10.5.5 IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance, and Requirements

Manual Transmittal

July 10, 2018

Purpose

(1) This transmits revised IRM 10.5.5, Privacy and Information Protection, Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.

Material Changes

(1) IRM 10.5.5, Program Scope and Objectives - Revised the title to properly reflect the information communicated in this IRM subsection. Rearranged existing IRM content to place information involving internal controls under this subsection to conform to the new rules described in IRM 1.11.2. Subsections added under Program Scope and Objectives applicable to this program include:

  1. IRM 10.5.5.1.1, Background - Added historical information about the unauthorized access (UNAX) program.

  2. IRM 10.5.5.1.2, Authorities - Added UNAX authorities.

  3. IRM 10.5.5.1.3, UNAX Program Roles - Refers to subsequent subsections within IRM 10.5.5.

  4. IRM 10.5.5.1.4, Terms - Lists frequently used UNAX program terms from prior versions of IRM 10.5.5.

  5. IRM 10.5.5.1.5, Acronyms - Compiled a list of frequently used abbreviations and their terms in the UNAX program.

  6. IRM 10.5.5.1.6, Related Resources - Added resources containing additional information on the UNAX program.

(2) IRM 10.5.5.2 - Added details and clarifications to the UNAX program summary.

(3) IRM 10.5.5.3 - Added clarifications to Servicewide roles and responsibilities for administering the IRS UNAX program.

(4) IRM 10.5.5.3.3 - Added subsection detailing Head of Office Designee (HOD) UNAX responsibilities.

(5) IRM 10.5.5.3.4 - Added contractors to the subsection detailing employee UNAX responsibilities.

(6) IRM 10.5.5.4 - Removed "Covered Relationships" from this subsection and created a new "Covered Relationships" subsection in IRM 10.5.5.5.

(7) Made other editorial clarifications throughout.

Effect on Other Documents

There are no effects on other documents.

Audience

All IRS employees and IRS contractors (including contractors, subcontractors, non-IRS-procured contractors, vendors, and outsourcing providers).

Effective Date

(07-10-2018)

Celia Doggette, Director,
Identity and Records Protection

Program Scope and Objectives

  1. Purpose: This IRM section details the comprehensive, uniform unauthorized access (UNAX) policies, procedures, and requirements to be followed by all IRS organizations. Policy Statement 1-1 provides that taxpayers "have the right to expect that the Service will collect, maintain, use, and disseminate personally identifiable information and data only as authorized by law and as necessary to carry out agency responsibilities." See IRM 1.2.10.2.

  2. Audience: All IRS employees and contractors.

  3. Program Owner: The Identity and Records Protection (IRP) office under Privacy, Governmental Liaison and Disclosure (PGLD) is responsible for oversight of the Servicewide UNAX program.

Background

  1. Since the inception of the Integrated Data Retrieval System (IDRS) in 1972, IRS has worked continuously to prevent and detect unauthorized access, attempted access and inspection of taxpayer records in all IRS internal and external computer systems.

  2. After UNAX concerns were reported in 1993, the Service implemented an information system to help perform detection analyses of audit trail information.

  3. On August 5, 1997, the Taxpayer Browsing Protection Act (Public Law No. 105-35) was signed into law, adding civil penalties for willful unauthorized disclosure, access, or inspection of taxpayer records to the prior statutes. It also makes all cases of UNAX - electronic and paper - a crime that carries with it penalties ranging from loss of job to fines and prison terms if an individual is convicted.

Authorities

  1. Taxpayer Browsing Protection Act (Public Law No. 105-35).

  2. IRC 7213A, Unauthorized inspection of returns or return information.

  3. IRC 7431, Civil Damages for Unauthorized Inspection.

UNAX Responsibilities

  1. IRM 10.5.5.3 through IRM 10.5.5.3.4 contain UNAX roles and responsibilities for:

    1. Servicewide applications

    2. The IRP office

    3. IRS managers

    4. Head of Office Designee (HOD)

    5. IRS employees and contractors

Terms and Definitions

  1. UNAX: The willful unauthorized access, attempted access or inspection of taxpayer returns or return information.

  2. Covered Relationships: Personal or outside business relationships that can raise questions about the employee’s impartiality in the handling of a tax matter.

Acronyms

  1. The following table contains definitions for the acronyms most commonly used in this IRM:

    Acronym   Definition
    AMS       Accounts Management System
    EUP       Employee User Portal
    HCO       Human Capital Office
    HOD       Head of Office Designee
    IDRS      Integrated Data Retrieval System
    IRP       Identity and Records Protection
    IT        Information Technology
    PGLD      Privacy, Governmental Liaison and Disclosure
    RUP       Registered User Portal
    TIGTA     Treasury Inspector General for Tax Administration
    TDS       Transcript Delivery System
    UNAX      Unauthorized access, attempted access, or inspection

Related Resources

  1. UNAX Knowledge Base site at: https://portal.ds.irsnet.gov/sites/vl003/lists/unax1/landingview.aspx.

  2. Document 10281, Safeguarding Taxpayer Records Renewing Our Commitment - UNAX Employee Booklet.

  3. Document 12612, Stop UNAX In Its Tracks.

  4. Document 12692, UNAX If/Then Chart.

IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program

  1. To implement the requirements of the Taxpayer Browsing Protection Act (Public Law No. 105-35), the IRS created the willful unauthorized access, attempted access or inspection of taxpayer records (UNAX) program. The Taxpayer Browsing Protection Act, in conjunction with the UNAX program, provides the following:

    1. Willful unauthorized access or inspection of taxpayer records is a crime, punishable upon conviction, by fines, imprisonment, and termination of employment. Taxpayer records include hard copies of returns and return information, as well as returns and return information maintained on a computer;

    2. When IRS employees are criminally charged, the IRS is required to notify taxpayers that their records have been accessed without authorization;

    3. A taxpayer who is a victim of unlawful access or inspection has the right to take legal action even if the taxpayer's information is never revealed to a third party;

    4. For contractors, the willful unauthorized access or inspection of taxpayer records can result in removal from the contract. Furthermore, upon conviction, it can result in fines and imprisonment;

    5. Criminal UNAX violations result from intentional unauthorized inspection of returns and return information. Under 26 USC 7213A, the violation is punishable by a fine not to exceed $1,000 or imprisonment of not more than 1 year, or both, together with the costs of prosecution. Upon conviction, the employee is terminated;

    6. UNAX violations may also result in penalties for misuse of a government computer;

    7. Non-Criminal Penalties – pursuant to IRS UNAX policy, removal is to be proposed for all UNAX violations. The penalty can be mitigated by the deciding official at the decision stage;

    8. Using information gained from a UNAX violation can lead to additional criminal charges such as falsification of records, fraud, embezzlement and identity theft; and

    9. The willful unauthorized disclosure of tax return or return information is a felony.

  2. IRS UNAX Policy provides that employees may be subject to administrative penalties for the willful and unauthorized attempted access of their own or another taxpayer's records.

    1. Administrative penalties include but are not limited to:

      • Removal of employee

      • Suspension of employee

    2. Additional information on penalties for UNAX violations can be found in Document 11500, IRS Manager’s Guide to Penalty Determinations.

  3. The IRS relies on the ethics and integrity of its employees and contractors and enlists their support in eliminating all cases of UNAX. Employees who have knowledge of a suspected UNAX violation must report it to the U.S. TIGTA or their managers.

Servicewide Roles and Responsibilities for Administering the IRS UNAX Program

  1. Human Capital Office (HCO) Workforce Relations Division is responsible for managing the administrative adjudication of confirmed UNAX cases. This office coordinates with TIGTA and the Office of Chief Counsel, General Legal Services (GLS) to ensure employees are treated fairly and equitably in every UNAX case. Workforce Relations is responsible for:

    1. tracking and reporting UNAX case status from inception to final disposition;

    2. preparing the necessary documents in support of the administrative actions taken by management;

    3. forwarding the necessary documents to management; and

    4. providing consultative support to management for administration of appropriate discipline.

  2. Information Technology (IT) Cybersecurity is responsible for reviewing and certifying various data security reports. Cybersecurity must analyze and partner with management to determine the validity of account-related accesses. Questionable accesses are referred to TIGTA as potential UNAX violations.

  3. The IRS organizations assign business unit Points of Contact (POCs) for the annual UNAX briefing and eCertification process. They are responsible for the following:

    1. attending meetings to discuss data security – including UNAX;

    2. working with the Privacy, Governmental Liaison and Disclosure (PGLD) UNAX team and their business unit managers to ensure all of their business unit employees complete the required briefings and certifications;

    3. supporting the Annual UNAX Briefing process by collecting and accounting for Forms 11370, Certification of Annual Awareness Briefing, within their business unit that could not be completed online;

    4. submitting completed Forms 11370 to National Archives and Records Administration (NARA) for inclusion in employees’ Official Personnel Folders;

    5. reviewing the business unit’s completion statistics; and

    6. informing management officials of the business unit’s UNAX Awareness Briefing completion rates.

  4. Facilities Management and Security Services (FMSS). Contractor Security Management (CSM) manages contractors' completion of the Annual UNAX Awareness Briefing and ensures system and facility accesses are removed when a contractor separates. IRS contractors (including contractors, subcontractors, non-IRS-procured contractors, vendors, and outsourcing providers), like all IRS employees, are required to complete an Annual UNAX Awareness Briefing and provide a completed Form 11370 to their Contracting Officer’s Representative (COR).

  5. TIGTA is responsible for investigating all potential UNAX allegations received. This responsibility includes but is not limited to potential computer inspection techniques and computer system generated audit trails. Substantiated UNAX violations will be referred to the Department of Justice for Criminal Prosecution.

  6. The IRP UNAX Program Team, within PGLD, is responsible for the development and distribution of UNAX educational materials, including the Annual UNAX Awareness Briefing aimed at preventing and reducing the number of UNAX incidents.

  7. All Senior Executives and managers are responsible for:

    1. monitoring, assigning or removing employee or contractor access to IRS (internal or external) computing systems as needed based on assigned IRS duties. Systems that must be monitored include (but are not limited to): Integrated Data Retrieval System (IDRS), Modernized e-File (MeF), Accounts Management System (AMS), Transcript Delivery System (TDS), Registered User Portal (RUP), Employee User Portal (EUP) etc.,

    2. approving employee access to any internal or external IRS computer system only when required to complete official IRS duties as assigned by management, and

    3. removing access to any internal or external computer system when it is no longer required to complete official IRS duties as assigned by management.

  8. All IRS employees and contractors are responsible for:

    1. accessing IRS paper or electronic tax records or tax information only when it is required to complete official IRS duties as assigned by management;

    2. informing their managers when they no longer require access to a specific IRS internal or external computer system or command code requiring administrative approval;

    3. refraining from accessing unauthorized tax information; and

    4. refraining from accessing their own records, or records of anyone with whom they have a covered relationship. This includes:

      • Their spouse and any ex-spouses;

      • Their children;

      • Their parents and grandparents;

      • Anyone living in their household;

      • Their other close relatives;

      • Friends or neighbors with whom they have close relationships;

      • Celebrities, when the information is not needed to carry out tax related duties;

      • An individual or organization for which they or their spouse is an officer, trustee, general partner, agent, attorney, consultant, contractor, employee, or member; and

      • Any other individual or organization with which they may have a personal or outside business relationship that could raise questions about their lack of impartiality in handling the tax matter.

      Any other individual unless access is required by their duties as assigned by management.

IRP UNAX Program Team Roles and Responsibilities

  1. The IRS is committed to preventing the willful unauthorized access, attempted access and inspection of taxpayer records. The IRP UNAX Program Team's mission is to ensure all employees and contractors:

    1. Understand what UNAX is;

    2. Understand what the consequences are if an employee accesses or inspects taxpayer records or tax information (electronic or paper) for other than management authorized tax administration reasons; and

    3. Work to prevent all instances of UNAX violations. Please refer to the UNAX website for additional information: https://portal.ds.irsnet.gov/sites/vl003/Lists/UNAX1/DispItemForm.aspx?ID=1

  2. The UNAX Program Team shall, in partnership with TIGTA, HCO, IT Cybersecurity, and other stakeholders develop and implement a comprehensive Servicewide UNAX program that includes:

    1. UNAX education;

    2. UNAX detection;

    3. UNAX compliance for employees and contractors.

  3. The UNAX Program Team shall, in partnership with TIGTA, HCO, IT Cybersecurity, and other stakeholders take action to:

    1. Mitigate weaknesses in programs and systems that lead to low UNAX compliance rates;

    2. Identify areas for compliance improvement;

    3. Re-train and certify employees and contractors;

    4. Implement other measures designed to foster voluntary UNAX compliance; and

    5. Stop all willful and attempted unauthorized access, and inspection of taxpayer records.

  4. The UNAX Program Team shall:

    1. Update, administer and maintain the IRS UNAX website containing information, policies, procedures, forms and links that support the UNAX program;

    2. Communicate and administer the Servicewide Annual UNAX Awareness Briefing Certification Program (for employees only) to include:

      Item  Description
      i     Review and update, in partnership with all stakeholders, UNAX briefing materials to keep information current, relevant and effective;
      ii    Track the numbers of employees who take the annual UNAX mandatory briefing, and provide relevant statistical data to IRS executive leadership;
      iii   Request Senior officials to designate UNAX coordinators for their respective organizations on a yearly basis;
      iv    Provide instruction and guidance to business unit UNAX coordinators prior to and during the annual Servicewide mandatory briefing cycle to ensure accurate reporting of the numbers of employees who complete the briefing;
      v     Prepare and deliver reports to senior officials that track the numbers of employees who take the mandatory briefing; and
      vi    Investigate reasons for business units with low rates of compliance.

    3. Notify taxpayer victims when a person is charged criminally by indictment with unauthorized inspection or disclosure (prior to any possible conviction) as provided/reported by TIGTA, as required by 26 USC 7431(e). Notification letters will be sent to victims to alert the taxpayer of permissible next steps;

    4. Brief newly appointed executives regarding the UNAX program focusing on their UNAX responsibilities;

    5. Provide all managers the guidance and tools needed to help them maintain an ongoing dialogue with their employees and contractors about UNAX violations and the consequences and penalties for willfully accessing or inspecting taxpayer records for other than authorized tax administrative duties as assigned by management;

    6. Respond to inquiries from managers, employees and taxpayers concerning UNAX reporting requirements and other UNAX inquiries, or refer them to other UNAX subject matter experts and stakeholders as appropriate;

    7. Educate Senior officials and managers on recertification requirements to ensure that all employees returning to work from UNAX disciplinary actions or after an extended absence or furlough complete recertification within thirty days if they had previously completed the mandatory briefing during the preceding 12 months, and immediately upon return to duty if they had not;

    8. Develop and distribute comprehensive "just-in-time" Servicewide communications for all employees to understand the importance of the mandatory Annual UNAX Awareness Briefing and the rules for certifying that the briefing was completed; and

    9. Ensure Senior officials, managers and employees understand the procedures, next steps and consequences for employees who refuse to take the mandatory Annual UNAX Awareness Briefing.

Manager UNAX Responsibilities

  1. All managers must take an active role to prevent willful and attempted unauthorized access, and inspection of taxpayer information in electronic and paper form. This involves overseeing employees’ work as well as continually stressing the importance of protecting and securing taxpayer records;

  2. IRS Manager’s Guide to Penalty Determinations (Doc. 11500) states that managers may be subject to written reprimand, suspension or removal for failure to adequately instruct, train, or supervise employees in their responsibilities for record and information protection;

  3. Communicating with employees on a regular basis ensures they are aware of UNAX prohibitions and the penalties. Communication also ensures employees know how to document and report inadvertent or unintentional access;

  4. Managers are responsible for the timely and thorough review of available system security reports. Managers must report suspected UNAX violations or any unusual activity to TIGTA for investigation;

  5. Managers must monitor and ensure that employees have access to IRS internal or external computer systems containing taxpayer information only when necessary to complete their IRS officially assigned duties;

  6. Managers must ensure employees who are being investigated for UNAX violations are promptly removed from IDRS and any other IRS computer system requiring administrative approval and containing taxpayer information. Managers must also ensure these employees are removed from other tax related duties;

  7. Signing and timely submitting Form 11377 or Form 11377-E, Taxpayer Data Access, to the designated head of office designee. Form 11377 or Form 11377-E is used to document accesses to taxpayer information that are not supported by direct case assignment or that may otherwise appear questionable. A manager’s signature on this form does not imply authorization for documented accesses. The access may still be subjected to further review and investigation. Referring all questionable accesses to TIGTA;

  8. Making fair and timely reassignments whenever an employee reports having a covered relationship with an individual or organization in an assigned tax duty which may cause a conflict of interest. Form 4442, Inquiry Referral, may be used by the employee to request such reassignments, thus avoiding a possible conflict of interest;

  9. Educating employees to avoid UNAX violations, and assuring employees know the consequences of their actions;

  10. Leading by example; and

  11. Ensuring their employees’ access to IRS internal or external computer systems is:

    1. controlled through the OL5081 approval process,

    2. granted only when required to complete official duties, and

    3. removed when no longer required to complete official duties.

Head of Office Designee (HOD) UNAX Responsibilities

  1. All HODs are responsible for protecting the confidentiality and privacy of taxpayer information to which they have access.

  2. The HODs receive Form 11377 or Form 11377-E from managers and prepare them for storage.

  3. The HODs are responsible for uploading Form 11377/11377-E into the Taxpayer Data Access Library where it is maintained for six years.

    Note: More detailed instructions for these responsibilities are found in the HOD Guide within the Taxpayer Data Access Library.

Employee and Contractor UNAX Responsibilities

  1. All IRS employees (including managers, executives and contractors) are responsible for protecting the confidentiality and privacy of taxpayer information to which they have access. They are responsible for understanding what UNAX means and what the potential consequences are for the willful or attempted unauthorized access, or inspection of paper or electronic taxpayer records. Employees should always err on the side of caution. If they are uncertain whether an access or inspection is appropriate, they should first consult with their managers. Employees are only allowed to access tax return information when it is needed to carry out their assigned tax administrative duties.

  2. The IRS relies on the ethics and integrity of its employees and enlists their support in eliminating "all" cases of UNAX.

  3. Employees may complete Form 11377 or Form 11377-E by close of business on the day of the access and forward the signed copy to their manager to document certain inadvertent accesses when one of the following situations occurs:

    • Accessed tax return information in error (such as accidentally entering an incorrect taxpayer identification number);

    • Accessed tax return or tax information of another IRS employee on an assigned case before recognizing the individual as someone known to the employee;

    • Accessed tax return or tax information on an assigned case of an individual or organization before recognizing it as belonging to a person or business with whom the employee has a personal or business relationship;

    • Researched other taxpayer's information as it related to an assigned case; and

    • Received requests from management to access taxpayer information on cases not assigned to the employee.

  4. Review and apply the guidance within this IRM, the Employee's Guide to Safeguarding Taxpayer Records - Renewing Our Commitment, Document 10281, and other local UNAX directives.

  5. Take the Annual UNAX Awareness Briefing and complete the Certification documentation either online or by filling out Form 11370, Certification of Annual UNAX Awareness Briefing, if the briefing was not completed online.

  6. Timely refer to management cases where the employee's personal or business relationship can raise questions concerning a possible lack of impartiality in handling a tax matter. (Please see covered relationships in 10.5.5.5 for additional information.) Employees should use Form 4442, Inquiry Referral, for this purpose.

  7. Refrain from accessing returns and return information of other employees known to them unless approved in writing by management;

  8. Inform their managers when access to an IRS internal or external computer system or command code, requiring administrative approval and not available to the general public, is no longer required to complete IRS officially assigned duties;

  9. Refrain from accessing or asking other IRS employees to access information of individuals with whom they have a "covered relationship";

  10. Report any knowledge of a suspected UNAX violation to their local TIGTA office or to the TIGTA toll free hotline at: 1-800-366-4484. TIGTA is responsible for investigating all UNAX allegations. IRS employees are protected by law from reprisals when they have reasonable cause to report suspected UNAX violations to TIGTA;

  11. Refrain from accessing tax returns or tax return information in any IRS internal or external computer system (e.g., IDRS, AMS, TDS, RUP, EUP, etc.) unless the access is necessary to complete their official IRS duties as assigned by management; and

  12. Refrain from accessing tax returns or tax return information on a personal computer that they are not authorized to access on their work computer. For example: An IRS employee had formerly held a position as an accountant prior to becoming employed by IRS. He kept his access to the IRS Registered User Portal (RUP). The employee accessed tax return information on the RUP of a former client on his personal computer. This is an unauthorized access and a UNAX violation. IRS employees can only access those accounts assigned to them by IRS management as part of their official IRS tax duties.

Official Channels

  1. The IRS policy on access to paper and electronic tax returns and return information states “Employees are only allowed access to tax returns and return information when the information is received through official channels and is needed to carry out official IRS tax duties”;

  2. Official Channels include:

    1. Cases assigned by a manager;

    2. Taxpayer walk-ins;

    3. Telephone calls from taxpayers;

    4. Official correspondence; and

    5. Related case inquiries.

  3. Unofficial Channels include:

    1. Requests from individuals at social functions and non-work environments; and

    2. Requests received from close friends, close relatives, close neighbors or co-workers whom you know.

Covered Relationships

  1. Covered Relationships are those personal or business relationships that can raise questions on the appearance of a lack of impartiality in the handling of a tax matter. As a result, individuals or businesses can be perceived as receiving expedited or preferential treatment that is unavailable to the general taxpayer public. Requests that are not received through the normal course of business or through official or administrative channels can indicate a covered relationship. Employees are not authorized to access the tax records or tax information of anyone with whom they have a covered relationship:

    1. Their spouse and any ex-spouses;

    2. Their children;

    3. Their parents and grandparents;

    4. Anyone living in their household;

    5. Their other close relatives;

    6. Friends or neighbors with whom they have close relationships;

    7. Celebrities, when the information is not needed to carry out tax related duties;

    8. An individual or organization for which they or their spouse is an officer, trustee, general partner, agent, attorney, consultant, contractor, employee, or member; and

    9. Any other individual or organization with whom they may have a personal or outside business relationship that could raise questions about their lack of impartiality in handling the tax matter.

  2. Celebrity browsing or inspection of a celebrity's return or return information constitutes a serious UNAX violation with potential for fines, imprisonment, and dismissal. Employees have no legitimate tax-related reason to access the account of a celebrity unless they receive the matter through official channels or in the normal course of business.

Violations of IRS Policy on UNAX

  1. The willful unauthorized access or inspection of taxpayer information - both electronic and paper - is a crime. Upon conviction, employees can be subject to penalties ranging from job loss to fines and prison terms.

  2. The IRS established the IRS Manager’s Guide to Penalty Determinations (Document 11500) to cover UNAX violations that are not criminally prosecuted.

  3. Non-Criminal/Administrative penalties for violating the UNAX Policy range from admonishment to removal from Federal Service.

    1. The Agency can still take disciplinary action against employees for violating the Agency’s UNAX policy even though they may not be criminally charged with violating the Taxpayer Browsing Protection Act.

    2. Temporary employees and employees in a probationary or trial period may be terminated for UNAX violations.

  4. Criminal Penalties Assessed Upon Conviction for Violating the Taxpayer Browsing Protection Act Include:

    1. A fine in any amount not exceeding $1,000;

    2. Imprisonment of not more than one year;

    3. Both the fine and imprisonment; and

    4. Cost of prosecution.

  5. Civil Penalties: Taxpayers have the right to take legal action against the IRS when they are victims of unlawful access or inspection even if their information is never revealed to a third party. IRS is required to notify taxpayers that their records have been accessed without authorization when an employee or manager is criminally charged.