outgoing phone number of the personal device per IT4U BYOD guidance on IRS Source.

    Note:

    The Fair Debt Collection Practices Act (FDCPA) does not prohibit this practice by the IRS. The IRS is not a creditor or debt collector under the FDCPA. Section 803 (6) of the FDCPA defines the term "debt collector," and specifically excludes in (C) "any officer or employee of the United States or any State to the extent that collecting or attempting to collect any debt is in the performance of his official duties."

  4. Refer to IRM 10.8.26, Government Furnished and Personally Owned Mobile Computing Device Security Policy, and IRM 10.8.27, IRS Policy on Limited Personal Use of Government IT Resources.

  5. For more information about BYOD, refer to the IT4U BYOD site on IRS Source.

Civil Liberties

  1. Privacy and civil liberties often overlap.

  2. Civil liberties are the rights of people to do or say things that are not illegal without being stopped or interrupted by the government (due process). For example, the U.S. Constitution’s Bill of Rights guarantees civil liberties:
    https://www.archives.gov/founding-docs/bill-of-rights

  3. The Privacy Act provides for privacy and civil liberties protections, outlined in the First Amendment section in IRM 10.5.1.6.14.1 and detailed in the Recordkeeping Restrictions section of IRM 10.5.6, Privacy Act.

  4. The Taxpayer Bill of Rights (TBOR) lists rights that already existed in the tax code, putting them in simple language and grouping them into 10 fundamental rights. Employees are responsible for being familiar with and acting in accord with taxpayer rights. See IRC 7803(a)(3), Execution of Duties in Accord with Taxpayer Rights. For additional information about the TBOR, see https://www.irs.gov/taxpayer-bill-of-rights. The TBOR requires the IRS to protect taxpayer rights to privacy (with due process) and confidentiality as essential rights that help protect their civil liberties:
    https://www.irs.gov/taxpayer-bill-of-rights

  5. The Privacy Act also allows for due process rights, as it forms the basis for the IRS Privacy Principles.

  6. Many existing privacy policy and compliance requirements, including the IRS Privacy Principles, also protect civil liberties. For example, the principle of Data Quality ensures fair treatment [PVR-07]. The principle of Access, Correction, and Redress ensures due process [PVR-09], as do the principles of Openness and Consent [PVR-04], and Verification and Notification [PVR-08].

  7. The IRS further addresses civil liberties protections through the PCLIA. The PCLIA reinforces Privacy Act requirements for the collection of First Amendment activities information and monitoring of individuals (see also the Monitoring Individuals section in IRM 10.5.1.6.14.3).

  8. Refer to IRM 10.5.2 for more information on the PCLIA process.

  9. For more information, refer to the Recordkeeping Restrictions section of IRM 10.5.6, Privacy Act.

  10. For more information, refer to Treasury’s Privacy and Civil Liberties Impact Assessment (PCLIA) Template and Guidance.

First Amendment
  1. The Privacy Act prohibits federal agencies from maintaining records on how any individual exercises their First Amendment rights unless certain exceptions apply.

  2. First Amendment rights include religious and political beliefs, freedom of speech and of the press, and freedom of assembly and petition.

  3. Congress intended agencies to apply the broadest reasonable interpretation when determining whether a particular activity is a right guaranteed by the First Amendment.

  4. IRS personnel must not keep files of persons who are merely exercising their constitutional rights.

  5. IRS personnel involved in the design, development, operation, or maintenance of any system of records subject to the Privacy Act must be aware of the restrictions on maintaining records on the exercise of First Amendment rights and alert to any potential violation of those restrictions.

  6. Taxpayers must report income and provide information necessary to verify deductions on their tax returns. The IRS may collect such information although, in some instances, this data may reveal how individuals exercise their First Amendment rights, such as religious affiliation, group membership, or political preference. The IRS may collect this information because statutory exceptions apply. [Privacy Act; PVR-02]

  7. For more information, refer to the Recordkeeping Restrictions section of IRM 10.5.6, Privacy Act.

Recordings in the Workplace
  1. Widely available electronic recording and monitoring equipment (such as digital cameras and smartphones) raise privacy and security concerns. IRS personnel must not make recordings or conduct monitoring of any type (including, but not limited to, audio, video, photographic, or infrared) in IRS facilities without a business need and prior FMSS approval (except audio recordings, which require direct supervisor approval) or at alternative duty stations duties remote to the conventional office site (e.g., satellite locations, employee’s residence). Refer to the Photography and Video Recordings Prohibition and the Alternative Duty Stations - IRS Telework Program sections of IRM 10.2.11, Physical Security Program, Basic Security Concepts.

  2. Privacy concerns for recording in the workplace center around individual employee privacy and the potential disclosure of SBU data (including PII and tax information).

  3. The law for recording others in the workplace varies by state, but many states require consent of both the recording individual and the recorded individual. To protect individual employee privacy, IRS policy prohibits most recordings because of such variations.

  4. IRS personnel may use their smartphones (or other devices with recording capabilities) in the workplace. However, you must take reasonable precautions that no unauthorized recordings or disclosures occur. When working on any form of SBU data (including PII and tax information), such precautions include muting or disabling voice-activated devices and smartphone applications (such as FaceTime, Siri or Google Now (“Okay Google”) on phones, tablets, etc.). For more information about precautions, see also the Telework section in IRM 10.5.1.6.12 about digital assistants, smart devices, IoT, and other devices that can record or transmit sensitive audio or visual information.

  5. Certain circumstances allow for limited recording in the IRS workplace. They include:

    1. Approval and Consent: When approval authority approves the business need, and all participants consent to the recording beforehand, an employee may make a recording in the IRS workplace.

    2. Service Quality Control: Employees may make recordings when performed to determine the quality of service delivery, such as with Contact Recording.

    3. Taxpayer Interviews: Taxpayers may request to audio record in-person interviews, with prior notice to the IRS, and the IRS may record those interviews, under IRC 7521(a)
      Refer to IRM 4.10.3, Examination of Returns, Examination Techniques; IRM 5.1.12, Field Collecting Procedures, Cases Requiring Special Handling, and IRM 25.5.5, Summons, Summons for Taxpayer Records and Testimony.

    4. Investigation: This policy does not apply to criminal investigations or official investigations relating to the integrity of any officer or employee of the IRS. Refer to IRC 7521(d)

    5. Employee Education: When used for employee education, employees may make recordings using IRS-issued software applications or platforms, such as Adobe Articulate, Skype, or Saba Centra.

    6. Reasonable Accommodation: When performed by an individual with a disability as part of an approved reasonable accommodation, certain recordings may be allowed. Refer to IRM 1.20.2, Equal Employment Opportunity and Diversity, Providing Reasonable Accommodation for Individuals with Disabilities.

    7. Labor Relations: The policy is not intended to and should not be interpreted to interfere with employee rights to engage in concerted activity under the National Labor Relations Act. For more information, refer to IRM 6.432, Performance Base Reduction in Grade and Removal Actions; IRM 6.711, Labor-Management Relations; IRM 6.751, Discipline and Disciplinary Actions; IRM 6.752, Disciplinary Suspensions and Adverse Actions; and IRM 6.771, Agency Grievance System.

  6. If you receive proper approval and consent to make a recording or take a photograph, you must not record or photograph SBU data (including PII and tax information). Ensue those items are not in view or earshot of the device.

  7. If SBU data (including PII and tax information) appears in an electronic recording nonetheless, you must protect the recording as SBU data and must not disclose the information unless a statutory exemption applies under IRC 6103 or the Privacy Act (depending on the nature of the data).

  8. For more information, refer to IRM 10.8.26; IRM 11.3.1, Introduction to Disclosure; and IRM 10.5.6, Privacy Act.

Monitoring Individuals
  1. The IRS needs to conduct some monitoring of individuals to protect federal systems, information, and personnel. Examples of such monitoring include access logs to IRS facilities and audit trails that monitor IT usage. [Privacy Act]

  2. However, limitations still exist on use of any PII collected, with sharing on a need-to-know basis for its intended use only. [Privacy Act]

  3. Monitoring of the public outside IRS facilities must not occur without first consulting Privacy Policy [Treasury’s Privacy and Civil Liberties Impact Assessment Template and Guidance]. For help, email *Privacy.

    Note:

    This policy does not apply to criminal investigation activities. Refer to IRM 9.4.6, Surveillance and Non-Consensual Monitoring.

  4. For more information about the limitation of monitoring individuals, refer to the Privacy Act Recordkeeping Restrictions section of IRM 10.5.6, Privacy Act.

  5. The IRS PCLIA addresses these limitations. For more information about PCLIAs, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program.

Contractors

  1. The IRS has privacy obligations for contractors with access to SBU data (including PII and tax information). As outlined in the IRS Privacy Principle of Accountability and NIST Privacy Controls, the IRS must:

    1. Establish privacy roles, responsibilities, oversight, and access requirements for contractors and service providers throughout the privacy lifecycle. [OMB A-130]

    2. Include privacy requirements for all relevant stages of the privacy lifecycle in contracts and other acquisition-related documents.

    3. Follow Privacy Act requirements for contractors, outlined in the Publication and Reporting section of IRM 10.5.6, Privacy Act.

  2. Employees responsible for procurement activities on contracts that involve SBU data (including PII and tax information) must therefore:

    1. Ensure inclusion of all tax, privacy, and security clauses in contracts as required in IRM 11.3.24, Disclosures to Contractors.

    2. Ensure inclusion of necessary clauses in all contracts and provision of appropriate safeguards before disclosing any necessary SBU data (including PII and tax information) and/or Privacy Act information to a contractor.

    3. Ensure contractors (including non-IRS procured contractors) take required privacy, security, disclosure, records management, and UNAX training and complete Non-Disclosure Agreements (NDAs) within the required time frames per CSM instructions. [OMB A-130]

      Note:

      To be authorized, all personnel must complete required training (IRS annual and role-based privacy, information protection, and disclosure training requirements, Unauthorized Access [UNAX] awareness briefings, records management awareness briefing, and all other specialized privacy training) and background investigations before given access to SBU data (including PII and tax information). [OMB A-130]

    4. Ensure the contractor receives a copy of the approved PCLIA, if one is required. For more information on the PCLIA process, refer to IRM 10.5.2.

    5. Ensure each contractor employee receives a background investigation appropriate for the risk level designation associated with the contracted work (often Moderate for access to SBU data).

      Note:

      Any staff-like access (facilities, systems, or SBU data) requires completion of a favorable suitability/fitness determination (background investigation) conducted by IRS Personnel Security.

    6. Ensure contractors with access to SBU data comply with IRM 10.8.1, as well as the relevant 10.8 series IRMs or Pub 4812, Contractor Security Controls, which requires:
      1. All contracting actions with SBU data (including PII and tax information), with some exceptions, carry a Moderate impact security level.
      2. Contracts with staff-like access to FISMA systems carry a High impact security level.

      Note:

      These are security impact levels, not background investigation levels.

    [PVR-01]

  3. Refer to IRM 10.23.2, Contractor Investigations, or the Procurement site on IRS Source.

Online Data and Privacy Notices

  1. Do not post SBU data (including PII and tax information) online, including IRS official internal or external websites or cloud-based systems or services, unless secured with IT-approved access controls by the IRS (or by an IRS vendor bound by contract to protect the information). [NIST SP 800-122, TD P 85-01]

    Note:

    However, this policy does not apply to SBU data the IRS proactively makes available to all IRS personnel on internal resource sites (including, but not limited to, Discovery Directory, Outlook (calendar, profile information, and address book), intranet, and SharePoint site collections), such as names, SEID, and business contact information.

  2. Do not use persistent cookies or other tracking devices to monitor the public's visits on an IRS Internet site, except as authorized by OMB regulations.

  3. Online data may require several types of notices:

    1. An IRS-approved IT system use notification message (refer to the AC-8 System-Use Notifications section of IRM 10.8.1).

    2. Link to IRS.gov Privacy Policy (see also the IRS.gov Privacy Policy Notice section in IRM 10.5.1.6.16.1).

    3. A website or application Privacy Policy notice (see also the Website or Application Privacy Policy Notice section in IRM 10.5.1.6.16.2).

    4. Privacy Policy Departure Notice (see also Privacy Policy Departure Notice section in IRM 10.5.1.6.16.3).

    5. Privacy Act Notice (if collecting data on a form).

      Note:

      Online privacy policy statements differ from Privacy Act notices required by the Privacy Act on forms that ask individuals to supply Privacy Act-protected information. For more information on the Privacy Act notification programs, refer to IRM 10.5.6, Privacy Act.

  4. For any Privacy Policy notice approval, email *Privacy.

  5. For more information on authentication of individuals in online transactions, see also the Electronic Authentication section in IRM 10.5.1.7.10. For more information on online accessible storage, see also the Online Accessible Shared Storage section in IRM 10.5.1.6.18.6.

IRS.gov Privacy Policy Notice
  1. The IRS Internet privacy policy notices on IRS.gov inform the public of the information collection procedures and the privacy measures in place for a particular Internet website or activity. [E-Government Act, OMB A-130, OMB-03-22, PVR-04]

  2. Post the IRS privacy policy notices at every major entry point to an IRS Internet website or application, as well as on any page collecting substantial personal information from the public. The requirement includes, at a minimum, a link to the IRS.gov privacy policy. It also may include a unique privacy policy for that website.

  3. The IRS privacy policy notice is:

    1. An overview of IRS privacy practices.

    2. A description of any information collected and stored automatically by the system and how the IRS will use this information.

    3. An explanation of how the IRS will use any PII submitted by the Internet visitor.

    4. A notice that security and intrusion protection measures are in place.

  4. Refer to the overarching IRS.gov Internet Privacy Policy notice:
    https://www.irs.gov/privacy

Website or Application Privacy Policy Notice
  1. A unique privacy policy for a website or application can detail the differences from the IRS.gov privacy policy. This policy applies to any website or application hosted by or for the IRS. [E-Government Act, OMB A-130, OMB-03-22, PVR-04]

    Note:

    If the website or application is asking for SBU data (including PII or tax information), then the website or application needs to explain its use of the data.

  2. The website or application privacy policy must still link to the IRS.gov Privacy Policy.

  3. A simple example, with blanks to fill in the details pertinent to the website or application, is:

    _____ Privacy Policy
    This privacy policy describes the use of your personal information including _____.
    To prevent fraud and identity theft, the IRS does not send unsolicited emails or text messages to taxpayers or businesses with any IRS related information or requesting your personal information such as name, address, social security number (SSN), taxpayer identification number (TIN), Employer Identification Number (EIN) and tax history.
    To participate in _____, you will be required to provide _____ for the IRS to _____. By agreeing to use the IRS _____, you give the IRS permission to _____. You will have the ability to opt-out of this at any time by_____.

  4. More complicated policy notices might be needed if the website or application is more complex.

Privacy Policy Departure Notice
  1. Any IRS Internet website (or link to a third-party site for the IRS) that links to external sites must post a departure notice. This notice alerts Internet visitors that they are about to leave the IRS website and its privacy practices. It advises them to review the website privacy practices for the website they are about to enter. Refer to the IRS Internet Departure Notice page on the IRS Source. [PVR-04]

Intranet Privacy Policy
  1. IRS Intranet (for example, IRS Source) privacy policy notices inform personnel of the information collection procedures and the privacy measures in place at a particular intranet site or activity.

  2. Post the IRS privacy policy notice at every major entry point to an intranet site, as well as on any page collecting personal information from an individual.

  3. The IRS intranet privacy policy notice is:

    1. An overview of IRS privacy practices.

    2. A description of any information collected and stored automatically by the system and the how IRS will use this information.

    3. An explanation of how the IRS will use any PII submitted by the individual.

    4. A notice that security and intrusion protection measures are in place.

    5. The notice is available on the IRS intranet.

  4. Any IRS intranet site or page that links to external sites must post a departure notice. This notice alerts IRS personnel that they are about to leave the IRS website and its privacy practices. It advises them to review the privacy practices on the website that they are about to enter. Refer to the IRS Intranet departure notice on IRS Source.

  5. Do not use persistent cookies or other tracking devices to monitor an individual's visit to IRS intranet sites, except as authorized by OMB regulations.

Social Media

  1. The IRS uses social media to share the latest information on tax changes, initiatives, products, and services. To expand reach to taxpayers and stakeholders, the IRS shares information on several social media platforms, including Twitter, Facebook, and LinkedIn.

  2. Because the use of social media allows potential direct interaction with the public, the IRS implemented specific rules to ensure only authorized employees speak in an official capacity. Except for approved IRS communicators handling official IRS media initiatives, the IRS does not authorize you to use social media in an official capacity. Refer to the Social Media Guidelines for IRS Employees site on IRS Source.

  3. For more information about Internet research guidelines, refer to the Use of Social Networking and Other Internet Sites by IRS Employees for Compliance Research or for Other Purposes section in IRM 11.3.21, Investigative Disclosure

  4. Personal, non-work usage of these social media tools on personal devices must not compromise the confidentiality of SBU data (including PII or tax information) or the integrity of the IRS. Except for approved IRS communicators handling official IRS media initiatives, the IRS does not authorize you to use social media in an official capacity and should follow the Communications and Liaison guidelines. Refer to the Social Media site on IRS Source.

  5. To use any existing IRS social media tools in communications plans or outreach initiatives, business units must use the appropriate social media authorization form or contact the appropriate social media platform owner.

  6. If an IRS organization would like to consider use of a new social media platform, they must submit a New Media Use Authorization Form for approval by the IRS Social Media Governance Council, along with a Social Media PCLIA.

  7. For more information on Social Media PCLIAs, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program, or the Social Media site on IRS Source.

Data on Collaborative Technology and Systems

  1. This policy does not apply to PII the IRS proactively makes available to all personnel on resource sites (including, but not limited to, Discovery Directory, Outlook (calendar, profile information, and address book), intranet, and SharePoint site collections), such as names and business contact information.

  2. Some of the privacy risks associated with collaborative data sites include:

    1. Breaches and inadvertent disclosures.

    2. Unauthorized access of data without a need to know.

    3. Sharing data without proper permissions or authorizations.

  3. The data residing on collaborative data sites require privacy protections. These protections must include:

    1. Controlling access to the sites (both as a user and as an administrator).

    2. Controlling what data is shared on the sites.

    3. Ensuring privacy and security controls are in place.

  4. Refer to the SC-15 Collaborative Computing Devices section in IRM 10.8.1 for more information.

Shared Calendar
  1. You may place information that is not SBU data (including PII and tax information) on all calendars without restriction.

  2. You must not post SBU data (including PII and tax information) on public calendars with uncontrolled access.

  3. The following applies any time a business needs to enter some form of SBU data (including PII and tax information) on a shared calendar:

    1. Assign permissions on the calendar to limit access to only those people with a need to know the information.

    2. Encrypt any attachments to the calendar that contain SBU data (including PII and tax information) other than noted in the following sections.

    Note:

    This encryption policy does not apply to SBU data (including PII and tax information) the IRS proactively makes available to all personnel on resource sites (including, but not limited to, Discovery Directory, Outlook (calendar, profile information, and address book), Intranet, and SharePoint site collections), such as names and business contact information.

  4. For Business Unit Calendar Meetings/Appointments about Taxpayers:

    1. Place on the calendar only a portion of the taxpayer's name, the last two digits of the tax year, and any business unit-specific codes that are not sensitive PII (such as a case control number that is not an SSN and not easily linked to a taxpayer by an outside party).

    2. The abbreviated name should consist of the first four significant characters of the taxpayer entity's name (the name control):
      i. For individual taxpayers, these significant characters could include the first four letters of the individual taxpayer's last name (for example, John Finch would be "FINC," or use the IDRS name control). If the taxpayer's name consists of only four characters or fewer, you may use the entire name.
      ii. For corporations, partnerships, trusts or other such entities, the first four letters of the entity's name, excluding articles, could be the first four significant letters used (for example, "The Quail Company" would be "QUAI" , or "Bluebird Foundation" would be "BLUE" ).

  5. For Calendars for Offices with Regulatory, Investigative, and/or Advocacy Responsibilities (docketed case meetings):

    1. These requirements apply to calendars for Appeals, Chief Counsel (Counsel), Criminal Investigation (CI), Taxpayer Advocate Service (TAS), and other functions with regulatory, investigative, and/or advocacy responsibilities.

    2. When the subject matter of the meeting is a case docketed in the United States Tax Court or other judicial forum, calendar the meeting as the case name (for example, the name of the taxpayer with case number).

      Note:

      This does not violate privacy principles, as the name of the case is public record information. It falls under the judicially created public records exception. (For more information, refer to the Information Which Has Become Public Record section in IRM 11.3.11.)

    3. This practice also applies for unsealed CI matters (such as an indictment, where testimony occurred in an open proceeding, or if an official press release is issued). It would not apply for sealed federal court matters.

  6. For Calendars for Offices with Regulatory, Investigative, and/or Advocacy Responsibilities (particular taxpayer meetings):

    1. Counsel's calendar entry may use a succinct description of the subject matter and include the case control number assigned to the matter in Counsel's management information system (CASE-MIS). For example, a calendar entry for a meeting to discuss whether to pursue enforcement of a summons in the examination of taxpayer A would appear as "Summons enforcement/POSTF-x01234-56." Except for assignments of cases docketed in the U.S. Tax Court (see previous section), this case control number is not public record and not PII that must be encrypted. So long as the shared calendar is accessible only by Counsel employees whose work requires them to know of such meetings, encryption is not necessary. An invitee could then access CASE-MIS to ascertain the identity of the taxpayer about whom the summons enforcement matter is to be discussed.

    2. CI may use the Criminal Investigation Management Information System (CIMIS) investigation number.

    3. TAS, as well as Counsel to the National Taxpayer Advocate, may use the Taxpayer Advocate Management Information System number plus the first four (4) significant letters of the taxpayer entity's name.

  7. For Non-Taxpayer-Related Meetings/Appointments:

    1. An entry on the calendar for meetings with external parties doing business with the IRS (Enrolled Agents, for example) that does not concern specific taxpayers, would consist of the name of the external representative, the name of the organization (where appropriate), and/or the subject matter of the meeting.

    2. You may send any meeting-related non-taxpayer-related PII or SBU data in a separate email (with encrypted, password-protected attachments using IT-approved encryption methods) with directions in the calendar invite to look for the separate email.

    3. Examples of situations where you may use this practice include, but are not limited to:
      i. Where Counsel hosts informational meetings with external parties, such as trade groups or other professional organizations, in conjunction with its published guidance program.
      ii. Where IRS organizations meet with external parties to plan or deliver presentations or for procurement matters.
      iii. Examples of emails requiring encrypted PII or SBU data attachments in these scenarios include details on speakers (such as resumes) or procurement issues (such as contract information).

    4. You may voluntarily include your personal appointments on the calendar to ensure business appointments do not conflict.

    5. Supervisors may note absences of direct reports on their calendar to schedule meetings, assign work, and manage their work unit more efficiently.

    6. Supervisors may not include more information such as the location of those direct reports. However, official travel status and telework notations (without addresses) are acceptable supervisor calendar entries.

    7. Include leave and other personal information on shared group calendars only with the permission of the affected personnel.

Online Meeting Tools
  1. Online meeting tools include Skype for Business, Saba Centra, Webex, Zoom for Government (ZoomGov), etc. Use only enterprise-approved tools as they will have the necessary authorization and protections, such as encryption.

    Note:

    The commercial Zoom (Zoom.us) application is not an Enterprise Architecture-approved tool

  2. When using Saba Centra, Webex, ZoomGov, and other approved virtual meeting tools with encrypted communication capability for official IRS business:

    1. Ensure that the audience/recipients have given consent for this form of meeting, are authenticated, and are authorized to hear/view the material.

    2. Share SBU data (including PII and tax information) on a need-to-know basis.

    3. Avoid recording meetings. Before recording online meetings, see also the Recordings in the Workplace section in IRM 10.5.1.6.14.2.

    4. Use IRS contact information (such as email or name).

    5. Do not use personal email or device to access virtual meeting tools for official IRS business.

      Note:

      Training or publicly available information – IRS personnel may transmit non-case-related content (or information that is not SBU including PII and tax information), including links, to and from personal accounts when IT Security constraints prohibit access. See also the Emails with Personal Accounts section in IRM 10.5.1.6.8.4.

  3. IRS-approved encrypted online meeting tools may convey SBU data; however, do not use instant messaging (such as Skype) to conduct official business without saving an official record. Refer to the Use of Agency-approved Electronic Messaging Systems section in IRM 1.15.6.

  4. For more information about online meeting privacy considerations, refer to the Online Meeting Tools - Privacy Considerations section of the PGLD Disclosure and Privacy Knowledge Base site on IRS Source.

Shared IRS Storage
  1. The IRS shared network drives (such as I drive, S drive, home directories or other shared resource) are governed in part by the section SC-28 Protection of Information at Rest in IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance. This policy makes it clear that only those with a need to know may have access to SBU data (including PII and tax information) on shared drives, with tight access and controls in place. Because of these controls, encryption is not required.

  2. To protect the privacy of employee and tax information, the law and IRS policy require a PIA when the IRS uses PII in Information Technology to ensure examination and mitigation of privacy risks, with few exceptions.

  3. For more information on PIAs and PCLIAs, refer to IRM 10.5.2, Privacy Compliance and Assurance.

SharePoint
  1. Sharing data in collaborative data environments, such as SharePoint, might offer valuable benefits while having inherent privacy risks. Understanding the risks involved with sharing data on these sites allows for risk management.

  2. SharePoint access controls must limit access using site, folder, and file permissions as appropriate.

  3. Site collection owners also must ensure SharePoint users follow rules and protect privacy.

  4. A SharePoint PIA is required any time a SharePoint site collection contains SBU data (including PII and tax information). The IRS reviews these privacy protections through the SharePoint PIA process. For more information on SharePoint PCLIAs, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program.

  5. For more information on Collaborative Environments, refer to IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, and IRM 2.25.20, Integrated Enterprise Portal-Web Services, SharePoint.

Cloud Computing
  1. Before contracting for cloud services, address the necessary privacy, records management, and security policies.

  2. PGLD must approve all procurements of cloud computing services that include SBU data (including PII and tax information) via the Privacy and Civil Liberties Impact Assessment (PCLIA) process (required by the ELC).

  3. The IRS PCLIA process addresses privacy concerns for IRS systems with SBU data (including PII and tax information) using cloud computing. These issues include, but are not limited to:

    • Who is the Cloud Service Provider (CSP)?

    • Who has access to the information at the Cloud Service Provider?

    • Do other CSPs service this CSP (subcontract with), such as performing updates, maintenance, or other services?

    • What is the Cloud Service Provider’s Federal Risk and Authorization Management Program (FedRAMP) compliance status?

    • What deployment model (private, hybrid, etc.)?

    • Where does the information go?

    • Where is it stored, transmitted?

    • How is it secured? What security categorization (Low, Moderate, High)?

    • How reliable and secure is the audit trail?

    • How will monitoring be done and how often?

    • Does the CSP contract include all required privacy and security contract clauses, including those for protecting SBU data (including PII and tax information)?

    • How long must the data be maintained? When will it be destroyed?

  4. Except for systems principally supporting overseas Federal/Treasury personnel and/or activities, Treasury systems must be located and operated within the U.S. [TD P 85-01, control SA-4_T.193]

    Note:

    This includes Treasury contractor systems.

  5. PGLD and COR must provide written notification to the contractor when the contractor is allowed to maintain Government data at a location outside the U.S.

  6. Failure to comply with privacy and security policies and processes might require contract modifications.

  7. For more information on cloud computing issues and cloud deployment models, refer to IRM 10.8.24. Information Technology (IT) Security, Cloud Computing Security Policy, and IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

Online-Accessible Shared Storage
  1. Online accessible shared storage includes commercially available file-sharing sites in the cloud or private file-sharing on remote servers.

  2. Use only IRS Enterprise-approved sites. For more information, refer to the Cloud Front Door.

  3. Use only IRS identifiers (name or email) when conducting official business.

    Note:

    Never use personal email accounts for IRS business.

  4. Do not post SBU data (including PII and tax information) online, including IRS official internal or external websites or cloud-based systems or services, unless secured with IT-approved access controls by the IRS (or by an IRS vendor bound by contract to protect the information).

    Note:

    Transmission to and from online-accessible shared sites might not be secure (unless secured with IT-approved access controls by the IRS), putting the data at risk.

Training

  1. Although IRC 6103(h) (1) permits the disclosure of tax information to IRS personnel for tax administration to the extent the individual obtaining that access has a "need to know," you must avoid the use of tax information in training.

    1. Using tax information increases the risks of unauthorized disclosure and might subject the IRS to civil unauthorized disclosure actions which might then result in disciplinary actions against the offending employee(s).

    2. Use of tax information also raises issues about compliance with the IRS Taxpayer Bill of Rights, codified in IRC 7803(a)(3), which requires the IRS to protect taxpayer rights to privacy and confidentiality. While 6103(h) authorizes disclosure when information is helpful in performing tax administration duties, do not use returns and return information for training purposes when hypothetical or fictional cases will serve the training requirements.

      Note:

      Avoiding extra effort is not justification for increasing risk.

    3. Employee publications, training and presentation materials are publicly available under the Freedom of Information Act and in the FOIA Library on IRS.gov. That makes it critical that all IRS personnel follow published guidelines to prevent the unauthorized disclosure of tax information.

  2. For more information about fictionalizing data, refer to the PGLD Fictitious Identifying Information Examples page and the Disclosure Requirements section of IRM 6.410.1, Learning and Education, Learning and Education Policy.

  3. For more information about training material and official use only requirements, refer to the Protection of Return Information section of IRM 11.3.12, Designation of Documents, and the Fictitious Identifying Information section of IRM 1.11.2, Internal Management Documents System, Internal Revenue Manual (IRM) Process.

Privacy-Related Programs

  1. The IRS promotes a robust privacy program leveraging the use of technology and privacy processes. The IRS privacy program improves taxpayer service by protecting the privacy of taxpayers’ and employees’ data and enhancing their trust. Designing privacy into the IRS modernization initiative (people, systems, processes, and technology) further improves the protection of SBU data (including PII and tax information) throughout the IRS.

  2. Privacy issues are integral to IRS business. Because of the complexity, scope, and importance of privacy to the IRS mission, PGLD is not the single point of contact for all privacy-related programs.

  3. PGLD participates in various privacy-related governance boards. For more information, refer to PGLD Governance Assignments.

  4. This IRM and IRM 10.5.2, Privacy Compliance Assurance (PCA) Program, provide links and references to other IRMs and programs that work closely with PPC or contain elements of privacy within those programs. IRS personnel must familiarize themselves with and use all links and reference IRMs, as appropriate. This includes, but is not limited to, the following privacy-related programs, not all which PGLD manages.

  5. For more information about PGLD, refer to IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD), and the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

IRS Privacy Council

  1. Privacy Policy and Knowledge Management (PPKM), within PGLD’s PPC, oversees and coordinates the IRS Privacy Council.

  2. The purpose of the IRS Privacy Council is to:

    1. Develop a cohesive privacy vision to implement and oversee IRS-wide privacy and disclosure policies.

    2. Serve as a high-level strategy and policy development group charged with identifying and effectively addressing significant current and emerging information privacy, disclosure, and related policy issues.

    3. Centralize the Chief Privacy Officer’s (CPO) policy-making role in the development and evaluation of legislative, regulatory, and other policy proposals, which implicate information privacy issues. In so doing, the Council takes a central role in ensuring the IRS is fully compliant with federal laws, regulations, and policies relating to information privacy while enabling continued progress and innovation.

  3. To carry out these objectives, the IRS Privacy Council members will:

    1. Engage the Business Units and Operating Divisions for purposes of multi-level identification of issues appropriate for Council action.

    2. Partner with cross-functional working groups to identify and work issues appropriate for Council action.

    3. Generate policy guidance to be issued from the CPO.

    4. Establish communications and web strategies to ensure successful dissemination of guidance and more tools for ongoing IRS-wide education and assistance.

    5. Conduct periodic reviews of established policy guidance to ensure sufficiency and consistency.

    6. Partner with Office of Chief Counsel for consultative purposes, and to identify and develop needed legislative and regulatory proposals.

    7. Review and comment on circulated draft legislation, Executive Orders, Office of Management and Budget memoranda, executive agency white papers, and other inter-governmental documents.

    8. Provide subject matter expertise on broad-scope IRS-wide initiatives.

    9. Partner with program offices to ensure inclusion of information privacy, records, and disclosure policies are appropriately included in training modules. [PVR-01]

  4. The IRS privacy community takes part in the Federal Privacy Council (FPC) to identify federal agency best practices, build and strengthen collaboration with other agencies, and conduct outreach as appropriate. See also the References section in Exhibit 10.5.1-2 for the link to the FPC website and resources.

  5. For more information, email *Privacy or refer to the IRS Privacy Council site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Privacy and Civil Liberties Impact Assessment (PCLIA)

  1. Privacy Compliance and Assurance (PCA), within PGLD’s PPC, supports the IRS in recognizing the importance of protecting the privacy of taxpayers and employees, balancing the need for information collection with the privacy risks. The vehicle for addressing privacy issues in a system is the PCLIA. [OMB A-130]

  2. If the IRS procures, uses, or develops IT to process (collect, maintain, or disseminate) PII, the IRS must consider the privacy protections with a PCLIA. [E-Government Act]

    Note:

    The IRS requires PCLIAs for pilot projects, research, experimentation, the use of innovative technologies, technical demonstrations, prototypes, and proof of concepts, and the like. For more information about the PCLIA process, refer to IRM 10.5.2 and IRM 2.16.1.

  3. For more information about the PCLIA process, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program, or the PCLIA site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Business PII Risk Assessment (BPRA)

  1. Privacy Compliance and Assurance (PCA), within PGLD’s PPC, uses the Business PII Risk Assessment (BPRA) program to assess privacy risks in IRS processes. The BPRA addresses the impact of privacy risks in the same way an IT security risk assessment addresses the impact of security risks to the IRS. [OMB A-130]

  2. For more information about the BPRA program, email *Privacy or refer to the BPRA page on the PCA site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Treasury PII Holdings Report

  1. Treasury is mandated by Congress to maintain a listing of all systems that contain PII. The database is designed to help the Treasury in maintaining a detailed inventory of its PII holdings. [OMB A-130]

  2. For more information about the Treasury PII Holdings Report, email *Privacy.

Unauthorized Access (UNAX)

  1. Information Protection Projects (IPP), under PGLD’s Identity and Records Protection (IRP), administers the Unauthorized Access to Taxpayer Accounts (UNAX) program.

  2. The term UNAX is used to define the act of committing an unauthorized access, attempted access or inspection (commonly referred to as UNAX) of any tax information contained on paper or within any electronic format without a management-assigned IRS business need.

  3. For more information, refer to IRM 10.5.5, IRS Unauthorized Access, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.

  4. Refer to the UNAX site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Mandatory Briefings

  1. Mandatory briefings deliver required IRS-wide training – including the Privacy Information Protection and Disclosure, Records Management, and UNAX briefings managed by the PGLD offices of PPKM, IRP, and IPP, respectively.

  2. For more information about mandatory briefings, refer to the Mandatory Briefings page on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Records and Information Management (RIM)

  1. Records and Information Management (RIM) Office within IRP supports the IRS mission and programs by promoting current information, guidance, and awareness of the importance of managing records throughout the IRS. The RIM program addresses the requirements for recordkeeping, protection, review, storage, and disposal.

  2. The public expects that IRS records are available where and when they are needed, to whom they are needed, for only as long as they are needed, to conduct business, adequately document IRS activities, and protect the interests of the federal government and American taxpayer. The Federal Records Act requires the IRS to efficiently manage all IRS records until final disposition.

  3. Refer to the IRM 1.15 series, Records and Information Management, Files Management, for more information.

Disclosure

  1. Disclosure, within PGLD’s Governmental Liaison, Disclosure and Safeguards (GLDS), supports the Disclosure program. Disclosure safeguards confidential records, from the mailroom to the Commissioner’s office. The word "sensitive" encompasses every type of SBU data from tax records to personal employee data.

  2. Tax returns and return information are considered SBU data. IRC 6103 provides the general rule that tax returns and return information are confidential information that we must not disclose except as provided by the IRC.

    Note:

    IRC 7213 and IRC 7431 include civil and criminal penalties for willful or negligent disclosure of returns or return information.

  3. IRM 11.3 series, Disclosure of Official Information, contains guidelines governing whether we may disclose tax returns and other information contained in IRS files. Disclosure may not be made unless IRC 6103 authorizes disclosure and not before requirements in IRC 6103 and IRM 11.3 series are met. The Office of Government, Liaison and Disclosure must approve proposed disclosures and ensure they meet the requirements of an exception in Title 26 before disclosure.

  4. Before disclosing IRS information (tax information, proprietary information, processes, system information, etc.), contact Disclosure to ensure that the information may be disclosed or what we can/should redact.

  5. Refer to the Disclosure site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

  6. Refer to the external site for submitting a FOIA Request:
    https://www.irs.gov/privacy-disclosure/irs-freedom-of-information

Digital Identity Risk Assessment (DIRA) [formerly Electronic Risk Assessment (e-RA)]

  1. Digital Identity Risk Assessment (DIRA) [formerly Electronic Risk Assessment (e-RA]) is a joint effort between IT Cybersecurity and Online Services to establish a framework for establishing authentication risk consistently across online web-based electronic transactions.

  2. To ensure privacy and security, agencies must authenticate users of their web-based or online transactions before allowing access to information entrusted to them. The DIRA process evaluates the risk of a transaction to determine the applicable assurance level on three component parts, referred to as Identity Assurance Level (IAL), Authenticator Assurance Level (AAL), and Federation Assurance Level (FAL).

    Note:

    The DIRA process applies to online web-based transactions.

  3. For information about risk assessments of online services, contact *IT Cyber CPO DIRA.

Electronic Authentication (e-Authentication)

  1. To ensure privacy and security, agencies must authenticate web-based or online transaction users before allowing access to information. In the Identity and Access Management domain, the e-Authentication (eAuth) framework uses this process to guide business units with the implementation of online applications/transactions.

  2. For more information, see also the DIRA section in IRM 10.5.1.7.9. Refer to the Secure Access e-Authentication section in IRM 21.2.1, Systems and Research Programs, Systems. Refer to the e-Authentication site on IRS Source.

Enterprise Life Cycle (ELC)

  1. The IT Enterprise Life Cycle (ELC) office manages the ELC program.

  2. The IRS ELC is the methodology by which the IRS manages project activities through established standard processes.

    1. The Enterprise Architecture (EA) is an integral component of ELC compliance process particularly from Milestone 1 through Milestone 4a.

    2. The ELC provides the direction, processes, tools, and assets necessary to accomplish business change in a consistent and repeatable manner as they implement the EA.

  3. For more information about the ELC, refer to IRM 2.16.1, Enterprise Life Cycle (ELC), ELC Guidance, or the ELC site on IRS Source.

Governmental Liaison (GL)

  1. Governmental Liaison (GL) facilitates, develops, and maintains relationships with federal, state, and local governmental agencies and IRS operating and functional divisions on strategic IRS programs. All IRS personnel should contact GL prior to contacting any governmental agency about initiatives or data exchanges.

  2. GL maintains the IRS Agreement Database (IAD), which includes:
    Formal agreements that GL established with U.S. federal, state and local governmental agencies and IRS business units to exchange data, and tax and non-tax information that require PGLD oversight for privacy, disclosure, and safeguarding. (Internet service agreements, LBI treaty and Foreign Account Tax Compliance Act agreements, Agreements with 6103(k)(6) disclosures and IRC 6103(c) consent-based disclosures with non-government agencies are excluded.)

  3. For more information about GL, refer to IRM 11.4.1, Communications and Liaison, Office of Governmental Liaison, Governmental Liaison Operations.

  4. For more information about GL’s programs, refer to the GL page on IRS Source.

Data Services

  1. Data Services provides support to GL and Disclosure programs through a variety of information technology initiatives, including:

    • Managing computer matching agreements (CMAs).

    • Managing the Governmental Liaison Data Exchange Program (GLDEP).

  2. For more information about Data Services, refer to IRM 11.4.2, Office of Governmental Liaison, Data Exchange Program, and IRM 11.3.39, Disclosure of Official Information, Computer Matching and Privacy Protection Act.

Identity Assurance (IA)

  1. Identity Assurance (IA) provides oversight and strategic direction for authentication, authorization, and access processes of taxpayer information. IA also delivers externally facing IRS services across all channels while protecting taxpayer data from fraudsters and identity thieves.

  2. For more information about IA, refer to the IA site on IRS Source.

Electronic Signature (e-Signature) Program
  1. The IRS e-signature principles and federally mandated authentication controls describe how the IRS protects an individual’s identity and assures that only authorized signers are completing the transaction.

  2. For detailed information on the e-signature program, refer to IRM 10.10.1, Identity Assurance, IRS Electronic Signature (e-Signature) Program.

Risk Management for Authentication in Non-Electronic Channels (Omni Channel Risk Assessment)
  1. Interim Guidance Memo PGLD-10-0220-0001 details the Risk Management for Authentication in Non-Electronic Channels policy, owned by PGLD’s IA as part of their Omni Channel approach to authentication and authorization for all interactions.

  2. For electronic interactions, this policy defers to the DIRA process (see IRM 10.5.1.7.9) for electronic interactions. For all other interactions, this policy applies to assessing the risk in the authentication process of telephone, in-person, and correspondence exchanges of sensitive information with individuals in authenticated customer contact channels.

  3. Identity Assurance created a SharePoint site to provide guidance and house business unit risk assessments.

  4. For more information, email *OS P GLD IA Risk Assessments.

IT Security

  1. Architecture and Implementation under Cybersecurity supports IT security policy and implementation.

  2. IT security and privacy issues go together. Information Technology security policy describes how to protect IT environments, while privacy policy describes how to protect individuals’ information in those IT environments. Information Technology focuses on protecting the systems, the network, and the applications that house the data. Privacy focuses on protecting the individual represented by the data.

  3. For more information about IT security policy and references, refer to the IRM 10.8 series.

  4. For more information about the Cybersecurity program, refer to the Cybersecurity site on IRS Source.

Incident Management (IM)

  1. Incident Management (IM), within PGLD’s PPC, is dedicated to assisting taxpayers and personnel potentially impacted by IRS breaches by working quickly and thoroughly to investigate breaches to decrease the possibility that information will be compromised and used to perpetrate identity theft or other forms of harm.

  2. The IM program manages reports of IRS losses, thefts, and inadvertent unauthorized disclosure of SBU data (including PII and tax information).

  3. Immediately upon discovery of an inadvertent unauthorized disclosure of sensitive information, or the loss or theft of an IT asset or hardcopy record or document that includes sensitive information, personnel must report an incident/breach to the manager and the appropriate organizations based on what was lost or disclosed.

  4. Anyone discovering a breach must report the breach to the appropriate organizations.

  5. For more information about how to report an incident/breach, refer to IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets and BYOD Assets site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Pseudonym

  1. Incident Management (IM), within PGLD’s PPC, manages the IRS Pseudonym program.

  2. Under certain conditions (protection of personal safety, adequate justification, pre-approval, etc.), the Pseudonym program provides for the use of pseudonyms by IRS employees. The IRS Incident Management operation helps employees protect the privacy of these pseudonyms.

  3. Refer to IRM 10.5.7, Use of Pseudonyms by IRS Employees

Safeguards

  1. The Safeguards program and staff are responsible for ensuring that federal, state, and local agencies receiving federal tax information protect it as if the information remained in IRS’s hands.

  2. For more information about Safeguards, refer to the Safeguards site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Social Security Number Elimination and Reduction (SSN ER)

  1. Information Protection Projects (IPP), under PGLD’s Identity and Records Protection (IRP), administers the Social Security Number Elimination and Reduction (SSN ER) program.

  2. This program’s goal is to implement regulatory requirements to eliminate or reduce the collection and use of SSNs in programs, processes, and forms. [Pub.L. 115-59, OMB A-130]

  3. For more information, refer to the SSN ER site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.
    or email *PGLD SSN Reduction.

Acceptable Use of SSNs
  1. Use of SSNs is acceptable when any of these options mandates such use:

    • Law/statute.

    • Executive orders.

    • Federal regulations.

    • Business need (e.g., the inability to alter systems, processes, or forms due to costs or unacceptable level of risk).

SSN Necessary-Use Criteria
  1. SSN ER compliance requires owners of forms, notices, letters, and systems to apply the following SSN necessary-use criteria to determine whether SSN use is justifiable and necessary:

    1. Apply the SSN Necessary-Use Criteria
      Based on the definition of the necessary and/or acceptable use of SSNs:
      1. Provide an accurate and complete citation of what authority (legislative mandate, regulation, or executive order) justifies SSN usage.
      2. Consider how we use the SSN throughout the information lifecycle (reviewing all forms, notices, letters, and systems), and consider the following about SSN data:
      - Acquisition/collection
      - Conversion/use and display
      - Migration/transmission
      - Storage
      - Deletion/disposal
      3. Determine whether the SSN is a critical component to the business process, which we cannot perform or achieve without the use of the SSN. The owner must describe in detail those existing operational dependencies.

      Note:

      Step c contains procedures for completing and submitting Form 14132, Social Security Number Elimination and Reduction Inventory.

    2. Identify SSN Elimination and Reduction Solutions
      After identifying potential areas to reduce or eliminate SSN use, collaborate with business unit stakeholders to explore and identify feasible short- and long-term mitigation solutions, and submit a written mitigation plan to IPP by email to *PGLD SSN Reduction.

    3. Develop a Mitigation Strategy for Existing Inventories
      Whether SSN use is determined to be necessary or unnecessary, develop and provide to PGLD/IPP a mitigation strategy for existing forms, notices, and letters inventories on Form 14132.

    4. When Creating New Forms, Notices, Letters, and Systems
      Business/system owners must practice due diligence when creating new forms, notices, letters, and systems to ensure they apply the necessary-use criteria.

      For New... The Process Is...
      Forms W&I Media and Publications will ask form owners to consider the necessary use of SSNs on newly created forms. You must provide justification for all forms requiring an SSN. The justification will become part of the form history folder. (For required Privacy Act Notification information, refer to the Notification Section of IRM 10.5.6.)
      Notices/Letters The Office of Taxpayer Correspondence will ask owners to consider use of SSNs on all newly created notices/letters. These questions and answers will become part of the interview file and maintained for documentation purposes.
      Systems Owners must complete a Privacy and Civil Liberties Impact Assessment (PCLIA) for any system that will contain any personally identifiable information, including SSNs. The purpose of a PCLIA is to demonstrate that program/project managers and system owners and developers have consciously incorporated privacy and civil liberties protections throughout the entire lifecycle of a system. The Privacy Impact Assessment Management System will maintain the justification for SSN usage.

    5. Manage Inventory
      PGLD will use completed Forms 14132 to manage the SSN ER Program and report progress to Treasury and IRS executive leadership.

    6. Reassess Periodically
      Once every three years, business/systems owners must reassess any forms, notices, letters, or systems to determine if conditions have changed that allow for the elimination or masking the SSN on their products. Business/system owners must inform the SSN ER Program of updated statuses on each product.

SBU Data Use for Non-Production Environments

  1. Privacy Compliance and Assurance (PCA), within PGLD’s PPC, manages the SBU Data Use process for non-production environments.

  2. The SBU Data Use for non-production environments process helps Information Owners (IOs) and Authorizing Officials (AOs) know when we are using SBU data (including PII or tax information) in other non-production environments, when appropriate. This process helps IOs and AOs, tasked with accepting risk for the IRS, to know and understand the movement of the SBU data outside the production environment and to ensure its protection.

  3. Refer to IRM 10.5.8 (formerly IRM 10.8.8), Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments and that site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

Quick Response (QR) Codes

  1. Office of Taxpayer Correspondence in Media and Publishing manages the Quick Response (QR) codes for the IRS.

  2. The program objective is to provide taxpayers with targeted, timely guidance and outreach. Using IRS-created QR codes allows the IRS to minimize data collection (to collect only necessary data), to protect taxpayer privacy and civil rights, to reduce costs, and to ensure that the experience instills trust and consistency.

  3. Refer to IRM 1.17.1, IRS Logo, Program Logos and Internal Logos.

NIST SP 800-53 Security and Privacy Controls

  1. These privacy and security controls are the technical controls that address federal IT systems. These privacy requirements and technical controls build on the existing IRS Privacy Principles and supplement the full range of existing security controls in IRM 10.8.1. This section addresses all the controls relevant to privacy.

    Note:

    This section is for technical management officials developing and supporting IT systems, including Management, Senior Management/Executives, System Owners, System Developers, and Authorizing Officials.

  2. NIST SP 800-53 has these definitions: [NIST SP 800-53]

    • Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the protection needs of organizational stakeholders. Controls are selected and implemented by the organization in order to satisfy the system requirements. Controls can include administrative, technical, and physical aspects.

    • For federal information security and privacy policies, the term requirement is generally used to refer to information security and privacy obligations imposed on organizations.
      and
      The term requirement can also be used in a broader sense to refer to an expression of stakeholder protection needs for a particular system or organization. Stakeholder protection needs and the corresponding security and privacy requirements may be derived from many sources (e.g., laws, executive orders, directives, regulations, policies, standards, mission and business needs, or risk assessments).

  3. This section’s naming structure follows the pattern shown here in this example:
    AC-3(14) Access Control -- Access Enforcement - Individual Access [P]

    • AC-3: The 2-letter control abbreviation NIST uses for the control family with a dash and the control number

    • (14): This part is used only for the controls that are control enhancements (CEs); the CE number is in parentheses and merged with the control enhancement number (IRM 10.8.1 uses this convention)

    • Access Control: Control family name

    • Access Enforcement: Control name

    • Individual Access: Control enhancement name, if applicable

    • [P] for privacy or [J] for joint security and privacy:
      - If a control is privacy-owned [P], the language of the control is here in this IRM.
      - If a control is jointly owned by security and privacy [J], the language of the control is in IRM 10.8.1. IRM 10.8.1 includes the IT security roles and responsibilities and refers to this IRM for the privacy roles and responsibilities.
      - The security [S] controls are in IRM 10.8.1.

    • All joint and privacy controls are for Low, Moderate, and High systems.

  4. How this IRM shows the control information:

    1. If joint, this IRM shows the IRM 10.8.1 section name; if privacy, then this IRM repeats the NIST control language (ending with the attribution [NIST SP 800-53]), with any IRS organization-defined parameters italicized.

      Note:

      If the control differs from the NIST baseline, then this note will explain how it differs and who requires it. When the IRS PGLD/Cyber [NIST SP 800-53] Rev 5 Collaboration Working Group indicates a change from the NIST baseline for IRS assessment, the Note refers to IRS Collaboration.

    2. If the control is not a "-1" ("Policy and Procedures" ) control, the next paragraph is the privacy concern and a summary of the IRS policy that addresses that concern.

    3. References to policy related to the control in this IRM follow in the pattern: IRM section number, section name. (Sometimes specific subsections are listed in parentheses.)

    4. If the privacy roles and responsibilities reside with a different privacy program, references to the appropriate IRM or program documentation follow with names of specific sections following, when applicable. The pattern is Type-of-publication Reference#: Section Name. Multiple section names are separated by commas. When multiple section names include commas, they are separated with semicolons. If the reference says “throughout and specifically,” the specific section is only a starting point.

AC-1 Access Control -- Policy and Procedures [J]

  1. This is a joint security and privacy control requiring that the IRS have policy and procedures about access control. For the full text of the control, see the AC-1 Access Control section of IRM 10.8.1.

  2. In this IRM, PGLD policies on access control policy and procedures control include, but are not limited to, the sections:

    1. IRM 10.5.1.1.1, Purpose of the Program

    2. IRM 10.5.1.1.2, Audience

    3. IRM 10.5.1.2, Key Privacy Definitions [Sensitive But Unclassified (SBU) Data, Unauthorized Access of SBU Data, Privacy Act Information, Need to Know]

    4. IRM 10.5.1.3.2, IRS Privacy Principles (Strict Confidentiality [PVR-05], Security [PVR-06], Access, Correction, and Redress [PVR-09])

    5. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (including Employees/Personnel, System Owners, System Developers, Personnel Engaged in Procurement Activities)

    6. IRM 10.5.1.5.1, Clean Desk Policy

    7. IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data (including Limiting Sharing of SBU Data)

    8. IRM 10.5.1.6.2, Encryption (including External, Internal)

    9. IRM 10.5.1.6.3, Computers and Mobile Computing Devices

    10. IRM 10.5.1.6.6, Storage

    11. IRM 10.5.1.6.8.2, Emails to Other External Stakeholders

    12. IRM 10.5.1.6.10, Disposition and Destruction

    13. IRM 10.5.1.6.15, Contractors

    14. IRM 10.5.1.6.16, Online Data and Privacy Notices

    15. IRM 10.5.1.6.18, Data on Collaborative Technology and Systems (including Shared Calendar, Online Meeting Tools, Shared Drives or Shared IRS Storage, SharePoint, Cloud Computing, Online-Accessible Shared Storage)

    16. IRM 10.5.1.6.19, Training

    17. IRM 10.5.1.7.9, Digital Identity Risk Assessment (DIRA) [formerly Electronic Risk Assessment (e-RA)]

    18. IRM 10.5.1.7.10, Electronic Authentication (e-Authentication)

    19. IRM 10.5.1.7.12, Governmental Liaison (GL)

  3. PGLD and IRS also address access control policy and procedures control in the following:

    1. IRM 10.5.2: Program Scope and Objectives, Background, Qualifying Questionnaire (QQ) for PCLIA, Surveys Accessed by Links, Determining SharePoint PIA Requirement, Shared Storage PIAs

    2. IRM 10.5.4: Program Scope and Objectives; Responsibilities; Authority; Terms; Reporting Losses, Thefts and Disclosures (Intentional Unauthorized Disclosures of Tax Information; Inadvertent Accesses of Tax Information); PGLD/Incident Management Intake, Risk Assessment and Notification (OMB Major Incidents, PGLD/Incident Management Risk Assessment)

    3. IRM 10.5.6:- Content of a System of Records Notice, Privacy Act Access and Amendment of Records

    4. IRM 10.5.5: throughout, and specifically Privacy and Information Protection, Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements

    5. IRM 10.5.8: Security controls applicable to non-production data

    6. IRM 11.3.22: Access by IRS Employees

    7. IRM 1.2.1: Policy Statement 1-1, Mission of the Service, Taxpayer Privacy Rights

    8. Privacy & Civil Liberties Impact Assessment (PCLIA) Reference Guide

AC-3(14) Access Control -- Access Enforcement - Individual Access [P]
  1. The IRS must provide information on IRS.gov/privacy to enable individuals to have access to the elements of their personally identifiable information that the IRS collects, as governed by the applicable laws and regulations. [NIST SP 800-53] [OMB M-21-04]

  2. The privacy concerns are that individuals have access to the information that the IRS has on them, as governed by the applicable laws and regulations. The IRS requires publishing SORNs and PCLIAs and handling requests for information under the Privacy Act, IRC, and FOIA.

  3. In this IRM, PGLD policies on the individual access control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2.9, Access, Correction, and Redress [PVR-09]

    2. IRM 10.5.1.6.16, Online Data and Privacy Notices

  4. PGLD and IRS also address the individual access control in the following:

    1. IRM 10.5.2: PCLIAs on IRS.gov

    2. IRM 10.5.6: Privacy Act Publication and Reporting Requirements, Privacy Act Access and Amendment of Records

    3. IRM 11.3.13: throughout, and specifically FOIA and Routine Established Agency Procedures for other types of requests (including tax information)

    4. Privacy & Civil Liberties Impact Assessment (PCLIA) Reference Guide

AT-1 Awareness and Training -- Policy and Procedures [J]

  1. This is a joint security and privacy control requiring that the IRS have policy and procedures about awareness and training control. For the full text of the control, see the AT-1 Awareness and Training Policy and Procedures section of IRM 10.8.1.

  2. In this IRM, PGLD policies on the awareness and training policy and procedures control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2.10, Privacy Awareness and Training [PVR-10]

    2. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (including Employees/Personnel, Management, Senior Management/Executives, System Owners, Personnel Engaged in Procurement Activities)

    3. IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data (including Limiting Sharing of SBU Data)

    4. IRM 10.5.1.6.10.6, Contractors

    5. IRM 10.5.1.7.1, IRS Privacy Council

    6. IRM 10.5.1.7.6, Mandatory Briefings

  3. PGLD and IRS also address the awareness and training policy and procedures control in the following:

    1. IRM 10.5.2: Program Scope and Objectives, PCLIA Roles and Responsibilities

    2. IRM 10.5.4: Program Scope and Objectives, Responsibilities, Awareness Training and Education

    3. IRM 10.5.5: throughout, and specifically Servicewide Roles and Responsibilities for Administering the IRS UNAX Program, Manager UNAX Responsibilities, IRP UNAX Program Team Roles and Responsibilities

    4. IRM 10.5.6: Privacy Act Training

    5. IRM 10.5.8: Security controls applicable to non-production data

    6. IRM 11.3.1: Roles and Responsibilities

    7. IRM 1.15.1: Responsibilities of the IRS Records Officer, Responsibilities of the RIM Records Specialist

    8. IRM 1.1.27: Roles and Responsibilities

    9. Privacy & Civil Liberties Impact Assessment (PCLIA) Reference Guide

AT-2 Awareness and Training -- Literacy Training and Awareness [J]
  1. This is a joint security and privacy control about literacy training and awareness. For the full text of the control, see the AT-2 Literacy Training and Awareness section of IRM 10.8.1.

  2. The privacy concerns are keeping personnel current on privacy training and awareness. The IRS requires annual mandatory briefings on security and privacy. PGLD contributes to the content of the mandatory briefings, incorporating lessons learned or issues of concern. PGLD employs awareness techniques such as all-employee communications, awareness events, and ad-hoc sessions.

  3. In this IRM, PGLD policies on the literacy training and awareness control include, but are not limited to, the sections listed in the AT-1 references, IRM 10.5.1.8.2.

  4. PGLD and IRS also address the literacy training and awareness control in the sections listed in the AT-1 references, IRM 10.5.1.8.2

AT-3 Awareness and Training -- Role-Based Training [J]
  1. This is a joint security and privacy control about role-based training. For the full text of the control, see the AT-3 Role-Based Training section of IRM 10.8.1.

  2. The privacy concerns are keeping personnel current on privacy training and awareness. The IRS requires role-based privacy training for roles with specialized privacy responsibilities.

  3. In this IRM, PGLD policies on the role-based training control include, but are not limited to, the sections listed in the AT-1 references, IRM 10.5.1.8.2.

  4. PGLD and IRS also address the role-based training control in the sections listed in the AT-1 references, IRM 10.5.1.8.2

AT-3(5) Awareness and Training -- Role-Based Training - Processing Personally Identifiable Information [P]
  1. Provide all personnel with access to PII with initial and annual training in the employment and operation of personally identifiable information processing and transparency controls. [NIST SP 800-53]

  2. The privacy concerns are that all personnel processing PII understand how to protect privacy. The IRS requires annual mandatory role-based briefings on security and privacy.

  3. In this IRM, PGLD policies on the processing personally identifiable information control include, but are not limited to, the sections listed in the AT-1 references, IRM 10.5.1.8.2.

  4. PGLD and IRS also address the processing personally identifiable information control in the sections listed in the AT-1 references, IRM 10.5.1.8.2

AT-4 Awareness and Training -- Training Records [J]
  1. This is a joint security and privacy control about training records. For the full text of the control, see the AT-4 Training Records section of IRM 10.8.1.

  2. The privacy concerns are tracking the training records to ensure that all personnel are current on privacy training and awareness. The IRS requires keeping and reviewing records that personnel have taken the annual mandatory briefings on security and privacy.

  3. In this IRM, PGLD policies on the training records control include, but are not limited to, the sections listed in the AT-1 references, IRM 10.5.1.8.2.

  4. PGLD and IRS also address the training records control in the sections listed in the AT-1 references, IRM 10.5.1.8.2.

AU-1 Audit and Accountability -- Policy and Procedures [J]

  1. This is a joint security and privacy control requiring that the IRS have policy and procedures about the audit and accountability control. For the full text of the control, see the AU-1 Audit and Accountability Policy and Procedures section of IRM 10.8.1.

  2. In this IRM, PGLD policies on the audit and accountability policy and procedures control include, but are not limited to, the sections:

    1. IRM 10.5.1.2.8, Need to Know

    2. IRM 10.5.1.3.2, IRS Privacy Principles (Accountability [PVR-01]; Minimizing Collection, Use, Retention, and Disclosure [PVR-03]; Strict Confidentiality [PVR-05])

    3. IRM 10.5.1.6.15, Contractors

    4. IRM 10.5.1.6.14.3, Monitoring Individuals

    5. IRM 10.5.1.6.18.5, Cloud Computing

  3. PGLD and IRS also address the audit and accountability policy and procedures control in the following:

    1. IRM 10.5.2: Determining SharePoint PIA Requirement, Authority for BPRAs

    2. IRM 10.5.5: throughout, and specifically Servicewide Roles and Responsibilities for Administering the IRS UNAX Program

    3. IRM 10.5.8: Security controls applicable to non-production data

    4. IRM 1.2.1: Mission of the Service, Taxpayer Privacy Rights

    5. Privacy & Civil Liberties Impact Assessment (PCLIA) Reference Guide

AU-2 Audit and Accountability -- Event Logging [J]
  1. This is a joint security and privacy control about event logging. For the full text of the control, see the AU-2 Event Logging section of IRM 10.8.1.

  2. The privacy concerns are that logging events (audit logs, audit trails, event logs, etc.) can reveal information about individuals. The IRS requires systems limit the SBU data (including PII and FTI) in audit logs to only that needed for its intended use, grant access only on a need-to-know basis, and document the justification for information collected and shared.

  3. In this IRM, PGLD policies on the event logging control include, but are not limited to, the section IRM 10.5.1.6.14.3, Monitoring Individuals.

  4. PGLD and IRS also address the event logging control in the following:

    1. IRM 10.5.2: Determining SharePoint PIA Requirement

    2. IRM 10.5.5: Background

    3. IRM 10.5.8: Security controls applicable to non-production data

    4. IRM 1.15.6: Creation, Use, and Maintenance of Unstructured Electronic Data

    5. Privacy & Civil Liberties Impact Assessment (PCLIA) Reference Guide

AU-3(3) Audit and Accountability -- Content of Audit Records - Limit Personally Identifiable Information Elements [P]
  1. Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: Minimum necessary PII identified in the PCLIA. [NIST SP 800-53]

  2. The privacy concerns are that "Limiting personally identifiable information in audit records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system." The IRS requires systems limit PII in audit records to the minimum necessary.

  3. In this IRM, PGLD policies on the limit personally identifiable information elements control include, but are not limited to, the sections:

    1. IRM 10.5.1.2.8, Need to Know

    2. IRM 10.5.1.3.2, IRS Privacy Principles (Minimizing Collection, Use, Retention, and Disclosure [PVR-03], Strict Confidentiality [PVR-05])

    3. IRM 10.5.1.6.14.3, Monitoring Individuals

  4. PGLD and IRS also address the limit personally identifiable information elements control in the following:

    1. IRM 10.5.5: throughout, and specifically Servicewide Roles and Responsibilities for Administering the IRS UNAX Program

    2. IRM 10.5.8: Security controls applicable to non-production data

    3. IRM 1.2.1: Mission of the Service, Taxpayer Privacy Rights

    4. Privacy & Civil Liberties Impact Assessment (PCLIA) Reference Guide

AU-11 Audit and Accountability -- Audit Record Retention [J]
  1. This is a joint security and privacy control about audit record retention. For the full text of the control, see the AU-11 Audit Record Retention section of IRM 10.8.1.

  2. The privacy concerns are that the IRS retains audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions for the proper period to maintain transparency. The IRS requires adherence to the IRS records managements requirements.

  3. In this IRM, PGLD policies on the audit record retention control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2.3, Minimizing Collection, Use, Retention, and Disclosure [PVR-03]

    2. IRM 10.5.1.4.4, Systems Owners

    3. IRM 10.5.1.7.7, Records and Information Management (RIM)

  4. PGLD and IRS also address the audit record retention control in the following:

    1. IRM 1.15.6: Retention and Disposition of Electronic Records

    2. Privacy & Civil Liberties Impact Assessment (PCLIA) Reference Guide

CA-1 Assessment Authorization and Monitoring -- Policy and Procedures [J]

  1. This is a joint security and privacy control requiring that the IRS have policy and procedures about the assessment authorization and monitoring policy and procedures control. For the full text of the control, see the CA-1 Assessment Authorization and Monitoring Policy and Procedures section of IRM 10.8.1.

  2. In this IRM, PGLD policies on the assessment authorization and monitoring policy and procedures control include, but are not limited to, the sections:

    1. IRM 10.5.1.2, Key Privacy Definitions [Sensitive But Unclassified (SBU) Data, Personally Identifiable Information (PII), Federal Tax Information (FTI)]

    2. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (including System Owners, Authorizing Officials)

    3. IRM 10.5.1.3.1, Privacy Controls

    4. IRM 10.5.1.3.2, IRS Privacy Principles

    5. IRM 10.5.1.6.18.5, Cloud Computing

    6. IRM 10.5.1.7.2, Privacy and Civil Liberties Impact Assessment (PCLIA)

    7. IRM 10.5.1.7.3, Business PII Risk Assessment (BPRA)

    8. IRM 10.5.1.7.9, Digital Identity Risk Assessment (DIRA) [formerly Electronic Risk Assessment (e-RA)]

    9. IRM 10.5.1.7.14.2, Risk Management for Authentication in Non-Electronic Channels (Omni Channel Risk Assessment)

  3. PGLD and IRS also address the assessment authorization and monitoring policy and procedures control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA), PCLIA Roles and Responsibilities, Major Change Determination (MCD) for PCLIA, Business PII Risk Assessment (BPRA), Responsibilities, BPRA Roles and Responsibilities

    2. IRM 10.5.4: PGLD/Incident Management Risk Assessment

    3. IRM 10.5.5: Servicewide Roles and Responsibilities for Administering the IRS UNAX Program

    4. IRM 10.5.6: OMB Privacy Act Guidance, Agency Review Requirements (Exhibit 1 formerly in IRM 11.3.14)

    5. IRM 10.5.8: Security controls applicable to non-production data

    6. IRS Privacy Program Plan

    7. Document 13347, Data Breach Response Playbook

    8. Document 13347-A, IRS Data Breach Response Plan

CA-2 Assessment Authorization and Monitoring -- Control Assessments [J]
  1. This is a joint security and privacy control about control assessments. For the full text of the control, see the CA-2 Control Assessments section of IRM 10.8.1.

  2. The privacy concerns are to ensure controls operate as intended, sufficiently ensure compliance with applicable privacy requirements, and manage privacy risks. The IRS requires assessing privacy controls.

  3. In this IRM, PGLD policies on the control assessments control include, but are not limited to, the sections listed in the CA-1 references, IRM 10.5.1.8.4.

  4. PGLD and IRS also address the control assessments control in the sections listed in the CA-1 references, IRM 10.5.1.8.4.

CA-5 Assessment Authorization and Monitoring -- Plan of Action and Milestones [J]
  1. This is a joint security and privacy control about plan of action and milestones (POA&Ms). For the full text of the control, see the CA-5 Plan of Action and Milestones section of IRM 10.8.1.

  2. The privacy concerns are to monitor privacy on POA&Ms. The IRS requires System Owners monitor and address privacy risks identified on the PCLIA in a POA&M.

  3. In this IRM, PGLD policies on the plan of action and milestones control include, but are not limited to, the section IRM 10.5.1.4.4, System Owners.

  4. PGLD and IRS also address the plan of action and milestones control in IRM 10.5.2: Roles and Responsibilities.

CA-6 Assessment Authorization and Monitoring -- Authorization [J]
  1. This is a joint security and privacy control about authorization. For the full text of the control, see the CA-6 Authorization section of IRM 10.8.1.

  2. The privacy concerns are to address privacy requirements before authorization to operate. The IRS requires including privacy in the ELC (specifically PCLIAs).

  3. In this IRM, PGLD policies on the authorization control include, but are not limited to, the sections listed in the CA-1 references, IRM 10.5.1.8.4.

  4. PGLD and IRS also address the authorization control in the sections listed in the CA-1 references, IRM 10.5.1.8.4.

CA-7 Assessment Authorization and Monitoring -- Continuous Monitoring [J]
  1. This is a joint security and privacy control about continuous monitoring. For the full text of the control, see the CA-7 Continuous Monitoring section of IRM 10.8.1.

  2. The privacy concerns are to maintain ongoing awareness of developing vulnerabilities. The IRS requires following the IRS Privacy Program Plan.

  3. In this IRM, PGLD policies on the continuous monitoring control include, but are not limited to, the sections listed in the CA-1 references, IRM 10.5.1.8.4.

  4. PGLD and IRS also address the continuous monitoring control in the sections listed in the CA-1 references, IRM 10.5.1.8.4.

CA-7(4) Assessment Authorization and Monitoring -- Continuous Monitoring - Risk Monitoring [J]
  1. This is a joint security and privacy control about risk monitoring. For the full text of the control, see the CA-7 Continuous Monitoring section of IRM 10.8.1.

  2. The privacy concerns are to monitor and address privacy risks. The IRS requires monitoring risks identified in PCLIAs, BPRAs, POA&Ms, and other assessment practices.

  3. In this IRM, PGLD policies on the risk monitoring control include, but are not limited to, the sections listed in the CA-1 references, IRM 10.5.1.8.4.

  4. PGLD and IRS also address the risk monitoring control in the sections listed in the CA-1 references, IRM 10.5.1.8.4.

CM-1 Configuration Management -- Policy and Procedures [J]

  1. This is a joint security and privacy control requiring that the IRS have policy and procedures about the configuration management control. For the full text of the control, see the CM-1 Configuration Management Policy and Procedures section of IRM 10.8.1.

  2. In this IRM, PGLD policies on the configuration management policy and procedures control include, but are not limited to, the sections:

    1. IRM 10.5.1.2, Key Privacy Definitions

    2. IRM 10.5.1.3, Key Privacy Concepts

    3. IRM 10.5.1.4, IRS-Wide Roles and Responsibilities

    4. IRM 10.5.1.6.2, Encryption

    5. IRM 10.5.1.6.9.7, Electronic [Other Forms of Transmission]

  3. PGLD and IRS also address the configuration management policy and procedures control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA), Major Change Determination (MCD) for PCLIA

    2. IRM 10.5.6: Report on New Systems of Records

    3. IRM 10.5.8: Security controls applicable to non-production data

CM-4 Configuration Management -- Impact Analyses [J]

  1. This is a joint security and privacy control about impact analyses. For the full text of the control, see the CM-4 Impact Analyses section of IRM 10.8.1.

  2. The privacy concerns are determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. The IRS requires reviewing Major Change Determinations (MCDs) and updating PCLIAs.

  3. In this IRM, PGLD policies on the impact analyses control include, but are not limited to, the sections listed in the CA-1 references.

  4. PGLD and IRS also address the impact analyses control in the sections listed in the CA-1 references.

IR-1 Incident Response -- Policy and Procedures [J]

  1. This is a joint security and privacy control requiring that the IRS have policy and procedures about the incident response control. For the full text of the control, see the IR-1 Incident Response Policy and Procedures section of IRM 10.8.1.

  2. In this IRM, PGLD policies on the incident response policy and procedures control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2, IRS Privacy Principles (Strict Confidentiality [PVR-05], Security [PVR-06])

    2. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (Employees/Personnel, Management, Personnel Engaged in Procurement Activities)

    3. IRM 10.5.1.6.4, Data Loss

    4. IRM 10.5.1.7.16, Incident Management (IM)

  3. PGLD and IRS also address the incident response policy and procedures control in the following:

    1. IRM 10.5.4 throughout

    2. Document 13347, Data Breach Response Playbook

    3. Document 13347-A, IRS Data Breach Response Plan

    4. If/Then Guide for Reporting Incidents and Breaches

IR-2 Incident Response -- Incident Response Training [J]
  1. This is a joint security and privacy control about incident response training. For the full text of the control, see the IR-2 Incident Response Training section of IRM 10.8.1.

  2. The privacy concerns are that IRS personnel need to know who to call or how to recognize an incident or a breach. The IRS requires providing mandatory training on Incident Management that is updated annually, and IM conducts a tabletop annually per OMB M-17-12.

  3. In this IRM, PGLD policies on the incident response training control include, but are not limited to, the sections listed in the IR-1 references, IRM 10.5.1.8.7.

  4. PGLD and IRS also address the incident response training control in the following:

    1. IRM 10.5.4: Awareness Training and Education

    2. If/Then Guide for Reporting Incidents and Breaches

IR-2(3) Incident Response -- Incident Response Training - Breach [P]
  1. Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach. [NIST SP 800-53]

  2. The privacy concerns are that IRS personnel need to know who to call or how to recognize a breach involving PII. The IRS requires providing mandatory training that includes information on how to identify and respond to a breach. The training includes links to how to respond to a breach.

  3. In this IRM, PGLD policies on the breach control include, but are not limited to, the sections listed in the IR-1 references, IRM 10.5.1.8.7.

  4. PGLD and IRS also address the breach control in the following:

    1. IRM 10.5.4: Awareness Training and Education; Reporting Losses, Thefts and Disclosures

IR-3 Incident Response -- Incident Response Testing [J]
  1. This is a joint security and privacy control about incident response testing. For the full text of the control, see the IR-3 Incident Response Testing section of IRM 10.8.1.

  2. The privacy concerns are that IRS personnel test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. The IRS requires testing the breach response plan annually in compliance with OMB M-17-12.

  3. In this IRM, PGLD policies on the incident response testing control include, but are not limited to, the sections listed in the IR-1 references, IRM 10.5.1.8.7.

  4. PGLD and IRS also address the incident response testing control in the following:

    1. IRM 10.5.4: Responsibilities

    2. Document 13347, Data Breach Response Playbook: Section 4.2, Tabletop Exercises: Testing the Plan

    3. Document 13347-A, IRS Data Breach Response Plan: Section 10.1, Tabletop Exercises

IR-4 Incident Response -- Incident Handling [J]
  1. This is a joint security and privacy control about incident handling. For the full text of the control, see the IR-4 Incident Handling section of IRM 10.8.1.

  2. The privacy concerns are the IRS has the capability to handle all types of incidents consistent with the incident response plan. The IRS requires coordinating incident handling with IM, Cyber, CSIRC, and other business units as needed.

  3. In this IRM, PGLD policies on the incident handling control include, but are not limited to, the sections listed in the IR-1 references, IRM 10.5.1.8.7.

  4. PGLD and IRS also address the incident handling control in the following:

    1. IRM 10.5.4: Responsibilities

    2. Document 13347, Data Breach Response Playbook: Section 5

IR-5 Incident Response -- Incident Monitoring [J]
  1. This is a joint security and privacy control about incident monitoring. For the full text of the control, see the IR-5 Incident Monitoring section of IRM 10.8.1.

  2. The privacy concerns are the IRS tracks and documents incidents. The IRS requires using a tracking system.

  3. In this IRM, PGLD policies on the incident monitoring control include, but are not limited to, the sections listed in the IR-1 references, IRM 10.5.1.8.7.

  4. PGLD and IRS also address the incident monitoring control in the following:

    1. IRM 10.5.4: PGLD/Incident Management Intake

    2. Document 13347, Data Breach Response Playbook: Section 2.0, Breach Response Team (BRT); Section 3.0, Data Breach Response Process

    3. Document 13347-A, IRS Data Breach Response Plan: Section 11.1, Tracking and Documenting the Response to a Breach

IR-6 Incident Response -- Incident Reporting [J]
  1. This is a joint security and privacy control about incident reporting. For the full text of the control, see the IR-6 Incident Reporting section of IRM 10.8.1.

  2. The privacy concerns are that the IRS reports incidents or breaches. The IRS requires all personnel report when an incident or breach occurs.

  3. In this IRM, PGLD policies on the incident reporting control include, but are not limited to, the sections listed in the IR-1 references, IRM 10.5.1.8.7.

  4. PGLD and IRS also address the incident reporting control in the following:

    1. IRM 10.5.4: Reporting Losses, Thefts and Disclosures; PGLD/Incident Management Intake

IR-7 Incident Response -- Incident Response Assistance [J]
  1. This is a joint security and privacy control about incident response assistance. For the full text of the control, see the IR-7 Incident Response Assistance section of IRM 10.8.1.

  2. The privacy concerns are that IRS provides a support resource that offers advice and assistance to personnel for the handling and reporting of incidents. The IRS requires offering a hotline.

  3. In this IRM, PGLD policies on the incident response assistance control include, but are not limited to, the sections listed in the IR-1 references, IRM 10.5.1.8.7.

  4. PGLD and IRS also address the incident response assistance control in the following:

    1. IRM 10.5.4: Responsibilities; Related Resources; Inadvertent Unauthorized Disclosures and Losses or Thefts of IT Assets, BYOD Assets and Hardcopy Records/Documents; PGLD/Incident Management Intake

IR-8 Incident Response -- Incident Response Plan [J]
  1. This is a joint security and privacy control about incident response plan. For the full text of the control, see the IR-8 Incident Response Plan section of IRM 10.8.1.

  2. The privacy concerns are that IRS develop and implement a coordinated approach to incident response. The IRS requires following Document 13347, Data Breach Response Playbook, and Document 13347-A, IRS Data Breach Response Plan.

  3. In this IRM, PGLD policies on the incident response plan control include, but are not limited to, the sections listed in the IR-1 references, IRM 10.5.1.8.7.

  4. PGLD and IRS also address the incident response plan control in the following:

    1. IRM 10.5.4: Responsibilities

    2. Document 13347, Data Breach Response Playbook

    3. Document 13347-A, IRS Data Breach Response Plan

IR-8(1) Incident Response -- Incident Response Plan - Breaches [P]
  1. Include the following in the Incident Response Plan for breaches involving personally identifiable information:

    1. A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;

    2. An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms;

    3. Identification of applicable privacy requirements.

    [NIST SP 800-53]

  2. The privacy concerns are that IRS develop and implement a coordinated approach to incidents. The IRS requires following Document 13347, Data Breach Response Playbook, and Document 13347-A, IRS Data Breach Response Plan.

  3. In this IRM, PGLD policies on the breaches control include, but are not limited to, the sections listed in the IR-1 references, IRM 10.5.1.8.7.

  4. PGLD and IRS also address the breaches control in the following:

    1. IRM 10.5.4: Reporting Losses, Thefts and Disclosures; PGLD/Incident Management Risk Assessment

    2. Document 13347, Data Breach Response Playbook

    3. Document 13347-A, IRS Data Breach Response Plan

MP-1 Media Protection -- Policy and Procedures [J]

  1. This is a joint security and privacy control requiring that the IRS have policy and procedures about the media protection control. For the full text of the control, see the MP-1 Media Protection Policy and Procedures section of IRM 10.8.1.

  2. In this IRM, PGLD policies on the media protection policy and procedures control include, but are not limited to, the sections:

    1. IRM 10.5.1.2, Key Privacy Definitions [Sensitive But Unclassified (SBU) Data, Personally Identifiable Information (PII), Federal Tax Information (FTI), Unauthorized Access of SBU Data, Privacy Act Information, Need to Know]

    2. IRM 10.5.1.3.2, IRS Privacy Principles (Strict Confidentiality [PVR-05], Security [PVR-06])

    3. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities

    4. IRM 10.5.1.5.1, Clean Desk Policy

    5. IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data (including Limiting Sharing of SBU Data)

    6. IRM 10.5.1.6.2, Encryption (including External, Internal)

    7. IRM 10.5.1.6.3, Computers and Mobile Computing Devices

    8. IRM 10.5.1.6.5, Marking

    9. IRM 10.5.1.6.6, Storage

    10. IRM 10.5.1.6.9, Other Forms of Transmission

    11. IRM 10.5.1.6.10, Disposition and Destruction

    12. IRM 10.5.1.6.15, Contractors

  3. PGLD and IRS also address the media protection policy and procedures control in the following:

    1. IRM 10.5.6: Requirements of the Privacy Act

    2. IRM 1.15.6: Security of Electronic Records, Retention and Disposition of Electronic Records

    3. IRM 11.3.12: throughout, and specifically Official Use Only

MP-6 Media Protection -- Media Sanitization [J]
  1. This is a joint security and privacy control about media sanitization. For the full text of the control, see the MP-6 Media Sanitization section of IRM 10.8.1.

  2. The privacy concerns are preventing the disclosure of information to unauthorized individuals when such media is reused or released for disposal. The IRS requires compliance with the IRS Records and Information program.

  3. In this IRM, PGLD policies on the media sanitization control include, but are not limited to, the sections:

    1. IRM 10.5.1.6.10, Disposition and Destruction

    2. IRM 10.5.1.7.7, Records and Information Management (RIM)

  4. PGLD and IRS also address the media sanitization control in the following:

    1. IRM 10.5.6: Requirements of the Privacy Act

    2. IRM 1.15.6: Retention and Disposition of Electronic Records

PE-1 Physical and Environmental Protection -- Policy and Procedures [J]

  1. This is a joint security and privacy control requiring that the IRS have policy and procedures about the physical and environmental protection control. For the full text of the control, see the PE-1 Physical and Environmental Protection Policy and Procedures section of IRM 10.8.1.

    Note:

    This control differs from the NIST baseline where it is a security control, but will be assessed as a joint control per IRS Collaboration.

  2. In this IRM, PGLD policies on the physical and environmental protection policy and procedures control include, but are not limited to, the sections:

    1. IRM 10.5.1.2.9, High Security Items

    2. IRM 10.5.1.3.2, IRS Privacy Principles (Purpose Limitation [PVR-02], Minimizing Collection, Use, Retention, and Disclosure [PVR-03], Security [PVR-06])

    3. IRM 10.5.1.5.1, Clean Desk Policy

  3. PGLD and IRS also address the physical and environmental protection policy and procedures control in the following:

    1. IRM 10.5.6: Requirements of the Privacy Act

PE-8(3) Physical and Environmental Protection -- Visitor Access Records - Limit Personally Identifiable Information Elements [P]
  1. Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: Minimum necessary PII. [NIST SP 800-53]

  2. The privacy concerns are that limiting PII elements in visitor access records when such information is not needed for operational purposes helps reduce the level of privacy risk. The IRS requires collecting only minimum necessary information.

  3. In this IRM, PGLD policies on the limit personally identifiable information elements control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2, IRS Privacy Principles (Purpose Limitation [PVR-02], Minimizing Collection, Use, Retention, and Disclosure [PVR-03], Security [PVR-06])

  4. PGLD and IRS also address the limit personally identifiable elements control in the following:

    1. IRM 10.5.6: Requirements of the Privacy Act

PL-1 Planning -- Policy and Procedures [J]

  1. This is a joint security and privacy control requiring that the IRS have policy and procedures about the planning control. For the full text of the control, see the PL-1 Planning Policy and Procedures section of IRM 10.8.1.

  2. In this IRM, PGLD policies on the planning policy and procedures control include, but are not limited to, the sections:

    1. IRM 10.5.1.3, Key Privacy Concepts (Privacy Controls, IRS Privacy Principles)

    2. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (System Owners, System Developers, Authorizing Officials)

    3. IRM 10.5.1.6.16, Online Data and Privacy Notices

    4. IRM 10.5.1.6.17, Social Media

    5. IRM 10.5.1.7.2, Privacy and Civil Liberties Impact Assessment (PCLIA)

    6. IRM 10.5.1.7.11, Enterprise Life Cycle (ELC)

    7. IRM 10.5.1.7.15, IT Security

  3. PGLD and IRS also address the planning policy and procedures control in the following:

    1. IRM 10.5.2: throughout, and specifically Responsibilities, PCLIA Roles and Responsibilities, System PCLIAs, Determining SharePoint PIA Requirement, FISMA Reporting

    2. IRM 10.5.6: Privacy Act Publication and Reporting Requirements

    3. IRM 10.5.8: Security controls applicable to non-production data

    4. IRM 1.15.1: Responsibilities of the IRS Records Officer

    5. IRM 1.15.6: Creation, Use, and Maintenance of Structured Electronic Data; Security of Electronic Records

PL-2 Planning -- System Security and Privacy Plan [J]
  1. This is a joint security and privacy control about system security and privacy plan. For the full text of the control, see the PL-2 System Security and Privacy Plan section of IRM 10.8.1.

  2. The privacy concerns are that privacy needs to be incorporated into the system development lifecycle. The IRS requires following the ELC, completing the PCLIA process, and including privacy requirements in the system security and privacy plans.

  3. In this IRM, PGLD policies on the system security and privacy plan control include, but are not limited to, the sections listed in the PL-1 references, IRM 10.5.1.8.10.

  4. PGLD and IRS also address the system security and privacy plan control in the sections listed in the PL-1 references, IRM 10.5.1.8.10.

PL-4 Planning -- Rules of Behavior [J]
  1. This is a joint security and privacy control about rules of behavior. For the full text of the control, see the PL-4 Rules of Behavior section of IRM 10.8.1.

  2. The privacy concerns are that all personnel with access to PII understand and comply with the rules of behavior. The IRS requires using an IRS-approved access control system [such as Online 5081 (OL5081) or Business Entitlement Access Request System (BEARS)] to communicate and document acknowledgement of the IRS System Security Rules.

  3. In this IRM, PGLD policies on the rules of behavior control include, but are not limited to, the section IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities.

  4. PGLD and IRS also address the rules of behavior control in the following:

    1. IRM 10.5.5: IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program

    2. IRM 11.3.1: Disclosure Code, Authority and Procedure (CAP)

    3. Document 12011, IRS Ethics Handbook

PL-4(1) Planning -- Rules of Behavior - Social Media and External Site/Application Usage Restrictions [J]
  1. This is a joint security and privacy control about social media and external site/application usage restrictions. For the full text of the control, see the PL-4 Rules of Behavior section of IRM 10.8.1.

  2. The privacy concerns are that all personnel with access to PII understand and comply with the rules of behavior. The IRS requires using an IRS-approved access control system (such as OL5081 or BEARS) to communicate and document acknowledgement of the IRS System Security Rules.

  3. In this IRM, PGLD policies on the social media and external site/application usage restrictions control include, but are not limited to, the sections:

    1. IRM 10.5.1.6.11.2, Location Services

    2. IRM 10.5.1.6.17, Social Media

  4. PGLD and IRS also address the social media and external site/application usage restrictions control in the following:

    1. IRM 10.5.2: Social Media PCLIA

    2. IRM 11.1.3: Media Responsibilities

    3. IRM 11.3.21: Use of Social Networking and Other Internet Sites by IRS Employees for Compliance Research or for Other Purpose

    4. IRM 1.15.6: Use of Social Media

    5. Document 12011, IRS Ethics Handbook

PL-8 Planning -- Security and Privacy Architecture [J]
  1. This is a joint security and privacy control about security and privacy architecture. For the full text of the control, see the PL-8 Security and Privacy Architecture section of IRM 10.8.1.

  2. The privacy concerns are that privacy needs to be incorporated into the system development lifecycle. The IRS requires following the ELC, completing the PCLIA process, and including privacy requirements in the system security and privacy architecture.

  3. In this IRM, PGLD policies on the security and privacy architecture control include, but are not limited to, the sections listed in the PL-1 references, IRM 10.5.1.8.10.

  4. PGLD and IRS also address the security and privacy architecture control in the sections listed in the PL-1 references, IRM 10.5.1.8.10.

PL-9 Planning -- Central Management [J]
  1. This is a joint security and privacy control about central management. For the full text of the control, see the PL-9 Central Management section of IRM 10.8.1.

    Note:

    This control differs from the NIST baseline where it is privacy, but joint per IRS Collaboration requirements.

  2. The privacy concerns are to support privacy continuous monitoring and risk-based decision-making within the organization. The IRS requires managing the control assessment through the Enterprise FISMA Compliance program.

  3. In this IRM, PGLD policies on the central management control include, but are not limited to, the sections listed in the PL-1 references, IRM 10.5.1.8.10.

  4. PGLD and IRS also address the central management control in the sections listed in the PL-1 references, IRM 10.5.1.8.10.

PM-1 Program Management

  1. The PM-1 is a security-only [S] control in IRM 10.8.1. Privacy program plans are addressed separately in PM-18.

PM-3 Program Management -- Information Security and Privacy Resources [J]
  1. This is a joint security and privacy control about information security and privacy resources. For the full text of the control, see the PM-3 Information Security and Privacy Resources section of IRM 10.8.1.

  2. The privacy concerns are that privacy programs have the resources needed to manage federal information resources that involve PII. The IRS requires senior management and executives ensure their programs and policies meet this responsibility.

  3. In this IRM, PGLD policies on the information security and privacy resources control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2, IRS Privacy Principles (Accountability [PVR-01])

    2. IRM 10.5.1.4, IRS-Wide Roles and Responsibilities (Senior Management/Executives)

  4. PGLD and IRS also address the information security and privacy resources control in the following:

    1. IRM 1.1.27: Roles and Responsibilities, Program and Planning Support

    2. IRS Privacy Program Plan

PM-4 Program Management -- Plan of Action and Milestones [J]
  1. This is a joint security and privacy control about plan of action and milestones. For the full text of the control, see the PM-4 Plan of Action and Milestones section of IRM 10.8.1.

  2. The privacy concerns are to reduce privacy risk by documenting and tracking planned remediations on POA&Ms. The IRS requires that System Owners include privacy risks identified on the PCLIA are in a POA&M.

  3. In this IRM, PGLD policies on the plan of action and milestones control include, but are not limited to, the section, IRM 10.5.1.4.4, System Owners.

  4. PGLD and IRS also address the plan of action and milestones control in IRM 10.5.2: Roles and Responsibilities.

PM-5(1) Program Management -- System Inventory - Inventory of Personally Identifiable Information [P]
  1. Establish, maintain, and update every three years an inventory of all systems, applications, and projects that process personally identifiable information. [NIST SP 800-53]

    Note:

    This control differs from the NIST baseline where it is a joint control, but will be assessed as a privacy control per IRS Collaboration.

  2. The privacy concerns are the IRS uses this inventory to ensure that systems only process the PII for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein. The IRS requires using the PCLIA process.

  3. In this IRM, PGLD policies on the inventory of personally identifiable information control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2, IRS Privacy Principles (Purpose Limitation [PVR-02], Security [PVR-06])

  4. PGLD and IRS also address the inventory of personally identifiable information control in the following:

    1. IRM 10.5.2: throughout, and specifically, Treasury Holdings PII Report

    2. IRM 10.5.6: Publication and Reporting Requirements Responsibilities

PM-6 Program Management -- Measures of Performance [J]
  1. This is a joint security and privacy control about measures of performance. For the full text of the control, see the PM-6 Measures of Performance section of IRM 10.8.1.

  2. The privacy concerns are to measure the effectiveness or efficiency of the privacy programs and the controls employed. The IRS requires measuring privacy performance on the PGLD Internal and External Reports site.

  3. In this IRM, PGLD policies on the measures of performance control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2, IRS Privacy Principles (Purpose Limitation [PVR-02], Security [PVR-06])

  4. PGLD and IRS also address the measures of performance control in the following:

    1. IRM 10.5.2: FISMA Reporting

    2. IRM 10.5.4: Measures and Reports; Timeliness of the Data Breach Notification

    3. IRM 11.3.13: FOIA Reporting

    4. IRM 11.3.39: Annual Matching Activity Review and Report

PM-7 Program Management -- Enterprise Architecture [J]
  1. This is a joint security and privacy control about enterprise architecture. For the full text of the control, see the PM-7 Enterprise Architecture section of IRM 10.8.1.

  2. The privacy concerns are to ensure that privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The IRS requires compliance with Enterprise Architecture’s standards.

  3. In this IRM, PGLD policies on the enterprise architecture control include, but are not limited to, the sections:

    1. IRM 10.5.1.3, Key Privacy Concepts

    2. IRM 10.5.1.7.11, Enterprise Life Cycle (ELC)

  4. PGLD and IRS also address the enterprise architecture control in the following:

    1. IRM 10.5.2: Background, System PCLIAs, Reconciliation with As-Built Architecture (ABA)

PM-8 Program Management -- Critical Infrastructure Plan [J]
  1. This is a joint security and privacy control about critical infrastructure plan. For the full text of the control, see the PM-8 Critical Infrastructure Plan section of IRM 10.8.1.

  2. The privacy concerns are the IRS address privacy issues in critical infrastructure, assets, resources, and processes in the mission life cycle. The IRS requires embedding data protection through the life cycle of critical infrastructure, assets, resources, and processes.

  3. In this IRM, PGLD policies on the critical infrastructure plan control include, but are not limited to, the sections:

    1. IRM 10.5.1.2.1, Privacy Lifecycle

    2. IRM 10.5.1.2.2, Sensitive But Unclassified (SBU) Data

  4. PGLD and IRS also address the critical infrastructure plan control in the following:

    1. IRM 10.5.2: PCLIA’s Relevance to Privacy Compliance

    2. IRM 10.6.1: Responsibilities

PM-9 Program Management -- Risk Management Strategy [J]
  1. This is a joint security and privacy control about risk management strategy. For the full text of the control, see the PM-9 Risk Management Strategy section of IRM 10.8.1.

  2. The privacy concerns are that the IRS manage privacy risk to individuals resulting from the authorized processing of PII. The IRS requires:

    1. Implementing a risk management framework consistent with OMB guidance.

    2. Assessing regularly for risks based on the privacy controls.

    3. Developing and monitoring mitigation projects to minimize privacy risks.

  3. In this IRM, PGLD policies on the risk management strategy control include, but are not limited to, the sections:

    1. IRM 10.5.1.2, Key Privacy Definitions [Sensitive But Unclassified (SBU) Data, Personally Identifiable Information (PII), Federal Tax Information (FTI)]

    2. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (including System Owners, Authorizing Officials)

    3. IRM 10.5.1.3.1, Privacy Controls

    4. IRM 10.5.1.3.2, IRS Privacy Principles (Accountability [PVR-01], Minimizing Collection, Use, Retention, and Disclosure [PVR-03], Strict Confidentiality [PVR-05])

    5. IRM 10.5.1.6.1.1, Deciding Risk Levels for SBU Data

    6. IRM 10.5.1.6.18.5, Cloud Computing

    7. IRM 10.5.1.7.2, Privacy and Civil Liberties Impact Assessment (PCLIA)

    8. IRM 10.5.1.7.3, Business PII Risk Assessment (BPRA)

    9. IRM 10.5.1.7.9, Digital Identity Risk Assessment (DIRA) [formerly Electronic Risk Assessment (e-RA)]

    10. IRM 10.5.1.7.14.2, Risk Management for Authentication in Non-Electronic Channels (Omni Channel Risk Assessment)

  4. PGLD and IRS also address the risk management strategy control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA), Major Change Determination (MCD) for PCLIA, Business PII Risk Assessment (BPRA), Responsibilities, BPRA Roles and Responsibilities

    2. IRM 10.5.4: PGLD/Incident Management Risk Assessment

    3. IRM 10.5.5: Servicewide Roles and Responsibilities for Administering the IRS UNAX Program,

    4. IRM 10.5.6: OMB Privacy Act Guidance, Agency Review Requirements (Exhibit 1 formerly in IRM 11.3.14)

    5. IRM 10.5.8: Security controls applicable to non-production data

    6. IRS Privacy Program Plan

PM-10 Program Management -- Authorization Process [J]
  1. This is a joint security and privacy control about authorization process. For the full text of the control, see the PM-10 Authorization Process section of IRM 10.8.1.

  2. The privacy concerns are to address privacy requirements before authorization to operate. The IRS requires including privacy in the ELC (specifically PCLIAs).

  3. In this IRM, PGLD policies on the authorization process control include, but are not limited to, the sections:

    1. IRM 10.5.1.2, Key Privacy Definitions [Sensitive But Unclassified (SBU) Data, Personally Identifiable Information (PII), Federal Tax Information (FTI)]

    2. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (including System Owners, Authorizing Officials)

    3. IRM 10.5.1.3.1, Privacy Controls

    4. IRM 10.5.1.3.2, IRS Privacy Principles

    5. IRM 10.5.1.6.18.5, Cloud Computing

    6. IRM 10.5.1.7.2, Privacy and Civil Liberties Impact Assessment (PCLIA)

    7. IRM 10.5.1.7.3, Business PII Risk Assessment (BPRA)

    8. IRM 10.5.1.7.9, Digital Identity Risk Assessment (DIRA) [formerly Electronic Risk Assessment (e-RA)]

    9. IRM 10.5.1.7.14.2, Risk Management for Authentication in Non-Electronic Channels (Omni Channel Risk Assessment)

  4. PGLD and IRS also address the authorization process control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA), Major Change Determination (MCD) for PCLIA, Business PII Risk Assessment (BPRA), Responsibilities, BPRA Roles and Responsibilities

    2. IRM 10.5.4: PGLD/Incident Management Risk Assessment

    3. IRM 10.5.5: Servicewide Roles and Responsibilities for Administering the IRS UNAX Program,

    4. IRM 10.5.6: OMB Privacy Act Guidance, Agency Review Requirements (Exhibit 1 formerly in IRM 11.3.14)

    5. IRM 10.5.8: Security controls applicable to non-production data

PM-11 Program Management -- Mission and Business Process Definition [J]
  1. This is a joint security and privacy control about mission and business process definition. For the full text of the control, see the PM-11 Mission and Business Process Definition section of IRM 10.8.1.

  2. The privacy concerns are the IRS protects privacy in systems and safeguards privacy in everyday business processes supporting the IRS mission. The IRS requires a privacy culture, wherein all personnel think about privacy before acting. The mission of the service requires the IRS safeguard privacy and protect privacy rights.

  3. In this IRM, PGLD policies on the mission and business process definition control include, but are not limited to, the sections:

    1. IRM 10.5.1.1.1, Purpose of the Program

    2. IRM 10.5.1.3.2, IRS Privacy Principles

    3. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (Employees/Personnel)

    4. IRM 10.5.1.5, Privacy Culture [Privacy in Practice (PiP)]

  4. PGLD and IRS also address the mission and business process definition control in the following:

    1. IRM 10.5.2: Business PII Risk Assessment (BPRA)

    2. IRM 10.5.6: Responsibilities, Privacy Principles

    3. IRM 11.3.1: Disclosure Code, Authority and Procedure (CAP)

    4. IRM 1.1.27: Roles and Responsibilities

    5. IRM 1.2.1: Policy Statement 1-1, Mission of the Service, Taxpayer Privacy Rights

PM-13 Program Management -- Security and Privacy Workforce [J]
  1. This is a joint security and privacy control about security and privacy workforce. For the full text of the control, see the PM-13 Security and Privacy Workforce section of IRM 10.8.1.

  2. The privacy concerns are the IRS develop and institutionalize the core privacy capabilities of personnel needed to protect organizational operations, assets, and individuals. The IRS requires defining and developing privacy training for PGLD and other privacy-minded personnel.

  3. In this IRM, PGLD policies on the security and privacy workforce control include, but are not limited to, the sections:

    1. IRM 10.5.1.1.2, Audience

    2. IRM 10.5.1.3.2, IRS Privacy Principles (Privacy Awareness and Training [PVR-10])

  4. PGLD and IRS also address the security and privacy workforce control in the following:

    1. IRM 10.5.2: PCLIA Roles and Responsibilities

    2. IRM 10.5.6: Privacy Act Training

    3. IRM 1.1.27: Roles and Responsibilities

    4. IRS Privacy Program Plan

PM-14 Program Management -- Testing, Training, and Monitoring [J]
  1. This is a joint security and privacy control about testing, training, and monitoring. For the full text of the control, see the PM-14 Testing, Training, and Monitoring section of IRM 10.8.1.

  2. The privacy concerns are that the IRS coordinates the training for personnel with access to PII and the testing of privacy controls. The IRS requires reviewing testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

  3. In this IRM, PGLD policies on the testing, training, and monitoring control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2.10, Privacy Awareness and Training [PVR-10]

    2. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (including Employees/Personnel, Management, Senior Management/Executives, System Owners, Personnel Engaged in Procurement Activities)

    3. IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data

    4. IRM 10.5.1.6.15, Contractors

    5. IRM 10.5.1.7.6, Mandatory Briefings

  4. PGLD and IRS also address the testing, training, and monitoring control in the following:

    1. IRM 10.5.2: Program Scope and Objectives, Privacy and Civil Liberties Impact Assessment (PCLIA)

    2. IRM 10.5.4: Program Scope and Objectives; Responsibilities; Awareness Training and Education

    3. IRM 10.5.5: throughout, and specifically Servicewide Roles and Responsibilities for Administering the IRS UNAX Program, Manager UNAX Responsibilities, IRP UNAX Program Team Roles and Responsibilities

    4. IRM 10.5.6: Privacy Act Training

    5. IRM 10.5.8: Security controls applicable to non-production data

    6. IRM 11.3.1: Roles and Responsibilities

    7. IRM 1.15.1: Responsibilities of the IRS Records Officer, Responsibilities of the RIM Records Specialist

    8. IRM 1.1.27: Roles and Responsibilities

    9. Privacy & Civil Liberties Impact Assessment (PCLIA) Reference Guide

PM-15 Program Management -- Security and Privacy Groups and Associations [J]
  1. This is a joint security and privacy control about security and privacy groups and associations. For the full text of the control, see the PM-15 Security and Privacy Groups and Associations section of IRM 10.8.1.

    Note:

    This control differs from the NIST baseline where it is a security control, but will be assessed as a joint control per IRS Collaboration.

  2. The privacy concerns are the IRS maintain ongoing contact with security and privacy groups and associations in an environment of rapidly changing technologies and threats. The IRS requires encouraging participation in appropriate groups, such as Federal Privacy Council (FPC), International Association of Privacy Professionals (IAPP), etc.

  3. In this IRM, PGLD policies on the security and privacy groups and associations control include, but are not limited to, the sections:

    1. IRM 10.5.1.7.1, IRS Privacy Council

    2. Exhibit 10.5.1-2, References

  4. PGLD and IRS also address the security and privacy groups and associations control in the following:

    1. IRM 1.1.27: Responsibilities

    2. IRS Privacy Program Plan

PM-17 Program Management -- Protecting Controlled Unclassified Information on External Systems [J]
  1. This is a joint security and privacy control about protecting controlled unclassified information (CUI) on external systems. For the full text of the control, see the PM-17 Protecting Controlled Unclassified Information on External Systems section of IRM 10.8.1.

  2. The privacy concerns are that all sensitive information is protected on external systems. The IRS requires that contractors and external partners protect all SBU data (including PII and tax information).

    Note:

    Once the IRS implements the CUI program, then these requirements will apply to all CUI.

  3. In this IRM throughout, and specifically, PGLD policies on the protecting controlled unclassified information/SBU data on external systems control include, but are not limited to, the sections:

    1. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (Personnel Engaged in Procurement Activities)

    2. IRM 10.5.1.6.15, Contractors

    3. IRM 10.5.1.6.18.5, Cloud Computing

    4. IRM 10.5.1.7.12, Governmental Liaison (GL)

    5. IRM 10.5.1.7.18, Safeguards

  4. PGLD and IRS also address the protecting controlled unclassified information/SBU data on external systems control in the following:

    1. IRM 10.5.2: System PCLIAs, Survey PCLIA, Shared Storage PIAs

    2. IRM 10.5.4: Reporting Losses, Thefts, and Disclosures

    3. IRM 10.5.5: throughout, and specifically Employee and Contractor UNAX Responsibilities

    4. IRM 10.5.6: Responsibilities, Privacy Act Training, Privacy Act Contract Requirements

    5. IRM 11.3.24: throughout, and specifically Requirements

    6. IRM 11.3.36: throughout, and specifically Legal Requirements

    7. IRM 11.4.1: throughout, and specifically Data Exchange Agreements

    8. IRM 1.15.1: Responsibilities of all IRS Employees and Contractors

    9. Document 13347, Data Breach Response Playbook: Section 5.4, External Third-Party Incidents

    10. Document 13347-A, IRS Data Breach Response Plan: Section 2.5, Contractors

PM-18 Program Management -- Privacy Program Plan [P]
  1. Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:

    1. Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;

    2. Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;

    3. Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;

    4. Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;

    5. Reflects coordination among organizational entities responsible for the different aspects of privacy; and

    6. Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and

  2. Update the plan every three years or more frequently to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments. [NIST SP 800-53]

    Note:

    This control differs from the NIST baseline where it is a joint control, but will be assessed as a privacy control per IRS Collaboration.

  3. The privacy concerns are that the IRS formally documents its privacy program. The IRS requires publishing the IRS Privacy Program Plan.

  4. In this IRM, PGLD policies on the Privacy Program Plan control include, but are not limited to, the sections:

    1. IRM 10.5.1.1, Program Scope and Objectives

    2. IRM 10.5.1.3.1, Privacy Controls

  5. PGLD and IRS also address the Privacy Program Plan control in the following:

    1. IRM 10.5.6: OMB Privacy Act Guidance

    2. IRS Privacy Program Plan

PM-19 Program Management -- Privacy Program Leadership Role [P]
  1. Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program. [NIST SP 800-53]

    Note:

    This control differs from the NIST baseline where it is a joint control, but will be assessed as a privacy control per IRS Collaboration.

  2. The privacy concerns are that the IRS has a senior official responsible for ensuring that IRS implements sound policies to protect SBU data (including PII and tax information). The IRS requires designating a Chief Privacy Officer (CPO); Treasury appoints the senior agency official for privacy (SAOP).

  3. In this IRM, PGLD policies on the privacy program leadership role control include, but are not limited to, the sections:

    1. IRM 10.5.1.1.1, Purpose of the Program

    2. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (including Senior Management/Executives)

    3. IRM 10.5.1.7.1, IRS Privacy Council

  4. PGLD and IRS also address the privacy program leadership role control in the following:

    1. IRM 10.5.6: Responsibilities, OMB Privacy Act Guidance

    2. IRM 1.1.27: Roles and Responsibilities

PM-20 Program Management -- Dissemination of Privacy Program Information [P]
  1. Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:

    1. Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;

    2. Ensures that organizational privacy practices and reports are publicly available; and

    3. Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.

    [NIST SP 800-53]

    Note:

    This control differs from the NIST baseline where it is a joint control, but will be assessed as a privacy control per IRS Collaboration.

  2. The privacy concerns are that people have a way to see privacy policies and contact the IRS regarding concerns. The IRS requires maintaining the IRS.gov Privacy Policy page https://www.irs.gov/privacy and giving the email privacy@treasury.gov.

  3. In this IRM, PGLD policies on the dissemination of privacy program information control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2, IRS Privacy Principles

    2. IRM 10.5.1.6.16, Online Data and Privacy Notices

  4. PGLD and IRS also address the dissemination of privacy program information control in the following:

    1. IRM 10.5.2: PCLIAs on IRS.gov

    2. IRM 10.5.6: Privacy Act Publication and Reporting Requirements, Privacy Act Access and Amendment of Records

    3. IRM 11.3.13: throughout, and specifically FOIA and Routine Established Agency Procedures for other types of requests (including tax information)

PM-20(1) Program Management -- Dissemination of Privacy Program Information - Privacy Policies on Websites, Applications, and Digital Services [P]
  1. Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that:

    1. Are written in plain language and organized in a way that is easy to understand and navigate;

    2. Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and

    3. Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes.

    [NIST SP 800-53]

    Note:

    This control differs from the NIST baseline where it is a joint control, but will be assessed as a privacy control per IRS Collaboration.

  2. The privacy concerns are the public can make an informed decision about sharing their information. The IRS requires both maintaining the IRS.gov Privacy Policy page https://www.irs.gov/privacy and a link to that page for all external facing online services.

  3. In this IRM, PGLD policies on the privacy policies on websites, applications, and digital services control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2.4, Openness and Consent [PVR-04]

    2. IRM 10.5.1.6.16, Online Data and Privacy Notices

  4. PGLD and IRS also address the privacy policies on websites, applications, and digital services control in the following:

    1. IRM 10.5.6: Online Privacy Policy Notices, Privacy Act Recordkeeping Restrictions

PM-21 Program Management -- Accounting of Disclosures [P]
  1. Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:

    1. Date, nature, and purpose of each disclosure; and

    2. Name and address, or other contact information of the individual or organization to which the disclosure was made;

  2. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and

  3. Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request. [NIST SP 800-53]

    Note:

    This control differs from the NIST baseline where it is a joint control, but will be assessed as a privacy control per IRS Collaboration.

  4. The privacy concerns are to allow individuals to learn to whom their PII has been disclosed. The IRS requires that employees authorized to make disclosures of non-tax Privacy Act records must account for such disclosures.

  5. In this IRM, PGLD policies on the accounting of disclosures control include, but are not limited to, the section IRM 10.5.1.2.7, Privacy Act Information.

  6. PGLD and IRS also address the accounting of disclosures control in the following:

    1. IRM 10.5.6: Privacy Act Accounting for Disclosures

    2. IRM 11.3.37: Accounting System

PM-22 Program Management -- Personally Identifiable Information Quality Management [P]
  1. Develop and document organization-wide policies and procedures for:

    1. Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;

    2. Correcting or deleting inaccurate or outdated personally identifiable information;

    3. Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and

    4. Appeals of adverse decisions on correction or deletion requests.

    [NIST SP 800-53]

    Note:

    This control differs from the NIST baseline where it is a joint control, but will be assessed as a privacy control per IRS Collaboration.

  2. The privacy concerns are to confirm the accuracy and relevance of PII throughout the information life cycle. The IRS requires accuracy, completeness, and timeliness of PII to ensure fair treatment of all individuals. IRS personnel will collect information, to the greatest extent practicable, directly from the individual to whom it relates.

  3. In this IRM, PGLD policies on the personally identifiable information quality management control include, but are not limited to, the sections:

    1. IRM 10.5.1.2.1, Privacy Lifecycle

    2. IRM 10.5.1.3.2, IRS Privacy Principles (Data Quality [PVR-07], Verification and Notification [PVR-08])

    3. IRM 10.5.1.6.14, Civil Liberties

  4. PGLD and IRS also address the personally identifiable information quality management control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA)

    2. IRM 10.5.6: Program Scope and Objectives; Privacy Act General Provisions; Requirements of the Privacy Act; Privacy Act Recordkeeping Restrictions; Privacy Act Requirement to Maintain Accurate, Relevant, Timely, and Complete Records

PM-23 Program Management -- Data Governance Body [J]
  1. This is a joint security and privacy control about data governance body. For the full text of the control, see the PM-23 Data Governance Body section of IRM 10.8.1.

    Note:

    This control differs from the NIST baseline where it is a security control, but will be assessed as a joint control per IRS Collaboration.

  2. The privacy concerns are that data, including PII, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. The IRS requires using the Cybersecurity & Privacy Management Level Governance Board to establish policies, procedures, and standards that facilitate data governance.

  3. In this IRM, PGLD policies on the data governance body control include, but are not limited to, the sections:

    1. IRM 10.5.1.1.6, Authority

    2. IRM 10.5.1.7, Privacy-Related Programs

PM-24 Program Management -- Data Integrity Board [P]
  1. Establish a Data Integrity Board to:

    1. Review proposals to conduct or participate in a matching program; and

    2. Conduct an annual review of all matching programs in which the agency has participated.

    [NIST SP 800-53]

    Note:

    This control differs from the NIST baseline where it is a joint control, but will be assessed as a privacy control per IRS Collaboration.

  2. The privacy concerns are the IRS monitor the agency’s matching activities. The IRS requires having the CPO representing the IRS as a member of the Treasury Data Integrity Board.

  3. In this IRM, PGLD policies on the data integrity board control include, but are not limited to, the sections:

    1. IRM 10.5.1.6.1.2, Limiting Sharing of SBU Data

    2. IRM 10.5.1.7.13, Data Services

  4. PGLD and IRS also address the data integrity board control in the following:

    1. IRM 10.5.6: Annual Matching Activity Review and Report

    2. IRM 11.3.39: throughout, and specifically Program Scope and Objectives

PM-25 Program Management -- Minimization of Personally Identifiable Information Used for Testing, Training, and Research [P]
  1. Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;

  2. Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;

  3. Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and

  4. Review and update policies and procedures every three years or if there is a significant change. [NIST SP 800-53]

    Note:

    This control differs from the NIST baseline where it is a joint control, but will be assessed as a privacy control per IRS Collaboration.

  5. The privacy concerns are that the use of PII in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. The IRS requires the SBU Data Use process for non-production environments.

  6. In this IRM, PGLD policies on the minimization of personally identifiable information used for testing, training, and research control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2.3, Minimizing Collection, Use, Retention, and Disclosure [PVR-03]

    2. IRM 10.5.1.7.20, SBU Data Use for Non-Production Environments

  7. PGLD and IRS also address the minimization of personally identifiable information used for testing, training, and research control in the following:

    1. IRM 10.5.8: throughout, and specifically all security controls applicable to non-production data

PM-26 Program Management -- Complaint Management [P]
  1. Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes:

    1. Mechanisms that are easy to use and readily accessible by the public;

    2. All information necessary for successfully filing complaints;

    3. Tracking mechanisms to ensure all complaints received are reviewed and addressed within 20 business days;

    4. Acknowledgement of receipt of complaints, concerns, or questions from individuals within 20 business days if the IRS will not be responding with the response within 20 days; and

    5. Response to complaints, concerns, or questions from individuals within 20 business days.

    [NIST SP 800-53]

    Note:

    This control differs from the NIST baseline where it is a joint control, but will be assessed as a privacy control per IRS Collaboration.

  2. The privacy concerns are to respond to concerns that members of the public might have about their privacy. The IRS requires having a Privacy Complaints section on https://www.irs.gov/privacy.

  3. In this IRM, PGLD policies on the complaint management control include, but are not limited to, the sections:

    1. IRM 10.5.1.1.1, Purpose of the Program

    2. IRM 10.5.1.6.16, Online Data and Privacy Notices

  4. PGLD and IRS also address the complaint management control in the following:

    1. IRM 10.5.2: Section 803 Reporting

    2. IRM 10.5.4: Caller Indicates He/She is a Victim of Identity Theft as a Result of an IRS Data Breach

    3. IRM 10.5.6: Responsibilities, Section 803 Reports Pertaining to Privacy Act Complaints

    4. IRS Privacy Program Plan

PM-27 Program Management -- Privacy Reporting [P]
  1. Develop all required privacy reports listed in the latest spreadsheet for internal and external reports on the PGLD Internal and External Reports site and disseminate to:

    1. the appropriate oversight bodies in the Distribution Level(s) column to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and

    2. the appropriate officials in the Groups Responsible column and other personnel with responsibility for monitoring privacy program compliance; and

  2. Review and update privacy reports on the frequency listed in the Due Date column. [NIST SP 800-53]

    Note:

    This control differs from the NIST baseline where it is a joint control, but will be assessed as a privacy control per IRS Collaboration.

  3. The privacy concerns are to promote accountability and transparency in organizational privacy operations. The IRS requires compliance with established reporting activities.

  4. In this IRM, PGLD policies on the privacy reporting control include, but are not limited to, the section IRM 10.5.1.7.4, Treasury PII Holdings Report.

  5. PGLD and IRS also address the privacy reporting control in the following:

    1. IRM 10.5.2: Reporting

    2. IRM 10.5.4: Measures and Reports; Inadvertent Unauthorized Disclosures and Losses or Thefts of IT Assets, BYOD Assets and Hardcopy Records/Documents [Treasury Government Security Operations Center (GSOC)]; High-Risk Data Breaches

    3. IRM 10.5.5: Servicewide Roles and Responsibilities for Administering the IRS UNAX Program

    4. IRM 10.5.6: Privacy Act Publication and Reporting Requirements

    5. IRM 11.3.13: FOIA Reporting

    6. IRM 11.3.37: Disclosure Accounting Report to the Joint Committee on Taxation (JCT)

    7. IRM 11.3.39: Matching Program Notice and Reporting Requirements

    8. PGLD Internal and External Reports

    9. Document 13347-A, IRS Data Breach Response Plan: Section 11, Reports

PM-28 Program Management -- Risk Framing [J]
  1. This is a joint security and privacy control about risk framing. For the full text of the control, see the PM-28 Risk Framing section of IRM 10.8.1.

  2. The privacy concerns are that privacy considerations inform risk assessment, risk response, and risk monitoring activities. The IRS requires conducting PCLIAs, BPRAs, and other risk assessment, response, and monitoring activities and sharing results with the CPO.

  3. In this IRM, PGLD policies on the risk framing control include, but are not limited to, the sections:

    1. IRM 10.5.1.1.5, Background

    2. IRM 10.5.1.3.2, IRS Privacy Principles

    3. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (Management, Senior Management/Executives, System Owners, System Developers, Authorizing Officials, Personnel Engaged in Procurement Activities)

    4. IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data and PII

    5. IRM 10.5.1.6.1.1, Deciding Risk Levels for SBU Data and PII

    6. IRM 10.5.1.6.1.2, Limiting Sharing of SBU Data and PII

    7. IRM 10.5.1.6.8, Email

    8. IRM 10.5.1.7.2, Privacy and Civil Liberties Impact Assessment (PCLIA)

    9. IRM 10.5.1.7.3, Business PII Risk Assessment (BPRA)

    10. IRM 10.5.1.7.9, Digital Identity Risk Assessment (DIRA) [formerly Electronic Risk Assessment (e-RA)]

  4. PGLD and IRS also address the risk framing control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA), Business PII Risk Assessment (BPRA)

    2. IRM 10.5.4: Background; Responsibilities; PGLD/Incident Management Intake, Risk Assessment and Notification

    3. IRM 10.5.8: Security controls applicable to non-production data

    4. IRM 10.10.1: Oversight Procedure

    5. IRS Privacy Program Plan

    6. Document 13347, Data Breach Response Playbook

    7. Document 13347-A, IRS Data Breach Response Plan

PM-31 Program Management -- Continuous Monitoring Strategy [J]
  1. This is a joint security and privacy control about continuous monitoring strategy. For the full text of the control, see the PM-31 Continuous Monitoring Strategy section of IRM 10.8.1.

  2. The privacy concerns are to conduct continuous monitoring to support organizational risk management decisions in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. The IRS requires following the IRS Privacy Program Plan.

  3. In this IRM, PGLD policies on the continuous monitoring strategy control include, but are not limited to, the sections:

    1. IRM 10.5.1.2, Key Privacy Definitions [Sensitive But Unclassified (SBU) Data, Personally Identifiable Information (PII), Federal Tax Information (FTI)]

    2. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (including System Owners, Authorizing Officials)

    3. IRM 10.5.1.3.1, Privacy Controls

    4. IRM 10.5.1.3.2, IRS Privacy Principles

    5. IRM 10.5.1.6.18.5, Cloud Computing

    6. IRM 10.5.1.7.2, Privacy and Civil Liberties Impact Assessment (PCLIA)

    7. IRM 10.5.1.7.3, Business PII Risk Assessment (BPRA)

    8. IRM 10.5.1.7.9, Digital Identity Risk Assessment (DIRA) [formerly Electronic Risk Assessment (e-RA)]

    9. IRM 10.5.1.7.14.2, Risk Management for Authentication in Non-Electronic Channels (Omni Channel Risk Assessment)

  4. PGLD and IRS also address the continuous monitoring strategy control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA), Major Change Determination (MCD) for PCLIA, Business PII Risk Assessment (BPRA), Responsibilities, BPRA Roles and Responsibilities

    2. IRM 10.5.4: PGLD/Incident Management Risk Assessment

    3. IRM 10.5.5: Servicewide Roles and Responsibilities for Administering the IRS UNAX Program

    4. IRM 10.5.6: OMB Privacy Act Guidance, Agency Review Requirements (Exhibit 1 formerly in IRM 11.3.14)

    5. IRM 10.5.8: Security controls applicable to non-production data

    6. IRS Privacy Program Plan

PS-1 Personnel Security -- Policy and Procedures [J]

  1. This is a joint security and privacy control requiring that the IRS have policy and procedures about the personnel security policy and procedures control. For the full text of the control, see the PS-1 Personnel Security Policy and Procedures section of IRM 10.8.1

    Note:

    This control differs from the NIST baseline where it is a security control, but will be assessed as a joint control per IRS Collaboration.

  2. In this IRM, PGLD policies on the personnel security policy and procedures control include, but are not limited to, the sections:

    1. IRM 10.5.1.1.2, Audience

    2. IRM 10.5.1.2.8, Need To Know

    3. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities

    4. IRM 10.5.1.6.15, Contractors

  3. PGLD and IRS also address the personnel security policy and procedures control in the following:

    1. IRM 10.5.5: IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program

    2. IRM 10.5.8: Security controls applicable to non-production data; throughout and specifically Requirement for Using SBU Data

    3. IRM 11.3.1: Security and Disclosure

    4. IRM 10.23 series, Personnel Security

PS-6 Personnel Security -- Access Agreements [J]
  1. This is a joint security and privacy control about access agreements. For the full text of the control, see the PS-6 Access Agreements section of IRM 10.8.1.

  2. The privacy concerns are that all personnel with access to PII understand the rules of behavior through access agreements. The IRS requires using an IRS-approved access control system (such as OL5081 or BEARS) to communicate and document acknowledgement of the IRS System Security Rules (which serves as the access agreement).

  3. In this IRM, PGLD policies on the access agreements control include, but are not limited to, the sections listed in the PS-1 references, IRM 10.5.1.8.12.

  4. PGLD and IRS also address the access agreements control in the PS-1 references, IRM 10.5.1.8.12.

PT-1 Personally Identifiable Information Processing and Transparency -- Policy and Procedures [P]

  1. Develop, document, and disseminate to all IRS personnel with access to PII:

    1. Organization-level personally identifiable information processing and transparency policy that:
      1. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      2. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

    2. Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls;

  2. Designate the CPO to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and

  3. Review and update the current personally identifiable information processing and transparency:

    1. Policy every three years and following significant changes in federal privacy laws and policy; and

    2. Procedures every three years and following significant changes in federal privacy laws and policy.

    [NIST SP 800-53]

  4. In this IRM, PGLD policies on the personally identifiable information processing and transparency policy and procedures control include all of IRM 10.5.1, but specifically the sections for transparency are:

    1. IRM 10.5.1.3.2, IRS Privacy Principles (Openness and Consent [PVR-04])

    2. IRM 10.5.1.6.16, Online Data and Privacy Notices

  5. PGLD and IRS also address the personally identifiable information processing and transparency policy and procedures control in the following:

    1. IRM 10.5.2: throughout, and specifically Program Scope and Objectives

    2. IRM 10.5.4: throughout, and specifically Program Scope and Objectives

    3. IRM 10.5.5: throughout, and specifically Program Scope and Objectives

    4. IRM 10.5.6: throughout, and specifically Program Scope and Objectives

    5. IRM 10.5.8: throughout, and specifically Program Scope and Objectives

    6. IRM 11.3.1: throughout, and specifically Program Scope and Objectives

    7. IRM 1.2.1: Policy Statement 1-1, Mission of the Service, Taxpayer Privacy Rights

PT-2 Personally Identifiable Information Processing and Transparency -- Authority to Process Personally Identifiable Information [P]
  1. Determine and document the Internal Revenue Code (IRC) and Privacy Act authority that permits the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information; and

  2. Restrict the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information to only that which is authorized. [NIST SP 800-53]

  3. The privacy concerns are that PII is only processed for authorized purposes. The IRS requires documenting authority in privacy policies and notices, SORNs, PCLIAs, Privacy Act statements, CMAs and notices, contracts, ISAs, MOUs, and other documentation.

  4. In this IRM, PGLD policies on the authority to process personally identifiable information control include, but are not limited to, the sections:

    1. IRM 10.5.1.1, Program Scope and Objectives (Authority)

    2. IRM 10.5.1.2, Key Privacy Definitions

    3. IRM 10.5.1.3.2, IRS Privacy Principles

    4. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities

    5. IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data

  5. PGLD and IRS also address the authority to process personally identifiable information control in the following:

    1. IRM 10.5.2: Authority, Privacy and Civil Liberties Impact Assessment (PCLIA)

    2. IRM 10.5.5: throughout, and specifically Program Scope and Objectives

    3. IRM 10.5.6: Authorities, Privacy Act General Provisions, Privacy Act Publication and Reporting Requirements, Privacy Act Notification Programs, Privacy Act Recordkeeping Restrictions

    4. IRM 11.3.1: Disclosure Code, Authority and Procedure (CAP)

    5. IRM 1.2.1: Policy Statement 1-1, Mission of the Service

PT-3 Personally Identifiable Information Processing and Transparency -- Personally Identifiable Information Processing Purposes [P]
  1. Identify and document the legitimate IRS purposes, namely tax administration and other authorized purposes for processing personally identifiable information;

  2. Describe the purpose(s) in the public privacy notices and policies of the organization;

  3. Restrict the processing (as defined in this IRM) of personally identifiable information to only that which is compatible with the identified purpose(s); and

  4. Monitor changes in processing personally identifiable information and implement the Privacy Compliance and Assurance team’s processes to ensure that any changes are made in accordance with this IRM and the IRS Privacy Principles. [NIST SP 800-53]

  5. The privacy concerns are that PII is processed only for identified purposes. The IRS requires that personnel consult with PGLD to ensure any new purposes that arise from changes in processing are compatible with the purpose for which the information was collected. If the new purpose is not compatible, consult with PGLD to implement mechanisms in accordance with defined requirements to allow for the new processing, if appropriate. Mechanisms might include obtaining consent from individuals, revising SORNs, updating PCLIAs, or other measures to manage privacy risks that arise from changes in PII processing purposes.

    Note:

    This control is a hybrid organization and system-level control. On the system-level, the PCLIA process addresses the control parameters.

  6. In this IRM, PGLD policies on the personally identifiable information processing purposes control include, but are not limited to, the sections:

    1. IRM 10.5.1.2, Key Privacy Definitions

    2. IRM 10.5.1.3.2, IRS Privacy Principles

    3. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities

  7. PGLD and IRS also address the personally identifiable information processing purposes control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA)

    2. IRM 10.5.6: Privacy Act General Provisions, Privacy Act Publication and Reporting Requirements, Privacy Act Notification Programs, Privacy Act Recordkeeping Restrictions

    3. IRM 10.5.8: Privacy Authorities

    4. IRM 11.3.1: Disclosure Code, Authority and Procedure (CAP)

    5. IRM 1.2.1: Policy Statement 1-1, Mission of the Service

PT-4 Personally Identifiable Information Processing and Transparency -- Consent [P]
  1. Implement appropriate mechanisms (ability to provide information voluntarily or opt in) for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making. [NIST SP 800-53]

  2. The privacy concerns are that individuals participate in making decisions about the processing of their information and provide consent as required by applicable laws. The IRS requires:

    1. Organization-level: Implied consent. The fact that the entire IRS tax administration system and employment process is based on voluntary compliance where taxpayers and personnel have implied consent by providing their information.

    2. System-level: Opt-in consent. For a system that interacts with the public, the online notices require the individual to opt in (voluntarily providing information or giving consent) to access the system.

  3. In this IRM, PGLD policies on the consent control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2.4, Openness and Consent [PVR-04]

    2. IRM 10.5.1.6.16, Online Data and Privacy Notices

  4. PGLD and IRS also address the consent control in the following:

    1. IRM 10.5.2: External Surveys

    2. IRM 10.5.6: Online Privacy Policy Notices, Privacy Act Recordkeeping Restrictions

PT-5 Personally Identifiable Information Processing and Transparency -- Privacy Notice [P]
  1. Provide notice to individuals about the processing of personally identifiable information that:

    1. Is available to individuals upon first interacting with an organization, and subsequently at every major entry point to an IRS Internet website or application, as well as on any page collecting substantial personal information from the public.

    2. Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language (an overview of IRS privacy practices);

    3. Identifies the authority that authorizes the processing of personally identifiable information;

    4. Identifies the purposes for which personally identifiable information is to be processed; and

    5. Includes a unique privacy notice when system-level website or application information collected is more specific than what IRS.gov privacy policy says.

    [NIST SP 800-53]

  2. The privacy concerns are that the IRS informs individuals about how their PII is being processed. The IRS requires providing notice to individuals before collecting or processing information.

  3. In this IRM, PGLD policies on the privacy notice control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2.4, Openness and Consent [PVR-04]

    2. IRM 10.5.1.6.16, Online Data and Privacy Notices

  4. PGLD and IRS also address the privacy notice control in the following:

    1. IRM 10.5.2: External Surveys

    2. IRM 10.5.6: throughout, and specifically Privacy Act Notification Programs [including Notice to Individuals Asked to Supply Information (Privacy Act Notice), Online Privacy Policy Notices]

    3. Privacy & Civil Liberties Impact Assessment (PCLIA) Reference Guide

PT-5(2) Personally Identifiable Information Processing and Transparency -- Privacy Notice - Privacy Act Statements [P]
  1. Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals. [NIST SP 800-53]

  2. The privacy concerns are that the IRS complies with the Privacy Act and informs individuals about how their PII is being processed. The IRS requires providing notice to individuals before collecting or processing information.

  3. In this IRM, PGLD policies on the Privacy Act statements control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2.4, Openness and Consent [PVR-04]

    2. IRM 10.5.1.6.16, Online Data and Privacy Notices

  4. PGLD and IRS also address the Privacy Act statement control in the following:

    1. IRM 10.5.2: External Surveys

    2. IRM 10.5.6: throughout, and specifically Privacy Act Notification Programs [including Notice to Individuals Asked to Supply Information (Privacy Act Notice), Online Privacy Policy Notices]

    3. Privacy & Civil Liberties Impact Assessment (PCLIA) Reference Guide

PT-6 Personally Identifiable Information Processing and Transparency -- System of Records Notice [P]
  1. For systems that process information that will be maintained in a Privacy Act system of records:

    1. Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review;

    2. Publish system of records notices in the Federal Register; and

    3. Keep system of records notices accurate, up-to-date, and scoped in accordance with policy.

    [NIST SP 800-53]

  2. The privacy concerns are that IRS has the public-facing notice of the categories, authorities, purposes, and routine uses of the PII that the IRS collects. The IRS requires the publication and updating of SORNs.

  3. In this IRM, PGLD policies on the system of records notice control include, but are not limited to, the section IRM 10.5.1.2.7, Privacy Act Information.

  4. PGLD and IRS also address the system of records notice control in the following:

    1. IRM 10.5.2: PCLIA Roles and Responsibilities

    2. IRM 10.5.6: throughout, and specifically Privacy Act Publication and Reporting Requirements

    3. Privacy & Civil Liberties Impact Assessment (PCLIA) Reference Guide

PT-6(1) Personally Identifiable Information Processing and Transparency -- System of Records Notice - Routine Uses [P]
  1. Review all routine uses published in the system of records notice on a continuous basis, at a minimum once every year to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected. [NIST SP 800-53]

  2. The privacy concerns are that the routine uses control is compatible with the purpose for which the information was originally collected. The IRS requires reviewing PCLIAs and SORNs periodically on their appropriate cycles.

  3. In this IRM, PGLD policies on the routine uses control include, but are not limited to, the section IRM 10.5.1.2.7, Privacy Act Information.

  4. PGLD addresses the routine uses control in the Agency Review Requirements section of IRM 10.5.6.

PT-6(2) Personally Identifiable Information Processing and Transparency -- System of Records Notice - Exemption Rules [P]
  1. Review all Privacy Act exemptions claimed for the system of records on a continuous basis, at a minimum once every year to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice. [NIST SP 800-53]

  2. The privacy concerns are that the exemption rules control remain appropriate and necessary. The IRS requires reviewing PCLIAs and SORNs periodically.

  3. In this IRM, PGLD policies on the system of records notice control include, but are not limited to, the section IRM 10.5.1.2.7, Privacy Act Information.

  4. PGLD and IRS also address the exemption rules control in the following:

    1. IRM 10.5.6: Agency Review Requirements

    2. Privacy & Civil Liberties Impact Assessment (PCLIA) Reference Guide

PT-7 Personally Identifiable Information Processing and Transparency -- Specific Categories of Personally Identifiable Information [P]
  1. Apply all relevant IRS privacy policy protections for specific categories of personally identifiable information. [NIST SP 800-53]

  2. The privacy concerns are that some categories are particularly sensitive or raise particular privacy risks. The IRS requires implementing policy to address different categories of PII based on sensitivity and context. Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary.

  3. In this IRM, PGLD policies on the specific categories of personally identifiable information control include all of IRM 10.5.1, and specifically the Key Privacy Definitions section, IRM 10.5.1.2.

  4. PGLD and IRS also address the specific categories of personally identifiable information control in the following:

    1. IRM 10.5.2: Civil Liberties

    2. IRM 10.5.5: throughout, and specifically IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program

    3. IRM 10.5.6: throughout, and specifically Privacy Act Recordkeeping Restrictions

    4. IRM 11.3 series: All discussion of tax information under the IRC

    5. Privacy & Civil Liberties Impact Assessment (PCLIA) Reference Guide

PT-7(1) Personally Identifiable Information Processing and Transparency -- Specific Categories of Personally Identifiable Information - Social Security Numbers [P]
  1. When a system processes Social Security numbers:

    1. Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier;

    2. Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and

    3. Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.

    [NIST SP 800-53]

  2. The privacy concerns are that social security numbers are particularly sensitive or raise particular privacy risks. The IRS requires eliminating the unnecessary use of SSNs.

  3. In this IRM, PGLD policies on the social security numbers control include, but are not limited to, the sections:

    1. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities

    2. IRM 10.5.1.7.19, Social Security Number Elimination and Reduction (SSN ER)

  4. PGLD and IRS also address the social security numbers control in the following:

    1. IRM 10.5.5: throughout, and specifically IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program

    2. IRM 10.5.6: Notice to Individuals Asked to Disclose Their Social Security Number

    3. Privacy & Civil Liberties Impact Assessment (PCLIA) Reference Guide

PT-7(2) Personally Identifiable Information Processing and Transparency -- Specific Categories of Personally Identifiable Information - First Amendment Information [P]
  1. Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity. [NIST SP 800-53]

  2. The privacy concerns are that the absence of First Amendment information from agency records helps to prevent selective treatment of persons on the basis of religion, opinion, or group membership. The IRS requires complying with the Privacy Act and not maintaining records of how individuals exercise their Constitutional First Amendment rights except as specifically authorized. Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary.

  3. In this IRM, PGLD policies on the First Amendment information control include, but are not limited to, the section IRM 10.5.1.6.14.1, First Amendment.

  4. PGLD and IRS also address the First Amendment information control in the following:

    1. IRM 10.5.2: Civil Liberties

    2. IRM 10.5.6: Privacy Act Recordkeeping Restrictions

    3. Privacy & Civil Liberties Impact Assessment (PCLIA) Reference Guide

PT-8 Personally Identifiable Information Processing and Transparency -- Computer Matching Agreements [P]
  1. When a system or organization processes information for the purpose of conducting a matching program:

    1. Obtain approval from the Data Integrity Board to conduct the matching program;

    2. Develop and enter into a computer matching agreement;

    3. Publish a matching notice in the Federal Register;

    4. Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and

    5. Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual.

    [NIST SP 800-53]

  2. The privacy concerns are that if an individual might be subject to an adverse action due to a matching program, that the individual has a way to identify the source of an adverse action. The IRS requires computer matching agreements (CMAs) and Treasury Data Integrity Board approval.

  3. In this IRM, PGLD policies on the computer matching agreements control include, but are not limited to, the sections:

    1. IRM 10.5.1.6.1.2, Limiting Sharing of SBU Data

    2. IRM 10.5.1.7.13, Data Services

  4. PGLD and IRS also address the computer matching agreements control in the following:

    1. IRM 10.5.6: Program Scope and Objectives

    2. IRM 11.3.39: throughout, and specifically Program Scope and Objectives

RA-1 Risk Assessment -- Policy and Procedures [J]

  1. This is a joint security and privacy control requiring that the IRS have policy and procedures about the risk assessment policy and procedures control. For the full text of the control, see the RA-1 Risk Assessment Policy and Procedures section of IRM 10.8.1.

  2. In this IRM, PGLD policies on the risk assessment policy and procedures control include, but are not limited to, the sections:

    1. IRM 10.5.1.1.5, Background

    2. IRM 10.5.1.3.2, IRS Privacy Principles

    3. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (Management, Senior Management/Executives, System Owners, System Developers, Authorizing Officials, Personnel Engaged in Procurement Activities)

    4. IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data and PII

    5. IRM 10.5.1.6.1.1, Deciding Risk Levels for SBU Data and PII

    6. IRM 10.5.1.6.1.2, Limiting Sharing of SBU Data and PII

    7. IRM 10.5.1.6.8, Email

    8. IRM 10.5.1.7.2, Privacy and Civil Liberties Impact Assessment (PCLIA)

    9. IRM 10.5.1.7.3, Business PII Risk Assessment (BPRA)

    10. IRM 10.5.1.7.9, Digital Identity Risk Assessment (DIRA) [formerly Electronic Risk Assessment (e-RA])

  3. PGLD and IRS also address the risk assessment policy and procedures control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA), Business PII Risk Assessment (BPRA)

    2. IRM 10.5.4: Background; Responsibilities; PGLD/Incident Management Intake, Risk Assessment and Notification

    3. IRM 10.5.6: Agency Review Requirements

    4. IRM 10.5.8: Security controls applicable to non-production data

    5. IRM 10.10.1: Oversight Procedure

    6. IRS Privacy Program Plan

    7. Document 13347, Data Breach Response Playbook

    8. Document 13347-A, IRS Data Breach Response Plan

RA-3 Risk Assessment -- Risk Assessment [J]
  1. This is a joint security and privacy control about risk assessment. For the full text of the control, see the RA-3 Risk Assessment section of IRM 10.8.1.

  2. The privacy concerns are that privacy risks can be identified and addressed throughout the privacy lifecycle. The IRS requires conducting PCLIAs, BPRAs, and other risk assessment, response, and monitoring activities and sharing results with the CPO.

  3. In this IRM, PGLD policies on the risk assessment control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2, IRS Privacy Principles

    2. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (Management, Senior Management/Executives, System Owners, System Developers, Authorizing Officials, Personnel Engaged in Procurement Activities)

    3. IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data and PII

    4. IRM 10.5.1.6.1.1, Deciding Risk Levels for SBU Data and PII

    5. IRM 10.5.1.6.1.2, Limiting Sharing of SBU Data and PII

    6. IRM 10.5.1.7.2, Privacy and Civil Liberties Impact Assessment (PCLIA)

    7. IRM 10.5.1.7.3, Business PII Risk Assessment (BPRA)

    8. IRM 10.5.1.7.9, Digital Identity Risk Assessment (DIRA) [formerly Electronic Risk Assessment (e-RA])

    9. IRM 10.5.1.7.16, Incident Management (IM)

  4. PGLD and IRS also address the risk assessment control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA), Business PII Risk Assessment (BPRA)

    2. IRM 10.5.4: Background; Responsibilities; PGLD/Incident Management Intake, Risk Assessment and Notification

    3. IRM 10.5.6: Agency Review Requirements

    4. IRM 10.5.8: Security controls applicable to non-production data

    5. IRM 10.10.1: Oversight Procedure

    6. IRS Privacy Program Plan

    7. Document 13347, Data Breach Response Playbook

    8. Document 13347-A, IRS Data Breach Response Plan

RA-7 Risk Assessment -- Risk Response [J]
  1. This is a joint security and privacy control about risk response. For the full text of the control, see the RA-7 Risk Response section of IRM 10.8.1.

  2. The privacy concerns are that the IRS respond appropriately to risk to help protect privacy. The IRS requires avoiding or mitigating risks with strengthened controls, accepting risk with appropriate justification or rationale, and documenting actions taken.

  3. In this IRM, PGLD policies on the risk response control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2, IRS Privacy Principles

    2. IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data and PII

    3. IRM 10.5.1.6.1.1, Deciding Risk Levels for SBU Data and PII

    4. IRM 10.5.1.6.1.2, Limiting Sharing of SBU Data and PII

    5. IRM 10.5.1.7.16, Incident Management (IM)

  4. PGLD and IRS also address the risk response control in the following:

    1. IRM 10.5.2: PCLIA Roles and Responsibilities, BPRA Roles and Responsibilities

    2. IRM 10.5.4: Background; Responsibilities; PGLD/Incident Management Intake, Risk Assessment and Notification

    3. IRM 10.5.8: Security controls applicable to non-production data

    4. IRM 10.10.1: Oversight Procedure

    5. IRS Privacy Program Plan

    6. Document 13347, Data Breach Response Playbook

    7. Document 13347-A, IRS Data Breach Response Plan

RA-8 Risk Assessment -- Privacy Impact Assessments [P]
  1. Conduct privacy impact assessments for systems, programs, or other activities before:

    1. Developing or procuring information technology that processes personally identifiable information; and

    2. Initiating a new collection of personally identifiable information that:
      1. Will be processed using information technology; and
      2. Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.

    [NIST SP 800-53]

  2. The privacy concerns are that IT systems that process PII be reviewed for privacy risks in compliance with the E-Government Act of 2002. The IRS requires PCLIAs for IT systems that process PII.

  3. In this IRM, PGLD policies on the privacy impact assessments control include, but are not limited to, the sections:

    1. IRM 10.5.1.2.3, Personally Identifiable Information (PII)

    2. IRM 10.5.1.3.2, IRS Privacy Principles

    3. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (Management, Senior Management/Executives, System Owners, System Developers, Authorizing Officials, Personnel Engaged in Procurement Activities)

    4. IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data and PII

    5. IRM 10.5.1.6.1.1, Deciding Risk Levels for SBU Data and PII

    6. IRM 10.5.1.6.1.2, Limiting Sharing of SBU Data and PII

    7. IRM 10.5.1.6.14, Civil Liberties

    8. IRM 10.5.1.7.2, Privacy and Civil Liberties Impact Assessment (PCLIA)

  4. PGLD and IRS also address the privacy impact assessments control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA)

    2. IRM 10.5.6: Publication and Reporting Requirements Responsibilities

    3. IRM 10.5.8: Requirements for Using SBU Data

SA-1 System and Services Acquisition -- Policy and Procedures [J]

  1. This is a joint security and privacy control requiring that the IRS have policy and procedures about the system and services acquisition control. For the full text of the control, see the SA-1 System and Services Acquisition Policy and Procedures section of IRM 10.8.1.

  2. In this IRM, PGLD policies on the system and services acquisition policy and procedures control include, but are not limited to, the sections:

    1. IRM 10.5.1.3.2, IRS Privacy Principles (Accountability [PVR-01])

    2. IRM 10.5.1.4, IRS-Wide Roles and Responsibilities (Senior Management/Executives)

  3. PGLD and IRS also address the system and services acquisition policy and procedures control in the following:

    1. IRM 1.1.27: Roles and Responsibilities, Program and Planning Support

    2. IRS Privacy Program Plan

SA-2 System and Services Acquisition -- Allocation of Resources [J]
  1. This is a joint security and privacy control about allocation of resources. For the full text of the control, see the SA-2 Allocation of Resources section of IRM 10.8.1.

  2. The privacy concerns are that the IRS properly funds and manages contracted information resources, especially those that involve PII. The IRS requires senior management and executives ensure their programs and policies meet this responsibility.

  3. In this IRM, PGLD policies on the allocation of resources control include, but are not limited to, the sections:

    1. IRM 10.5.1.1, Program Scope and Objectives

    2. IRM 10.5.1.2.1, Privacy Lifecycle

    3. IRM 10.5.1.3.2, IRS Privacy Principles (Accountability [PVR-01], Minimizing Collection, Use, Retention, and Disclosure [PVR-03]

    4. IRS-Wide Privacy Roles and Responsibilities (Senior Management/Executives, System Owners, System Developers, Personnel Engaged in Procurement Activities)

    5. IRM 10.5.1.5, Privacy Culture

    6. IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data

    7. IRM 10.5.1.6, Practical Privacy Policy (Computers and Mobile Computing Devices, Email, Contractors, Cloud Computing)

    8. IRM 10.5.1.7.11, Enterprise Life Cycle (ELC)

    9. IRM 10.5.1.7.20, SBU Data Use for Non-Production Environments

  4. PGLD and IRS also address the allocation of resources control in the following:

    1. IRM 10.5.2: PCLIA’s Relevance to Privacy Compliance, PCLIA Roles and Responsibilities

    2. IRM 10.5.8: Security controls applicable to non-production data

    3. IRM 1.15.1: Program Scope and Objectives

    4. IRM 1.15.2: Stages of the Records Life Cycle

    5. IRM 1.1.27: Roles and Responsibilities, Program and Planning Support

    6. IRS Privacy Program Plan

SA-3 System and Services Acquisition -- System Development Life Cycle [J]
  1. This is a joint security and privacy control about system development life cycle. For the full text of the control, see the SA-3 System Development Life Cycle section of IRM 10.8.1.

  2. The privacy concerns are that sensitive data can be vulnerable across different life cycle stages, including the system development life cycle (SDLC) and the broader privacy lifecycle. The IRS requires that IRS personnel must protect SBU data (including PII and tax information) throughout the privacy lifecycle, from receipt to disposal, which includes the SDLC process.

  3. In this IRM, PGLD policies on the system development life cycle control include, but are not limited to, the sections:

    1. IRM 10.5.1.1, Program Scope and Objectives

    2. IRM 10.5.1.2.1, Privacy Lifecycle

    3. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (System Owners, System Developers)

    4. IRM 10.5.1.5, Privacy Culture

    5. IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data

    6. IRM 10.5.1.6.15, Contractors

    7. IRM 10.5.1.7.11, Enterprise Life Cycle (ELC)

  4. PGLD and IRS also address the system development life cycle control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA), PCLIA’s Relevance to Privacy Compliance, PCLIA Roles and Responsibilities

    2. IRM 10.5.6: Relevant and Necessary Guidelines

    3. IRM 10.5.8: Security controls applicable to non-production data

    4. IRM 1.15.1: Program Scope and Objectives

    5. IRM 1.15.2: Stages of the Records Life Cycle

    6. IRS Privacy Program Plan

    7. IRM 1.2.1: Policy Statement 1-1, Mission of the Service, Taxpayer Privacy Rights

SA-4 System and Services Acquisition -- Acquisition Process [J]
  1. This is a joint security and privacy control about acquisition process. For the full text of the control, see the SA-4 Acquisition Process section of IRM 10.8.1.

  2. The privacy concerns are that contract provisions incorporate privacy protections. The IRS requires all IRS acquisitions and contract vehicles contain proper language holding contractors and other service providers accountable for complying with federal and IRS privacy policies and procedures, such as privacy clauses in contracts, PCLIAs for contracted IT, security and privacy controls, and defining contractors as IRS personnel in this IRM with all the same responsibilities for data protection.

  3. In this IRM, PGLD policies on the acquisition process control include, but are not limited to, the sections listed in the SA-1 references, IRM 10.5.1.8.15.

  4. PGLD and IRS also address the acquisition process control in the sections listed in the SA-1 references, IRM 10.5.1.8.15.

SA-8(33) System and Services Acquisition -- Security and Privacy Engineering Principles - Minimization [P]
  1. Implement the privacy principle of minimization using the privacy continuous monitoring process. [NIST SP 800-53]

  2. The privacy concerns are the "relevant and necessary" requirement of the Privacy Act. The IRS requires collecting only information that is both relevant and necessary to accomplish the authorized purpose for which it is maintained.

  3. In this IRM, PGLD policies on the minimization control include all of IRM 10.5.1, and specifically the Minimizing Collection, Use, Retention, and Disclosure [PVR-03] section, IRM 10.5.1.3.2.3.

  4. PGLD and IRS also address the minimization control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA)

    2. IRM 10.5.6: Relevant and Necessary Guidelines

    3. IRM 10.5.8: SBU Data Use Questionnaire

    4. IRM 1.2.1: Policy Statement 1-1, Mission of the Service, Taxpayer Privacy Rights

SA-9 System and Services Acquisition -- External System Services [J]
  1. This is a joint security and privacy control about external system services. For the full text of the control, see the SA-9 External System Services section of IRM 10.8.1.

  2. The privacy concerns are that the IRS’s data is protected in external system services. The IRS requires all IRS external system services contracts and documentation contain proper language holding contractors and other service providers accountable for complying with federal and IRS privacy policies and procedures, such as privacy clauses in contracts, PCLIAs for contracted IT, security and privacy controls, and defining contractors as IRS personnel in this IRM with all the same responsibilities for data protection.

  3. In this IRM, PGLD policies on the external system services control include, but are not limited to, the sections listed in the SA-1 references, IRM 10.5.1.8.15.

  4. PGLD and IRS also address the external system services control in the sections listed in the SA-1 references, IRM 10.5.1.8.15.

SA-11 System and Services Acquisition -- Developer Testing and Evaluation [J]
  1. This is a joint security and privacy control about developer testing and evaluation. For the full text of the control, see the SA-11 Developer Testing and Evaluation section of IRM 10.8.1.

  2. The privacy concerns are that the systems and services acquired address privacy controls and that SBU data used in development and testing is also protected during the life cycle. The IRS requires testing and evaluation of all relevant security and privacy controls and protecting the data used in development and testing.

  3. In this IRM, PGLD policies on the developer testing and evaluation control include, but are not limited to, the sections:

    1. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (Senior Management/Executives, System Owners, Personnel Engaged in Procurement Activities)

    2. IRM 10.5.1.2.1, Privacy Lifecycle

    3. IRM 10.5.1.3.2, IRS Privacy Principles

    4. IRM 10.5.1.5, Privacy Culture

    5. IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data

    6. IRM 10.5.1.6, Practical Privacy Policy (Computers and Mobile Computing Devices, Email, Contractors, Cloud Computing)

    7. IRM 10.5.1.7.20, SBU Data Use for Non-Production Environments

  4. PGLD and IRS also address the developer testing and evaluation control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA)

    2. IRM 10.5.6: Privacy Act Contract Requirements

    3. IRM 10.5.8: Program Scope and Objectives, Requirements for Using SBU Data

    4. IRM 11.3.24: Disclosure of Returns and Return Information to Vendors and Expert Services

    5. IRS Privacy Program Plan

    6. Privacy & Civil Liberties Impact Assessment (PCLIA) Reference Guide

SC-1 System and Communications Protection -- Policy and Procedures [J]

  1. This is a joint security and privacy control requiring that the IRS have policy and procedures about the system and communications protection control. For the full text of the control, see the SC-1 System and Communications Protection Policy and Procedures section of IRM 10.8.1.

    Note:

    This control differs from the NIST baseline where it is a security control, but will be assessed as a joint control per IRS Collaboration.

  2. In this IRM, PGLD policies on the system and communications protection policy and procedures control include, but are not limited to, the sections:

    1. IRM 10.5.1.1.1, Purpose of the Program

    2. IRM 10.5.1.1.2, Audience

    3. IRM 10.5.1.2, Key Privacy Definitions [Sensitive But Unclassified (SBU) Data, Unauthorized Access of SBU Data, Privacy Act Information, Need to Know]

    4. IRM 10.5.1.3.2, IRS Privacy Principles (Strict Confidentiality [PVR-05], Security [PVR-06], Access, Correction, and Redress [PVR-09])

    5. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (including Employees/Personnel, System Owners, System Developers, Personnel Engaged in Procurement Activities)

    6. IRM 10.5.1.5.1, Clean Desk Policy

    7. IRM 10.5.1.6.1, Protecting and Safeguarding SBU Data (including Limiting Sharing of SBU Data)

    8. IRM 10.5.1.6.2, Encryption (including External, Internal)

    9. IRM 10.5.1.6.3, Computers and Mobile Computing Devices

    10. IRM 10.5.1.6.8.2, Emails to Other External Stakeholders

    11. IRM 10.5.1.6.10, Disposition and Destruction

    12. IRM 10.5.1.6.15, Contractors

    13. IRM 10.5.1.6.16, Online Data and Privacy Notices

    14. IRM 10.5.1.6.18, Data on Collaborative Technology and Systems (including Online Meeting Tools, Cloud Computing, Online-Accessible Shared Storage)

    15. IRM 10.5.1.7.9, Digital Identity Risk Assessment (DIRA) [formerly Electronic Risk Assessment (e-RA)]

    16. IRM 10.5.1.7.10, Electronic Authentication (e-Authentication)

    17. IRM 10.5.1.7.12, Governmental Liaison (GL)

  3. PGLD and IRS also address the system and communications protection policy and procedures control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA)

    2. IRM 10.5.4: Reporting Losses, Thefts and Disclosures

    3. IRM 10.5.6: Privacy Act General Provisions

    4. IRM 10.5.8: Security controls applicable to non-production data

    5. IRM 11.3.1: Program Scope and Objectives

    6. Privacy & Civil Liberties Impact Assessment (PCLIA) Reference Guide

SC-7(24) Boundary Protection -- Personally Identifiable Information [P]
  1. For systems that process personally identifiable information:

    1. Apply the following processing rules to data elements of personally identifiable information: all relevant IRS privacy policy protections;

    2. Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;

    3. Document each processing exception; and

    4. Review and remove exceptions that are no longer supported.

    [NIST SP 800-53]

  2. The privacy concerns are to ensure that PII is processed only in accordance with established privacy requirements. The IRS requires applying, monitoring for, and documenting exceptions to processing rules.

  3. In this IRM, PGLD policies on the boundary protection personally identifiable information control include, but are not limited to, the sections listed in the SC-1 references, IRM 10.5.1.8.16.

  4. PGLD and IRS also address the boundary protection personally identifiable information control in the sections listed in the SC-1 references, IRM 10.5.1.8.16.

SI-1 System and Information Integrity -- Policy and Procedures [J]

  1. This is a joint security and privacy control requiring that the IRS have policy and procedures about the system and information integrity control. For the full text of the control, see the SI-1 System and Information Integrity Policy and Procedures section of IRM 10.8.1.

  2. In this IRM, PGLD policies on the system and information integrity policy and procedures control include, but are not limited to, the sections:

    1. IRM 10.5.1.2, Key Privacy Definitions

    2. IRM 10.5.1.3.2, IRS Privacy Principles

    3. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities

    4. IRM 10.5.1.6.1.2, Limiting Sharing of SBU Data

    5. IRM 10.5.1.6.10, Disposition and Destruction

    6. IRM 10.5.1.6.12, Telework

    7. IRM 10.5.1.6.19, Training

    8. IRM 10.5.1.7.2, Privacy and Civil Liberties Impact Assessment (PCLIA)

    9. IRM 10.5.1.7.7, Records and Information Management (RIM)

  3. PGLD and IRS also address the system and information integrity policy and procedures control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA)

    2. IRM 10.5.4: Retention and Disposition

    3. IRM 10.5.6: Responsibilities; Requirements of the Privacy Act; OMB Privacy Act Guidance; Privacy Act Requirement to Maintain Accurate, Relevant, Timely, and Complete Records; Privacy Act Access and Amendment of Records

    4. IRM 10.5.8: Security controls applicable to non-production data

    5. IRM 11.3.1: Disclosure of Official Information; Introduction to Disclosure; Safeguarding and Disposing of Tax Returns, Return Information, and Other Confidential Records; Federal Tax Information Guidelines in IRS Training Programs; Records Disposition For Disclosure

    6. IRM 11.3.11: Disclosure of Statistical Data

    7. IRM 11.3.12: Protection of Return Information

    8. IRM 11.3.22: Use of Tax Returns in Training Material

    9. IRM 1.15.3: throughout, and specifically Destroying Records in the Custody of the IRS

    10. IRM 1.11.2: Fictitious Identifying Information

    11. IRS Privacy Program Plan

SI-12 System and Information Integrity -- Information Management and Retention [J]
  1. This is a joint security and privacy control about information management and retention. For the full text of the control, see the SI-12 Information Management and Retention section of IRM 10.8.1.

  2. The privacy concerns are that privacy risks can occur throughout the lifecycle and across any usage. The IRS requires protecting and minimizing SBU across the data lifecycle, to include minimizing, retaining safely, and disposing properly.

  3. In this IRM, PGLD policies on the information management and retention control include, but are not limited to, the sections listed in the SI-1 references, IRM 10.5.1.8.17.

  4. PGLD and IRS also address the information management and retention control in the sections listed in the SI-1 references, IRM 10.5.1.8.17.

SI-12(1) System and Information Integrity -- Information Management and Retention - Limit Personally Identifiable Information Elements [P]
  1. Limit personally identifiable information being processed in the information life cycle to the following elements of PII: Minimum necessary PII identified in the PCLIA. [NIST SP 800-53]

  2. The privacy concerns are that extraneous PII increases risk. The IRS requires minimizing PII throughout the lifecycle.

  3. In this IRM, PGLD policies on the limit personally identifiable information elements control include, but are not limited to, the sections:

    1. IRM 10.5.1.2, Key Privacy Definitions (Sensitive But Unclassified (SBU) Data, Personally Identifiable Information (PII), Federal Tax Information (FTI), Need To Know)

    2. IRM 10.5.1.3.2, IRS Privacy Principles (Minimizing Collection, Use, Retention, and Disclosure [PVR-03])

    3. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (Management, System Owners, System Developers, Personnel Engaged in Procurement Activities)

    4. IRM 10.5.1.6.1.2, Limiting Sharing of SBU Data

    5. IRM 10.5.1.7.2, Privacy and Civil Liberties Impact Assessment (PCLIA)

  4. PGLD and IRS also address the limit personally identifiable information elements control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA)

    2. IRM 10.5.6: OMB Privacy Act Guidance

    3. IRM 10.5.8: Security controls applicable to non-production data

SI-12(2) System and Information Integrity -- Information Management and Retention - Minimize Personally Identifiable Information in Testing, Training, and Research [P]
  1. Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: Where possible, use fictitious, masked, or synthetic data. [NIST SP 800-53]

  2. The privacy concerns are that other uses of data outside the production environment can increase privacy risks. The IRS requires the SBU Data Use process for non-production environments, adherence to the training fictitious data requirements, and the protections of research data.

  3. In this IRM, PGLD policies on the minimize personally identifiable information in testing, training, and research control include, but are not limited to, the sections:

    1. IRM 10.5.1.2, Key Privacy Definitions [Sensitive But Unclassified (SBU) Data, Personally Identifiable Information (PII), Federal Tax Information (FTI), Need To Know]

    2. IRM 10.5.1.3.2, IRS Privacy Principles (Minimizing Collection, Use, Retention, and Disclosure [PVR-03])

    3. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (Management, System Owners, System Developers, Personnel Engaged in Procurement Activities)

    4. IRM 10.5.1.6.1.2, Limiting Sharing of SBU Data

    5. IRM 10.5.1.6.19, Training

    6. IRM 10.5.1.7.2, Privacy and Civil Liberties Impact Assessment (PCLIA)

  4. PGLD and IRS also address the minimize personally identifiable information in testing, training, and research control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA)

    2. IRM 10.5.6: OMB Privacy Act Guidance

    3. IRM 10.5.8: throughout, and specifically SBU Data Process

    4. IRM 11.3.1: Federal Tax Information Guidelines in IRS Training Programs

    5. IRM 11.3.22: Use of Tax Returns in Training Material

    6. IRM 1.11.2: Fictitious Identifying Information

SI-12(3) System and Information Integrity -- Information Management and Retention - Information Disposal [P]
  1. Use the techniques to dispose of, destroy, or erase information following the retention period outlined in the Disposition and Destruction section of IRM 10.5.1. [NIST SP 800-53]

  2. The privacy concerns are that even older information can be sensitive. The IRS requires enforcing a retention period followed by proper disposal.

  3. In this IRM, PGLD policies on the information disposal control include, but are not limited to, the sections:

    1. IRM 10.5.1.2, Key Privacy Definitions (Privacy Lifecycle)

    2. IRM 10.5.1.3.2, IRS Privacy Principles (Minimizing Collection, Use, Retention, and Disclosure [PVR-03])

    3. IRM 10.5.1.6.10, Disposition and Destruction

    4. IRM 10.5.1.6.12, Telework

    5. IRM 10.5.1.7.7, Records and Information Management (RIM)

  4. PGLD and IRS also address the information disposal control in the following:

    1. IRM 10.5.2: Privacy and Civil Liberties Impact Assessment (PCLIA)

    2. IRM 10.5.4: Retention and Disposition

    3. IRM 10.5.6: Responsibilities, Requirements of the Privacy Act, Privacy Act Contract Requirements

    4. IRM 10.5.8: Security controls applicable to non-production data

    5. IRM 11.3.1: Safeguarding and Disposing of Tax Returns, Return Information, and Other Confidential Records; Records Disposition For Disclosure

    6. IRM 1.15.3: throughout, and specifically Destroying Records in the Custody of the IRS

SI-18 System and Information Integrity -- Personally Identifiable Information Quality Operations [P]
  1. Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle using the privacy continuous monitoring process; and

  2. Correct or delete inaccurate or outdated personally identifiable information. [NIST SP 800-53]

  3. The privacy concerns are that inaccurate PII might cause problems for individuals, especially in those business functions where inaccurate information might result in inappropriate decisions or the denial of benefits and services to individuals. The IRS requires following the Privacy Act provisions.

    Note:

    IRC 7852(e) prohibits using the Privacy Act amendment provisions to change tax records. Refer to IRM 10.5.6 for more information.

  4. In this IRM, PGLD policies on the personally identifiable information quality operations control include, but are not limited to, the sections:

    1. IRM 10.5.1.2.7, Privacy Act Information

    2. IRM 10.5.1.3.2, IRS Privacy Principles (Data Quality [PVR-07], Access, Correction, and Redress [PVR-09])

  5. PGLD and IRS also address the personally identifiable information quality operations control in the following:

    1. IRM 10.5.6: Privacy Act Requirement to Maintain Accurate, Relevant, Timely, and Complete Records; Privacy Act Access and Amendment of Records

    2. IRS Privacy Program Plan

SI-18(4) System and Information Integrity -- Personally Identifiable Information Quality Operations - Individual Requests [P]
  1. Correct or delete personally identifiable information upon request by individuals or their designated representatives. [NIST SP 800-53]

  2. The privacy concerns are that inaccurate PII might cause problems for individuals, especially in those business functions where inaccurate information might result in inappropriate decisions or the denial of benefits and services to individuals. The IRS requires following the Privacy Act provisions for amendment.

    Note:

    IRC 7852(e) prohibits using the Privacy Act amendment provisions to change tax records. Refer to IRM 10.5.6 for more information.

  3. In this IRM, PGLD policies on the individual requests control include, but are not limited to, the sections:

    1. IRM 10.5.1.2.7, Privacy Act Information

    2. IRM 10.5.1.3.2, IRS Privacy Principles (Data Quality [PVR-07], Access, Correction, and Redress [PVR-09])

  4. PGLD and IRS also address the individual requests control in the following:

    1. IRM 10.5.6: Privacy Act Requirement to Maintain Accurate, Relevant, Timely, and Complete Records; Privacy Act Access and Amendment of Records

    2. IRS Privacy Program Plan

SI-19 System and Information Integrity -- De-Identification [P]
  1. Remove the following elements of personally identifiable information from datasets: in statistical datasets, any identifier or combination of elements that could re-identify an individual, and in all other datasets, limit to minimum necessary PII identified in the PCLIA; and

  2. Evaluate continuously for effectiveness of de-identification. [NIST SP 800-53]

  3. The privacy concerns are that many datasets contain PII, and certain elements or combinations of elements can re-identify individuals despite efforts to redact, mask, or truncate information. The IRS meets this control either by removing PII elements described in this control or by requiring the use of synthetic data in place of PII and tax information where possible.

    Note:

    Removing identifying information (such as name or TIN) from specific tax records does not remove it from the confidentiality protections of IRC 6103.

  4. In this IRM, PGLD policies on the de-identification control include, but are not limited to, the sections:

    1. IRM 10.5.1.2.3, Personally Identifiable Information (PII)

    2. IRM 10.5.1.2.4, Federal Tax Information (FTI)

    3. IRM 10.5.1.4, IRS-Wide Privacy Roles and Responsibilities (System Owners, System Developers)

    4. IRM 10.5.1.6.1.2, Limiting Sharing of SBU Data

    5. IRM 10.5.1.6.19, Training

  5. PGLD and IRS also address the de-identification control in the following:

    1. IRM 10.5.2: Survey PCLIA

    2. IRM 11.3.1: Disclosure of Official Information, Introduction to Disclosure

    3. IRM 11.3.11: Disclosure of Statistical Data

    4. IRM 11.3.12: Protection of Return Information

    5. IRM 1.13.1: throughout, and specifically Statistical Reporting Overview

    6. IRM 1.11.2: Fictitious Identifying Information

Glossary and Acronyms

Term Definition or description
AO Authorizing Official.
ATO Authorization to Operate.
Authorization to Operate (ATO) An Authorization to Operate (ATO) is a formal declaration by a Designated Approving Authority (DAA) that authorizes operation of a Business Product and explicitly accepts the risk to IRS operations. The ATO is signed after a Certification Agent (CA) certifies that the system has met and passed all requirements to become operational. Systems continue to operate under the same ATO following the Information System Continuous Monitoring (ISCM) process.
Authorizing Official (AO) The Authorizing Official (AO) or accrediting official, must be a senior management/executive official government employee with the authority to formally assume responsibility for operating a system at an acceptable level of risk. (Refer to IRM 10.8.2 for more information.)
BYOD Bring Your Own Device. A program that enables employees to use their personal handheld devices to access IRS applications and data that was previously available only with government-issued equipment.
civil liberties The basic rights guaranteed to individual citizens by law.
CMA Computer matching agreements. Refer to IRM 11.3.39 for more information.
controls From NIST SP 800-53 R5, Section 2.1:
Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and reflecting the protection needs of organizational stakeholders. Controls are selected and implemented by the organization in order to satisfy the system requirements. Controls can include administrative, technical, and physical aspects.
COR Contracting Officer Representative
critical areas Refer to the Critical Areas section of IRM 10.2.11.
CSP Cloud Service Provider.
Data Owner See Information Owner.
DIRA Digital Identity Risk Assessment.
employee information All employee information covered by the Privacy Act of 1974 (5 U.S.C. 552a, as amended). Examples include personnel, payroll, job applications, disciplinary actions, performance appraisals, drug tests, health exams, and evaluation data. Most employee information falls under the SBU data category called PII or Privacy information.
ELC Enterprise Life Cycle.
electronic mail message (email) A record created or received on an electronic mail system including briefing notes, more formal or substantive narrative documents, and any attachments, such as word processing and other electronic documents, which may be transmitted with the message. Email is not encrypted by default and may be exchanged with recipients who are operating in a separate technology environment (domain), outside IRS control.
electronic media Electronic media are electronic copy or devices containing bits and bytes such as hard drives, random access memory (RAM), read-only memory (ROM), disks, flash memory, memory devices, phones, mobile computing devices, networking devices, office equipment, and many other types listed in Appendix A of NIST Special Publication 800-88, Guidelines for Media Sanitization.
employees IRS employees, which includes:
1. Employees
2. Seasonal/temporary employees
3. Interns
4. Detailees
EP Employee Protection, within PGLD’s Privacy Policy and Compliance (PPC).
Federal tax information (FTI) Any return or return information as defined in IRC 6103(b). This includes any information obtained, received, or generated by IRS or any Treasury component with respect to determining liability, potential liability, or amount of liability under the IRC.

FTI falls under the SBU data category called tax information or Tax. This IRM uses the term tax information to encompass all types of tax data.
FedRAMP Federal Risk and Authorization Management Program.
fictionalized data Fictional examples of similar situations that contain neither the identity of the taxpayer nor any information that could be considered attributable to a particular taxpayer. Such examples would not require any designation as sensitive.
FIPS Federal Information Processing Standards.
FISMA Federal Information Security Modernization Act of 2014.
FTI Federal Tax Information.
GL Governmental Liaison.
GRS General Records Schedules -Document 12829.
hardcopy Hardcopy media are physical representations of information, most often associated with paper printouts. However, printer and facsimile ribbons, drums, and platens are all examples of hardcopy media. The supplies associated with producing paper printouts are often the most uncontrolled. Hard copy materials that include sensitive data that leave an organization without effective sanitization expose a significant vulnerability to "dumpster divers" and over-curious employees, risking unwanted information disclosures. [NIST Special Publication 800-88, Guidelines for Media Sanitization]
high security items High security items are original or certified paper documents containing SBU data (including PII and tax information), typically received and processed in IRS office critical or limited areas, that management must not allow to be removed from the facility.

Note:

These are referred to as "high security items" in IRM 10.2.15, and "highly sensitive documents" in IRM 6.800.2 Employee Benefits, IRS Telework Program. IRM 10.2.15’s exhibit Protectable Items gives examples of categories of protectable items, including high security items.

Exception:

This policy does not apply to field employees whose positions allow them to have such documents in a field environment (such as Criminal Investigation Special Agents and field compliance Revenue Agents and Revenue Officers). Those positions have more controls and requirements to protect and to process such documents timely (for example, refer to IRM Parts 5 and 9). For more information about field work, see also the section Field and Travel in IRM 10.5.1.6.9.1, and the section Other Forms of Transmission in IRM 10.5.1.6.9

IAD IRS Agreement Database.
IA Identity Assurance, within PGLD.
IM Incident Management, within PGLD’s PPC.
Information Owner (IO) Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.
Information Systems Vulnerability Information Related to information that if not protected, could result in adverse effects to information systems. Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
IO Information Owner.
IoT Internet of Things.
  • IoT involves sensing, computing, communication, and actuation. [NIST SP 800-183]

  • The Internet of Things (IoT) is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. IoT devices are an outcome of combining the worlds of information technology (IT) and operational technology (OT). Many IoT devices are the result of the convergence of cloud computing, mobile computing, embedded systems, big data, low-price hardware, and other technological advances. IoT devices can provide computing functionality, data storage, and network connectivity for equipment that previously lacked them, enabling new efficiencies and technological capabilities for the equipment, such as remote access for monitoring, configuration, and troubleshooting. IoT can also add the abilities to analyze data about the physical world and use the results to better inform decision making, alter the physical environment, and anticipate future events. [NIST IR 8228]

IPP Information Protection Projects, under PGLD’s Identity and Records Protection (IRP).
IRC Internal Revenue Code.
IRP Identity and Records Protection, under PGLD.
law enforcement sensitive information Law enforcement data is often sensitive in nature. This data falls under the SBU data category called Law Enforcement, which includes the subcategories:
  • Accident Investigation

  • Campaign Funds

  • Committed Person

  • Communications

  • Controlled Substances

  • Criminal History Records Information

  • DNA

  • General Law Enforcement

  • Informant

  • Investigation

  • Juvenile

  • Law Enforcement Financial Records

  • National Security Letter

  • Pen Register/Trap & Trace

  • Reward

  • Sex Crime Victim

  • Terrorist Screening

  • Whistleblower Identity

Some of the types of law enforcement data that the IRS might see includes grand jury, informant, and undercover operations information, and procedural guidance.
layered security Where layered and complementary privacy and security controls are deemed sufficient to deter and detect unauthorized entry within the area. Examples include, but are not limited to, use of perimeter fences, employee and visitor access controls, use of an intrusion detection system, random guard patrols throughout the facility during non-working hours, closed circuit video monitoring or other safeguards that mitigate the vulnerability of open storage areas without alarms and security storage cabinets during non-working hours. Also sometimes referred to as Security in depth (refer to IRM 10.2.11).
legal Legal data is often sensitive in nature. This data falls under the SBU data category called Legal, which includes the subcategories:
  • Administrative Proceedings

  • Child Pornography

  • Child Victim/Witness

  • Collective Bargaining

  • Federal Grand Jury

  • Legal Privilege

  • Legislative Materials

  • Pre-sentence Report

  • Prior Arrest

  • Protective Order

  • Victim

  • Witness Protection



Some of the types of legal data that the IRS might see include draft, pre-decisional, and deliberative information.
limited area Refer to the Limited Area section of IRM 10.2.11.
live data Production data in use.

Live means that when changing the data, it changes in production. Authorized personnel may extract the data for testing, development, etc., in which case, it is no longer live. Live data often includes SBU data.
MCD Major Change Determination.
MER Milestone Exit Release.
NDA Non-Disclosure Agreement.
NIST National Institute of Standards & Technology.
NSI Classified National Security Information
OFDP Online Fraud Detection and Prevention, within IT Cybersecurity.
other protected information Other protected information includes any knowledge or facts received by or created by IRS in support of IRS work. This includes all information covered by the Trade Secrets Act, the Procurement Integrity Act, and similar statutes. Examples include, but are not limited to:
  • Records about individuals requiring protection under the Privacy Act.

  • Information that is not releasable under the Freedom of Information Act.

  • Proprietary data or proprietary business information.

  • Procurement sensitive data, such as contract proposals.

  • Information, which if modified, destroyed or disclosed in an unauthorized manner could cause: loss of life, loss of property or funds by unlawful means, violation of personal privacy or civil rights, gaining of an unfair procurement advantage by contractors bidding on government contracts, or disclosure of proprietary information entrusted to the Government.

  • System sensitive information or Information Systems Vulnerability Information:

    1. Information related to the design and development of application source code.

    2. Specific IT configurations, where the information system security configurations could identify the state of security of that information system; Internet Protocol (IP) addresses that allow the workstations and servers to be potentially targeted and exploited; and source code that reveals IRS processes that could be exploited to harm IRS programs, employees, or taxpayers.

    3. Security information containing details of serious weaknesses and vulnerabilities associated with specific information systems and/or facilities.

  • Any information, which if improperly used or disclosed could adversely affect the ability of the IRS to accomplish its mission.

PCA Privacy Compliance and Assurance.
PCLIA Privacy and Civil Liberties Impact Assessment; replaced PIA for most privacy assessments. Refer to IRM 10.5.2 for more information.
personnel IRS personnel or users, which includes:
1. Employees
2. Seasonal/temporary employees
3. Interns
4. Detailees
5. Consultants
6. IRS contractors (including contractors, subcontractors, non-IRS-procured contractors, vendors, and outsourcing providers)

Subcategory of data in Privacy category.
personally identifiable information (PII) Per OMB Circular A-130: ‘Personally identifiable information’ means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.

Because there are many different types of information that can be used to distinguish or trace an individual’s identity, the term PII is necessarily broad. To determine whether information is PII, the agency must perform an assessment of the specific risk that an individual can be identified using the information with other information that is linked or linkable to the individual. In performing this assessment, it is important to recognize that information that is not PII can become PII whenever more information becomes available – in any medium and from any source – that would make it possible to identify an individual.

PII as defined here falls under the SBU data category called General Privacy, which is subcategory of the Privacy category. General Privacy refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB M-17-12, or "means of identification" as defined in 18 USC 1028(d)(7).
PGLD Privacy, Governmental Liaison and Disclosure.
PHI Personal Health Information; falls under the SBU data category called Health Information (part of the Privacy category).
PIA Privacy Impact Assessment; replaced by PCLIA at IRS for most privacy assessments. Refer to IRM 10.5.2 for more information.
PIAMS Privacy Impact Assessment Management System.
PII Personally Identifiable Information.
POA&M Plan of action and milestones.
PPC Privacy Policy and Compliance.
PPKM Privacy Policy and Knowledge Management, under PGLD’s Privacy Policy and Compliance (PPC).
privacy Privacy at the IRS reflects the combined effort of the IRS, its personnel, and individual taxpayers to protect, control, and exercise rights over the collection, use, retention, dissemination, and disposal of personal information.
Privacy Compliance and Assurance (PCA) Organization that owns and manages the PCLIA, BPRA, SBU Data Use programs for IRS.
privacy controls The administrative, technical, and physical safeguards employed within an agency to ensure compliance with applicable privacy requirements and manage privacy risks. [NIST SP 800-53]
privacy culture Where all personnel think about privacy before acting. In such an environment or culture, protecting privacy guides the day-to-day practices and routines of everyone.
privacy and information lifecycle The series of uses and status of information. It includes the creation, collection, receipt, use, processing, maintenance, access, inspection, display, storage, disclosure, dissemination, or disposal of SBU data (including PII and tax information) regardless of format.

Note:

Processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining. [NIST SP 800-53 PT-2]



Information life cycle means the stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition, to include destruction and deletion. [OMB A-130]

Also described as designation, safeguarding, marking, sharing (accessing and disseminating), destruction, and decontrol.
Privacy Principles The IRS Privacy Principles describe how the IRS protects an individual’s right to privacy. Protecting taxpayer privacy and safeguarding confidential tax information is a public trust. To maintain this trust, the IRS and its personnel must follow the privacy principles.
privacy requirements Mandatory IRS system requirements derived from IRS Privacy Principles and linked to the Privacy Controls, form the basis for privacy protection within the IRS. They mirror the IRS Privacy Principles and provide high-level privacy requirements applicable to the IRS Enterprise Architecture.
processing Creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal; processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining. [NIST SP 800-53]
PVR IRS Privacy Requirements (see Privacy Requirements).
QQ Qualifying Questionnaire (see PCLIA).
RAFT Risk Acceptance Form and Tool.
RBD Risk-Based Decision.
RCS Records Control Schedules -Document 12990
record Anything you create or receive (in hard copy or electronic format) related to your daily work activities. Refer to the Records and Information Management IRM 1.15 series for more information.
requirements Per NIST SP 800-53, Section 2.1:
For federal information security and privacy policies, the term requirement is generally used to refer to information security and privacy obligations imposed on organizations. For example, [OMB A-130] imposes information security and privacy requirements with which federal agencies must comply when managing information resources. The term requirement can also be used in a broader sense to refer to an expression of stakeholder protection needs for a particular system or organization. Stakeholder protection needs and the corresponding security and privacy requirements may be derived from many sources (e.g., laws, executive orders, directives, regulations, policies, standards, mission and business needs, or risk assessments).
return Any tax or information return, estimated tax declaration, or refund claim (including amendments, supplements, supporting schedules, attachments, or lists) required by or permitted under the IRC and filed with the IRS by, on behalf of, or with respect to any person or entity (IRC 6103(b)(1).

Also falls under the SBU data subcategory called Federal Taxpayer Information, which is in the Tax category.
return information In general, is any information collected or generated by the IRS with regard to any person’s liability or possible liability under the IRC. IRC 6103(b)(2)(A) defines return information as very broad.

Also falls under the SBU data subcategory called Federal Taxpayer Information, which is in the Tax category.
RIM Records and Information Management, under PGLD's Identity and Records Protection (IRP).
SBU Sensitive but Unclassified.
SBU data Any information which, if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under the Privacy Act (5 U.S.C. 552a). [TD P 15-71]
SBU data includes but is not necessarily limited to:
  • Federal Tax Information (FTI), Personally Identifiable Information (PII), Protected Health Information (PHI), certain procurement information, system vulnerabilities, case selection methodologies, system information, enforcement procedures, investigation information.

  • Live data, which is production data in use. Live means that when changing the data, it changes in production. Authorized personnel may extract the data for testing, development, etc., in which case, it is no longer live. Live data often includes SBU data.

For more information about security protections of Sensitive But Unclassified (SBU) data, refer to IRM 10.8.1.
SCIF Sensitive Compartmented Information Facility (an enclosed area within a building used to process sensitive data).
SDLC System development life cycle.
sensitive information SBU data (including PII and tax information); generic Plain Language term for readability.
SLA Staff-Like Access.
SOR System of Records
SORN System of Records Notice
SP Special Publication (NIST).
SSN ER Social Security Number Elimination and Reduction.
staff-like access [From IRM 10.23.2] Staff-like access (SLA) is the authority granted to perform one or more of the following:
  • Enter IRS facilities or space (owned or leased) unescorted (when properly badged).

  • Possess login credentials to information systems (IRS or vendor-owned systems that store, collect, and/or process IRS information).

  • Possess physical and/or logical access to (including the opportunity to see, read, transcribe, and/or interpret) Sensitive but Unclassified (SBU) data, wherever the location. (See also IRM 10.5.1 for examples of SBU data.)

  • Possess physical access to (including the opportunity to see, read, transcribe, and/or interpret) security items and products (e.g., items that must be stored in a locked container, security container, or a secure room, wherever the location. These items include, but are not limited to security devices/records, computer equipment, Identification media. For more guidance, see IRM 10.2.15, Minimum Protection Standards (MPS)

  • Enter physical areas, wherever the location, that store/process SBU information (unescorted).


SLA is granted to an individual who is not an IRS employee (and includes, but is not limited to: contractors/subcontractors, whether procured by IRS or another entity, vendors, delivery persons, experts, consultants, paid/unpaid interns, other federal employees, cleaning/maintenance employees, etc.), and is approved upon required completion of a favorable suitability/fitness determination conducted by IRS Personnel Security.
survey Any data collection method, including but not limited to surveys, focus groups, interviews, pilot studies, and field tests. Refer to IRM 10.5.2 for more information.
synthetic data Data that does not contain SBU data; however, it imitates data as it appears in an actual taxpayer’s file and does not require the submission of an SBU Data Usage and Protection request.
system information Included in Critical Infrastructure category, also known as information systems vulnerability information. This term includes passwords and vulnerabilities.
system of records A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
System of Records Notice Information which is required to be published in the Federal Register by 5 USC 552a(e)(4). Refer to the Content of a System of Records Notice section of IRM 10.5.6.
tax information Any return or return information as defined in IRC 6103(b). This includes any information obtained, received, or generated by IRS or any Treasury component with respect to determining liability, potential liability, or amount of liability under the IRC.

For this IRM, the terms tax data and tax information include return and return information as defined in IRC 6103(b).

Tax information falls under the SBU data category called FTI or Tax. This IRM uses the term tax information to encompass all types of tax data. The Tax category includes:
  • Federal Taxpayer Information.

  • Tax Convention.

  • Taxpayer Advocate Information.

  • Written Determinations.

TIGTA Treasury Inspector General for Tax Administration.
UNAX Unauthorized Access; the willful unauthorized access, attempted access or inspection of taxpayer returns or return information.

The Taxpayer Browsing Protection Act (1997) forbids the willful unauthorized access or inspection of taxpayer records.
  • UNAX site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source

  • IRM 10.5.5, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements

UUID Universally Unique Identifier, a unique random number generated for each individual taxpayer in the electronic authentication process (eAuth). It can be PII.

References

This section lists the primary privacy statutes, regulations, guidelines, OMB Memoranda, and other materials that drive the privacy programs. You can find many of these on the Federal Privacy Council’s website in the law library section.
https://www.fpc.gov/law-library/

Laws, Acts, Mandates, and OMB Memos

  • Privacy Act of 1974 (5 U.S.C. 552a; Pub. L. No. 93-579), December 1974.

  • Computer Matching and Privacy Protection Act of 1988 (Pub. L. 100-503), which amended the Privacy Act of 1974 (1988).

  • Freedom of Information Act (FOIA) (1974).

    Note:

    FOIA has been amended several times, the most significant of which for purposes of this IRM are: OPEN Government Act of 2007, Pub. L. No. 110-175, 121 Stat. 2524 (2007); FOIA Improvement Act of 2016, Pub. L. 114-185.

  • IRC 6103

  • E-Government Act (2002) [Pub.L. 107–347, 116 Stat. 2899, 44 U.S.C. 3501 Note, H.R. 2458/S. 803], December 2002.

    • Federal Information Security Modernization Act of 2014 (FISMA, Pub. L. No. 113-283, Title II), December 2014.

  • Protecting Americans from Tax Hikes Act of 2015
    https://www.congress.gov/bill/114th-congress/house-bill/2029/text

  • Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. 2510 et seq.

  • Taxpayer First Act of 2019.

Executive Orders

The link for Executive Orders is:
https://www.federalregister.gov/executive-orders

  • Executive Order 10450, Security Requirements for Government Employment, April 1953.

  • Executive Order 13556, Controlled Unclassified Information, November 2010.

  • Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 2013.

  • Executive Order 13681, Improving the Security of Consumer Financial Transactions, October 2014.

OMB Circulars
https://www.whitehouse.gov/omb/information-for-agencies/circulars/

  • OMB Circular No. A-11, Preparation, Submission, and Execution of the Budget

  • OMB Circular No. A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act

  • OMB Circular No. A-130, Managing Information as a Strategic Resource

OMB Memos
https://www.whitehouse.gov/omb/information-for-agencies/memoranda/

The list of OMB Memos is:

  • M-01-05 – Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy.

  • M-03-22 – OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

  • M-10-22 – Guidance for Online Use of Web Measurement and Customization Technologies.

  • M-10-23 – Guidance for Agency Use of Third-Party Websites and Applications.

  • M-12-20 – FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. [FAQ 51]

  • M-14-04 – Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. [FAQ 60]

  • M-16-24 – Role and Designation of Senior Agency Officials for Privacy.

  • M-17-06 – Policies for Federal Agency Public Websites and Digital Services.

  • M-17-09 – Management of Federal High Value Assets.

  • M-17-12 – Preparing for and Responding to a Breach of Personally Identifiable Information.

  • M-19-17 – Enabling Mission Delivery through Improved Identity, Credential, and Access Management.

  • M-19-21 – Transition to Electronic Records.

Department of the Treasury

  • Treasury Directive Publication (TD P) 15-71, Treasury Security Manual.

  • TD P 25-04, Privacy Act Handbook.

  • Treasury’s Privacy and Civil Liberties Impact Assessment (PCLIA) Template and Guidance.

  • TD P 85-01, Treasury Information Technology (IT) Security Program, December 12, 2017.

IRS

On the IRS Source (links in Hyperlinks for Other Privacy-Related Programs document on PGLD Disclosure and Privacy Knowledge Base):

  • Cybersecurity

  • Authorized software

  • Office of Disclosure (*Disclosure)

  • Office of Safeguards (*Safeguard Reports)

  • Privacy, Governmental Liaison and Disclosure (email *Privacy)

  • SA&A

  • Taxpayer Bill of Rights, codified in IRC 7803(a)(3):
    https://www.irs.gov/taxpayer-bill-of-rights

Related IRMs:

  • IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD)

  • IRM 11.3 series, Disclosure of Official Information.

  • IRM 1.15 series, Records and Information Management.

  • IRM 10.8 series, especially:

    • IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

    • IRM 10.8.2, Information Technology (IT) Security, Roles and Responsibilities.

    • IRM 10.8.24, Information Technology (IT) Security, Cloud Computing Security Policy.

    • IRM 10.8.26, Information Technology (IT) Security, Government Furnished and Personally Owned Mobile Computing Device Security Policy.

    • IRM 10.8.27, Information Technology (IT) Security, Personal Use of Government Furnished Information Technology Equipment and Resources.

  • IRM 10.23.2, Personnel Security, Contractor Investigations.

NIST

The link for National Institute of Standards and Technology (NIST) Special Publication (SP):
https://csrc.nist.gov/publications/sp

  • SP 800-18, Guide for Developing Security Plans for Federal Information Systems, February 2006.

  • SP 800-28 Version 2, Guidelines on Active Content and Mobile Code, March 2008.

  • SP 800-30 Rev. 1, Guide for Conducting Risk Assessments, September 2012.

  • SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, December 2018.

  • SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011.

  • SP 800-44 Version 2, Guidelines on Securing Public Web Servers, September 2007.

  • SP 800-45 Version 2, Guidelines on Electronic Mail Security, February 2007.

  • SP 800-46 Rev. 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, July 2016.

  • SP 800-47, Security Guide for Interconnecting Information Technology Systems, August 2002.

  • SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations, December 2020.

  • SP 800-55 Rev. 1, Performance Measurement Guide for Information Security, July 2008.

  • SP 800-59, Guideline for Identifying an Information System as a National Security System, August 2003.

  • SP 800-60 Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008.

  • SP 800-63, Digital Identity Guidelines, March 2020:

    1. Digital Identity Guidelines: Enrollment and Identity Proofing.

    2. Digital Identity Guidelines: Authentication and Lifecycle Management.

    3. Digital Identity Guidelines: Federation and Assertions.

  • SP 800-83 Rev. 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, July 2013.

  • SP 800-88 Rev. 1, Guidelines for Media Sanitization, December 2014.

  • SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), April 2010.

  • SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, September 2011.

  • SP 800-163 Rev. 1, Vetting the Security of Mobile Applications, April 2019.

  • SP 800-183, Networks of ‘Things’, July 2016.

  • IR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, June 2019.

The link for FIPS publications is:
https://csrc.nist.gov/publications/fips

  • Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems.

  • Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems.

  • Federal Information Processing Standards (FIPS) Publication 201, Personal Identity Verification of Federal Employees and Contractors.

National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity.

National Institute of Standards and Technology Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management.

More information about the NIST publications noted above is available on the NIST website:
https://csrc.nist.gov/

IAPP

The link for International Association of Privacy Professionals (IAPP):
https://www.iapp.org