10.5.1 Privacy Policy

Manual Transmittal

September 25, 2019

Purpose

(1) This transmits revised IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

Background

IRM 10.5.1 is part of the Security, Privacy and Assurance policy family, IRM Part 10 series for IRS Privacy and Information Protection.

Material Changes

(1) This version incorporated the Interim Guidance (IG) Memo #PGLD-10-0918-0001, Cloud Computing, dated September 4, 2018, in the Cloud Computing section.

(2) Updated Training section to align with existing updated policy from other groups.

(3) Updated Staff-Like Access terminology to align with existing updated policy from other groups.

(4) Internal IRS hyperlinks removed:

  1. Hyperlinks replaced with description to enable a successful search on internal IRS website.

  2. Hyperlinks are available on PGLD’s internal website. On the Privacy shelf, click on the Privacy Policy and Privacy Controls book. From the left-hand column, choose References. The hyperlinks are listed by program in the document Hyperlinks for Privacy-Related Programs.

(5) Some sections changed names:

  1. Global Positioning Systems (GPS) to Global Positioning Systems (GPS) and Location Services.

  2. IRS.gov to IRS.gov Privacy Policy Notice.

  3. Electronic Risk Assessment (e-RA) to Digital Identity Risk Assessment (DIRA) [formerly Electronic Risk Assessment (e-RA)].

(6) Some sections moved as follows:

  1. Parts of the formerly named IRS.gov subsection moved to the Online Data section, and parts moved to the new Website or Application Privacy Policy Notice section and the new Privacy Policy Departure Notice section.

  2. Electronic Authentication (e-Authentication) from Online Data section to the Other Privacy-Related Programs section.

  3. Most of the content of Global Positioning Systems (GPS) became a subsection of Global Positioning Systems (GPS) and Location Services.

(7) Some sections added:

  1. Note about RAFT process in the Background, Senior Management/Executives, and Authorizing Officials sections.

  2. Table mapping Appendix J controls to IRS Privacy Principles in IRS Privacy Principles section.

  3. Location Services under new Global Positioning Systems (GPS) and Location Services section for clarification of geolocation risks.

  4. Website or Application Privacy Policy Notice as subsection under Online Data section.

  5. Privacy Policy Departure Notice as subsection under Online Data section.

  6. Governmental Liaison (GL) to Other Privacy-Related Programs.

  7. Identity Assurance Office (IAO) to Other Privacy-Related Programs.

  8. Safeguards to Other Privacy-Related Programs.

  9. Terms and acronyms in the Glossary and Acronyms section.

  10. Exhibit 10.5.1-3, NIST Appendix J Privacy Controls [from NIST SP 800-53 r4].

(8) Terminology updated in the sections for clarity: Sensitive But Unclassified (SBU) Data, Public Records, Tax Information, Need To Know, Personnel Engaged in Procurement Activities, Clean Desk Policy, Electronic (under Transmission section), Limited Exceptions to Email SBU Data Encryption, Telework, Bring Your Own Device (BYOD), Recordings in the Workplace, Contractors, Online Meeting Tools, Shared Drives, Cloud Computing, and Incident Management (IM).

(9) If the section’s modification date changed, but the section is not listed, then that section had minor edits, clarifications, name changes, updated hyperlinks, or additional examples.

Effect on Other Documents

This version supersedes IRM 10.5.1, dated March 23, 2018. Also, this IRM supports other IRMs in the 10.5 family.

This version incorporated the Interim Guidance (IG) Memo #PGLD-10-0918-0001, "Cloud Computing", dated September 4, 2018, in the Cloud Computing section.

Audience

IRM 10.5.1 addresses IRS personnel responsible for ensuring adequate privacy and information protection for all Sensitive But Unclassified (SBU) data, including taxpayer and personnel Personally Identifiable Information (PII). This policy applies to all IRS personnel, as defined in the Glossary and Acronyms section.

Effective Date

(09-25-2019)

Peter C. Wade
Director, Privacy Policy and Compliance (PPC)

Program Scope and Objectives

  1. This IRM lays the foundation to:

    1. Protect the privacy of Sensitive But Unclassified (SBU) data for taxpayers and employees, including personally identifiable information (PII), such as federal tax information (FTI, hereafter called tax information), tax return, financial, and employment information regardless of format.

    2. Use SBU data (including PII and tax information) throughout the privacy lifecycle (creation, collection, receipt, use, processing, maintenance, access, inspection, display, storage, disclosure, dissemination, or disposal) only as authorized by law and as necessary to fulfill agency responsibilities in compliance with the IRS Privacy Principles (cited later in this IRM).

    3. Destroy or dispose of SBU data when no longer required for business use, in a secure manner to protect privacy.

    4. Implement and maintain a strong privacy program, which enables the IRS to provide e-government services.

  2. This IRM covers Servicewide privacy policy, including but not limited to:

    1. Definition of SBU data (including PII and tax information).

    2. IRS Privacy Principles.

    3. Servicewide privacy roles and responsibilities.

    4. Privacy guidance on topics such as email, telework, and contractors.

    5. Introduction to privacy-related programs.

Purpose of the Program

  1. The mission of PGLD is to preserve and enhance public confidence by advocating for the protection and proper use of identity information.

  2. The privacy and security of taxpayer and employee information is one of the IRS's highest priorities. PGLD administers privacy and records policy and initiatives and coordinates privacy and records-related actions throughout the IRS. [OMB A-130]

  3. PGLD is committed to ensuring the protection of SBU data, including taxpayer and employee PII, from unauthorized access. The organization identifies and reduces threats to privacy and increases awareness of criminal activities aimed at compromising this information. PGLD also leads IRS privacy and records policies, coordinates privacy protection guidance and activities, responds to privacy complaints, and promotes data protection awareness throughout the IRS. [OMB A-130, IP-4]

  4. This IRM defines the uniform policies used by IRS personnel and organizations to carry out their responsibilities related to privacy.

  5. This IRM establishes the minimum baseline privacy policy and requirements for all IRS SBU data (including PII and tax information) in order to:

    1. Establish and maintain a comprehensive privacy program. [OMB A-130]

    2. Comply with privacy requirements and manage privacy risks. [OMB A-130]

    3. Ensure the protection and proper use of SBU data of the IRS.

    4. Prevent unauthorized access to SBU data of the IRS.

    5. Enable operation of IRS environments and business units that meet the requirements of this policy and support the business needs of the organization.

  6. It is acceptable to employ practices that are more restrictive than those defined in this IRM.

  7. It is the policy of the IRS:

    1. To establish and manage privacy practices within all offices to create a culture of privacy. This manual provides uniform policies and guidance to be used by all offices.

    2. To protect SBU data of the IRS at a level commensurate with the risk and magnitude of harm that could result from loss, misuse, or unauthorized access to that information.

    3. To protect SBU data and allow the use, access, and disclosure of information in accordance with applicable laws, policies, federal regulations, Office of Management and Budget (OMB) Circulars, Treasury Directives (TDs), National Institute of Standards and Technology (NIST) Publications, other regulatory guidance, and best practice methodologies.

    4. To use best practices methodologies and frameworks, such as Enterprise Life Cycle (ELC) and Enterprise Architecture (EA), to document and improve IRS privacy policy efficiency and effectiveness.

  8. The Director, PGLD, is the IRS Chief Privacy Officer. For more information about PGLD, refer to IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD), and the PGLD website (search for PGLD on the IRS internal website).

Audience

  1. The audience to which the provisions in this manual apply includes:

    1. All offices and business, operating, and functional units within the IRS.

    2. Individuals and organizations having contractual arrangements with the IRS, including employees, seasonal/temporary employees, interns, detailees, contractors, subcontractors, non-IRS-procured contractors, vendors, and outsourcing providers, with any access to SBU data.

      Note:

      This IRM covers all sensitive data used and operated by and on behalf of the IRS no matter what stage of the IT lifecycle it is in (i.e., production, pre-production, and post-production systems).

  2. For the purpose of this IRM, the following terms apply. Hereinafter, this IRM refers to IRS personnel, which includes all categories below:

    1. IRS personnel or users, which includes:
      1. Employees
      2. Seasonal/temporary employees
      3. Detailees
      4. Interns
      5. Consultants
      6. IRS contractors (including contractors, subcontractors, non-IRS-procured contractors, vendors, and outsourcing providers)

    2. Authorized or Unauthorized personnel applies to IRS personnel being authorized or unauthorized to perform a particular action.

      Note:

      To be authorized, all personnel must complete required training (IRS annual and role-based privacy, information protection, and disclosure training requirements, Unauthorized Access [UNAX] awareness briefings, and all other specialized privacy training) and background investigations before being given access. [OMB A-130]

Policy and Program Owners

  1. Privacy Policy and Knowledge Management (PPKM) under PGLD’s Privacy Policy and Compliance (PPC) develops privacy policy in accordance with applicable laws, mandates, guidance, mission, and input from other stakeholders. See the References section of this IRM.

  2. For more information about PGLD, refer to IRM 1.1.27 and the PGLD website (search for PGLD on the IRS internal website).

Primary Stakeholders

  1. All business units are stakeholders regarding privacy.

Background

  1. This IRM serves as the framework for IRS privacy policy and an introduction to PGLD.

  2. This policy establishes the privacy context for the development of related subordinate IRMs, IRS publications, and subordinate procedural guidance such as Standard Operating Procedures (SOP) and Desk Procedures.

  3. Subordinate IRMs offer additional privacy program protection information.

  4. Subordinate procedural guidance provides detailed guidance for implementing and complying with the requirements within this IRM. For further information, see PGLD’s website (search for PGLD on the IRS internal website).

  5. If IRM 10.5.1 conflicts with or varies from the subordinate IRMs in the 10.5 series or guidance, IRM 10.5.1 takes precedence, unless the subordinate IRM is more restrictive or otherwise noted.

    Note:

    Exceptions to policy must be granted via the Risk Acceptance Form and Tool (RAFT) process. Exceptions will not be granted to bypass laws or mandates. Executives/AOs may make requests via *Privacy (give topic name in subject line and add "Attn: CPO").

  6. This policy assigns responsibilities and lays the foundation necessary to measure privacy progress and compliance.

Authority

  1. In an effort to reference the origin of a privacy policy cited later in this IRM (National Institute of Standards and Technology (NIST), Treasury, etc.), this IRM may reference a requirement’s origin in brackets at the end of the guidance, such as [PVR-xx] (IRS Privacy Principles and Privacy Requirements), [AP-01] (NIST Privacy Controls), or [TD P 85-01] (Treasury Directive Publications). If no specific origin reference appears, multiple origins may apply. Lack of a reference citation does not indicate no origin applies.

  2. PGLD’s Privacy Policy and Knowledge Management (PPKM) implements relevant privacy statutes, regulations, guidelines, OMB Memoranda, and other requirements. Various statutes, such as the Privacy Act, FISMA, and Paperwork Reduction Act mandate compliance with OMB policy and NIST guidance, giving them the force of law.

  3. The primary laws include:

    • Privacy Act (1974).

    • Computer Matching and Privacy Protection Act (1988).

    • Freedom of Information Act (FOIA) (1974).

    • Internal Revenue Code (§6103).

    • The Taxpayer Browsing Protection Act (1997) (UNAX).

    • Federal Information Security Modernization Act of 2014 (FISMA).

    • E-Government Act (2002).

    • Health Insurance Portability and Accountability Act (1996) (HIPAA).

  4. The most relevant OMB Circulars and Memos are:

    • OMB Circular No. A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act.

    • OMB Circular No. A-130, Management of Federal Information Resources.

    • M–03–22 – OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

    • M–10–22 – Guidance for Online Use of Web Measurement and Customization Technologies.

    • M–10–23 – Guidance for Agency Use of Third-Party Websites and Applications.

    • M–14–04 – Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.

    • M–16–24 – Role and Designation of Senior Agency Officials for Privacy.

    • M–17–06 – Policies for Federal Agency Public Websites and Digital Services.

    • M–17–12 – Preparing for and Responding to a Breach of Personally Identifiable Information.

  5. Relevant NIST guidance includes:

    • NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations.

    • NIST SP 800-63, Digital Identity Guidelines.

    • NIST SP 800-88, Guidelines for Media Sanitization.

    • NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).

  6. The relevant Department of Treasury directives and publications are:

    • Treasury Directive Publication (TD P) 15-71, Treasury Security Manual.

    • Treasury’s Privacy and Civil Liberties Impact Assessment (PCLIA) Template and Guidance.

    • TD P 85–01, Treasury Information Technology (IT) Security Program.

  7. For a full listing of and links to privacy-related statutes, regulations, guidelines, OMB Memoranda, and other materials relevant to this IRM, see Exhibit 10.5.1-2, References.

Key Privacy Definitions

  1. To support the IRS mission, understanding the key privacy definitions in the following subsections is essential.

Privacy Lifecycle

  1. The concept of a privacy lifecycle refers to the creation, collection, receipt, use, processing, maintenance, access, inspection, display, storage, disclosure, dissemination, or disposal of SBU data (including PII and tax information), regardless of format.

  2. IRS personnel must protect SBU data (including PII and tax information) throughout the privacy lifecycle, from receipt to disposal.

Sensitive But Unclassified (SBU) Data

  1. Sensitive But Unclassified (SBU) data is any information which if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under the Privacy Act. For the full definition, refer to TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information.

  2. SBU data includes, but is not limited to:

    1. Tax information (Federal Tax Information (FTI) protected by IRC § 6103), Personally Identifiable Information (PII), Protected Health Information (PHI), certain procurement information, system vulnerabilities, case selection methodologies, system information, enforcement procedures, investigation information.

    2. Live data, which is defined as production data in use. Live means that when changing the data, it changes in production. The data may be extracted for testing, development, etc., in which case, it is no longer "live". Live data often contains SBU data (including PII and tax information); however, tax information (FTI) remains tax information (FTI) whether it is live in a production environment or is removed to a non-production environment.

      Note:

      For classified information, see IRM 10.9.1, National Security Information, for additional procedures for protecting classified information.

  3. All IRS personnel must protect SBU data. Personnel must restrict access, inspection, and disclosure of SBU data to others who have a need to know the information. [PVR-05]

    1. For more information on encryption and other protections, see the Practical Privacy Policy section in this IRM.

    2. For more information, see the Need to Know section in this IRM.

    3. Refer to IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, controls about Access Controls and Least Privilege for information about limiting access to only people who have a need to know the information.

    4. Refer to IRM 11.3.22, Disclosure of Official Information, Disclosure to Federal Officers and Employees for Tax Administration Purposes, for information about Access by IRS Employees Based on Need to Know.

  4. SBU data includes subsets of protected information which many IRS personnel handle on a daily basis, such as PII and tax information. It also includes other subsets, such as procurement and system information.

  5. Personnel must determine if the SBU data is necessary to do business (does it support the business purpose of the system or the organization’s mission?). If it does not serve a valid business purpose, then the IRS must not collect that SBU data. If that SBU data does serve a business purpose, then the IRS may use it throughout the privacy lifecycle appropriately. For more information, see the IRS Privacy Principles section of this IRM. [Privacy Act; PVR-02; PVR-03]

  6. Do a Privacy and Civil Liberties Impact Assessment (PCLIA) for any system using SBU data. Refer to IRM 10.5.2, Privacy and Information Protection, Privacy Compliance and Assurance, for more information about PCLIAs.

  7. SBU data in a public record is still SBU data; however, different protections apply. To determine if publicly available SBU data or SBU data in the public record is still sensitive, see the Public Record section of this IRM.

  8. For more information on PII, see the Protecting and Safeguarding SBU Data and PII section of this IRM.

Examples of SBU Data
  1. Some examples of IRS SBU data include, but are not limited to:

    1. Personally Identifiable Information (PII).

    2. Corporate, or other business, tax return information (also classified as PII if it identifies an individual).

    3. Federal Tax Information (FTI).

    4. Protected Health Information (PHI).

    5. Documents marked "Official Use Only" (OUO).

    6. Passwords.

    7. Certain procurement information.

    8. Budget information.

    9. Contract proposals.

    10. Criminal Investigation information, including informant communications (law enforcement sensitive information).

    11. Enforcement procedures.

    12. Case selection methodologies including tolerance criteria.

    13. Proprietary processes or algorithms used in investigative work or tax processing.

    14. System information.

    15. System vulnerabilities.

    16. Physical security information, such as details of facility vulnerabilities (entry codes, badge access, etc.).

    17. Proprietary data (business information entrusted to the IRS).

    18. Confidential data to be released to the public at a later date.

    19. 31 U.S.C. Bank Secrecy Act protected reports filed by financial institutions.

    20. 18 U.S.C. Grand Jury information protected by Rule 6(e) of the Federal Rules of Criminal Procedure (law enforcement sensitive information).

    21. 18 U.S.C. 1905 information protected under the Trade Secrets Act for entities (trade secrets, processes, operations, style of work, or apparatus, or to the identity, confidential statistical data, amount or source of any income, profits, losses, or expenditures of any person, firm, partnership, corporation, or association).

    22. Whistleblower information under IRC 7623 or the Whistleblower Protection Act of 1989, Pub.L. 101-12 as amended. For more information, refer to IRM 25.2.1, Information and Whistleblower Awards, Receiving Information.

Official Use Only and Limited Official Use
  1. By definition, documents designated as "Official Use Only" (OUO) and "Limited Official Use" (LOU) contain SBU data.

  2. For more information, see IRM 11.3.12, Disclosure of Official Information, Designation of Documents.

Freedom of Information Act (FOIA) and SBU Data
  1. The Freedom of Information Act (FOIA) exempts most SBU data from release to the public under one of the nine exemptions listed in 5 U.S.C. § 552(b).

  2. However, the fact that IRS must release certain information if requested under FOIA does not automatically remove its status as SBU data. [FOIA]

  3. For more information, see IRM 11.3.13, Freedom of Information Act.

Personally Identifiable Information (PII)

  1. Personally identifiable information means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. [OMB A-130]

  2. For IRS purposes:

    1. To distinguish an individual is to identify an individual. For example, an individual might be distinguished by a passport identification number or Social Security Number (SSN). However, a list of credit scores without any other information concerning the individual does not distinguish the individual.

    2. To trace an individual is to process sufficient information to make a determination about a specific aspect of an individual’s activities or status, such as with an audit log.

    3. Linked information is information about or related to an individual that is logically associated with other information about the individual.

    4. Linkable information is information about or related to an individual for which there is a possibility of logical association with other information about the individual.
      [GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008, http://www.gao.gov/new.items/d08536.pdf]

  3. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified.

  4. Personnel should know that non-PII can become PII whenever additional information becomes available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual. [NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII); OMB Memorandum M-10-23]

  5. See the Examples of PII section of this IRM for more information.

  6. Refer to the PGLD webpage (search for PGLD on the IRS internal website).

  7. Submit a PCLIA for any system using PII. Refer to IRM 10.5.2 for more information about PCLIAs.

  8. PII in a public record is still PII; however, different protections apply. To determine if publicly available PII or PII in the public record is still sensitive, see the Public Record section of this IRM.

  9. For more information on PII, see the Protecting and Safeguarding SBU Data and PII section of this IRM.

Examples of PII
  1. Examples of PII include, but are not limited to:

    1. Name, such as full name, maiden name, mother’s maiden name, alias, or name control (first 4 letters of last name).

    2. Address information, such as street address or email address.

    3. A unique set of numbers or characters assigned to a specific individual, such as:
      1. Telephone numbers, including mobile, business, and personal numbers.
      2. SSN, including the last 4 digits.
      3. Taxpayer identification number (TIN) that identifies an individual.
      4. Email or Internet Protocol (IP) address.
      5. Driver’s license number.
      6. Passport number.
      7. Financial account or credit card number.
      8. Standard Employee Identifier (SEID).
      9. Automated Integrated Fingerprint Identification System (AIFIS) identifier, booking, or detention system number.

    4. Employee and employee information, including personnel files, employment testing materials, medical information, and Americans with Disabilities Act (ADA) accommodations.

    5. Individual tax return information.

    6. Corporate or other business tax return information that identifies an individual, such as an S-Corporation, partnership, or sole proprietorship.

    7. Personal characteristics and data, including:
      1. Date of birth.
      2. Place of birth.
      3. Age.
      4. Height.
      5. Weight.
      6. Gender.
      7. Hair color.
      8. Eye color.
      9. Race.
      10. Ethnicity.
      11. Scars.
      12. Tattoos.
      13. Distinguishing features.
      14. Religious affiliation.
      15. Sexual orientation.
      16. Gang affiliation.
      17. Photographic image (especially of face or other distinguishing characteristic).
      18. Biometric information (such as x-rays, fingerprints, retina scan, voice signature, facial geometry, DNA).

    8. Asset information, such as Media Access Control (MAC) address, Device ID, or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people.

    9. Descriptions of events or times (information in documents, such as police reports, arrest reports, and medical records).

    10. Descriptions of locations, such as geographic information system (GIS), GPS data, and electronic bracelet monitoring information.

    11. Information identifying personally owned property, such as vehicle registration number or title number and related information.

      Exception:

      "Constitutionally Required Disclosures" — Some situations require disclosure of information, including SBU data, such as criminal cases where the IRS has a constitutional obligation to disclose, upon the defendant's request, evidence material either to guilt or punishment (exculpatory evidence). For more details, refer to IRM 11.3.35, Requests and Demands for Testimony and Production of Documents.

  2. Information about an individual that is linked or linkable to one of the above.

Public Record
  1. IRS personnel must protect SBU data regardless of whether the same information is in the public record or publicly available. However, less stringent protections might apply in some situations.

  2. Generally, personnel must encrypt SBU data (including PII). However, inside the IRS network, encryption is not required if the IRS proactively makes it available to all personnel on internal resource sites (including, but not limited to, Discovery Directory, Outlook [calendar, profile information, and address book], intranet, and SharePoint site collections), such as names, SEID, and business contact information. [NIST SP 800-122; TD P 85-01, Appendix A, AC-20(3)_T.028, and MP-6(3)_T.124]

  3. Email addresses, by themselves as the method of the email conveyance, generally do not need encrypting. However, when combined with the content and attachments of an email, the email address may become SBU data.

    1. Encryption rules still apply for the body of emails and attachments.

    2. See the Email section of this IRM for more information on email.

  4. As for other SBU data and PII in the public record or publicly available, the requirements differ, depending on the information.

    Note:

    Tax information (FTI) must always be protected under IRC § 6103.

  5. No IRC § 6103 public records exemption exists. However, the Information Which Has Become Public Record section of IRM 11.3.11, Other Information Available to the Public, discusses disclosure of matters that have become public records as a result of tax administration, such as court cases. This is referred to as the judicially created public records exception.

  6. Treasury security guidance exempts Treasury information made available proactively to the public from certain encryption controls. This implies another public records exception based on information the agency makes available to the public. [TD P 85-01, Appendix A, AC-20(3)_T.028, and MP-6(3)_T.124]

  7. The Public Information Listing (PIL) designated by OPM makes six items of information available to the public by FOIA request. These items include: [5 CFR 293.311]

    1. Employee name.

    2. Present and past position titles and occupational series.

    3. Present and past grades.

    4. Present and past annual salary rates (including awards or bonuses, etc.).

    5. Present and past official duty stations (no telework information).

    6. Position descriptions, identification of job elements, and certain performance standards (but not actual performance appraisals).

  8. However, OPM exempts release of information on employees in these sensitive positions:

    • GS-0083, Police Officer

    • GS-0512, Revenue Agent

    • GS-0930, Appeals Officer

    • GS-1169, Revenue Officer

    • GS-1171, Property Appraisal and Liquidation Specialist

    • GS-1801, General Inspection, Investigation and Compliance

    • GS-1802, Compliance Inspection and Support

    • GS-1810, General Investigating

    • GS-1811, Special Agent

  9. Personnel should exercise caution and consult with PGLD regarding any questions they might have about application of a public record exception, on a case-by-case basis, prior to reducing privacy protections based on a public record exception. To request assistance or for further information, email *Privacy.

  10. For more information, refer to IRM 11.3.13, Freedom of Information Act.

Defining PII versus Sensitive PII
  1. Little difference exists between PII and what personnel refer to as "sensitive" PII.

  2. As defined in the PII section of this IRM, personally identifiable information means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. [OMB A-130]

  3. The level of risk increases with the potential level of harm caused by exposed SBU data or PII.

  4. Context remains important. PII that does not seem high risk may still require protection if its context makes it risky. For example, a collection of names:

    • Is not Sensitive PII if it is a list, file, query result, etc., of:
      - Attendees at a public meeting.
      - Names out of a public telephone book.
      - FOIA listing of IRS employees in non-protected positions.

    • Is Sensitive PII if it is a list, file, query result, etc., of:
      - Individual taxpayers who filed returns.
      - Law enforcement personnel.
      - Employees with poor performance ratings.

  5. For more information, see the Deciding Risk Levels for SBU Data and PII section of this IRM.

Tax Information (FTI)

  1. The term tax information refers to a taxpayer’s return and return information protected from unauthorized disclosure under IRC § 6103. This law defines return information as any information the IRS has about a tax return or liability determination. This return information includes, but is not limited to, a taxpayer’s:

    1. Identity.

    2. Income, payments, deductions, exemptions, or credits.

    3. Assets, liabilities, or net worth.

    4. Tax liability investigation status (whether the IRS ever investigates or examines the return).

  2. Redacting, masking, truncating, or sanitizing tax information does not change its nature. It is still tax information.

  3. Tax information in IRS business processes comes under many names, such as FTI, IRC § 6103-protected information, 6103, taxpayer data, taxpayer information, tax return information, return information, case information, SBU data, and PII. The term "live data" should not be used to describe tax information, unless it is in a production environment (see the Sensitive But Unclassified (SBU) Data section of this IRM).

  4. Tax information is SBU data. IRC § 6103 protects tax information from unauthorized disclosure. When tax information relates to an individual, that SBU data is also PII. [IRC § 6103(b)(2)]

  5. Submit a Privacy and Civil Liberties Impact Assessment (PCLIA) for any system using SBU data (including PII and tax information). Refer to IRM 10.5.2 for more information about PCLIAs.

  6. See these subsections in this IRM for more information:

    • Protecting and Safeguarding SBU Data and PII.

    • SBU data.

    • PII.

  7. For more information about return information and a definition, refer to IRM 11.3.1, Disclosure of Official Information, Introduction to Disclosure.

UNAX

  1. The term UNAX defines the act of committing an unauthorized access or inspection of any tax information contained on paper or within any electronic format. An access or inspection is unauthorized if it is done without a management-assigned IRS business need.

  2. The IRS created the unauthorized access or inspection of tax information and records (UNAX) program to implement privacy protection and statutory unauthorized access and browsing prevention requirements.

  3. UNAX is governed by the Taxpayer Browsing Protection Act. For more information about UNAX, refer to IRM 10.5.5, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.

Unauthorized Access of SBU Data

  1. While statutory UNAX (based on the Taxpayer Browsing Protection Act) refers to unauthorized access to tax information, unauthorized access to SBU data is governed by other statutes and by Treasury and IRS policy. [TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information]

  2. The term unauthorized access of SBU data defines the act of committing an unauthorized access or inspection of any SBU data (not tax information) contained on paper or within any electronic format. An access or inspection is unauthorized if it is done without a management-assigned IRS business need.

  3. See the Sensitive But Unclassified (SBU) Data and Need to Know sections in this IRM.

  4. Refer to 18 U.S. Code § 1030 - Fraud and related activity in connection with computers; 44 U.S. Code Chapter 35 (44 U.S.C. §§ 3551-3558); and Privacy Act of 1974, 5 U.S.C. § 552a.

Privacy Act Information

  1. The Privacy Act of 1974 (Privacy Act) forms the core of IRS privacy policy. It provides certain safeguards for an individual against an invasion of personal privacy by requiring federal agencies to:

    1. Collect, maintain, use, or disseminate any record of identifiable personal information in a manner that ensures that such action is for a necessary and lawful purpose.

    2. Ensure that the information is current and accurate.

    3. Ensure that the information is for its intended use.

    4. Provide adequate safeguards to prevent misuse of such information.

  2. The Privacy Act applies to agency records retrieved by an identifier for an individual.

  3. The term "record" includes, but is not limited to, information about an individual’s education, financial transactions, medical history, and criminal or employment history that contains the individual’s name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or a photograph.

  4. Privacy Act information is PII because it identifies individuals. Therefore, it is also SBU data. As with any other SBU data, disclosure must be restricted to persons authorized to have access to the information pursuant to the Privacy Act.

  5. For more information on the Privacy Act, refer to IRM 10.5.6, Privacy Act.

Need To Know

  1. The term "need to know" means that the personnel require the information to perform their duties. This is not a "cannot function without it" test; it considers whether the personnel can perform their official duties properly, efficiently, or appropriately without the information.

  2. Restrict access to all SBU data (including PII and tax information) to need-to-know personnel.

  3. This concept relates to the "relevant and necessary" aspect of the Purpose Limitation Privacy Principle and the Privacy Act. [PVR-02; Privacy Act; Treasury’s Privacy and Civil Liberties Impact Assessment (PCLIA) Template and Guidance]

  4. Those individuals who have a need to know must be informed of the protection requirements under the law and must have a background investigation. Protection requirements must be provided in writing, citing the prohibitions, restrictions, and penalties for unauthorized disclosure of tax return and return information (tax information) under appropriate sections of the Internal Revenue Code for willful or negligent disclosure of tax information.

  5. See the Unauthorized Access of SBU Data section of this IRM.

  6. Access to classified national security information requires more stringent controls which are addressed in IRM 10.9.1, National Security Information.

  7. Refer to IRM 11.3.22, Disclosure of Official Information, Disclosure to Federal Officers and Employees for Tax Administration Purposes, for information about Access by IRS Employees Based on Need to Know.

Key Privacy Concepts

  1. The IRS Privacy Principles and federally mandated Privacy Controls describe how the IRS protects an individual’s right to privacy.

  2. IRS Privacy Requirements (PVR), derived from IRS Privacy Principles and linked to the Privacy Controls, form the basis for privacy protection within the IRS.

  3. Adherence to IRS Privacy Principles and Requirements is mandatory for management officials responsible for protecting SBU data (including PII and tax information).

  4. For a listing of the IRS Privacy Requirements, refer to the Enterprise Architecture website on the IRS intranet.

Privacy Controls

  1. The NIST Special Publication (SP) 800-53 (Rev. 4), Appendix J, outlines 26 privacy controls in eight (8) groups designed to protect privacy for the lifecycle of PII. These controls establish a relationship between privacy and security controls.

  2. OMB A-130 mandates implementation of NIST privacy controls.

  3. The IRS applies NIST privacy controls within its Privacy Principles and Privacy Requirements. See the Privacy Principles section of this IRM to view the connections.

    ID     Privacy Controls
    ----   ----------------
    AP     Authority and Purpose
    AP-1   Authority to Collect
    AP-2   Purpose Specification
    AR     Accountability, Audit, and Risk Management
    AR-1   Governance and Privacy Program
    AR-2   Privacy Impact and Risk Assessment
    AR-3   Privacy Requirements for Contractors and Service Providers
    AR-4   Privacy Monitoring and Auditing
    AR-5   Privacy Awareness and Training
    AR-6   Privacy Reporting
    AR-7   Privacy-Enhanced System Design and Development
    AR-8   Accounting of Disclosures
    DI     Data Quality and Integrity
    DI-1   Data Quality
    DI-2   Data Integrity and Data Integrity Board
    DM     Data Minimization and Retention
    DM-1   Minimization of Personally Identifiable Information
    DM-2   Data Retention and Disposal
    DM-3   Minimization of PII Used in Testing, Training, and Research
    IP     Individual Participation and Redress
    IP-1   Consent
    IP-2   Individual Access
    IP-3   Redress
    IP-4   Complaint Management
    SE     Security
    SE-1   Inventory of Personally Identifiable Information
    SE-2   Privacy Incident Response
    TR     Transparency
    TR-1   Privacy Notice
    TR-2   System of Records Notices and Privacy Act Statements
    TR-3   Dissemination of Privacy Program Information
    UL     Use Limitation
    UL-1   Internal Use
    UL-2   Information Sharing with Third Parties

  4. The IRS conducts privacy continuous monitoring through its comprehensive privacy program. [OMB A-130]

IRS Privacy Principles

  1. The public trusts the IRS and its personnel to protect taxpayer privacy and safeguard confidential tax information.

    Note:

    This section quotes the existing IRS Privacy Principles, so the language uses "employees" and "contractors" instead of "IRS personnel."

  2. The IRS is dedicated to meeting this expectation. All IRS personnel are required to conduct their actions in a way that reflects a commitment to treat individuals fairly, honestly, and respectfully, and protect their right to privacy at all times. [OMB A-130]

  3. Protecting taxpayer privacy and safeguarding confidential tax information is a public trust. To maintain this trust, the IRS and its personnel must follow these privacy principles:

    1. Accountability

    2. Purpose Limitation

    3. Minimizing Collection, Use, Retention, and Disclosure

    4. Openness and Consent

    5. Strict Confidentiality

    6. Security

    7. Data Quality

    8. Verification and Notification

    9. Access, Correction, and Redress

    10. Privacy Awareness and Training

  4. The IRS derived the privacy principles from the Fair Information Practice Principles (FIPPs) and the Privacy Act.

  5. IRS Policy Statement 1-1 reflects these principles in the Policy Statements for Organization, Finance and Management Activities section of IRM 1.2.1, Servicewide Policies and Authorities – Policy Statements for Organization, Finance and Management Activities.

Accountability [PVR-01]
  1. All IRS employees and contractors are responsible and accountable for the effective implementation of privacy protections. [PVR-01]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Accountability, Audit and Risk Management:
      1. AR-1: Governance and Privacy Program
      2. AR-2: Privacy Impact and Risk Assessment
      3. AR-3: Privacy Requirements for Contractors and Service Providers
      4. AR-4: Privacy Monitoring and Auditing
      5. AR-6: Privacy Reporting
      6. AR-8: Accounting of Disclosures

Purpose Limitation [PVR-02]
  1. PII will be collected and used only when necessary and relevant for legitimate IRS purposes, namely tax administration and other authorized purposes. [PVR-02]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Authority and Purpose:
      1. AP-1: Authority to Collect

    2. Use Limitation:
      1. UL-1: Internal Use
      2. UL-2: Information Sharing with Third Parties

Minimizing Collection, Use, Retention, and Disclosure [PVR-03]
  1. The collection, use, retention, and disclosure of PII will be limited to what is minimally necessary for the specific purposes for which it was collected, unless specifically authorized. [PVR-03]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Authority and Purpose:
      1. AP-2: Purpose Specification

    2. Accountability, Audit and Risk Management:
      1. AR-7: Privacy-Enhanced System Design and Development

    3. Data Minimization and Retention:
      1. DM-1: Minimization of Personally Identifiable Information
      2. DM-2: Data Retention and Disposal
      3. DM-3: Minimization of PII used in Testing, Training and Research

Openness and Consent [PVR-04]
  1. The IRS will make its privacy policies and practices readily available to individuals, such that individuals will be informed of the collection, use, retention, and disclosure of their PII, and will obtain individuals’ consent to the greatest extent practicable. [PVR-04]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Individual Participation and Redress:
      1. IP-1: Consent

    2. Transparency:
      1. TR-1: Privacy Notice
      2. TR-2: System of Records Notices and Privacy Act Statements
      3. TR-3: Dissemination of Privacy Program Information

Strict Confidentiality [PVR-05]
  1. PII will only be accessed by or disclosed to authorized individuals who require the information for the performance of official duties. Browsing of confidential information, including PII, by unauthorized IRS employees or contractors will not be tolerated. Protected information includes confidential information of all individuals, not just taxpayers. Protected information includes, but is not limited to, confidential information of IRS employees, volunteers, practitioners, and other individuals who interact with the IRS. [PVR-05]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Accountability, Audit and Risk Management:
      1. AR-4: Privacy Monitoring and Auditing

    2. Use Limitation:
      1. UL-1: Internal Use

Security [PVR-06]
  1. Appropriate administrative, technical, and physical safeguards will be provided to protect against the unauthorized collection, use, and disclosure of SBU data, including PII. [PVR-06]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Data Quality and Integrity:
      1. DI-2: Data Integrity and Data Integrity Board

    2. Security:
      1. SE-1: Inventory of Personally Identifiable Information
      2. SE-2: Privacy Incident Response

Data Quality [PVR-07]
  1. Requirements governing the accuracy, completeness, and timeliness of PII will be to ensure fair treatment of all individuals. Information will be collected, to the greatest extent practicable, directly from the individual to whom it relates. [PVR-07]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Data Quality and Integrity:
      1. DI-1: Data Quality

Verification and Notification [PVR-08]
  1. All information about individuals will be verified with the individual, as well as any other relevant sources, to the greatest extent possible before adverse action is taken based on that information. Individuals will be notified prior to final action to the greatest extent possible. [PVR-08]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Data Quality and Integrity:
      1. DI-2: Data Integrity and Data Integrity Board

Access, Correction, and Redress [PVR-09]
  1. Individuals will be able to access and correct their PII upon request to the maximum extent allowable. Individuals include, but are not limited to, taxpayers, IRS employees, IRS contractors, practitioners, and others who interact with the IRS. Individuals will be able to contest determinations made based on allegedly incomplete, inaccurate, or out-of-date PII to the maximum extent allowable. [PVR-09]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Individual Participation and Redress:
      1. IP-2: Individual Access
      2. IP-3: Redress
      3. IP-4: Complaint Management

Privacy Awareness and Training [PVR-10]
  1. IRS employees and contractors will be made aware of, and appropriately trained in, the proper treatment of SBU data, including PII. [PVR-10]

  2. Related NIST 800-53 Privacy Controls include, but are not limited to:

    1. Accountability, Audit and Risk Management:
      1. AR-5: Privacy Awareness and Training

Servicewide Privacy Roles and Responsibilities

  1. The IRS implements privacy roles and responsibilities for personnel in accordance with federal laws and privacy guidelines.

Employees/Personnel

  1. IRS personnel (as defined in the Audience section in this IRM) must:

    1. Keep informed of and adhere to applicable IRS privacy policies and procedures.

    2. Limit access to records containing SBU data.

    3. Use SBU data only for the purposes for which it was collected, unless other purposes are legally mandated or authorized.

    4. Limit the disclosure of SBU data to that which is necessary and relevant for tax administration and other legally mandated or authorized purposes.

    5. Prevent unnecessary access, inspection, and disclosure of SBU data in information systems, programs, electronic formats, and hardcopy documents by adhering to proper safeguarding measures.

    6. Safeguard IRS information and information systems entrusted to them.

    7. Use IRS email accounts for performance of official duties.

    8. Complete IRS annual and role-based privacy, information protection, and disclosure training requirements, UNAX awareness briefings, and all other specialized privacy training, as required.

    9. Immediately complete Form 11377-E, Taxpayer Data Access, to document the access of taxpayer return information when the accesses are not supported by direct case assignment, were performed in error, or when the access may raise a suspicion of an unauthorized access.

    10. Stay aware of the consequences of UNAX violations, including accessing their own records, those of coworkers, family, friends, celebrities, and other covered relationships. For information regarding the Servicewide UNAX program and links to all UNAX forms, refer to the UNAX website in the PGLD Virtual Library.

    11. Report a data loss, theft, or improper disclosure of sensitive information immediately upon discovery of the loss to:
      1. Their manager and
      2. The appropriate organizations based on what was lost or disclosed.

      Note:

      For more information on reporting an incident, see IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets website in the PGLD Virtual Library.

  2. IRS personnel must follow privacy and security responsibilities outlined in IRM 10.8.2, Information Technology (IT) Security, IT Security Roles and Responsibilities.

Management

  1. In addition to the Employee/Personnel responsibilities, Management must also:

    1. Clearly communicate IRS privacy policies and procedures to all personnel in their organizations, ensuring awareness of their responsibilities to protect SBU data (including PII and tax information) and uphold applicable privacy laws, regulations, and IRS policies and procedures.

    2. Ensure personnel with authorized access to SBU data receive training to carry out their roles and responsibilities in a manner consistent with IRS privacy policies. [OMB A-130]

    3. Ensure all personnel in their respective organizations comply with the IRS privacy policies and procedures. Also ensure any noncompliance is addressed and remedied promptly, including, if necessary, the initiation of penalties for noncompliance in accordance with federal law and IRS personnel rules and regulations.

    4. Take a proactive role in preventing UNAX violations in their respective areas. Ensure all personnel are trained in and knowledgeable about the Taxpayer Browsing Protection Act of 1997 and the consequences of UNAX violations for personnel, and that all personnel within their business area complete all IRS UNAX, privacy, information protection, and disclosure training requirements annually and as required for their position.

    5. Ensure proper safeguards are established to prevent unintentional exposure to SSNs in cases where SSN use is determined to be necessary.

    6. Ensure the SEID is used as the primary employee identifier, as an alternative to the SSN, when possible.

    7. Ensure PCLIAs for which they are the responsible official are completed in a timely manner, and mitigate any privacy risks discovered.

    8. Follow IRS records management requirements outlined in IRM 1.15.7, Records and Information Management, Files Management.

    9. Ensure all personnel report a data loss, theft, or improper disclosure of sensitive information immediately upon discovery of the loss to:
      1. Their manager and
      2. The appropriate organizations based on what was lost or disclosed.

      Note:

      For more information on reporting an incident, see IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets website in the PGLD Virtual Library.

Senior Management/Executives

  1. In addition to the Employee/Personnel and Management responsibilities, Senior Management/Executives must also:

    1. Coordinate with the Chief Privacy Officer (CPO) to develop, implement, maintain, and enforce a program to protect all SBU data (including PII and tax information) for which they are responsible in accordance with IRS privacy policies and procedures. [OMB A-130]

    2. Focus special emphasis on the government-wide requirements to eliminate the unnecessary collection and use of SSNs as a personal identifier for employee and tax systems and programs. [OMB A-130]

    3. Periodically assess and evaluate privacy awareness activities of their organization in order to set clear expectations for compliance with all requirements.

    4. Allocate sufficient resources to comply with IRS privacy policies and procedures. [OMB A-130]

    5. Ensure Servicewide, alternative unique identifiers are used for internal and taxpayer systems and programs in place of SSNs when possible.

    Note:

    Exceptions to policy must be granted via the Risk Acceptance Form and Tool (RAFT) process. Exceptions will not be granted to bypass laws or mandates. Executives/AOs may make requests via *Privacy (give topic name in subject line and add "Attn: CPO").

System Owners

  1. In addition to the Employees/Personnel responsibilities, IRS system owners must:

    1. Follow applicable laws, regulations, and IRS privacy policies and procedures in the development, acquisition, implementation, operation, and disposal of all systems under their control.

    2. Ensure that the use of SBU data (including PII and tax information) throughout the privacy lifecycle is limited to that which is minimally necessary for tax administration purposes or other legally authorized purposes.

    3. Examine the use of SSNs in all information systems and programs, as well as hardcopy and electronic formats (for example, forms, printouts, screenshots, displays, electronic media, archives, and online storage repositories) and eliminate the unnecessary use of SSNs where identified.

    4. Ensure that adequate SSN alternatives are employed, as necessary.

    5. Ensure, to the extent possible, that SBU data used by the IRS to complete business functions is accurate, relevant, timely, and complete.

    6. Ensure that all new systems, systems under development, or systems undergoing major modifications that contain SBU data have in place a completed and approved PCLIA in accordance with federal laws and IRS policy.

    7. Work with Privacy Compliance and Assurance (PCA) to ensure that approved PCLIAs for systems that contain SBU data or PII on the public are reviewed for redaction prior to being posted to IRS.gov.

    8. Coordinate with the system developer and PCA to ensure identified privacy risks are documented in their Plans of Action and Milestones (POA&Ms) and are resolved in a timely manner.

    9. Coordinate all inter-agency PII sharing agreements with GLDS and other affected IRS entities that establish and monitor the sharing of PII with external entities.

    10. Implement safeguards to establish and monitor internal and third party agreements for the protection of SBU data and to ensure the confidentiality of SBU data.

    11. Ensure that IRS personnel involved in the management, operation, programming, maintenance, or use of IRS information systems complete IRS UNAX and privacy, information protection and disclosure training prior to being granted access to those systems containing SBU data.

    12. Ensure that IRS personnel who have access to SBU data for testing follow the requirements of IRM 10.5.8, Privacy and Information Protection, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments. For more information, refer to the SBU Data Policy webpage.

    13. Follow IRS records management requirements outlined in IRM 1.15.7, Records and Information Management, Files Management.

System Developers

  1. In addition to the Employees/Personnel responsibilities, System Developers must:

    1. Follow IRS privacy policies and procedures in the development, implementation, and operation of information systems for which they are responsible, including reviews of the use of SSNs by IRS systems.

    2. Work closely with system owners to eliminate the unnecessary collection and use of SSNs in all IRS systems.

    3. Develop information systems that provide the capability to partially mask, truncate, or redact the SSN when the total elimination of the use of SSNs is not possible in both personnel and tax systems.

    4. Work with system owners to eliminate unnecessary accessing, collecting, displaying, sharing, transferring, retaining, and using of the SSNs in personnel and tax systems.

    5. Establish, maintain, and test the management, operational, and technical controls to protect SBU data (including PII and tax information).

    6. Complete system PCLIAs in concert with system owners and in accordance with IRS policy, if they are the responsible management official or designees.

    7. Coordinate with the system owners and PCA to resolve identified privacy risks.

    8. Perform system lifecycle reviews to ensure satisfactory resolution of privacy risks and provide the results to the system owners.

Authorizing Officials

  1. In addition to the Employee/Personnel and Management responsibilities, the Authorizing Official (AO) must develop and maintain additional operational documentation (such as action and implementation plans, standard operating procedures) necessary for implementation of the privacy controls delineated in the IRM 10.5 series.

    Note:

    Exceptions to policy must be granted via the Risk Acceptance Form and Tool (RAFT) process. Exceptions will not be granted to bypass laws or mandates. Executives/AOs may make requests via *Privacy (give topic name in subject line and add "Attn: CPO").

  2. The AO holds responsibility for implementation of privacy, including documentation and procedures for how their information systems are managed, administered, and monitored.

Personnel Engaged in Procurement Activities

  1. In addition to the Employee/Personnel responsibilities, personnel engaged in procurement-related activities must:

    1. Review and understand the appropriate procurement-related training and guidance, including the Contracting Officer Representative (COR) Security, Privacy, and Disclosure Awareness Training.

      Note:

      For more information, see the Contractors section (in the Practical Privacy Policy section) of this IRM and refer to IRM 11.3.24.

    2. Ensure all IRS acquisitions and contract vehicles contain appropriate language holding contractors and other service providers accountable for complying with federal and IRS privacy policies and procedures.

    3. Insert the necessary contract clauses in all acquisitions and procurement documents generated in support of any contract or agreement involving access to SBU data (including PII and tax information). This includes, but is not limited to, clauses specific to SBU data, IRC 6103, the Privacy Act, and Non-Disclosure Agreements. To find the appropriate contract clauses, refer to the Contractor Compliance webpage on the PGLD Virtual Library or the Procurement website on the IRS intranet.

    4. Ensure contract work statements specifically identify the appropriate System of Records Notice (SORN) when Privacy Act information is a part of the research, design, development, testing, or operation work to be performed.

    5. Review contract requirements to determine whether the contract will involve access to SBU data (including PII and tax information), or the design, development, or operation of a SORN on individuals to accomplish an IRS function.

    6. Ensure compliance with the Federal Acquisition Regulations (FAR). For more information, refer to the FAR site:
      https://www.acquisition.gov/browse/index/far

    7. Support the appropriate level of contractor background investigation in cooperation with the Office of Contractor Security Management (CSM) and Office of Personnel Security (PS) as described in IRM 10.23.2, Personnel Security – Contractor Investigations. This includes working with PS to assign the correct risk designations (often Moderate for access to SBU data) and assisting with contractor fingerprinting, if needed, as well as identity card distribution. Contractors may need to be re-investigated every five years; the COR is responsible for initiating re-investigations.

      Note:

      Any staff-like access (facilities, systems, or SBU data) requires completion of a favorable suitability/fitness determination (background investigation) conducted by IRS Personnel Security. For more information about staff-like access, refer to IRM 10.23.2.

    8. Ensure contractors take required security, privacy, disclosure, and UNAX training and complete Non-Disclosure Agreements (NDAs) within the required time frames per CSM instructions.

    9. Ensure any contract involving the use of SBU data for testing follows the requirements of IRM 10.5.8, Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments. For more information, refer to the SBU Data Policy webpage.

    10. Ensure contractors receive and understand the PCLIA when supporting a project with a PCLIA. In some cases, contractors might need to work with the IRS to complete the required PCLIA. Before "developing or procuring information technology that collects, maintains, or disseminates" SBU data (including PII and tax information), the IRS must complete a PCLIA. [E-Government Act]

    11. Ensure the contractor understands incident response requirements. All incidents related to IRS processing, information, or information systems must be reported immediately upon discovery to the CO and COR. Report security incidents to CSIRC by contacting the CSIRC Support Desk at 240-613-3606. Refer to the IR-6 Incident Reporting section in Pub 4812.

    12. Report UNAX by a contractor to TIGTA and Procurement.

    13. Collaborate with CSM at contract closeout to ensure system and facilities accesses are revoked and all IRS data is returned or purged as required by the contract.

    14. For more information, see the internal Procurement webpage.

    [OMB A-130, AR-3]

Privacy Culture

  1. The IRS requires a privacy culture, wherein all personnel think about privacy before taking action. In such an environment or culture, protecting privacy guides the day-to-day practices and routines of each individual.

  2. Throughout the privacy lifecycle, consider whether the use of SBU data (including PII and tax information) meets all the IRS Privacy Principles.

    Note:

    One approach might be to ask if you would want your information treated in this way.

  3. The IRS has programs to promote a privacy culture.

Clean Desk Policy

  1. The IRS’s Clean Desk Policy and containerization objectives are designed to address the protection of SBU data (including PII and tax information) throughout the privacy lifecycle. The Clean Desk Policy requirements apply to data left out in work areas (including those in telework and offsite locations) and non-secured containers, on credenzas, desk tops, fax/copy machines, conference rooms, and in/out baskets. [TD P 15-71; PVR-01, PVR-05, PVR-06]

  2. All SBU data (including PII and tax information) in non-secured areas must be containerized during non-duty hours.

  3. Protected data must be locked in containers in areas where non-IRS personnel have access during non-duty hours and/or when not under the direct control of an authorized IRS employee. For additional information, refer to the Containers section in IRM 10.2.14, Methods of Providing Protection.

  4. For some pipeline activities and processing conducted at Submission Processing centers, campuses, and computing centers, the volume of the tax information processed and the disruption to these operations might prevent containerization and Clean Desk implementation. Clean Desk Waiver requirements are:

    1. Waivers are restricted to pipeline activities and processing conducted at Submission Processing centers, campuses, and computing centers.

    2. The request must be justified and not just a matter of convenience.

    3. Requests for exemption must be approved at the Executive level of the business unit making the request via Form 14617, Clean Desk Waiver Request and Checklist.

    4. The Clean Desk Waiver request must be forwarded by the business unit to PGLD for approval via email to *Privacy. Facilities Management and Security Services (FMSS) will conduct the physical reviews, with assistance from Records as necessary.

    5. Exemptions citing voluminous files will not be granted until a review is conducted by FMSS and PGLD.

    6. Items identified as requiring Special Security (SP) cannot be exempted from the Clean Desk Policy. For additional guidance see IRM 10.2.15, Minimum Protection Standards (MPS).

    7. Requests must demonstrate a layered security plan that affords the campuses and the computing centers a higher level of protection to accommodate the processing operation.

    8. The request for waiver must be submitted annually as required.

  5. An entire campus, computing center, or Post of Duty (POD) may not have a blanket waiver of the Clean Desk Policy approved.

    1. Submission Processing activity may use one waiver request for each campus, computing center, or other POD.

    2. All other activities in campuses or other locations must request a waiver from the Clean Desk Policy.

Privacy in Practice (PiP)

  1. IRS Privacy in Practice includes protecting privacy in systems and safeguarding privacy in everyday business practices. All IRS activities should contain an element of privacy. A culture of privacy prevails through Privacy in Practice, from systems development to customer service, training, communications, passwords, and the Clean Desk Policy.

  2. PGLD Privacy Policy and Compliance (PPC) employees serve as privacy advocates and consultants for IRS personnel and projects.

  3. Designing privacy into projects is a key aspect of effective privacy policy and compliance at the IRS.

    1. This concept reflects the principle that organizations best achieve privacy goals when they weave privacy proactively into business processes and operational practices.

    2. To be effective, privacy principles must be introduced early in a project lifecycle, in architecture planning, system design, and the development of operational procedures.

  4. Invite PPC privacy employees whenever necessary at all project stages.

  5. Refer to the Privacy in Practice Quick Reference Guide (Document 13291).

  6. To request assistance or for further information, email *Privacy.

  7. Refer to the Enterprise Architecture website on the IRS intranet.

Practical Privacy Policy

  1. These sections describe privacy policy in terms of common issue areas. Many of these areas interrelate with each other, physical protection, and IT security practices.

  2. For more information, refer to the PGLD Virtual Library website.
    For additional help, email *Privacy.

Protecting and Safeguarding SBU Data and PII

  1. Regardless of the risk, IRS personnel must protect and safeguard SBU data (including PII and tax information). This means personnel must properly use SBU data throughout the privacy lifecycle.

  2. The following requirements stem from TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information.

  3. IRS personnel must be aware of and comply with safeguarding requirements for SBU data. Personnel must also be aware that divulging SBU data without proper authority could result in administrative or disciplinary action (including termination of contract). The lack of an SBU marking does not mean the information is not sensitive, nor does it relieve the creator or holder of such information from responsibility to appropriately safeguard the information from unauthorized use or inadvertent disclosure.

  4. Personnel must take steps to prevent the possibility of such disclosure by non-IRS personnel. Personnel must deny unauthorized non-IRS personnel access to any areas other than those established for serving the public. Personnel must containerize all tax data in non-secured areas during non-duty hours and must protect it from inadvertent disclosures during duty hours.

    Exception:

    Only those places that have received approved waivers are excepted.

  5. IRS officials who use SBU data are responsible for determining how long the information must be protected, for example, either by date or lapse of a determinable event. Unless otherwise noted on a document, information marked as SBU will generally no longer be treated as sensitive after 25 years except as provided by statutes, regulations, guidelines, OMB Memoranda, or other requirements.

    1. Previously generated sensitive information of IRS origin will be subject to release determinations under the FOIA/Privacy Act.

    2. Information creators, not system operators, will determine what information requires protection depending on the nature of the information and the environment in which it is processed and stored.

    3. SBU data must not remain designated as such when its disclosure would no longer reasonably be expected to adversely impact economic, industrial, or international financial institutions; or compromise unclassified programs or essential operations or critical infrastructures.

  6. IRS security officials must provide routine oversight of measures in place to protect SBU data through a program of routine administration and day-to-day management of their information security program.

  7. IRS supervisors and program managers are responsible for personnel being trained to recognize and safeguard SBU data supporting their mission, operations, and assets. Supervisors and managers must also ensure an adequate level of education and awareness is maintained by affected personnel. Education and awareness must begin upon initial personnel assignment and be reinforced annually through mandatory training, staff meetings, or other methods/media contributing to an informed workforce.

  8. IRS personnel must protect SBU data supporting their mission, operations, and assets. Protection efforts must focus on preventing unauthorized or inadvertent disclosure, especially when visitors enter areas where SBU data is handled, processed, discussed, or stored. This includes being aware of surreptitious and accidental threats posed by high-end communications technologies carried/used by personnel and visitors, such as cell phones (with or without photographic capability), personal data assistants/digital assistants, smart devices, Internet of Things (IoT), portable/pocket computers, cameras and other video imaging recorders, flash drives, multi-functional and two-way pagers, and wireless devices capable of storing, processing, or transmitting information.

  9. IRS program managers and contracting officials must also require appropriate privacy and security contract clauses for personnel, facilities, and information protection through the acquisition process of contracts or grants that concern access to SBU data.

Deciding Risk Levels for SBU Data and PII

  1. If SBU data (including PII and tax information) is lost, compromised, or disclosed without authorization, it could result in substantial harm, embarrassment, inconvenience or unfairness to an individual or the IRS.

  2. Harm includes any adverse effects experienced by an individual whose PII was compromised, or adverse effects to the IRS such as a loss of public confidence.

  3. The greater the potential for harm, the more at risk the SBU data becomes. As outlined in NIST SP 800-122:

    1. PII with a low confidentiality level means limited potential harm with minor impact on an individual or the IRS.

    2. Low confidentiality level SBU data would include, for example, information that can be released under FOIA requests, or information that has become public record or is publicly available. See the FOIA and Public Record sections of this IRM for more information. The SEID is an example of low risk PII.

    3. PII with moderate or high confidentiality levels means the potential harm ranges from serious to severe or catastrophic, with significant to severe impact to an individual or the IRS. Tax information is an example of high risk PII.

  4. The greater the risk to SBU data, the stronger the privacy and security protections become. [OMB A-130, NIST SP 800-122] For example, moderate and high risk SBU data require encryption, but publicly available low risk SBU data might not need encryption.

  5. When in doubt about the level of risk of SBU data (including PII and tax information), or the privacy concerns around the data, email *Privacy for assistance.

  6. For more information about publicly available information, see the Public Record section of this IRM.

  7. For more information on the IT aspects of data security, refer to IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

Limiting Sharing of SBU Data and PII

  1. All SBU data (including PII and tax information) must be protected. What SBU data may be shared is limited. [PVR-02, PVR-05; UL-2: Information Sharing with Third Parties]

  2. Information designated as SBU must be orally, visually, or electronically disseminated in such a manner as to avoid access by unauthorized persons. Precautions might include preventing visual access and restricting oral disclosure to designated individuals.

  3. SBU data may be reproduced on regular office copiers to the extent needed to carry out official business. Flawed or otherwise unusable reproductions must be destroyed via shredding or placement in burn bags. See the Disposition and Destruction section of this IRM.

  4. Follow the extensive Disclosure rules in the IRM 11.3 series, Disclosure of Official Information.

  5. Internally: Only share SBU data (including PII and tax information) with other IRS personnel if the recipient’s need for the information is related to his or her official duties.

  6. The electronic transmission of SBU data (including PII and tax information) requires encryption for security purposes. See the Encryption section of this IRM for more information.

  7. Release of tax information (whether of an individual or business) is restricted by the confidentiality provisions of IRC § 6103(a). Share tax information only with authorized individuals following established written procedures.

    Note:

    Removing identifying information (i.e., Name/TIN) from specific tax records does not remove it from the confidentiality protections of IRC § 6103.

  8. Externally: Only share SBU data (including PII and tax information) with authorized individuals outside of IRS, in encrypted files, if all these conditions are met:

    1. Individual authorized to receive it under law or regulation, such as IRC § 6103. Authority may be established by a formal request for information processed using established written procedures, or a memorandum of understanding or executed agreement which also establishes the secure method of transmission for the data.

      Note:

      Keep agreements in an approved database/program, such as IRS Agreement Database (IAD). For more information about the IAD, see the Governmental Liaison (GL) section.

    2. Recipient need for the information related to official duties.

    3. Recipient authenticated.

    4. Recipient accepted information and any obligation to protect.

    5. Access controls limited to those with need to know.

    6. The applicable System of Records Notice (SORN) includes the use as a published routine use. Refer to the section on SORNs on the PGLD website.

  9. Refer to the IRM 11.3 series (Disclosure of Official Information) or email *Disclosure for additional guidance.

Extracting SBU Data (Including PII and Tax Information)

  1. IRS personnel must not create unauthorized, unnecessary, or duplicative hardcopy or electronic collections of SBU data (including PII and tax information), such as duplicate, ancillary, shadow, personal copies, or "under the radar" files. [PVR-03]

  2. If creating new spreadsheets or databases containing SBU data (including PII and tax information) from a larger file or database is necessary, consider whether a PCLIA is required.

    1. To do so, submit a Qualifying Questionnaire (QQ), or email *Privacy.

    2. For more information on the QQ and PCLIA process, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program.

Encryption

  1. Encryption is an important tool in the IRS’s protection of SBU data (including PII and tax information). [OMB A-130, PVR-06]

  2. For more details about emailing and encrypting SBU data, see the Email section of this IRM.

External

  1. Protect all SBU data (including PII and tax information) processed, stored, or transmitted outside the IRS with IT-approved encryption methods, unless specifically excluded in the IRM. This includes, but is not limited to, SBU data in email, removable media (such as USB drives), on mobile computing devices, and on computers and mobile devices.

  2. IRS IT-approved encryption methods include, but are not limited to, Symantec Endpoint Encryption Removable Storage (SEERS, formerly known as GERS, Guardian Edge Removable Storage), password-protected SecureZip, and secure messaging via Outlook.

    Note:

    Different policies apply for emails to taxpayers and representatives, other stakeholders, those with IRS accounts, and personal email. For more information and requirements about emailing outside the IRS, see the Emails to Taxpayers and Representatives, Emails to Other External Stakeholders, Emails to IRS Accounts, and Emails with Personal Accounts sections in the Email section of this IRM.

  3. For more information about encrypting documents, emails, and email attachments, see the Encryption website in the PGLD Virtual Library.

  4. Refer to specific requirements in these IRMs:

    • IRM 1.15 series, Records and Information Management.

    • IRM 10.2 series, Physical Security Program.

    • IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, in the Cryptographic Protection, Access Control, Media Protection, and Physical and Environmental Protection sections.

Internal

  1. Within the IRS, protect all SBU data (including PII and tax information) with encryption and/or access controls, limiting access only to approved personnel with a need to know.

  2. Within the IRS network, emails can be encrypted using the Secure Enterprise Messaging System.

    Note:

    See the Public Record section of this IRM for more information about publicly available information.

  3. Refer to specific data encryption requirements in IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, in the Encryption, Access Control, Media Protection, and Physical and Environmental Protection sections.

Attachment Encryption Instructions

  1. Refer to the SecureZip and SEERS (formerly GERS) brochures in the Encryption website on the PGLD Virtual Library.

  2. Instructions for using SecureZip and SEERS (formerly GERS) to encrypt attachments also are available on the FindIT website on the IRS intranet.

Computers and Mobile Computing Devices

  1. Any SBU data (including PII and tax information) on a computer (such as a server, desktop, or mobile computing device [such as a laptop, tablet, smartphone, etc.]) must be protected, locked (such as a screen saver), secured physically, and kept within sight and/or control.

  2. IRS personnel must use encryption, access controls, and physical security measures as appropriate for the equipment and setting.

    1. For example, computers on IRS sites (federal facilities, contractor’s offices, or rented areas) must follow the appropriate Physical Security Program policies or contractual requirements.

    2. In addition, IRS personnel must not use mobile devices in public settings in such a way as to expose SBU data (including PII and tax information).

    3. To the extent possible, position any computer or device screen displaying IRS SBU data (including PII and tax information) so that non-authorized personnel cannot view the data.

  3. Protect equipment. Securely lock computers (such as a server, desktop, or mobile computing device [such as a laptop, tablet, smartphone, etc.]) or other equipment (such as flash drives, CDs, external drives) when left unattended, whether in the office, in the home, or in a hotel room. Use the IRS-provided cables and cable locks to secure laptops when working in regular work space (worksite), working out of the office, or in travel status.

  4. For more information about secured wireless access points (wi-fi hotspots), refer to the Access Control section in IRM 10.8.40, Information Technology (IT) Security, Wireless Security Policy.

  5. Refer to IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

Data Loss

  1. IRS personnel must prevent SBU data loss throughout the privacy lifecycle.

  2. If such a loss occurs:

    Immediately upon discovery of an inadvertent unauthorized disclosure of sensitive information, or the loss or theft of an IT asset or hardcopy record or document containing sensitive information, IRS personnel must report the incident to their manager and the appropriate organizations based on what was lost or disclosed. [OMB A-130]

  3. For a brief description of the Incident Management program, see the Incident Management section in this IRM.

  4. For more information about how to report an incident, refer to IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets website in the PGLD Virtual Library.

Marking

  1. The Treasury Security Manual [TD P 15-71, Treasury Security Manual, Chapter III, Section 24, Sensitive But Unclassified Information] requires that information designated as SBU data (including PII and tax information) and requiring such marking must be distinctly labeled so persons authorized access are readily aware of its sensitivity. IRS-specific marking requirements are also addressed in IRM 11.3.12, Designation of Documents. The lack of SBU markings, however, does not relieve the holder from safeguarding responsibilities. Unmarked SBU information already in records storage does not need to be removed, marked, and restored. However, when individual items are temporarily removed from storage that have no markings (and are subsequently deemed to be SBU), those will be appropriately marked to reflect the correct status as SBU before being re-filed.

    1. Items containing SBU information will be prominently marked at the top/bottom of the front/back cover and each individual page with the marking "SENSITIVE BUT UNCLASSIFIED" or "SBU". Information system prompts may be adjusted to incorporate SBU markings in headers and footers.

    2. Portions, paragraphs, and subject titles containing SBU information will be marked with the abbreviation "SBU" to differentiate it from the remaining text. Only when the entire text contains SBU information are individual portion markings optional.

    3. Controlling, decontrolling, or originator information markings are not required.

    4. When sent outside IRS, SBU information documents will include a statement alerting the recipient in a transmittal letter or directly on the document containing SBU information, for example: "This document belongs to the IRS. It may not be released without the express permission of (creating office). Refer requests and inquiries for the document to: (insert name and address of originating office and contact number(s))".

  2. Protective measures start when markings are applied and end when such markings are cancelled or the records are destroyed. SBU information may be reproduced on regular office copiers to the extent needed to carry out official business. Flawed or otherwise unusable reproductions will be destroyed via shredding or placement in burn-bags.

  3. Although SBU is Treasury’s standard for identifying sensitive information, some types of SBU information might be more sensitive than others and warrant additional safeguarding measures beyond the minimum requirements established herein. Certain information might be extremely sensitive based on repercussions if the information is released or compromised – potential loss of life or compromise of a law enforcement informant or operation. IRS and its personnel must use sound judgment coupled with an evaluation of the risks, vulnerabilities, and the potential damage to personnel or property/equipment as the basis for determining the need for safeguards in excess of the minimum requirements contained herein.

  4. A green "SENSITIVE BUT UNCLASSIFIED" cover sheet, Form TD F 15-05.11, must be placed on documents that contain SBU material to prevent unauthorized or inadvertent disclosure when SBU information is removed from an authorized storage location and persons without a need-to-know are present or casual observation would reveal SBU information.

    1. When forwarding SBU information, place an SBU cover sheet inside the envelope and on top of the transmittal letter, memorandum, or document.

    2. When receiving SBU or equivalent information from another U.S. Government agency, handle it in accordance with the guidance provided by the other U.S. Government agency. Where no guidance is provided, handle it in accordance with IRS policy as described herein.

Storage

  1. For storage of SBU data (including PII and tax information), refer to IRM 10.8.1 about limiting access to need-to-know personnel and for encryption requirements.

  2. For storage of federal records, refer to IRM 1.15 series, Records and Information Management.

  3. For managers handling employee performance files (EPFs), refer to the sections:

    • Maintaining Tax Return Information in Employee Performance Files section in IRM 11.3.22.

    • Employees in Critical Job Elements in IRM 6.430.2, Performance Management, Performance Management Program for Evaluating Bargaining Unit and Non Bargaining Unit Employees Assigned to Critical Job Elements (CJEs).

    • Performance Management Program for Evaluating Managers, Management Officials and Confidential Management/Program Analysts in IRM 6.430.3, Performance Management, Performance Management Program for Evaluating Managers, Management Officials and Confidential Management/Program Analysts.

Transmission

  1. SBU data (including PII and tax information) transmitted from one location to another must be provided adequate safeguards.

  2. Refer to the Transporting Documents section of IRM 11.3.1.

Field and Travel

  1. If IRS personnel carry SBU data (including PII and tax information) in connection with a trip or in the course of daily activities, they must keep it with them to the extent possible.

  2. If SBU data (including PII and tax information) must be left in an automobile, lock it in the trunk. If the vehicle does not have a trunk, conceal the material from plain view and secure it in some manner.

    Note:

    In either case, lock the vehicle and leave the material unattended for only a short period.

  3. If the SBU data (including PII and tax information) must be left in a hotel or motel room, lock it in a briefcase and conceal it to the extent possible.

    Caution:

    Do this as a last resort as a hotel or motel room is usually not a good location to leave tax information.

  4. If SBU data (including PII and tax information) is being moved from one building to another (even within the same fence line) or one location to another even if it is a short distance, take necessary steps to protect the information from unauthorized disclosure, loss, damage or destruction.

  5. Field employees might have sensitive information needing protection while temporarily stored at the taxpayer's site.

    1. Sensitive tax information (such as agent's work papers, original returns, examination plans, probes, fraud data, etc.) housed at the taxpayer's site must be stored in a container under the control of the responsible IRS employee.

      Note:

      If possible, use an IRS-furnished security container. If necessary, use a taxpayer-furnished container, but modify the taxpayer-furnished container (such as with bars and locks) so that the IRS is assured that the taxpayer cannot access the container.

    2. During duty-hours, the tax information must be under the personal custody of the IRS employee if it is not properly secured in approved containers.

    3. If a lockable and suitable container cannot be provided, tax information will not be left at the taxpayer's site.

  6. For more information about how to protect taxpayer location when using GPS and location services, see the Global Positioning Systems (GPS) and Location Services section.

Mail

  1. When sending SBU data by mail within the U.S. and Territories (serviced by United States Postal Service [USPS]):

    1. Place SBU data in a single opaque envelope/container.

    2. Seal it to prevent inadvertent opening and to reveal evidence of possible tampering.

    3. Clearly identify the complete name and address of the sender and intended recipient or program office on the envelope/container.

      Note:

      SBU data may be opened and examined by mail room personnel in the same manner in which other incoming mail is evaluated and determined to be safe for internal delivery. SBU data must be mailed by USPS First Class Mail. Use of express mail services or commercial overnight delivery service is authorized, as warranted.

  2. When sending SBU data to offices overseas:

    1. If serviced by a military postal facility (i.e., APO/FPO), mail SBU data directly to the recipient.

    2. Where the overseas office is not serviced by a military postal facility, send the information through the Department of State’s (DOS’s) unclassified diplomatic pouch. Coordinate in advance with DOS officials to ensure delivery at the final destination meets Treasury/IRS needs and DOS schedule for such deliveries.

Shipping

  1. IRS personnel must follow proper data protection procedures when shipping PII.

  2. Letters and packages containing PII that weigh less than 13 ounces may be mailed via United States Postal Service (USPS). These packages do not require double packaging and double labeling.

  3. Packages containing PII that weigh 13 ounces or more must be shipped through a private delivery carrier.

  4. If the package contains PII and is being shipped through a private delivery carrier, the sender must follow the procedures included below for properly double packaging, double labeling, and tracking the shipment, including the use of Form 3210, Document Transmittal.

    Exception:

    Mail to Post Office Boxes must continue to be sent via USPS.

  5. When shipping PII through private delivery carrier, the use of UPS CampusShip is mandatory at all locations except Campus locations and offices serviced by a FMSS contract mailroom. UPS CampusShip is an Internet-based shipping system that can be accessed from any location that has Internet access. UPS CampusShip has been rolled out across the country to IRS field offices that are not serviced by a FMSS contract mail room. Training material can be found in the following UPS CampusShip documents:

    • Document 12888, UPS CampusShip: Electronic Shipping Methods.

    • Document 12889, UPS CampusShip: Advanced Features.

  6. CampusShip allows employees to:

    1. Generate labels electronically.

    2. Secure current IRS address information from corporate address repository to improve accuracy of delivery. CampusShip features a Corporate Address Book which contains addresses for over 700 IRS locations; this improves accuracy of delivery since addresses are current.

    3. Track packages via the Internet to easily verify their shipments arrived at the intended destination and to quickly identify a missing shipment, reducing the likelihood that PII could be lost or exposed to an unauthorized individual.

  7. Packages containing PII must be double-packaged and double-labeled prior to shipping. Double-packaging helps ensure the contents are protected if the outer package is damaged or destroyed during the shipping process. Duplicate shipping labels allow the contents to be properly delivered without potential disclosure if the external package is damaged or destroyed.

    Caution:

    Shrink wrapping the external packaging or wrapping the external packaging in paper does not satisfy double packaging requirements.

  8. Employees shall evaluate the size of the PII shipment to be sent and identify appropriate packing materials. The appropriate type of internal and external packaging depends upon the size and weight of the package to be shipped. Use the smallest size packaging possible to reduce shipping costs and ensure minimal shifting of contents during shipment.

  9. The sender must also determine whether to ship via ground service or express (Overnight and Second Day Air) services:

    • Ground service should be used for shipping whenever possible. Ground service should always be the first choice; use express services only when absolutely necessary. There is no requirement that PII must be mailed via express services. For distances up to 500 miles, the regular ground service offered by the small package or motor freight carriers (depending on weight of shipment) can deliver your shipment within one or two days. For ground shipments, the business operating divisions provide the packaging material.

    • Express Services are generally the fastest mode of transportation available, but are also much more expensive. This mode should only be used when transit time requirements are very short and the urgency of the shipment outweighs the additional costs involved; for example, remittances, statute cases, tax court cases, etc. Small package carrier provided packaging (carrier branded envelopes and boxes) can only be used for express services and are provided at no cost.

  10. The sender must prepare Form 3210, Document Transmittal, identifying the package contents for all packages containing PII. For easier tracking, the sender may include the small package carrier tracking number in the "Remarks" area of Form 3210 on Part 4 (sender’s copy).

    1. If the sender is using the small package carrier's web-based system to electronically generate shipping labels, the tracking number is immediately available on the pre-printed shipping label.

    2. If the sender is using a contract mailroom, the sender should complete the sender's email address section of Form 9814, Request for Mail/Shipping Service:
      The mailroom must enter this email address when preparing the shipping label, and the small package carrier must send an email to the sender providing the tracking number. The sender can then place the tracking number on Part 4 of Form 3210 for proper record keeping.

    Caution:

    According to current instructions, SSNs appearing on Form 3210 should be redacted to show only the last four digits. Do not include the full SSN on Form 3210.

  11. Securely package the PII by placing the contents and the properly completed Form 3210 in an appropriately sized internal package. The sender retains Part 4, Sender's copy, of Form 3210 and includes Part 1, Recipient’s copy, and Part 3, Acknowledgement copy, with the shipment. When possible, when sending the package to a specific individual, the sender may choose to notify the recipient via email, phone, or other method prior to shipment that the package containing PII is being sent. The sender may also choose to send an electronic PDF version of Form 3210 via secure email to the intended recipient so the recipient is aware of the expected shipment.

  12. Internal packaging may include any of the following:

    • An envelope: an E-20, Confidential Information envelope, is acceptable for this purpose.

    • A plastic bag: should be sturdy enough to support the weight of the contents without tearing; should be black, green, or a similar color so the contents are not readable through the plastic bag.

      Note:

      This is recommended as the easiest and most cost effective method for double packaging large case file shipments.

    • A small box: an undamaged smaller box that fits within the external shipping box.

  13. Label the internal package with the following information:

    1. Send To Address, including Mail Stop and/or Drop Point Number, if applicable.

    2. Return Address, including Mail Stop and/or Drop Point Number, if applicable.

    3. Sender's phone number.

    4. Small Carrier tracking number, if available.

  14. The sender may use a copy of the exterior small package carrier shipping label for the internal label.

    1. If using a small package carrier web-based shipping system to label packages, print two copies of the generated label and attach one to the internal package.

    2. If using a hardcopy small package carrier shipping document to label packages, photocopy the original form and attach it to the internal package.

    3. If using Form 9814, prepare an internal label with the required information. A copy of Form 9814 can also be included with the internal label.

  15. Place the properly labeled, packaged, and sealed internal package into the external package. External packaging materials may include:

    1. Envelope: For shipping smaller case files and documents via ground service, use an IRS issued non-confidential envelope (E-44; minimum size 9 ½” X 12”). Use an envelope or padded pack provided by the Small Package Carrier only when time constraints require shipping via express services.

    2. Box: Use an undamaged box specifically designed for shipping. Choose a box strength that is suitable for the size and weight of the contents you are shipping. For shipping smaller packages up to 10 pounds, use a small box ordered from an office supply vendor for ground shipments. Use boxes provided free of charge by the small package carrier only when time constraints require shipping via express services. For shipments over 10 pounds, the external box should be a suitable flap top, corrugated cardboard box rated with a bursting strength to support the contents. Never exceed the maximum gross weight for the box, which is usually printed on the box maker's certificate on the bottom flap of the box.

      Note:

      A standard Shipping Record Box (size 14.75” X 12” X 9.5”) that is used to retire files meets this requirement. If possible, use the Shipping Record Box Sleeve as the external packaging. File boxes used for Federal Record Center storage, combined with a sleeve box, will have a bursting strength exceeding 125 pounds per square inch and will be more than adequate for most ground shipments.

      Caution:

      Used copy paper boxes and other boxes with lids do not meet this requirement; boxes with lids can get caught on conveyer belts and damage or destroy the shipment.

  16. Whenever possible, use a new box; however, undamaged packaging materials may be re-used to ship PII. Only reuse a box if it is rigid and in good condition with no punctures, tears, rips, or corner damage, and all flaps are intact. Remove any existing labels and all other shipment markings if a box is being reused.

  17. If appropriately sized packaging is not available, use cushioning material inside the package so the contents do not move or shift when the package is shaken. Cushioning material should consist of materials that are readily available, and they can be re-used. It is not necessary to purchase prefabricated materials specifically designed to cushion packages for this purpose. Examples of cushioning material include non-confidential paper, shredded administrative paper, obsolete forms, newspaper, and/or commercially purchased Styrofoam peanuts, air bags, etc. Place the cushioning material around the items in the box. Close and shake the box to see whether you have enough cushioning material; add more cushioning material if you hear or feel the contents shifting.

  18. External packaging material shall not be marked or labeled with information indicating that package contents include sensitive information. Packages can still be marked as "time sensitive" or "process immediately" as applicable to ensure documents are processed timely. Labels that indicate sensitive contents include, but are not limited to:

    • "Remittance" labels indicating package contents contain remittances.

    • Labels indicating package contents contain case files or re-files; an acceptable alternative method would be to indicate "Sort and Sequence".

      Note:

      Do not remove references to IRS from an envelope since it is necessary to include IRS on Return Address and Send To Address labels to ensure that the package is delivered to the intended location if any of the address information is incorrect.

  19. Seal the package with strong clear shipping tape that is two inches or more in width. Do not use string, paper over-wrap, shrink wrap, and/or plastic straps.

  20. Place the shipping label on the top of the package and ensure it is properly adhered and will not separate from the box. Do not place the label over a seam or closure or on top of sealing tape since this could cause it to be damaged or removed from the package.

  21. The sender shall be responsible for monitoring the delivery of the shipment. Employees should follow their organization’s established time frames for Form 3210 acknowledgement follow-up. Where there is no established time frame in an individual organization, the follow-up action should take place in three business days for overnight shipments and ten business days for ground shipments.

  22. Once the shipment is received, the recipient will verify the contents were received and sign the acknowledgment copy of the Form 3210. The recipient will return the Form 3210 acknowledgement to the sender using secure email (electronic or scanned copy), fax, or mail. If the SSN was not redacted as required on the Form 3210, redact all but the last four digits of the SSN prior to returning it to the sender. After receiving the acknowledgement copy, the sender will associate it with the original Form 3210.

    Note:

    No further action is required if the Form 3210 acknowledgment is received.

  23. If the Form 3210 acknowledgement isn't received within the established time frame, the sender should access the small package carrier's website to track the shipment to determine if it was delivered successfully. The tracking number should have been included on Form 3210 when the shipping labels were prepared or after the number was received from the carrier if Form 9814 was used.

  24. If the tracking information indicates the package was delivered, the sender must call the intended recipient to confirm actual receipt of the package.

    1. If the recipient did receive the package, ask the recipient to complete and return the Form 3210 Acknowledgement.

    2. If the recipient didn’t receive the package, the package is considered lost within the IRS facility and the sender must follow the procedures for reporting a loss of hardcopy documents. The intended recipient should also initiate a search in their IRS facility when the carrier shows an individual signed for the package.

  25. If the tracking information indicates the package was not successfully delivered, the sender should closely monitor the tracking information for up to 48 hours (2 business days) after the anticipated delivery date for air services and up to 72 hours (3 business days) after the anticipated delivery date for ground services. If the package is not delivered within these time frames, the package is considered lost and the sender should follow the procedures for reporting a loss of hardcopy documents.

  26. Immediately upon discovering that a package is lost, report the loss according to IRM 10.5.4. Refer to the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets website in the PGLD Virtual Library.

  27. Managers shall perform, at a minimum, quarterly audits of the Form 3210 Acknowledgement process for packages containing PII to ensure appropriate follow-up is occurring. This procedure will allow IRS managers the opportunity to validate that PII senders are following up on Form 3210 Acknowledgments within defined time frames so that lost shipments are identified quickly. This reduces the likelihood that the PII could be exposed to an unauthorized user. Local management must determine the proper follow-up time frame as part of the manager’s operational review. Form 3210 must be maintained in accordance with the existing record retention schedule for each Business Unit.

  28. For more information, refer to the PII Hardcopy Shipping webpage in the PGLD Virtual Library.

Faxing
  1. Protect faxed SBU data (including PII and tax information) as with any other transmission of SBU data.

  2. Use secure encrypted email internally, if possible, as an alternate way to send SBU data, instead of using a stand-alone fax machine. Scan, encrypt, and internally email documents containing SBU data. Do not email taxpayers or their representatives. See the Email section of this IRM for more information.

  3. If the information must be faxed, do not send SBU data to a fax machine without contacting the recipient to arrange for its receipt.

  4. When transmitting SBU data via fax, use Enterprise Electronic Fax (EEFax) as the preferred method of faxing documents. Refer to IRS Electronic Fax System section of IRM 21.2.3, Systems and Research Programs, Transcripts, or the EEFax website on the IRS intranet.

  5. For more information on securely faxing documents, refer to the Facsimile Transmission of Tax Information section of IRM 11.3.1 and the Facsimile and Facsimile Devices section of IRM 10.8.1.

Phone
  1. When communicating SBU data (including PII and tax information) via phone, IRS personnel must:

    1. Confirm speaking to an authorized person before discussing the information.

    2. Inform the person that the forthcoming discussion will include sensitive information.

    3. Refer to the section Methods for Communication of Confidential Information in IRM 11.3.2, Disclosure to Persons of Material Interest.

Text Messaging (Texting)
  1. IRS personnel must not use text messaging (texting) for official business.

  2. Refer to the Preserving Electronic Messages section of IRM 1.15.6, Managing Electronic Records.

  3. Refer to the Telecommunication Devices section of IRM 10.8.1.

Electronic
  1. Electronic transmission addresses uploading or downloading, secure file transfer, file sharing, peer-to-peer (P2P), firewall rules, collaborative technology and systems, and blacklisted sites.

  2. For more information about securing electronic transmissions, refer to IRM 10.8.1 and the CSIRC Firewall Rule Set Configuration Management section in IRM 10.8.54, Information Technology (IT) Security, Minimum Firewall Administration Requirements.

  3. For more information about secure emailing, see the Email section in this IRM.

Information Privacy During Office Moves
  1. When moving an office or material, make plans to protect and account for all SBU data (including PII and tax information), as well as government property. Consider the relevant factors of the move (such as the distance involved and the method to be used in making the move).

    1. Keep SBU data in locked cabinets or sealed packing cartons while in transit.

    2. Maintain accountability to ensure that cabinets or cartons do not become misplaced or lost during the move.

  2. Take precautions commensurate with the type and value of property and data involved.

Email

  1. IRS personnel must use IRS email accounts to conduct IRS official business. (TD P 85-01)

  2. The Protecting Americans from Tax Hikes (PATH) Act of 2015, §402, Division Q of the Consolidated Appropriations Act of 2016 reads:

    No officer or employee of the Internal Revenue Service may use a personal email account to conduct any official business of the government.

    Note:

    This policy applies to IRS officers, employees, and contractors alike, as noted in the Audience (Overview) section of this IRM. Law enforcement employees must refer to their divisional or law enforcement manuals for special rules.

  3. Manage emails used for business communications as IRS records.

  4. IRS personnel hold a legal responsibility to protect all IRS SBU data (including PII and tax information) entrusted to us by taxpayers, fellow personnel, and other individuals.

  5. For more information about emailing outside the IRS, see the following subsections in this IRM for policy about taxpayers and representatives, other external stakeholders, IRS accounts, and personal email.

    Note:

    Different policies apply for emails to taxpayers and representatives, other stakeholders, those with IRS accounts, and personal email. For more information and requirements about emailing outside the IRS, see the Emails to Taxpayers and Representatives, Emails to Other External Stakeholders, Emails to IRS Accounts, and Emails with Personal Accounts sections in the Email section of this IRM.

  6. When authorized to email SBU data, encrypt SBU data in emails using IRS IT-approved encryption technology. Do not include SBU data in email subject line.

    Caution:

    Encryption methods do not encrypt the subject line or the header (email address information).

    Note:

    See the Emails to Taxpayers and Representatives section of this IRM for subject line and header requirements.

  7. IRS IT-approved encryption technology includes:

    1. Internal email (within the IRS network): Microsoft Outlook’s Secure Enterprise Messaging System (SEMS), which is secure email certificate encryption.

    2. External email (outside the IRS network): Password-protected encrypted attachments or previously authorized secure email certificate encryption, for example, see the LBI Secure Email program website.
      Refer to IRM 10.8.52, Information Technology (IT) Security, IRS Public Key Infrastructure (PKI) X.509 Certificate Policy, for more information about secure email certificate encryption.

    3. Attachments: SecureZip password-protected encrypted attachments, or Symantec Endpoint Encryption Removable Storage (SEERS, formerly known as Guardian Edge Removable Storage, GERS) encrypted attachments.

      Note:

      Methods such as SecureZip and SEERS only encrypt the attachment, not the body of the email or the address or subject information. These methods do not encrypt the channel or authenticate the recipient, which is why this method is not allowed for emails with taxpayers and their representatives. For those requirements, see the Emails to Taxpayers and Representatives section in this IRM.

  8. Refer to these IRMs for additional policy:

    • IRM 1.10.3, Standards for Using Email.

    • IRM 1.15.6, Managing Electronic Records.

    • IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, (in the Electronic Mail Security section).

    • IRM 10.8.27, Personal Use of Government Furnished Information Technology Equipment and Resources.

    • IRM 11.3.1, Disclosure of Official Information, Introduction to Disclosure (in the Electronic Mail and Secure Messaging section).

Emails to Taxpayers and Representatives
  1. Do not send emails containing SBU data (including PII and tax information) to taxpayers or their authorized representatives, even if requested, because of the risk of improper disclosure or exposure.

  2. When taxpayers request email contact and accept the risk of such, limited allowable situations include:

    1. Message sent under a previously authorized privacy- and IT-approved secure email program (rare). For example, see the LBI Secure Email program website.

    2. Brief, unencrypted message confirming the date, time, or location of an upcoming appointment, but not the nature of the appointment. Include no SBU data (including PII and tax information) in the email, subject line, or attachment. Permit no follow-up email discussion of any taxpayer account or case.

    3. Link to the publicly available forms and publications sections of IRS.gov. Avoid sending information about specific tax matters (revenue rulings, court cases, and specific IRS forms), which might unintentionally disclose the nature of a tax matter to an unauthorized third party.

  3. When responding to unsolicited emails from taxpayers or tax professionals, respond by letter or phone; if an address or phone number is not available, respond by email. IRS personnel must:

    1. Delete any SBU data (including PII and tax information) appearing in the original email. Some examples of phrases to watch for are "my situation" or "my information."

    2. Discourage the taxpayer from continuing the discussion by email. Sample response:

      To ensure your privacy, we discourage you from sending your personal information to us by email. Further, IRS doesn’t allow its personnel to exchange unencrypted personally identifiable or other sensitive information with email accounts outside of the IRS network, even with your permission. For further discussion about the matters included in your original email, please contact us by telephone, fax, or mail.

Emails to Other External Stakeholders
  1. Do not email SBU data (including PII and tax information) to other external stakeholders unless specifically authorized. Refer to IRM 11.3.1, Disclosure of Official Information, Introduction to Disclosure.

  2. Send SBU data (including PII and tax information) through password-protected encrypted attachments or through a previously authorized privacy- and IT-approved secure email program. For example, see the LBI Secure Email program website.

  3. Email SBU data (including PII and tax information) outside the Service in encrypted, password-protected attachments or secure email only when:

    1. Individual authorized to receive it under law or regulation, such as IRC § 6103. Authority may be established by a formal request for information processed using established written procedures, or a memorandum of understanding or executed agreement which also establishes email as the secure method of transmission for the data.

    2. Recipient need for the information related to official duties.

    3. Recipient authenticated.

    4. Recipient accepted information and any obligation to protect.

    5. Access controls limited to those with need to know.

    6. The applicable System of Records Notice (SORN) includes the use as a published routine use. Refer to the SORN page in the PGLD Virtual Library website.

    7. Adherence to policy in the IRM 11.3 series, Disclosure of Official Information.

  4. See the section Emails to Taxpayers and Representatives in this IRM when receiving emails from external parties that contain SBU data (including PII and tax information).

  5. Interact with applicants or prospective contractors by email only to answer questions about their information, qualifications, or administrative matters; minimize the exposure of their personal information (such as PII).

  6. For those who must provide IRS with their SBU data (such as PII) to facilitate a business arrangement, ask them to fax, mail, or upload their SBU data to a secure system, such as USAJobs.

Emails to IRS Accounts
  1. IRS personnel must use IRS email for email communications with other IRS personnel about official business matters. They must encrypt all internal email messages that contain SBU data (including PII and tax information) with IT-approved encryption, which includes secure messaging or password-protected encrypted attachments.

  2. For contractors, when provided with an IRS workstation as part of a contract, they must use their IRS workstation and account for all official communication (e.g., email, instant messaging). Refer to the Contractor section of IRM 10.8.2, IT Security Roles and Responsibilities.

Emails with Personal Accounts
  1. No officer, employee, or contractor of the IRS may use a personal email account to conduct any official business of the government. Three limited allowable circumstances include:

    1. Personal Information – IRS personnel may send their own SBU data (including their PII and their tax information) to or from their personal email accounts, as long as it is in a password-protected encrypted attachment. Examples may include, but are not limited to:
      - Personnel forms or records.
      - Financial records being used to prepare an OGE Form 450 or OGE Form 278 or other form for financial reporting related to the job.
      - Records needed for a personal transaction.
      - Job application, resume, self-assessment or appraisal.
      - Health records or fitness for duty information.
      - Travel itinerary (by adding personal email address for ConcurGov notifications related to their own travel, not approvals for others).

      Exception:

      The encryption policy does not apply to a person’s own PII that the IRS proactively makes available to all employees on resource sites (including, but not limited to, Discovery Directory, Outlook (calendar, profile information [including profile photos], and address book), intranet, and SharePoint site collections [including profile photos]), such as names and business contact information.

    2. Training or publicly available information – IRS personnel may transmit content, including links, to and from themselves when IT Security constraints prevent access. Examples of this include online training or meetings, such as webinars and seminars, as well as publicly available information (including public profile photos or business photos intended for publication with permission of pictured individuals).

    3. Exigent circumstances, such as in emergencies. This includes when the IRS network is down and there is an urgent need to communicate or in disaster recovery situations. Refer to IRM 10.8.60 and IRM 10.8.62. Limit SBU data to that necessary for the situation. Examples may include, but are not limited to:
      - Reporting for work.
      - The condition or availability of the workplace.
      - An emergency situation.
      - The well-being of IRS personnel.

      Note:

      In all instances, personnel must copy an IRS email account at the same time to ensure they retain a record of the communication in the IRS email system for transparency and information management purposes.

    For further guidance, refer to:

    • Frequently asked questions (FAQs) on email scenarios (right side of the PGLD webpage).

    • The Email section of the Disclosure and Privacy Knowledge Base in the PGLD Virtual Library.

Limited Exceptions to Email SBU Data Encryption
  1. The general rule for encrypting SBU data (including PII and tax information) in emails reflects the IRS’s priority to protect sensitive information from unauthorized disclosure causing a risk of loss or harm to individual privacy or to IRS data.

  2. Having evaluated business needs in relation to potential risk, the following limited exceptions regarding external emails are appropriate:

    1. Subject line of case-related emails to the Department of Justice
      1. When IRS personnel communicate with the Department of Justice regarding established cases, personnel may include the case name and filing number in the subject line of those emails. If the full name is not part of the case name, then do not use the full name.
      2. This information fits within the judicially created public records exception to IRC § 6103, recognized in most jurisdictions. Refer to IRM 11.3.11.13, Information Which Has Become Public Record, for more information on the public records exception.
      3. However, if the body of an email or any attachment contains additional SBU data, IRS personnel must encrypt both the email and attachment using IT-approved technology (such as certificate encryption).

    2. Emails generated to taxpayers by approved online applications
      1. The IRS online applications may issue emails to taxpayers, without encryption, when the messages contain only incidental information (such as name and email address) and are for e-authentication purposes, or to inform a user that a secure message is available for viewing on the IRS website.
      2. This exception is limited to the following circumstances:
        a. The email is automatically generated by an approved IRS application developed by or in conjunction with the Office of Online Services, and
        b. The taxpayer consented to these notices by completing the application’s enrollment process. During this enrollment process, the taxpayer must have received clear notice of the Service’s intent to send such notices via email.

    3. IRS employees sending their personal SBU data via encrypted email attachment
      1. IRS employees may choose to send their personal SBU data outside the IRS via an attachment encrypted with SecureZip or SEERS (formerly GERS). Use SecureZip to send one or more encrypted files, or use SEERS to send a single encrypted file.
      2. Employees must send this information only if the attachment(s) is encrypted and contains only their personal SBU data. Personal SBU data is information pertaining only to an individual employee.
      3. This exception does not include IRS usernames and passwords.
      4. Refer to the SecureZip and SEERS (formerly GERS) brochures in the Encryption webpage in the PGLD Virtual Library.
      5. Instructions for using SecureZip and SEERS to encrypt attachments also are available on the FindIT website.
      6. To open a SecureZip file on an external computer, the receiving computer must have SecureZip installed. SecureZip is a commercial product that can be purchased through the manufacturer’s website (free trials are available). Mobile users can obtain the free SecureZip Reader app for both iOS and Android platforms. To open a SEERS file on an external computer, it must run a Windows operating system.

    4. Emergency emails by Facilities Management and Security Services (FMSS)
      1. Where significant incidents (as defined in IRM 10.2.8, Incident Reporting) occur, and FMSS employees need to supply law enforcement entities with detailed information, but cannot do it expediently by phone, they may use unencrypted email to send the necessary details, including SBU data.
      2. FMSS employees must make every effort to minimize the amount of SBU data within those messages (for example, no SSNs).

Surveys by Email
  1. Special rules apply when transmitting customer satisfaction or other surveys by email. Because no Servicewide IT-approved solution exists for encrypted email with taxpayers, this policy refers to unencrypted email throughout.

  2. For details on the Survey process, see the User's Guide to the Survey PIA, and the Servicewide Research Council Survey Subgroup website.

  3. The following IRS Privacy Principles apply to analysis of whether to allow a survey by email.

    1. Purpose Limitation [PVR-2]
      1. The IRS must have a business need to send a survey by email, instead of by other methods such as telephone or mail.
      2. Organizations should use other survey methods (such as telephone or mail) if feasible.

    2. Accountability [PVR-1]
      1. The requesting organization must submit a Survey PCLIA for approval.
      2. Refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program for details on the Survey PCLIA program.
      3. Refer to the Privacy Risk Assessment webpage from the PCLIA webpage in the PGLD Virtual Library.

    3. Openness and Consent, Notice and Verification [PVR-4, PVR-8]
      1. The IRS must give the recipient notice that the survey, or web link to the survey, will be sent by email.
      2. This notice includes who will send the email (if not the IRS), the email address from which it will come, and the expected survey time frame.

    4. Minimizing Collection, Use, Retention, and Disclosure; Openness and Consent [PVR-3, PVR-4]
      1. When the IRS collects the email address, it must inform the recipient it may use the email address for a survey. The IRS must use the email address only for the intended purposes.
      2. If the recipient provides the email address through online interaction with the IRS, the IRS Privacy Policy on IRS.gov serves as this notice. However, the IRS may provide specific notice as warranted.

    5. Openness and Consent; Data Quality [PVR-4, PVR-7]
      1. The recipient must consent to the email survey method.
      2. The recipient providing the email address, after notification the IRS will use it for a survey, gives implied consent.

    6. Security [PVR-6]
      1. Surveys by email must comply with email policy in this IRM and in IRM 10.8.1. Surveys by email that do not contain SBU data (including PII or tax information) do not need encrypting.
      2. Email addresses, by themselves as the method of the email conveyance, generally do not need encrypting. However, when combined with information in the email sent to an individual taxpayer, the email address may become SBU data.
      3. To prevent online fraud, the IRS should limit hyperlinks in emails and refrain from including an IRS brand in the emails.

    7. Strict Confidentiality [PVR-5]
      1. If surveys go to individual email addresses, they must not disclose the existence of a return or return information.
      2. For example, if the IRS were to survey individual taxpayers who had recently undergone compliance activities, and the survey sent to the taxpayers referred to the compliance activity, the IRS must not email that survey. Doing so would risk unauthorized disclosure of return information (compliance activities).

    8. Minimizing Collection, Use, Retention, and Disclosure; Strict Confidentiality; Security [PVR-3, PVR-5, PVR-6]
      1. Survey questions must not ask recipients for PII or tax information. The IRS must not request the recipient to email other SBU data, including answers to open-ended questions.
      2. If the survey is on a web application, it must be a secure channel to receive other SBU data.

    9. Openness and Consent; Access, Correction, and Redress [PVR-4, PVR-9]
      1. To prevent online fraud, if a vendor sends the survey on behalf of the IRS, the vendor must not try to appear as the IRS or suggest that the emails are coming from the IRS.
      2. The IRS should put information about the survey on IRS.gov, so participants who want to avoid online fraud can verify the IRS is conducting the survey by email.
      3. The IRS must ensure contact employees know about the survey and know questions to ask, so they can verify the survey is legitimate.

Disposition and Destruction

  1. Documents with SBU data (including PII and tax information) must be destroyed by properly shredding, burning, mulching, pulping, or pulverizing beyond recognition and reconstruction.

    1. For disposition and destruction requirements for the different types of media (hardcopy, electronic, etc.), including shredding specifications, refer to the MP-6 Media Sanitization section in IRM 10.8.1 and follow NIST SP 800-88, Guidelines for Media Sanitization. [TD P 15-71, Treasury Security Manual, Chapter III, Section 16, Destruction of Classified and Sensitive Information]

      Note:

      If the sources for the requirements conflict, use the most stringent requirements.

    2. While PGLD owns this policy, FMSS owns the Secure Document Destruction (SDD) program. Refer to the FMSS SDD program website.

  2. Waste material (hardcopy, electronic, etc.) with SBU data must be placed in locked receptacles specifically marked for sensitive information (shred material, burn, sensitive, etc.). This includes material shredded with non-compliant equipment that does not meet Treasury requirements cited in (1)(a) above. Sensitive waste material must not be discarded in regular trash bins. The guidelines provided below must be followed in order to ensure the proper destruction of sensitive waste material.

    Exception:

    Burn bags/shred boxes for Temporary Storage. [TD P 15-71, Treasury Security Manual, Chapter III, Section 16, Destruction of Classified and Sensitive Information]

    1. Managers and Contracting Officer Representatives (CORs) will periodically review work areas to ensure that sensitive waste material is being discarded in an appropriate manner.

    2. CORs will conduct periodic unannounced inspections at the off-site contractor facilities (including cloud service providers) where sensitive IRS information or data is handled. Results of these inspections will be documented, including identification of any privacy or security issues, and documented verification that the contractor has taken appropriate corrective actions on any privacy or security issues observed and/or identified.

  3. Exception to locked receptacles requirement: Burn bags/shred boxes for Temporary Storage:

    1. SBU data to be destroyed may be torn and placed in sealed opaque containers commonly known as burn bags/shred boxes (or classified waste containers) so that the sensitive information is not visible.

    2. Burn bags/shred boxes awaiting destruction must be protected while in the employee’s custody.

    3. Burn bags/shred boxes must only be collected and contents destroyed by cleared contractor personnel or facilities maintenance personnel, and/or persons authorized by IRS privacy or security officials.

    4. Burn bags/shred boxes may also be stored within a Sensitive Compartmented Information Facility (SCIF) or security-approved open storage area pending collection by authorized personnel.

    5. Burn bags/shred boxes that are located outside a SCIF or open-storage area must not be left unattended at any time.

    [TD P 15-71, Treasury Security Manual, Chapter III, Section 16, Destruction of Classified and Sensitive Information]

  4. The fact that material has been identified for destruction does not change the requirement to provide appropriate protective measures. Waste material with SBU data must be provided the protection equal to that required by the most protected item.

    1. This material may include, but is not limited to, extra copies, photo impressions, microfilm, printouts, computer tape printouts, IDRS printouts, notes, work papers, or any other material containing tax information which has served its purpose.

    2. Policy and procedures for sanitization and disposal of digital media (magnetic media, diskettes, hard disks, or other storage devices, etc.) containing sensitive information can be found in IRM 10.8.1.

  5. Ensure IRS records (hard copy and electronic), including those containing PII, are managed appropriately and in accordance with the Records Control Schedules (RCS) Document 12990 and General Records Schedules (GRS) Document 12829 to prevent unlawful/unauthorized destruction of records. Disposition and destruction of tax information must be in accordance with the IRM 1.15.2, Records and Information Management, Types of Records and Their Life Cycle, and IRM 1.15.3, Records and Information Management, Disposing of Records.

  6. Although IRS personnel might know the proper methods of destroying tax data, management must reinforce this knowledge by including document destruction as a topic in orientation sessions, periodic group meetings, and other awareness sessions.

  7. Unshredded sensitive information may be turned over to a contractor provided the contract includes necessary safeguards that will ensure compliance with IRC 6103(n) requirements, provides for periodic safeguard reviews, and includes language describing methods of collection, pick-up, storage, and disposition. The contract must also include provisions for Form 11671, Certificate of Records Disposal for Paper or Electronic Records.

  8. In the event tax information media is to be collected and destroyed by an independent contractor, to preclude the necessity of having an IRS employee present during destruction, the contract must include the safeguard provisions required by IRC 6103(n) and regulations therein.

    1. The provisions of the contract must allow for IRS inspection of the contractor facility and operations to ensure the safeguarding of IRS information.

    2. Waste material must be maintained in a secured (locked) container in a secured area to prevent sensitive information from unauthorized disclosure or access.

      Note:

      The only exception to this policy is for pipeline activities subject to a Clean Desk Policy waiver. See the Clean Desk Policy section of this IRM.

    3. The contractor must provide Form 11671, Certificate of Records Disposal for Paper or Electronic Records.

  9. There may be areas or activities where the volume of paper documents containing tax information is sufficient to make it more practical to destroy all documents in the area of activity.

Recycling
  1. Tax information or other sensitive information may not be placed in regular recycling containers, but must be placed in secured containers and must be clearly marked.

  2. The preferred approach is that sensitive information be segregated and shredded in accordance with guidelines contained in the Disposition and Destruction section of this IRM, prior to turning it over to the recycler.

  3. Another method is to have IRS personnel observe the destruction of sensitive information upon delivery to the recycler. This allows for destruction of sensitive information while maintaining custody of the material up to the moment of destruction. Again, the contractor must be in compliance with IRC 6103(n) requirements, which provide for safeguards and periodic safeguard reviews. However, this method is not recommended because of the resources that would be required.

Global Positioning Systems (GPS) and Location Services

  1. Policy regarding personally owned GPS device usage and location services (geolocation) on devices balances the business needs of field employees voluntarily using these devices and the privacy and security concerns related to the SBU data that might be contained in the devices. The purpose of the following is to minimize the risk of exposing SBU data and to prevent unauthorized disclosures. [IRC § 6103, Privacy Act]

Global Positioning Systems (GPS)
  1. This exception for the use of personally owned GPS devices is limited to GPS functions only. For example, this does not apply to the use of the non-GPS functions on personally owned mobile computing devices.

  2. Input only taxpayer address information into the GPS device, and delete this information from the device once it is no longer necessary. Never input individual or business taxpayer names into the device.

  3. Do not connect the GPS device to an IRS computer, as the device has the potential to introduce computer viruses and malware into the IRS network.

  4. If available, use a security personal identification number (PIN) code with the device to help protect the privacy of tax information in the event the device is lost or stolen.

  5. Take every precaution to prevent the GPS device from being left unattended or unsecured.

  6. Remove the GPS device from vehicle when not in use as circumstances permit. In those limited instances where a device is left in a locked vehicle, store it out of sight in the trunk or glove compartment.

  7. Never leave GPS device in vehicle overnight.

  8. Do not leave the GPS device and any mounts in an unattended vehicle in plain sight. After removing mount, clean the suction cup mount area because it can leave marks on the windshield/dashboard indicating that a GPS or other device may be present in the vehicle, increasing the risk of a break-in.

  9. Report the loss or theft of a GPS device with taxpayer addresses (whether a government-issued GPS or a personally-owned GPS), as a potential breach of PII:

    1. Immediately upon discovery of the loss or theft, the employee must report the potential breach to the employee’s manager and the appropriate organizations based on what was lost or disclosed.

    2. For more information about how to report an incident, see IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the IM website in the PGLD Virtual Library.

Location Services
  1. IRS personnel are strongly encouraged not to use their personal devices (phones, tablets, fitness watches, etc.) to identify taxpayer or work addresses with location services, geotagging, or GPS features or any social media accounts (Facebook Check In, Find My Friends, etc.). Geotagging pinpoints location, which might inadvertently reveal a taxpayer’s home or business, or disclose activities and location at an IRS office. Personnel should use a government-furnished device (if issued) when locating and receiving directions to taxpayer addresses.

  2. When using services that need location, try to avoid using an exact taxpayer address if it might pinpoint the IRS has an interest in the taxpayer.

Telework

  1. Special privacy considerations arise in the telework environment. Like all personnel, teleworking personnel have a responsibility to safeguard SBU data (including PII and tax information). Unique potential risks, such as family members accidentally taking case files left out on a desk, or overhearing phone calls with tax information, create the need for additional guidelines.

  2. For more information on Telework requirements, refer to IRM 6.800.2, Employee Benefits, IRS Telework Program.

  3. Personnel should be aware of their environment as they conduct business at an approved telework location.

  4. When establishing a home office, personnel should evaluate the nature of their work and the level of sensitivity around the information they handle on a day-to-day basis, per the Equipment and Furniture section of IRM 6.800.2.

  5. No unsecured wireless access point (wi-fi hotspot) can be used as a regular telework location. For more information about secured wireless access points (wi-fi hotspots), refer to the Access Control section in IRM 10.8.1.

  6. Teleworking personnel should adhere to the following guidelines. For bargaining unit employees, should any of the guidelines conflict with a provision of a negotiated agreement, the agreement will prevail. Individual office practices may supplement this information.

  7. Teleworking personnel should consider:

    1. If possible, set home office designated workspace apart from the rest of the house, ideally with a door that can be secured.

    2. Avoid frequent interruptions or working within listening distance of others, per the Relatives of IRS employees and Protecting Confidentiality section of IRM 11.3.1.

    3. Apply the Clean Desk requirements to data left out in work areas, credenzas, desktops, fax, copy machines, and in/out baskets. When away from the desk, secure SBU data in a locked room, locked file cabinet, or a locked desk, per the Clean Desk Policy section of this IRM.

    4. Whenever possible, conduct phone conversations in private settings or in locations that minimize the potential for eavesdropping. Contain telephone calls that include audible SBU data within a closed office environment or out of the listening range of others, per the Use of Cell Phones and Cordless Devices section of IRM 11.3.2.

    5. To properly transmit SBU data, follow the Transmission section of this IRM. This includes securely transporting SBU data to the office for shredding.

    6. To properly dispose of SBU data, see the Disposition and Destruction section of this IRM.

  8. Digital assistants, smart devices, Internet of Things (IoT), and other devices that can record or transmit sensitive audio or visual information must not be allowed to compromise privacy in the work or telework environment. These devices typically contain sensors, microphones, cameras, data storage components, speech recognition, GPS or location options, and other multimedia capabilities. These features could put the privacy of personnel and/or taxpayers at risk due to the personal information that might be unwittingly disclosed. When working on any form of SBU data (including PII and tax information), follow these rules:

    1. Treat the device as if it were another person in the room because many such devices and applications can record and/or transmit data when activated. To protect privacy, the personnel must mute or disable the listening/detecting features of the device so that SBU data is not sent to the device or anything to which it is connected.

    2. If the device or application can take photos or record video or sound, then the personnel must not do sensitive work within visual or audio range.

    These devices/applications include (but are not limited to the examples provided):

    • Digital assistants (such as Dot or Echo hardware using Alexa software, HomePod using Siri, etc.).

    • Voice-activated devices and smartphone applications (such as Siri, Google Now (“Okay Google”), or Alexa on phones, tablets, etc.).

    • Non-IRS-approved video-chatting apps (FaceTime, SnapChat, etc.).

    • Internet of Things (IoT) equipment (devices, systems, etc.).

    • Internet-connected toys (Cloud Pet, Smart Toy, Hello Barbie, etc.) that might record and transmit.

    • Security systems and webcams in the telework environment.

    • Smart TVs or auxiliary equipment (if includes voice activation).

    • Operating systems/applications (such as Windows 10, Cortana, etc.) that allow voice commands.

    • Home surveillance, security, and video/audio: Webcams on personal devices in the home, security cameras/microphones.

    For more information about privacy risks of Internet-connected toys, refer to the FBI’s Public Service Announcement, “Consumer Notice: Internet-Connected Toys Could Present Privacy and Contact Concerns for Children:”
    https://www.ic3.gov/media/2017/170717.aspx

Bring Your Own Device (BYOD)

  1. Bring your own device (BYOD) is a concept that allows personnel to utilize their personally‐owned technology devices to stay connected to, access data from, or complete tasks for their organizations. At a minimum, BYOD programs allow users to access employer‐provided services and/or data on their personal tablets/e-readers, smartphones, and other devices.

  2. To protect the privacy of the tax information, BYOD participants must:

    1. Use only IRS-approved applications.

    2. Refrain from using devices in public settings where conversations involving tax information might be overheard or where screens with tax information might be seen. Refer to the Use of Cell Phones and Cordless Devices section in IRM 11.3.2, Disclosure to Persons of Material Interest.

    3. Follow the terms in the Personally-Owned Mobile Device Acceptable Use Agreement, including, but not limited to:
      1. Report lost or stolen devices timely and accurately.
      2. Follow procedures for removal of the IRS-approved mobile device business software if changing which device will be used or leaving the program.
      3. Adhere to all applicable laws, regulations, rules, policies, and procedures, including Federal Records Act, Office of Government Ethics Standards of Ethical Conduct, and the Department of the Treasury Employee Rules of Conduct.

    Note:

    This program protects the privacy of the taxpayer. All BYOD users must acknowledge having no expectation of privacy regarding any use of the IRS-approved mobile device business software on their mobile devices.

  3. For the privacy of the BYOD employee, the employee may block the outgoing phone number of the personal device per IT4U BYOD guidance on their website.

    Note:

    The Fair Debt Collection Practices Act (FDCPA) does not apply. The IRS is not a creditor or debt collector under the FDCPA. Section 803 (6) of the FDCPA defines the term "debt collector," and specifically excludes in (C) "any officer or employee of the United States or any State to the extent that collecting or attempting to collect any debt is in the performance of his official duties."

  4. Refer to IRM 10.8.26, Government Furnished and Personally Owned Mobile Computing Device Security Policy, and IRM 10.8.27, IRS Policy on Limited Personal Use of Government IT Resources.

  5. For more information about BYOD, see also the IT4U BYOD website.

Civil Liberties

  1. Privacy and civil liberties often overlap.

  2. Civil liberties are the rights of people to do or say things that are not illegal without being stopped or interrupted by the government (due process). For example, the U.S. Constitution’s Bill of Rights guarantees civil liberties:
    https://www.archives.gov/founding-docs/bill-of-rights

  3. The Privacy Act provides for privacy and civil liberties protections, outlined in the First Amendment section of this IRM and detailed in the Recordkeeping Restrictions section of IRM 10.5.6, Privacy Act.

  4. Through the Taxpayer Bill of Rights, the IRS makes taxpayer privacy (with due process) and confidentiality essential rights that help protect their civil liberties:
    https://www.irs.gov/taxpayer-bill-of-rights

  5. The Privacy Act also allows for due process rights, as it forms the basis for the IRS Privacy Principles on the internal PGLD Virtual Library website.

  6. Many existing privacy policy and compliance requirements, including the IRS Privacy Principles, also protect civil liberties. For example, the principle of Data Quality ensures fair treatment [PVR-07]. The principle of Access, Correction, and Redress ensures due process [PVR-09], as do the principles of Openness and Consent [PVR-04], and Verification and Notification [PVR-08].

  7. The IRS further addresses civil liberties protections through the PCLIA. The PCLIA reinforces Privacy Act requirements regarding the collection of First Amendment activities information and monitoring of individuals (see the Monitoring of Individuals section of this IRM).

  8. Refer to IRM 10.5.2 for more information on the PCLIA process.

  9. For more information, refer to the Recordkeeping Restrictions section of IRM 10.5.6, Privacy Act.

  10. For more information, refer to Treasury’s Privacy and Civil Liberties Impact Assessment (PCLIA) Template and Guidance.

First Amendment
  1. The Privacy Act prohibits federal agencies from maintaining records on how any individual exercises their First Amendment rights unless certain exceptions apply.

  2. These First Amendment rights include religious and political beliefs, freedom of speech and of the press, and freedom of assembly and petition.

  3. Congress intended agencies to apply the broadest reasonable interpretation when determining whether a particular activity is a right guaranteed by the First Amendment.

  4. IRS personnel must not keep files of persons who are merely exercising their constitutional rights.

  5. IRS personnel involved in the design, development, operation, or maintenance of any system of records subject to the Privacy Act must be aware of the prohibitions against maintaining records on the exercise of First Amendment rights and alert to any potential violation of that prohibition.

  6. Taxpayers must report income and provide information necessary to verify deductions on their tax returns. The IRS may collect such information although, in some instances, this data may reveal how individuals exercise their First Amendment rights, such as religious affiliation, group membership, or political preference. The IRS may collect this information because statutory exceptions apply. [Privacy Act; PVR-02]

  7. For more information, refer to the Recordkeeping Restrictions section of IRM 10.5.6, Privacy Act.

Recordings in the Workplace
  1. Widely available electronic recording and monitoring equipment (such as digital cameras and smartphones) raise privacy and security concerns. IRS personnel must not make recordings or conduct monitoring of any type (including, but not limited to, audio, video, photographic, or infrared) in IRS facilities without a business need and prior FMSS approval (except audio recordings, which require direct supervisor approval) or at alternative duty stations duties remote to the conventional office site (e.g., satellite locations, employee’s residence). Refer to the Photography Prohibited and the Alternative Duty Stations - Telework sections of IRM 10.2.11, Physical Security Program, Basic Security Concepts.

  2. Privacy concerns for recording in the workplace center around individual employee privacy and the potential disclosure of SBU data (including PII and tax information).

  3. The law for recording others in the workplace varies by state, but many states require consent of both the recording individual and the recorded individual. To protect individual employee privacy, IRS policy prohibits most recordings because of such variations.

  4. IRS personnel may use their smartphones (or other devices with recording capabilities) in the workplace. However, they must take reasonable precautions that no unauthorized recordings or disclosures occur. When working on any form of SBU data (including PII and tax information), such precautions include muting or disabling voice-activated devices and smartphone applications (such as FaceTime, Siri or Google Now (“Okay Google”) on phones, tablets, etc.). For more information about precautions, see the Telework section of this IRM about digital assistants, smart devices, IoT, and other devices that can record or transmit sensitive audio or visual information.

  5. Certain circumstances allow for limited recording in the IRS workplace. They include:

    1. Approval and Consent: When approval authority approves the business need, and all participants consent to the recording beforehand, an employee may make a recording in the IRS workplace.

    2. Service Quality Control: Employees may make recordings when performed to determine the quality of service delivery, such as with Contact Recording.

    3. Taxpayer Interviews: Taxpayers may request to audio record in-person interviews, with prior notice to the IRS, and the IRS may record those interviews, under IRC § 7521(a).
      Refer to IRM 4.10.3, Examination of Returns, Examination Techniques; IRM 5.1.12, Field Collecting Procedures, Cases Requiring Special Handling, and IRM 25.5.5, Summons, Summons for Taxpayer Records and Testimony.

    4. Investigation: This policy does not apply to criminal investigations or official investigations relating to the integrity of any officer or employee of the IRS. See IRC § 7521(d).

    5. Employee Education: When used for employee education, employees may make recordings using IRS-issued software applications or platforms, such as Adobe Articulate, Skype, or Saba Centra.

    6. Reasonable Accommodation: When performed by an individual with a disability as part of an approved reasonable accommodation, certain recordings may be allowed. Refer to IRM 1.20.2, Equal Employment Opportunity and Diversity, Providing Reasonable Accommodation for Individuals with Disabilities.

    7. Labor Relations: The policy is not intended to and should not be interpreted to interfere with employee rights to engage in concerted activity under the National Labor Relations Act. For more information, refer to IRM 6.432, Performance Base Reduction in Grade and Removal Actions; IRM 6.711, Labor-Management Relations; IRM 6.751, Discipline and Disciplinary Actions; IRM 6.752, Disciplinary Suspensions and Adverse Actions; and IRM 6.771, Agency Grievance System.

  6. If any personnel receives proper approval and consent to make a recording or take a photograph, that person must not record or photograph SBU data (including PII and tax information), ensuring those items are not in view or earshot of the device.

  7. If SBU data (including PII and tax information) appears in an electronic recording nonetheless, an employee must protect the recording as SBU data and must not disclose the information unless a statutory exemption applies under IRC § 6103 or the Privacy Act (depending on the nature of the data).

  8. For more information, refer to IRM 10.8.26; IRM 11.3.1, Introduction to Disclosure; and IRM 10.5.6.

Monitoring Individuals
  1. The IRS needs to conduct some monitoring of individuals to protect federal systems, information, and personnel. Examples of such monitoring include access logs to IRS facilities and audit trails that monitor IT usage. [Privacy Act]

  2. However, limitations still exist on use of any PII collected, with sharing on a need-to-know basis for its intended use only. [Privacy Act]

  3. Monitoring of the public outside IRS facilities must not occur without first consulting Privacy Policy [Treasury’s Privacy and Civil Liberties Impact Assessment Template and Guidance]. For assistance, email *Privacy.

    Note:

    This policy does not apply to criminal investigation activities. Refer to IRM 9.4.6, Surveillance and Non-Consensual Monitoring.

  4. For more information about the limitation of monitoring individuals, refer to the Privacy Act Recordkeeping Restrictions section of IRM 10.5.6, Privacy Act.

  5. The IRS PCLIA addresses these limitations. For more information about PCLIAs, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program.

Contractors

  1. The IRS has privacy obligations for contractors with access to SBU data (including PII and tax information). As outlined in the IRS Privacy Principle of Accountability and NIST Privacy Control AR-3, Privacy Requirements for Contractors and Service Providers, the IRS must:

    1. Establish privacy roles, responsibilities, oversight, and access requirements for contractors and service providers throughout the privacy lifecycle. [OMB A-130]

    2. Include privacy requirements for all relevant stages of the privacy lifecycle in contracts and other acquisition-related documents.

    3. Follow Privacy Act requirements regarding contractors, outlined in the Publication and Reporting section of IRM 10.5.6, Privacy Act.

  2. Employees responsible for procurement activities on contracts that involve SBU data (including PII and tax information) must therefore:

    1. Ensure all tax, privacy, and security clauses are included in contracts as required in IRM 11.3.24, Disclosures to Contractors.

    2. Ensure necessary clauses are included in all contracts and the appropriate safeguards are in place before disclosing any necessary SBU data (including PII and tax information) and/or Privacy Act information to a contractor.

    3. Ensure contractors (including non-IRS procured contractors) take required privacy, security, disclosure, and UNAX training and complete Non-Disclosure Agreements (NDAs) within the required time frames per CSM instructions. [OMB A-130]

    4. Ensure the contractor receives a copy of the approved PCLIA, if one is required. For more information on the PCLIA process, refer to IRM 10.5.2.

    5. Ensure each contractor employee receives a background investigation appropriate for the risk level designation associated with the contracted work (often Moderate for access to SBU data).

      Note:

      Any staff-like access (facilities, systems, or SBU data) requires completion of a favorable suitability/fitness determination (background investigation) conducted by IRS Personnel Security.

    6. Ensure contractors with access to SBU data comply with IRM 10.8.1, as well as the relevant 10.8 series IRMs or Pub 4812, Contractor Security Controls, which requires:
      1. All contracting actions with SBU data (including PII and tax information), with some exceptions, carry a Moderate impact security level.
      2. Contracts with staff-like access to FISMA systems carry a High impact security level.

      Note:

      These are security impact levels, not background investigation levels.

    [PVR-01; AR-3]

  3. Refer to IRM 10.23.2, Contractor Investigations, or the internal Procurement website.

Online Data

  1. Do not post SBU data (including PII and tax information) online, including internal or external websites, unless secured with access controls. [NIST SP 800-122, TD P 85-01]

    Note:

    However, this policy does not apply to SBU data the IRS proactively makes available to all IRS personnel on internal resource sites (including, but not limited to, Discovery Directory, Outlook (calendar, profile information, and address book), intranet, and SharePoint site collections), such as names, SEID, and business contact information.

  2. Persistent cookies or other tracking devices to monitor the public's visits may not be used on an IRS Internet site except as authorized by OMB regulations.

  3. Online data may require several types of notices:

    1. An IRS-approved IT system use notification message (see the AC-8 System-Use Notifications section of IRM 10.8.1).

    2. Link to IRS.gov Privacy Policy (see the IRS.gov Privacy Policy section).

    3. A website or application Privacy Policy notice (see the Website or Application Privacy Policy Notice section).

    4. Privacy Policy Departure Notice (see Privacy Policy Departure Notice section).

    5. Privacy Act Notice (if collecting data on a form).

      Note:

      Online privacy policy statements differ from Privacy Act notices required by the Privacy Act on forms that ask individuals to supply Privacy Act-protected information. For more information on the Privacy Act notification programs, see IRM 10.5.6, Privacy Act.

  4. For any Privacy Policy notice approval, contact *Privacy.

IRS.gov Privacy Policy Notice
  1. The IRS Internet privacy policy notices on IRS.gov inform the public of the information collection procedures and the privacy measures in place for a particular Internet website or activity. [e-Government Act, OMB A-130, OMB-03-22]

  2. The IRS privacy policy notices must be posted at every major entry point to an IRS Internet website or application, as well as on any page collecting substantial personal information from the public. The requirement includes, at a minimum, a link to the IRS.gov privacy policy. It also may include a unique privacy policy for that website.

  3. The IRS privacy policy notice is:

    1. An overview of IRS privacy practices.

    2. A description of any information collected and stored automatically by the system and how this information will be used.

    3. An explanation of how IRS will use any PII submitted by the Internet visitor.

    4. A notice that security and intrusion protection measures are in place.

    5. See the overarching IRS.gov Internet Privacy Policy notice:
      https://www.irs.gov/privacy-disclosure/irs-privacy-policy

Website or Application Privacy Policy Notice
  1. A unique privacy policy for a website or application can detail the differences from the IRS.gov privacy policy. This policy applies to any website or application hosted by or on behalf of the IRS. [e-Government Act, OMB A-130, OMB-03-22]

    Note:

    If the website or application is asking for SBU data (including PII or tax information), then the website or application needs to explain its use of the data.

  2. The website or application privacy policy must still link to the IRS.gov Privacy Policy.

  3. A simple example, with blanks to fill in the details pertinent to the website or application, is:

    _____ Privacy Policy
    This privacy policy describes the use of your personal information including _____.
    To prevent fraud and identity theft, the IRS does not send unsolicited emails or text messages to taxpayers or businesses containing any IRS related information or requesting your personal information such as name, address, social security number (SSN), taxpayer identification number (TIN), Employer Identification Number (EIN) and tax history.
    To participate in _____, you will be required to provide _____ in order for the IRS to _____. By agreeing to use the IRS _____, you give the IRS permission to _____. You will have the ability to opt-out of this at any time by _____.

  4. More complicated policy notices might be needed if the website or application is more complex.

Privacy Policy Departure Notice
  1. Any IRS Internet website (or link to a third-party site on behalf of IRS) that links to external sites must post a departure notice. This notice alerts Internet visitors that they are about to leave the IRS website and its privacy practices. It advises them to review the website privacy practices for the website they are about to enter. Refer to the IRS Internet Departure Notice webpage on the IRS intranet.

Intranet Privacy Policy
  1. IRS Intranet (for example, irssource) privacy policy notices inform personnel of the information collection procedures and the privacy measures in place at a particular intranet website or activity.

  2. The IRS privacy policy notice must be posted at every major entry point to an intranet website, as well as on any page collecting personal information from an individual.

  3. The IRS privacy policy notice is:

    1. An overview of IRS privacy practices.

    2. A description of any information collected and stored automatically by the system and how this information will be used.

    3. An explanation of how the IRS will use any PII submitted by the individual.

    4. A notice that security and intrusion protection measures are in place.

    5. The notice is available on the IRS intranet through the Privacy Policy link.

  4. Any IRS intranet website or page that links to external sites must post a departure notice. This notice alerts IRS personnel that they are about to leave the IRS website and its privacy practices. It advises them to review the privacy practices on the website that they are about to enter. Refer to the IRS Intranet departure notice webpage on the IRS intranet.

  5. Persistent cookies or other tracking devices to monitor an individual's visit to IRS intranet sites may not be used except as authorized by OMB regulations.

Social Media

  1. The IRS uses social media to share the latest information on tax changes, initiatives, products, and services. To expand reach to taxpayers and stakeholders, the IRS shares information on several social media platforms, including Twitter, Facebook, and LinkedIn.

  2. Because the use of social media allows potential direct interaction with the public, the IRS implemented specific rules to ensure only authorized employees speak in an official capacity. With the exception of approved IRS communicators handling official IRS media initiatives, IRS employees are not authorized to use social media in an official capacity. Refer to the Social Media Guidelines for IRS Employees website on the IRS intranet.

  3. For more information about Internet research guidelines, refer to the Use of Social Networking and Other Internet Sites by IRS Employees for Compliance Research or for Other Purposes section in IRM 11.3.21, Investigative Disclosure.

  4. Personal, non-work usage of these social media tools on personal devices must not compromise the confidentiality of SBU data (including PII or tax information) or the integrity of the IRS. With the exception of approved IRS communicators handling official IRS media initiatives, IRS personnel are not authorized to use social media in an official capacity and should adhere to the Communications and Liaisons guidelines. Refer to the Social Media website on the IRS intranet.

  5. To use any existing IRS social media tools in communications plans or outreach initiatives, business units must use the appropriate social media authorization form or contact the appropriate social media platform owner.

  6. If an IRS organization would like to consider use of a new social media platform, they must submit a New Media Use Authorization Form for approval by the IRS Social Media Governance Council, along with a Social Media PCLIA.

  7. For more information on Social Media PCLIAs, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program, or the Social Media website on the IRS intranet.

Data on Collaborative Technology and Systems

  1. This policy does not apply to PII the IRS proactively makes available to all personnel on resource sites (including, but not limited to, Discovery Directory, Outlook (calendar, profile information, and address book), intranet, and SharePoint site collections), such as names and business contact information.

  2. Some of the privacy risks associated with collaborative data sites include:

    1. Breaches and inadvertent disclosures.

    2. Unauthorized access of data without a need to know.

    3. Sharing data without proper permissions or authorizations.

  3. The data residing on collaborative data sites require privacy protections. These protections must include:

    1. Controlling access to the sites (both as a user and as an administrator).

    2. Controlling what data is shared on the sites.

    3. Ensuring privacy and security controls are in place.

  4. Refer to the SC-15 Collaborative Computing Devices section in IRM 10.8.1 for additional information.

Outlook Calendar
  1. IRS personnel may place information that is not SBU data (including PII and tax information) on all calendars without restriction.

  2. Personnel must not post SBU data (including PII and tax information) on public calendars with uncontrolled access.

  3. The following applies any time a business need requires some form of SBU data (including PII and tax information) on the Microsoft Outlook calendar:

    1. Personnel must assign permissions on the calendar to limit access to only those people with a need to know the information.

    2. Personnel must encrypt any attachments to the calendar that contain SBU data (including PII and tax information) other than noted in the following sections.

    Note:

    This encryption policy does not apply to SBU data (including PII and tax information) the IRS proactively makes available to all personnel on resource sites (including, but not limited to, Discovery Directory, Outlook (calendar, profile information, and address book), Intranet, and SharePoint site collections), such as names and business contact information.

  4. For Business Unit Calendar Meetings/Appointments Regarding Taxpayers:

    1. Personnel may place on the calendar only a portion of the taxpayer's name, the last two digits of the tax year, and any business unit-specific codes that are not sensitive PII (such as a case control number that is not an SSN and not easily linked to a taxpayer by an outside party).

    2. The abbreviated name should consist of the first four significant characters of the taxpayer entity's name (the name control):
      i. For individual taxpayers, these significant characters could include the first four letters of the individual taxpayer's last name (for example, John Smith would be "SMIT", or the IDRS name control could be used). If the taxpayer's name consists of only four characters or fewer, it is appropriate to use the entire name.
      ii. For corporations, partnerships, trusts or other such entities, the first four letters of the entity's name, excluding articles, could be the first four significant letters used (for example, "The Corporation Company" would be "CORP", or "Taxpayer Foundation" would be "TAXP").

  5. For Calendars for Offices with Regulatory, Investigative, and/or Advocacy Responsibilities (docketed case meetings):

    1. These requirements apply to calendars for Appeals, Chief Counsel (Counsel), Criminal Investigation (CI), Taxpayer Advocate Service (TAS), and other functions with regulatory, investigative, and/or advocacy responsibilities.

    2. When the subject matter of the meeting is a case docketed in the United States Tax Court or other judicial forum, calendar the meeting as the case name (for example, the name of the taxpayer with case number).

      Note:

      This does not violate privacy principles, as the name of the case is public record information. It falls under the judicially created public records exception. (For more information, refer to the Information Which Has Become Public Record section in IRM 11.3.11.)

    3. This practice also applies for unsealed CI matters (such as an indictment, where testimony occurred in an open proceeding, or if an official press release is issued). It would not apply for sealed federal court matters.

  6. For Calendars for Offices with Regulatory, Investigative, and/or Advocacy Responsibilities (particular taxpayer meetings):

    1. Counsel's calendar entry may use a succinct description of the subject matter and include the case control number assigned to the matter in Counsel's management information system (CASE-MIS). For example, an Outlook entry for a meeting to discuss whether to pursue enforcement of a summons in the examination of taxpayer A would appear as "Summons enforcement/POSTF-123456-08." Except for assignments of cases docketed in the U.S. Tax Court (see previous section), this case control number is public record and not PII that must be protected. An invitee could then access CASE-MIS to ascertain the identity of the taxpayer with respect to whom the summons enforcement matter is to be discussed.

    2. CI may use the Criminal Investigation Management Information System (CIMIS) investigation number.

    3. TAS, as well as Counsel to the National Taxpayer Advocate, may use the Taxpayer Advocate Management Information System number plus the first four (4) significant letters of the taxpayer entity's name.

  7. For Non-Taxpayer-Related Meetings/Appointments:

    1. An entry on the calendar for meetings with external parties doing business with the IRS (Enrolled Agents, for example) that does not concern specific taxpayers, would consist of the name of the external representative, the name of the organization (where appropriate), and/or the subject matter of the meeting.

    2. Personnel may send any meeting-related non-taxpayer-related PII or SBU data in a separate email (with encrypted, password-protected attachments using IT-approved encryption methods) with directions in the calendar invite to look for the separate email.

    3. Examples of situations where this practice would be used include, but are not limited to:
      i. Where Counsel hosts informational meetings with external parties, such as trade groups or other professional organizations, in conjunction with its published guidance program.
      ii. Where IRS organizations meet with external parties for the purposes of planning or delivering presentations or for procurement matters.
      iii. Examples of emails requiring encrypted PII or SBU data attachments in these scenarios include details on speakers (such as resumes) or procurement issues (such as contract information).

    4. Personnel may voluntarily include their personal appointments on the calendar to ensure business appointments do not conflict.

    5. Supervisors may note absences of direct reports on the calendar so that the supervisor may schedule meetings, assign work, and manage his/her work unit more efficiently.

    6. The supervisor may not include additional information such as the whereabouts of those direct reports. However, official travel status and telework notations (without addresses) are acceptable supervisor calendar entries.

    7. Leave and other personal information on shared group calendars may be included only with the permission of the affected personnel.

Online Meeting Tools
  1. Online meeting tools include Skype for Business, Saba Centra, Webex, etc. Use only Enterprise Architecture-approved tools.

  2. Skype for Business is an encrypted method of communicating within the IRS network.

  3. For Saba Centra, Webex, and other approved virtual meeting tools with encrypted communication capability:

    1. Ensure that the audience/recipients are authorized to view the material.

    2. Share SBU data (including PII and tax information) on a need-to-know basis.

  4. Online meeting tools may convey SBU data; however, do not use instant messaging (such as Skype) to conduct official business without saving an official record. Refer to the Use of Agency-approved Electronic Messaging Systems section in IRM 1.15.6.

Shared Drives
  1. The IRS shared network drives (such as I drive, S drive, home directories or other shared resource) are governed in part by the section SC-28 Protection of Information at Rest in IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance. This policy makes it clear that only those with a need to know may have access to SBU data (including PII and tax information) on shared drives, with tight access and controls in place. Because of these controls, encryption is not required.

  2. To protect the privacy of employee and tax information, the law and IRS policy require a PIA when an agency uses PII in Information Technology to ensure examination and mitigation of privacy risks, with few exceptions.

  3. When a shared drive contains SBU data (such as PII, tax, or employee information), site owners must submit a PIA through the Privacy Impact Assessment Management System (PIAMS) available through the IRS intranet.

    1. Use the PIAMS SharePoint PIA questionnaire because of the similar collaborative data use.

    2. Prepare the PIA at the highest shared drive level (such as \\<server>\<share>\<department>), not the individual file or folder level. Indicate whether the SBU data is housed on a shared drive or SharePoint site and also note whether database(s) are included and what type.

    3. Correctly align personnel access to the shared drives and create a process for documenting access approvals.

    4. Meet requirements outlined in IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, in the Access to Sensitive Information section. When automated checks can’t be performed, business units are expected to perform due diligence and develop the appropriate awareness training, operational instructions, and job aids (e.g., banners, standard operating procedures, or handouts) to aid personnel in self-reporting.

  4. For databases (unsupported by IT) on shared drives (i.e., Access databases):

    1. Identify databases with SBU data (including PII and tax information).

    2. Review shared drive content. Delete databases no longer needed or consolidate to shared drive(s) with SBU data (including PII and tax information).

      Note:

      Prior to the deletion of unwanted databases/shared drives, owners must ensure adherence to appropriate records retention policies. For any databases or shared drives that contain federal records, it is good practice to fill out Form 11671, Certificate of Records Disposal.

    3. For databases remaining on shared drives, site owners must ensure compliance with one of the following options:
      - Complete a PIA for the shared drives with SBU data (including PII and tax information). Use the PIAMS SharePoint PIA questionnaire because of the similar collaborative data use.

      Note:

      These PIAs are valid for three years. Within three years of the approved PIA, the site owner must ensure deletion of the database from the shared drive or migration of the data to SharePoint (along with an updated PIA).


      - Move the data to an IT-supported platform (such as SharePoint) and complete a SharePoint PIA at the site collection level.
      - Complete a system PIA on the individual application/database.

    4. For more information on databases unsupported by IT, refer to the Enterprise Architecture website on the IRS intranet.

  5. For more information on PIAs and PCLIAs, refer to IRM 10.5.2, Privacy Compliance and Assurance.

SharePoint
  1. Sharing data in collaborative data environments, such as SharePoint, might offer valuable benefits while having inherent privacy risks. Understanding the risks involved with sharing data on these sites allows for risk management.

  2. SharePoint access controls shall limit access using site, folder, and file permissions as appropriate.

  3. Site collection owners also must ensure SharePoint users follow rules and protect privacy.

  4. A SharePoint PIA is required any time a SharePoint site collection contains SBU data (including PII and tax information). The IRS reviews these privacy protections through the SharePoint PIA process. For more information on SharePoint PCLIAs, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program.

  5. For more information on Collaborative Environments, refer to IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

Cloud Computing
  1. Before contracting for cloud services, address the necessary privacy and security policies.

  2. All procurements of cloud computing services that include SBU data (including PII and FTI) must be approved by PGLD via the Privacy and Civil Liberties Impact Assessment (PCLIA) process (required by the ELC).

  3. The IRS PCLIA process addresses privacy concerns for IRS systems with SBU data (including PII and tax information) using cloud computing. These issues include, but are not limited to:

    • Who is the Cloud Service Provider (CSP)?

    • Who has access to the information at the Cloud Service Provider?

    • Do other CSPs service this CSP (subcontract with), such as performing updates, maintenance, or other services?

    • What is the Cloud Service Provider’s Federal Risk and Authorization Management Program (FedRAMP) compliance status?

    • What deployment model (private, hybrid, etc.)?

    • Where does the information go?

    • Where is it stored, transmitted?

    • How is it secured? What security categorization (Low, Moderate, High)?

    • How reliable and secure is the audit trail?

    • How will monitoring be done and how often?

    • Does the CSP contract include all required privacy and security contract clauses, including those for protecting SBU data (including PII and tax information)?

  4. Except for systems principally supporting overseas Federal/Treasury personnel and/or activities, Treasury systems shall be located and operated within the U.S. [TD P 85-01, control SA-4_T.193]

    Note:

    This includes Treasury contractor systems.

  5. PGLD and COR must provide written notification to the contractor when the contractor is permitted to maintain Government data at a location outside the U.S.

  6. Failure to comply with privacy and security policies and processes might necessitate contract modifications.

  7. For more information on cloud computing issues and cloud deployment models, refer to IRM 10.8.24, Information Technology (IT) Security, Cloud Computing Security Policy, and IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

Training

  1. Although IRC §6103(h)(1) permits the disclosure of tax information to IRS personnel for the purposes of tax administration to the extent the individual obtaining that access has a "need to know," IRS employees must avoid the use of tax information in training.

    1. Using tax information increases the risks of unauthorized disclosure and might subject the Internal Revenue Service to civil unauthorized disclosure actions which might then result in disciplinary actions against the offending employee(s).

    2. Use of tax information also raises issues about compliance with the IRS Taxpayer Bill of Rights. While 6103(h) authorizes disclosure when information is helpful in performing tax administration duties, returns and return information should not be used for training purposes when hypothetical or fictional cases will serve the training requirements.

      Note:

      Avoiding extra effort is not justification for increasing risk.

    3. Employee publications, training and presentation materials are publicly available under the Freedom of Information Act and in the Electronic Reading Room on IRS.gov. That makes it critical that all IRS employees follow published guidelines to prevent the unauthorized disclosure of tax information.

  2. For more information about fictionalizing data, see the Disclosure Requirements section of IRM 6.410.1, Learning and Education, Learning and Education Policy.

  3. For more information about training material and official use only requirements, refer to IRM 11.3.12, Designation of Documents, and IRM 1.11.2, Internal Management Documents System, Internal Revenue Manual (IRM) Process.

Introduction to Privacy-Related Programs

  1. The IRS promotes a robust privacy program leveraging the use of technology and privacy processes. The IRS privacy program improves taxpayer service by protecting the privacy of taxpayers’ and employees’ data and enhancing their trust. Designing privacy into the IRS modernization initiative (people, systems, processes, and technology) further improves the protection of SBU data (including PII and tax information) throughout the IRS.

  2. Privacy issues are integral to IRS business. Because of the complexity, scope, and importance of privacy to the IRS mission, PGLD is not the single point of contact for all privacy-related programs.

  3. This IRM and IRM 10.5.2, Privacy Compliance Assurance (PCA) Program, provide links and references to other IRMs and programs that work closely with PPC or contain elements of privacy within those programs. IRS personnel must familiarize themselves with and utilize all links/reference IRMs, as appropriate. This includes, but is not limited to, the following privacy-related programs, not all of which PGLD manages.

  4. For more information about PGLD, refer to IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD), and the PGLD Virtual Library website.

IRS Privacy Council

  1. Privacy Policy and Knowledge Management (PPKM), within PGLD’s PPC, oversees and coordinates the IRS Privacy Council. [AR-1]

  2. The purpose of the IRS Privacy Council is to:

    1. Develop a cohesive privacy vision to implement and oversee Servicewide privacy and disclosure policies.

    2. Serve as a high-level strategy and policy development group charged with identifying and effectively addressing significant current and emerging information privacy, disclosure, and related policy issues.

    3. Centralize the Chief Privacy Officer’s (CPO) policy-making role in the development and evaluation of legislative, regulatory, and other policy proposals, which implicate information privacy issues. In so doing, the Council takes a central role in ensuring the IRS is fully compliant with federal laws, regulations, and policies relating to information privacy while enabling continued progress and innovation.

  3. To accomplish these objectives, the IRS Privacy Council members will:

    1. Engage the Business Units and Operating Divisions for purposes of multi-level identification of issues appropriate for Council action.

    2. Partner with cross-functional working groups to identify and work issues appropriate for Council action.

    3. Generate policy guidance to be issued from the CPO.

    4. Establish communications and web strategies to ensure successful dissemination of guidance and additional tools for ongoing Servicewide education and assistance.

    5. Conduct periodic reviews of established policy guidance to ensure sufficiency and consistency.

    6. Partner with Office of Chief Counsel for consultative purposes, and to identify and develop needed legislative and regulatory proposals.

    7. Review and comment on circulated draft legislation, Executive Orders, Office of Management and Budget memoranda, executive agency white papers, and other inter-governmental documents.

    8. Provide subject matter expertise on broad-scope Servicewide initiatives.

    9. Partner with program offices to ensure information privacy and disclosure policies are appropriately included in training modules. [PVR-01; AR-1]

  4. The IRS privacy community participates in the Federal Privacy Council (FPC) to identify Federal agency best practices, build and strengthen collaboration with other agencies, and conduct outreach as appropriate. See the References section of this IRM for the link to the FPC website and resources.

  5. For more information, email *Privacy or refer to the IRS Privacy Council website on the IRS intranet.

Privacy and Civil Liberties Impact Assessment (PCLIA)

  1. Privacy Compliance and Assurance (PCA), within PGLD’s PPC, supports the IRS in recognizing the importance of protecting the privacy of taxpayers and employees, balancing the need for information collection with the privacy risks. The vehicle for addressing privacy issues in a system is the PCLIA. [OMB A-130]

  2. For more information about the PCLIA process, refer to IRM 10.5.2, Privacy Compliance and Assurance (PCA) Program, or the PCLIA website in the PGLD Virtual Library.

Business PII Risk Assessment (BPRA)

  1. Privacy Compliance and Assurance (PCA), within PGLD’s PPC, uses the Business PII Risk Assessment (BPRA) program to assess privacy risks in IRS processes. The BPRA addresses the impact of privacy risks in the same way an IT security risk assessment addresses the impact of security risks to the IRS. [OMB A-130]

  2. For more information about the BPRA program, email *Privacy or see the BPRA page on the PCA website in the PGLD Virtual Library.

Treasury PII Holdings Report

  1. Treasury is mandated by Congress to maintain a listing of all systems that contain PII. The database is designed to assist the Treasury in maintaining a detailed inventory of its PII holdings. [SE-1, OMB A-130]

  2. For more information about the Treasury PII Holdings Report, email *Privacy.

Unauthorized Access (UNAX)

  1. Information Protection Projects (IPP), under PGLD’s Identity and Records Protection (IRP), administers the Unauthorized Access to Taxpayer Accounts (UNAX) program.

  2. The term UNAX is used to define the act of committing an unauthorized access, attempted access or inspection (commonly referred to as UNAX) of any tax information contained on paper or within any electronic format without a management-assigned IRS business need.

  3. For more information, refer to IRM 10.5.5, IRS Unauthorized Access, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.

  4. Refer to the UNAX website in the PGLD Virtual Library.

Mandatory Briefings

  1. Mandatory briefings deliver required Servicewide training – including the Privacy Information Protection and Disclosure and UNAX briefings managed by the PGLD offices of PPKM and IPP, respectively.

  2. For more information about mandatory briefings, refer to the Mandatory Briefings page in the PGLD Virtual Library.

Records and Information Management (RIM)

  1. Records and Information Management (RIM) Office within IRP supports the IRS mission and programs by promoting current information, guidance, and awareness of the importance of managing records throughout the IRS. The RIM program addresses the requirements for recordkeeping, protection, review, storage, and disposal.

  2. The public expects that IRS records are available where and when they are needed, to whom they are needed, for only as long as they are needed, in order to conduct business, adequately document IRS activities, and protect the interests of the federal government and American taxpayer. All IRS records are required under the Federal Records Act to be efficiently managed until final disposition.

  3. Refer to IRM 1.15.7, Records and Information Management, Files Management, for additional information.

Disclosure

  1. Disclosure, within PGLD’s Governmental Liaison, Disclosure and Safeguards (GLDS), supports the Disclosure program. Disclosure safeguards confidential records, from the mailroom to the Commissioner’s office. The word "sensitive" encompasses every type of SBU data from tax records to personal employee data.

  2. Tax returns and return information are to be considered SBU data. 26 USC 6103 provides the general rule that tax returns and return information are confidential and cannot be disclosed except as provided by Title 26.

    Note:

    IRC 7213 and IRC 7431 include civil and criminal penalties for willful or negligent disclosure of returns or return information.

  3. IRM 11.3 series, Disclosure of Official Information, contains guidelines governing whether tax returns and other information contained in Service files may be disclosed. Disclosure may not be made unless IRC 6103 authorizes disclosure and not before requirements in IRC 6103 and IRM 11.3 series are met. The Office of Government, Liaison and Disclosure must approve proposed disclosures and ensure they meet the requirements of an exception in Title 26 before disclosure.

  4. Before disclosing IRS information (tax information, proprietary information, processes, system information, etc.), contact Disclosure to ensure that the information may be disclosed or what can/should be redacted.

  5. See the internal Disclosure website in the PGLD Virtual Library.

  6. See also the external Disclosure office information for submitting a FOIA Request:
    https://www.irs.gov/privacy-disclosure/irs-disclosure-offices

Digital Identity Risk Assessment (DIRA) [formerly Electronic Risk Assessment (e-RA)]

  1. Digital Identity Risk Assessment (DIRA) [formerly Electronic Risk Assessment (e-RA)] is a joint effort between IT Cybersecurity and Online Services to establish a framework for establishing authentication risk consistently across electronic transactions.

  2. To ensure privacy and security, agencies must authenticate users of their web-based or online transactions before permitting access to information entrusted to them. The DIRA process evaluates the risk of a transaction to determine the applicable assurance level on three component parts, referred to as Identity Assurance Level (IAL), Authenticator Assurance Level (AAL), and Federation Assurance Level (FAL).

    Note:

    The DIRA process applies to online web-based transactions.

Electronic Authentication (e-Authentication)

  1. To ensure privacy and security, agencies must authenticate web-based or online transaction users before permitting access to information. In the Identity and Access Management domain, the e-Authentication (eAuth) framework uses this process to guide business units with the implementation of online applications/transactions.

  2. For more information, see the DIRA section of this IRM. Refer to the Secure Access e-Authentication section in IRM 21.2.1, Systems and Research Programs, Systems. Refer to the e-Authentication website on the IRS intranet.

Enterprise Life Cycle (ELC)

  1. The IT Enterprise Life Cycle (ELC) office manages the ELC program.

  2. The IRS ELC is the methodology by which the IRS manages project activities through established standard processes.

    1. The Enterprise Architecture (EA) is an integral component of the ELC compliance process, particularly from Milestone 1 through Milestone 4a.

    2. The ELC provides the direction, processes, tools, and assets necessary to accomplish business change in a consistent and repeatable manner as they implement the EA.

  3. For more information about the ELC, refer to IRM 2.16.1, Enterprise Life Cycle (ELC), ELC Guidance, or the ELC website on the IRS intranet.

Governmental Liaison (GL)

  1. Governmental Liaison (GL) facilitates, develops, and maintains relationships with federal, state, and local governmental agencies and IRS operating and functional divisions on strategic IRS programs. All IRS personnel should contact GL prior to contacting any governmental agency regarding initiatives or data exchanges.

  2. GL maintains the IRS Agreement Database (IAD), which includes:
    Formal agreements that GL established with U.S. federal, state and local governmental agencies and IRS business units to exchange data, and tax and non-tax information that require PGLD oversight for privacy, disclosure, and safeguarding. (Internet service agreements, LB&I treaty and Foreign Account Tax Compliance Act agreements, Agreements with 6103(k)(6) disclosures and IRC 6103(c) consent-based disclosures with non-government agencies are excluded.)
    https://irssource.web.irs.gov/PGLD/Lists/News/DispItemForm.aspx?ID=67

  3. For more information about GL, see IRM 11.4.1, Communications and Liaison, Office of Governmental Liaison, Governmental Liaison Operations.

  4. For more information about GL’s programs, see the website:
    https://portal.ds.irsnet.gov/sites/vl003/lists/governmentalliaison/landingview.aspx

Identity Assurance Office (IAO)

  1. Identity Assurance Office (IAO) provides oversight and strategic direction for authentication, authorization, and access processes of taxpayer information. IAO also delivers externally facing IRS services across all channels while protecting taxpayer data from fraudsters and identity thieves.

  2. For more information about IAO, see the IAO website on the IRS intranet.

IT Security

  1. Architecture and Implementation under Cybersecurity supports IT security policy and implementation.

  2. IT security and privacy issues go hand-in-hand. Information Technology security policy describes how to protect IT environments, while privacy policy describes how to protect individuals’ information in those IT environments. Information Technology focuses on protecting the systems, the network, and the applications that house the data. Privacy focuses on protecting the individual represented by the data.

  3. For more information about IT security policy and references, see IRM 10.8.1 and the rest of the IRM 10.8 family.

  4. For more information about the Cybersecurity program, see the Cybersecurity website on the IRS intranet.

Incident Management (IM)

  1. Incident Management (IM), within PGLD’s PPC, is dedicated to assisting taxpayers and personnel potentially impacted by IRS breaches by working quickly and thoroughly to investigate breaches to decrease the possibility that information will be compromised and used to perpetrate identity theft or other forms of harm.

  2. The IM program manages reports of IRS losses, thefts, and inadvertent disclosure of SBU data (including PII and tax information).

  3. Immediately upon discovery of an inadvertent unauthorized disclosure of sensitive information, or the loss or theft of an IT asset or hardcopy record or document containing sensitive information, personnel must report an incident/breach to the manager and the appropriate organizations based on what was lost or disclosed.

  4. Anyone discovering a breach must report the breach to the appropriate organizations.

  5. For more information about how to report an incident/breach, see IRM 10.5.4, Privacy and Information Protection, Incident Management Program, or the Report Losses, Thefts or Disclosures of Sensitive Data; Report Lost or Stolen IT Assets website in the PGLD Virtual Library.

Pseudonym

  1. Employee Protection (EP), within PGLD’s PPC, manages the IRS Pseudonym program.

  2. Under certain conditions (protection of personal safety, adequate justification, pre-approval, etc.), the Pseudonym program provides for the use of pseudonyms by IRS employees. The IRS Office of Employee Protection (OEP, under PGLD’s PPC) helps employees protect the privacy of these pseudonyms.

  3. See IRM 10.5.7, Use of Pseudonyms by IRS Employees, for more information about the terminology, program, process, and requirements.

Safeguards

  1. The Safeguards program and staff are responsible for ensuring that federal, state, and local agencies receiving federal tax information protect it as if the information remained in IRS’s hands.

  2. For more information about Safeguards, see the Safeguards website on the IRS intranet.

Social Security Number Elimination and Reduction (SSN ER)

  1. Information Protection Projects (IPP), under PGLD’s Identity and Records Protection (IRP), administers the Social Security Number Elimination and Reduction (SSN ER) program.

  2. This program’s goal is to implement regulatory requirements to eliminate or reduce the collection and use of SSNs in programs, processes, and forms. [OMB A-130]

  3. For more information, refer to the SSN ER website in the PGLD Virtual Library or email *PGLD SSN Reduction.

Acceptable Use of SSNs

  1. Use of SSNs is acceptable when any of these options mandates such use:

    • Law/statute.

    • Executive orders.

    • Federal regulations.

    • Business need (e.g., the inability to alter systems, processes, or forms due to costs or unacceptable level of risk).

SSN Necessary-Use Criteria

  1. SSN ER compliance requires owners of forms, notices, letters, and systems to apply the following SSN necessary-use criteria to determine whether SSN use is justifiable and necessary:

    1. Apply the SSN Necessary-Use Criteria
      Based on the definition of the necessary and/or acceptable use of SSNs:
      1. Provide an accurate and complete citation of what authority (legislative mandate, regulation, or executive order) justifies SSN usage.
      2. Consider how the SSN is used throughout the information lifecycle (reviewing all forms, notices, letters, and systems), and take into account the following regarding SSN data:
      - Acquisition/collection
      - Conversion/use and display
      - Migration/transmission
      - Storage
      - Deletion/disposal
      3. Determine whether the SSN is a critical component to the business process, which cannot be performed or achieved without the use of the SSN. The owner must describe in detail those existing operational dependencies.

      Note:

      Procedures for completing and submitting Form 14132, Social Security Number Elimination and Reduction Inventory, are contained in step c).

    2. Identify SSN Elimination and Reduction Solutions
      After identifying potential areas to reduce or eliminate SSN use, collaborate with business unit stakeholders to explore and identify feasible short- and long-term mitigation solutions, and submit a written mitigation plan to IPP @ *PGLD SSN Reduction.

    3. Develop a Mitigation Strategy for Existing Inventories
      Whether SSN use is determined to be necessary or unnecessary, develop and provide to PGLD/IPP a mitigation strategy for existing forms, notices, and letters inventories on Form 14132.

    4. When Creating New Forms, Notices, Letters, and Systems
      Business/system owners must practice due diligence when creating new forms, notices, letters and systems to ensure they apply the necessary-use criteria.

      For New... | The Process Is...
      Forms | W&I Media and Publications will ask form owners to consider the necessary use of SSNs on newly created forms. Justification must be provided for all forms requiring an SSN. The justification will become part of the form history folder. (For required Privacy Act Notification information, see the Notification Section of IRM 10.5.6.)
      Notices/letters | The Office of Taxpayer Correspondence will ask owners to consider use of SSNs on all newly created notices/letters. These questions and answers will become part of the interview file and maintained for documentation purposes.
      Systems | Owners are required to complete a Privacy and Civil Liberties Impact Assessment (PCLIA) for any system that will contain any personally identifiable information, including SSNs. The purpose of a PCLIA is to demonstrate that program/project managers and system owners and developers have consciously incorporated privacy and civil liberties protections throughout the entire lifecycle of a system. The Privacy Impact Assessment Management System will maintain the justification for SSN usage.

    5. Manage Inventory
      PGLD will use completed Forms 14132 to manage the SSN ER Program and to periodically report progress to Treasury and IRS executive leadership.

    6. Reassess Periodically
      Once every three years, business/systems owners must reassess any forms, notices, letters or systems to determine if conditions have changed that allow for the elimination or masking of the SSN on their products.

SBU Data Use for Non-Production Environments

  1. Privacy Compliance and Assurance (PCA), within PGLD’s PPC, manages the SBU Data Use process for non-production environments.

  2. The SBU Data Use for non-production environments process helps Information Owners (IOs) and Authorizing Officials (AOs) know when SBU data (including PII or tax information) is being used in additional non-production environments, when appropriate. This process helps IOs and AOs, tasked with accepting risk on behalf of the IRS, to know and understand the movement of the SBU data outside the production environment and to ensure its protection. [DM-3]

  3. See IRM 10.5.8 (formerly IRM 10.8.8), Sensitive But Unclassified (SBU) Data Policy: Protecting SBU in Non-Production Environments and the SBU website in the PGLD Virtual Library.

Glossary and Acronyms

Term | Definition or description
AO | Authorizing Official.
ATO | Authorization to Operate.
Authorization To Operate (ATO) | An Authorization to Operate (ATO) is a formal declaration by a Designated Approving Authority (DAA) that authorizes operation of a Business Product and explicitly accepts the risk to agency operations. The ATO is signed after a Certification Agent (CA) certifies that the system has met and passed all requirements to become operational. Systems continue to operate under the same ATO following the Information System Continuous Monitoring (ISCM) process.
Authorizing Official (AO) | The Authorizing Official (AO) or accrediting official, shall be a senior management/executive official government employee with the authority to formally assume responsibility for operating a system at an acceptable level of risk. (Refer to IRM 10.8.2 for more information.)
civil liberties | The basic rights guaranteed to individual citizens by law.
CSP | Cloud Service Provider.
Data Owner | See Information Owner.
DIRA | Digital Identity Risk Assessment.
employee information | All employee information covered by the Privacy Act of 1974 (5 U.S.C. 552a, as amended). Examples include personnel, payroll, job applications, disciplinary actions, performance appraisals, drug tests, health exams and evaluation data.
ELC | Enterprise Life Cycle.
electronic mail message (email) | A record created or received on an electronic mail system including briefing notes, more formal or substantive narrative documents, and any attachments, such as word processing and other electronic documents, which may be transmitted with the message. Email is normally not encrypted and may be exchanged with recipients who are operating in a separate technology environment (domain), outside IRS control.
electronic media | Electronic media are electronic copy or devices containing bits and bytes such as hard drives, random access memory (RAM), read-only memory (ROM), disks, flash memory, memory devices, phones, mobile computing devices, networking devices, office equipment, and many other types listed in Appendix A. [NIST Special Publication 800-88, Guidelines for Media Sanitization]
employees | IRS employees, which includes:
1. Employees
2. Seasonal/temporary employees
3. Interns
4. Detailees
EP | Employee Protection, within PGLD’s Privacy Policy and Compliance (PPC).
Federal tax information (FTI) | Any return or return information received from the IRS or secondary source, such as SSA etc. FTI includes any information created by the recipient that is derived from return or return information. (Internal Revenue Code (IRC) § 6103, Confidentiality and disclosure of returns and return information.)
FedRAMP | Federal Risk and Authorization Management Program.
fictionalized data | Fictional examples of similar situations that contain neither the identity of the taxpayer nor any information that could be considered attributable to a particular taxpayer. Such examples would not require any designation as sensitive.
FIPS | Federal Information Processing Standards.
FISMA | Federal Information Security Modernization Act of 2014.
GL | Governmental Liaison.
GRS | General Records Schedules - Document 12829.
hardcopy | Hard copy media are physical representations of information, most often associated with paper printouts. However, printer and facsimile ribbons, drums, and platens are all examples of hard copy media. The supplies associated with producing paper printouts are often the most uncontrolled. Hard copy materials containing sensitive data that leave an organization without effective sanitization expose a significant vulnerability to "dumpster divers" and overcurious employees, risking unwanted information disclosures. [NIST Special Publication 800-88, Guidelines for Media Sanitization]
FTI | Federal Tax Information.
IAD | IRS Agreement Database.
IAO | Identity Assurance Office.
IM | Incident Management, within PGLD’s PPC.
Information Owner (IO) | Official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.
IO | Information Owner.
IoT | Internet of Things.
  • IoT involves sensing, computing, communication, and actuation. [NIST SP 800-183]

  • The Internet of Things (IoT) is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. IoT devices are an outcome of combining the worlds of information technology (IT) and operational technology (OT). Many IoT devices are the result of the convergence of cloud computing, mobile computing, embedded systems, big data, low-price hardware, and other technological advances. IoT devices can provide computing functionality, data storage, and network connectivity for equipment that previously lacked them, enabling new efficiencies and technological capabilities for the equipment, such as remote access for monitoring, configuration, and troubleshooting. IoT can also add the abilities to analyze data about the physical world and use the results to better inform decision making, alter the physical environment, and anticipate future events. [NIST IR 8228]

IPP | Information Protection Projects, under PGLD’s Identity and Records Protection (IRP).
IRC | Internal Revenue Code.
IRP | Identity and Records Protection, under PGLD.
law enforcement sensitive information | This includes grand jury, informant, and undercover operations information, and procedural guide.
layered security | Where layered and complementary privacy and security controls are deemed sufficient to deter and detect unauthorized entry within the area. Examples include, but are not limited to, use of perimeter fences, employee and visitor access controls, use of an intrusion detection system, random guard patrols throughout the facility during non-working hours, closed circuit video monitoring or other safeguards that mitigate the vulnerability of open storage areas without alarms and security storage cabinets during non-working hours. Also sometimes referred to as Security in depth (refer to IRM 10.2.11).
live data | Production data in use.
MCD | Major Change Determination.
MER | Milestone Exit Release.
NDA | Non-Disclosure Agreement.
NIST | National Institute of Standards & Technology.
OFDP | Online Fraud Detection and Prevention, within IT Cybersecurity.
other protected information | Other protected information includes any knowledge or facts received by or created by IRS in support of IRS work. This includes all information covered by the Trade Secrets Act, the Procurement Integrity Act, and similar statutes. Examples include, but are not limited to:
  • Records about individuals requiring protection under the Privacy Act.

  • Information that is not releasable under the Freedom of Information Act.

  • Proprietary data.

  • Procurement sensitive data, such as contract proposals.

  • Information, which if modified, destroyed or disclosed in an unauthorized manner could cause: loss of life, loss of property or funds by unlawful means, violation of personal privacy or civil rights, gaining of an unfair procurement advantage by contractors bidding on government contracts, or disclosure of proprietary information entrusted to the Government.

  • Information related to the design and development of application source code.

  • Specific IT configurations, where the information system security configurations could identify the state of security of that information system; Internet Protocol (IP) addresses that allow the workstations and servers to be potentially targeted and exploited; and source code that reveals IRS processes that could be exploited to harm IRS programs, employees or taxpayers.

  • Security information containing details of serious weaknesses and vulnerabilities associated with specific information systems and/or facilities.

  • Any information, which if improperly used or disclosed could adversely affect the ability of the agency to accomplish its mission.

PCA | Privacy Compliance and Assurance.
PCLIA | Privacy and Civil Liberties Impact Assessment; replaced PIA.
personnel | IRS personnel or users, which includes:
1. Employees
2. Seasonal/temporary employees
3. Interns
4. Detailees
5. Consultants
6. IRS contractors (including contractors, subcontractors, non-IRS-procured contractors, vendors, and outsourcing providers)
personally identifiable information (PII) | Per OMB Circular A-130: ‘Personally identifiable information’ means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.

Because there are many different types of information that can be used to distinguish or trace an individual’s identity, the term PII is necessarily broad. To determine whether information is PII, the agency shall perform an assessment of the specific risk that an individual can be identified using the information with other information that is linked or linkable to the individual. In performing this assessment, it is important to recognize that information that is not PII can become PII whenever additional information becomes available – in any medium and from any source – that would make it possible to identify an individual.
PGLD | Privacy, Government Liaison and Disclosure.
PHI | Personal Health Information; can be a type of SBU data.
PIA | Privacy Impact Assessment; replaced by PCLIA.
PIAMS | Privacy Impact Assessment Management System.
PII | Personally Identifiable Information.
PPC | Privacy Policy and Compliance.
PPKM | Privacy Policy and Knowledge Management, under PGLD’s Privacy Policy and Compliance (PPC).
privacy | Privacy at the IRS reflects the combined effort of the IRS, its personnel, and individual taxpayers to protect, control, and exercise rights over the collection, use, retention, dissemination, and disposal of personal information.
Privacy Compliance and Assurance (PCA) | Organization that owns and manages the PCLIA, BPRA, SBU Data Use programs for IRS.
privacy culture | Where all personnel think about privacy before taking action. In such an environment or culture, protecting privacy guides the day-to-day practices and routines of each individual.
privacy lifecycle | The series of uses and status of information. It includes the creation, collection, receipt, use, processing, maintenance, access, inspection, display, storage, disclosure, dissemination, or disposal of SBU data (including PII and tax information) regardless of format.
PVR | IRS Privacy Requirements.
QQ | Qualifying Questionnaire (see PCLIA).
RAFT | Risk Acceptance Form and Tool.
RBD | Risk-Based Decision.
RCS | Records Control Schedules - Document 12990
return | Any tax or information return, estimated tax declaration, or refund claim (including amendments, supplements, supporting schedules, attachments, or lists) required by or permitted under the IRC and filed with the IRS by, on behalf of, or with respect to any person or entity (IRC § 6103(b)(2)(B)).
return information | In general, is any information collected or generated by the IRS with regard to any person’s liability or possible liability under the IRC. IRC § 6103(b)(2)(A) defines return information as very broad.
RIM | Records and Information Management.
SBU | Sensitive But Unclassified.
SBU data | Any information which, if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs (including IRS operations), or the privacy to which individuals are entitled under the Privacy Act (5 U.S.C. 552a). [TD P 15-71]
SBU data includes but is not necessarily limited to:
  • Federal Tax Information (FTI), Personally Identifiable Information (PII), Protected Health Information (PHI), certain procurement information, system vulnerabilities, case selection methodologies, system information, enforcement procedures, investigation information.

  • Live data, which is defined as production data in use. Live means that when changing the data, it changes in production. The data may be extracted for testing, development, etc., in which case, it is no longer live. Live data often contains SBU data.

For more information regarding security protections of Sensitive But Unclassified (SBU) data, refer to IRM 10.8.1.
SCIF | Sensitive Compartmented Information Facility (an enclosed area within a building that is used to process sensitive data).
SLA | Staff-Like Access.
SP | Special Publication (NIST).
SSN ER | Social Security Number Elimination and Reduction.
staff-like access | [From IRM 10.23.2] Staff-like access (SLA) is the authority granted to perform one or more of the following:
  • Enter IRS facilities or space (owned or leased) unescorted (when properly badged).

  • Possess login credentials to information systems (IRS or vendor-owned systems that store, collect, and/or process IRS information).

  • Possess physical and/or logical access to (including the opportunity to see, read, transcribe, and/or interpret) Sensitive but Unclassified (SBU) data, wherever the location. (See IRM 10.5.1 for examples of SBU data.)

  • Possess physical access to (including the opportunity to see, read, transcribe, and/or interpret) security items and products (e.g., items that must be stored in a locked container, security container, or a secure room, wherever the location. These items include, but are not limited to security devices/records, computer equipment, Identification media. For details see IRM 1.4.6.5.1, Minimum Protection Standards).

  • Enter physical areas, wherever the location, that store/process SBU information (unescorted).

SLA is granted to an individual who is not an IRS employee (and includes, but is not limited to: contractors/subcontractors, whether procured by IRS or another entity, vendors, delivery persons, experts, consultants, paid/unpaid interns, other federal employees, cleaning/maintenance employees, etc.), and is approved upon required completion of a favorable suitability/fitness determination conducted by IRS Personnel Security.
survey | Any data collection method, including but not limited to surveys, focus groups, interviews, pilot studies, and field tests. Refer to IRM 10.5.2 for more information.
synthetic data | Data that does not contain SBU data; however, it imitates data as it appears in an actual taxpayer’s file and does not require the submission of a SBU Data Usage and Protection request.
tax information | Any information that is obtained or used in the preparation of a tax return (Pub 4557, Safeguarding Taxpayer Data: A Guide for Your Business).

For the purpose of this IRM, the terms tax data and tax information include return and return information as defined in IRC 6103(b).
TIGTA | Treasury Inspector General for Tax Administration.
UNAX | Unauthorized Access to taxpayer accounts. The Taxpayer Browsing Protection Act (1997) forbids the willful unauthorized access or inspection of taxpayer records.
  • UNAX website on the IRS intranet

  • IRM 10.5.5, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements

References

This section lists the primary privacy statutes, regulations, guidelines, OMB Memoranda, and other materials that drive the privacy programs. Many of these can be found on the Federal Privacy Council’s website in the law library section.
https://www.fpc.gov/law-library/

Laws, Acts, Mandates, and OMB Memos

  • Privacy Act of 1974 (5 U.S.C. § 552a; Pub. L. No. 93-579), December 1974.

  • Computer Matching and Privacy Protection Act (1988).

  • Freedom of Information Act (FOIA) (1974).

    Note:

    FOIA was amended by the OPEN Government Act of 2007, Pub. L. No. 110-175, 121 Stat. 2524 (2007).

  • IRC 6103

  • E-Government Act (2002) [Pub.L. 107–347, 116 Stat. 2899, 44 U.S.C. § 101, H.R. 2458/S. 803], December 2002.

    • Federal Information Security Modernization Act of 2014 (FISMA, Pub. L. No. 113-283, Title II), December 2014.

  • Protecting Americans from Tax Hikes Act of 2015
    https://www.congress.gov/bill/114th-congress/house-bill/2029/text

  • Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. § 2510 et seq.

  • Taxpayer First Act of 2019.

Executive Orders

The link for Executive Orders is:
https://www.federalregister.gov/executive-orders

  • Executive Order 10450, Security Requirements for Government Employment, April 1953.

  • Executive Order 13556, Controlled Unclassified Information, November 2010.

  • Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 2013.

  • Executive Order 13681, Improving the Security of Consumer Financial Transactions, October 2014.

OMB Circulars
https://www.whitehouse.gov/omb/information-for-agencies/circulars/

  • OMB Circular No. A-11, Preparation, Submission, and Execution of the Budget

  • OMB Circular No. A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act

  • OMB Circular No. A-130, Management of Federal Information Resources

OMB Memos
https://www.whitehouse.gov/omb/information-for-agencies/memoranda/
https://www.archives.gov/federal-register/codification

The list of OMB Memos is:

  • M–01–05 – Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy.

  • M–03–22 – OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

  • M–06–16 – Protection of Sensitive Agency Information.

  • M–10–22 – Guidance for Online Use of Web Measurement and Customization Technologies.

  • M–10–23 – Guidance for Agency Use of Third-Party Websites and Applications.

  • M–12–18 – Managing Government Records Directive.

  • M–12–20 – FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. [FAQ 51]

  • M–14–04 – Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. [FAQ 60]

  • M–15–01 – Fiscal Year 2014-2015 Guidance on Improving Federal Information Security and Privacy Management Practices.

  • M–16–24 – Role and Designation of Senior Agency Officials for Privacy.

  • M–17–06 – Policies for Federal Agency Public Websites and Digital Services.

  • M–17–09 – Management of Federal High Value Assets.

  • M–17–12 – Preparing for and Responding to a Breach of Personally Identifiable Information.

  • M–19–17 – Enabling Mission Delivery through Improved Identity, Credential, and Access Management.

Department of Treasury

IRS

On the IRS intranet (links in the Hyperlinks for Other Privacy-Related Programs document on the PGLD Virtual Library):

  • Cybersecurity

  • Authorized software

  • Office of Disclosure (*Disclosure)

  • Office of Safeguards (*Safeguard Reports)

  • Privacy, Governmental Liaison and Disclosure (*Privacy)

  • SA&A

  • Taxpayer Bill of Rights:
    https://www.irs.gov/taxpayer-bill-of-rights

Related IRMs:

  • IRM 1.1.27, Organization and Staffing, Privacy, Governmental Liaison and Disclosure (PGLD)

  • IRM 11.3 series, Disclosure of Official Information.

  • IRM 1.15 series, Records and Information Management.

  • IRM 10.8 series, especially:

    • IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance.

    • IRM 10.8.2, Information Technology (IT) Security, Roles and Responsibilities.

    • IRM 10.8.24, Information Technology (IT) Security, Cloud Computing Security Policy.

    • IRM 10.8.26, Information Technology (IT) Security, Government Furnished and Personally Owned Mobile Computing Device Security Policy.

    • IRM 10.8.27, Information Technology (IT) Security, Personal Use of Government Furnished Information Technology Equipment and Resources.

  • IRM 10.23.2, Personnel Security, Contractor Investigations.

NIST

The link for National Institute of Standards and Technology (NIST) Special Publication (SP):
https://csrc.nist.gov/publications/sp

  • SP 800-18, Guide for Developing Security Plans for Federal Information Systems, February 2006.

  • SP 800-28 Version 2, Guidelines on Active Content and Mobile Code, March 2008.

  • SP 800-30 Rev. 1, Guide for Conducting Risk Assessments, September 2012.

  • SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, December 2018.

  • SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011.

  • SP 800-44 Version 2, Guidelines on Securing Public Web Servers, September 2007.

  • SP 800-45 Version 2, Guidelines on Electronic Mail Security, February 2007.

  • SP 800-46 Rev. 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, July 2016.

  • SP 800-47, Security Guide for Interconnecting Information Technology Systems, August 2002.

  • SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, January 2015.

    • Appendix J, Privacy Control Catalog.

  • SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, December 2014.

  • SP 800-55 Rev. 1, Performance Measurement Guide for Information Security, July 2008.

  • SP 800-59, Guideline for Identifying an Information System as a National Security System, August 2003.

  • SP 800-60 Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008.

  • SP 800-63, Electronic Authentication Guideline, July 2017.

  • SP 800-63-3, Digital Identity Guidelines, December 2017:

    1. Digital Identity Guidelines: Enrollment and Identity Proofing.

    2. Digital Identity Guidelines: Authentication and Lifecycle Management.

    3. Digital Identity Guidelines: Federation and Assertions.

  • SP 800-83 Rev. 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, July 2013.

  • SP 800-88 Rev. 1, Guidelines for Media Sanitization, December 2014.

  • SP 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications, November 2006.

  • SP 800-92, Guide to Computer Security Log Management, September 2006.

  • SP 800-95, Guide to Secure Web Services, August 2007.

  • SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), April 2010.

  • SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, September 2011.

  • SP 800-163 Rev. 1, Vetting the Security of Mobile Applications, April 2019.

  • SP 800-183, Networks of ‘Things’, July 2016.

  • IR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, June 2019.

The link for FIPS publications is:
https://csrc.nist.gov/publications/fips

  • Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems.

  • Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems.

  • Federal Information Processing Standards (FIPS) Publication 201, Personal Identity Verification of Federal Employees and Contractors.

National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity.

National Institute of Standards and Technology Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management.

Additional information regarding the NIST publications noted above is available on the NIST website:
https://csrc.nist.gov/

NIST Appendix J Privacy Controls

  1. AP Authority and Purpose
    This family ensures that organizations: (i) identify the legal bases that authorize a particular PII collection or activity that impacts privacy; and (ii) specify in their notices the purpose(s) for which PII is collected.

    1. AP-1 Authority to Collect
      The organization determines and documents the legal authority that permits the collection, use, maintenance, and sharing of PII, either generally or in support of a specific program or information system need.

    2. AP-2 Purpose Specification
      The organization describes the purpose(s) for which PII is collected, used, maintained, and shared in its privacy notices.

  2. AR Accountability, Audit, and Risk Management
    This family enhances public confidence through effective controls for governance, monitoring, risk management, and assessment to demonstrate that organizations are complying with applicable privacy protection requirements and minimizing overall privacy risk.

    1. AR-1 Governance and Privacy Program
      The organization:

      1. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of PII by programs and information systems;

      2. Monitors federal privacy laws and policy for changes that affect the privacy program;

      3. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program;

      4. Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;

      5. Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, information systems, or technologies involving PII; and

      6. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially].

    2. AR-2 Privacy Impact and Risk Assessment
      The organization:

      1. Documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, use, and disposal of PII; and

      2. Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy, or any existing organizational policies and procedures.

    3. AR-3 Privacy Requirements for Contractors and Service Providers
      The organization:

      1. Establishes privacy roles, responsibilities, and access requirements for contractors and service providers; and

      2. Includes privacy requirements in contracts and other acquisition-related documents.

    4. AR-4 Privacy Monitoring and Auditing
      The organization monitors and audits privacy controls and internal privacy policy [Assignment: organization-defined frequency] to ensure effective implementation.

    5. AR-5 Privacy Awareness and Training
      The organization:

      1. Develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures;

      2. Administers basic privacy training [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacy training for personnel having responsibility for PII or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and

      3. Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements [Assignment: organization-defined frequency, at least annually].

    6. AR-6 Privacy Reporting
      The organization develops, disseminates, and updates reports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates, and to senior management and other personnel with responsibility for monitoring privacy program progress and compliance.

    7. AR-7 Privacy-Enhanced System Design and Development
      The organization designs information systems to support privacy by automating privacy controls.

    8. AR-8 Accounting of Disclosures
      The organization:

      1. Keeps an accurate accounting of disclosures of information held in each system of records under its control, including:
        1. Date, nature, and purpose of each disclosure of a record; and
        2. Name and address of the person or agency to which the disclosure was made;

      2. Retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer; and

      3. Makes the accounting of disclosures available to the person named in the record upon request.

  3. DI Data Quality and Integrity
    This family enhances public confidence that any PII collected and maintained by organizations is accurate, relevant, timely, and complete for the purpose for which it is to be used, as specified in public notices.

    1. DI-1 Data Quality
      The organization:

      1. Confirms to the greatest extent practicable upon collection or creation of PII, the accuracy, relevance, timeliness, and completeness of that information;

      2. Collects PII directly from the individual to the greatest extent practicable;

      3. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs or systems [Assignment: organization-defined frequency]; and

      4. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information.

    2. DI-2 Data Integrity and Data Integrity Board
      The organization:

      1. Documents processes to ensure the integrity of PII through existing security controls; and

      2. Establishes a Data Integrity Board when appropriate to oversee organizational Computer Matching Agreements and to ensure that those agreements comply with the computer matching provisions of the Privacy Act.

  4. DM Data Minimization and Retention
    This family helps organizations implement the data minimization and retention requirements to collect, use, and retain only PII that is relevant and necessary for the purpose for which it was originally collected. Organizations retain PII for only as long as necessary to fulfill the purpose(s) specified in public notices and in accordance with a National Archives and Records Administration (NARA)-approved record retention schedule.

    1. DM-1 Minimization of Personally Identifiable Information
      The organization:

      1. Identifies the minimum PII elements that are relevant and necessary to accomplish the legally authorized purpose of collection;

      2. Limits the collection and retention of PII to the minimum elements identified for the purposes described in the notice and for which the individual has provided consent; and

      3. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment: organization-defined frequency, at least annually] to ensure that only PII identified in the notice is collected and retained, and that the PII continues to be necessary to accomplish the legally authorized purpose.

    2. DM-2 Data Retention and Disposal
      The organization:

      1. Retains each collection of PII for [Assignment: organization-defined time period] to fulfill the purpose(s) identified in the notice or as required by law;

      2. Disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized access; and

      3. Uses [Assignment: organization-defined techniques or methods] to ensure secure deletion or destruction of PII (including originals, copies, and archived records).

    3. DM-3 Minimization of PII Used in Testing, Training, and Research
      The organization:

      1. Develops policies and procedures that minimize the use of PII for testing, training, and research; and

      2. Implements controls to protect PII used for testing, training, and research.

  5. IP Individual Participation and Redress
    This family addresses the need to make individuals active participants in the decision-making process regarding the collection and use of their PII. By providing individuals with access to PII and the ability to have their PII corrected or amended, as appropriate, the controls in this family enhance public confidence in organizational decisions made based on the PII.

    1. IP-1 Consent
      The organization:

      1. Provides means, where feasible and appropriate, for individuals to authorize the collection, use, maintaining, and sharing of PII prior to its collection;

      2. Provides appropriate means for individuals to understand the consequences of decisions to approve or decline the authorization of the collection, use, dissemination, and retention of PII;

      3. Obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected PII; and

      4. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initially described in the public notice that was in effect at the time the organization collected the PII.

    2. IP-2 Individual Access
      The organization:

      1. Provides individuals the ability to have access to their PII maintained in its system(s) of records;

      2. Publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records;

      3. Publishes access procedures in System of Records Notices (SORNs); and

      4. Adheres to Privacy Act requirements and OMB policies and guidance for the proper processing of Privacy Act requests.

    3. IP-3 Redress
      The organization:

      1. Provides a process for individuals to have inaccurate PII maintained by the organization corrected or amended, as appropriate; and

      2. Establishes a process for disseminating corrections or amendments of the PII to other authorized users of the PII, such as external information-sharing partners and, where feasible and appropriate, notifies affected individuals that their information has been corrected or amended.

    4. IP-4 Complaint Management
      The organization implements a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices.

  6. SE Security
    This family supplements the security controls in Appendix F to ensure that technical, physical, and administrative safeguards are in place to protect PII collected or maintained by organizations against loss, unauthorized access, or disclosure, and to ensure that planning and responses to privacy incidents comply with OMB policies and guidance. The controls in this family are implemented in coordination with information security personnel and in accordance with the existing NIST Risk Management Framework.

    1. SE-1 Inventory of Personally Identifiable Information
      The organization:

      1. Establishes, maintains, and updates [Assignment: organization-defined frequency] an inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing PII; and

      2. Provides each update of the PII inventory to the CIO or information security official [Assignment: organization-defined frequency] to support the establishment of information security requirements for all new or modified information systems containing PII.

    2. SE-2 Privacy Incident Response
      The organization:

      1. Develops and implements a Privacy Incident Response Plan; and

      2. Provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan.

  7. TR Transparency
    This family ensures that organizations provide public notice of their information practices and the privacy impact of their programs and activities.

    1. TR-1 Privacy Notice
      The organization:

      1. Provides effective notice to the public and to individuals regarding: (i) its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of PII; (ii) authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the organization uses PII and the consequences of exercising or not exercising those choices; and (iv) the ability to access and have PII amended or corrected if necessary;

      2. Describes: (i) the PII the organization collects and the purpose(s) for which it collects that information; (ii) how the organization uses PII internally; (iii) whether the organization shares PII with external entities, the categories of those entities, and the purposes for such sharing; (iv) whether individuals have the ability to consent to specific uses or sharing of PII and how to exercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PII will be protected; and

      3. Revises its public notices to reflect changes in practice or policy that affect PII or changes in its activities that impact privacy, before or as soon as practicable after the change.

    2. TR-2 System of Records Notices and Privacy Act Statements
      The organization:

      1. Publishes System of Records Notices (SORNs) in the Federal Register, subject to required oversight processes, for systems containing PII;

      2. Keeps SORNs current; and

      3. Includes Privacy Act Statements on its forms that collect PII, or on separate forms that can be retained by individuals, to provide additional formal notice to individuals from whom the information is being collected.

    3. TR-3 Dissemination of Privacy Program Information
      The organization:

      1. Ensures that the public has access to information about its privacy activities and is able to communicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO); and

      2. Ensures that its privacy practices are publicly available through organizational websites or otherwise.

  8. UL Use Limitation
    This family ensures that organizations only use PII either as specified in their public notices, in a manner compatible with those specified purposes, or as otherwise permitted by law. Implementation of the controls in this family will ensure that the scope of PII use is limited accordingly.

    1. UL-1 Internal Use
      The organization uses PII internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.

    2. UL-2 Information Sharing with Third Parties
      The organization:

      1. Shares PII externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes;

      2. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used;

      3. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and

      4. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required.