The Senate preface to the legislative history of the Privacy Act stated that, "The Bill of Rights guarantees to each American protections which we equate with specific rights of citizenship in a free society. This legislation is a major first step in a continuing effort to define the ‘penumbra’ of privacy which emanates from specific guarantees in the Bill of Rights and which helps to give them life and substance as recognized in Griswold v. Connecticut" [Legislative History of the Privacy Act of 1974 – S. 3418 (Pub. L. No. 93-579) Source Book on Privacy (1976)].

Congress also found that the:

Congress decided that it was necessary to regulate the collection, maintenance, use, and disclosure of information by federal agencies to protect the privacy of individuals.

Section 3 of the Privacy Act became effective September 27, 1975, with the intent to provide safeguards for an individual against invasions of personal privacy.

The Privacy Act allows, with limited exceptions under very specific conditions, an individual to examine agency records about that individual and limits the conditions under which such records may otherwise be disclosed.

The Privacy Act defines the term maintain as maintain, collect, use, or disseminate. In this IRM, the terms maintenance, maintain, or keep refer to the privacy lifecycle of information: creation, collection, receipt, use, processing, maintenance, access, inspection, display, storage, disclosure, dissemination, or disposal.

The Privacy Act, 5 USC 552a.

The Freedom of Information Act, as amended, 5 USC 552 (FOIA).

Federal Acquisition Regulations Part 24 FAR -- Part 24 Protection of Privacy and Freedom of Information.

Internal Revenue Code (IRC) 6103, Confidentiality and disclosure of returns and return information.

IRC 7852(e), Statutory exemption for tax records from certain provisions of the Privacy Act.

The Taxpayer Bill of Rights (TBOR) lists rights that already existed in the tax code, putting them in simple language and grouping them into 10 fundamental rights. Employees hold responsibility for being familiar with and acting in accord with taxpayer rights. See IRC 7803(a)(3), Execution of Duties in Accord with Taxpayer Rights. For more information about the TBOR, see https://www.irs.gov/taxpayer-bill-of-rights. The TBOR includes the rights to privacy and confidentiality.

Department of the Treasury Regulations.

E-Government Act (2002), P.L. 107-347.

Office of Management and Budget (OMB) Circulars A-130 and A-108.

OMB Privacy Act Implementation: Guidelines and Responsibilities (OMB Guidelines), 40 Fed. Reg. 28,948

The Civil Service Reform Act of 1978, 5 USC.

Department of the Treasury Privacy Act Handbook.

To reference the origin of a privacy policy cited later in this IRM (National Institute of Standards and Technology (NIST), Treasury, etc.), this IRM may reference a requirement’s origin in brackets at the end of the guidance, such as [Strict Confidentiality] (IRS Privacy Principles), [AC-1] (NIST SP 800-53 Security and Privacy Controls), or [TD P 85-01] (Treasury Directive Publications). If no specific origin reference appears, multiple origins may apply. Lack of a reference citation does not mean that no origin applies.

The IRS cites the authorities and purposes (namely tax administration) for processing PII on its System of Records Notices (SORNs) published in the Federal Register and on other required privacy documentation, such as the Privacy and Civil Liberties Impact Assessment (PCLIA), before information collection. All IRS personnel must restrict the processing of PII to only that which is authorized and for the purposes collected. [Privacy Act; NIST SP 800-53]

Primary authorities for processing PII include:

This section addresses the following NIST SP 800-53 security and privacy controls: PT-2 Personally Identifiable Information Processing and Transparency -- Authority to Process Personally Identifiable Information. Refer to that section of IRM 10.5.1.

The IRS follows the Privacy Act by integrating its provisions with the IRS’s existing procedural instructions, such as the IRM.

The IRS CPO holds responsibility for the overall IRS privacy program.

The Director, PPC, with support from PGLD headquarters, holds responsibility for IRS privacy policy and overall coordination of the IRS efforts to administer the Privacy Act. Direct questions internally to the *Privacy mailbox.

PGLD’s Disclosure office holds responsibility for operational intake of Privacy Act requests from the public through GLDS Support Services (GSS) via mail or online from the IRS Privacy Act Request via the FOIA Public Access Portal. Refer to IRM 11.3.41.3, the General Disclosure Case Processing Procedures section. Disclosure also processes requests for notification and access.

All IRS personnel hold responsibility for being familiar with the provisions of the Privacy Act, in line with the level of their assigned duties, and for following the law as it applies to their activities. This includes following the protections outlined in IRM 10.5.1, Privacy Policy.

All IRS personnel must report Privacy Act or PII incidents and data breaches immediately upon discovery to:

All IRS officials hold responsibility for administering the Privacy Act as it applies to their business units and as regulations, published notices, and IRM instructions dictate.

Managers must:

Most systems of records (SORs), as defined in Exhibit 10.5.6-5, Terms and Acronyms, name two system managers (or responsible officials): the official prescribing practices, and the official maintaining the SOR.

The business unit of the SOR owner most familiar with the SOR must write the notices and other required reports and documents to publish a system of records notice (SORN) in the Federal Register. They must write any other required Privacy Act notifications, such as those required by section (e)(3) of the Privacy Act. See IRM 10.5.6.3, Privacy Act System of Records Notices (SORNs).

The individual business units hold responsibility for responding to requests under the Privacy Act. See IRM 10.5.6.6, Privacy Act Requests for Non-Tax Records.

Contractors (and subcontractors) and their personnel must follow Privacy Act provisions. See IRM 10.5.6.2.9.1, Privacy Act Contract Requirements. Also refer to IRM 11.3.24, the Disclosures to Contractors, the Requirements section.

All IRS personnel must properly manage, keep, and archive IRS records (hard copy and electronic) as required by the IRM 1.15 series, Records and Information Management, for records retention and disposition requirements before destroying documents. See the Records Management page on the PGLD Virtual Library. Refer to Document 12990, IRS Records Control Schedules (RCS), for the National Archives and Records Administration (NARA)-approved IRS records disposition to prevent unauthorized or unlawful destruction of records. Refer to Document 12829, General Records Schedules (GRS), for the NARA-issued disposal authorizations for temporary administrative records common to all federal agencies.

This Roles and Responsibilities section addresses the following NIST SP 800-53 security and privacy controls. Refer to these sections of IRM 10.5.1:

Business units hold responsibility for managing their program and establishing how they measure effectiveness and objectives within the scope of this IRM.

For PGLD program management and review, the IRS formally documents its privacy program in the IRS Privacy Program Plan.

Business units hold responsibility for establishing and documenting the program controls developed to oversee their program as well as ensuring employee compliance with all applicable elements of this IRM.

The NIST technical security and privacy controls address federal IT systems. For all the controls relevant to privacy, refer to IRM 10.5.1.8, NIST SP 800-53 Security and Privacy Controls.

See Exhibit 10.5.6-5, Terms and Acronyms.

See Exhibit 10.5.6-6, References and Resources.

IRS personnel must always follow the legal requirements of the Privacy Act and must make every effort consistent with law, regulations, and good administrative practice, to promote the spirit of the Privacy Act by performing their duties in a manner that recognizes and enhances individual rights of privacy.

Restrict disclosure of Privacy Act information to Department of Treasury personnel who have a need to know the information in the performance of their official duties.

With respect to Privacy Act records, the IRS must:

Through these requirements, the Privacy Act mandates the prompt disposition, proper destruction, safe storage, physical protection, and proper handling of records.

The IRS meets these requirements by adhering to its policies found throughout the IRS-wide IRMs and this IRM specifically. Also, IRM 10.5.1 lays the foundation for protecting Privacy Act information.

The following NIST SP 800-53 security and privacy controls address these Privacy Act requirements. Refer to these sections of IRM 10.5.1.8:

The Privacy Act section (b) limits access to a record without the prior written consent of the individual to whom the record relates, unless it meets one of these conditions. See IRM 10.5.6.2.3, Privacy Act Consent to Disclosure.

The Privacy Act section (b) lists Conditions of Disclosure where the IRS may disclose a record without prior written consent of the individual. Refer to 31 CFR 1.24.

The following table outlines the most common conditions of disclosure under the Privacy Act that IRS personnel encounter:

Whenever IRS policy refers to consent or permission to disclose non-tax information (usually personnel records) under section (b) of the Privacy Act, follow the requirements in this section.

Privacy Act consent for disclosure must be in writing, but the format depends on the circumstances, context, and data collected. Email may be enough in most cases.

To document consent, IRS personnel may use internal Form 15293, IRS Privacy Act Disclosure Consent, to note the information to be disclosed and identify the recipient, unless directed otherwise. Use of this form is optional.

This process includes, but is not limited to, consent for disclosure of photos, recordings, contact information, or other non-tax information covered by the Privacy Act. Refer to IRM 10.5.1, the Recordings in the Workplace section.

Documenting written consent meets the requirement for accounting of disclosures under the Privacy Act. Keep the written consent the same as you would a Privacy Act accounting. See IRM 10.5.6.7, Privacy Act Accounting of Disclosures.

For more information, including examples, of when to document consent, refer to the Privacy Act Consent site on the PGLD Disclosure and Privacy Knowledge Base on IRS Source.

The Privacy Act section (b)(8) allows us to disclose employee information in a compelling circumstance affecting the health or safety of the individual. This provision is strictly interpreted. Limit release to emergency situations. We must also tell the employee in writing of such disclosure and account for the disclosure following IRM 10.5.6.7.1, Form 5482 Procedure.

In a situation affecting the health or safety of an individual, if you feel the circumstance is a compelling emergency, you may disclose an employee’s identity to appropriate local officials or management to make sure the employee gets the immediate necessary attention.

The emergency and compelling nature of this exception includes valid life and death situations such as an airplane crash, pandemic, or a threat to themselves or others.

If you make such a disclosure, immediately tell your manager. Refer to IRM 11.3.34.3, Expedited Procedures in Emergency Situations.

Upon disclosure under the health and safety exception, the officer who made or authorized the disclosure must notify the subject in writing within 5 days of the disclosure. Meet this requirement by making reasonable effort to locate the individual and mail the notification to the last known employment or home address. Notification must include the following information:

Disclose documents controlled by OPM, such as the right (long-term) side of the Official Personnel Folder (OPF), according to the instructions in 5 CFR 297.402 and 5 CFR 297.403.

Process a court order, demand (subpoena or summons), or an order from an administrative body (such as a state unemployment compensation board), which requires testimony or the production of documents by an IRS official, per procedures for later approval by the proper official authorized by Delegation Order 11-2 in IRM 1.2.2.12.2. Process a court order, demand (subpoena or summons), or an order from an administrative body (such as a state unemployment compensation board), which requires testimony or the production of documents by an IRS official, per procedures for later approval by the proper official authorized by Delegation Order 11-2 in IRM 1.2.2.12.2.

According to the Civil Service Reform Act of 1978, Title VII, Section 7132, Part (a)(2):

Refer to IRM 11.3.35, Requests and Demands for Testimony and Production of Documents, and IRM 11.3.13, Freedom of Information Act, for further guidance on processing requests for personnel and payroll records.

After an employee has left the IRS for any reason, the Human Capital Office (HCO) sends the OPF within 90 days to OPM for maintenance and retention. After the OPF transfer, OPM is the proper agency to respond to subpoenas or other requests for personnel records. OPM requires a subpoena or court order signed by a judge. Direct subpoenas to:

The Privacy Act explicitly exempts, or allows agencies to exempt, certain categories of records, or information within a record, from certain Privacy Act provisions, including access and amendment requirements. Exempt SORs include those that contain records compiled in anticipation of a civil action or proceeding [(d)(5)], information compiled to investigate or enforce criminal laws [(j)(2)], or investigatory material compiled for non-criminal law enforcement purposes [(k)(2)]. Refer to 31 CFR 1.36 and a system’s SORN to determine if the records it contains are exempt from access and amendment requirements pursuant to Privacy Act sections (d)(5), (j), or (k).

The IRS Privacy Principles reflect the Privacy Act requirements outlined in IRM 10.5.6.2.1, Requirements of the Privacy Act.

Privacy protection within the IRS includes adherence by all IRS personnel to the IRS Privacy Principles listed in that section of IRM 10.5.1, Privacy Policy.

Policy Statement 1-1, Mission of the Service, also embodies these concepts. See that section in IRM 1.2.1, Servicewide Policies and Authorities, Servicewide Policy Statements.

The following NIST SP 800-53 security and privacy control addresses these Privacy Act requirements: PM-11 Program Management -- Mission and Business Process Definition. Refer to that section of IRM 10.5.1.

The OMB in Circular A-130 says:

Annual Mandatory Privacy Information Protection and Disclosure Briefing offers basic Privacy Act training for all IRS personnel who handle PII. Refer to Integrated Talent Management (ITM) course number 49403-22 and the Mandatory Briefings section of IRM 10.5.1.

The IRS requires the highest level of involvement in training for Privacy Act purposes for managers, government information specialists, and policy analysts serving in PGLD. This includes training beyond the mandatory briefings, such as ITM course number 78413, The Privacy Act, and the Privacy Advocate Certification Program courses, numbers 61972, 81027, and 81084.

Business units with key personnel identified as requiring a high degree of training in Privacy Act matters may direct them to ITM course number 78413, The Privacy Act. For tailored Privacy Act presentations, send a request to the *Privacy mailbox

Business units revising existing training programs or starting new training programs must include Privacy Act segments designed by their specific needs to follow IRM 10.5.6.5.6, Privacy Act Requirement to Maintain Accurate, Relevant, Timely and Complete Records. Contact Privacy at the internal *Privacy mailbox for help with such specialized course segments.

For personnel requiring less involvement, conduct a periodic refresher or update by including Privacy Act topics in regular group meetings and by discussing the impact of the Privacy Act on specific jobs. Contact Privacy at the *Privacy mailbox for information or help.

The following NIST SP 800-53 security and privacy controls address these Privacy Act requirements. Refer to these sections of IRM 10.5.1:

The OMB revised Circulars A-130 and A-108 in 2016 to emphasize Privacy Act compliance. The documents assert its importance by placing responsibility with a Senior Agency Official for Privacy (SAOP).

To make sure that agencies effectively carry out the privacy-related functions described in law and OMB policies, Presidential Executive Order 13719 requires the head of each agency to designate or re-designate an SAOP who holds agency-wide responsibility and accountability for the agency’s privacy program. The SAOP must be a senior official at the Deputy Assistant Secretary or equivalent level who serves in a central leadership position at the agency, has visibility into relevant agency operations, and is positioned highly enough within the agency to regularly engage with other agency leadership, including the head of the agency. See OMB Memo M-16-24.

The revised OMB A-108 replaced the prior OMB requirement for agencies to conduct annual Privacy Act reviews with the requirement to set up and maintain a privacy continuous monitoring (PCM) program. The IRS PCM strategy is outlined in the Pub 5499, IRS Privacy Program Plan.

The OMB requires the IRS to design its privacy control selection process to include privacy controls that ensure compliance with applicable requirements in the Privacy Act and related OMB guidance. Controls selected for an information system that has information in a SOR must address the following elements:

The following NIST SP 800-53 security and privacy controls address these Privacy Act requirements. Refer to these sections of IRM 10.5.1:

While record owners most familiar with the SOR must write and maintain the SORN, they must work with PGLD and other stakeholders to complete the process. For more details on SORN responsibilities, refer to the internal PGLD PPC SORN Development, Review, and Updates Standard Operating Procedure (SOP).

With support of PGLD headquarters, the Director, PPC, holds responsibility for:

Systems owners hold responsibility for:

Records owners hold responsibility for:

Records owners must have a continuing program for carrying out these goals and monitoring business unit activities. All contacts with business units to ensure compliance and adequate input to the development of new or revised notices will be along business unit lines with their IRM provisions authorizing the maintenance of the SOR.

Direct inquiries and recommendations from personnel about the adequacy of existing notices to the official identified in the published notice as maintaining the system. Process inquiries and recommendations about SORs that do not appear to be covered by an existing notice through normal supervisory channels within the business unit whose records are involved. The responsibility for the SOR lies with the official who instructed the records be accumulated.

Officials identified in notices as maintaining a SOR must send any matters they are unable to resolve and their own inquiries and recommendations to the official who issued the governing instructions authorizing or prescribing the existence or maintenance of the SORs.

The following NIST SP 800-53 security and privacy controls address these Privacy Act requirements. Refer to these sections of IRM 10.5.1:

When considering any new collection of Privacy Act information (in IT systems, paper, or any other format) retrieved by an identifier, you must verify a SORN covers those records. If not, the business unit of the record owner must publish or amend a SORN.

Responsible IRS personnel must publish a SORN in the Federal Register when setting up a new SOR, before collecting the information for inclusion in a SOR.

Responsible IRS personnel also must publish notice in the Federal Register when making significant, substantive changes to an existing SOR. Examples of significant changes include:

Records not retrieved by an identifier do not need a SORN.

Files consisting of records input to another SOR are not subject to the SORN requirement. If the input records have personal information that is retrieved but not input to the reported system, they will form a separate SOR. Files that have a continued existence of their own may be subject to the SORN requirement even though they may be part of another SOR.

Files with records produced from another SOR are not subject to the SORN requirement if all personal information in the output is derived from the system being reported. If more information is later added to the output, if the records are later used for an unrelated or different purpose, or if they have a retention period longer than the system being reported, they will form a separate SOR.

Files set up to help process a reported SOR – but with no meaningful existence of their own and with no personal information other than that being corrected, correlated, or otherwise moved to or from one or more reported systems of records – are not subject to the SORN requirement.

Copies of records, whether in the same or altered format, are not subject to the SORN requirement, if all personal information in the copy merely shows information in the system being reported. If more information is later given a different characterization, the records will form a separate SOR.

A file that temporarily has records for processing purposes that will be returned to a reported system upon completion is not subject to the SORN requirement if information in the temporary file can be located by reference to the reported file.

Information derived from a reported file for temporary use (such as work planning, scheduling field visits, controlling individual inventories, reviewing caseloads, or other activities related to the management of the IRS) and not reflective of any individual information not recorded in a reported file is not subject to the SORN requirement.

Telephone directories and similar lists that do not assign any characterization to any person listed are not considered subject to the SORN requirement.

Directories, industrial guides, reference works, and other source materials prepared commercially are not SORs subject to the SORN requirement.

Separate SORNs are not required for the closed parts of files that have been reported as a SOR.

The officials who had responsibility for records when they were open hold responsibility for preparing SORNs for closed or retired files that have no active counterpart. This must not be considered an instruction to search for and account for any document files from which records are no longer retrieved for IRS purposes.

Before developing a SORN, responsible IRS personnel must consider the proper scope of the SOR. Agencies have discretion in determining what forms a SOR for purposes of preparing a notice. However, responsible IRS personnel must consider the following general factors when determining whether to treat a group of records as a single system or multiple systems for the purposes of the Privacy Act:

A government-wide SOR is where one agency has regulatory authority over records in the custody of multiple agencies, and the agency with regulatory authority publishes a SORN that applies to all the records regardless of their custodial location. The application of a government-wide SORN makes sure that privacy practices with respect to the records are carried out uniformly across the federal government according to the rules of the responsible agency. For a government-wide SOR, all agencies – not just the agency with government-wide responsibilities – must follow the terms of the SORN and the applicable requirements in the Privacy Act, including the access and amendment provisions that apply to records under an agency’s control.

As a general matter, a government-wide SOR is proper when one agency has government-wide responsibilities that involve administrative or personnel records maintained by other agencies. For example, the Office of Personnel Management (OPM) has published some government-wide SORNs relating to the operation of the federal government’s personnel programs.

A Treasury-wide SOR covers many Treasury bureaus, including the IRS.

For information on SORNs, refer to the internal Privacy Act Systems of Records site. Also refer to the System of Records Notices page on IRS.gov for more information on SORNs, including links to government-wide, Treasury-wide, and IRS SORNs.

Each SORN must include the following information:

The following NIST SP 800-53 security and privacy controls address these Privacy Act requirements. Refer to these sections of IRM 10.5.1:

The requirement to publish a public notice applies to all SORs maintained by the IRS. The Privacy Act also allows agencies to exempt SORs from certain provisions of the Act by publishing a rule stating which provisions and why the exemptions are proper. Find such notices published in the Federal Register at 31 CFR 1.36.

The contents of some SORs may be exempted from the requirement that individuals be allowed access to those records and other requirements. When proposing a new SORN for a system intended to be exempt from some provision of the Privacy Act, send a revision to the Notice of Exempt Systems for the Commissioner's approval.

Systems of records are never automatically exempt from provisions in the Privacy Act.

Exemptions require an agency head to decide that a system is allowed to be exempt and publish it as a rule subject to the Administrative Procedure Act, that a system falls within one of the categories of systems allowed to be exempted. That notice must include the specific provisions from which the system is proposed to be exempted and why the agency considers the exemption necessary.

Consider exemptions on a case-by-case basis. The broad exemption for criminal law enforcement comes under (j)(2) and does not apply to most typical IRS uses.

Whenever this exemption is exercised, the SORN may be less detailed or simplified, especially about the statement of sources of information since in many investigative situations a suitable source of information can only be decided by the needs of the investigation.

Any meaningful change in the categories of individuals covered by the system or the categories of records in the system may make it advisable to republish the Notices of Exempt Systems.

A report identifying the changes or additions, and describing the nature, effect, and reasons for the proposed exemption in greater detail than in the notice itself, must go with Notices of Exempt Systems.

The IRS cannot collect information about individuals for inclusion in a SOR until it issues a public notice of that system.

A Report on New Systems must go with or precede the notice. For more information on such reports, see IRM 10.5.6.3.12, SORN Reports.

The transmittal memorandum must note any necessary expeditious handling and must include a proposed schedule for carrying out the various related actions such as:

In some cases, a statute may require that a SOR begin functioning before the agency can follow all Privacy Act requirements; identify any such conflict in the transmittal memorandum.

Treat a change to a SORN, which modifies an existing SOR falling within the criteria established for submission of a Report on New Systems, as a notice for a new system. The transmittal memorandum must include the information specified for a new system.

For more information on such reports, see IRM 10.5.6.3.12, SORN Reports.

Editorial changes consist of:

An editorial change reissues the SORN but does not show any change in the SOR. It requires very little justification in the associated memorandum.

Limited changes show modifications of an existing SOR that do not fall within the criteria established for submission of a Report on New Systems.

They do not involve any interruption or delay in operating the system pending the submission of such Report and the publication of a new SORN.

Fully justify a proposed limited change in the associated memorandum to show the business unit of the record owner considered and found inapplicable the requirements for report and notice before operating the system.

For more information on such reports, see IRM 10.5.6.3.12, SORN Reports.

Delete a SORN because the system:

If the business unit of the record owner must inform the public as soon as possible of a SORN deletion, prepare a suitable announcement for insertion in the Federal Register. When time is not a factor, delete the SORN by memorandum as part of the regular republishing of notices.

Once a SORN is deleted, any later proposal to reinstate the same SOR must follow reporting requirements as a new system.

Submit a report on a new SOR when proposing setting up a new SOR subject to the Privacy Act or when any change to an existing system meets any of the following criteria:

The Report on New Systems does not intend to inhibit the application of technology to data processing or to reduce the efficiency with which the IRS serves the public. It allows examination of the impact of new or altered data systems on citizens, the provision for confidentiality and security in those systems, and the extent to which the creation of the system will alter or change interagency or intergovernmental relationships related to information programs. The application of this reporting criteria must be consistent with these goals.

In applying the submission criteria, use a reasonable standard to avoid excessive reporting of insignificant details that would have no meaningful effect upon any Privacy Act consideration.

Report Contents: The Report on New Systems must consist of a brief narrative description and supporting documentation. The business unit that owns the records prepares the report.

The narrative description must be a brief statement, no more than four pages, that:

The narrative statement should refer to any information in the supporting documentation rather than restate such information.

Where changes to computer installations, communications networks, or any other general changes in information collection, handling, storage, or disclosure affect multiple SORs, submit a single combined new system report. In such cases, the narrative statement should address the overall privacy implications of the proposed change, identify all SORs affected by the change, and briefly describe any unique effect on any specific SOR.

Supporting Documentation: Include an advance copy of the new or revised system notice.

If the IRS proposes new exemption rules or changes to published exemption rules for the new or altered system, include an advance copy. If no change to existing exemption rules is required for the proposed new or altered system, the report must say that. Give proposed changes to existing exemption rules like that described for the system notices.

Include an advance copy of any proposed rules setting forth the reasons why the system is to be exempted from any specific provision, if applicable.

Submit the Narrative Statement and Supporting Documentation with a transmittal memorandum identifying the materials attached. Include existing descriptive materials in the Supporting Documentation. Copies of SORN, Notices of Exemptions or proposed rules should, to the extent possible, be consistent with the established publishing requirements for such materials.

The following NIST SP 800-53 security and privacy controls address these Privacy Act requirements. Refer to these sections of IRM 10.5.1:

The Privacy office oversees IRS compliance with Privacy Act notification programs.

The business units must be familiar with the requirements because they prepare documents that ask individuals to fill out forms supplying personal information.

Records owners hold responsibility for including necessary Privacy Act notices in administrative and tax forms and updating them when necessary.

Media and Publications Services control the forms creation process, which includes routing necessary approvals of Privacy Act and Paperwork Reduction Act notices (PAPRANs). For more information on this process, refer to the Paperwork Reduction Act Clearances page on IRS Source.

Office of Chief Counsel (Procedure and Administration) approves changes to PAPRANs on forms related to tax administration when necessary. Counsel may coordinate with Privacy staff if necessary.

Privacy Act notices on administrative (non-tax, such as personnel) forms require approval of Privacy, via email to the *Privacy mailbox.

If necessary, Privacy may coordinate with the Office of Chief Counsel (Procedure and Administration) about Privacy Act notices.

The Privacy Act (Section (e)(3) requires each agency that maintains a SOR to inform each individual requested to supply information (either on the form it uses to collect the information, or on a separate form that can be kept by the individual) of:

The Privacy Act, OMB and NIST all include notice requirements for public information collections, including online (such as the privacy control PT-5, Privacy Notice). For Online Data Collection and Privacy Policy Notices, see those sections of IRM 10.5.1, Privacy Policy.

A simple example or template, with brackets [like this] to fill in the details pertinent to the website or application, is:

This provision makes sure agencies inform individuals from whom personal information is collected of the reasons for requesting the information, how it may be used, and what the consequences are, if any, of not supplying the information.

The notion of informed consent is implicit in this provision, since agencies must give an individual with sufficient information about the inquiry to make an informed decision on whether to respond.

The notice must inform the recipient. To be meaningful to the average person, it should avoid using technical language and should not be so lengthy as to discourage or confuse the reader. The content should summarize rather than itemize the information required to avoid unnecessary detail.

This provision of the Privacy Act applies only to inquiries where agencies request individuals to give information about themselves or their own affairs, not about inquiries directed to third parties asking for information about someone else.

Section 7 of the Privacy Act says it is unlawful for any federal, state, or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose that individual’s social security number (SSN).

The Tax Reform Act of 1976 allows a state or political subdivision to require the disclosure of SSNs to establish the identity of any person affected by:

An agency that requests an individual to disclose that individual’s SSN is to inform the individual:

IRC 6109 gives the authority for requiring SSNs as identifying numbers for tax administration purposes.

For more information on SSN Elimination and Reduction (SSN ER) efforts, refer to that section of IRM 10.5.1.

The following NIST SP 800-53 security and privacy control addresses these Privacy Act requirements: PT-7(1) Personally Identifiable Information Processing and Transparency – Specific Categories of Personally Identifiable Information – Social Security Numbers. Refer to that section of IRM 10.5.1.

The various inquiries made of individuals by the IRS during tax administration are part of a single process. Rather than include the same Privacy Act notice information in many forms or letters that are repeated contacts with the same individual about the same situation, the IRS has adopted an "umbrella" approach where the first contact of a series includes a notice that the individual may keep and that would apply to all future inquiries related to that situation. This approach spares the recipient from receiving repetitious and unnecessary identical notices.

A universal Privacy Act notice in the Form 1040 instructions applies to:

This umbrella notice fulfills the Privacy Act notice requirements for any further inquiries in the normal course of IRS campus processing, including initial billing of tax due on the returns.

Although the notice given with the return instruction package would be legally adequate for later inquiries, the IRS makes available a further notice, Notice 609, Privacy Act Notice, for use when a distinct series of actions takes place beyond campus processing.

The IRS revises Notice 609 as necessary to conform to the wording used for the universal notice approved for inclusion in the Form 1040 instruction packages.

The IRS distributes Notice 609 to:

The IRS gives more copies of Notice 609 to any taxpayer upon request.

The distribution of Notice 609 described in (6) and (7) does not require any individual documentation, as such distribution is made in addition to the minimal legal requirement.

The distribution of the universal notice, plus the distribution of separate Notice 609 for the collection- and examination-related stream, should satisfy the Privacy Act notice requirement for all expected tax administration inquiries.

If officials meet circumstances requiring more notices, they may further distribute Notice 609, if the wording appears proper to the circumstances.

Do not adopt separate Privacy Act notices for tax administration purposes without prior approval of the:

The Privacy Act requirements for a notice to individuals asked to supply information, and a notice to individuals asked to disclose their SSNs, also apply to inquiries not related to tax administration, such as requests for information from IRS personnel for administrative purposes (such as personnel forms).

The variety of information requested on such forms has made using a universal notice inappropriate, so those forms have individual Privacy Act notices. Include the notices in the form itself, whenever workable.

The inclusion of necessary Privacy Act notices in administrative forms is the responsibility of the records owner. Such notices require approval of Privacy (via the *Privacy mailbox). If necessary, Privacy coordinates with the Office of Chief Counsel (Procedure and Administration) about Privacy Act notices not related to tax administration.

For more information on Online Data Collection and Privacy Policy Notices, see those sections of IRM 10.5.1, Privacy Policy.

The following NIST SP 800-53 security and privacy controls address these Privacy Act requirements. Refer to these sections of IRM 10.5.1:

Subsection (e)(8) of the Privacy Act requires that agencies "make reasonable efforts to serve notice on an individual when any record on such individual is made available to any person under compulsory legal process when such process becomes a matter of public record."

This provision applies to disclosures made under:

This provision does not apply to disclosures made under a written request by, or with the written consent of, the individual to whom the record relates. It does not apply if the process leading to disclosure is at the request or on the behalf of the subject of the record.

While this provision does not apply to disclosures made under subsections (b)(1), (2), (4)-(10), and (12) of the Privacy Act, this provision does apply when a disclosure is made under a routine use as provided by subsection (b)(3) that authorizes disclosures in response to subpoenas or court orders.

All IRS personnel involved in the design, development, operation, or maintenance of any SOR subject to the Privacy Act must be aware of the Act’s recordkeeping restrictions outlined in IRM 10.5.6.5, Privacy Act Recordkeeping Restrictions (Civil Liberties Protections). You should be alert to any potential violation of such.

If you recognize any questionable practices of this prohibition, report the details to the official responsible for prescribing the SOR, for evaluation, and correction.

If you receive any inquiry from a member of the public questioning the content of any SOR about the exercise of First Amendment rights, you must send the inquiry, supplying any available background information, through channels, to their management for response and proper action.

Personnel and management requiring guidance about any information being recorded in a SOR under their control should seek Privacy’s help by email to the *Privacy mailbox.

All supervisory or other personnel that have review responsibilities for case records should be alert to First Amendment issues and include them in their reviews.

The IRS may maintain records describing the exercise of First Amendment rights only if one of the following conditions is met.

This section of the Privacy Act requires agencies to treat all persons fairly and equally under applicable laws. The absence of First Amendment information from agency records helps to prevent selective treatment of persons based on religion, opinion, or group membership.

IRS personnel hold responsibility for avoiding any possible inference of selective treatment of individuals based on their exercise of First Amendment rights.

Refer to the Data Quality IRS Privacy Principle and Civil Liberties sections of IRM 10.5.1.

Subsection (e)(2) of the Privacy Act says that an agency must:

This provision stems from a concern that information collected from third party sources could be erroneous, outdated, irrelevant, or biased.

This provision requires that agencies make decisions under federal programs that affect an individual based on information supplied directly by that individual "to the greatest extent practicable."

Officials responsible for SORs with information collected from third-party sources must consider in their periodic review of procedures whether their practices are consistent with the intent of subsection (e)(2) of the Privacy Act and IRM 10.5.6.2, Privacy Act General Provisions. This periodic review of procedures must include a review of those parts of the IRM about the collecting information from third-party sources.

In analyzing each situation where the IRS collects personal information from a third-party source, each business unit should consider the following:

The aim is to get information directly from the individual involved whenever practical to do so.

Refer to the Data Quality IRS Privacy Principle section of IRM 10.5.1.

To protect civil liberties and avoid unnecessary intrusion upon individual privacy, subsection (e)(1) of the Privacy Act says that each agency that maintains a SOR must:

Use or collect PII only when necessary and relevant for legitimate IRS purposes, namely tax administration and other authorized purposes. Refer to IRM 10.5.1, the Purpose Limitation section.

To reduce risk of intentional or inadvertent improper use of personal data, limit the collection, use, retention, and disclosure of PII to what is minimally necessary for the specific purposes for which it was collected, unless specifically authorized. Refer to IRM 10.5.1, the Minimizing Collection, Use, Retention, and Disclosure section.

See Exhibit 10.5.6-5, Terms and Acronyms, for definitions for the following terms, which are used throughout the rest of this IRM:

See the Monitoring of Individuals section of IRM 10.5.1.

Subsection (e)(5) of the Privacy Act says each agency that maintains a SOR must:

Subsection (e)(6) of the Privacy Act says:

Refer to the IRM 10.5.1, sections on Data Quality and Verification and Notification.

The following NIST SP 800-53 security and privacy controls address these Privacy Act requirements. Refer to these sections of IRM 10.5.1:

This policy applies to current internal personnel for non-tax Privacy Act records. For members of the public, refer them to How to write a Privacy Act request on the IRS.gov Privacy Policy page.

Current internal personnel may request access to, amendment of, or disclosure of information about themselves through established procedures directly from the business unit in control of the record. For most, this means asking your manager or HCO about your personnel records. Give enough information for them to find the records, using the elements in this section. Cite this IRM section in your request to help the record owner understand their responsibility.

If you still need your records after asking for them directly, make a formal Privacy Act request via *Privacy, including the required elements in this section. Privacy works with the business unit with control of the records for them to respond.

This policy applies to all Privacy Act requests. The types of requests are described in these sections:

For all Privacy Act requests, follow the regulations in section 3, Appendix B of Title 31, Part I, Subpart C, of the CFR and include these elements. They must:

A request for notification of and access to non-tax Privacy Act records comes from an individual wanting to know what non-tax records the IRS has about them and asking for access to such records.

This section explains how we respond to requests for notification of and access to non-tax Privacy Act records. We may receive requests internally or externally.

For managers, if your employee asks for their own records directly, allow them access (subject to any access exemptions and restrictions) under established agency procedures, if possible, without the need for a formal Privacy Act request.

For HCO, if you receive a request from an employee for their own records directly, allow them access (subject to any access exemptions and restrictions).

If you have questions about Privacy Act requests, email *Privacy. Disclosure works with the business unit in control of the records to help the business unit to respond.

Disclosure helps the business unit with control of the requested records respond to Privacy Act requests for notification and access as follows:

A request for amendment of non-tax Privacy Act records comes from an individual wanting to correct non-tax records the IRS has about them that they feel are not correct, relevant, timely, or complete.

This section explains how we respond to requests for amendment of non-tax Privacy Act records. We may receive requests internally or externally.

For managers, if your employee asks for you to amend their records directly, respond to them (subject to any access exemptions and restrictions).

For HCO, if you receive a request from an employee to amend their records directly, respond to them (subject to any access exemptions and restrictions).

If you have questions about Privacy Act requests, email *Privacy. Privacy works with the business unit in control of the records to help the business unit respond.

For responsibilities, time limits, and processing steps to amend records, including any review and adjudication of an adverse determination, refer to section 3, Appendix B of Title 31, Part I, Subpart C, of the CFR. This guidance mirrors that in IRM 10.5.6.6.2, Requests for Notification of and Access to Privacy Act Records, including IRM 10.5.6.6.2.1, Verification of Identity, and IRM 10.5.6.6.2.2, Duplication Fee.

Send requests to amend a non-tax record under the Privacy Act to the business unit with control of the requested records (usually the official named in the SORN). Refer the business unit to this IRM section and tell them to email *Privacy with any questions.

As needed, Privacy helps the business unit with control of the requested records (usually the official named in the SORN) respond to Privacy Act requests for amendment following the regulations and this policy. The responder in the responsible office must:

Externally, members of the public may send requests for disclosure of non-tax Privacy Act records following the How to write a Privacy Act request on the IRS.gov Privacy Policy page. Disclosure processes external requests.

Internally, as IRS personnel, if you need to request disclosure of your non-tax Privacy Act record to a third party, ask the business unit in control of your non-tax record (usually HCO or management) in writing. You may use Form 15293, IRS Privacy Act Disclosure Consent. See IRM 10.5.6.2.3, Privacy Act Consent to Disclosure.

Send questions about requests for disclosure of non-tax Privacy Act records to Privacy via internal email to the *Privacy mailbox.

A privacy complaint is a written allegation about a problem with or violation of privacy protections in the administration of our programs and operations that may cause harm or violation of personal or information privacy. This information may include:

The OMB NIST security and privacy controls require agencies to implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices. [A-130; PM-26]

Externally, for how the public files a Privacy Act complaint, refer to the Privacy Complaints section of the IRS.gov Privacy Policy page.

Internally, email privacy complaints to Privacy via the *Privacy mailbox.

To resolve privacy complaints, Privacy follows the procedures outlined in the internal Management of Privacy Complaints and Inquiries from the Public standard operating procedure.

To resolve a privacy complaint, Privacy can answer the privacy policy aspects and help those responsible resolve issues. We defer to management, Counsel, and Labor Relations for any managerial, legal, and labor issues respectively. Privacy does not have the authority to discipline misconduct of employees outside its organization.

For individuals seeking action beyond the complaint resolution, they may personally follow legal options under the Privacy Act. See IRM 10.5.6.2, Privacy Act General Provisions, for civil remedies and criminal penalties for willful Privacy Act violations. If you know of a willful violation of law by an IRS employee, you may report that to TIGTA for investigation.

This Privacy Act Complaints section addresses the following NIST SP 800-53 security and privacy control: PM-26 Program Management -- Complaint Management. Refer to that section of IRM 10.5.1.

Subsection (c)(3) of the Privacy Act says that accounting of disclosures made under the Privacy Act are available to the individuals named in the records at their request.

The request must:

If your office receives a request for Privacy Act accounting of records your business unit does not have, send it to the responsible office, if known, or email it to *Privacy for privacy to contact responsible personnel. Otherwise, if your office has the records, follow these procedures.

For responsibilities, time limits, and processing steps for accounting requests, including any review and adjudication of an adverse determination, refer to section 3, Appendix B of Title 31, Part I, Subpart C, of the CFR. This guidance mirrors that in IRM 10.5.6.6.2, Requests for Notification of and Access to Privacy Act Records, including IRM 10.5.6.6.2.1, Verification of Identity, and IRM 10.5.6.6.2.2, Duplication Fee.

Privacy helps the business unit with control of the requested records respond to Privacy Act requests for accounting of disclosures.

To prevent a requester from getting premature knowledge of the existence of an investigation and defeating the law enforcement process, review accountings before release and withhold those that are exempt.

If a SORN lists an exemption, those records are exempt from the accounting request. Respond to the requester that the records are exempt.

Also exempt are disclosures made under subsection (b)(7) (if Form 5482 shows box for (b)(7) checked). Respond to the requester that the records are exempt, unless the information is:

Using the information in the request, responsible personnel must find the Form 5482 necessary to process the Privacy Act accounting request.

After finding the Form 5482, the responsible personnel must prepare a response, informing the requester that the listed items are those accountings of disclosures the Privacy Act requires the IRS to make available.

The listed items in the response include:

Responsible personnel must send the response to the requester.

For accounting of disclosures under the Privacy Act, use Form 5482, Procedure, Record of Disclosure (Privacy Act of 1974).

If your business unit has procedures for Form 5482, follow them. For example:

Each employee who makes a disclosure of a record subject to the accounting requirement, must prepare Form 5482.

Though a business unit might disclose information about an individual from more than one of its SORs, the business unit should prepare an accounting record for only the SOR where the greatest amount of information is given.

The business unit making the Privacy Act disclosure must maintain the original Form 5482 (electronic or paper) in a separate Form 5482 file held by the official with custody of the SOR. File forms in alphabetical order by name of the subject in a separate section for each calendar year. Maintain this file for five years or the record retention period of the subject record, whichever is longer. At the end of each year, destroy all the forms that have reached the retention period. See Document 12990, Records Control Schedules, RCS 8, Item 44.

For paper records, copy the Form 5482 and associate the duplicate with the record disclosed and keep it for the retention period of that record.

For non-paper records that prevent attaching Form 5482, do not prepare a duplicate.

For multiple disclosures, where all entries would be the same, except the identity of the subject, prepare a single Form 5482 by leaving the name block blank. Attach a list of all persons involved to the original form, and place in front of the alphabetical items in the Form 5482 file. However, do not attach the list to the copy placed in the record disclosed. Copy the Form 5482 (one for each person whose records are disclosed) and insert the proper individual’s name before association with the disclosed record.

Associate a Form 5482 recording a disclosure made under (b)(7) of the Privacy Act with the record disclosed only if the SOR has an exemption that would prevent the subject from getting the Form 5482 or learning of the (b)(7) disclosure. If the SOR would be generally available for the subject’s inspection (such as the official personnel folder), do not associate the Form 5482 with the record. Mark it for retention to be kept for as long as its associated record file exists in the agency and file it in a special section of the Form 5482 file. Destroy the Form 5482 whenever the associated record disclosed is known to have been destroyed.

The IRS patterns its personnel SORs after those of OPM. The IRS groups the records into SORs according to similar purposes for setting up the files, similar handling of records, and similar records.

The Privacy Act applies to most personnel records, as we usually maintain them by employee name, SSN, or Standard Employee Identifier (SEID). They are in one or more of the personnel SORs.

The OPM also has Privacy Act responsibilities for certain personnel records maintained by federal agencies. If records have gone to OPM, refer requests for such records to OPM. Refer to 5 CFR 297 for the OPM's Privacy Act rules and regulations.

HCO management serves as the system manager for most IRS personnel records. Make requests for access to IRS employee personnel records through the office maintaining the records.

Request access to those records not under the control of HCO from the system managers or designees listed under each SOR in the SORN.

The Privacy Act requires agencies to publish SORNs in the Federal Register. The IRS publishes its SORNs as a part of the Department of the Treasury's publication.

A specific coding shows the SORs belong to Treasury and the IRS. This coding is part of the title of each SOR. The coded title for each system is Treasury/IRS followed by a five-digit number with a period after the second digit. The first two digits show the business unit and the division that controls the records.

A title for the system is also used with the coding structure.

The personnel SORs under the control of HCO Personnel include:

Each department or agency in the federal government uses similar coding. The OPM controls certain personnel records maintained by other federal agencies. The OPM uses a coding system that shows whether the system has records of federal employees or only OPM employees, as follows:

The OPM also has a third SOR. This SOR has records on all federal employees that are both controlled and maintained by OPM. The coding for these systems uses the words OPM/Central.

Two other federal agencies have government-wide systems:

If an individual requests their own personnel records, allow them access under established procedures, subject to any access exemptions and restrictions. See IRM 10.5.6.6, Privacy Act Requests for Non-Tax Records.

The HCO usually handles the release of personnel information, with a functional area Payroll Center sometimes involved. For HCO procedures, refer to the Litigations, Grievances, Arbitrations and Information Requests with Servicewide Impact section of IRM 6.300.1, Employment (General), and IRM 6.711.2, Processing Information Requests.

HCO processes, under the Privacy Act:

Send requests citing the FOIA or involving tax returns or return information subject to IRC 6103 to Disclosure.

Privacy is available to help and advise HCO on personnel records matters via the *Privacy mailbox.

HCO works requests that require payroll information. If the IRS employee whose payroll records are requested consents to release, and salary information is all that is needed by a third party, use the proper system or website.

Send requests from the exclusive representative, under their rights defined in 5 USC 7114(b)(4), to the Workforce Relations office.

The Privacy Act only applies to living individuals. See OMB Guidelines, 40 Fed. Reg. 28,948. While the Privacy Act does not give deceased employees confidentiality, their surviving families and friends have some expectations of privacy about certain aspects of records of deceased employees.

Generally, the IRS privacy policy is to keep information about employees who died confidential. Sometimes the IRS may be required to disclose limited information about the deceased person to executors and relatives when the disclosure is necessary for implementation of a will or other necessary business to complete the deceased person's affairs.

If a surviving family member calls for protection of sensitive graphic details about a death or other very sensitive information when disclosure would cause mental anguish and pain to the survivor, keep the following in mind:

Email privacy and security standards require encryption to protect sensitive but unclassified (SBU) information (including PII), unless the information is meant for the public (such as a death announcement). See the Email section of IRM 10.5.1, for more information.

If a request for access to a SOR mentions the FOIA, process the request per procedures for administering the FOIA. Refer to IRM 11.3.13, Freedom of Information Act, for further instructions.

Process an access request under the statute that gives the greatest right of access to the individual regardless of the statute cited by the individual.

As part of the agency's and exclusive representative's (NTEU, in the case of the IRS) duty to negotiate in good faith, the Civil Service Reform Act of 1978 (5 USC 7114(b)) defines the agency's obligation to give to the exclusive representative involved or its authorized representative, upon request and, to the extent not prohibited by law, data:

Direct requests from the NTEU under the collective bargaining rights to the Labor Relations (LR) office of HCO or other designated LR functional unit.

For FOIA policy, refer to IRM 11.3.13, the Personnel Records section.

For HCO policy, refer to IRM 6.711.2, Processing Information Requests.

Tax returns and return information may be used in disciplinary or adverse actions, suitability determinations, and other personnel decisions when relevant, under IRC 6103(I)(4). These include unemployment compensation and workers compensation cases filed by IRS employees or former employees where the IRS is the employer involved. Also included are EEO cases or Merit System Protection Board (MSPB) cases where the IRS is one of the named parties.

The IRC applies here, not the Privacy Act. Refer to the Disclosure of Returns and Return Information for use in Personnel or Claimant Representative Matters - IRC 6103(l)(4) section of IRM 11.3.29.

You must account for tax disclosures under the IRC, not the Privacy Act. For tax disclosure accounting procedures, refer to IRM 11.3.37, Recordkeeping and Accounting for Disclosures.

Most Congressional inquiries on individuals relate to tax accounts. Process these under the IRC, not the Privacy Act. Refer to IRM 11.3.4, Congressional Inquiries, the Processing Requests for Disclosure section.

This policy addresses non-tax Congressional Privacy Act inquiries for Privacy Act information, such as employee requests.

Do not disclose Privacy Act information to the Congressional office without written consent of the individual. Routine uses for systems relating to disclosures to Congressional offices limit disclosures to inquiries made at the written request and consent of the individual who is the subject of the record(s). See IRM 10.5.6.2.3, Privacy Act Consent to Disclosure.

Give publicly available non-tax information to the Congressional office without any contact with the individual subject of the record(s).

Maintain letters or referrals from Congressional offices either as a part of the general correspondence files or in files such as adverse or disciplinary files.

The term "promotion files" refers to all files set up for the purpose of selecting individuals for vacant positions. The promotion file includes those documents used or started in the selection process.

The IRS maintains the promotion file by the vacancy announcement number or Promotion Certificate Number. While the information in the file may be found in other SORs, the promotion file itself is not subject to the Privacy Act unless retrieved by a personal identifier.

For promotion file disclosure to employees, see that section in IRM 10.5.6.8.8.1.

For promotion file disclosure to an exclusive representative under 5 USC 7114, see IRM 10.5.6.8.5, Disclosure Under 5 USC 7114.

For HCO policy, refer to the Documentation and Release of Evaluative Information to Employees, Unions and Others sections of IRM 6.335.1.

For promotion file disclosure to the public, refer to the Personnel Records section of IRM 11.3.13, Freedom of Information Act.

Agency grievance records are those that are compiled and maintained by HCO as the result of an employee filing a grievance under IRM 6.771.1, Agency Grievance System (AGS). Negotiated Agreement Grievance Files are those records that are compiled and maintained by HCO as the result of an employee filing a grievance under one of the negotiated agreements.

These files, maintained by the employee grievant’s name, generally fall under the SOR for Treasury/IRS 36.001, Appeals, Grievances and Complaints Records.

These files are subject to the Privacy Act, which governs access by the individual to whom the record relates. Routine use and the other disclosure provisions in subsection (b) of the Privacy Act apply.

For HCO procedures, refer to the Litigations, Grievances, Arbitrations and Information Requests with Servicewide Impact section of IRM 6.300.1, Employment (General), and IRM 6.711.2, Processing Information Requests.

Certain documents may receive protection from disclosure under the (d)(5) provision of the Privacy Act about information compiled in reasonable anticipation of a civil action or proceeding.

To the extent third party tax information is in these files, the grievant's access, as well as the grievant's representative's access, is only under IRC 6103(l)(4)(A). Refer to the Disclosure of Returns and Return Information for use in Personnel or Claimant Representative Matters - IRC 6103(l)(4) section of IRM 11.3.29.

There may be grievances with related files that are not subject to the Privacy Act, such as promotion files. Consider the disclosure of these files separately from the grievance.

To the extent a request for negotiated agreement grievance files cites the FOIA, refer to the Personnel Records section of IRM 11.3.13 for more information on the right FOIA exemptions and personnel files.

Retirement records are those records compiled because of an employee applying for voluntary retirement or disability retirement, and those retirements started by the IRS.

Retirement records fall under the access provisions of the Privacy Act by the individual to whom the records relate.

For disability retirement, the special provisions for access under the Privacy Act for medical records are described in IRM 10.5.6.8.11, Medical Records.

Intra-management memoranda and discussions that may occur during an agency-initiated disability retirement may receive protection from disclosure under the (d)(5) provision of the Privacy Act relating to information compiled in reasonable anticipation of a civil action or proceeding

Both voluntary and disability retirement records in the control of HCO fall under the SOR for Treasury/IRS 36.003, General Personnel and Payroll Records. They include information on both voluntary and disability retirement and such documents as SF-2801, Application for Retirement, health and life insurance forms, and medical records.

Find disability retirement records listed in both OPM/GOVT-10, Employee Medical File System Records, and Treasury/IRS 36.003, General Personnel and Payroll Records. Access medical records associated with a disability retirement under Treasury/IRS 36.003.

The retirement records, once OPM receives them, fall under the SOR for OPM/Central-1, Civil Service Retirement and Insurance Records. Once OPM receives retirement records, refer all requests to OPM.

For processing FOIA requests for these records, refer to the Personnel Records section in IRM 11.3.13, Freedom of Information Act.

We must keep all medical information confidential in a separate file from the individual's personnel file. Refer to HCO policy in the Requests for Medical Information and Confidentiality and Disclosure sections of IRM 1.20.2, Providing Reasonable Accommodation for Individuals with Disabilities.

The IRS compiles and maintains medical records at the request of both the employee and the agency.

The HCO maintains medical files for HCO personnel purposes.

The Health Unit maintains medical records associated with the Health Unit.

The IRS maintains medical records by employee name. The purpose of the file determines its inclusion in a SOR.

Most medical records are in:

OPM also includes medical records associated with the OPF In OPM/GOVT-1, General Personnel Records.

Medical records are available to the individual to whom the record relates under the Privacy Act, subject to special procedures outlined in 5 CFR 297.205, Access to Medical Records.

When medical records fall under the special handling of 5 CFR 297.205, Access to Medical Records:

For medical determination records, refer to IRM 1.20.2, Providing Reasonable Accommodation for Individuals with Disabilities.

For alcohol, drug abuse and Employee Assistance Program records, refer to IRM 6.800.3, Employee Assistance & Worklife Referral Program.

For medical qualification records, refer to IRM 6.339.1, Medical Qualification Determination Requirements.

For injury compensation records, refer to IRM 6.800.1, Workers' Compensation Program.

The OPF is the official record of an individual's career in the federal government. For HCO policy, refer to IRM 6.300.1, the Litigations, Grievances, Arbitrations and Information Requests with Servicewide Impact section.

While the OPF is an OPM file, the agency employing the individual maintains it during employment.

The OPF is in OPM/GOVT-1, General Personnel Records, and includes those records in the permanent (right) part of the OPF. The temporary records on the temporary (left) part of the OPF are agency records and solely under the control of the agency and are in Treasury/IRS 36.003, General Personnel and Payroll Records SORNs.

Follow the routine uses in OPM/GOVT-1 for release of information (other than public information) from the permanent part of the OPF. Follow the routine uses in Treasury/IRS 36.003 for release of information from the temporary part of the OPF.

OPM/GOVT-1, designates four more items we may release to prospective non-federal employers without the prior written consent of the employee. They are:

When an employee retires and receives a Civil Service or Federal Employee Retirement annuity or separates from federal service, the OPM takes control of the OPF and retirement records. Refer requests for such records to OPM under OPM/GOVT-1.

For FOIA requests for OPF records, refer to IRM 11.3.13, the Personnel Records section.

When prospective non-federal employers request information (other than public information and the four items above), you must get prior written consent from the employee.

The IRS may allow access to the OPF by the individual to whom the record relates. See IRM 10.5.6.6.2, Requests for Notification of and Access to Privacy Act Records.

The IRS may grant or deny a request to amend a record in the OPF; however, if denied, direct the appeal rights to OPM. See IRM 10.5.6.6.3.1, Review of Refusal to Amend a Record.

The HCO compiles and maintains these records and files. For HCO policy, refer to IRM 6.511.1 , Position Management and Classification Policy and Operational Guidance.

The IRS maintains these files and records by position designation or numbers rather than by an individual identity. Because we do not retrieve these files by an identifier, they are not Privacy Act records.

The IRS compiles these records in anticipation of a proposed disciplinary action against an employee. OPR handles disciplinary action matters under 31 USC 330 (conference and practice). The OPR follows the general rules of this subsection in processing requests.

Refer to the definition and requirements of the various disciplinary actions in IRM 6.751 , Discipline and Disciplinary Actions: Policies, Responsibilities, Authorities, and Guidance, and IRM 6.752 , Disciplinary Suspensions and Adverse Actions.

These files are a part of Treasury/IRS 36.003, General Personnel and Payroll Records. Copies may also exist in Treasury/IRS 00.007, Employee Complaint and Allegation Referral Records.

For the documents and records in the file, refer to IRM 6.711.2, Processing Information Requests.

The HCO maintains only copies of those parts of the investigation report used as the basis of the proposed action.

Since these records are maintained as a part of Treasury/IRS 36.003, the Privacy Act allows access by employees to their own disciplinary action files.

These files may include intra-management memoranda and discussions that may receive protection from access by the individual to whom a file relates under the (d)(5) provision of the Privacy Act.

Disclosure of tax information from these files is subject to the confidentiality provisions of IRC 6103.

To the extent a request for Disciplinary Action Files is received and cites the FOIA, refer to IRM 11.3.13 for more information on the right FOIA exemptions and personnel files.

The IRS compiles these records in anticipation of proposing and taking adverse action against an employee.

The HCO maintains these files by the employee's name and are in Treasury/IRS 36.003, General Personnel Records. The Privacy Act allows access by employees to their own adverse action files.

For certain required documents, refer to IRM 6.752, Disciplinary Suspensions and Adverse Actions.

If a Treasury Inspector General for Tax Administration (TIGTA) report is used to document the charges, HCO keeps only copies of those parts about the charges.

The employee or chosen representative, upon request, receives copies of the information used to support the proposed changes.

These files may include intra-management memoranda and discussions that may receive protection from access by the individual to whom a file relates under the (d)(5) provision of the Privacy Act.

Disclosure of tax information from these files is subject to the confidentiality provisions of IRC 6103.

To the extent a request for Adverse Action Files is received and cites the FOIA, refer to IRM 11.3.13 for more information on the right FOIA exemptions and Personnel files.

The Equal Employment Opportunity (EEO) complaint files consist of materials compiled in connection with an informal complaint against the agency. For EEO policy, refer to Equal Employment Opportunity and Diversity IRM 1.20.

Find EEO formal complaint files with the Treasury Office of Civil Rights and Equal Employment Opportunity (OCRE).

The EEO complaint files are in Treasury/IRS 36.001, Appeals, Grievances and Complaints Records, and EEO/GOVT-1, Equal Employment Opportunity in the Federal Government Complaint and Appeal Records. The Privacy Act allows access by employees to their own complaint files.

Evaluate a request for access to an EEO complaint or investigative file by an individual, other than the complainant (the subject of the file) or their representative, or an EEO Program official who holds responsibility for the processing of the complaint, under the FOIA, not the Privacy Act. Refer to IRM 11.3.13, Freedom of Information Act, for how to process under FOIA.

Treasury OCRE is the official repository of EEO formal complaint files. Refer requests for such files to Treasury OCRE. The IRS Office of Equity, Diversity and Inclusion, Civil Rights and Anti-Harassment Division, assesses requests for information related to EEO complaint processing that did not advance to the formal complaint stage.

The IRS compiles and maintains these records at the discretion of the supervisor and as required (such as the Employee Performance File, EPF) by the HCO IRM 6.430 , Performance Management series.

The SORN Treasury/IRS 36.003, General Personnel Records, covers supervisory files. The Privacy Act allows access by employees to their own documentation files.

Supervisors use the records in these files primarily to evaluate and counsel employees on work performance and must protect them under 5 CFR 293, Personnel Records. Refer to IRM 1.4.1, the Employee Performance File (EPF) section.

Supervisory files may include promotion appraisal forms, narrative recordation, commendations, copies of awards, copies of SF-50s and SF-1126s, requests for training, and training evaluations. These files may also include documents required by functional managers. These documents have information such as caseloads, time reports, emergency contact lists, and other work-related information.

Do not maintain outdated and irrelevant material, which could adversely affect an employee.

The records maintained in the supervisory file may at times be in other files such as grievance and promotion files. Disclose tax information in these files only as authorized by IRC 6103. Those records with labor relations advice are subject to 5 USC 7114(b)(4)(C).

To the extent a request for Supervisory Documentation Files is received and cites the FOIA, refer to IRM 11.3.13 for more information on the right FOIA exemptions and Personnel files.

In certain circumstances, an employee may have an NTEU official in a meeting with a supervisor. You might discuss personal information (about the employee) in the employee's records in such meetings. They may have access to such personal information.

The NTEU official may also contact the supervisor for copies of documents discussed or reviewed in an earlier meeting at which the employee and representative were in attendance. The supervisor cannot discuss more topics or expand upon the discussion with the representative without the prior written consent or presence of the employee.

See IRM 10.5.6.3.12, SORN Reports.

The IRS files an annual report with the Department of the Treasury for inclusion in the Freedom of Information Act Annual Report submission to the Department of Justice that has statistical data about Privacy Act and FOIA requests, administrative appeals, and litigation.

Refer to IRM 11.3.13, the Report Submission section, for more information on this report.

The Privacy Act originally required the president to send a biennial report to Congress describing the administration of the statute. However, this requirement was later repealed. In place of the biennial Privacy Act report, OMB now reports to Congress on agencies’ compliance with privacy requirements through the annual Federal Information Security Modernization Act of 2014 (FISMA) report to Congress.

Each year, OMB issues guidance instructing each SAOP to review the administration of the agency’s privacy program and report compliance data to OMB. OMB uses the reports from agencies to develop its annual FISMA report to Congress.

The PGLD office of Privacy Policy and Compliance contributes the privacy elements to this report.

The Computer Matching and Privacy Protection Act IRM covers this content. Refer to the Annual Matching Activity Review and Report section of IRM 11.3.39.

The following NIST SP 800-53 security and privacy control addresses these Privacy Act requirements: PM-24 Program Management -- Data Integrity Board. Refer to that section of IRM 10.5.1.

Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007 requires certain executive branch departments, agencies, and elements to designate at least one senior official as a "privacy and civil liberties officer." In enacting the statute, Congress explained that such officers are meant "to function as a source of advice and oversight on privacy and civil liberties matters to the agency." More specifically, Section 803 directs that each privacy and civil liberties officer "serve as the principal advisor" to the agency with respect to three issues:

Each agency’s privacy and civil liberties officer must issue semiannual reports on the discharge of each of their functions under the statute. PGLD headquarters holds responsibility for preparing sections of the report about privacy and the Privacy Act and sending the information to Treasury, which compiles the department’s reports.

Privacy Complaints formal and informal: For report purposes, a privacy complaint is a written allegation filed with the department about a problem with or violation of privacy protections in the administration of the programs and operations of the department that may be the cause of harm or violation of personal or information privacy. This information may include:

Civil Liberties Complaints formal and informal: For report purposes, a civil liberties complaint is a written allegation filed with the Department alleging harm or violation of an individual’s constitutional rights. Civil liberties complaints include:

The following NIST SP 800-53 security and privacy control addresses these Privacy Act requirements: PM-26 Program Management -- Complaint Management. Refer to that section of IRM 10.5.1.