10.5.6 Privacy Act

Manual Transmittal

January 31, 2020

Purpose

(1) This transmits new IRM 10.5.6, Privacy and Information Protection, Privacy Act.

Material Changes

(1) This IRM consolidates and moves the Privacy Act IRMs into the 10.5 series:

  1. IRM 11.3.14, Disclosure of Official Information, Privacy Act General Provisions, dated 05/02/2018, moved into IRM 10.5.6.2.

  2. IRM 11.3.15, Disclosure of Official Information, Privacy Act Publication and Reporting Requirements, dated 05/03/2018, moved into IRM 10.5.6.3.

  3. IRM 11.3.16, Disclosure of Official Information, Privacy Act Notification Programs, dated 05/02/2018, moved into IRM 10.5.6.4.

  4. IRM 11.3.17, Disclosure of Official Information, Privacy Act Recordkeeping Restrictions, dated 05/02/2018, moved into IRM 10.5.6.5.

  5. IRM 11.3.18, Disclosure of Official Information, Privacy Act Access and Amendment of Records, dated 08/20/2018, moved into IRM 10.5.6.6.

  6. IRM 11.3.19, Disclosure of Official Information, Privacy Act Accounting for Disclosures, dated 05/02/2018, moved into IRM 10.5.6.7.

  7. IRM 11.3.20, Disclosure of Official Information, Personnel Records, dated 08/21/2018, moved into IRM 10.5.6.8.

  8. Program scopes and objectives of IRM 11.3.14 through 11.3.20 moved into IRM 10.5.6.1.

(2) Removed language, where appropriate, no longer relevant or necessary under OMB requirements.

(3) Clarified information throughout where necessary to align with existing policy.

(4) Made editorial changes throughout to update IRM/statute/organizational references and terms. Web and citation references added/updated throughout to make the text easier to research in electronic media.

(5) Made grammatical changes throughout to improve or clarify voice, pronouns, etc.

(6) Changed the terms “should,” “shall,” or “will” to “must,” where appropriate, in compliance with the Plain Writing Act, as these are long-standing statutory requirements of the Privacy Act. Where statutory language quoted, kept the term “shall.”

(7) Removed outdated processes and updated/simplified where appropriate.

Effect on Other Documents

This combines, supersedes, and makes obsolete:
1. IRM 11.3.14, Disclosure of Official Information, Privacy Act General Provisions, dated 05/02/2018
2. IRM 11.3.15, Disclosure of Official Information, Privacy Act Publication and Reporting Requirements, dated 05/03/2018
3. IRM 11.3.16, Disclosure of Official Information, Privacy Act Notification Programs, dated 05/02/2018
4. IRM 11.3.17, Disclosure of Official Information, Privacy Act Recordkeeping Restrictions, dated 05/02/2018
5. IRM 11.3.18, Disclosure of Official Information, Privacy Act Access and Amendment of Records, dated 08/20/2018
6. IRM 11.3.19, Disclosure of Official Information, Privacy Act Accounting for Disclosures, dated 05/02/2018
7. IRM 11.3.20, Disclosure of Official Information, Personnel Records, dated 08/21/2018

Audience

All Operating Divisions and Functions.

Effective Date

(01-31-2020)

Peter Wade__
Director, Privacy Policy and Compliance

Program Scope and Objectives

  1. Purpose: This IRM discusses general Privacy Act of 1974, 5 United States Code (USC) § 552a, as amended (Privacy Act), provisions and their application to the IRS. The purpose of the Privacy Act is to provide certain safeguards for an individual against an invasion of personal privacy by requiring Federal agencies, except as otherwise provided by law, to:

    • Permit individuals to determine what records pertaining to them are collected, maintained, used, or disseminated by Federal agencies.

    • Permit individuals to prevent records pertaining to them from being used or made available for another purpose without their consent.

    • Permit individuals to gain access to information pertaining to them, have copies made, and amend or correct such records.

    • Collect, maintain, use, or disseminate any record of identifiable personal information in a manner that ensures that such action is for a necessary and lawful purpose, that the information is current and accurate, for its intended use, and that adequate safeguards are provided to prevent misuse of such information.

    Except as otherwise provided by law, agencies are subject to civil suit for damages as a result of willful or intentional action that violates any individual’s rights under the Privacy Act. Criminal penalties are applicable to agency employees who make prohibited disclosures or who maintain records in violation of law.

  2. This IRM does not intend to address all Privacy Act requirements, only those most applicable to IRS privacy policy. For example, the Privacy Act’s Computer Matching requirements fall under IRM 11.3.39, Disclosure of Official Information, Computer Matching and Privacy Protection Act.

  3. Where this IRM refers to agency requirements, the intention is to apply the requirement to the IRS as a bureau of the Department of the Treasury throughout.

  4. Audience: The information and guidance in this IRM applies to all IRS personnel, which includes:
    1. Employees
    2. Consultants
    3. Detailees
    4. Temporary employees
    5. Interns/Externs
    6. IRS contractors.

  5. Policy Owner: Privacy Policy and Compliance (PPC) is responsible for Privacy Act oversight. The Director, PPC, reports to the IRS Chief Privacy Officer (CPO). The CPO is the executive director who oversees Privacy, Governmental Liaison and Disclosure (PGLD) and who has responsibility for the IRS privacy program

  6. Program Owner: The PPC office, under PGLD, is the program office responsible for oversight of the Servicewide Privacy Act policy, recordkeeping matters, access and amendment matters, accounting for disclosures program, and personnel records matters. PGLD’s Disclosure office is responsible for operational casework related to requests for access to and disclosure of Privacy Act information via the Central Processing Unit.

  7. Primary Stakeholders: All business units are stakeholders regarding privacy.

Background

  1. The Senate Preface to the Legislative History of the Privacy Act stated that, "The Bill of Rights guarantees to each American protections which we equate with specific rights of citizenship in a free society. This legislation is a major first step in a continuing effort to define the "penumbra" of privacy which emanates from specific guarantees in the Bill of Rights and which helps to give them life and substance as recognized in Griswold v. Connecticut."

  2. Congress also found that the:

    1. Privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies;

    2. Increasing use of computers and sophisticated information technology has greatly magnified the harm to individual privacy that can occur; and

    3. Individual’s rights may be endangered by the misuse of some information systems.

  3. Accordingly, Congress decided that it was necessary to regulate the collection, maintenance, use, and dissemination of information by Federal agencies to protect the privacy of individuals.

  4. Section 3 of the Privacy Act became effective September 27, 1975. It is intended to provide safeguards for an individual against invasions of personal privacy.

  5. The Privacy Act permits, with limited exceptions under very specific conditions, an individual to examine agency records pertaining to that individual and limits the conditions under which such records may otherwise be disclosed.

Authorities

  1. The Privacy Act.

  2. The Freedom of Information Act, as amended, 5 USC § 552 (FOIA).

  3. Federal Acquisition Regulations Part 24 FAR -- Part 24 Protection of Privacy and Freedom of Information.

  4. IRC § 6103, Confidentiality and disclosure of returns and return information.

  5. IRC §7852(e), Statutory exemption for tax records from certain provisions of the Privacy Act.

  6. Department of the Treasury Regulations .

  7. E-Government Act (2002), Public Law 107-347.

  8. Office of Management and Budget (OMB) Circulars A-108 and A-130.

  9. OMB Guidelines at 40 Fed. Reg. 28,948 (July 9, 1975)

  10. The Civil Service Reform Act of 1978, 5 USC, Title VII, § 7114, Part (b).

  11. Department of the Treasury Privacy Act Handbook.

Responsibilities

  1. The IRS complies with the Privacy Act by integrating its provisions with the IRS’s existing procedural instructions, such as the IRM.

  2. The IRS CPO is responsible for the overall IRS privacy program.

  3. All IRS personnel are responsible for being familiar with the provisions of the Privacy Act, commensurate with the level of their assigned duties, and for conforming to the requirements of the law as it applies to their activities.

  4. All IRS officials are responsible for administering the Privacy Act insofar as its provisions are applicable to their functional areas and as provided by applicable regulations, published notices, and IRM instructions.

  5. For most Systems of Records, as defined in Exhibit 10.5.6-5, two types of systems managers (or responsible officials) have been designated—the official prescribing practices, and the official maintaining the system.

    1. The official prescribing practices, generally a Headquarters Division Director, contributes to the administration of the Privacy Act by making certain that all procedures conform to its requirements.

    2. The official maintaining the system, generally an Area Manager or Campus Director, contributes to the administration of the Privacy Act by making certain that all procedural requirements are followed. Thus an official operating a system of records or carrying out any other assignment will be in compliance with the Privacy Act if all actions taken are in strict accordance with the IRM.

  6. The functional offices of the system owners/managers that are most familiar with the system of records must write the notices and other required reports and documents for a system of records notice to be published in the Federal Register and any other required Privacy Act notifications, such as those required by section (e)(3) of the Privacy Act. See the Publications and Reporting Requirements section of this IRM.

  7. Privacy policy and overall coordination of the IRS efforts to administer the Privacy Act are the responsibility of the Director, PPC, with support from PGLD headquarters. Direct questions to the *Privacy mailbox.

  8. PGLD’s Disclosure office will control and process written Privacy Act requests for access and amendment via the Central Processing Unit (CPU) .

  9. The individual business units have responsibility for responding to requests for records subject to the Privacy Act. Business units must forward any formal written Privacy Act requests for records to Disclosure via the CPU. See the Disclosure Requests shelf on the PGLD Virtual Library.

  10. PPC processes Privacy Act Complaints. See the Section 803 Reports Pertaining to Privacy Act section of this IRM.

  11. Private contractors and their personnel are subject to some provisions of the Privacy Act. See IRM 11.3.24, Disclosures to Contractors.

  12. All IRS personnel must ensure IRS records (hard copy and electronic) are appropriately managed, retained, and archived in accordance with the IRM 1.15 series, Records and Information Management, for records retention and disposition requirements before documents can be destroyed. See the Records Management shelf on the PGLD Virtual Library. Refer to Document 12990, IRS Records Control Schedules (RCS), for the National Archives and Records Administration (NARA)-approved IRS records disposition to prevent unauthorized/unlawful destruction of records. Refer to Document 12829, General Records Schedules (GRS), for the NARA-issued disposal authorizations for temporary administrative records common to all Federal agencies.

    Caution:

    In situations when litigation has been initiated or reasonably anticipated, keep in mind that records (hard copy as well as electronic) must be retained beyond the normal record retention period. For more information, see IRM 25.3.1.7.6, What is a litigation hold?

Privacy Act General Provisions (formerly IRM 11.3.14)

  1. This section discusses general Privacy Act provisions and their application to the IRS as a bureau of the Department of the Treasury. The purpose of the Privacy Act is to provide certain safeguards for an individual against an invasion of personal privacy by requiring Federal agencies, except as otherwise provided by law, to:

    • Permit individuals to determine what records pertaining to them are collected, maintained, used, or disseminated by Federal agencies

    • Permit individuals to prevent records pertaining to them from being used or made available for another purpose without their consent

    • Permit individuals to gain access to information pertaining to them, have copies made, and amend or correct such records

    • Collect, maintain, use, or disseminate any record of identifiable personal information in a manner that ensures that such action is for a necessary and lawful purpose, that the information is current and accurate, for its intended use, and that adequate safeguards are provided to prevent misuse of such information

    Except as otherwise provided by law, agencies are subject to civil suit for damages as a result of willful or intentional action that violates any individual’s rights under the Privacy Act. Criminal penalties are applicable to agency personnel who make prohibited disclosures or who maintain records in violation of law.

  2. The Privacy Act applies to agency records that are retrieved by an identifier for an individual. The Privacy Act defines individual as a citizen of the United States or an alien lawfully admitted for permanent residence. Corporations, partnerships, estates, organizations, and other entities are not individuals for Privacy Act purposes. An individual acting in an entrepreneurial capacity (such as a sole proprietor) is an individual for purposes of the Privacy Act.

  3. Most of the IRS records are subject to an extensive body of law, including the confidentiality and disclosure provisions of IRC § 6103 that are usually more specific and restrictive than the Privacy Act, and that therefore will generally be found to be the governing statute. It is important, in applying the Privacy Act, to take into consideration all statutory requirements that are applicable; the result should be that the safeguards against the invasion of an individual’s privacy should be not less than required by the Privacy Act.

  4. Agencies may propose rules that exempt certain records from certain Privacy Act provisions. Such rules must be approved by Congress and the Office of Management and Budget (OMB), and be published in the Federal Register. Treasury specifies whether exemptions apply to a specific IRS system of records in published Federal Register notices.

  5. In order for the IRS to maintain records subject to the Privacy Act it must meet certain publishing and reporting requirements. The Publication and Reporting Requirements section of this IRM discusses these requirements.

  6. Having advised the public of the type of records being maintained (by meeting the publishing and reporting requirements), the IRS generally must give individuals asked to supply information a notice with the request for information. The Notification Programs section of this IRM discusses this requirement and related matters.

  7. There are restrictions on the type of information the IRS may obtain and use. The Recordkeeping Restrictions section of this IRM discusses these provisions.

  8. Individuals may have access to certain records pertaining to them, and may under some circumstances amend such records. The Access and Amendment of Records section of this IRM discusses these provisions.

    Note:

    IRC §7852(e) provides that subsections (d)(2), (d)(3), (d)(4), and (g), of the Privacy Act (such as the amendment provisions) shall not be applied, directly or indirectly, to the determination of liability of any person for any tax, penalty, interest, fine, forfeiture, other imposition or offense to which the provisions of the IRC apply.

  9. Restrictions are placed upon the disclosure by the agency of the records maintained, and an accounting is generally required of the disclosures made. The Accounting for Disclosures section of this IRM discusses these provisions.

  10. The Privacy Act provisions are applicable to those personnel records which are maintained by a personal identifier and contain personal information. The Personnel Records section of this IRM discusses these provisions.

Requirements of the Privacy Act

  1. IRS personnel must follow the legal requirements of the Privacy Act at all times and must make every effort consistent with law, regulations and good administrative practice, to promote the spirit of the Privacy Act by performing their duties in a manner that recognizes and enhances individual rights of privacy.

  2. Restrict disclosure of Privacy Act record information to other IRS personnel to those who have a need to know the information in the performance of their official duties.

  3. With respect to Privacy Act records, the IRS must:

    1. Maintain only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required by statute or Executive Order.

    2. Collect information, to the greatest extent practicable, from the subject individual when the information may result in adverse determinations about an individual’s rights, benefits and privileges under Federal programs.

    3. Inform each individual whom it asks to supply information, of the agency's authority for requesting the information; whether providing the information is voluntary or mandatory; the principal purpose(s) for which the information will be used; other routine uses of the information; and the effect(s), if any, on the individual of not providing all or part of the information requested. This statement may be made on the form used to collect the information, or on a separate form or sheet that the individual may retain.

  4. The Privacy Act requires that agencies establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.

  5. The Privacy Act mandates the timely disposition, proper destruction, safe storage, physical protection, and proper handling of records.

  6. The IRS meets these requirements by adhering to its policies found throughout the IRM. Refer to specific references in IRM 10.5.1, Privacy Policy.

Privacy Principles

  1. Privacy protection within the IRS includes adherence by all IRS personnel to the Privacy Principles listed in that section of IRM 10.5.1, Privacy Policy.

  2. Policy Statement 1-1, Mission of the Service, also embodies these concepts. See that section in IRM 1.2.1, Servicewide Policies and Authorities, Servicewide Policy Statements.

Privacy Act Training

  1. The Office of Management and Budget (OMB) in Circular No. A-130 states:

    "Agencies shall develop, maintain, and implement mandatory agency-wide privacy awareness and training programs for all employees and contractors.."

    Note:

    See Section (e)(9) of the Privacy Act.

  2. The highest level of involvement in training for Privacy Act purposes is required for managers, government information specialists, and policy analysts serving in PGLD.

  3. Functions having key personnel identified as requiring a high degree of training in Privacy Act matters may direct a request to the *Privacy mailbox for space at a regularly scheduled session of the Privacy Act Training or for a special presentation of the Privacy Act segment of the program.

  4. Functions revising existing training programs or establishing new training programs must include Privacy Act segments designed in accordance with their specific needs to meet the objectives of the Privacy Act Requirement to Maintain Accurate, Relevant, Timely and Complete Records section of this IRM. PPC assistance is available at the *Privacy mailbox for constructing such specialized course segments.

  5. For personnel requiring a lesser degree of involvement, a periodic refresher or update can best be conducted by the inclusion of Privacy Act topics in regular group meetings and by discussing the impact of the Privacy Act on specific jobs. Contact PPC at the *Privacy mailbox for information or assistance.

OMB Privacy Act Guidance

  1. OMB revised Circulars A-130 and A-108 in 2016 to emphasize Privacy Act compliance. The documents emphasize the importance of this by placing responsibility with a Senior Agency Official for Privacy (SAOP).

    Note:

    Treasury houses the SAOP for the IRS, while the IRS CPO is the executive director who has responsibility for the IRS privacy program.

  2. To ensure that agencies effectively carry out the privacy-related functions described in law and OMB policies, Presidential Executive Order 13719 requires the head of each agency to designate or re-designate an SAOP who has agency-wide responsibility and accountability for the agency’s privacy program. The SAOP must be a senior official at the Deputy Assistant Secretary or equivalent level who serves in a central leadership position at the agency, has visibility into relevant agency operations, and is positioned highly enough within the agency to regularly engage with other agency leadership, including the head of the agency. See OMB Memo M-16-24.

  3. The revised OMB A-108 replaced the prior OMB requirement for agencies to conduct annual Privacy Act reviews with the requirement to establish and maintain a privacy continuous monitoring (PCM) program. The IRS PCM strategy is outlined in the IRS Privacy Program Plan.

    Note:

    See Exhibit 10.5.6-1, Agency Review Requirements, and Exhibit 10.5.6-2, Agency Public Website Posting Requirements.

  4. OMB requires the IRS to design its privacy control selection process to include privacy controls that ensure compliance with applicable requirements in the Privacy Act and related OMB guidance. At a minimum, the controls selected for an information system that contains information in a system of records must address the following elements:

    1. Minimization: Ensure systems of records include only information about an individual that is relevant and necessary to accomplish a purpose required by statute or executive order.

    2. Systems of Records Notices (SORNs): Ensure that all SORNs remain accurate, up-to-date, and appropriately scoped; that all SORNs are published in the Federal Register; that all SORNs include the information required by OMB Circular A-108; and that all significant changes to SORNs have been reported to OMB and Congress (see section 7 of OMB Circular A-108 for information about reporting a modified system of records).

    3. Routine Uses: Ensure that all routine uses remain appropriate and that the recipient’s use of the records continues to be compatible with the purpose for which the information was collected (see section 6(k) of OMB Circular A-108 for information about routine uses).

    4. Privacy Act Exemptions: Ensure that each exemption claimed for a system of records remains appropriate and necessary (see section 11 of Circular A-108 for information about Privacy Act exemptions).

    5. Contracts: Ensure compliance with the contract requirements (as discussed in the Privacy Act Contract Requirements section of this IRM), and that the applicable requirements in the Privacy Act and OMB policies are enforceable on the contractor and its personnel (see section 6(j) of Circular A-108 for information about systems of records operated by contractors).

    6. Privacy Training: Ensure training practices are sufficient and that personnel understand the requirements of the Privacy Act, OMB guidance, the IRS’s implementing regulations and policies, and any job-specific requirements.

    Note:

    For more information on privacy controls, see IRM 10.5.1, Privacy Policy.

Privacy Act Contract Requirements
  1. OMB A-108 requires privacy review of procurement solicitations involving Privacy Act records, approval of contracts, and Privacy Act clauses in contracts.

  2. Reissued OMB A-108 specifically prescribes:

    1. Agencies must design their procurement practices to ensure that all contracts that involve the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of information that identifies and is about individuals are reviewed and approved by the SAOP before award to help evaluate whether a system of records will be established and, if so, to include appropriate clauses in the contract. The SAOP must have access to a complete and accurate list of all of the agency’s contracts involving information that identifies and is about individuals. The SAOP must establish a process to ensure that the language of each contract is sufficient and that the applicable requirements in the Privacy Act and OMB policies are enforceable on the contractor and its personnel consistent with the agency’s authority.

    2. Agencies must ensure that the language of each contract that involves the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of information that identifies and is about individuals, is sufficient, and that the applicable requirements in the Privacy Act and OMB policies are enforceable on the contractor and its personnel (see section 6(j) of OMB Circular A-108 for information about systems of records operated by contractors).

  3. Federal Acquisition Regulations (FAR) Subpart 24.3 requires a Privacy Act Training Contract Clause for contractors whose personnel will have authorized access to Privacy Act information to complete training that addresses protection of privacy in accordance with the Privacy Act and the handling and safeguarding of Personally Identifiable Information (PII). These personnel must complete initial privacy training and annual privacy training thereafter.

  4. A contractor who has personnel involved in these activities is also required to maintain records indicating that its personnel have completed the requisite training and provide these records to the contracting officer upon request. In addition, the prime contractor is required to flow-down these requirements to all applicable subcontracts.

  5. At a minimum, contractor privacy training must cover the following:

    1. The provisions of the Privacy Act, including penalties for violations of the Privacy Act.

    2. The appropriate handling and safeguarding of PII.

    3. The authorized and official use of a system of records or any other PII.

    4. Restrictions on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access, or store PII.

    5. The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII or systems of records.

    6. Procedures to follow in the event of a potential or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of PII.

  6. See FAR Subpart 24.3 and FAR 52.224-3 for additional information.

  7. The impact of the Privacy Act on contracts is discussed in IRM 11.3.24, Disclosures to Contractors.

    Caution:

    A contractor and its personnel are not considered employees of the Department of the Treasury for purposes of the Privacy Act. Therefore, Privacy Act protected records cannot be disclosed to contractors pursuant to Privacy Act Section (b)(1). Disclosures of such records to contractors may be made only if one of the statutory disclosure provisions applies. The most commonly applicable disclosure provisions are 1) a published "routine use" in the appropriate system of records notice, and 2) written consent to the disclosure from the individual whose records are at issue.

    Caution:

    A contractor and its personnel are subject to the Privacy Act’s criminal penalties pursuant to Section (m)(1) if the contract is to operate a system of records for the agency. The IRS routinely includes disclosure prohibitions in contracts that authorize contractor access to Privacy Act protected records.

    Caution:

    For tax returns and return information, IRC § 6103 subsumes the Privacy Act. Disclosure of tax returns and return information is controlled by IRC § 6103. Returns and return information must not be disclosed to a contractor unless the requirements of IRC § 6103 are met (regardless of whether the Privacy Act authorizes disclosure). See IRM 11.3.24 for tax return and return information contract requirements pertaining to disclosure.

Privacy Act Publication and Reporting Requirements (formerly IRM 11.3.15)

  1. To facilitate the purposes of the Privacy Act, the IRS (via the Department of the Treasury) is required to publish in the Federal Register a notice of the existence and character of each system of records which it maintains. Any document that is retrieved by an identifier for an individual who is a citizen of the United States or an alien lawfully admitted for permanent residence must be covered in a published systems of record notice (SORN).

    Note:

    Take care in preparing the notice since the use or maintenance of a system of records, except in accordance with the published notice, would be prohibited by the Privacy Act.

  2. Any officer or employee of an agency who willfully maintains a system of records without meeting the notice requirements of the Privacy Act may be found guilty of a misdemeanor and fined not more than $5,000.

  3. The usefulness of the Privacy Act to the public and the ability of the IRS to readily comply with the requirements of the Privacy Act will, to a great extent, be determined by the care and accuracy with which these notices and related materials are prepared.

  4. Ensure that the tone, language, level of detail and length of the public notice are considered to ensure that the notice achieves the objective of informing the public of the nature and purposes of agency systems of records.

  5. There are several different circumstances under which a SORN may be submitted for publication. The circumstances outlined in the following subsections will determine the timing and the processing of the notice and must be explained in the accompanying transmittal memorandum.

  6. The transmittal memorandum directs the notice package from the records owner to PGLD, PGLD to Counsel, back to PGLD, and from PGLD to the Department of the Treasury.

  7. See Exhibit 10.5.6-4, Federal Register Publication Requirements.

  8. Contact the *Privacy mailbox for assistance with SORN or reporting requirements.

Publication and Reporting Requirements Responsibilities

  1. With support of PGLD headquarters, the Director, PPC, is responsible for:

    • Serving as Privacy Act Liaison Officer for the IRS and maintaining contact with the Departmental Privacy Act Coordinator for the Department of the Treasury, to ensure that materials submitted meet all Departmental requirements.

    • Reviewing all submissions for conformance with this section and ensuring that all submissions comply with the requirements of the Privacy Act.

    • Ensuring that all submissions adequately inform the public and protect the rights of individual members of the public as established by the Privacy Act.

    • Ensuring the adequacy of all notices, with special regard to routine uses of records maintained in a system, and general Privacy Act matters.

    • Accumulating notices involving deletions, editorial changes, or limited changes for inclusion in the Republication of Notices of Systems of Records, or for submission at such other intervals as would be appropriate.

    • Review of the materials required for the Republication of Notices of Systems of Records, the Federal Inventory of Personal Data Systems, and the Annual Report.

    • Preparing the reports described in this IRM.

  2. Systems owners are responsible for:

    • Preparation of Reports of New Systems of Records in final form.

    • Preparation of input materials required by this section and submission to PGLD via the *Privacy mailbox.

    Note:

    The business unit office that is most familiar with the system of records must write the notice.

    Note:

    Changes that require a new Privacy Act system of records or altered system notice usually will require a new or amended Privacy and Civil Liberties Impact Assessment (PCLIA) pursuant to the E-Government Act, section 208, P.L. 107-347. See IRM 10.5.2.2, Privacy and Civil Liberties Impact Assessment, for information about PCLIAs.

  3. Records owners are responsible for:

    1. Resolving inquiries and recommendations from officials and personnel within their functions.

    2. Determining the adequacy of existing notices.

    3. Assuring that existing practices conform to Privacy Act requirements.

    4. Preparing new notices as necessary.

  4. Records owners must have a continuing program for carrying out these objectives and monitoring business unit activities. All contacts with business units to ensure compliance and adequate input to the development of new or revised notices will be along functional lines similar to the IRM provisions authorizing the maintenance of the system of records.

  5. Direct inquiries and recommendations from personnel concerning the adequacy of existing notices to the official identified in the published notice as maintaining the system. Process inquiries and recommendations concerning systems of records which do not appear to be covered by an existing notice through normal supervisory channels within the function whose records are involved. The responsibility for the system of records lies with the official who instructed the records to be accumulated.

  6. Officials identified in notices as maintaining a system of records are to forward any matters they are unable to resolve and their own inquiries and recommendations to the official who issued the governing instructions authorizing or prescribing the existence or maintenance of the systems of records.

When to Publish a System of Records Notice

  1. Responsible IRS personnel must publish a System of Records Notice (SORN) in the Federal Register when establishing a new system of records, before collecting the information for inclusion in a system of records.

  2. Responsible IRS personnel also must publish notice in the Federal Register when making significant changes to an existing system of records. As a general matter, significant changes are those that are substantive in nature and therefore warrant a revision of the SORN to provide notice to the public of the character of the modified system of records. Examples of significant changes include:

    1. A substantial increase in the number, type, or category of individuals about whom records are maintained in the system. For example, a system covering physicians that is being expanded to include other types of health care providers (such as nurses or technicians) would require a revised SORN. Increases attributable to normal growth in a single category of individuals generally would not require a revised SORN.

    2. A change that expands the types or categories of records maintained in the system. For example, a benefit system that originally included only earned income information that is being expanded to include unearned income information would require a revised SORN.

    3. A change that modifies the scope of the system. For example, the combining of two or more existing systems of records.

    4. A change that modifies the purpose(s) for which the information in the system of records is maintained.

    5. A change in the IRS’s authority to maintain the system of records or maintain, collect, use, or disseminate the records in the system.

    6. A change that modifies the way in which the system operates or its location(s) in such a manner as to modify the process by which individuals can exercise their rights under the statute (such as to seek access to or amendment of a record).

Scope of a System of Records

  1. Before developing a SORN, responsible IRS personnel must carefully consider the proper scope of the system of records. Agencies have discretion in determining what constitutes a system of records for purposes of preparing a notice. However, responsible IRS personnel must consider the following general factors when determining whether a group of records will be treated as a single system or multiple systems for the purposes of the Privacy Act:

    1. The IRS’s ability to comply with the requirements of the Privacy Act and facilitate the exercise of the rights of individuals.

    2. The informative value of the notice. Responsible IRS personnel must consider whether a single SORN or multiple SORNs would provide the most informative notice to the public about the existence and character of the system(s).

    3. The IRS’s ability to be responsive to individual access requests. Responsible IRS personnel must consider whether a single SORN or multiple SORNs would provide the best notice to individuals regarding how and where they may request access to their records maintained in the system(s) and would allow the IRS to respond to such requests most effectively.

    4. The purpose(s) and use(s) of the records. If different groups of records are used for distinct purposes, it may be appropriate to treat those different groups of records as separate systems. Although different groups of records may serve a general common purpose, responsible IRS personnel must also consider whether different routine uses or security requirements apply to the different groups, or whether different personnel of the IRS regularly access the groups.

    5. The cost and convenience to the IRS, but only to the extent consistent with the above considerations regarding compliance and individual rights. Considerable latitude is left to agencies in defining the scope or grouping of records that constitute a system of records. The IRS may choose to consider the entire group of records for a particular program as a single system, or the IRS may consider it appropriate to segment a group of records (such as by function or geographic unit) and treat each segment as a system of records to provide better notice to the public. When an agency chooses to segment a group of records into separate systems of records, the agency must nevertheless ensure that the SORN for each segment clearly describes any linkages that exist between the different systems of records based on the retrieval of the records. For example, if records described in different SORNs are in fact linked together through a central indexing or retrieval capability such that an employee or contractor retrieving records described in one SORN would necessarily also retrieve and gain access to records described in another SORN, the agency must explain this linkage in the "Policies and Practices for Retrieval of Records" section of both SORNs.

  2. A government-wide system of records is where one agency has regulatory authority over records in the custody of multiple agencies, and the agency with regulatory authority publishes a SORN that applies to all of the records regardless of their custodial location. The application of a government-wide SORN ensures that privacy practices with respect to the records are carried out uniformly across the Federal Government in accordance with the rules of the responsible agency. For a government-wide system of records, all agencies – not just the agency with government-wide responsibilities – are responsible for complying with the terms of the SORN and the applicable requirements in the Privacy Act, including the access and amendment provisions that apply to records under an agency’s control.

  3. As a general matter, a government-wide system of records is appropriate when one agency has government-wide responsibilities that involve administrative or personnel records maintained by other agencies. For example, the Office of Personnel Management has published a number of government-wide SORNs relating to the operation of the Federal Government’s personnel programs.

  4. A Treasury-wide system of records covers many Treasury bureaus, including the IRS.

  5. See the Systems of Records Notices page on IRS.gov for more information on SORNs, including links to government-wide, Treasury-wide, and IRS SORNs.

Content of a System of Records Notice

  1. Each SORN must include the following information:

    1. Identification: Always shown as Treasury/IRS.

    2. System Number: Each system of records is assigned a system number. When preparing a new notice (SORN), request a system number from the Director, PPC via email addressed to the *Privacy mailbox. For a list of IRS systems of records and numbers, go to:http://www.treasury.gov/privacy/issuances/Pages/default.aspx#IRS

    3. System Name: The system name should be a title which generally reflects the categories of individuals in the system and/or the objective of maintaining the system, to be informative to the user of the notice. However, it is not intended that systems having established names should be renamed for this purpose. The system name should be followed by a dash and the identifier Treasury/IRS.

    4. Security Classification: A Security classification should only be shown if the entire system is classified Top Secret, Secret, or Confidential.

    5. System Location: Because the IRS is a decentralized organization, a System will usually have segments at various locations. For notice purposes these separate segments will be considered to be part of an overall system, although they function separately. The System location should be shown as Headquarters, IRS offices, Posts of Duty (PODs), campuses, or a computing center (as may be applicable) followed by the legend "(See IRS Appendix A)." Appendix A will cite the addresses for Headquarters, area offices, territory offices, campuses, and Computing Centers. Individual notices citing one or more of the above should not repeat the address. Any Notice which cites a location other than the above (except Post of Duty) should specify the city and street address or building name at which the System of Records is located.

    6. Categories of Individuals Covered by the System: The purpose of the requirement to state categories of individuals covered by the system is to assist individuals to determine if information on them might be in the system. The description of the categories should therefore be clearly stated in non-technical terms understandable to individuals unfamiliar with data collection techniques. The more specific and limited the categories described are, the fewer inquiries are likely to result from persons wondering if they are included in the system. However, any future broadening of the categories of individuals on whom records are maintained would require publication of a revised public notice before the change is put into effect.

    7. Categories of Records in the System: The categories should describe the types of information contained therein using non-technical terms. The addition of any new categories of records not within the categories described in a current notice would require the issuance of a revised public notice before the change is put into effect.

    8. Authority for maintenance of the system: Each system of records should identify the specific statutory authority or Executive Order which authorizes maintaining the system. In the absence of a more specific authority, 5 USC 301 should be shown.

    9. Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses: Each system of records should identify:

      1. The types of disclosures made from the system pursuant to Privacy Act Section (b)(3).

      2. The category of recipients and the purpose of disclosure. Include disclosures required by other statutes and appropriate citations.

        Note:

        Release of information to a member of Congress in response to written authorization of the constituent is a Section(b) release and not a routine use release.

        Note:

        Any new routine use or change in an existing routine use which has the effect of expanding the availability of the information in the system will require publication of a revised public notice before the change is put into effect.

    10. Policies and Practices for the storing, retrieving, accessing, retaining, and disposing of records in the system: Each system of records requires four separate entries as follows.

      1. Storage: Each system of records should list the type of medium in which records are maintained (such as paper records, machine readable, digital media, magnetic media, etc.).

      2. Retrievability: Each system of records should state the individual identifiers used to retrieve records from the system (such as by name, SSN, etc.).

      3. Safeguards: Each system of records should explain what measures have been taken to prevent unauthorized disclosure of records (such as physical security, personnel screening, etc.). A statement that Access Controls and Protections will be not less than provided for by chapter 10.2, Physical Security Program, chapter 10.5, Privacy and Information Protection, and chapter 10.8, Information Technology (IT) Security, may be used when appropriate.

      4. Retention and Disposal: Each system of records should explain how long the records are maintained, if and when they are removed to a Federal Records Center or to the Archives, and if and when they are destroyed. The entry may be based upon, or may make reference to, an appropriate records disposition schedule. See the IRM 1.15 series, Records and Information Management.

    11. System manager(s) and addresses: Each system of records will generally require two entries:

      1. The title of the official who prescribed the system.

      2. The official or, in a dispersed system, the officials, who have physical control of the system as "Officials maintaining the system."

        Note:

        The official who prescribed the system will generally be a management official or executive. The official maintaining the system will generally be an executive. Locations will be given for maintaining officials only.

    12. Notification procedure: Each system of records should include:

      1. The title and office of the official to whom an inquiry should be addressed.

      2. A citation to applicable regulations.

      3. A statement of exemption.

    13. Record Access Procedure: Each system of records should contain information naming the business unit that owns the records and how to request a copy of the records in the system.

    14. Contesting Record Procedure: Each system of records should contain appropriate elements similar to those in (k). In appropriate circumstances, this entry may call attention to IRC 7852(e), which precludes use of the Privacy Act to contest tax liability.

    15. Record Source Categories: Each system of records should indicate in general terms the sources of the information in the system. It is not the intention of this section to make available information concerning sources in investigations whose records would be exempt from the inspection provision.

    16. Exemptions Claimed for the System: Systems exempted from certain provisions of the Privacy Act is an entry intended to permit ready identification of those items which have been published in the Federal Register as part of a Notice of Exempt Systems. "None" is stated, or no entry is made for systems which are not exempt.

  2. Take special care in wording the entries for Routine Uses, Notification, Record Access, and Contesting Record Procedures.

Notice to Establish an Exempt System of Records

  1. The requirement to publish a public notice applies to all systems of records maintained by the IRS. The Privacy Act also allows agencies to exempt systems of records from certain provisions of the Act by publishing a rule stating which provisions and why the exemptions are appropriate. Such notices are published in the Federal Register and may be found at 31 CFR § 1.36.

  2. The contents of some systems of records may be exempted from the requirement that individuals be permitted access to those records and other requirements. Whenever a new SORN is proposed for a system that is intended to be exempt from some provision of the Privacy Act, an appropriate revision to the Notice of Exempt Systems must be submitted for the Commissioner's approval.

  3. Systems of Record are never automatically exempt from provisions in the Privacy Act. Exemptions require an agency head to make a determination that a system is allowed to be exempt and publish it as a rule subject to the Administrative Procedure Act, that a system falls within one of the categories of systems which are permitted to be exempted. That notice must include the specific provisions from which the system is proposed to be exempted and why the agency considers the exemption necessary.

  4. Whenever this exemption is exercised, the SORN may be somewhat less detailed or may be simplified, especially in regard to the statement of sources of information since in many investigative situations a suitable source of information can only be determined by the needs of the particular investigation.

  5. Any meaningful change in the categories of individuals covered by the system or the categories of records in the system may make it advisable to republish the Notices of Exempt Systems.

  6. Notices of Exempt Systems must be accompanied by a report identifying the changes or additions being made, and describing the nature, effect, and reasons for the proposed exemption in greater detail than in the Notice itself.

New Notices of Systems of Records

  1. The IRS cannot collect information about individuals for inclusion in a system of records until it issues a public notice of that system.

  2. The notice must be accompanied or preceded by a Report on New Systems. For more information on such reports, see the Report on New Systems of Records section of this IRM.

  3. The transmittal memorandum must indicate any necessary expeditious handling and must include a proposed schedule for implementing the various related actions such as:

    • Submission of the Report of New System.

    • Publication of proposed and final Notice of Exempt System.

    • Consideration of any public comments.

    • Issuance of data collection forms and/or instructions.

    • Issuance of Request for Proposal or Invitation to Bid for computer or communications systems.

    • Installation of equipment.

    • Implementation of the system.

  4. In some cases, a statute may require that a system of records begin functioning before the agency can comply with all Privacy Act requirements; any such conflict must be identified in the transmittal memorandum.

Modified System

  1. A change to a SORN, which modifies an existing system of records falling within the criteria established for submission of a Report on New Systems, must be treated as a notice for a new system. The transmittal memorandum must include the information specified for a new system.

  2. For more information on such reports, see the Report on New Systems of Records section of this IRM.

Editorial Changes

  1. Editorial changes consist of:

    • Corrections of typographical errors.

    • Correction of spelling or grammatical errors.

    • Minor rewording intended to clarify an existing notice.

    • Similar revisions.

  2. An editorial change reissues the SORN, but does not reflect any change in the system of records. It requires very little justification in the accompanying memorandum.

Limited Changes

  1. Limited changes reflect modifications of an existing system of records that do not fall within the criteria established for submission of a Report on New Systems.

  2. They do not involve any interruption or delay in operating the system pending the submission of such Report and the publication of a new SORN.

  3. A proposed limited change must be fully justified in the accompanying memorandum to demonstrate that the requirements for Report and Notice prior to operating the system have been considered and found to be inapplicable.

  4. For more information on such reports, see the Report on New Systems of Records section of this IRM.

Deleting a System of Records Notice

  1. A SORN may be deleted because the system:

    • Was submitted in error,

    • Was not subject to the Privacy Act, or

    • System has been discontinued.

  2. If it is important that the public be informed as soon as possible of a SORN deletion, prepare a suitable announcement for insertion in the Federal Register. When time is not a factor, delete the SORN by memorandum as part of the regular republishing of notices.

  3. Once a SORN is deleted, any subsequent proposal to reinstate the same system of records must follow reporting requirements as a new system.

Records Not Subject to Notice Requirements

  1. Files consisting of records which constitute input to another system of records are not subject to the notice requirement. If the input records contain personal information which is retrieved but not input to the reported system, they would constitute a separate system of records. Files that have a continued existence of their own may be subject to the notice requirement despite the fact that they may be part of another system of records.

  2. Files consisting of records produced from another system of records are not subject to the notice requirement if all personal information contained in the output is derived from the system being reported. If additional information is subsequently added to the output, or if the records are subsequently used for an unrelated or different purpose, or if they have a retention period longer than the system being reported, they would constitute a separate system of records.

  3. Files set up to assist in processing a reported system of records – but having no meaningful existence of their own and containing no personal information other than that being corrected, correlated, or otherwise moved to or from one or more reported systems of records – are not subject to the notice requirement.

  4. Copies of records, whether in the same or altered format, are not subject to the notice requirement, if all personal information contained in the copy merely reflects information contained in the system being reported. If additional information is subsequently given a different characterization, they would constitute a separate system of records.

  5. A file that temporarily contains records for processing purposes which will be returned to a reported system upon completion, is not subject to the notice requirement if information contained in the temporary file can be located by reference to the reported file.

  6. Information derived from a reported file for temporary use such as work planning, scheduling field visits, controlling individual inventories, reviewing case loads, or other activities related to the management of the IRS and not reflective of any individual information not recorded in a reported file will not be considered subject to the notice requirement.

  7. Telephone directories and similar lists which do not assign any characterization to any person listed are not considered subject to the notice requirement.

  8. Directories, industrial guides, reference works, and other source materials prepared commercially are not systems of records subject to the notice requirement.

  9. Separate notices are not required for the closed portions of files which have been reported as a system of records.

  10. The officials who had responsibility for records when they were open are responsible for preparing notices for closed or retired files that have no active counterpart. This must not be considered an instruction to search for and account for any document files from which records are no longer retrieved for IRS purposes.

Privacy Act Reports and Reports With Sections Requiring Privacy Act Information

  1. PGLD headquarters generally will prepare the following reports, except that PGLD prepares the privacy section for the FISMA report and submits it to IT. However, other business units are responsible for providing PGLD requested information to complete sections of the report.

Report on New Systems of Records
  1. Submit a Report on New Systems when the establishment of a new system of records subject to the Privacy Act is proposed or when any change to an existing system meets any of the following criteria:

    1. Increases the number, or changes the types, of individuals about whom records are maintained. Changes involving the number of individuals about whom records are kept need only be reported when that change significantly alters the character and purpose of the system of records.

      Note:

      Normal increases in historical files or other increases in the number of records in a file that can be attributed to normal growth patterns need not be reported.

    2. Expands the type or categories of information maintained.

    3. Alters the manner in which the records are organized or the manner in which the records are indexed or retrieved to change the nature or scope of those records.

      Example:

      The combining of two or more existing systems or splitting an existing system into two or more different systems such as might occur in a centralization or decentralization of organizational responsibilities would require a report. However, the combining or splitting of notices without any significant change to the system does not require a report.

      Example:

      A reorganization which placed a system or a portion of a system formerly maintained by SB/SE under the control of Criminal Investigation would require a report. A mere physical relocation, such as would occur if a State formerly served by one Campus were to be served by another Campus, or if the number or location of area offices were to change, would not require a new report.

    4. Alters the purposes for which the information is used. A proposal to establish or change the "routine uses" of the system will not require the submission of a Report on New System if such use is compatible with the purposes for which the system is maintained (if it does not, in effect, create a new purpose). Any new or changed "routine use" would be subject to the requirements to give 30 days prior notice of such change in the Federal Register, if the effect were to expand the release of information, but not if the effect were to restrict the release.

    5. Changes the equipment configuration (such as hardware and/or software) on which the system is operated to create the potential for either greater or easier access.

      Example:

      The addition of a telecommunications capability that would increase the risk of unauthorized access would require a report. However, the routine acquisition of equipment meant to effectively utilize processing capabilities, which is consistent with the development of the existing system and which does not involve a risk of improper access or create a capability for a massive release of information outside the agency, does not require a report.

      Example:

      The use of automated equipment for preparing an analysis of information maintained in a manual system without creating a continuing storage or retrieval capacity does not constitute a change in equipment configuration.

  2. The Report on New Systems is not intended to inhibit the application of technology to data processing or to reduce the efficiency with which the IRS serves the public. It is intended to provide an opportunity to examine the impact of new or altered data systems on citizens, the provision for confidentiality and security in those systems, and the extent to which the creation of the system will alter or change interagency or intergovernmental relationships related to information programs. The application of this reporting criteria must be consistent with these objectives.

  3. In applying the submission criteria, use a reasonable standard to avoid excessive reporting of insignificant details that would have no meaningful effect upon any Privacy Act consideration.

Report Contents
  1. The Report on New Systems must consist of a brief narrative description and supporting documentation. The report is prepared by the business unit that owns the records.

  2. The narrative description must be a brief statement, normally not to exceed four pages in length, which:

    1. Describes the purposes of the system of records.

    2. Identifies the authority under which the system of records is to be maintained.

    3. Provides the IRS’s evaluation of the probable or potential effect of such proposal on the privacy including compliance with section (e)(7) of the Privacy Act, which provides that agencies shall "maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity."

    4. Provides a brief description of steps taken by the IRS to minimize the risk of unauthorized access to the system of records, including a discussion of higher or lower risk alternatives which were considered for meeting the requirements of the system. A more detailed assessment of the risks and specific administrative, technical, procedural, and physical safeguards established must be available on request.

  3. The narrative statement should make reference, as appropriate, to information in the supporting documentation rather than restate such information.

  4. Where changes to computer installations, communications networks, or any other general changes in information collection, handling, storage, or dissemination are made which affect multiple systems of records, a single consolidated new system report may be submitted. In such cases, the narrative statement should address the overall privacy implications of the proposed change, identify all systems of records affected by the change, and briefly describe any unique effect on any specific system of records.

Supporting Documentation
  1. Supporting documentation, as defined in the subsequent paragraphs, must be provided for each system of records.

  2. An advance copy of the new or revised system notice.

    1. For proposed alterations of existing systems, the documentation should be provided in the same form as the IRS proposes to publish the public notice of such changes. If the IRS proposes to publish changes in the form of a revision to the public notice, a copy of the proposed notices of revision should be provided.

    2. If the IRS plans to supersede the entire existing notice, changes from the currently published notice should be highlighted by underlining all new or revised portions. In some situations, the modification of the system may involve aspects which are not reflected in the SORN, which, therefore, requires no change; a copy of the existing notice should be submitted with an appropriate explanation. In situations in which the planned modifications will be complex and will take place over a period of years, it may not be possible to provide an advance copy of the system notice; however, a tentative outline or a suitable explanation may be submitted instead.

  3. If the IRS proposes new exemption rules or changes to published exemption rules for the new or altered system, include an advance copy. If no change to existing exemption rules is required for the proposed new or altered system, the report must state that. Proposed changes to existing exemption rules must be provided in a manner similar to that described for the system notices.

  4. An advance copy of any proposed rules setting forth the reasons why the system is to be exempted from any specific provision, if applicable.

  5. The Narrative Statement and Supporting Documentation should be submitted with a transmittal memorandum identifying the materials attached. Existing descriptive materials may be included in the Supporting Documentation. Copies of SORN, Notices of Exemptions or proposed rules should, to the extent possible, be consistent with the established publishing requirements for such materials.

Reporting Systems of Records to OMB and Congress
  1. General. The Privacy Act requires each agency that proposes to establish or significantly modify a system of records to provide adequate advance notice of any such proposal to OMB, the Committee on Oversight and Government Reform of the House of Representatives, and the Committee on Homeland Security and Governmental Affairs of the Senate. This advance notice is separate from the public comment period for new or modified routine uses required by subsection (e)(11) of the Privacy Act and discussed in section 6 of OMB Circular A-108. Agencies provide advance notice to OMB and the committees of jurisdiction in Congress in order to permit an evaluation of the probable or potential effect of such a proposal on the privacy or other rights of individuals.

  2. Advance Notice of a New or Modified System of Records. Agencies must report to OMB and Congress any proposal to establish or significantly modify a system of records at least 30 days prior to the submission of the notice to the Federal Register for publication. OMB will have 30 days to review the proposal and provide any comments to the agency. The 30-day review period is separate from – and may not run concurrently with – the publication period in the Federal Register. Only significant changes to a system of records that require revision to the SORN, as described in section 6 of OMB Circular A-108, need to be reported to OMB and Congress; changes that are not significant do not need to be reported. Advance notice to OMB and Congress is required by subsection (r) of the Privacy Act. The purpose of the advance notice to OMB and Congress is to permit an evaluation of the potential effect of the proposal on the privacy and other rights of individuals.

  3. Although the review period will generally require no more than 30 days, OMB has the discretion to extend the 30-day review period based on the specific circumstances of the proposal. If an agency has questions about the timing of the review, the agency’s SORN liaison must consult with OMB’s Office of Information and Regulatory Affairs (OIRA).

  4. In circumstances where it is not feasible for the agency to wait until the 30-day review period for OMB and Congress has expired to publish the notice in the Federal Register, the agency may submit a formal written request from the SAOP to OIRA for an expedited advance review period (see section 7(d) of OMB Circular A-108 for information about expedited review requests.

  5. See Exhibit 10.5.6-3, Reporting Requirements, for new or altered Privacy Act Systems of Records reporting requirements.

Privacy Act Request Report
  1. The IRS files an annual report with the Department of the Treasury for inclusion in the Freedom of Information Act Annual Report submission to the Department of Justice that contains statistical data concerning Privacy Act and Freedom of Information Act requests, administrative appeals, and litigation.

  2. IRM 11.3.13.10 provides additional information on this report.

Annual FISMA Privacy Review and Report
  1. The Privacy Act originally required the President to submit a biennial report to Congress describing the administration of the statute. However, this requirement was subsequently repealed. In place of the biennial Privacy Act report, OMB now reports to Congress on agencies’ compliance with privacy requirements through the annual Federal Information Security Modernization Act of 2014 (FISMA) report to Congress.

  2. Each year, OMB issues guidance instructing each SAOP to review the administration of the agency’s privacy program and report compliance data to OMB. OMB uses the reports from agencies to develop its annual FISMA report to Congress.

Annual Matching Activity Review and Report
  1. At the end of each calendar year, the Data Integrity Board of each agency that has participated in a matching program during the year must conduct a review of that year’s matching programs and submit a report to the head of the agency and to OMB.

  2. The report for the preceding calendar year must be submitted to OMB at privacy-oira@omb.eop.gov by June 1 and posted on Treasury’s website at www.treasury.gov/privacy (see section 15 of OMB Circular A-108 for further information).

  3. The Data Integrity Board’s annual matching activity report must include the following elements:

    Element Description
    A. Current information about the composition of the Data Integrity Board, including:
    1. A list of the names and positions of the members of the Data Integrity Board.

    2. The name and contact information of the Data Integrity Board’s secretary.

    3. Any changes in membership or structure of the Data Integrity Board that occurred during the year.

    B. A list of each matching program in which the agency participated during the year. For each matching program, the report must include:
    1. A brief description of the matching program, including the names of all participating Federal and non-Federal agencies.

    2. Links to the matching notice and matching agreement posted on the agency’s website at www.Treasury.gov/privacy.

    3. An account of whether the agency has fully adhered to the terms of the matching agreement.

    4. An account of whether all disclosures of agency records for use in the matching program continue to be justified.

    5. An indication of whether a cost-benefit analysis was performed, the results of the cost-benefit analysis, and an explanation of why the agency proceeded with any matching program for which the results of the cost-benefit analysis did not demonstrate that the program is likely to be cost effective.

    C. For each matching program for which the Data Integrity Board waived the requirement for a cost-benefit analysis, the reasons for the waiver.
    D. A description of any matching agreement that the Data Integrity Board disapproved and the reasons for the disapproval.
    E. A description of any violations of matching agreements that have been alleged or identified, and a discussion of any action taken in response.
  4. The Data Integrity Board’s annual matching activity report may also include a review of any agency matching activities that are not matching programs.

Section 803 Reports Pertaining to Privacy Act Complaints
  1. Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007 requires certain executive branch departments, agencies, and elements to designate at least one senior official as a "privacy and civil liberties officer." In enacting the statute, Congress explained that such officers are meant "to function as a source of advice and oversight on privacy and civil liberties matters to the agency." More specifically, Section 803 directs that each privacy and civil liberties officer "serve as the principal advisor" to the agency with respect to three issues:

    1. Assisting the agency in appropriately considering privacy and civil liberties concerns in the development and implementation of laws and policies related to efforts to protect the nation against terrorism.

    2. Investigating and reviewing agency actions and procedures to ensure that the agency is adequately considering privacy and civil liberties in its actions.

    3. Ensuring that the agency has adequate procedures to respond to complaints from individuals who allege that the agency has violated their privacy or civil liberties.

  2. Each agency’s privacy and civil liberties officer must issue semiannual reports on the discharge of each of their functions under the statute. PGLD headquarters is responsible for preparing sections of the report that pertain to privacy and the Privacy Act and forwarding the information to Treasury, which compiles the Department’s reports.

  3. Privacy Complaints formal and informal: For Report purposes a privacy complaint is a written allegation filed with the Department concerning a problem with or violation of privacy protections in the administration of the programs and operations of the Department that may be the cause of harm or violation of personal or information privacy. This information may include:

    • Process and procedural issues, such as consent, collection, and appropriate notice.

    • Non-Privacy Act issues or identity theft mitigation.

    • Privacy Act issues.

  4. Civil Liberties Complaints formal and informal: For Report purposes, a civil liberties complaint is a written allegation filed with the Department alleging harm or violation of an individual’s constitutional rights. Types of civil liberties complaints include:

    • First Amendment (Freedom of speech, religion, assembly, and association).

    • Fourth Amendment (Protection against unreasonable search and seizure).

    • Fifth Amendment or Fourteenth Amendment, § 1 (Due process and equal protection).

Privacy Act Notification Programs (formerly IRM 11.3.16)

  1. This section provides instructions, guidelines, and procedures necessary for notification programs when Privacy Act Notices are required on forms and when Privacy Policy Notices are required online.

  2. The section also explains when the Privacy Act requires notice of disclosure of a person's information due to compulsory legal process.

Notification Programs Responsibilities

  1. The PPC office within PGLD has oversight for Servicewide compliance with Privacy Act notification programs.

  2. The business units must be familiar with the requirements because they prepare documents that ask individuals to fill out forms providing personal information.

  3. Records owners are responsible for the inclusion of necessary Privacy Act notices in administrative and tax forms.

  4. Media and Publications Services control the forms creation process, which includes routing necessary approvals of Privacy Act and Paperwork Reduction Act notices (PAPRANs).

    Note:

    Federal agencies collect a wide variety of information to ensure the public is kept safe from harm, receive benefits to which they are entitled, and fulfill their missions. Such collections can also impose significant burdens on the public. The goal of the PRA is to minimize the burden of these collections and maximize their utility. To help accomplish this, the PRA requires agencies to estimate the burden and consult with the public on these estimates.

  5. Office of Chief Counsel (Procedure and Administration) approves changes to PAPRANs on forms related to tax administration when necessary. Counsel may coordinate with PPC staff if necessary.

  6. Privacy Act notices on administrative (non-tax, such as personnel) forms require approval of the Director, PPC, via the *Privacy mailbox.

  7. If necessary, Director, PPC staff may coordinate with the Office of Chief Counsel (Procedure and Administration) regarding Privacy Act notices.

Notice to Individuals Asked to Supply Information (Privacy Act Notice)

  1. The Privacy Act (Section (e)(3) requires each agency that maintains a system of records, to inform each individual requested to supply information (either on the form it uses to collect the information, or on a separate form that can be retained by the individual) of:

    1. The authority (whether granted by statute or by Executive Order of the President) which authorizes the solicitation of the information and whether disclosure of such information is mandatory or voluntary.

    2. The principal purpose(s) for which the information is intended to be used.

    3. The routine uses that may be made of the information.

    4. The effects on the individual, if any, of not providing all or any part of the requested information.

      Note:

      See Exhibit 10.5.6-5, Glossary and Acronyms, for the definitions of applicable terms used in this list.

      Caution:

      Do not mislead or inadvertently coerce the individual.

  2. This provision is intended to ensure that individuals from whom information about themselves is collected are informed of the reasons for requesting the information, how it may be used, and what the consequences are, if any, of not providing the information.

  3. Implicit in this provision is the notion of informed consent since an individual should be provided with sufficient information about the inquiry to make an informed decision on whether to respond.

  4. The intent of the Privacy Act is that the notice be informative to the recipient. To be meaningful to the average person, it should avoid the use of technical language and should not be so lengthy as to discourage or confuse the reader. The content should summarize rather than itemize the information required to avoid unnecessary detail.

  5. This provision of the Privacy Act is applicable only to inquiries in which individuals are requested to provide information about themselves or their own affairs. It does not pertain to inquiries directed to third parties asking for information about someone else.

  6. The provision applies both to taxpayers and to other persons to whom inquiries about themselves may be addressed, such as IRS employees.

    Note:

    Pursuant to Privacy Act Section (j), Treasury has exempted IRS Criminal Investigation records from the application of the Section (e)(3) notification requirement.

Notice to Individuals Asked to Disclose Their Social Security Number

  1. Section 7 of the Privacy Act provides that it is unlawful for any Federal, State, or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose that individual’s social security number (SSN).

  2. The Tax Reform Act of 1976 allows a State or political subdivision to require the disclosure of SSNs to establish the identity of any person affected by:

    • Any tax law.

    • Any general public assistance law.

    • Any driver's license law.

    • Any motor vehicle registration law.

    • In the issuance of birth certificates and enforcement of child support orders.

    Exception:

    An exception is made for any disclosures which are required by Federal statute, and for a disclosure to any Federal, State, or local government agency maintaining a system of records in existence and operating before January 1, 1975, if such disclosure was required under statute or regulation adopted prior to such date for the purpose of verifying the identity of an individual.

  3. An agency which requests an individual to disclose that individual’s SSN is to inform the individual:

    1. Whether the disclosure is mandatory or voluntary.

    2. By what statutory or other authority such number is solicited.

    3. What uses will be made of it.

  4. The authority for requiring the use of SSNs as identifying numbers for tax administration purposes is provided by IRC § 6109.

The "Umbrella" Approach for Tax Returns

  1. The various inquiries made of individuals by the IRS in the course of tax administration are basically part of a single process. Rather than include the identical Privacy Act notice information in numerous forms or letters which represent repeated contacts with the same individual pertaining to the same situation, the IRS has adopted an "umbrella" approach in which the initial contact of a series includes a notice which the individual may retain and which would be applicable to all future inquiries related to that situation. This approach spares the recipient from receiving repetitious and unnecessary identical notices.

  2. A universal Privacy Act notice included in the Form 1040 instruction packages applies to:

    1. U.S. Individual Income Tax Returns.

    2. Declarations of estimated tax.

    3. Any forms or other returns required to be filed as an attachment to, or in conjunction with, the Form 1040 series form.

    4. Schedules, statements, or other documents related to the returns.

    5. Subsequent inquiries necessary to complete, correct and process the returns of taxpayers.

    6. Determining the correct tax liability.

    7. Collection of any unpaid tax, interest or penalty.

  3. This initial notice fulfills the Privacy Act notice requirements insofar as any further inquiries are concerned in the normal course of IRS Campus processing, including initial billing of tax due on the returns.

  4. Although the notice provided with the return instruction package would be legally adequate for subsequent inquiries, the IRS makes available a further notice, designated as Notice 609, Privacy Act Notice, for use when a distinct series of actions takes place beyond Campus processing.

  5. Notice 609 is revised as necessary to conform to the wording used for the universal notice approved for inclusion in the Form 1040 instruction packages.

  6. Notice 609 is distributed to:

    1. Taxpayers subject to collection activity on Taxpayer Delinquent Accounts.

    2. Taxpayers subject to Taxpayer Delinquency Investigations (in accordance with instructions provided by the appropriate Division Commissioner).

    3. Taxpayers whose returns are selected for examination in accordance with instructions provided by the appropriate Division Commissioner.

  7. Additional copies of Notice 609 are provided to any taxpayer upon request.

  8. The distribution of Notice 609 described in (6) and (7) does not require any individual documentation, as such distribution is made in addition to the minimal legal requirement.

  9. The distribution of the universal notice, plus the distribution of separate Notice 609 for the collection related stream and the examination related stream, should satisfy the Privacy Act notice requirement for all tax administration inquiries that can be anticipated.

    Note:

    For Notice 609 purposes, the Appeals process is considered a continuation of the examination and collection processes.

  10. If officials encounter circumstances requiring additional notices, they may further distribute Notice 609, if the wording appears appropriate to the circumstances.

  11. Do not adopt separate Privacy Act notices for tax administration purposes without prior approval of the:

    1. Appropriate Headquarters function.

    2. Director, PPC. Contact PPC via the *Privacy mailbox.

    3. Office of Chief Counsel (Procedure and Administration).

Notices Not Related to Tax Administration

  1. The Privacy Act requirements for a notice to individuals asked to supply information, and a notice to individuals asked to disclose their SSNs also apply to inquiries not related to tax administration, such as requests for information from IRS personnel for administrative purposes (such as personnel forms).

  2. The variety of information requested on such forms has made the use of a universal notice inappropriate. Accordingly, such forms generally will have individual Privacy Act notices. The notices should be included in the form itself, whenever feasible.

  3. The inclusion of necessary Privacy Act notices in administrative forms is the responsibility of the records owner. Such notices require approval of the Director, PPC (contact PPC via the *Privacy mailbox). If necessary, Director, PPC staff will coordinate with the Office of Chief Counsel (Procedure and Administration) regarding Privacy Act notices not related to tax administration.

Online Privacy Policy Notices

  1. For online data, the E-Government Act requires online privacy policy notices consistent with Privacy Act notice requirements, and OMB policy requires other notices. Online data may require several types of notices, such as:

    1. An IRS-approved IT system use notification message (see the AC-8 System-Use Notifications section of IRM 10.8.1).

    2. Link to IRS.gov Privacy Policy.

    3. Unique website or application Privacy Policy notice.

    4. Privacy Policy Departure Notice.

  2. Online privacy policy notices also require PPC approval via the *Privacy mailbox.

  3. For more information on Online Data and Privacy Policy Notices, see those sections of IRM 10.5.1, Privacy Policy.

Notifying Individuals That Their Records Were Made Available to a Person Under Compulsory Legal Process

  1. Subsection (e)(8) of the Privacy Act requires that agencies "make reasonable efforts to serve notice on an individual when any record on such individual is made available to any person under compulsory legal process when such process becomes a matter of public record."

  2. This provision applies to disclosures made pursuant to:

    1. Subpoenas and summonses.

    2. The order of a court of "competent jurisdiction," as authorized by subsection (b)(11) of the Privacy Act.

    3. An IRC § 6103(i) ex parte order. See the Notification Procedure section of this IRM for details.

      Note:

      See also IRM 11.3.28 and IRM 11.3.35 for disclosure of tax return and return information, and IRM 11.3.37 for the accountings required by IRC § 6103(p)(3).

    4. This provision does not apply to disclosures from a system of records exempt pursuant to subsection (j)(2) of the Privacy Act, as they are not subject to the subsection (e)(8) notification requirement.

  3. This provision does not apply to disclosures made pursuant to a written request by, or with the written consent of, the individual to whom the record pertains. Consequently, it does not apply if the process leading to disclosure is at the behest or on the behalf of the subject of the record.

  4. While this provision does not apply to disclosures made pursuant to subsections (b)(1), (2), (4)-(10), and (12) of the Privacy Act, this provision does apply when a disclosure is made pursuant to a routine use as provided by subsection (b)(3) that authorizes disclosures in response to subpoenas or court orders.

Notification Procedure
  1. This procedure will be carried out by the person authorized to make the disclosure following established procedures for the compulsory legal process.

  2. Any compulsory legal process which appears to make an individual’s record (which is subject to the Privacy Act) available to a third party should be carefully examined to determine whether it is subject to the notification procedure.

    Note:

    The notification procedure only becomes effective if the record is actually disclosed. Do not interpret this instruction as authorization for any disclosure.

  3. Provide notice within five working days of making a disclosure pursuant to compulsory legal process, except as provided in (4).

  4. If the disclosure is made in response to a grand jury subpoena or an ex parte order pursuant to IRC § 6103(i)(1), (5), or (7)(C), do not give the notice until the subpoena or order becomes a matter of public record. If the subpoena or order does not indicate whether it is a matter of public record, it may be necessary to request the issuing authority to advise the IRS when the matter becomes public, so that the required notice may be issued. See also IRM 11.3.28 and IRM 11.3.35 for notification rules involving ex parte orders in judicial, administrative, or grand jury situations.

  5. The notice will be mailed to the individual’s last known address. One copy of the notice should be maintained in the administrative or other file from which the disclosed documents originated. One copy should be associated with the record disclosed, if practical.

Privacy Act Recordkeeping Restrictions (formerly IRM 11.3.17)

  1. This section provides Privacy Act recordkeeping restriction policies that are designed to implement fair information practices, including:

    • Protecting civil liberties and Constitutional rights, such as First Amendment compliance, by not gathering information that is not authorized by statute or presidential executive order.

    • Reducing the chances of receiving less accurate information from third parties by collecting information, to the greatest extent practicable, directly from the subject individual when the information may result in adverse determinations about an individual’s rights, benefits, and privileges under federal programs.

    • Maintaining only such information about an individual as is relevant and necessary to accomplish an agency purpose required by statute or by presidential executive order.

  2. The Privacy Act provides that agencies will maintain no record describing how any individual exercises their rights guaranteed by the First Amendment unless at least of one of these applies:

    1. Expressly authorized by statute.

    2. Expressly authorized by the individual about whom the record is maintained.

    3. Pertinent to and within the scope of an authorized law enforcement activity.

  3. The First Amendment states:

    "Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof, or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for redress of grievances."

  4. Congress intended that in determining whether or not a particular activity constitutes the exercise of a right guaranteed by the First Amendment, agencies should apply the broadest reasonable interpretation.

  5. No file should be kept of persons who are merely exercising their constitutional rights. See the Permissible Records section of this IRM for types of records that may be kept.

  6. Voluntary compliance with the tax laws necessitates maintaining the highest possible degree of public confidence in the integrity of the IRS. The IRS, therefore, has a special responsibility to respect the rights of taxpayers concerning this aspect of the Privacy Act.

Recordkeeping Restrictions Responsibilities

  1. All IRS personnel involved in the design, development, operation, or maintenance of any system of records subject to the Privacy Act should be aware of the requirement prohibiting the maintenance of exercise of First Amendment information and should be alert to any potential violation of that prohibition.

  2. Personnel recognizing any questionable practices in regard to this prohibition should report the details to the official responsible for prescribing the system of records, for evaluation, and correction.

  3. Personnel receiving any inquiry from a member of the public questioning the content of any system of records in regard to the exercise of First Amendment rights should forward the inquiry, with a memorandum providing any available background information, through channels, to their management for response and appropriate action.

  4. Personnel and management requiring guidance concerning any information being recorded in a system of records under their control should seek PPC’s assistance through the *Privacy mailbox.

  5. All supervisory or other personnel having review responsibilities for case records should be alert to First Amendment considerations and include them in their reviews.

Permissible Records

  1. The IRS may maintain records describing the exercise of First Amendment rights only if one of the following conditions is met.

    1. A statute specifically authorizes it.


      1) Specific authorization means that a statute explicitly provides that an agency may maintain records on activities whose exercise is covered by the First Amendment, not merely that the agency is authorized to establish a system of records.
      2) The statute need not specifically address the maintenance of records of First Amendment activities if it specifies that such activities are relevant to a determination concerning the individual.

      Example:

      Taxpayers must provide information necessary to verify deductions on their tax returns. Such information may be recorded although, in some instances, it may reveal how individuals exercise their First Amendment rights, such as, religious affiliation, group membership, or political preference.

    2. The individual expressly authorizes it.

      Example:

      IRS employees may offer information concerning their activities in a community group to enhance their chances for advancement by demonstrating the acquisition of some specialized experience or leadership skill.

    3. The agency requires the record for an authorized law enforcement function. Congress intended to make certain that political and religious activities are not used as a cover for illegal activities.

      Example:

      Individuals who advocate, or who are active in organizations that advocate, noncompliance with the tax laws may reasonably be considered as possibly being involved in actual violations of the tax laws. Appropriate records of such activities may be maintained for compliance purposes.

Equal Treatment

  1. The impetus of this section of the Privacy Act is that all persons should be treated fairly and equally under applicable laws. The absence of First Amendment information from agency records helps to prevent selective treatment of persons on the basis of religion, opinion, or group membership.

  2. IRS personnel are responsible for avoiding any possible inference of selective treatment of taxpayers on the basis of their exercise of First Amendment rights.

  3. See also the Civil Liberties section of IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

Collecting Information Relating to Individuals from Third Party Sources

  1. Subsection (e)(2) of the Privacy Act states that an agency should:

    "Collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual’s rights, benefits and privileges under Federal programs."

  2. This provision stems from a concern that information obtained from third party sources could be erroneous, outdated, irrelevant, or biased.

  3. This provision establishes that decisions under Federal programs that affect an individual should be made on the basis of information supplied by that individual, but recognizes the practical limitations by qualifying the requirement with the words "to the greatest extent practicable."

Inquiries Affected
  1. Most inquiries made by the IRS, both in determining tax liability and in dealing with its personnel, are subject to the requirement of subsection (e)(2) of the Privacy Act.

  2. Inquiries in connection with criminal investigations, that are maintained as systems of records exempt under subsection (j)(2) of the Privacy Act, are not subject to the requirements of subsection (e)(2).

  3. Although the IRS will "collect information to the greatest extent practicable directly from the subject individual," it is recognized that compliance with internal revenue laws cannot be determined solely with reference to information on returns and documents filed with the IRS and that the IRS will have to obtain information from outside sources.

  4. Inquiries to third parties – in connection with the gathering, solicitation and documentation of evidence necessary in developing cases that have been assigned for collection of taxes or examination or investigation of a tax liability – will continue to be governed by the guidelines set forth in those portions of the IRM that relate to the collection of information from third-party sources, including the General Provisions section and the Controlling Information From Third Parties section of this IRM.

  5. See IRC § 7602 for rules relating to recordations of third party contacts. (See also IRM 11.3.21, Investigative Disclosure.)

Responsibilities Regarding Information from Third Parties
  1. Officials responsible for systems of records which contain information collected from third-party sources must include in their periodic review of procedures consideration of whether their practices are consistent with the intent of subsection (e)(2) of the Privacy Act and the General Provisions section of this IRM.

  2. This consideration must include a review of those portions of the IRM that relate to the collection of information from third-party sources.

Practical Considerations
  1. In analyzing each situation in which personal information is collected from a third-party source, each functional activity should consider the following:

    1. The nature of the program. It may well be that the kind of information needed can only be obtained from a third party, such as investigations where the taxpayer’s records are not available.

    2. The cost of collecting the information directly from the individual as compared with the cost of collecting it from a third party.

    3. The risk that the particular elements of information proposed to be collected from third parties, if inaccurate, could result in an adverse determination.

    4. The need to ensure the accuracy of information supplied by an individual by verifying it with a third party or to obtain a qualitative assessment (such as in verifying information submitted on a tax return or in connection with the review of an application for employment).

    5. The opportunities for verifying, whenever practicable, any such third-party information by consulting with the individual before making a determination based on third-party information.

  2. The objective, however, should be to obtain information directly from the individual involved whenever it is practical to do so.

Restrictions on the Maintenance of Information About Individuals

  1. Subsection (e)(1) of the Privacy Act provides that each agency that maintains a system of records shall:

    "Maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President."

  2. This provision is intended to reduce the amount of personal information collected by Federal agencies, thus reducing the risk of intentional or inadvertent improper use of personal data.

  3. See Exhibit 10.5.6-5, Glossary and Acronyms, for definitions for the following terms, which are used throughout the remainder of this IRM:

    • Maintain

    • Relevant

    • Necessary

  4. See the Monitoring of Individuals section of IRM 10.5.1.

Records Affected
  1. Subsection (e)(1) of the Privacy Act applies to all records maintained by the IRS (including those pertaining to taxpayers, IRS personnel, and other individuals), unless otherwise exempted.

  2. The IRS has asserted exemptions provided by the Privacy Act with regard to subsection (e)(1) for various systems of records.

  3. The exempt systems are primarily those that are investigative in nature and have been exempted to permit an orderly collection of data without challenge until such time as the relevance and necessity of the data has been determined. It is not possible to determine the relevance or necessity of specific information during the early stages of an investigation. Relevance and necessity are questions of judgment and timing. What appears relevant and necessary when collected may subsequently be determined to be irrelevant or unnecessary. It is only after the information is evaluated that the relevance and necessity of such information can be established with certainty.

  4. When information is received by the IRS relating to violations of law within the jurisdiction of other agencies, the IRS maintains this information to forward the material to the appropriate agencies and/or to respond to valid requests from those agencies to the extent provided by law or regulation.

  5. The handwritten notes of an agent taken during the interview of a witness continue to be relevant and necessary, and should not be destroyed even though they may have been included in a formal report. Court decisions have held that such notes must be preserved and are discoverable.

  6. The IRS will limit its inquiries to information that is necessary for the enforcement and administration of tax laws and other matters within its jurisdiction or delegated authority, and the internal administration of the IRS.

  7. Although it may have been necessary to exempt some systems of records from subsection (e)(1), the principles of relevance and necessity nevertheless remain applicable to all records to the extent that the IRS can apply them. These provisions will be applied to exempt systems of records to the extent that it is practical to do so.

    Caution:

    IRS personnel must not collect, maintain, use, or disseminate non-tax related information concerning taxpayers, except as necessary for the enforcement and administration of the internal revenue laws.

Relevant and Necessary Guidelines
  1. In order for the IRS to maintain information in its records, the information must serve a purpose that is required by statute or executive order of the President.

  2. The authority of the IRS to maintain a system of records does not give it the authority to maintain any information which is merely useful, nor may information be maintained merely because it is relevant. The information must be both relevant and necessary to accomplish the authorized purpose for which it is maintained.

  3. In the final analysis, a determination that information is relevant and necessary is judgmental. Such judgments should, however, be based upon a realistic evaluation of the purpose to be served by the information being maintained and a sound understanding of the principles underlying the Privacy Act. The IRS privacy principles are in IRM 10.5.1.

  4. The standards used to define necessity and relevance will vary widely depending upon the type of activity involved and the specific needs of a particular type of case.

  5. Some examples of factors that may be considered in determining whether information is relevant and necessary are:

    1. How does the information relate to the legal purpose for which the system is maintained?

    2. What are the adverse consequences, if any, of not collecting this particular information?

    3. Could the need be met through the use of information not in individually identifiable form?

    4. Does the information need to be collected on every individual who is the subject of a record in the system, or would a sampling procedure suffice?

    5. At what point will the information have satisfied the purpose for which it was collected, such as how long is it necessary to retain the information?

    6. Is the information, while generally relevant and necessary to accomplish a statutory purpose, specifically relevant and necessary only in certain areas?

  6. In addition to providing a standard that protects the privacy of the individual, the concepts of relevance and necessity can contribute to effective operations. The maintenance of information that is not relevant and necessary constitutes an ineffective use of IRS resources, that should be avoided. This standard can therefore be useful in promoting efficiency and good management.

  7. This provision is not intended, however, to interfere with the maintenance, evaluation, or presentation of evidence in civil or criminal matters.

Recordkeeping Restrictions Required
  1. A detailed review of the contents of each record within a system is not required and should not be attempted. It is important, however, that IRS personnel consider the legality, relevance, and necessity of the general categories of information maintained to ensure compliance with the Privacy Act.

  2. Responsible officials must review systems of records to ensure compliance with these requirements:

    1. In connection with the initial design of a new system of records.

    2. Whenever any change is proposed to an existing system of records.

    3. As part of the republication of the Notice of Systems of Records.

    4. Whenever an individual requests deletion of information on the basis that it is not relevant and necessary.

      Note:

      Review of such request should cause PPC to consider whether the inappropriate information constitutes an isolated occurrence or is characteristic of the system of records. If the inclusion of inappropriate information appears to be characteristic of the system of records or sufficiently widespread to warrant broad remedial action, PPC will refer the concern to the official responsible for prescribing the system of records who will take appropriate action.

    5. Whenever information indicative of a need for such review is received by the official responsible for prescribing the system of records.

  3. All IRS personnel involved in the design, development, operation, or maintenance of any system of records subject to the Privacy Act must be aware of the provisions concerning the legality, relevance, and necessity of information maintained concerning an individual.

  4. Personnel recognizing any questionable or undesirable practices in regard to these provisions should report the details, through channels, to the official prescribing the system of records for evaluation and appropriate action.

  5. Each Headquarters official who prescribes the maintenance of a system of records or issues IRM instructions to personnel involved in the design, development, operation, or maintenance of any system of records, should expand such instructions to include appropriate or necessary guidance to achieve compliance with the relevance and necessity provisions of the Privacy Act, as outlined in (6) and (7).

  6. Automated systems of records characteristically involve a limited number of data elements that are applicable to a large number of records. The inclusion of inappropriate information therefore tends to be characteristic of any system of records in which it occurs. Place emphasis on proper evaluation of the information to be recorded at the time the system is designed or updated. Since all the data elements to be included are known at the time of initial design, careful consideration of each element should result in an extremely high degree of compliance with the Privacy Act requirements.

  7. Systems of records that consist primarily of information entered upon preprinted forms require a somewhat different approach. The form design should request only relevant and necessary information. In addition to designing or revising forms, consideration of these aspects must also be included in the instructions on the use and preparation of the forms.

  8. Far more complex problems exist when a system of records consists of information that was gathered by personal interviews or investigative procedures and recorded in narrative form. The unstructured nature of such information gathering creates a risk of abuse in individual instances, which is difficult to detect and correct. Instructions for designing or maintaining such records should stress the following:

    1. Guidelines to assist personnel in conforming with the relevance and necessity provisions, keeping in mind the wide variance between activities and the specific needs of particular types of cases. Guidelines should, to the extent possible, help prevent inappropriate inquiries without hampering investigative techniques.

    2. Personnel engaged in investigative inquiries are expected to use mature judgment and to exercise self-discipline in determining the types of information to request and record.

    3. Use extreme caution when dealing with information of a highly personal nature relating to the relationships between individuals or personal activities that would not generally be made public by the individual involved.

    4. The mere fact that a person volunteers personal information does not serve as authority to record it, as it may nevertheless be irrelevant and unnecessary.

    5. In a pluralistic society, personnel may have contact with individuals who follow a variety of lifestyles, some of which may involve relationships or practices that may seem strange or even abhorrent to the investigator. Such factors would not generally be tax-related, and information concerning them should not be collected unless it can be shown to be relevant and necessary to a particular case.

    6. If possible, opinions or subjective impressions of individuals should generally be avoided. However, certain cases may require recording such impressions, especially those involving potential assaults upon IRS personnel, cases located in high crime areas, cases pertaining to uncollectible accounts, and cases recommending further investigation. Opinions or subjective impressions should be specifically identified as such, and, whenever appropriate, be accompanied by factual substantiation.

      Caution:

      Use extreme caution when dealing with information of a highly personal nature relating to the relationships between individuals or personal activities that would not generally be made public by the individual involved.

    7. Use existing supervisory or other review procedures to identify instances of personnel maintaining information that is not relevant or necessary. If a record is created or discovered that is irrelevant to the system of records (SOR) in which it is currently filed, remove it from the SOR and place it in the correct filing or recordkeeping location. Do not dispose of the record until its authorized destruction date (if there is one), as identified in either Document 12829, General Records Schedules, or Document 12990, Records Control Schedules. See also the IRM 1.15 series, Records and Information Management, for additional information on records management responsibilities. If erroneous or incorrect information is discovered, it should be corrected and the file annotated, to indicate the date the correction was made. Reviewers should advise personnel of the irrelevant entry to assist them in clearly understanding the meaning and importance of relevance and necessity; and whatever trends are identified, make recommendations to the responsible official for further guidelines or other corrective actions.

    8. In appropriate situations, develop awareness and responsiveness to Privacy Act principles as factors for use in employee evaluations.

Individual Personnel Recourse
  1. Personnel who believe they have been directed to maintain a record that is not relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President, or to maintain a record describing how any individual exercises rights guaranteed by the First Amendment (except as provided by the Privacy Act), or who otherwise believe they have been directed to violate the Privacy Act, should bring such matter to the attention of their immediate supervisor.

  2. Supervisors who need assistance responding to such inquiries should contact PPC through the *Privacy mailbox. PPC may collaborate with Disclosure, as needed.

  3. Personnel who have complied with (1) or (2) and are not satisfied with the response or who prefer not to comply, may submit an allegation of violation of the Privacy Act directly to the Treasury Inspector General for Tax Administration (TIGTA).

Privacy Act Requirement to Maintain Accurate, Relevant, Timely, and Complete Records

  1. Subsection (e)(5) of the Privacy Act provides that each agency that maintains a system of records shall:

    "... Maintain all records that are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination."

    1. The objective of this provision is to minimize, if not eliminate, the risk that an agency will make an adverse determination about an individual on the basis of inaccurate, incomplete, irrelevant or out-of-date records. See Exhibit 10.5.6-5, Glossary and Acronyms, for the definition of the term Determination.

    2. The phrase "as is reasonably necessary" recognizes the difficulty of establishing absolute standards of data quality.

      Note:

      Place emphasis on assuming the quality of the record in terms of its use in making decisions affecting the rights, benefits, entitlements, or opportunities (including employment) of the individual. Accordingly, apply the standards at the time of making a determination.

  2. Subsection (e)(6) of the Privacy Act provides that:

    "... prior to disseminating any record about any individual to any person other than an agency, unless the dissemination is made pursuant to subsection (b)(2) of this section (the Freedom of Information Act), make reasonable efforts to assure that such records are accurate, complete, timely, and relevant for agency purposes."

    1. The primary objective of this provision is to assure the quality of records disclosed to persons that are not subject to the provisions of subsection (e)(5).

      Note:

      This applies whenever a disclosure is made to a person other than the individual to whom it pertains.

    2. The provision also recognizes that information disclosed to other agencies is subject to the standards of accuracy, etc., established by those agencies.

      Note:

      Therefore, this provision does not apply to disclosures made to an agency. See Exhibit 10.5.6-5, Glossary and Acronyms, for the definition of the term Agency.

      Reminder:

      Technical employees such as Revenue Agents and Revenue Officers should be advised to keep their files clean of unrelated materials.

      Example:

      When personnel print information from third-party data or asset information services or other such system, they should immediately discard all material on unrelated parties unless such information is functionally declared necessary (such as to detail specific search methodology).

Exempt Systems
  1. Various systems of records have been designated exempt, under subsection (j)(2) of the Privacy Act from the provisions of subsection (e)(5).

  2. All systems of records are subject to the provisions of subsection (e)(6) of the Privacy Act.

Actions Required to Ensure Accurate, Relevant, Timely, and Complete Records
  1. Privacy Act instructions apply to all IRS personnel who maintain, collect, use, or disseminate information about individuals in published systems of records.

  2. When information is put into any system, phrase the language so as not to misrepresent the facts, or subject it to an inaccurate or misleading interpretation.

    Note:

    Record statements made by witnesses about an individual as such and do not indicate them as established facts.

  3. Information collected must be relevant, timely, and complete.

  4. Information put into IRS records must relate to some matter that the IRS is authorized and required to maintain in order to carry out its lawful mission.

    Note:

    Information maintained about personnel must relate only to their employment.

  5. Information must be complete to avoid misrepresentation or unfairness, or to avoid presenting an unfair picture of a situation which could result in a determination harmful to the rights of the individual.

    1. Caution:

      Personnel should be careful in meeting the completeness standard in that they should not collect irrelevant or unnecessary information. Records should include only those elements of information that clearly bear on the determination for which the records are intended to be used, but should include all elements necessary for the determination to be made.

  6. Prior to disseminating any record about an individual to a person (not an agency) other than the individual to whom it pertains, make reasonable efforts to assure that the requirements of subsection (e)(6) relating to accuracy, completeness, timeliness, and relevance have been fulfilled and that the record relates to the purposes of the IRS.

  7. Any record disclosed must be as accurate as when the IRS made the determination about the individual. If the information does not meet this standard, the record must be corrected before dissemination.

  8. The actions required by (6) and (7) do not lend themselves to specific periodic actions. However, this does not reduce the importance of the IRS responsibility to comply with the provisions.

    1. Meeting the demands of these provisions requires all IRS personnel to have an awareness of the rights of individuals.

    2. Personnel must be alert to the fact that notations made and actions taken may have far-reaching effects.

    3. Personnel should make every effort to ensure that the records they help to create would not result in an unfair determination about any individual.

    4. The IRS privacy principles are in IRM 10.5.1.

Privacy Act Access and Amendment of Records (formerly IRM 11.3.18)

  1. This section contains instructions for processing an individual’s formal written Privacy Act request for information contained in IRS systems of records.

  2. The Privacy Act affords individuals certain rights as to records contained in agency systems of records. Such rights, subject to various exemptions and restrictions, include the rights of being informed, in response to a request, if any system of records named contains a record pertaining to the requester; obtaining access to such records; requesting amendment of such records; and accounting for disclosures made from such records.

Access to Records

  1. Disclosure processes written requests under the FOIA or Privacy Act, whichever gives greater access. Refer to IRM 11.3.13, Freedom of Information Act.

  2. Individuals making a written request to Disclosure via the CPU for notification and access to IRS systems of records should:

    1. Furnish their name and address and sign the request.

    2. Clearly mark the request, "Request for Notification and Access."

    3. Insert a statement that the request is being made under the Privacy Act.

    4. Provide their SSN if the system being accessed is accessed by SSN. Requests for records maintained in the name of two or more individuals (such as husband and wife) must contain the names, addresses and SSNs (if necessary) of both individuals.

    5. Specify the name and location of the system of records being accessed.

    6. Indicate whether the requester wishes merely to be notified whether the system contains a record pertaining to that requester; whether that requester wishes to inspect the record in person; or whether that requester wishes to have a copy made and furnished by the IRS. If the individual requests copies, the request must include an agreement to pay the fee for copying records, if such fee is anticipated to be for $25.00 or more.

      Note:

      See the Privacy Act Fee section of this IRM for more information.

    7. In the case of records which are maintained by specific dates or periods, indicate whether the requester wishes notification and access to other than the latest period available. Unless otherwise specified, requests will be deemed to be limited to the latest period available.

    8. In the case of requests for notification and access to material maintained in a system of records which is exempt from notification and access under Privacy Act Section (k)(2), establish that the requester has been denied a right, privilege, or benefit that the requester would have otherwise been entitled to under Federal law as a result of the maintenance of such material.

  3. Although individuals are encouraged to meet all the requirements stated, all of the requested information may not be necessary to process every request. Managers are to exercise discretion in accepting requests as filed if they substantially meet procedural requirements and are adequate to permit processing.

  4. If a request for access to a system of records mentions the FOIA, process the request in accordance with procedures for administering that Act to the extent that the description reasonably permits the identification of the records. See IRM 11.3.13, Freedom of Information Act, for further instructions. A Privacy Act access request, like a first-party FOIA request, will be processed under the statute that provides the greatest right of access to the individual regardless of the statute cited by the individual.

Access to Records of Deceased Employees
  1. The Privacy Act only applies to living individuals. See OMB Guidelines, 40 Fed. Reg. 28,948, 28,951 (July 9, 1975). While the Privacy Act does not provide deceased employees confidentiality, their surviving families and friends have some expectations of privacy concerning certain aspects of records of deceased employees.

  2. Generally, the IRS privacy policy is to keep information about employees who died confidential. Sometimes the IRS may be required to disclose limited information about the deceased person to executors and relatives when the disclosure is necessary for implementation of a will or other necessary business to finalize the deceased person's affairs.

  3. If a surviving family member warrants protection of particularly sensitive graphic details about a death or other very sensitive information when disclosure would cause mental anguish and pain to the survivor. Keep the following in mind:

    • Survivors have the right to keep their privacy from being invaded by the disclosure of embarrassing, painful, or distressing information about the employee who died.

    • When feasible, only share basic information about an employee’s death (name, date of death, date/time/location of announced memorial services) with co-workers.

    • Treat the cause of death or the identities of surviving relatives and friends as confidential, until/unless the next of kin states that the IRS may share the information.

    • As with ill employees, information provided unofficially by the next of kin is not an agency record.

    • Be clear about what the next of kin wants co-workers to be told. Ask if there is a newspaper announcement to share, or invite the family/friend to ensure the accuracy of the information by sending a message to forward to co-workers.

  4. Email privacy and security standards require the use of encryption to protect sensitive but unclassified (SBU) information (including PII), unless the information is meant for the public (such as a death announcement). See the Email section of IRM 10.5.1, for additional information.

Processing Privacy Act Requests for Notification and Access

  1. Guidance for processing requests for notification and access is found in section 3, Appendix B of Title 31, Part I, Subpart C, of the Code of Federal Regulations.

  2. IRS personnel should follow routine procedures for information on data available under other procedures. For example, a taxpayer requesting a copy of their own tax return, or information relating to the balance due on their account, or an employee seeking to review their personnel folder. Personnel may provide such information under existing procedures, although the request may mention the Privacy Act.

  3. Individuals will not be required to submit Privacy Act requests for data available to them under other procedures.

  4. All written requests citing the Privacy Act for notification and access to IRS systems of records will be routed to the Disclosure Managers via the CPU.

  5. Disclosure Managers will determine if the request is processed under the Privacy Act or FOIA. If the request is processed under the FOIA, refer to IRM 11.3.13. If greater access is provided by processing under the Privacy Act, the following procedures apply:

    1. If a request for notification and access omits any information which is essential to processing the request: advise the requester within 10 working days of the additional information which must be submitted before the request can be processed. Then close the case.

    2. Disclosure will contact the business unit that has jurisdiction over the requested records. Disclosure will respond directly to the requester after the business unit provides a response.

    3. If a request extends to numerous systems of records, or systems which could not possibly contain information relating to the requester, the Disclosure employee should correspond with or telephone the requester to assist the requester in refining the request.

    4. Disclosure will provide a copy of any valid request for records to the official having control of the records, requesting that notification information, records, and/or a disclosure recommendation be provided.

    5. Notify the requester whether the system of records contains a record pertaining to the requester, unless the system is exempt from the notification requirement.

    6. Permit access to requested records (by inspection or copying), unless the system of records is exempt from the access provision.

    7. When access is requested to medical records, including psychological records, the Disclosure employee will consult with the system manager to determine if release could have an adverse effect on the individual, and that release will be made only to a physician authorized in writing to have access to such records.

    8. All disclosures made pursuant to the access and notification provisions must be consistent with all other disclosure requirements. Deletions may be necessary to protect information pertaining to persons other than the requester. Adhere to all provisions of IRC § 6103 accordingly.

    9. A response authorizing disclosure must be signed by the system manager, or by a Disclosure employee having an appropriate delegation from the system manager, and having obtained the concurrence of the function responsible for the records being disclosed.

    10. Make the determination to grant or deny access within 30 working days after receipt of a valid request. If the response cannot be made within 30 days, the Disclosure Manager will advise the requester of the reasons for the delay and of the approximate date the request will be answered.

    11. There is no provision for the administrative appeal of access denials under the Privacy Act. Responses should not mention any right to judicial review when a request does not substantially comply with appropriate regulations and is not adequate to permit processing. No mention should be made of a right to judicial review when requested records are contained in an exempt system of records, or where the requester has not established that the requester was denied a specific right, privilege, or benefit to which the requester would otherwise be entitled under Federal law as a result of the maintenance of such material.

Verification of Identity

  1. IRS employees assisting individuals in making requests for notification and access pursuant to the Privacy Act should verify that the requester is actually the person to whom the record pertains before processing the request. Ask the requester to establish the requester’s identity by presenting either one document bearing a photograph (such as a passport or identification badge) or two items of identification which do not bear a photograph, but do bear both a name and address and a signature.

  2. Use discretion in decedent Privacy Act situations. The IRS should disclose only the minimum information necessary to a person who has documentation to prove he/she has legal responsibilities to the decedent to allow that person to fulfill his/her legal duties. For further information about deceased employees, see the Access to Records of Deceased Employees section of this IRM.

  3. Requests received by IRS personnel and forwarded to the Disclosure Manager should include or be accompanied by a statement, signed by the IRS employee, indicating if the requester’s identity had been established and containing a short, written explanation of the substantiating documents that were reviewed to establish the identity of the requester.

  4. Requests for notification and access received by mail by the Disclosure Manager must not be processed unless the requester has established the requester’s identity in the request. The requester’s identity can be established by a signature, address, and one other item of identification such as a photocopy of a driver's license or other document bearing the individual's signature.

  5. Individuals may also establish their identity either in person or by mail by providing a notarized statement swearing or affirming to their identity, and to the fact that they understand the penalties provided in Privacy Act Section (i)(3) for requesting or obtaining access to records under false pretenses.

  6. Although the requirements for identification are discussed above, the employee receiving or processing the written request may require additional proof of an individual's identity before action will be taken if necessary to protect against an unauthorized disclosure.

  7. A parent of any minor, the attorney-in-fact of a person, or the legal guardian of any individual who has been declared to be incompetent due to physical or mental incapacity by a court of competent jurisdiction, must (in addition to the identification requirements) provide adequate proof of legal relationship and authority before the parent, attorney-in-fact, or guardian may act on behalf of such minor or individual.

Requests to Amend Records

  1. Guidance for processing requests to amend records, including any review and adjudication of an adverse determination, are found in section 4, Appendix B of Title 31, Part I, Subpart C, of the Code of Federal Regulations.

  2. Submit requests to amend a record under the Privacy Act to PPKM via the *Privacy mailbox. PPKM will coordinate with the office of the official designated in the access section for a particular system of records.

Statutory Exemption for Amendment of Tax Records
  1. IRC §7852(e) provides that subsections (d)(2), (d)(3), (d)(4), and (g), of the Privacy Act (the amendment and civil litigation provisions) shall not be applied, directly or indirectly, to the determination of liability of any person for any tax, penalty, interest, fine, forfeiture, other imposition or offense to which the provisions of the IRC apply.

  2. Respond to Privacy Act requests to correct tax records which may affect a person's liability by citing or quoting IRC §7852(e), within the context of an appropriate explanation. Furnish no statement explaining appeal rights.

Review of Refusal to Amend a Record

  1. Submit requests for review of a refusal to amend a record to PPKM via the *Privacy mailbox.

  2. PPKM will refer the request and proposed response to the appropriate reviewing officer for review and final determination.

Statement of Disagreement

  1. An individual who disagrees with a final determination not to amend a record that is subject to amendment under the Privacy Act may submit a concise statement for insertion in the record, stating the reasons for disagreement with the refusal of the reviewing officer.

  2. Submit statements of disagreement to PPKM via the *Privacy mailbox. .

  3. PPKM will forward the statement to the appropriate designated official for insertion in the individual's record.

    Note:

    Whenever physically possible, the contested entries in the record will be bracketed and a notation placed on the record: "See attached Statement of Disagreement."

  4. The Statement of Disagreement will be provided to all future recipients of the applicable portion of the record.

Privacy Act Fee

  1. The sole fee to the public pursuant to the Privacy Act is one that permits the Government to recover the expense incurred by providing copies of records. For more information, see IRM 11.3.5, Fees.

Privacy Act Accounting for Disclosures (formerly IRM 11.3.19)

  1. This section contains instructions for accounting required by the Privacy Act of non-tax disclosures.

  2. This requirement applies to disclosures of non-tax records under subsection (c) of the Privacy Act.

  3. Accounting for disclosure of tax records falls under IRC§6103(p)(3)(A).See IRM 11.3.37, Recordkeeping and Accounting for Disclosures.

Privacy Act Accounting for Disclosures Responsibilities

  1. Employees authorized to make disclosures of non-tax Privacy Act records must account for such disclosures.

  2. PPC has responsibility for Servicewide compliance oversight with Privacy Act accounting provisions.

  3. Disclosure will control and process written requests for access to accountings for disclosure of Privacy Act records.

Accounting Requirements

  1. The Privacy Act requires each agency to keep an accurate accounting of the date, nature, and purpose of each non-tax disclosure of an individual’s record to any person or to another agency and the name and address of the person or agency to whom the disclosure is made. See Privacy Act Section (c). This requirement only applies to records maintained in a system of records. See Privacy Act Section (a)(5).

  2. The accounting is not required when the disclosure has been to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties.

  3. Accountings are only required to be made when the non-tax record disclosure is pursuant to subsection (b) of the Privacy Act.

  4. The accounting is not required if the disclosure is made or would be required to be made pursuant to a FOIA) request. Release of publicly available information maintained in a Privacy Act System of Records released pursuant to a FOIA request does not require an accounting. Routinely this occurs when no FOIA exemption is applicable to withhold the records.

  5. For accounting of non-tax disclosures under the Privacy Act, use Form 5482, Record of Disclosure (Privacy Act of 1974). See the Form 5482 section of this IRM.

  6. Retain the accounting for at least five years or the record retention period of the subject record, whichever is longer.

  7. See IRM 11.3.37, Recordkeeping and Accounting for Disclosures, for detailed information about disclosures of tax returns and return information pursuant to IRC § 6103(p)(3)(A) accounting.

General Rules

  1. When accounting for disclosures of non-tax records under the Privacy Act, the number of sources from which information is furnished determines how many accounting records must be prepared. A source is information collected, developed, or maintained by a function from a system of records. .

  2. Though a function might disclose non-tax information about an individual taxpayer from more than one of its systems of records, the function should prepare an accounting record for only the system of records where the greatest amount of information is provided.

    Note:

    This procedure is consistent with the spirit of subsection (c) of the Privacy Act. It is more practical for administrative reasons to limit the number of sources when several systems of records are involved in order to avoid confusion over the amount of information disclosed.

    Example:

    Non-tax disclosure by Labor Relations: In a labor dispute, Labor Relations (LR) receives an Information Request from an authorized party (such as an employee’s representative) for related personnel files, which are non-tax Privacy Act information. A Human Resources Specialist (HRS) reviews the Information Request and determines what information may be released and forwards the request for that specific information the employee’s manager. That manager responds to LR with the requested documents. The HRS reviews the documents and works with the employee’s manager to ensure a complete response, with proper redactions. The HRS then sends the complete response of information to the Chief of LR for that Section to sign the release of information memo. Then LR provides the information to the requestor. In this example, the manager’s disclosure to LR is in the normal performance of duties to another agency official, under the Privacy Act, and does not require an accounting. The LR disclosure to the requestor requires a Privacy Act accounting. File Form 5482 with the records disclosed and keep for 5 years or the life of the record, whichever is longer. However, managers and LR specialists should discuss the accounting requirement in addressing such responses.

    Example:

    Non-tax disclosure in an emergency: A manager, whose Post of Duty is in on the east coast, has employees in several locations throughout the US. During a string of heavy spring storms in the Midwest, water levels continue to rise around the area where one of his employees live. They remain in regular contact and the employee is able to continue performing duties remotely, from home throughout, with no concerns. Suddenly, a single storm in the employee’s area causes widespread power outages and heavy localized flooding. The employee is not online the next day and doesn’t respond to phone calls. Concerned for the employee’s safety during this emergency, the manager reaches out to local emergency services to complete a "wellness check" of the employee, providing name, address, and reasonably related contact information (all non-tax Privacy Act information). This disclosure by the manager to local authorities is permissible under Privacy Act subsection (b)(8) and requires an accounting. The manager must document the accounting on Form 5482 and retain it in the employee’s file for five years, or the life of the file, whichever is longer. Managers are encouraged to work with Labor Relations Specialists in such events to ensure all procedures are followed and documented.

Form 5482 Procedure

  1. Each employee who makes a disclosure of a non-tax record subject to the accounting requirement, must prepare Form 5482, Record of Disclosure (Privacy Act of 1974).

  2. Maintain the original Form 5482 (electronic or paper) in a separate Form 5482 file held by the official having custody of the system of records. File forms in alphabetical order by name of the subject in a separate section for each (calendar) year. Maintain this file for five years. At the end of each year, destroy all the forms in the section which become five years old . See Document 12990, Records Control Schedules, RCS 8, Item 44.

  3. Copy the Form 5482 and associate the duplicate with the non-tax record disclosed and retain it for the retention period of that record.

  4. If the record is maintained on tape or some other format which precludes attaching Form 5482, no duplicate need be prepared.

  5. For multiple non-tax disclosures, in which all entries would be identical, except the identity of the subject, a single Form 5482 may be prepared by leaving the name block blank. A list of all persons involved would be attached to the original form which should be placed in front of the alphabetical items in the Form 5482 file. However, the list must not be attached to the copy placed in the record disclosed. The Form 5482 should be photocopied (one for each person whose records are disclosed) and the appropriate individual’s name inserted before association with the disclosed record.

  6. A Form 5482 recording a non-tax disclosure made pursuant to (b)(7) of the Privacy Act may be associated with the record disclosed only if the system of records has an exemption which would preclude the subject from obtaining the Form 5482 or learning of the (b)(7) disclosure. If the system of records would be generally available for the subject’s inspection (such as the official personnel folder) the Form 5482 should not be associated with the record. It should be marked for retention to be kept for as long its associated record file exists in the agency and filed in a special section of the Form 5482 file. The Form 5482 may be destroyed whenever the associated record disclosed is known to have been actually destroyed.

  7. Research to determine the existence of the underlying record should not be undertaken simply to permit destruction of Forms 5482.

Requests for Access to Accountings of Disclosure of a Privacy Act Record

  1. Subsection (c)(3) of the Privacy Act provides that accountings of disclosures (non-tax) made pursuant to the Privacy Act will be available to the individuals named in the records at their request.

    Exception:

    IRC §6103(p)(3)(A) exempts certain tax disclosures from the Privacy Act accounting requirements.

  2. Certain systems of records are exempt from the above requirement in accordance with the Notice of Exempt Systems.

  3. A further exemption is provided for accountings of disclosures made pursuant to subsection (b)(7):

    "...to another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the agency which maintains the record specifying the particular portion desired and the law enforcement activity for which the record is sought."

Form of Request
  1. The request must originate from an individual and must be for an accounting of disclosures that relates to records subject to the Privacy Act.

  2. The request must be in writing and signed by the individual.

  3. Identification sufficient to meet the requirements discussed in the Verification of Identity section of this IRM, must be provided.

  4. Requests seeking access to accountings of disclosures maintained on non-tax records, such as Form 5482, Record of Disclosure (Privacy Act of 1974), must be sufficiently specific (generally stating the particular record and/or system of records, and the location in which maintained) to permit an orderly search of Form 5482 files.

  5. See IRM 11.3.37, Recordkeeping and Accounting for Disclosures, for processing requests for access to accountings of tax disclosures.

Processing Requests
  1. Time limits and general processing steps for requests for access to Privacy Act (non-tax) accountings of disclosures are the same as those provided for general access requests in the Processing Privacy Act Requests for Notification and Access section of this IRM.

  2. Responsible personnel will obtain the Forms 5482 necessary to process a request pertaining to non-tax records.

  3. Once the Forms 5482 are located, the responsible personnel must interpret the entries and prepare a response, informing the requester that the listed items represent those accountings of disclosures which are maintained and required to be made available pursuant to the Privacy Act.

  4. The listed items should consist of:

    1. Date, nature, and purpose of the disclosure.

    2. System of records or specific record disclosed.

    3. Name of recipient agency, activity or person.

    4. City and state address of recipient, if available.

  5. The response will be signed by the Disclosure Manager or other delegated official.

    Reminder:

    No appeal rights are provided.

    Caution:

    Do not release information from a Form 5482 if the disclosure was made from an exempt system or the box for (b)(7) is checked.

    Note:

    There is no responsibility to perform additional research to establish a basis for releasing a (b)(7) disclosure.

Exemptions
  1. To prevent a requester from obtaining premature knowledge of the existence of an investigation and thereby defeating the law enforcement process, review accountings of disclosures prior to release and withhold those which are exempt.

  2. The method for determining which accountings of disclosures are to be withheld will be a process of elimination. By following these instructions in the order presented, the largest and most obvious categories to be withheld or to be released can be eliminated first, leaving only a small residue of determinations requiring a more careful analysis.

  3. If Then
    The entry does not identify a current or former Privacy Act system of records Withhold the accounting of disclosures, as no right of access exists, and eliminate from further consideration.
    The entry identifies a current or former Privacy Act system of records for which any exemption has been established Withhold the accounting of disclosures and eliminate from further consideration.
  4. The remaining accountings of disclosures will consist exclusively of items that are subject to the Privacy Act and that are not exempt from being made available to the subject by virtue of a (j) or (k) exemption.

    Caution:

    Further analysis will be required to determine if the accounting should be withheld because it relates to a (b)(7) request.

  5. If the accounting was not eliminated by a prior step, further research will be necessary to obtain information to determine if a (b)(7) disclosure which should be withheld was involved.

    1. Utilize the name of the taxpayer and the date of disclosure to search disclosure files or correspondence controls.

  6. If the foregoing search fails to produce information necessary to make a determination, withhold the accounting.

  7. In applying the foregoing instructions pertaining to (b)(7) disclosures, it will not be necessary to withhold an accounting of disclosure if information is:

    1. Available that the investigation which prompted the disclosure has become a matter of public record.

    2. Known to the requester.

    3. No longer needing to be protected.

      Note:

      There is no responsibility to perform additional research to establish a basis for releasing a (b)(7) disclosure.

Personnel Records (formerly IRM 11.3.20)

  1. This section provides guidelines for the disclosure of particular Privacy Act records or categories of records maintained by the Human Capital Office (HCO) or division employees with personnel responsibilities and certain records controlled by Office of Personnel Management (OPM).

  2. Personnel records were subject to disclosure requirements prior to the enactment of the FOIA and Privacy Act.

  3. The Office of Personnel Management (OPM) promulgated rules and regulations concerning federal records required for personnel management. Such rules and regulations granted individuals access to most records pertaining to themselves. The OPM rules and regulations are contained in several Parts of Chapter 1, Subpart B, of Title 5, Code of Federal Regulations (CFR), which instructs agencies to maintain records in confidence and to release personnel records only to those individuals within or outside the agency who have a definite need for the information.

  4. The exclusive representative (National Treasury Employees Union (NTEU) in the case of the IRS) is granted access to certain information by virtue of its rights defined under 5 USC § 7114(b)(4).

  5. Personnel/human resources issues are handled by the appropriate HCO function.

  6. For simplicity, HCO Personnel is used throughout this IRM to denote the responsible function for personnel/human resources issues.

Privacy Act Requirements for Personnel Records

  1. The Privacy Act provisions are applicable to those personnel records which are maintained by a personal identifier and contain personal information.

  2. The IRS personnel systems of records are patterned after those of OPM. The records are grouped into systems of records (SORs) according to similar purposes for establishing the files, similar handling of records, and similar types of records.

  3. Most personnel records are subject to the Privacy Act as they are maintained by employee name, SSN, or Standard Employee Identifier (SEID) and are therefore in one or more of the personnel systems of records.

  4. The OPM also has Privacy Act responsibilities for certain personnel records that are maintained by federal agencies. See the Personnel section of this IRM, which defines these shared responsibilities. The OPM's Privacy Act rules and regulations are found in 5 CFR § 297.

  5. The system manager for most IRS personnel records is HCO management. Requests for access to IRS employee personnel records is made through the office maintaining the records.

  6. Access to those records not under the control of HCO can be requested from the system managers or designees listed under each system of records in the Notice of Systems of Records.

Personnel Systems of Records
  1. The Privacy Act requires Notices of Systems of Records to be published in the Federal Register. The IRS’s Notices of Systems of Records are published as a part of the Department of the Treasury's publication.

  2. A specific coding designates the systems of records as belonging to Treasury and the IRS. This coding is part of the title of each system of records. The coded title for each system is Treasury/IRS followed by a five digit number that has a period after the second digit. Each of the first two digits indicates the functional organization and the division which controls the records.

    Example:

    The systems of records controlled by HCO Personnel functions all have a "3" as the first digit. The systems of records controlled by HCO all have a "6" as the second digit. The last three digits following the period designate the specific system of records controlled by HCO.

  3. A title for the system is also used with the coding structure.

    Example:

    Treasury/IRS 36.001, Appeals, Grievances and Complaints Records would indicate that the records are under the control of Treasury, the IRS, HCO Personnel function and Personnel Services and that appeals, grievances and complaints are in this system.

  4. The personnel systems of records under the control of HCO Personnel are the following:

    • Treasury/IRS 36.001, Appeals, Grievance and Complaints Records

    • Treasury/IRS 36.003, General Personnel and Payroll Records

  5. A similar coding is used by each department or agency in the federal government. The OPM has control over certain personnel records maintained by other federal agencies. The OPM uses a coding system which designates whether the particular system contains records of federal employees or only OPM employees. This coding is accomplished by the following method:

    • OPM/GOVT-1, General Personnel Records , is a government-wide system of records controlled by the OPM and contains records about federal employees.

    • OPM/Internal-7, Complaints and Inquiries Records, is a system of records controlled by OPM and contains records on OPM employees only.

  6. The OPM also has a third type of system of records. This third type contains records on all federal employees that are both controlled and maintained by OPM. The coding for these systems uses the words OPM/Central.

    Example:

    OPM/Central-1, Civil Service Retirement and Insurance Records.

  7. There are two other Federal agencies which have government-wide systems:

    • The Equal Employment Opportunity Commission controls and maintains the EEO complaint records maintained by agencies in the system EEO/GOVT-1, Equal Employment Opportunity in the Federal Government Complaint and Appeal Records.

    • The Department of Labor controls and maintains records on all Federal employees who have filed Workers Compensation claims. These records are in entitled DOL/GOVT-1, Office of Workers Compensation Program, Federal Employees Compensation Act File.

Conditions of Disclosure Under the Privacy Act

  1. The Privacy Act (section (b) limits access to a record without the prior written consent of the individual to whom the record pertains. It lists Conditions of Disclosure where a record may be disclosed without prior written consent of the individual.

    Caution:

    When tax records protected by IRC § 6103 are involved, the requirements of that section take precedence over the generalized provisions of the Privacy Act.

  2. The following table outlines the most common conditions that IRS personnel will encounter:

    Condition of Disclosure Description
    (b)(1) Internally to officers and employees of the agency who have a need for the information in the performance of their official duties.
    (b)(2) For the release of a record as required by the FOIA. The existence of an actual FOIA request is a prerequisite for application of this provision.
    (b)(3) The routine use provision, which allows for the disclosure of a record for a use which is compatible with the purpose for which the record was collected.

    A routine use generally involves disclosure to another agency, State or local government or other organization, and must be specified in the Notice of Systems of Records.

    Under this condition, disclosures are also made to unions recognized as exclusive bargaining representatives pursuant to 5 USC § 7114.
    (b)(5) This provision is for statistical research or reporting purposes. The record may only be provided in a format that is not individually identifiable.
    (b)(7) For civil and criminal law enforcement activities. This condition of disclosure is applicable when Federal, State, and local governments request information for investigations of welfare fraud, tax matters, unemployment compensation and other civil or criminal law enforcement activities.

    The requirements for granting a (b)(7) request are specific. Responsible personnel must determine whether the request meets the four requirements of the (b)(7) condition as follows:
    1. The request must be made in writing.

    2. The request must specify the particular portion of the record(s) desired on a given individual(s).

    3. The request must state that the information is for a civil or criminal law enforcement activity which is authorized by law, including investigations related to such activities, and must specify the law enforcement purpose for which the record is sought.

    4. The request must be made by the head of a Federal, State or local agency or an appropriate official of the agency. The head of a city or county department, District Attorney, Chief of Police, Chairperson of a county board or committee, tax commissioner, or deputy tax commissioner among others, would be considered an appropriate official. If the individual executing the request is below this level, contact may be made with the requester to obtain either a new request from the appropriate level or a statement which authorizes the requester to execute such requests.


    When the request involves payroll data, the request is sent to the appropriate Payroll Center with responsibility for the employee's function. Responsible personnel may consult the Public Information Listing (PIL) to determine the appropriate Payroll Center to contact. See IRM 11.3.13.9.10.1, Public Information Listing, for the PIL website access procedures.

    Note:

    In the case of a subpoena and/or summons for payroll records, see also the charts attached as exhibits to Delegation Order 11-2 (which is also IRM 1.2.2.11.2) and IRM 11.3.35, Requests and Demands for Testimony and Production of Documents.



    The IRS has adopted the policy of allowing the IRS function processing the (b)(7) request to also authorize the (b)(7) release. The level of authority official should be specified in functional procedures.
    (b)(8) When there is a compelling circumstance affecting the health or safety of the individual. This provision is strictly interpreted and the release is limited to emergency situations.
    (b)(10) To the Comptroller General or the Government Accountability Office in the performance of its duties. This condition includes any GAO audit or request for a Comptroller General decision where information from a record, subject to the Privacy Act, is disclosed. See IRM 11.3.23, Disclosure to the Government Accountability Office (GAO).
    (b)(11) Disclosure pursuant to an order of a court of competent jurisdiction. See the Disclosure Under Court Order section of this IRM for specific instructions on disclosures under this condition.
Disclosure Under Court Order
  1. Documents controlled by OPM, such as the right (long term) side of the Official Personnel Folder (OPF), are disclosed in accordance with the instructions in 5 CFR § 297.402 and 5 CFR § 297.403.

  2. A court order, demand (subpoena or summons), or an order from an administrative body, such as a State unemployment compensation board, which requires testimony or the production of documents by an IRS official will be processed in accordance with procedures for subsequent approval by the appropriate official authorized by Delegation Order 11-2 (see also IRM 1.2.2.11.2 ).

  3. In accordance with the Civil Service Reform Act of 1978, Title VII, Section 7132, Part (a)(2):

    " No subpoena shall be issued under this section which requires the disclosure of intra-management guidance, advice, counsel, or training within an agency or between an agency and the Office of Personnel Management."

  4. Personnel should review IRM 11.3.35, Requests and Demands for Testimony and Production of Documents, and IRM 11.3.13, Freedom of Information Act, for further guidance on processing requests for personnel and payroll records.

  5. After an employee has left the IRS for any reason, HCO will forward the OPF within 90 days to OPM for maintenance and retention. After the OPF has been transferred, OPM is the appropriate agency to respond to subpoenas or other requests for personnel records. OPM requires a subpoena or court order signed by a judge. Subpoenas should be directed to:

    The Office of General Counsel
    Office of Personnel Management
    1900 E Street, NW
    Washington, DC 20415

Exemption from Disclosure Under the Privacy Act

  1. The Privacy Act provides that certain records may be exempt from access and amendment. The following table contains the Privacy Act exemptions and their descriptions:

    Privacy Act Exemption Description
    (d)(5) Exempts from disclosure information compiled in anticipation of a civil action or proceeding. This provision may be used to exempt information prepared for use in litigation and otherwise protected from release by the FOIA or rules of civil procedure.
    (k)(5) Applies to:
    • Information which would reveal the identity of a source of the information who was provided an express promise of confidentiality.

    • Investigatory material compiled solely for the purpose of determining suitability, eligibility, and qualifications for Federal civilian employment or access to classified material.

    • A source who supplied information prior to the effective date of the Privacy Act (September 27, 1975) under an implied promise of confidentiality.

    (k)(6)
    • Used for testing or examination materials used solely to determine individual qualifications for appointment or promotion in the Federal service.

    • Claimed because the disclosure of the testing and examination materials would compromise the objectivity or fairness of the examination process.

Accounting for Disclosures of Personnel Records under the Privacy Act

  1. The Privacy Act requires each agency to keep an accurate accounting of the date, nature, and purpose of each disclosure of an individual's record to any person or to another agency and the name and address of the person or agency to whom the disclosure is made. See the Privacy Act Accountings for Disclosures section of this IRM for specific information.

  2. Some disclosures of Privacy Act information are exempt from the accounting requirement. These include disclosures made under section (b)(1) and (b)(2) of the Privacy Act as well as those made to the individual or another recipient at the individual's request, and those tax disclosures made expressly exempt under IRC § 6103(p)(3)(A). For tax disclosures, see IRM 11.3.37, Recordkeeping and Accounting for Disclosures.

Freedom of Information Act (FOIA) and Personnel Records

  1. The FOIA provides access to federal government records by the public. The public includes:

    • Federal employees.

    • Employee organizations with exclusive bargaining representation rights.

    • All other individuals or organizations seeking access to government records.

  2. This Act is applicable to all federal government agency personnel documents. There are, however, exemptions which allow the denial of certain documents or parts of documents as they pertain to personnel matters.

  3. The OPM also has FOIA responsibilities for personnel records that are maintained by agencies. These responsibilities are detailed in each of the sections describing the various records. Processing FOIA requests will be consistent with OPM regulations at 5 CFR § 293 and 5 CFR § 297, and with IRM 11.3.13, Freedom of Information Act.

  4. The Privacy Act only applies to living employees. See OMB Guidelines, 40 Fed. Reg. 28,948, 28,951 (July 9, 1975). However, while the Privacy Act does not grant deceased employees confidentiality, their surviving families and friends have some expectations of privacy concerning certain aspects of records of deceased employees. Requests for deceased employee records under FOIA do allow for information to be exempted to maintain the privacy of surviving families and friends even if the Privacy Act may not. For further information about disclosure of information concerning deceased employees, see the Access to Records of Deceased Employees section of this IRM.

Commercial Solicitation
  1. The OPM regulations at 5 CFR § 294.103 provide guidance on how commercial solicitation firms can obtain access to public information items on employees.

  2. When a commercial solicitation firm requests information on employees, the public information items, to the extent requested, are to be provided.

Public Information Listing
  1. There are six items of information which have been designated by the OPM as public or official information. See 5 CFR § 293.311. This information is available from both the Official Personnel Folder (OPF) and Employee Performance Files (EPFs), their automated equivalent records, and from other personnel record files that constitute an agency record within the meaning of the FOIA.

  2. Requests for the Public Information Listing (PIL) do not have to be processed pursuant to FOIA unless the requester specifically requests processing under the FOIA..

  3. Public information for employees in "sensitive" and/or "cybersecurity" designated positions from the PIL is mostly exempt, with the exception of certain "base salary" information, pursuant to discussions with OPM. Whether information may be disclosed often needs to be considered on a case-by-case basis. The PIL available through Disclosure does not contain the names of employees who have been assigned an approved IRS pseudonym.

  4. See IRM 11.3.13.9.10.1 for more information on the PIL.

Disclosure Under 5 USC § 7114

  1. As part of the agency's and exclusive representative's (NTEU, in the case of the IRS) duty to negotiate in good faith, the Civil Service Reform Act of 1978 (Title VII, Section 7114, Part (b)) delineates the agency's obligation to furnish to the exclusive representative involved or its authorized representative, upon request and, to the extent not prohibited by law, data:

    1. Which is normally maintained by the agency in the regular course of business.

    2. Which is reasonably available and necessary for full and proper discussion, understanding, and negotiation of subjects within the scope of collective bargaining.

    3. Which does not constitute guidance, advice, counsel, or training provided for management officials or supervisors relating to collective bargaining.

  2. Requests from the NTEU under the collective bargaining rights are directed to the Labor Relations (LR) office of HCO or other designated LR function.

Disclosure Pursuant to IRC § 6103(l)(4)

  1. Tax returns and return information may be used in disciplinary/adverse actions, suitability determinations and other personnel decisions when relevant. These include unemployment compensation and workers compensation cases filed by IRS employees or former employees where the IRS is the employer involved. Also included are EEO cases or Merit System Protection Board (MSPB) cases where the IRS is one of the named parties.

  2. Such use may prompt an employee, former employee, or legal representative thereof, to seek access to such records, or it may permit the Service to disclose returns and return information to advance or protect the interests of the United States.

  3. Any employee called upon to release files under IRC § 6103(l)(4) should use caution. Coordination with the local Disclosure Manager is recommended. Coordination with the Office of Chief Counsel, General Legal Services (CC:GLS) is often necessary.

Disclosure of Tax Records Permitted by IRC § 6103(l)(4)(A)
  1. IRC § 6103(l)(4)(A) authorizes disclosure of relevant and material returns and return information, upon written request, to an employee or former employee or their authorized legal representative for use in a personnel action or proceeding. Release of the employee's own tax information is governed by IRC § 6103(c) and IRC § 6103(e). IRC § 6103(l)(4)(A) is also relevant to persons and their legal representatives whose rights are or may be affected by an administrative action or proceeding under 31 USC § 330. These actions relate to conference and practice matters under the jurisdiction of the Office of Professional Responsibility (OPR).

  2. Authorized legal representative refers to any individual designated by the employee and who has signed a form letter which, among other things, acknowledges his/her awareness of the disclosure ramifications and penalties associated with accessing confidential tax information. Such form letter is generally attached to letters proposing a disciplinary suspension or adverse action and advises the employee of his/her right to request a copy of the evidence file. The signature on the form letter is necessary even where the methodology of taxpayer identity protection includes using coded identities and a key to the code. See IRM 6.432.1, Reduction in Grade and Removal Based on Unacceptable Performance - Policies, Authorities, Requirements, and Procedures , and IRM 6.751.1, Discipline and Disciplinary Actions - Policies, Responsibilities, Authorities, and Guidance, for more information including sample form letters.

    1. Note:

      Those persons who come into contact with the tax return or return information contained in an evidence file as supervisors or reviewers of the designated representative(s) need not sign the form letter.

      Note:

      NTEU, as an entity, is not the legal representative of a bargaining unit employee. Only specifically authorized-designated Union employees who have signed the form letter may receive information from the IRS under IRC § 6103(l)(4)(A).

  3. Release of the evidence file (material relied upon) in an unredacted form may be made to the employee and/or authorized representative if a written request is made under IRC § 6103(l)(4)(A) and the request is approved by the appropriate official. Equitable treatment claims by requesters do not qualify as "material relied upon" so IRC § 6103(l)(4) will not allow disclosure of such tax information.

  4. When a proper IRC § 6103(l)(4)(A) request is received, HCO and/or the appropriate functional will determine whether the records meet the relevant and material criteria of the statute.

    1. The Disclosure Manager will be available to give advice and assistance, if needed

    2. A recommendation is then made to the official authorized to release the records under Delegation Order 11-2 (see also IRM 1.2.2.11.2).

  5. Generally, only such information that has been relied upon by the Service in the proceeding should be disclosed.

    Example:

    The employee or his/her legal representative may normally have access to audit administrative files which were prepared by the employee only if they are being used by the Service as the basis for the action.

    1. If additional files are requested that are material and relevant to the issue in controversy in the personnel action or proceeding, IRC § 6103(l)(4)(A) will also permit disclosure of these files. IRC § 6103(l)(4)(A) does not compel the disclosure of any tax information.

    2. The administrative file must clearly reflect what tax information, if any, has been disclosed. As a safeguard, taxpayer identities should be coded by the releasing official ( Taxpayer A, Taxpayer B, etc.) and a key which includes the actual taxpayers' identities should be attached to the letter to the employee. The body of the letter itself should contain a strong admonition against disclosure of returns or return information.

  6. When dealing with returns or return information in proposing disciplinary suspensions or adverse actions, the following practical steps should be followed:

    1. Prepare the proposal letter with all return information coded.

    2. Attach a key to the coded information and include a strong admonition against disclosure of returns or return information in the body of the proposal letter.

    3. The evidence file should be coded to correspond to the key attached to the proposal letter.

    4. If the employee or his/her duly authorized representative executes a request for disclosure under IRC § 6103(l)(4)(A), and the written request is approved, the employee's representative may be provided the returns or return information.

    5. If the disciplinary action is appealed to arbitration, to the Equal Employment Opportunity Commission (EEOC), or to the MSPB, the appeal or grievance file may be transmitted to the arbitrator, the EEOC, or the MSPB with returns or return information, to the extent relevant and necessary.

  7. The employee and his/her representative should be advised that the tax returns and return information provided pursuant to a request made under IRC § 6103(l)(4)(A) are confidential and may be used solely in preparation for, or in, the action. The employee and his/her representative should also be advised of the criminal penalty and civil liability provisions of IRC §§ 7213, 7213A, and 7431, respectively, regarding unauthorized inspection or disclosure. The representative (NTEU officer) may not use the information for other cases. Use can only be made relevant to the actual case for which the information was disclosed. See IRM 6.751.1, Discipline and Disciplinary Actions - Policies, Responsibilities, Authorities, and Guidance for further guidance and sample forms.

  8. Disclosures of tax information made pursuant to IRC § 6103(l)(4)(A) must be accounted for in accordance with IRC § 6103(p)(3)(A).

  9. In personnel matters, employees may not release confidential tax information to the NTEU or their representative outside of the provisions of IRC § 6103(l)(4). It is immaterial whether the Union official or representative is an IRS/Treasury employee. IRC § 6103(h)(1) does not cover such a release. An IRS employee is not authorized to disclose tax information in the employee’s own matter, regardless of whether an IRC 6103(l)(4)(A) request has been made.

  10. In matters falling under OPR's conference and practice jurisdiction, the standards of this IRM as well as statutory and procedural rules will be used to respond to requests.

  11. TIGTA has its own procedures relative to IRC § 6103(l)(4)(A) but uses form letters like those discussed in (2).

Disclosures to Treasury Permitted by IRC § 6103(l)(4)(B)
  1. IRC § 6103(l)(4)(B) permits disclosure of returns and return information to Treasury officers and employees for use in a personnel action or proceeding, or in preparation for such action or proceeding, to the extent necessary to advance or protect the Government's interests. Such proceedings encompass those described in the Disclosure of Tax Records Permitted by IRC § 6103(l)(4)(A) section of this IRM, but the rest of this subsection focuses on OPM procedures in particular.

  2. This provision permits the IRS to disclose returns and return information to OPM when needed in a personnel action of any kind. OPM's reclassification of position grade levels is an "administrative action" within the meaning of IRC § 6103(l)(4), and OPM's desk audits are part of the preparation for an OPM reclassification action.

  3. Although IRC § 6103(l)(4)(B) allows the disclosure of returns and return information to OPM, this provision does not condone blanket disclosures of returns and return information to OPM. Need and relevance must be considered.

  4. When returns and return information are considered for use in a personnel action or in preparation for such an action, the need for confidentiality must be balanced against the need for specificity of information. To attain the proper balance, these guidelines should be followed:

    1. To the extent possible, returns and return information should not be disclosed in administrative personnel actions before OPM.

    2. If it is determined that it is necessary to disclose returns and return information to OPM, to the extent possible, portions of the returns and return information rather than the entire document should be disclosed.

    3. Identifying information should be deleted from returns and return information to the extent disclosure of this information is not necessary.

    4. OPM may not remove returns and return information from the IRS premises unless it is determined that they have established a compelling need to do so.

    5. OPM may not include returns and return information in their reports without approval from the IRS;


      1) When the appropriate management official identified in Delegation Order 11-2 has determined that OPM has established a compelling need to include such information in their reports, they may authorize OPM's use for this limited purpose
      2) Under no circumstances will OPM be permitted to include taxpayer identifying information in their reports;

    6. Officers and employees of OPM receiving or having access to returns and return information should be cautioned relative to the criminal penalty and civil liability provisions of IRC §7213, IRC §7213A, and IRC §7431, respectively, for unlawful access or disclosure of tax information. In this regard, officers and employees of OPM should be informed that returns and return information retain their status as returns and return information even if taxpayer identifying information is removed.

    7. The disclosure of certain returns and return information such as grand jury or tax treaty/convention information is governed by provisions in addition to IRC § 6103. Such information may be disclosed only in accordance with both applicable provisions. IRM 11.3.27, Disclosure of Returns and Return Information to Grand Juries, discusses confidentiality of grand jury information; IRM 11.3.25, Disclosure to Foreign Countries Pursuant to Tax Treaty, deals with disclosures to foreign countries and tax treaty/convention information.

  5. As necessary, HCO will be available to assist the official authorized to release records under Delegation Order 11-2, and the employees being interviewed, in evaluating OPM's need for returns and return information. The Disclosure Manager will also be available to provide advice and assistance.

  6. Disclosures of tax information made pursuant to IRC § 6103(l)(4)(B) are exempt from the accounting requirements of IRC § 6103(p)(3)(A) and the Privacy Act.

Processing Requests for Personnel Records

  1. Disclosure and HCO share the disclosure responsibilities for the release of personnel information. There may be instances where a functional area Payroll Center will also be involved with the disclosure of certain information. Direct policy questions to PPKM via the *Privacy mailbox.

  2. HCO will process, in accordance with the Privacy Act:

    1. Informal requests by employees relating to their own records.

    2. Routine requests which can be processed pursuant to OPM rules or negotiated labor agreements.

    3. Matters which traditionally fall within the area of HCO activities, provided that tax returns or return information subject to IRC §6103 are not involved.

  3. HCO will provide timely assistance to Disclosure Managers on requests subject to disclosure processing, such as records search, copying services, and recommendations on the HCO aspects of releasing or withholding records.

  4. The Disclosure Manager will process requests citing the FOIA or Privacy Act involving tax returns or return information subject to IRC § 6103, and any requests involving novel or complex disclosure problems.

  5. The precise distinction between a routine matter falling within HCO responsibilities and a novel or complex disclosure problem requiring processing by Disclosure may be locally determined by mutual agreement.

  6. Records requiring the review, recommendation or involvement of functional areas other than HCO and Disclosure, should be coordinated with HCO.

  7. The Disclosure Manager will be available to assist and advise HCO on disclosure matters.

  8. Requests which require payroll information should be worked by HCO. If the IRS employee whose payroll records are requested consents to release and salary information is all that is needed by a third party, the appropriate system or website should be used.

  9. Requests from the exclusive representative under its rights defined in 5 USC § 7114(b)(4) should be forwarded to the Workforce Relations office.

  10. Requests from the exclusive representative under FOIA should be handled by Disclosure in coordination, as appropriate, with the servicing Workforce Relations office of HCO.

Promotion/Selection Files

  1. The term "Promotion Files" is used in this section to include all files established for the purpose of selecting individuals for vacant positions.

  2. The promotion file is maintained according to the vacancy announcement number or Promotion Certificate Number. While the information in the file may be found in other systems of records, the promotion file itself is not subject to the Privacy Act.

  3. The promotion file includes those documents used or initiated in the selection process.

Documents in the Promotion/Selection File
  1. For each individual, the file may contain any or all of these:

    • An Application for Reassignment/Promotion form

    • A Promotion Appraisal form

    • A Ranking Panel Evaluation Sheet

    • OF-612 or resume

    • USAJOBS resume

    • Examples of employee's work products

    • Interview sheets

    • Supervisory Potential evaluation

    • Statement of Accomplishments

    • Memorandum of Interest

    • Special application forms

  2. Information which would compromise the objectivity or validity of the selection process should be withheld. This would include test items and answer keys, crediting plans, or ranking criteria and may include interview plans and information on other selection methods. The policy on release of crediting plans may be found on the Strategic Human Resources website..

    Note:

    Each employee entrusted with such information has a positive duty to know what should be released and what should not, and to act accordingly.

Maintenance of the Promotion/Selection File
  1. The promotion file is maintained in the HCO Office for two years.

  2. The documents in the file are established for a particular selection and should not be reused for any other personnel action.

  3. However, the Performance Appraisal, prepared by an employee's supervisor and which remains current for six or twelve months, is the exception. The copy of the Performance Appraisal can be used in any promotion action during its currency.

Disclosure to the Exclusive Representative Pursuant to 5 USC § 7114
  1. If a grievance is filed pursuant to the negotiated agreement between the parties, a grieving employee as well as the steward representing the grieving employee, upon request, will be provided the evaluative materials used by the ranking panel in rating eligible employees.

  2. The local chapter may also request a copy of the complete promotion file used in filling a bargaining unit position in anticipation of filing a grievance.

  3. The local chapter is also provided a copy of the promotion certificate previously given to the selecting official, identifying the selected candidate(s).

    Note:

    This pertains only to bargaining-unit positions.

  4. To align with the Privacy Act and the FOIA, the evaluative materials are to be edited, with deletion of sensitive and damaging personal information, prior to their release.

  5. The editing should only delete such items as:

    • Mental and/or physical health

    • Allegations of employee misconduct

    • Training course grades

    • Date of birth

    • SSN

    • Marital status

  6. Information that pertains solely to a person's Government service may be disclosed, such as:

    • Tenure

    • Salary

    • Grade

    • Position title

    • Work schedule

    • Agency-sponsored training and awards received

  7. Names of employees may also be disclosed. Requests for names of employees using pseudonyms require additional scrutiny. Refer to the Employee Privacy Matters section of IRM 11.3.13.

  8. Requests from the NTEU under the collective bargaining rights are directed to the Labor Relations office.

  9. To the extent tax information of third parties is included in these files, the grievant's access, as well as the grievant's representative's access, will only be in accordance with IRC § 6103(l)(4)(A). See the Disclosure of Tax Records Permitted by IRC § 6103(l)(4)(A) section of this IRM.

Disclosure to Employees
  1. Employees, acting independently of the exclusive representative, do not receive the same amount of information as the exclusive representative when requesting information on a bargaining unit position. See the Disclosure to the Exclusive Representative Pursuant to 5 USC § 7114 section of this IRM.

  2. Additional deletions must be made to protect the other employees' information:

    • Names

    • Dates of training

    • Schooling

    • Particular assignments

    Note:

    Pronouns and other similar identifying information should also be deleted.

  3. Sufficient information should also be provided to permit an employee to grieve the file.

  4. These procedures are also applicable for all non bargaining unit promotion files, regardless of the Union status of the employee requesting the file.

  5. If request is pursuant to the FOIA, process as a FOIA request. See IRM 11.3.13, Freedom of Information Act.

Disclosure to the Public
  1. When a member of the public, (aside from the exclusive representative exercising its 5 USC § 7114 rights) seeks a promotion file, only that information which shows that the file was processed in accordance with merit principles, should be disclosed. The Union is treated like a member of the public when it submits a FOIA request.

Selection from an OPM Register
  1. HCO Personnel should only keep documents pertaining to the selected individual.

  2. Documents received from the OPM, except for those of the selectee, should be returned to the OPM and any copies destroyed.

  3. Copies of the Certificate of Eligibles maintained by the HCO office are not to be disclosed. The certificate is an OPM record and the requester should be directed to the appropriate OPM office.

  4. If, during an interview, an applicant discloses tax information which causes a negative suitability determination, OPM may be advised that the applicant was not selected for employment, but the IRS is prohibited by IRC §6103 from disclosing any tax information to OPM.

  5. If additional information concerning the specific grounds for non-selection is requested, OPM should be advised that such information is confidential tax information which is protected from disclosure by IRC § 6103 and may not be released unless the applicant consents, in writing, to such release in accordance with IRC § 6103(c) and the regulation promulgated thereunder.

Selection from an IRS Register
  1. The term "IRS Register" is used here to include all files established and maintained by an IRS Special Examining Unit for the purpose of examining and certifying individuals for selection to vacant positions.

  2. These files may include:

    • Personal qualifications statements

    • Supplemental qualifications statements

    • Other applicant-submitted materials

    • Notations made by raters or reviewers showing earned ratings and veterans preference

    • Register cards

    • Index cards

    • Answer sheets

    • Certification history which may include certificates of eligibles

  3. Information which compromises the objectivity or validity of the examination and certification process must not be released. This would include such items as:

    • Test items and answer keys

    • Rating schedules including crediting plans, ratings sheets, test booklets, and transmutation tables

    Note:

    These records are in OPM/GOVT-5, Recruiting, Examining and Placement Records, system of records and are exempt under the Privacy Act (Section (k)(5)).

Agency Grievance Files

  1. Agency grievance records are those which are compiled and maintained by the HCO Personnel office as the result of an employee filing a grievance pursuant to IRM 6.771.1, Internal Revenue Service Employee Grievance System and Grievance Examiner Handbook - Agency Grievance System (AGS).

  2. These files are generally a part of Treasury/IRS 36.001, Appeals, Grievances and Complaints Records, and are maintained by the employee grievant's name.

Documents in the Agency Grievance File
  1. The documents in the file may include:

    • Form 5877, Agency Grievance and Authorization for Representative's Access to Official Records

    • The employee's written notice of filing a formal grievance

    • Selection of Fact Finder

    • Documentary evidence

    • Interview records

  2. If the grievance is resolved prior to conclusion of the grievance process, the file may or may not include:

    • Fact finder’s recommendations and report

    • Deciding official's decision or statement of objections

Access to the Agency Grievance File
  1. These files are subject to the Privacy Act, which governs access by the individual to whom the record pertains.

  2. The grievance procedure instructs the IRS to provide a copy of the file to the grievant and the grievant's representative upon written request.

  3. Those individuals who are named or who have been interviewed (other than the grievant) do not have access under the Privacy Act since the file is in another individual's name.

  4. However, documents such as an affidavit provided by a third party would generally be available to the same third party. Access by a third party should be evaluated in accordance with the FOIA. The final decision letter and other portions of the file may be disclosed under FOIA with that information deleted which would be a clearly unwarranted invasion of personal privacy, or which is otherwise exempt from disclosure under FOIA.

Negotiated Agreement Grievance Files

  1. Negotiated Agreement Grievance Files are those records which are compiled and maintained by the HCO Personnel office as the result of an employee filing a grievance under one of the negotiated agreements.

  2. These files are a part of Treasury/IRS 36.001, Appeals, Grievances and Complaint Records, and are maintained by the grievant's name.

Documents in the Negotiated Agreement Grievance File
  1. The documents in the file will vary, based upon the grievance issue.

  2. At a minimum, the file should contain the written decision made at the first step of the negotiated procedure in the applicable collective bargaining agreement.

  3. The appeals and written answers for each step of the grievance must also be maintained per the governing agreement.

Access to the Negotiated Agreement Grievance File
  1. These files are subject to the Privacy Act, which governs access by the individual to whom the record pertains. Routine use and the other disclosure provisions in subsection (b) of the Privacy Act are applicable.

  2. The major portion of the file is available to the grievant and the grievant's representative upon written request.

  3. Under 5 USC § 7114 and the negotiated agreements, the Union has the right to be present at grievance meetings and receive copies of each step's decision, whether or not the grievant chose Union representation.

  4. When the Union is not representing the grievant, the disclosure is made as a routine use. This routine use provides for the disclosure of information to the exclusive representative when required or relevant to its duties.

  5. The intra-management documents discussing the grievance should be reviewed under 5 USC § 7114(b)(4)(C). See the Disclosure Under 5 USC § 7114 section of this IRM.

  6. Additionally, the documents may receive protection from disclosure under the (d)(5) provision of the Privacy Act.

  7. To the extent third party tax information is included in these files, the grievant's access, as well as the grievant's representative's access, will only be in accordance with IRC § 6103(l)(4)(A). See the Disclosure of Tax Records Permitted by IRC § 6103(l)(4)(A) section of this IRM.

  8. There may be grievances with tangential files which are not subject to the Privacy Act, such as promotion files. The disclosure of these accessory files are to be considered separately from the grievance.

  9. To the extent a request for Negotiated Agreement Grievance Files is received and cites the FOIA, see IRM 11.3.13 for additional information on appropriate FOIA exemptions and Personnel files.

Retirement Records

  1. Retirement records are those records compiled as a result of an employee applying for voluntary retirement or disability retirement, and those retirements initiated by the IRS.

  2. These records are completed by both the HCO Personnel office and the Union in accordance with instructions in the negotiated agreement.

  3. Retirement records in the control of the HCO Personnel office are a part of Treasury/IRS 36.003, General Personnel and Payroll Records.

  4. When the HCO Personnel office has completed necessary processing, the records are transmitted to the Payroll Center for payroll and final IRS processing.

  5. The Payroll Center is responsible for:

    1. Maintaining the SF-2806, Individual Retirement Record.

    2. Preparing the SF-2807, Register of Separations & Transfers for retirement actions.

    Note:

    The SF-2806 and SF-2807 are included in Treasury/IRS 36.003, General Personnel and Payroll Records.

  6. The retirement records, once they are received by OPM, are included in OPM/Central-1, Civil Service Retirement and Insurance Records.

Voluntary Retirement
  1. Documents such as health and life insurance forms that are maintained as a permanent part of the OPF, are included in the retirement records once a retirement application is received.

  2. SF-2801, Application for Retirement , is completed when an employee indicates a desire to retire.

  3. A retirement file by employee name is not usually established per se, but those documents necessary to process the retirement application are handled as a group.

  4. In some instances where it is anticipated that difficulties may arise in a particular case, a file may be established by employee name so that the necessary documents are maintained.

  5. Copies of certain documents may be maintained by the HCO Personnel office after the employee's separation, but should be destroyed within six months.

Disability Retirement
  1. The personnel records necessary for disability retirement, other than medical records, are the same as for voluntary retirement. A preliminary submission to the OPM for approval of the retirement is required for the disability retirement.

  2. Once the preliminary disability retirement records are received by the OPM and a claim number has been assigned, the records are included in OPM/Central-1, Civil Service Retirement and Insurance Records.

  3. The Medical Records Pertaining to Disability Retirement section of this IRM discusses medical records associated with a disability retirement.

Access to Retirement Records
  1. These records are subject to the access provisions of the Privacy Act by the individual to whom the records pertain.

  2. The special provisions for access under the Privacy Act for medical records are described in the Access to Medical Records section of this IRM.

  3. Intra-management memorandums and discussions that may occur during an agency initiated disability retirement may receive protection from disclosure under the (d)(5) provision of the Privacy Act.

  4. Once retirement records are received by OPM, all requests should be addressed to OPM.

  5. Guidelines for processing FOIA requests for these records can be found at IRM 11.3.13.9.10.

Medical Records

  1. Medical records are compiled and maintained by the agency at the request of both the employee and the agency.

  2. Medical files for HCO Personnel purposes are maintained in the HCO offices.

  3. The medical records associated with the Health Unit are maintained in the Health Unit.

  4. Medical records are maintained by employee name and the purpose of the file will determine its inclusion in a system of records.

  5. Most medical records are included in OPM/GOVT-10, Employee Medical File System Records.

  6. OPM also includes medical records associated with the OPF In OPM/GOVT-1, General Personnel Records.

Medical Records Pertaining to Disability Retirement
  1. This addresses only the medical records associated with a disability retirement.

  2. A separate file is not required for disability retirement. The confidentiality associated with medical records should be maintained, and a file by employee name would prevent unnecessary observation of the records.

  3. OPM requires approval by an OPM medical officer prior to an employee separating by disability retirement and the agency may wish to maintain a copy of the records while the OPM medical officer performs the review. In certain circumstances, the employee's physician may provide the agency with the SF-3112-C, Physician's Statement, in a sealed envelope.

  4. Disability retirement records are listed in both OPM/GOVT-10, Employee Medical File System Records, and Treasury/IRS 36.003, General Personnel and Payroll Records. The medical records associated with a disability retirement should be accessed under Treasury/IRS 36.003.

  5. The documents which are to be included in the disability retirement package include:

    • SF-2801, Application for Immediate Retirement (CSRS).

    • SF-3112, Documentation in Support of Disability Retirement.

    • SF-3112-A, Supervisor's Statement.

    • SF-3112-D, Agency Certification of Reassignment and Accommodation Efforts.

    • SF-3112-E, Disability Retirement Application Checklist.

Medical Determination Records
  1. OPM procedures for establishing the records and file are addressed in 5 CFR § 831.1203 and 1204.

  2. These records are listed in both OPM/GOVT-10 and Treasury/IRS 36.003. Access to these records should be made under Treasury/IRS 36.003.

  3. The same documents necessary for a disability retirement must also be completed for an agency initiated disability retirement.

Health Unit Records
  1. Agency Health Unit records are initiated at the request of an employee seeking medical attention or advice.

  2. These records are maintained by employee name in the Health Units. The records are included in OPM/GOVT-10, Employee Medical file System Records.

  3. Records maintained in Health Units operated by the IRS and private units contracted by the IRS are included in OPM/GOVT-10.

  4. Those records maintained in Health Units operated by the Public Health Service or other agencies are contained in systems of records published by the agency controlling the Health Unit.

Alcohol, Drug Abuse and Employee Assistance Program Records
  1. These records are included in OPM/GOVT-10, Employee Medical File System Records.

  2. When access is requested by either the individual to whom the record pertains or a third party, the restrictions of 5 CFR § 297.205 must be considered. Disclosure offices should coordinate with HCO Personnel.

Medical Qualification Records
  1. Medical qualification forms are required by the OPM so that agencies may make a medical fitness determination regarding an individual's physical or mental fitness for a position.

  2. These forms are completed by the applicant or employee and are included in OPM/GOVT-1, General Personnel Records, system of records.

  3. The forms may be filed in the OPF, but those parts of the forms which contain medical information are to be filed separately in the HCO Personnel office.

  4. OPM instructions regarding these records are contained in 5 CFR § 339.301 through 306.

Injury Compensation Records
  1. The injury compensation records are compiled when an employee incurs a work related injury or illness.

  2. The injury compensation records are completed by the employee, employee's supervisor, and the employee's physician.

  3. The HCO/WCC (Worker's Compensation Center) office sends the original documents to the Department of Labor (DOL). The HCO office maintains a copy of the documents.

  4. These records are included in government-wide systems of records DOL/GOVT-1, Office of Workers' Compensation Programs, Federal Employees' Compensation Act File.

  5. Consult the Employee Resource Center website for instructions for injury compensation forms.

Access to Medical Records
  1. Medical records are available to the individual to whom the record pertains under the provisions of the Privacy Act.

  2. Congress, however, enacted Section (f) , which allows agencies to establish special procedures for the disclosure of medical records.

  3. These special procedures as outlined in 5 CFR § 297.205 are to be used when medical records, including psychological evaluation records, contain information of which a prudent physician would hesitate to inform the individual.

    1. The records, under these conditions, are to be released to the employee's designated physician rather than to the employee. When the medical records contain information that is unfamiliar or for which the Disclosure Manager or HCO Personnel office hesitates to release, the requested medical records should be reviewed by a physician to determine whether the records can be released to the individual or designated physician.

    2. In those offices which have a physician, the review may be made locally. If a geographic area has a Medical Officer, this individual may complete the review. If neither a local physician nor geographic area Medical Officer is available, OPM will provide the services of its Regional Medical Officer.

Release to a Designated Physician
  1. When a determination has been made by a medical authority that the records are to be released to a designated physician, the employee must be so informed. The employee must also be requested to provide the name and address of a designated physician to whom the records are to be provided.

  2. In those circumstances in which the employee declines to designate a physician, the services of the Health Unit physician or geographic area Medical Officer, if available, may be used.

  3. When the IRS Health Unit physician or Medical Officer is unavailable and the employee refuses to designate a physician, the records cannot be released, however, the requirements of the Privacy Act are considered to have been met.

  4. Once the medical records are sent to the designated physician, the disclosure to the employee and any financial charges involved are the responsibility of the employee and the employee's physician.

Official Personnel Folder (OPF)

  1. The Official Personnel Folder (OPF) is an OPM file which is maintained by and in the custody of the agency which is currently employing the individual.

  2. The OPF is included in OPM/GOVT-1, General Personnel Records, and includes those records on the right/permanent side of the OPF. The records on the left/temporary side of the OPF are agency records and solely under the control of the agency and are included in Treasury/IRS 36.003, General Personnel and Payroll Records system of records.

Documents in the OPF
  1. The OPF is the official record of an individual's career in the federal government.

  2. The documents in the OPF record the qualifications, training, experience, promotions, and other items concerning an employee.

  3. Certain records that are maintained in the OPF while an employee is employed are removed when the employee retires.

  4. When an employee retires and receives a Civil Service or Federal Employee retirement annuity, the records, OPF and retirement, are solely under the control of OPM.

  5. When an employee separates from federal service, the OPF, including the remaining SF-7, Service Record Card, are solely under the control of OPM. Access to the OPF by a separated employee is to be made in accordance with the instructions in OPM/GOVT-1.

Access to OPF Records Pursuant to the Freedom of Information Act
  1. Guidelines for processing FOIA requests for OPF records can be found at IRM 11.3.13.9.10.

Access to the OPF Pursuant to the Privacy Act
  1. The release of information (other than public information) from the right (long term) side of the Official Personnel Folder (OPF) is to be in accordance with the routine uses published by OPM rather than the routine uses published by the IRS.

  2. The OPM has provided agencies with a routine use (OPM/GOVT-1, General Personnel Records) to release information from the OPF to other prospective employing Federal agencies for the purpose of selecting the employee for a position.

  3. OPM/GOVT-1, also provides a routine use for other prospective employers at the request of the individual.

  4. OPM/GOVT-1, designates four additional items that may be released to prospective non-Federal employers without the prior written consent of the employee. They are:

    1. Tenure of employment.

    2. Civil service status.

    3. Length of service in the agency and the Government.

    4. When separated, the date and nature of actions as shown on the Notification of Personnel Action, Standard Form 50.

  5. When prospective non-Federal employers request information (other than public information and the four additional items above), prior written consent must be secured from the employee.

  6. The release of information to such agencies as State unemployment compensation boards is provided by routine use of OPM/GOVT-1, General Personnel Records.

  7. The IRS Personnel Notices of Systems of Records parallel those of OPM. The records maintained by the IRS include the OPF as well as those records controlled solely by the IRS.

  8. The SF-78 (prior to 1969) should not be maintained in the OPF and examination papers should be destroyed one year after appointment.

  9. A request to access the OPF by the individual to whom the record pertains may be granted by the agency maintaining it.

  10. If the OPF is properly filed, all documents should be available to the employee. The charge out card is also available to the employee.

Amendment Request
  1. A request to amend a record in the OPF may be granted or denied by the agency maintaining the OPF.

  2. If denied, the appeal rights must be directed to OPM.

Position Classification Files

  1. These records and files are compiled and maintained in the HCO office to meet the requirements of OPM in classifying and describing positions at the proper grade or level.

  2. These files and records are maintained by position designation or numbers rather than by an individual identity. The documents describe position and the organization of a functional area.

  3. These files and records are not subject to the Privacy Act but may be available under the FOIA.

Position Descriptions and Related Documents
  1. Each position within the IRS has a position description.

  2. A position description is the written record of the basic duties and responsibilities that are assigned to a position.

  3. There are certain positions, such as Revenue Officer, which have identical duties and responsibilities at a particular grade, nationwide. For these positions, the OPM encourages the use of a multi-position description or standard position description.

  4. When a standard position description is developed for a position, the description is used by all HCO offices. Standard position descriptions may also be developed for positions within a Campus when there are substantially identical positions.

  5. Infrequently, a position description with a particular grade may be assigned to "incumbent only." This occurs when an individual brings particular skills and responsibilities to a position. Even in these cases, the position description depicts the duties and responsibilities of a position, not the personal information of the individual. As such, a position description is not subject to the Privacy Act.

  6. Each position description should have an evaluation statement. The evaluation statement is a written explanation of how the classification determination was made. The instructions for preparation of evaluation statements are found in IRM 6.511, Position Classification and Position Management.

  7. Each position description is assigned a number. To search for a specific position description, search the Intranet website through HCO Personnel or use HR Connect.

Annual Position Review
  1. The documents and records are maintained according to organizational areas, except for narrative reports which include recommendations for management's consideration, and may be accessible under the provisions of the FOIA.

  2. The annual position review is conducted jointly by HCO Personnel and management officials .

  3. The files contain the schedule for the review, size of the desk audit sample, positions to be desk audited, the type of review, and the explanation of the selection of positions being reviewed.

  4. Supervisors have the responsibility of performing the initial review concerning the accuracy of the position descriptions and position needs. The supervisor then provides Personnel/Human Resources with recommendations concerning the descriptions and position needs.

  5. Personnel/Human Resources prepares narrative reports of findings with advice and recommendations for consideration by management based on the results of the review.

  6. Refer to IRM 6.511.1.8.7, Position Review Program (PRP) for guidance and additional information.

  7. The Desk Audits section of this IRM discusses desk audits, including those made as a part of the annual position review.

  8. To the extent a request for Annual Position Review Files is received and cites the FOIA, see IRM 11.3.13 for additional information on appropriate FOIA exemptions and Personnel files.

Desk Audits
  1. These records are maintained in the HCO Personnel with the position description of the particular position.

  2. A desk or work audit is a review of the duties and responsibilities of a position which is accomplished by interviewing the employee in the position and the supervisor of the position.

  3. Desk audits may be performed when an employee appeals the position description; during an annual or other position review; anytime management is considering a change to a particular position; or when OPM is requesting a review of a particular position under the Factor Evaluation System. When audits by OPM require access to returns and return information, procedures outlined in the Disclosures to Treasury Permitted by IRC § 6103(l)(4)(B) section of this IRM, Disclosures permitted by IRC §6103(l)(4)(B) will apply.

  4. The desk audit provides the classifier with first-hand knowledge of the responsibilities of the position so that changes, if necessary, may be made to the position description.

  5. The information contained in the desk audit report relates solely to the position and contains no evaluative information concerning the work performance of the employee in the position.

  6. The notes made by the classifier are preliminary thoughts which may later be researched for applicability to changes in the position description.

  7. To the extent a request for Desk Audit Files is received and cites the FOIA, see IRM 11.3.13 for additional information on appropriate FOIA exemptions and Personnel files.

Position Management Program Files

  1. These files are maintained in the HCO Personnel offices and in the organizational area management offices.

  2. These files contain information concerning reorganization of IRS human resources.

  3. The files contain surveys and studies regarding the organization of a functional area and the changing needs of the function. Also included are recommendations and draft proposals for the reorganization of the function and the allocation or reallocation of the human resources.

  4. Documents which prescribe the allocation of resources would be available under the FOIA unless the disclosure would identify areas of interest and concentration of efforts which would affect civil and criminal law enforcement.

  5. To the extent a request for Position Management Program Files is received and cites the FOIA, see IRM 11.3.13 for additional information on appropriate FOIA exemptions and Personnel files

Classification Appeal Files

  1. The Classification Appeal File is established, compiled, and maintained as a result of an employee's formal written request for a change in the classification of the employee's position.

  2. The classification appeal is to be maintained in the HCO Office by position, title, series, and grade. If old files are maintained by employee's name, the files are included in Treasury/IRS 36.001, Appeal, Grievances, and Complaints Records.

  3. The instructions for the classification appeal procedure are addressed in IRM 6.511.

Documents in the Classification Appeal File
  1. The file should include:

    • The employee's request for a change in classification.

    • Documentation of discussions.

    • Desk audit report.

    • Decision on the appeal.

  2. If an appeal is filed with the Department of the Treasury or OPM, the records and file are under Treasury's or OPM's control.

Access to the Classification Appeal File
  1. The documents in the file are available to the appellant.

  2. The documents in the file can be disclosed to a third party after deletions of personal identifiers have been made.

Disciplinary Action Files

  1. These records are compiled in anticipation of a proposed disciplinary action against an employee. Disciplinary action matters under 31 USC § 330 (conference and practice) are handled by OPR who will follow the general rules of this subsection in processing requests.

  2. The definition and requirements of the various types of disciplinary action are found in IRM 6.751 and 6.752.

  3. These files are a part of Treasury/IRS 36.003, General Personnel and Payroll Records. Copies may also exist in Treasury/IRS 00.007, Employee Complaint and Allegation Referral Records.

Documents in the Disciplinary Action File
  1. The documents and records that must be included in the file are described in IRM 6.711.2, Labor-Management Relations, Processing Information Requests.

  2. The specific records will depend upon the basis for the action. Certain records must be included. They are as follows:

    1. Proposed letters of charges.

    2. The final notice of decision.

    3. The employee's replies, if any.

    4. The basis for the action which may include records from other systems.

  3. Only copies of those portions of the investigation report that are used as the basis of the proposed action are to be maintained in the HCO Office.

Access to the Disciplinary Action File
  1. Since these records are maintained as a part of Treasury/IRS 36.003, the file is accessed under the provisions of the Privacy Act.

  2. These files may contain intra-management memorandums and discussions which may receive protection from access by the individual to whom a file pertains under the (d)(5) provision of the Privacy Act.

  3. Disclosure of tax information from these files is subject to the confidentiality provisions of IRC §6103.

  4. To the extent a request for Disciplinary Action Files is received and cites the FOIA, see IRM 11.3.13 for additional information on appropriate FOIA exemptions and Personnel files.

Adverse Action Files

  1. These records are compiled in anticipation of proposing and taking adverse action against an employee.

  2. These files are maintained by the employee's name in the HCO Office and are included in Treasury/IRS 36.003, General Personnel Records.

Documents in the Adverse Action File
  1. Certain documents are required by the instructions listed in IRM 6.752, Disciplinary Suspensions and Adverse Actions. These documents must be maintained in the file and consist of the following:

    1. Copy of notice of proposed disciplinary suspension.

    2. Any written reply and affidavits, evidence or material attached thereto.

    3. Transcript or summary of oral reply (if any) and exhibits thereto.

    4. Copy of final decision.

    5. Copies of all correspondence to and from the employee and/or representative.

    6. Proof of delivery of the notice and decision.

  2. If a Treasury Inspector General for Tax Administration (TIGTA) report is used to document the charges, only copies of those portions that relate to the charges are to be retained by HCO Personnel.

Access to the Adverse Action File
  1. These files are part of Treasury/IRS 36.003 and are accessed under the provisions of the Privacy Act.

  2. The employee and/or designated representative, upon request, are to receive copies of the information used to support the proposed changes.

  3. Those documents of intra-management discussion and recommendations may be protected under the (d)(5) provision of the Privacy Act.

  4. Tax information in these files should be disclosed only as authorized by IRC § 6103.

  5. To the extent a request for Adverse Action Files is received and cites the FOIA, see IRM 11.3.13 for additional information on appropriate FOIA exemptions and Personnel files.

Equal Employment Opportunity Complaint Files

  1. The Equal Employment Opportunity (EEO) complaint files consist of materials compiled in connection with an informal complaint against the agency.

  2. The EEO formal complaint files are housed with the Treasury Office of Civil Rights and Diversity.

  3. The EEO complaint files are included in Treasury/IRS 36.001, Appeals, Grievances and Complaints Records and EEO/GOVT-1, Equal Employment Opportunity in the Federal Government Complaint and Appeal Records.

Access to the EEOC Complaint File
  1. The complainant and/or representative is entitled to the complaint/investigative file as described in Part III of the Grievance Examiner Handbook (Handbook).

  2. Access to the investigative file is described in Part III of the Handbook.

  3. A request for access to an EEO complaint/investigative file by an individual, other than the complainant (the subject of the file) and/or his/her representative, or an EEO Program official who is responsible for the processing of the complaint, is to be evaluated under the FOIA.

  4. Requests to access a complaint file must be submitted to the agency in which the complaint file originated. Upon denial to access the file, the requester must be advised of his/her appeal rights under the Privacy Act and the FOIA.

  5. The EEOC has oversight responsibility for access to complaint/investigative files under both the Privacy Act and the FOIA.

  6. When a complainant has appealed a final agency decision or order on an equal employment opportunity matter to the EEOC, to the MSPB, or requested the EEOC to review a final decision in a negotiated grievance action, subsequent requests for such records should be made to the EEOC or MSPB, as appropriate.

  7. Requests received by the EEOC for records that originated in another agency, but which are now in the custody of the EEOC will be coordinated with the originating agency in accordance with 29 CFR § 1610.6.

  8. If access to records that originated in another agency, but which are now in the custody of the EEOC is denied, the appeal rights will be those given by the EEOC to the requester.

Supervisory Documentation Files

  1. These records are compiled and maintained at the discretion of the supervisor except in those functional areas which require the supervisor to maintain such files as described in the IRM.

  2. The Supervisory file, to the extent it is an agency record, is included in Treasury/IRS 36.003, General Personnel Records.

  3. The records maintained in these files are primarily used to evaluate and counsel employees on work performance.

  4. These files contain information prescribed by the negotiated contracts as well as those prescribed by the IRM.

Documents in the Supervisory Documentation File
  1. The Supervisory File may include promotion appraisal forms, narrative recordation, commendations, copies of awards, copies of SF-50s and SF-1126s, requests for training, and training evaluations.

  2. These files may also include documents required by functional managers. These documents contain information such as case loads, time reports, and other work related information.

  3. Do not maintain outdated and irrelevant material, which could adversely affect an employee.

Access to the Supervisory Documentation File
  1. Access by the individual to whom the record pertains is to be processed under the Privacy Act.

  2. The records that are maintained in the supervisory file may at times be included in other files such as grievance and promotion files. Tax information in these files should be disclosed only as authorized by IRC § 6103. Those records containing labor relations advice are subject to 5 USC § 7114(b)(4)(C).

  3. To the extent a request for Supervisory Documentation Files is received and cites the FOIA, see IRM 11.3.13 for additional information on appropriate FOIA exemptions and Personnel files.

Access to the Supervisory Documentation File by Employee Representatives
  1. In certain circumstances, an employee is entitled to representation by a NTEU official in a meeting with a supervisor. Personal information (about the employee) contained in the employee's records may be discussed in such meetings. The employee and an accompanying individual of the employee's choice may have access to such personal information.

  2. The NTEU official may also contact the supervisor for copies of documents discussed and/or reviewed in a previous meeting at which the employee and representative were in attendance. The supervisor cannot discuss additional topics or expand upon the discussion with the representative without the prior written consent or presence of the employee.

Upward Mobility Records

  1. The Upward Mobility records on employees who have applied for the program are maintained in the HCO Personnel offices.

  2. The records are maintained by the employee's name and are maintained as a part of Treasury/IRS 36.003, General Personnel and Payroll Records, and/or OPM/GOVT-5, Recruiting, Examining and Placement Records.

  3. The employee's file may consist of an employee's application which includes a skills and education inventory, supervisory evaluation, and development plans.

  4. The employee has access to all information in his/her file.

Program Evaluation Records

  1. The program evaluation records are those intra-management and inter-office records which are compiled and maintained within HCO Personnel Offices as the result of the review and evaluation of the program requirements and responsibilities of the HCO.

  2. These records are maintained at Headquarters level.

  3. The program evaluation records are reports of visitations, recommendations for improvements, suggestions for corrective actions where necessary, concerns and requests for action, and discussion of findings.

  4. Requests for such documents must be evaluated in accordance with the FOIA. These documents, or portions thereof, may be exempt under the (b)(2) and (b)(5) exemptions.

Congressional Inquiries on Individuals

  1. Routine uses for systems relating to disclosures to Congressional offices are limited to inquiries made at the written request of the individual who is the subject of the record(s).

  2. For those requests where there is either no indication that the request originated from the subject of the record(s) or when the original request was made by a family member, spouse, etc., disclosure to the Congressional office is not authorized. The Congressional office should be so advised and asked if it has any additional information which would enable the IRS to obtain the authorization. The requested information can be released immediately upon receipt of such written authorization. If the subject of the record is an IRS employee who, when contacted, authorizes, in writing, the release of the information, the requested information can be released.

  3. Public information may be provided to the Congressional office without any contact with the subject of the record(s).

  4. Letters or referrals from Congressional offices are maintained either as a part of the general correspondence files or are in files such as adverse or disciplinary files.

  5. For additional guidance with respect to Congressional inquiries, see IRM 11.3.4, Congressional Inquiries.

Correspondence Files

  1. The Correspondence Files maintained by HCO Personnel offices include:

    1. Documents pertaining to employees, individuals, and various personnel management areas.

    2. Inter/intra-office memorandums.

    3. Inter/intra-agency correspondence.

    4. Congressional correspondence.

    5. Correspondence with members of the public.

  2. The correspondence pertaining to an individual is generally included in the system of records related to the purpose of the correspondence.

    Example:

    When an individual requests information concerning employment with the IRS, the correspondence is generally considered a part of OPM/GOVT-5, Recruiting, Examining and Placement Records.

  3. Correspondence which relates to various personnel management areas may be available under the FOIA.

  4. The correspondence files are located in local, campus, and Headquarters HCO Personnel Offices.

  5. Correspondence may also be included in Treasury/IRS 00.001, Correspondence Files and Correspondence Control Files.

Office of Professional Responsibility (OPR)

  1. OPR conducts investigations of persons involved in practice before the IRS. Disciplinary action may be taken. Disclosures to subjects of these actions will be handled by OPR. Refer to IRM 1.25.4, Processing Circular 230 Disciplinary Cases.

Agency Review Requirements (Exhibit 1 formerly in IRM 11.3.14)

The following table is from OMB Circular A-108 and lists Privacy Act agency review requirements, which are met through privacy continuous monitoring:

Review Description Timing Reviewer Citation(s)
Minimization – Continuous Monitoring Agencies shall ensure that no system of records includes information about an individual that is not relevant and necessary to accomplish a purpose required by statute or executive order. Agencies shall perform assessments of privacy controls with a frequency sufficient to ensure compliance and manage risks. Senior Agency Official for Privacy 5 USC § 552a(e)(1); section 12 of Circular A-108.
System of Records Notices – Continuous Monitoring Agencies shall ensure that all SORNs remain accurate, up-to-date, and appropriately scoped; that all SORNs are published in the Federal Register; that all SORNs include the information required by OMB Circular A-108; and that all significant changes to SORNs have been reported to OMB and Congress. Agencies shall perform assessments of privacy controls with a frequency sufficient to ensure compliance and manage risks. Senior Agency Official for Privacy 5 USC § 552a(e)(4); section 12 of Circular A-108.
Routine Uses – Continuous Monitoring Agencies shall ensure that all routine uses remain appropriate and that the recipient’s use of the records continues to be compatible with the purpose for which the information was collected. Agencies shall perform assessments of privacy controls with a frequency sufficient to ensure compliance and manage risks. Senior Agency Official for Privacy 5 USC § 552a(a)(7); section 12 of Circular A-108.
Privacy Act Exemptions – Continuous Monitoring Agencies shall ensure that each exemption claimed for a system of records pursuant to 5 USC § 552a(j) and (k) remains appropriate and necessary. Agencies shall perform assessments of privacy controls with a frequency sufficient to ensure compliance and manage risks. Senior Agency Official for Privacy 5 USC § 552a(j)-(k); section 12 of Circular A-108.
Contracts – Continuous Monitoring Agencies shall ensure that the language of each contract that involves the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of information that identifies and is about individuals, is sufficient and that the applicable requirements in the Privacy Act and OMB policies are enforceable on the contractor and its employees. Agencies shall perform assessments of privacy controls with a frequency sufficient to ensure compliance and manage risks. Senior Agency Official for Privacy 5 USC § 552a(m); section 12 of Circular A-108.
Privacy Training – Continuous Monitoring Agencies shall ensure that the agency’s training practices are sufficient and that agency personnel understand the requirements of the Privacy Act, OMB guidance, the agency’s implementing regulations and policies, and any job-specific requirements. Agencies shall perform assessments of privacy controls with a frequency sufficient to ensure compliance and manage risks. Senior Agency Official for Privacy 5 USC § 552a(e)(9); section 12 of Circular A-108.
FISMA Review – Annual The Senior Agency Official for Privacy shall review the administration of the agency’s privacy program as part of the annual FISMA reporting process. Agencies shall refer to OMB’s annual FISMA guidance for review instructions. Senior Agency Official for Privacy 44 USC §§ 3551-3558; section 13 of Circular A-108.
Review of Matching Programs – Annual (see also IRM 11.3.39, Computer Matching and Privacy Protection Act) Agencies’ Data Integrity Boards shall review all matching programs in which the agency has participated during the calendar year. Agencies’ Data Integrity Boards shall conduct the review at the end of the calendar year and report to OMB by June 1. Agency’s Data Integrity Board 5 USC § 552a(u)(3)(B)-(C); section 14 of Circular A-108.
Review of Other Matching Activities – Annual (see also IRM 11.3.39) Agencies’ Data Integrity Boards may also review any agency matching activities that are not matching programs. Agencies’ Data Integrity Boards shall conduct any review at the end of the calendar year and report to OMB by June 1. Agency’s Data Integrity Board 5 USC § 552a(u)(3)(H); section 14 of Circular A-108.

Agency Public Website Posting Requirements (Exhibit 2 formerly in IRM 11.3.14)

The following table is from OMB Circular A-108 and lists Privacy Act agency public website posting requirements:

Posting Description Location Citation(s)
Compilation of agencies’ system of records notices and Privacy Act implementation rules The Office of the Federal Register shall post a compilation of agencies’ system of records notices and Privacy Act implementation rules. The website of the Federal Register at https://www.federalregister.gov/. 5 USC § 552a(f).
System of Records Notices Agencies shall list and provide links to complete, up-to-date versions of all agency SORNs. www.treasury.gov/privacy

Note:

https://www.irs.gov/privacy for IRS

5 USC § 552a(e)(4); section 15 of Circular A-108.
Matching Notices and Agreements Agencies shall list and provide links to up-to-date matching notices and agreements for all active matching programs. www.treasury.gov/privacy 5 USC § 552a(o), (r); section 15 of Circular A-108.
Privacy Act Exemptions Agencies shall provide citations and links to all Privacy Act exemption rules www.treasury.gov/privacy 5 USC § 552a(j)-(k); section 15 of Circular A-108.
Privacy Act Implementation Rules Agencies shall list and provide links to all Privacy Act implementation rules. www.treasury.gov/privacy 5 USC § 552a(f); section 15 of Circular A-108.
Instructions for Submitting a Privacy Act Request Agencies shall provide instructions for individuals who wish to submit an access or amendment request. www.treasury.gov/privacy 5 USC § 552a(d); section 15 Circular A-108.

Reporting Requirements (Exhibit 1 formerly in IRM 11.3.15)

The following table is from OMB Circular A-108 and reflects various Privacy Act reporting requirements for exemption rule, new or significantly modified systems of records, matching programs and FISMA. The IRS submits the reports to Treasury for approval. Upon approval, Treasury submits the reports to OMB.

Report Description Timing Recipient(s) Citation(s)
Privacy Act Implementation and Exemption Rules Agencies shall submit Privacy Act rules to OMB under applicable regulatory review procedures and as part of a proposal to establish or significantly modify a system of records. Agencies shall provide proposed and/or final rules before publication and consult OMB regarding applicable review procedures. OMB (via ROCIS system). 5 USC § 552a(f), (j)-(k); Executive Orders 12866 and 13563; sections 10 and 11 of Circular A-108.
Report of New or Significantly Modified System of Records Agencies shall report any proposal to establish or significantly modify a system of records. Agencies shall submit reports at least 30 days prior to submission of the notice to the Federal Register. OMB (via ROCIS system) and Congress (via mail). 5 USC § 552a(r); section 7 of Circular A-108.
Report of New or Significantly Modified Matching Program Agencies shall report any proposal to establish, re-establish, or significantly modify a matching program. Agencies shall submit reports at least 30 days prior to submission of the notice to the Federal Register. OMB (via ROCIS system) and Congress (via mail). 5 USC § 552a(r); section 9 of Circular A-108.
Annual Matching Activity Report Agencies’ Data Integrity Boards shall submit a report describing any matching programs that occurred during the calendar year. Agencies shall submit the annual report for the preceding calendar year to OMB by June 1. OMB (via email to privacy-oira@omb.eop.gov) and the head of the agency. 5 USC § 552a(u)(3)(D); section 14 of Circular A-108.
Annual FISMA Privacy Report The Senior Agency Official for Privacy shall report privacy compliance information to OMB as part of the annual FISMA reporting process. Agencies shall refer to OMB’s annual FISMA guidance for reporting instructions. OMB (see OMB’s annual FISMA guidance for reporting instructions). 44 USC §§ 3551-3558; section 13 of Circular A-108.

Federal Register Publication Requirements (Exhibit 2 formerly in IRM 11.3.15)

The following table is from OMB Circular A-108 and lists the requirements for creating a Federal Register notice and accompanying reports for OMB and the Congressional committees that oversee the Privacy Act:

Publication Description Timing Citation(s)
System of Records Notices Agencies shall publish a notice in the Federal Register describing the existence and character of a new or significantly modified system of records. Agencies shall also publish a notice of rescindment when the agency stops maintaining a system of records. A new or revised SORN is effective upon publication in the Federal Register, with the exception of any new or modified routine uses, which require a minimum of 30 days after publication in the Federal Register before they can become effective. 5 USC § 552a(e)(4); section 6 of Circular A-108.
Matching Notices Agencies shall publish a notice in the Federal Register describing an established, re-established, or significantly modified matching program. A new or revised matching notice is not effective until at least 30 days after its publication in the Federal Register. 5 USC § 552a(e)(12); section 8 of Circular A-108.
Privacy Act Implementation Rules Agencies shall promulgate rules to implement the provisions of the Privacy Act. Agencies must publish a final rule before the rule is effective. 5 USC § 552a(f); section 10 of Circular A-108.
Privacy Act Exemption Rules In certain circumstances, agencies may promulgate a rule to exempt a system of records from certain requirements of the Privacy Act. Agencies must publish a final rule before the exemption is effective. 5 USC § 552a(j)-(k); section 11 of Circular A-108.

Glossary and Acronyms

Term Definition or description
Agency Includes any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the [federal] government (including the Executive Office of the President), or any independent regulatory agency.
Annual Report The report by the President to the Speaker of the House and the President of the Senate, required by 5 USC 552a(s). See the Annual FISMA Privacy Review and Report section of this IRM.
Approving Official
  1. Area Managers and Directors of IRS Computing Centers for their respective offices;

  2. In Headquarters, division directors or equivalent positions.

Authority The authority that authorizes the solicitation of the information would generally be the applicable sections of the Internal Revenue Code.
CIP Compliance Initiative Project
CFR Code of Federal Regulations
CPO Chief Privacy Officer
CPU Central Processing Unit
Determination Any decision affecting the individual that is in whole or in part based on information contained in the record and that is made by any person or any agency.
DOL Department of Labor
EEO Equal Employment Opportunity
EEOC Equal Employment Opportunity Commission
Effects on individual The effects upon an individual for not providing all or part of the requested information, including incidental effects such as possible accrual of interest, loss of benefits, initiation of enforcement action, or other applicable results of that individual’s refusal.
EPF Employee Personnel Folder
FAR Federal Acquisition Regulations
Federal Inventory of Personal Data Systems The requirement that Notices of System of Records be published in a form available to the public at low cost, pursuant to 5 USC § 552a(f). See the What Must Be Included in a System of Records Notice section of this IRM.
FISMA Federal Information Security Modernization Act of 2014
FOIA Freedom of Information Act
GAO Government Accountability Office
GLDS Governmental Liaison, Disclosure and Safeguards
GRS General Records Schedule
HCO Human Capital Office
HRS Human Resources Specialist
Individual A citizen of the United States or an alien lawfully admitted for permanent residence (including sole proprietors). The Privacy Act does not apply to any entity which is not a natural person, such as a partnership, corporation, decedent, estate or trust.
Information from Third Parties Information collected about individuals from someone other than the individual. It does not include the following:
  • Information received from the individual or his/her representative.

  • Information required to be filed with the IRS, such as a Form W-2 from an employer or Form 1099 from banks and other payers of income, etc.

  • Information furnished by anyone to resolve specific cases being worked by the IRS.

    Example:

    Examination of a return, collection of taxes, resolution of match errors or information return discrepancies.

  • Information received from state tax agencies in accordance with an exchange agreement under IRC § 6103(d)

IRC Internal Revenue Code
IT Information Technology
LR Labor Relations
Maintain Includes the retention, collection, use, and dissemination of information about an individual.
Mandatory or voluntary disclosure Whether the individual is required to provide the information requested or may refuse to do so.
MSPB Merit Systems Protection Board
NARA National Archives and Records Administration
Necessary Requisite or needful in accomplishing a given task.
Notice of Exempt System Rules promulgated by a head of agency to exempt any system of records from provisions of the Privacy Act pursuant to 5 USC § 552a(j) and/or (k).
NTEU National Treasury Employees Union
OMB Office of Management and Budget
OIRA (OMB’s) Office of Information and Regulatory Affairs
OPF Official Personnel Folder
OPM Office of Personnel Management
OPR Office of Professional Responsibility
PAPRAN Privacy Act and Paperwork Reduction Act Notice
PCLIA Privacy and Civil Liberties Impact Assessment
PCM Privacy Continuous Monitoring
PGLD Privacy, Governmental Liaison and Disclosure
PIA Privacy Impact Assessment
PII Personally Identifiable Information
PIL Public Information Listing
POD Post of Duty
PPC Privacy Policy and Compliance
PPKM Privacy Policy and Knowledge Management
Principal purpose(s) The reason the information is needed, which is the overall reason for which the IRS performs the operation in which the information is to be used, rather than the detailed processing which it is to undergo.
RCS Records Control Schedule
Record Defined in 5 USC § 552a(a)(4) as any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to education, financial transactions, medical history, and criminal or employment history and that contains name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.
  1. A record can include as little as one descriptive item about an individual.

  2. A file or list containing only names but headed by a label which conveys some information about the people named could constitute a record if it is retrieved by an individual identifier.

    Note:

    Congressional intent was to encompass all records and record systems whereby specific information on an individual is retrieved in any fashion. However, such lists occurring within a system of records do not constitute separate systems.

  3. The physical form of a record within a system is irrelevant. A record which contains information pertaining to an individual and is retrievable by an individual identifier may be in any form which technology permits and would nevertheless be subject to the Privacy Act.

Relevant Means pertinent to and bearing upon the matter at hand.
Report on New Systems The advance notice to Congress and the Office of Management and Budget of any proposal to establish or alter any system of records, which is required by 5 USC § 552a(r). For more information on such reports, see the Report on New Systems of Records section of this IRM.
Responsible Function The function obtaining access to information from a Third Party.
RISC Regulatory Information Service Center
ROCIS RISC/OIRA Consolidated Information System
Routine uses The disclosure of a record outside the Department of the Treasury for a purpose which is compatible with the purpose for which it was collected.
SAOP Senior Agency Official for Privacy
SB/SE Small Business/Self Employed
SBU Sensitive But Unclassified
SEID Standard Employee Identifier
SOR System of Records
SORN System of Records Notice
SSN Social Security Number
System of records A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
System of Records Notice Information which is required to be published in the Federal Register by 5 USC § 552a(e)(4). See the Content of a System of Records Notice section of this IRM.
TIGTA Treasury Inspector General for Tax Administration
USC United States Code

References and Resources

Resource Title or Description
U.S. Department of Justice, Office of Privacy and Civil Liberties home page https://www.justice.gov/opcl
Chief Counsel Directives Manual (CCDM) 37.2.1, Privacy Act of 1974  
IRM 10.9.1, National Security Information Provides instructions for the proper handling and disposition of all classified National Security information.
IRM 1.15 series, Records Management Provides instructions for the proper handling of information (hard copy and electronic) in the creation, maintenance, retrieval, preservation, and disposition of all records.
Document 12829 IRS Records Control Schedules.
Document 12990 General Records Schedules.
IRM 10.2, Physical Security Program Provides instructions for the protection of records.
IRM 10.5.1, Privacy Policy Provides privacy policy information and instructions.
IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance Provides instructions for security requirements for electronic records.
IRM 11.3, Disclosure of Information Provides instructions for disclosure of tax records in conjunction with the Privacy Act requirements.