Part 10. Security, Privacy, Assurance and Artificial Intelligence

Chapter 5. Privacy and Information Protection

Section 5. IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance, and Requirements

10.5.5 IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance, and Requirements

Manual Transmittal

April 21, 2026

Purpose

(1) This transmits revised IRM 10.5.5, Privacy and Information Protection, Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance and Requirements.

Material Changes

(1) IRM 10.5.5.1, Program Scope and Objectives, updated subsections as required in IRM 1.11.2.2.4, Address Management and Internal Controls.

(2) IRM 10.5.5.1.1, Background, updated with current information.

(3) IRM 10.5.5.1.2, Authority, updated title and added 26 USC 6103, Confidentiality and Disclosure of Returns and Return Information.

(4) IRM 10.5.5.1.3, Roles and Responsibilities, updated title to reflect correct language and, roles and responsibilities.

(5) IRM 10.5.5.1.4, Program Management and Review, updated subsection as required in IRM 1.11.2.2.4, Address Management and Internal Controls.

(6) IRM 10.5.5.1.5, Program Controls, updated subsection as required in IRM 1.11.2.2.4, Address Management and Internal Controls.

(7) IRM 10.5.5.1.6, Terms, updated subsection to define terms listed throughout this IRM.

(8) IRM 10.5.5.1.7, Acronyms, added new subsection as required in IRM 1.11.2.2.4, Address Management and Internal Controls.

(9) IRM 10.5.5.1.8, Related Resources, added and updated subsection with additional sources of guidance.

(10) IRM 10.5.5.2, Director, Identity and Records Protection, renamed and revised section to eliminate duplication of information and improve readability.

(11) IRM 10.5.5.3, Unauthorized Access (UNAX) Program Office, moved, revised, and renumbered from subsection 10.5.5.3.1. Revises previous section to eliminate duplication of information and improve readability.

(12) IRM 10.5.5.4, Treasury Inspector General for Tax Administration (TIGTA), added new section to eliminate duplication of information and improve readability.

(13) IRM 10.5.5.5, Human Capital Office (HCO) Employee Relations and Office of Chief Counsel (OCC), General Legal Services (GLS), added new section to eliminate duplication of information and improve readability.

(14) IRM 10.5.5.6, Human Capital Office (HCO) IRS University (IRSU), added new section to eliminate duplication of information and improve readability.

(15) IRM 10.5.5.7, Information Technology (IT), added new section to eliminate duplication of information and improve readability.

(16) IRM 10.5.5.8, Facilities Management and Security Services (FMSS), added new section to eliminate duplication of information and improve readability.

(17) IRM 10.5.5.9, IRS Chief Counsel, added new section to eliminate duplication of information and improve readability.

(18) IRM 10.5.5.10, Chief, Procurement, added new section to eliminate duplication of information and improve readability.

(19) IRM 10.5.5.11, PGLD, Incident Management (IM), added new section to eliminate duplication of information and improve readability.

(20) IRM 10.5.5.12, Mandatory Briefing Business Unit Points of Contact (POCs), added new section to eliminate duplication of information and improve readability.

(21) IRM 10.5.5.13, Head of Office Designee (HOD) UNAX Responsibilities, moved, revised, and renumbered from subsection 10.5.5.3.3. Revises previous section to eliminate duplication of information and improve readability.

(22) IRM 10.5.5.14, Contracting Officer’s Representative (COR) UNAX Responsibilities, moved, revised, and renumbered from subsection 10.5.5.3.4. Revises previous subsection to eliminate duplication of information and improve readability.

(23) IRM 10.5.5.15, Senior Executives and Senior Manager’s Responsibilities, added new section to eliminate duplication of information and improve readability.

(24) IRM 10.5.5.16, Manager UNAX Responsibilities, moved, revised, and renumbered from subsection 10.5.5.3.2. Revises previous subsection to eliminate duplication of information and improve readability.

(25) IRM 10.5.5.17, IRS Personnel UNAX Responsibilities, renamed section title from Employee UNAX responsibilities. Moved, revised, and renumbered from subsection 10.5.5.3.5. Revises previous subsection to eliminate duplication of information and improve readability.

(26) IRM 10.5.5.18, IRS Unauthorized Access, Attempted Access, or Inspection of Taxpayer Records (UNAX) Program, added new section to eliminate duplication of information and improve readability.

(27) IRM 10.5.5.19, Official Channels, - moved, revised, and renumbered from section 10.5.5.4. Revises previous subsection to eliminate duplication of information and improve readability.

(28) IRM 10.5.5.20, Covered Relationships, moved, revised, and renumbered from section 10.5.5.5. Revises previous subsection to eliminate duplication of information and improve readability.

(29) IRM 10.5.5.21, Violations of IRS UNAX Policy, moved, revised, and renumbered from section 10.5.5.6. Revises previous subsection to eliminate duplication of information and improve readability.

(30) IRM 10.5.5.22, PGLD/UNAX 7431(e) Notification, added new section to eliminate duplication of information and improve readability.

(31) Editorial changes are made throughout to update division and office names, references, hyperlinks, and terminology.

Effect on Other Documents

This IRM supersedes IRM 10.5.5 dated March 8, 2023. This IRM incorporates the following Interim Guidance Memorandum (IGM): PGLD-10-0124-003, Procedures for Applying the IRC 7431(e) Notification Tracking Indicator associated with Letter 6613, dated January 19, 2024.

Audience

All IRS employees and contractors (including subcontractors, non-IRS-procured contractors, vendors, and outsourcing providers who have staff-like access).

Effective Date

(04-21-2026)

Stephen E. Brooks
Acting Director, Identity and Records Protection

10.5.5.1 (04-21-2026)

Program Scope and Objectives

  1. Purpose: This IRM details the policies, procedures and requirements regarding unauthorized access, attempted access, or inspection of taxpayer records (UNAX). Policy Statement 1-1 provides that taxpayers "have the right to expect that the Service will collect, maintain, use, and disseminate personally identifiable information and data only as authorized by law and as necessary to carry out agency responsibilities." See IRM 1.2.1.2.1(9).

  2. Audience: Unless otherwise indicated, the policies, authorities, procedures, and guidance contained in this IRM apply to all business units.

  3. Policy Owner: Director, Identity and Records Protection (IRP) - Information Protection Projects (IPP).

  4. Program Owner: The Information Protection Projects (IPP) program office under Privacy, Governmental Liaison and Disclosure (PGLD)’s IRP is responsible for administering Servicewide policy, training, and communication provided by the UNAX Program Office.

  5. Primary Stakeholders: All IRS personnel and business units must follow this policy. Human Capital Office (HCO), PGLD, IT, Procurement, Counsel, FMSS, and Treasury Inspector General for Tax Administration (TIGTA) have a key UNAX program component role and responsibility in the UNAX program.

10.5.5.1.1 (04-21-2026)

Background

  1. Since the inception of the Integrated Data Retrieval System (IDRS) in 1972, IRS has worked continuously to prevent and detect unauthorized access, attempted access and inspection of taxpayer records (UNAX) in all IRS internal and external computer systems.

  2. After UNAX concerns were reported in 1993, the Service implemented an information system to perform detection analyses of audit trail information.

  3. On August 5, 1997, the Taxpayer Browsing Protection Act (Public Law No. 105-35) (codified at 26 USC 7213A, 7431) was signed into law, making willful unauthorized access or inspection of taxpayer records a crime. Under the law, willful UNAX of any taxpayer records, including electronic and hard copies of returns and return information, is a misdemeanor. Upon conviction, penalties can include fines up to $1,000 and/or up to one year in prison (together with the costs of prosecution), as well as mandatory termination of probationary employees and removal of employees and contractors.

  4. The Taxpayer Browsing Protection Act also established the right of taxpayers to seek civil damages in federal court. It requires the IRS to notify if any person is criminally charged by indictment when inspecting or disclosing the taxpayer’s return or return information without authorization.

    Note:

    The Taxpayer First Act (Public Law No. 116-25) (codified at 26 USC 7431), Section 3002 requires IRS to notify a taxpayer if IRS recommends disciplinary action against an employee found to have accessed the taxpayer’s return or return information without permission.

10.5.5.1.2 (04-21-2026)

Authority

  1. Taxpayer Browsing Protection Act (Public Law No. 105-35).

  2. 26 USC 7213A, Unauthorized inspection of returns or return information.

  3. 26 USC 7431, Civil Damages for Unauthorized Inspection or disclosure of returns and return information.

  4. 26 USC 6103, Confidentiality and disclosure of returns and return information Confidentiality and disclosure of returns and return information.

  5. Taxpayer First Act https://www.irs.gov/pub/irs-pdf/p5426.pdf.

10.5.5.1.3 (04-21-2026)

Roles and Responsibilities

  1. The Chief Privacy Officer, Governmental Liaison and Disclosure (PGLD) is the executive responsible for this IRM and overall Servicewide policy.

  2. The Privacy, Governmental Liaison and Disclosure, Identity and Records Protection (IRP) office is responsible for developing and publishing content in this IRM.

  3. The Privacy, Governmental Liaison and Disclosure, Information Protection Projects (IPP) office is responsible for the operation and administration of this IRM.

  4. The IRS is committed to preventing the willful unauthorized access, attempted access, and inspection of taxpayer records (UNAX). The UNAX Program Office, within PGLD, administers the Servicewide UNAX Program in partnership with TIGTA, HCO, IT, Counsel, and other stakeholders.

  5. The UNAX Program consists of six (6) distinct components:

    1. Prevention - Implementing policies, training, and other controls to prevent UNAX violations before they happen.

    2. Detection - Performing various activities to detect, review, and refer potential UNAX violations or behavioral anomalies indicating potential UNAX violations to TIGTA and IRS stakeholders.

    3. Investigation - Conducting necessary activities to investigate potential UNAX violations and refer substantiated cases to DOJ and IRS for adjudication.

    4. Adjudication - Evaluating intent and severity of substantiated UNAX cases to determine the appropriate disciplinary action and enforce accountability for violators.

    5. Notification - Notifying affected taxpayers of their right to take legal action when IRS personnel are criminally charged or administratively disciplined.

    6. Reporting - Monitoring, analyzing and reporting UNAX cases to identify trends and take action to mitigate risk and prevent future violations.

  6. Review IRM 10.5.5.2 through 10.5.5.17 for a complete listing of IRS-Wide Roles and Responsibilities.

10.5.5.1.4 (04-21-2026)

Program Management and Review

  1. The UNAX Program is responsible for managing:

    1. Annual Review of UNAX Awareness Briefing – Formal review of the UNAX mandatory briefing which includes updates when needed, and development of new UNAX vignettes periodically to keep employees engaged and mitigate potential UNAX violations.

    2. Oversight of UNAX Statistics and Metrics – Extracts applicable data from IT systems (e.g., Service Central, ALERTS, e-Trak) and analyze metrics to assess unauthorized access incidents by individuals.

    3. UNAX Taxpayer Notification - Provides written communication to taxpayers impacted by UNAX violations.

    4. Administration of UNAX policies and procedures - Maintain and modernize all applicable UNAX policies and procedures.

    5. Head of Office Designee Listing - Maintain a comprehensive list of individuals representing Servicewide business units that manage the storage of Form 11377.

    6. UNAX Media Publications - Provides documents, guidance and tools to IRS personnel on preventing, reporting, and documenting inadvertent accesses to taxpayer information and willful UNAX violations.

    7. UNAX Forums - Expands the awareness and education of unauthorized access prevention, bolster understanding consequence of noncompliance, address strategies to reduce the volume on unauthorized access investigations and promote IRS personnel vigilance in UNAX prevention.

10.5.5.1.5 (04-21-2026)

Program Controls

  1. UNAX Certification – The Service requires IRS personnel to complete the Annual UNAX Mandatory Awareness briefing and certify they completed the briefing regardless of whether they have access to taxpayer information. Every employee and contractor are responsible for protecting the confidentiality and privacy of taxpayer information.

  2. Annual UNAX Training Completion Report – Review information from HCO regarding completion rate for mandatory briefing cycle and share July – October completion reports with business unit points of contacts.

  3. UNAX Statistics and Metrics Reports - Reports used to monitor UNAX cases and determine trends.

10.5.5.1.6 (04-21-2026)

Terms

  1. Case - Once under investigation, a UNAX incident becomes part of a case as it is investigated by TIGTA and, subsequently, IRS. A closed case is an investigation that has been completed by both TIGTA and IRS.

  2. Contractors with staff-like access - A contracted individual that has been granted access to IRS facilities, systems, or information. IRM 10.23.2, Contractor Investigations, states staff-like access (SLA) is the authority granted to perform one or more of the following:

    1. Enter IRS facilities or space (owned or leased) unescorted (when properly badged).

    2. Possess login credentials to information systems (IRS or vendor-owned systems that store, collect, or process IRS information).

    3. Possess physical or logical access to (including the opportunity to see, read, transcribe, or interpret) SBU data, wherever the location.

    4. Possess physical access to (including the opportunity to see, read, transcribe, or interpret) security items and products (such as items you must store in a locked container, security container, or a secure room, wherever the location). These items include security devices, records, computer equipment, and identification media. Refer to IRM 10.2.14.3, Protecting Assets.

    5. Enter the physical areas, wherever the location, that have SBU data (unescorted).

      Note:

      SLA is granted to an individual who is not an IRS employee (and includes: contractors and subcontractors, whether procured by IRS or another entity, vendors, delivery persons, experts, consultants, paid or unpaid interns, other federal employees, and cleaning or maintenance employees), and is approved upon required completion of a favorable suitability or fitness determination conducted by IRS Personnel Security.

  3. Covered Relationship - Personal or outside business relationships that can raise questions about the employee’s and contractor’s impartiality in the handling of a tax matter.

  4. Criminal Information - The formal charge filed directly by a DOJ prosecutor without a grand jury.

  5. Employee - IRS employees, which include:

    1. Employees (part-time, full-time)

    2. Seasonal or temporary employees

    3. Interns, and

    4. Detailees.

      Note:

      Refer to IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

  6. Federal Tax Information (FTI) - Any return or return information as defined in 26 USC 6103(b). This includes any information obtained, received, or generated by IRS or any Treasury component with respect to determining liability under the IRC. This includes returns and return information received directly by IRS or obtained through an authorized secondary source such as the Social Security Administration or another entity action on IRS’s behalf. Examples include paper and electronic forms such as Forms 1040, 941, 1099, 1120 and W-2.

  7. Final Disposition - The outcome of a UNAX and/or UNAD case. Dispositions can include prosecution, termination/removal, cleared, or other corrective actions/consequences.

  8. Inadvertent access - Occurs when an IRS employee or contractor accesses tax information unintentionally while performing official duties. Inadvertent access could be caused by many reasons including typographical errors and misrouted faxes.

  9. Incident - An unconfirmed instance of suspected willful unauthorized access or disclosure that is reported to the Treasury Inspector General for Tax Administration (TIGTA) for investigation.

  10. Indictment - The formal charge (written accusation) issued by a grand jury alleging the defendant committed a federal crime.

  11. Inspection - The terms “inspected” and “inspection” mean any observation, review, or examination of a return or return information (paper or electronic).

  12. 26 USC 7431 Taxpayer Notification Requirements - 26 USC 7431(e), Civil Damages for Unauthorized Inspection or Disclosure of Returns and Return Information, Notification of Unlawful Inspection and Disclosure requires taxpayer notification when any person has been criminally charged or administratively disciplined with the unauthorized disclosure or inspection of taxpayer returns or return information in violation of 26 USC 6103.

  13. Notification Letter - A written notification that an IRS employee(s) has been criminally charged and/or administratively disciplined with the unauthorized disclosure or inspection of the taxpayer’s tax return or return information. The letter references 26 USC or the TFA 3002 and advises taxpayers about the Crime Victims’ Rights Act (CVRA). Links with more information and emails to reach DOJ and IRS are included in the letter.

  14. Personnel - IRS personnel or users, which includes:

    1. Employees (part-time, full-time)

    2. Seasonal or temporary employees

    3. Interns

    4. Detailees

    5. Consultants

    6. IRS contractors (including contractors, subcontractors, non-IRS-procured contractors, vendors, and outsourcing providers), and

    7. Non-person entity (NPE), such as robotic process automation (RPA), bots, artificial intelligence (AI) workers, or digital assistants

      Note:

      Although these entities are not necessarily capable of following IRS privacy policy, the human parties using them are responsible. These entities must still follow the privacy controls. Refer to IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

  15. Return - Any tax or information return, estimated tax declaration, or refund claim (including amendments, supplements, supporting schedules, attachments, or lists) required by or permitted under the IRC and filed with the IRS by, on behalf of, or with respect to any person or entity (IRC 6103(b)(1). Examples include paper and electronic forms such as Forms 1040, 941, 1099, and 1120.

  16. Return Information - In general, is any information collected or generated by the IRS with regard to any person’s liability or possible liability under the Internal Revenue Code (IRC), codified at Title 26 of the United States Code. 26 USC 6103(b)(2)(A) defines return information as very broad. For example, return information includes information extracted from a return, including names of dependents or the location of a business and the status of whether a return was filed.

  17. TIGTA Report of Investigation or Complaint - Forms TIGTA uses to refer employee and contractor UNAX and UNAD cases to the IRS for “Appropriate Administrative Action and Response.”

  18. Unauthorized Access (UNAX) - The willful unauthorized access, attempted access or inspection of taxpayer returns or return information. Occurs when a person gains willful logical or physical access to FTI without authority under 26 USC 6103 and without a need-to-know.

    Note:

    The Taxpayer Browsing Protection Act forbids the willful unauthorized access or inspection of taxpayer records.

  19. Unauthorized Disclosure (UNAD) - Occurs when an IRS employee and contractor intentionally discloses a return or return information to someone who is not authorized to receive the information without authority under IRC 6103.

    Note:

    See IRM 10.5.4, Privacy and Information Protection, Incident Management Program for more information.

  20. Violation - A case is a substantiated, willful unauthorized access or disclosure violation after IRS confirms an employee or a contractor willfully accessed federal tax information that was not part of the employee’s or contractor’s assigned duties or was prohibited or willfully disclosed tax information to someone without authorization to have this information, respectively. Violations are referred to as substantiated cases.

10.5.5.1.7 (04-21-2026)

Acronyms

  1. This table lists commonly used acronyms and their definitions:

    Acronyms Definition
    AI Artificial Intelligence
    AMS Accounts Management System
    BEARS Business Entitlement Access Request System
    CO Contracting Officer
    COR Contracting Officer’s Representative
    DOJ Department of Justice
    EIS Ethics and Investigation Support
    ER Employee Relations
    EUP Employee User Portal
    FMSS Facilities Management and Security Services
    FTI Federal Tax Information
    GLS General Legal Services
    HCO Human Capital Office
    HOD Head of Office Designee
    IDRS Integrated Data Retrieval System
    IGM Interim Guidance Memorandum
    IM Incident Management
    IPP Information Protection Projects
    IP PIN Identity Protection Personal Identification Number
    IRC Internal Revenue Code
    IRIS Information Return Intake System
    IRP Identity & Records Protection
    IRSU IRS University
    ISA Inadvertent Sensitive Access
    ITM Integrated Talent Module
    IT Information Technology
    MeF Modernized e-File
    MF Master File
    MOR Manager of Record
    NPE Non-person entity
    OCC Office of Chief Counsel
    PGLD Privacy, Governmental Liaison and Disclosure
    PII Personally Identifiable Information
    PIPD Privacy, Information Protection and Disclosure
    POC Point of Contact
    ROI Report of Investigation
    RPA Robotic Process Automation
    RM Records Management
    RUP Registered User Portal
    TDS Transcript Delivery System
    TFA Taxpayer First Act
    TIGTA Treasury Inspector General for Tax Administration
    UNAD Unauthorized Disclosure
    UNAX Unauthorized Access
10.5.5.1.8 (03-08-2023)

Related Resources

  1. UNAX Knowledge Base site at: UNAX - Unauthorized Access of Taxpayer Accounts.

  2. Document 10281, Safeguarding Taxpayer Records Renewing Our Commitment - UNAX Employee Booklet.

  3. Document 12612, Stop UNAX In Its Tracks.

  4. Document 12692, UNAX If/Then Chart.

  5. Document 11500, IRS Manager’s Guide to Penalty Determinations.

  6. Pub 1075, Tax Information Security Guidelines.

  7. Pub 4812, Contractor Security Controls.

  8. IRM 6.752.1, Addressing Employee Misconduct, Non-disciplinary, Disciplinary, and Adverse Actions.

  9. IRM 6.315.1, Career and Career-Conditional Employment.

  10. IRM 6.315.2, Probationary Period for Career and Career-Conditional Employment.

  11. IRM 6.316.1, Temporary or Term Appointments.

10.5.5.2 (04-21-2026)

Director, Identity & Records Protection

  1. The Director, IRP is responsible for protecting taxpayer data through the UNAX program. This includes policy, training, and communication.

10.5.5.3 (04-21-2026)

Unauthorized Access (UNAX) Program Office

  1. The UNAX Program Office’s mission is to ensure all employees, contractors, and stakeholders:

    1. Uphold their responsibility to protecting federal taxpayer information.

    2. Understand the meaning of UNAX.

    3. Understand the consequences of accessing or attempting to access unauthorized federal tax information (electronic, paper, etc.).

    4. Properly report suspected instances of UNAX to the appropriate parties.

    5. Properly document any and all suspected UNAX violations.

  2. The UNAX Program Office must develop and implement a Servicewide UNAX Program in partnership with and/or support from TIGTA, HCO, IT, Procurement, Counsel, and other stakeholders that encompasses:

    1. UNAX education for employees and contractors in the form of:

      • Annual mandatory training.

      • Annual COR training.

      • Live/virtual forum symposium(s).

      • Regular Servicewide communications on important UNAX topics.

      • Digital resource guides.

      • A current UNAX Knowledge Management webpage.

    2. UNAX incident identification and reporting.

    3. UNAX policy administration and compliance.

  3. The UNAX Program Office must, in partnership with and/or with support from TIGTA, HCO, IT, Procurement, and other stakeholders, take action to:

    1. Mitigate weaknesses in programs, systems, and policies that result in high rates of UNAX violations or instances of non-compliance.

    2. Regularly evaluate Servicewide compliance practices.

    3. Provide UNAX training that addresses operational weaknesses across the service.

    4. Implement other measures designed to foster voluntary UNAX compliance to include periodic communications, outreach ad hoc training and UNAX Forums.

    5. Reduce willful unauthorized access, attempted access, and inspection of taxpayer records.

  4. The UNAX Program Office must:

    1. Manage and maintain the IRS UNAX website and all applicable UNAX policies, procedures, and forms.

    2. Manage the Servicewide Annual UNAX Awareness Briefing Certification Program to include:

      • In partnership with all stakeholders, maintain UNAX briefing materials to keep information relevant and educational.

      • Obtain and monitor completion reports from HCO and provide relevant statistical data to IRS leadership for employees and contractors.

    3. Report all indictments upon TIGTA notification to PGLD’s Incident Management office using the online PII Reporting Breach form.

    4. In coordination with Incident Management, notify taxpayer victims when a person is charged criminally by indictment or information with unauthorized inspection as required by 26 USC 7431(e). Notification letters will be sent to victims to alert the taxpayer of permissible next steps.

    5. Provide all managers the guidance and tools needed to help them maintain an ongoing dialogue with their employees about UNAX violations and the consequences and penalties for willfully accessing, attempting to access, or inspecting taxpayer records for other than authorized tax administrative duties as officially assigned by management.

    6. Respond to UNAX organization mailbox inquiries from managers, employees, contractors, and taxpayers concerning UNAX reporting requirements and other UNAX inquiries or refer them to other UNAX subject matter experts and stakeholders as appropriate.

    7. Educate Senior officials and managers that all IRS personnel returning to work after UNAX disciplinary actions must complete UNAX mandatory briefing and UNAX recertification before they may access any system with taxpayer information.

    8. Develop and distribute comprehensive Servicewide communications for all employees and contractors to assist them in understanding the importance of the mandatory Annual UNAX Awareness Briefing and the rules for certifying that the briefing was completed.

    9. Complete ad hoc Servicewide reviews to ensure UNAX operational consistency and compliance as funding permits.

    10. Facilitate annual discussions with the COR Community of Practice or equivalent.

    11. Facilitate annual discussions with focused IRS employees and/or contractors.

10.5.5.4 (04-21-2026)

Treasury Inspector General for Tax Administration (TIGTA)

  1. Treasury Inspector General for Tax Administration (TIGTA) is responsible for investigating all potential UNAX allegations received and notifying appropriate management officials that a UNAX investigation has been initiated. More specifically, TIGTA is responsible for:

    1. Reviewing and investigating all UNAX incidents.

    2. Referring substantiated UNAX violations to the Department of Justice (DOJ) for criminal prosecution.

    3. Referring UNAX incidents and Reports of Investigation (ROI)/Complaint cases back to IRS (e.g., HCO) for adjudication (e.g., administrative action such as termination/contract removal).

    4. Regularly meeting with the UNAX Program Office to coordinate on existing UNAX cases and/or program enhancements/changes.

    5. Participating in Live/Virtual Forums with the UNAX Program Office to expand awareness of UNAX policies and educate employees and contractors about UNAX; and

    6. Supporting data reconciliation requests from HCO or PGLD if necessary.

10.5.5.5 (04-21-2026)

Human Capital Office (HCO)

  1. HCO coordinates with TIGTA and the Office of Chief Counsel (OCC), General legal Services (GLS) to ensure employees are treated fairly and equitably in every UNAX case. Specifically, HCO:

    1. Tracks and records UNAX case status for IRS employees from inception to final disposition.

    2. Investigates and researches IRS personnel complaint referral(s) and/or employee disciplinary history.

    3. Prepares the necessary documents in support of the administrative actions taken by management in UNAX cases concerning IRS employees.

    4. Forwards the necessary documents to management in cases concerning IRS employees. ROIs/complaints are sent to management with the delegated authority to issue corrective action. All persons must treat the ROI/complaint in a confidential manner.

    5. Provides consultative support to management for administration of appropriate discipline in cases concerning IRS employees. See IRM 6.752.1 for more details.

    6. Notifies management of their responsibility to remove employees from systems when a UNAX case is received or when management becomes aware of a potential UNAX violation.

    7. Provides UNAX case status and metrics to PGLD in accordance with agreed upon timelines.

    8. Personnel Security pre-screens and adjudicates security and suitability investigations to ensure that IRS employees and contractors meet federal security and suitability standards.

10.5.5.6 (04-21-2026)

Human Capital Office (HCO) IRS University (IRSU)

  1. HCO IRSU contributes to UNAX prevention by:

    1. Managing and uploading the IRS Mandatory Awareness Briefing Program into the Integrated Training Module (ITM). All employees and contractors must complete the UNAX Mandatory Awareness Briefing and annual recertification. The UNAX briefings are ITM #16412, Unauthorized Access for employees, and ITM #67085, Unauthorized Access for IRS Contractors. All employees and contractors must complete these courses before access is given to federal tax information.

    2. Conducting annual kick-off meetings with the UNAX Program Office content owner and their developers to provide updates and important timelines for submissions.

    3. Providing the UNAX Program Office content owners with biweekly briefing completion rates during the mandatory briefing cycle.

    4. Providing the UNAX Program Office a final completion rate report at the end of the mandatory briefing cycle.

10.5.5.7 (04-21-2026)

Information Technology (IT)

  1. IT is responsible for protecting IRS systems, services, and data, including taxpayer information, from internal and external cyber-related threats. IT is responsible for:

    1. Performing system tasks of detecting, reporting, escalating, and referring behavioral anomalies (e.g. questionable access, etc.) indicating potential UNAX violations to TIGTA and IRS stakeholders.

    2. Reviewing and certifying various data security reports. See IRM 10.8.34 for additional responsibilities and more details.

    3. Analyzing and partnering with management to determine the validity of account-related accesses.

    4. Providing UNAX metrics to the UNAX Program Office in accordance with agreed upon timelines.

    Note:

    See IRM 10.8.1 and 10.8.2 for additional guidance.

10.5.5.8 (04-21-2026)

Facilities Management and Security Services (FMSS)

  1. Facilities Management and Security Services (FMSS) ensure facility access is removed when an IRS employee or contractor separates or is being investigated for a potential UNAX violation.

    Note:

    See IRM 10.8 series for additional responsibilities.

10.5.5.9 (04-21-2026)

IRS Chief Counsel

  1. IRS Chief Counsel is responsible for collaborating with DOJ on civil litigation related to UNAX and UNAD. In addition, Chief Counsel:

    1. Provides advice/opinions to the UNAX Program Office on UNAX and UNAD compliance.

    2. Reports case data for UNAX/UNAD within their business unit to PGLD on a quarterly basis.

10.5.5.10 (04-21-2026)

Chief, Procurement

  1. Chief, Procurement is responsible for awarding contracts that may involve contractor use of federal tax information and complying with all applicable laws, regulations, and procedures.

    1. Contracting Officers (CO) must:

      • Ensure all IRS acquisition, procurement, and contract documents contain proper language holding contractors and other service providers accountable for following federal and IRS privacy policies and procedures.

      • Serve as a deciding official for UNAX-related complaints or investigations by contractors.

      • Retain, along with the Contracting Officer’s Representatives (CORs), the completed Form 11370 used by contractors in the contractor file until six years after the last payment on the contract. Follow IRS privacy policies and procurement procedures when handling contractor tax check information internally.

        Note:

        Procurement is not responsible for leading or conducting UNAX investigations. TIGTA is responsible for investigating all potential UNAX allegations received from various sources. If TIGTA determines there is sufficient evidence to validate that a UNAX violation occurred, TIGTA refers the case to the Department of Justice (DOJ) to determine if they would like to pursue criminal prosecution. TIGTA also refers the case to IRS for their decision on appropriate administrative response and action. CORs and other deciding officials determine appropriate administrative response/action, complete the reports of investigation (ROI)/complaints package, and return the package to TIGTA with final disposition of the penalty. The CORs should also provide a copy of the final disposition to HCO.

    2. The Business Unit has the responsibility to assign a COR to each contract for oversight of the contract and contractor personnel, to ensure the proper handling and release of SBU data. COR responsibilities are listed below in IRM 10.5.5.14, Contracting Officer’s Representative (COR) (UNAX) Responsibilities.

      Note:

      In some cases Contract Specialists may perform these responsibilities under the guidance of a CO.

10.5.5.11 (04-21-2026)

PGLD, Incident Management (IM)

  1. The Incident Management (IM) Program Office, within PGLD, is required to notify taxpayers when IRS proposes an administrative determination as to disciplinary or adverse action against an employee or contractor arising from the employee’s or contractor’s unauthorized inspection or disclosure of taxpayer’s return or return information, as required by 26 USC 7431. The notice must include the date of the unauthorized inspection or disclosure and the rights of the taxpayer under such administrative determination.

    Note:

    The IPP Program Office, within PGLD, is required to notify taxpayers if any person is criminally charged by indictment or information with inspection or disclosure of a taxpayer’s return or return information, as required by 26 USC 7431.

  2. IM is responsible for providing UNAX metrics to the UNAX Program Office in accordance with agreed upon timelines.

10.5.5.12 (04-21-2026)

IRS Mandatory Briefing Business Unit Points of Contact (POCs)

  1. IRS Mandatory Briefing Business Unit Points of Contact (POCs) are responsible for:

    1. Working with their business unit managers to ensure all their business unit personnel complete the required briefings and certifications.

    2. Reviewing the business unit’s completion statistics.

    3. Informing management officials of the business unit’s UNAX Awareness Briefing completion rates. This may include preparing and delivering reports to senior officials within their business units that track the number of employees who take the mandatory briefing.

    4. Contacting business unit POCs who have low rates of compliance, requesting their employees complete the UNAX briefing.

      Note:

      To be authorized, all personnel must have a need to know and must complete required training (IRS annual and role-based privacy, information protection, and disclosure training requirements, UNAX awareness briefings, records management briefings, and all other specialized privacy training) and background investigations before given access to federal tax information.

10.5.5.13 (04-21-2026)

Head of Office Designee (HOD) UNAX Responsibilities

  1. A HOD has a designated role with specific responsibilities related to protecting taxpayer information within the UNAX Program. This individual serves as the business unit’s point of contact or representative in reviewing, preparing, and uploading Forms 11377/11377-E, Taxpayer Data Access, to the Taxpayer Data Access Library (TDAL).

  2. In order to be a HOD, the individual

    1. Must be an active IRS federal employee,

    2. Must complete mandatory UNAX training requirements,

    3. Must not have a history of a previous substantiated UNAX violation that resulted in a significant disciplinary or criminal action.

    4. Must not be under a current investigation for a UNAX or UNAD violation, and

    5. Must be appointed by their manager in writing.

      Note:

      Managers are required to notify PGLD of any HOD permission list changes. The HOD list must be kept current for the business unit. PGLD will conduct a HCO listing review twice per year.

  3. All HODs are responsible for protecting the confidentiality and privacy of taxpayer information to which they have access.

  4. The HOD receives Form 11377 or Form 11377-E from managers and prepares them for storage.

  5. The HOD must return all unsigned forms to the appropriate manager for employee’s or contractor’s signature.

  6. The HOD is responsible for uploading signed Forms 11377/11377-E into the Taxpayer Data Access Library where they are maintained for six years.

  7. The HOD must participate in UNAX HOD meetings and data calls, as necessary.

    Note:

    More detailed instructions for these responsibilities are found in the HOD Guide located on the Taxpayer Data Access Library.

10.5.5.14 (04-21-2026)

Contracting Officer’s Representative (COR) UNAX Responsibilities

  1. The COR or Manager of Record (MOR) is responsible for ensuring contractors with staff-like access meet the mandatory briefing requirements. Upon on-boarding, all contractors with staff-like access must complete the UNAX mandatory briefing before being given access to taxpayer information and then repeat the training annually thereafter. In addition, all contractors must complete PGLD’s mandatory briefings which include Privacy, Information Protection and Disclosure and Records Management (RM) within prescribed mandatory training timeframe. For a definition of staff-like access Refer to IRM 10.5.5.1.6,Terms.

    Note:

    To be authorized, all personnel must have a need to know and must complete required training (IRS annual and role-based privacy, information protection, and disclosure training requirements, UNAX awareness briefings, records management briefings, and all other specialized privacy training) and background investigations before given access to SBU data (including PII and tax information).

  2. If the contractor does not have access to ITM, CORs must enter the training information into ITM so the contractor receives credit for completing the training. All CORs are responsible for collecting, signing, and retaining Forms 11370, Certification of Annual UNAX Awareness Briefing, received from contractors. Certification forms must be stored in a secured electronic file, locked container, security container or a secure room, wherever the location until six years after the last payment on the contract. For more information, please see IRM 10.2.18, Physical Access Control, and Internal Revenue Service Acquisition Policy 1052.

  3. When the COR receives a Form 11377/11377-E, Taxpayer Data Access, inadvertent access, the COR must submit the signed IRS Copy of the form to PGLD-IPP via Head of Office Designee (HOD). CORs must immediately return a signed “Employee/Contractor” copy of the form to the contractor and maintain a “Employee/Contractor” copy in the contractor file for the duration of the contract plus six years after final payment. COR must notify the Contracting Officer of the incident.

  4. If a COR receives a Report of Investigation (ROI) or Complaint package related to contractor UNAX, CORs must notify the contracting officer of the incident. CORs must review the package and coordinate with the deciding/designated official (e.g., contracting officer) for “Appropriate Action and Response.” After final adjudication has been issued by the deciding official, the COR must take appropriate actions (e.g., removal from the contract) and complete necessary items on TIGTA Forms 2070 or 2076. The COR must return the ROI or Complaint package with any applicable documentation (e.g., Decision Letters) concerning the action to TIGTA and provide a copy to HCO.

  5. At the end of the contract period, or if the contract is terminated within the contract period, the COR must ensure contractor access privileges to IRS information, IRS systems and facilities are revoked in a timely manner, as necessary.

  6. When the contract is officially closed out, the COR must ensure FTI provided to the contractor or created by the contractor is returned to the IRS or destroyed as directed in writing by the IRS. This includes copies of reports, extra copies, photo impressions, information system printouts, carbon paper, notes, stenographic notes, and work papers.

10.5.5.15 (04-21-2026)

Senior Executive’s and Senior Manager’s Responsibilities

  1. In addition to the responsibilities in IRM 10.5.5.17, IRS Personnel UNAX Responsibilities, all Senior executives and managers (including CORs and MORs) responsible to:

    1. Set clear expectations for compliance with IRM 10.5.5. Serve as an ambassador and advocate for the UNAX Program. Ensure UNAX policies and guidance are implemented in their organization.

    2. Ensure managers appoint primary and support HODs are appointed to cover TDAL requirements in their organization.

    3. Ensure UNAX is the topic of discussion at managerial meeting annually at a minimum.

    4. Make sure IRS personnel (managers, employees, and contractors) with authorized access to federal tax information have completed UNAX MB and other training to carry out their roles and responsibilities consistent with IRS UNAX policies. Ensure managers remove employees access to federal tax information if fail to comply with IRS training requirements.

    5. Ensure managers review and certify IDRS security reports timely; and that any required report actions are completed timely.

    6. Assign a POC to work with UNAX Program Office to schedule a UNAX Forum if identified for awareness and education opportunity. Allow IRS personnel to participate in Live or Virtual UNAX Forums.

    7. Allocate sufficient resources to follow UNAX policies and procedures.

    8. Participate in executive briefings, if necessary, to enhance UNAX education, awareness, oversight, and compliance in your organization. Review and UNAX statistics and analysis reports if received.

    9. Monitor, assign, or remove personnel access to IRS computing systems as needed based on assigned IRS duties. Systems that must be monitored include, but are not limited to:

      • Integrated Data Retrieval System (IDRS)

      • Modernized e-File (MeF)

      • Accounts Management System (AMS)

      • Transcript Delivery System (TDS)

      • Registered User Portal (RUP)

      • Employee User Portal (EUP)

      • Information Return Intake System (IRIS)

    10. Approve personnel access to any internal or external IRS computer system only when required to complete official IRS duties as assigned by management.

    11. Remove access to any internal or external computer system when it’s no longer required to complete official IRS duties as assigned by management. See IRM 10.8.34 for more details.

    12. Discuss necessary actions and possible discipline with servicing HCO and/or Procurement once notified of the investigation. See IRM 6.752.1 for more details.

10.5.5.16 (04-21-2026)

Manager UNAX Responsibilities

  1. Managers must take an active role to prevent willful and attempted unauthorized access, and inspection of taxpayer information. This involves overseeing employee and contractor’s work as well as continually stressing the importance of protecting and securing taxpayer records.

  2. IRS Manager’s Guide to Penalty Determinations (Document 11500) states that managers may be subject to written reprimand, suspension or removal for failure to adequately instruct, train, or supervise employees and contractors in their responsibilities for record and information protection.

  3. Managers must communicate with employees and contractors on a regular basis to ensure they are aware of UNAX prohibitions and penalties. Communications must also ensure subordinates know how to document and report inadvertent or unintentional access. Managers within business units that handle federal tax information must ensure UNAX is the topic of discussion at managerial meetings annually at a minimum.

  4. Managers are responsible for the timely and thorough review of available system security reports. Managers must immediately report suspected UNAX violations or unusual activity to TIGTA for investigation. Also, managers must report UNAX violations by a contractor to TIGTA, the CO, and COR. See and comply with IRM 10.8.34 for more details.

  5. Managers must ensure employees and contractors only have access to federal taxpayer information only when it is necessary to complete their assigned IRS duties.

  6. Managers must ensure employees and contractors who are being investigated for UNAX violations are promptly removed from IDRS and any other IRS computer system requiring administrative approval and containing taxpayer information. Managers must also ensure these employees and contractors are removed from other tax-related duties. See IRMs 6.752.1 and 10.8.34 for more details.

  7. UNAX misconduct carries penalties mandated by law, rule, regulation, or IRS policy. Pursuant to IRS UNAX policy, based on the Taxpayer Browsing Act of 1997, removal is required to be proposed for all substantiated UNAX violations. Conviction under 26 USC 7213A carries a mandatory penalty of removal.

  8. Managers must ensure employees and contractors complete their initial and annual UNAX Awareness mandatory briefing and complete the certification documentation either online or by filling out Form 11370, Certification of Annual UNAX Briefing, if the briefing was not completed online. Managers must ensure that employees and contractors who do not have access to Integrated Talent Management (ITM) system complete and submit Form 11370, Certification of Annual UNAX Awareness Briefing, after manual completion of the UNAX Briefing. Managers must remove employees access to federal tax information if they fail to comply with IRS training requirements.

    1. Managers of IRS employees are required to sign Form 11370 and record the completion in ITM.

    2. Managers of contractors are required to sign Form 11370 and submit a copy to their Contracting Officer’s Representative (COR), who must record completion in ITM and place the Completed Form 11370 in the contract case file.

  9. Managers are responsible for designating a primary and backup HOD and informing PGLD of any changes due to staffing, new assignments, etc. Managers must also sign and timely submit Form 11377 or Form 11377-E, Taxpayer Data Access, to the designated HOD. Form 11377 or Form 11377-E is used to document accesses to taxpayer information not supported by direct case assignment or which may otherwise appear questionable. A manager’s signature on this form does not imply authorization for documented accesses. The access may still be subjected for further review and investigation.

    Note:

    Managers are responsible for providing PGLD a primary and a support HOD for their business unit.

  10. Managers must make fair and timely reassignments whenever an employee or a contractor reports having a covered relationship with an individual or organization in an assigned tax matter, which may create a conflict of interest. Form 4442, Inquiry Referral, may be used by the employee or contractor to request such reassignments, thus avoiding a conflict of interest.

  11. Managers must educate employees and contractors on how to avoid UNAX violations and the consequences of their actions.

  12. Managers must ensure their employees’ and contractors’ access of IRS internal or external computer system is:

    1. Controlled through Business Entitlement Request System (BEARS) approval process.

    2. Granted only when required to complete official duties.

    3. Removed when no longer required to complete official duties. This includes for failure to complete their annual UNAX Awareness certification.

  13. Managers must ensure their employees’ and contractors’ access of FTI in M365 environments are controlled through the BEARS approval process, M365 permission request process via a SharePoint Site Collection Administrator (SCA), or other approval process.

  14. Managers must coordinate with HCO to effect timely disciplinary and/or performance actions to their subordinates to address UNAX violations. In addition, to properly maintain record of such actions taken to address employee non-compliance consistent with any statute, policy, rule, regulation, or contractual obligation.

10.5.5.17 (04-21-2026)

IRS Personnel UNAX Responsibilities

  1. All IRS personnel are responsible for:

    1. Protecting federal taxpayer information.

    2. Accessing IRS paper or electronic tax records or tax information only when it’s required to complete official IRS duties as assigned by management.

    3. Informing their managers and/or CORs when they no longer require access to a specific IRS internal or external computer system or command code requiring administrative approval.

    4. Refraining from unauthorized access of federal taxpayer information.

    5. Refraining from accessing their own records, or records of anyone with whom they have a covered relationship. Refer to IRM 10.5.5.20, Covered Relationships.

    6. Refraining from accessing information unless the access is required by their duties as assigned by management.

    7. Notifying their managers and/or CORs if they have inadvertently accessed federal taxpayer information. IRS personnel may use Form 11377 or Form 11377-E for reporting.

    8. Reporting suspected incidents of UNAX.

    9. Completing PGLD mandatory briefings, which include UNAX, PIPD, and RM.

  2. All IRS personnel including employees and contractors, managers and executives are responsible for protecting the confidentiality and privacy of taxpayer information to which they have access. Employees and contractors are responsible for understanding what UNAX means and what the potential consequences are for the willful unauthorized access, attempted access, or inspection of paper or electronic taxpayer records. If they are uncertain whether access or inspection is appropriate, they should first consult with a manager, TIGTA, or send questions via email to *UNAX. Employees and contractors are only allowed to access tax return information when it is needed to carry out their assigned tax administrative duties and there is no covered relationship.

  3. Employees and contractors are prohibited from browsing or inspecting a celebrity or politician’s return or return information without authorization, and a need-to-know. Employees and contractors are prohibited from browsing or inspecting a celebrity or politician’s return or return information when the information is not needed to carry out assigned tax related duties. This constitutes a UNAX violation with potential for fines, imprisonment, and dismissal. Employees and contractors have no legitimate tax-related reason to access the account of a celebrity or politician unless they receive the matter through official channels or in the normal course of business.

    Note:

    Celebrities are defined as a person who is famous, widely known, or frequently in the media/media interest, e.g., Government Officials, music industry, sports, entertainment, etc.

  4. The IRS relies on the ethics and integrity of its employees and contractors and enlists their support in eliminating all cases of UNAX.

  5. If an employee decides to use Form 11377 or Form 11377-E to report an inadvertent or questionable access, employees and contractors must fill out and sign Form 11377 or Form 11377-E by close of business on the day of the inadvertent or questionable access (electronic and paper) and forward the signed copy to their manager or COR to document certain inadvertent or questionable accesses that could include the following:

    1. Accessed electronic or paper tax return information in error (such as accidentally entering your own or an incorrect taxpayer identification number).

    2. Accessed electronic or paper tax return or tax information of another IRS employee on an assigned case before recognizing the individual as someone known to the employee or contractor.

    3. Accessed electronic or paper tax return or tax information on an assigned case of an individual or organization before recognizing it as belonging to a person or business with whom the employee or contractor has a personal or business relationship.

    4. Researched another taxpayer’s information because it was related to an assigned case.

    5. Received requests from management to access taxpayer information on cases not assigned to the employee or contractor.

  6. Employees and contractors must:

    1. Review and apply the guidance within this IRM, the Employee’s Guide to Safeguarding Taxpayer Records - Renewing Our Commitment, Document 10281 and other UNAX directives.

    2. Take the Annual UNAX Awareness Briefing and complete the certification documentation either online or by filling out Form 11370, Certification of Annual UNAX Briefing, if the briefing was not completed online.

      Note:

      When employees or contractors complete the annual UNAX Awareness Briefing outside of the Integrated Talent Management (ITM) system, they must submit Form 11370 to their manager or COR for signature and processing.

    3. Timely refer cases to management when the employee’s and contractor’s personal or business relationship can raise questions concerning a lack of impartiality in handling a tax matter. (Please see IRM 10.5.5.20, Covered Relationships for additional information). Employees should use Form 4442, Inquiry Referral for this purpose.

    4. Inform managers when approved access to an IRS internal or external computer system is no longer required to complete IRS officially assigned duties.

    5. Report any suspected UNAX violation to their local TIGTA office, to the TIGTA toll free hotline at: 1-800-366-4484, or the online TIGTA complaint form. TIGTA is responsible for investigating all UNAX allegations. IRS employees are protected by law from reprisals when they have reasonable cause to report suspected UNAX violations to TIGTA.

  7. Employees and contractors must refrain from:

    1. Accessing returns and return information of other employees and contractors known to them unless approved in writing by management.

    2. Accessing or asking other IRS employees and contractors to access information of individuals with whom they have a Covered Relationship. Refer to IRM 10.5.5.20, Covered Relationships.

    3. Accessing tax returns or tax return information in any IRS internal or external computer system (e.g., IDRS, AMS, TDS, RUP, EUP, etc.) unless the access is necessary to complete their official IRS duties as assigned by management.

    4. Accessing tax returns or tax return information on a personal computer if they are not authorized to access the information on their work computer. For example: An IRS employee or contractor had formerly held a position as an accountant prior to becoming employed by IRS. He kept his access to the IRS Registered Users Portal (RUP). The employee or contractor then accessed tax return information on the RUP of a former client using his personal computer when performing his IRS official duties. This is an unauthorized access of the taxpayer record and a UNAX violation. IRS personnel can only access those accounts assigned to them by IRS management as part of their official IRS tax duties.

10.5.5.18 (04-21-2026)

IRS Unauthorized Access, Attempted Access, or Inspection of Taxpayer Records (UNAX) Program

  1. In implementing the requirements of the Taxpayer Browsing Protection Act (Public Law No. 105-35), the IRS created the willful unauthorized access, attempted access or inspection of taxpayer records (UNAX) Program Office. The Taxpayer Browsing Protection Act is summarized by the following:

    1. When employees and contractors are criminally charged, the IRS is required to notify taxpayers as soon as possible that their records have been accessed without authorization.

    2. Taxpayers who are victims of unlawful access or inspection have the right to take civil action, even if the taxpayer’s information is never revealed to a third party.

    3. Under 26 USC 7213A, IRS employees and contractors are subject to the following penalties (upon conviction):

      • Fine; not to exceed $1,000

      • Imprisonment; not to exceed one year; and/or

      • Costs of prosecution.

        Note:

        UNAX violations are not limited to only UNAX crimes. Using information gained from a UNAX violation can lead to additional criminal charges.

    4. IRS employees are subject to non-criminal penalties pursuant to IRS UNAX policy with or without criminal conviction. These penalties include, but are not limited to:

      • Termination of employment;

      • Suspension of employment; and/or

      • Other disciplinary or non-disciplinary action(s).

        Note:

        For non-criminal penalties, removal is to be proposed for all UNAX violations. The penalty may be mitigated by the deciding official. Additional information on penalties for UNAX violations can be found in Document 11500, IRS Manager’s Guide to Penalty Determinations.

    5. IRS contractors are subject to non-criminal penalties pursuant to IRS UNAX policy with or without criminal conviction. These penalties include, but are not limited to:

      • Removal from contract; and

      • Other corrective actions.

  2. Employees and contractors who have knowledge of a potential UNAX violation must immediately report it to TIGTA and/or their managers, supervisor, and/or COR.

10.5.5.19 (04-21-2026)

Official Channels

  1. The IRS policy on access to paper and electronic tax returns and return information states employees and contractors “are only allowed access to tax returns and return information when the information is received through official channels and is needed to carry out official IRS tax duties.”

  2. Official Channels include:

    1. Cases officially assigned by a manager for official IRS business purposes.

    2. Taxpayer walk-ins.

    3. Telephone calls from taxpayers.

    4. Official correspondence.

    5. Related case inquiries.

  3. Unofficial Channels include:

    1. Requests from individuals at social functions and non-work environments.

    2. Requests received from close friends, close relatives, close neighbors or co-workers whom you know.

10.5.5.20 (04-21-2026)

Covered Relationships

  1. Covered Relationships are those personal or business relationships that can raise questions about the appearance of a lack of impartiality in the handling of a tax matter. As a result, individuals or businesses can be perceived as receiving expedited or preferential treatment that is unavailable to the general taxpayer public. Requests that are not received through the normal course of business or through official or administrative channels can indicate a covered relationship. Employees and contractors are not authorized to access the tax records or tax information of anyone with whom they have a covered relationship. Covered relationships include:

    1. Spouses and ex-spouses

    2. Children

    3. Parents and grandparents

    4. Relatives

    5. Friends or neighbors

    6. Co-workers and supervisors

    7. Individuals(s) or organization(s) where their spouse is an officer, trustee, general partner, agent, attorney, consultant, employee, or member, and

    8. Individuals(s) or organization(s) with whom they may have a personal or business relationship with

10.5.5.21 (04-21-2026)

Violations of IRS UNAX Policy

  1. The willful unauthorized access or inspection of taxpayer information, both electronic and paper, is a crime. Upon conviction, employees and contractors may be subject to penalties ranging from job loss to prison terms.

  2. The IRS established the IRS Manager’s Guide to Penalty Determinations (Document 11500) to cover UNAX violations that are not criminally prosecuted.

  3. Non-criminal/administrative penalties for violating the UNAX policy range from removal from federal service to a letter of admonishment.

    1. The agency can take disciplinary action against employees and contractors for violating the agency’s UNAX policy even when they are not criminally charged with violating the Taxpayer Browsing Protection Act.

    2. Temporary employees and contractors in a probationary or trial period may be terminated or removed from contracts for UNAX violations.

  4. Criminal penalties assessed upon conviction for violating the Taxpayer Browsing Protection Act Include:

    1. A fine in any amount not exceeding $1,000.

    2. Imprisonment of not more than one year.

    3. Both the fine and imprisonment.

    4. Cost of prosecution.

  5. Civil penalties: Taxpayers have the right to take legal action against the IRS when they are victims of unlawful access or inspection even if their information is never revealed to a third party. The IRS is required to notify taxpayers that their records have been accessed without authorization when an employee or contractor is criminally charged or administratively disciplined.

10.5.5.22 (04-21-2026)

PGLD/UNAX 7431(e) Notification Letter

  1. 26 USC 7431(e), Civil Damages for Unauthorized Inspection or Disclosure of Returns and Return Information, Notification of Unlawful Inspection and Disclosure requires taxpayer notification when any person has been criminally charged with the unauthorized disclosure or inspection of taxpayer returns or return information in violation of 26 USC 6103.

  2. The IRS, through the IPP Program Office, is required to notify taxpayers when a person has been criminally charged with the unauthorized disclosure or inspection of their tax records as soon as practicable.

  3. The IRS, through the Incident Management Program Office, is required to notify taxpayers when IRS proposes an administrative determination as to disciplinary or adverse action against an employee or contractor arising from the employee’s or contractor’s unauthorized inspection or disclosure of the taxpayer’s return or return information, as required by 26 USC 7431.