11.3.1 Introduction to Disclosure

Manual Transmittal

March 13, 2018


(1) This transmits revised IRM 11.3.1, Disclosure of Official Information, Introduction to Disclosure.

Material Changes

(1) Editorial changes have been made throughout to update IRM/statute/organizational references and terms. Web and citation references were added or updated to make the text easier to research in electronic media.

(2) IRM - Revised title to Program Scope and Objectives to properly reflect the information communicated in this subsection. Included important information to conform to the new internal and management control standards under the following titles:

  1. IRM, Background - Added information about the background of policies pertaining to Disclosures of Information.

  2. IRM, Authority - Added legal authorities governing Disclosures of Information.

  3. IRM, Roles and Responsibilities - This IRM is applicable for all IRS employees to help comply with disclosure provisions.

  4. IRM, Terms/Definitions/Acronyms - Compiled a list of frequently used terms and acronyms and their definitions regarding Disclosures of Information.

  5. IRM, Related Resources - Added related resources applicable to the Disclosure process.

All other subsequent subsections were renumbered accordingly.

(3) IRM was renamed Disclosure Code, Authority and Procedure (CAP). New (1) and (2) added to this section, and information from prior IRM Introduction was incorporated into (3), (4) and (5) of this section.

(4) Items a) and b) were removed from (2) of IRM Items a) through g) updated and/or added to (3) of this section to capture some of the disclosure topics available on the Disclosure and Privacy Knowledge Base.

(5) Removed hours of operation of the Disclosure Help Desk in IRM Updated (3) of this section to reference the IRS.gov website as applicable as a resource for external callers. Also added Note to this paragraph to provide reference to the IRS Freedom of Information website. Added link to the TIGTA Office locations in (5) of this section.

(6) Added information in IRM to reference the Disclosure and Privacy Knowledge Base and the Disclosure Help Desk as IRS employee resources.

(7) Reorganized the paragraphs in IRM for clarity, no changes were made to the information in this section.

(8) Added new IRM, Safeguarding Sensitive But Unclassified (SBU), Personally Identifiable Information (PII) and Other Sensitive Information, to provide guidance on protecting sensitive information. All other subsequent sections were renumbered accordingly.

(9) Added new IRM, Federal Tax Information Guidelines in IRS Training Programs, to provide guidance on the use of tax or other sensitive data in training materials and during group meetings. All other subsequent sections were renumbered accordingly.

(10) Updated IRM to reference the CAP process introduced in IRM as well as provide distinction between unauthorized disclosures handled by TIGTA and those handled by IRS management. Added new (2) to this section to state that disclosure prohibitions apply to IRS employees, former employees, contractors, state employees and others mentioned in IRC §7213(a)(2). Also, added new (3) to this section to discuss the reporting procedures for non willful disclosures and added a new (4) to this section to capture the IRC §6103(e)(11) provisions.

(11) Added note to IRM to state that Criminal Penalty provisions apply to IRS employees, former employees, contractors, state employees and others mentioned in IRC §7213(a)(2).

(12) Added information in (2) of IRM to include a link to the TIGTA Office locations. Also updated Note in (3) to reference the Computer Security Incident Response Center (CSIRC). Added new (4) to this section to provide guidance on the use of Form 11377, Taxpayer Data Access. Subsequent paragraph was renumbered accordingly.

(13) Added Note to IRM and moved the §6103(l) examples in that paragraph to the note as well as added additional types of disclosures under §6103(l) that have re-disclosure provisions.

(14) Added reference to the FOIA/PA Delegation Order (located in IRM 11.3.13-1) to paragraph (2) of IRM

(15) Updated title of IRM to Facsimile (FAX), Electronic Facsimile (E-FAX) and IRS Internal Enterprise Electronic Facsimile (EEFAX) Transmission of Tax Information. Also updated information in this section to match the current IT policy on Fax, e-fax and EEfax transmissions of tax information. New paragraphs added to discuss the e-fax and EEfax processes.

(16) Updated (4) in IRM to provide guidance on "Take Your Children to Work Day" activities.

(17) Added new (5) and (6) to IRM to provide guidance on personal use of government technology and use of personally owned IT equipment.

(18) Removed (1) or IRM since this IRM guidance no longer exists. Updated (2) to clarify the voice mail system policy.

(19) Updated (1) in IRM, Electronic Mail and Secure Messaging, to remove items a) through e). Added new (2) through (9) to provide additional guidance on transmission of information through electronic mail.

(20) Added new section, Cellular Telephone Use, to provide guidance on use of cellular phones for government business.

(21) Removed Exhibit 11.3.1-1, Notice 129, and Exhibit 11.3.1-2, Notice 129A, since these are published notices found in the catalog and do not need to be included as a separate exhibit. All references to these exhibits were updated to link to the published Notice, as applicable.

Effect on Other Documents

This material supersedes 11.3.1, Disclosure of Official Information, Introduction to Disclosure, dated March 29, 2011.


All Operating Divisions and Functions.

Effective Date


Related Resources

The Disclosure and Privacy Knowledge Base can be found at: https://portal.ds.irsnet.gov/sites/vl003/pages/default.aspx.

Phyllis T. Grimes
Director, Governmental Liaison, Disclosure and Safeguards

Program Scope and Objectives

  1. The Disclosure program provides oversight of servicewide Disclosure policy, including guidance in administering the Freedom of Information Act (FOIA), Privacy Act (PA), and Internal Revenue Code (IRC) section (§) 6103.

  2. Purpose: This IRM provides an introduction to the Disclosure program and provides a general overview of every IRS employee’s responsibility to protect confidentiality of records and information entrusted to the IRS.

  3. Audience: These procedures and guidance apply to all IRS employees and contractors.

  4. Policy Owner: The Disclosure office, under Governmental Liaison, Disclosure and Safeguards (GLDS) is responsible for oversight of Disclosure policy.

  5. Program Owner: The GLDS office, under Privacy, Governmental Liaison and Disclosure (PGLD) is the program office responsible for oversight of the servicewide Disclosure policy.

  6. Primary Stakeholders: All IRS business units and functions, state tax agencies and federal agencies that receive tax returns and return information, external individuals and organizations that request IRS records, the Treasury Inspector General for Tax Administration (TIGTA) and Congress.


  1. Every IRS employee, contractor and stakeholder who has access to tax returns, return information, personally identifiable information (PII) and sensitive but unclassified information (SBU) is responsible to protect it from unauthorized access, use or disclosure. Likewise, every person has a responsibility to know when a disclosure is authorized. This is a basic tenant of tax administration. This IRM section provides an overview and basic introduction to disclosure.


  1. The primary law governing the authority for disclosure of federal tax information is 26 USC §6103, commonly referred to as the Internal Revenue Code §6103.IRC 6103(a) establishes the confidentiality of returns and return information and prohibits any disclosure not authorized by the Code.

  2. In addition, the following laws set forth other federal disclosure legal requirements, rules and related statutes at the IRS. These laws relating to IRS disclosure or non-disclosure of tax and other PII are codified at 5 USC §§552 (Freedom of Information Act) and 552a (Privacy Act); 26 USC §§6104, 6105, 6110, 7213; 7213A, 7217, 7431, and 18 USC §1905.

    1. Administrative Procedure Act of June 11, 1946, Ch. 324, 60 Stat. 237;

    2. Budget and Accounting Procedures Act of 1950, Pub. L. No. 80-784 (September 12, 1950);

    3. Electronic Freedom of Information Act Amendments of 1996, Pub. L. No. 104-231 (October 2, 1996);

    4. Federal Records Act of 1950, Act of June 30, 1949, Ch. 288, Title V, 64 Stat. 583, which requires, among other things, that the head of each federal agency establish and maintain an active, continuing program for the economical and efficient management of agency records;

    5. Federal Records Management Amendments of 1976, Pub. L. No. 94-575 (October 21, 1976);

    6. Freedom of Information Act, Pub. L. No. 89-487 (July 4, 1966) (as amended);

    7. Government Paperwork Elimination Act, Pub. L. No. 105-277 (Division C) (October 21, 1998);

    8. Information Technology Management Reform Act of 1996, Pub. L. No. 104-106 (Division E) (February 10, 1996);

    9. National Archives and Records Administration (NARA) Act of 1984, Pub. L. No. 98-497 (October 19, 1984);

    10. Paperwork Reduction Act of 1980, Pub. L. No. 96-511 (December 11, 1980) (as amended);

    11. Paperwork Reduction Act of 1995, Pub. L. No. 104-13 (May 22, 1995);

    12. Paperwork Reduction Reauthorization Act of 1986, Pub. L. No. 104-13 (October 18, 1986) (as amended);

    13. Privacy Act of 1974, Pub. L. No. 93-579 (December 31, 1974) (as amended);

    14. Records Disposal Act of 1943, Act of July 7, 1943, Ch. 192, 57 Stat. 380 (as amended);

    15. Tax Reform Act of 1976, Pub. L. No. 94-455 (October 4, 1976) (as amended), providing for punishment by imprisonment, fine or both of IRS employees and contractors who disclose tax information to unauthorized individuals or who access tax information in an unauthorized fashion; and

    16. Act of June 25, 1948, Ch. 645, §1, 62 Stat. 795 (as amended), which prohibits the concealment, removal, or mutilation of federal records and punishes same by fine or imprisonment or both, and which is set forth at 18 USC §2071. See also 18 USC §§641, 793-794, 798, and 952.

  3. Other provisions which govern the disclosure of information include:

    • Code sections which provide the IRS with authority

    • Congressional Acts which outline additional authorities and responsibilities

    • Delegation Orders and re-delegations of authority

    • Policy Statements that provide authority for the work being done, and

    • Court cases or other Constitutional obligations which require certain disclosures of information. (i.e. Brady v. Maryland, 373 U.S. 83 (1963), Jencks Act 18 USC 3500.) See IRM 11.3.35, Requests and Demands for Testimony and Production of Documents for additional information.

Roles and Responsibilities

  1. This IRM is used by all IRS employees and contractors to help comply with the disclosure provisions of IRC 6103 and the related statutes pertaining to disclosure of federal tax returns and return information, which may include PII.

  2. The Director, GLDS is responsible for executive oversight and direction of the Disclosure program.

  3. The Associate Director, Disclosure is responsible for the oversight and management of Disclosure policy, program operations, case processing, project management and program development.

  4. The Deputy Associate Directors, Disclosure East and West are responsible for the oversight and management of the field disclosure offices and managers.

  5. The Disclosure Manager, Disclosure Policy and Program Operations (PPO), is responsible for day to day oversight and supervision over Senior Disclosure Analysts and Government Information Specialists who develop and implement disclosure policy, projects, guidance and awareness products.

  6. The Disclosure Managers, Disclosure Area Operations are responsible for the day to day oversight of case and program work of the field disclosure offices, including front-line supervision of Tax Law Specialists, Senior Disclosure Specialists, Disclosure Specialists and Disclosure Assistants.

  7. The Disclosure Centralized Processing Unit is responsible for accurately creating cases based upon information requested by taxpayers and agencies in order to provide the best foundation possible to support the Disclosure function.


  1. The tables below list commonly used terms, definitions and acronyms used throughout this IRM Section.


    Term Definition
    Disclosure The making known to any person in any manner whatever a return or return information. See IRC 6103(b)(2) for the statutory definition of disclosure.
    Personally Identifiable Information Any information: (1) that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
    Return Any tax or information return, declaration of estimated tax, or claim for refund required by, or provided for or permitted under, the provisions of title 6103 which is filed with the Secretary by, on behalf of, or with respect to any person, and any amendment or supplement thereto, including supporting schedules, attachments, or lists which are supplemental to, or part of, the return so filed. See IRC 6103(b) for additional information.
    Return Information The definition of Return Information is very broad and includes such things as a taxpayer's identity, the nature, source, or amount of his income, payments, receipts, deductions, exemptions, credits, assets, liabilities, net worth, tax liability, tax withheld, deficiencies, overassessments, or tax payments; whether the taxpayer’s return is subject to collection, examination, investigation, or any other actions taken by the Secretary with respect to Federal filing requirements. See IRC 6103(b)(2) for the statutory definition of return information.
    Sensitive But Unclassified Any information which if lost, stolen, misused, or accessed or altered without proper authorization, may adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under the Privacy Act.



    Acronym Definition
    BYOD Bring Your Own Device
    CAF Centralized Authorization File
    CAP Code, Authority and Procedure
    CFR Code of Federal Regulations
    CSIRC Computer Security Incident Response Center
    DAS Discriminant Analysis System
    DIF Discriminant Index Function
    E-FAX Electronic Facsimile
    EEFAX Enterprise Electronic Facsimile
    FAX Facsimile
    FMSS Facilities and Security Services
    FOIA Freedom of Information Act
    GLDS Governmental Liaison, Disclosure and Safeguards
    GRS General Records Schedules, Document 12829
    IDRS Integrated Data Retrieval System
    IRC Internal Revenue Code
    IT Information Technology
    NARA National Archives and Records Administration
    OGE Office of Government Ethics
    OSC Office of Special Counsel
    PA Privacy Act
    PGLD Privacy, Governmental Liaison and Disclosure
    PII Personally Identifiable Information
    POA Power of Attorney
    PPO Policy and Program Operations, Disclosure
    RCS IRS Records Control Schedules, Document 12990
    RIM Records and Information Management
    SBU Sensitive But Unclassified
    SERFE Selection of Exempt Returns for Examination
    TEGE Tax Exempt Government Entities
    TIA Tax Information Authorization
    TIGTA Treasury Inspector General for Tax Administration
    TIN Taxpayer Identification Number
    UIDIF Underreported Income DIF
    USC United States Code
    VMS Voice Messaging System


Related Resources

  1. Sources of guidance on disclosures of official information may also be found at these related resources:

    • IRM 11.3 series, Disclosure of Official Information

    • Disclosure and Privacy Knowledge Base

    • Disclosure Basics: using the CAP process

    • Document 6986, Disclosure Awareness Guide

Disclosure Code, Authority and Procedure (CAP)

  1. A disclosure is the making known to any person in any manner whatever, a return or return information. IRC 6103 governs the rules for how, when, to whom and what federal tax information can or cannot be disclosed.

  2. Before making any disclosure every IRS employee must consider the Code-Authority-Procedure (CAP) process. Using a combination of the Code (usually the Internal Revenue Code), Authority (such as Delegation Order 11-2, found in IRM, and other authorizations), and Procedures (contained in the IRM and other written guidance) ensures accurate determinations prior to disclosing, inspecting or recommending the release of IRS records.

    1. Code: The Internal Revenue Code (26 USC §6103) provides the statutory basis for prohibiting or allowing disclosure of returns or return information.

    2. Authority: The authority, generally established by Delegation Orders, lists the IRS officials with the authority to make the disclosure (or decision not to disclose). This includes:

      • Authorization to release and receive the information

      • Authentication of the recipient

      • Acceptance of information and any obligation placed on the recipient to protect the information disclosed

      • Access controls - i.e. "need to know"

    3. Procedures: Established written procedures (in the IRM or other guidance) that explain the business process to follow for making a disclosure, and when required accounting for that disclosure. Procedures should help mitigate risks and prevent unauthorized disclosures.

  3. Each of us in the IRS is affected by laws governing the confidentiality of records and information in performing our assigned duties. Using the CAP process, we determine what information is confidential, who may have access to it and for what purposes, and how we must account for its release. Using the CAP process, we also determine what information must be made public and, if so, whether the information must be published, made generally available, or made available only upon request. Additionally, the CAP process helps us determine how we restrict the types of personal information we may gather and maintain about individuals, and grant certain individuals the rights to inspect and amend records about themselves.

  4. The disclosure laws are principally composed of certain sections of the IRC, (especially IRC §6103, IRC §6104, IRC §6105, IRC §6110, IRC §7213, IRC §7213A, and IRC §7431. It also includes the Freedom of Information Act (5 USC §552) and the Privacy Act (5 USC §552a). Disclosure laws balance the competing interests of protecting the public's personal and financial privacy while maintaining open and effective administration of government.

  5. This IRM provides the instructions, guidelines, and procedures necessary to fulfill our obligations under the disclosure laws.

Disclosure Research Tools

  1. There are various web-based products available for both Disclosure personnel and all IRS employees that are useful in either responding to disclosure technical inquiries and in understanding their disclosure responsibilities.

  2. The tools available for Disclosure personnel can be found on the Disclosure home page on Share Point.

  3. The tools available to assist other IRS employees in understanding and applying their disclosure responsibilities are found on the Disclosure web page in the Disclosure and Privacy Knowledge Base. Examples of disclosure topics that are available:

    1. Access and Authentication

    2. Power of Attorney (POA) and Tax Information Authorization (TIA)

    3. Risks at Work

    4. Unique Situations

    5. Respond Directly

    6. FOIA and Privacy Act

    7. Disclosure contacts, including the Disclosure Help Desk

Disclosure Help Desk for IRS Employees

  1. Disclosure personnel operate an internal toll-free site to assist IRS employees in understanding their disclosure responsibilities and in answering their disclosure related questions.

  2. Disclosure related questions should be referred to the Disclosure Help Desk at 1-866-591-0860.

  3. The Disclosure Help Desk is for IRS EMPLOYEES ONLY. IRS employees should first research their functional IRM regarding disclosure issues. IRS employees may also direct external callers to the IRS website at https://www.irs.gov/.


    For FOIA inquiries, refer the public to the IRS Freedom of Information irs.gov website. This website includes mailing addresses and contact information to the FOIA Public Liaisons.

  4. If a Disclosure employee receives a call from the outside and the caller is abusive, it should be noted that we should not be subjected to this type of behavior. Take the following steps when dealing with an abusive caller:

    1. Remain calm and listen effectively and courteously.

    2. Explain that this phone line is intended for IRS employees and, if not a disclosure question, offer to refer the caller to the proper function.

    3. Respond to any disclosure related questions from the caller.

    4. If the abusive language persists, advise the caller that you will end the call if the abuse continues.

    5. If you need to terminate the call, be sure to advise the caller that you are doing so prior to hanging up.

    6. Advise your manager of the circumstances of the call and note this in your call log.

  5. If you receive a threat during the call, obtain as much information as possible such as the following:

    • the caller’s name and location

    • Taxpayer Identification Number (TIN)

    • time of the call and

    • any statements made by the caller

    Then, report the contact to TIGTA. TIGTA Office locations can be found at the Treasury Inspector General for Tax Administration web page.

Requests for Advice or Legal Opinions on Disclosure Matters

  1. The Office of Governmental Liaison, Disclosure and Safeguards (GLDS) is responsible for the IRS Disclosure program. To meet this responsibility, GLDS personnel must be kept informed of the problems and questions that the various IRS functions encounter. IRS employees can find many disclosure resources on the Disclosure and Privacy Knowledge Base. If an IRS employee still has a disclosure question they can contact the Disclosure Help Desk for advice on disclosure matters. See IRM, Disclosure Research Tools, and IRM, Disclosure Help Desk for IRS Employees.

  2. Disclosure personnel will often respond to such inquiries directly since many of the questions raised are either procedural in nature or involve legal issues that have already been addressed by the Office of Associate Chief Counsel (Procedure and Administration). Disclosure personnel needing assistance on technical disclosure matters should seek assistance, through appropriate channels and procedures, from the staff of the Disclosure Policy and Program Operations (PPO) office.

  3. Disclosure will refer issues that require legal advice to the Office of Associate Chief Counsel (Procedure and Administration) using agreed upon procedures and will provide guidance to the requester after receiving advice from Counsel.

Safeguarding and Disposing of Tax Returns, Return Information, and Other Confidential Records

  1. In its administration of federal tax laws, the IRS receives, collects, and maintains vast amounts of personal and financial information. All IRS officials and employees must be aware of information that must be protected, how to protect it, and how to dispose of, or destroy, the information when it is no longer required. Proper destruction of protected records is an important step in the prevention of unauthorized disclosures that could occur when protected records are merely discarded.

  2. Document 12990, IRS Records Control Schedules (RCS), provides the National Archives and Records Administration (NARA) approved disposal authorizations for records accumulated by organizations/business units within IRS.

  3. Document 12829, General Records Schedules (GRS), provides the NARA issued disposal authorizations for temporary administrative records common to all federal agencies.

  4. IRM 1.15.2, Records and Information Management: Types of Records and Their Life Cycle, and IRM 10.2.1, Physical Security Program - Physical Security, provide specific guidelines and procedures for safeguarding and disposing of protected records.

  5. IRC §6103(a) prohibits unauthorized disclosure of tax returns and return information. In addition to criminal and civil sanctions under IRC §7213, IRC §7213A, and IRC §7431, other statutes also prohibit unauthorized disclosure. Title 18 USC §1905 prohibits unauthorized disclosure of certain types of confidential financial and commercial information. The Privacy Act, 5 USC §552a, prohibits unauthorized disclosures of information from systems of records pertaining to individuals.

Safeguarding Sensitive But Unclassified (SBU), Personally Identifiable Information (PII) and Other Sensitive Information

  1. IRS employees are required to ensure that sensitive information is protected from unauthorized disclosure and access. This includes returns and return information but also includes other non-tax information, documents, records and processes.

  2. Definitions:

    1. Personally Identifiable Information (PII) – See IRM and IRM

    2. Sensitive But Unclassified (SBU) – See IRM

    3. Safeguarding – Any administrative, technical or physical system, process, act or action taken to reduce the risk of improper disclosure of information through its entire life cycle. Establishing proper safeguards are necessary to protect individuals, taxpayers and the IRS from reasonable anticipated threats of unauthorized access, alteration or disclosure.

    4. Safeguarding PII – Under the Privacy Act (5 USC §552a(e)(10)), all federal agencies are required to establish safeguards that insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.

    5. Safeguarding Returns and Return Information - IRC §6103(p)(4) contains safeguarding requirements for external recipients, such as federal and state agencies, receiving returns and return information under certain provisions of section 6103. The responsibility for oversight of IRC §6103(p)(4) safeguarding requirements is under the Office of Safeguards, GLDS.


      See Pub 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, and IRM 11.3.36, Safeguard Review Program, for additional information.

Federal Tax Information Guidelines in IRS Training Programs

  1. IRS training programs are an essential part of tax administration. Training materials are available to the public so the IRS must ensure no PII, including tax returns or return information, is included when developing and publishing these documents.

  2. Use of taxpayer data also raises issues about compliance with the IRS Taxpayer Bill of Rights. While IRC §6103(h)(1) authorizes IRS and Treasury employees to access and disclose returns and return information in performing tax administration duties (including training), taxpayers generally have an expectation of privacy that their information will not be disclosed in a classroom setting solely for training purposes. See IRM 11.3.22, Disclosure to Federal Officers and Employees for Tax Administration Purposes, for additional information on IRC §6103(h)(1).

  3. When training material includes returns or return information, this increases the risk of an unauthorized disclosure and may subject the IRS to civil damages for unauthorized disclosure actions. This may also subject employees to criminal prosecution and penalties under IRC §7213 or IRC §7213A, and disciplinary actions up to and including termination of employment.

  4. All content containing names, identification numbers, addresses or other details that could appear to represent real taxpayer information must be entirely fictional. Removing taxpayer identifiers does not change the character of the remaining information as it is still tax information (see IRM, Use of Tax Returns in Training Material).

  5. Difficulty of creating fictional examples to illustrate training points should not be a consideration in justifying the use of federal tax information or PII.

  6. Each IRS business unit may establish policies on the use of taxpayer information in its training documents. This may create vulnerabilities and increase the potential for unauthorized disclosures. Because training documents are available to the public, the business unit will assume the risk of any unauthorized disclosure and also assume the responsibility for identifying any PII subject to redaction prior to publishing.

  7. Employee publications and technical updates may cite publicly available tax information from public sources, such as news releases or articles. However, those employee publications must provide the source of the tax information and attribute the released information to the public source document.

  8. On occasion, and only in conjunction with an official tax administration purpose, employees may need to discuss actual taxpayer cases they are working with other employees. These discussions may occur in the context of a group meeting. While these meetings are not formal training, the official “need to know” standard under IRC §6103(h)(1) applies for disclosure of return information to other employees. The "need to know" standard is not a cannot function without it test; rather, it is a question of whether the employee can perform the duties more efficiently, more accurately, and/or more timely with the information than without it. In general, employees only have a “need to know” for return information of taxpayers assigned to them. Employees may disclose limited return information in these meetings when the purpose is to solicit input from group members to resolve relevant tax issues or to ensure consistent treatment of the same issue in other cases. To the extent possible, the information disclosed should not include taxpayer identifying information and should be limited to only those facts of the case that are necessary to obtain the desired purpose. See IRM 11.3.22, Disclosure to Federal Officers and Employees for Tax Administration Purposes, for additional information on "need to know."

Unauthorized Access and Disclosures of Returns or Return Information

  1. IRC §6103(a) prohibits the disclosure of returns and return information unless authorized by one of its subsections. Although a disclosure may be authorized by statute, the person making the disclosure must also have the authority and follow the proper procedures or the disclosure is not authorized. See IRM, Disclosure Code, Authority and Procedure (CAP). An unauthorized disclosure may be inadvertent or intentional. An unauthorized access or disclosure is willful when it is done voluntarily and intentionally with full knowledge that it is wrong. Intentional (or willful) unauthorized disclosures carry severe penalties. TIGTA is responsible for investigating and recommending for prosecution all intentional unauthorized disclosures. IRS management is responsible for investigating and addressing inadvertent unauthorized disclosures.

  2. The prohibitions against unauthorized access and disclosures of returns and/or return information apply to current and former IRS employees and also pertain to contractors, as well as former IRS employees, employees of other federal and state agencies and others mentioned in IRC §7213(a)(2).

  3. Unauthorized disclosures where no willfulness is involved are not willful and are therefore excepted from the TIGTA reporting procedures. Employees must follow the procedures in IRM, Inadvertent Unauthorized Disclosures and Losses or Thefts of IT Assets and Hardcopy Records/Documents, to report violations of this nature.

  4. IRC §6103(e)(11) authorizes the Department of Treasury to disclose certain information to a taxpayer when that taxpayer provides information alleging an unauthorized inspection or disclosure of the taxpayer’s return or return information. See IRM, Unauthorized Disclosure Investigations.

Criminal Penalties Under IRC §7213

  1. IRC §7213 makes the willful unauthorized disclosure of a return or return information a felony punishable by a fine of up to $5,000, or imprisonment of not more than 5 years, or both, together with the costs of prosecution.


    The prohibitions against unauthorized disclosures of returns and/or return information apply to all current and former IRS employees and also pertain to contractors, as well as former IRS employees, employees of other federal and state agencies and others mentioned in IRC §7213(a)(2).

  2. Upon conviction, officers or federal employees, including Treasury and IRS employees will also be dismissed from office or discharged from employment.


    IRC §7213 also covers willful disclosures of software source code data protected by IRC §7612.

Criminal Penalties Under IRC §7213A

  1. IRC §7213A makes unauthorized access to returns or return information a misdemeanor punishable by a fine of up to $1,000, or imprisonment of not more than one year, or both, together with the costs of prosecution.

  2. Upon conviction, officers or employees of the United States will also be dismissed from office or discharged from employment.

Criminal Penalties Under IRC §7217

  1. IRC §7217 prohibits Executive Branch influence over taxpayer audits and other investigations.

  2. IRC §7217 applies to:

    1. the President,

    2. any employee of the Executive Office of the President,

    3. the Vice President,

    4. any employee of the Executive Office of the Vice President, and

    5. any person (other than the Attorney General of the United States) serving in a position specified in 5 USC §5312 (generally, cabinet positions).

  3. It is unlawful for any person described in (2) above to directly or indirectly request any officer or employee of the IRS to conduct or terminate any audit or other investigation of any particular taxpayer with respect to the tax liability of such taxpayer.


    Requests for information accompanied with a consent pursuant to IRC §6103(c), by the Secretary of Treasury as a result of a change in tax policy, or by an applicable person (see (2) above), if such a request is in accordance with the requirements of IRC §6103, do not fall under IRC §7217.

  4. Willful violation of IRC §7217 is punishable, upon conviction, by a fine in any amount not exceeding $5,000, or imprisonment of not more than 5 years, or both, together with the costs of prosecution.

  5. IRC §7217 requires that any officer or employee of the IRS receiving any request prohibited by IRC §7217 shall report the receipt of such request to the Treasury Inspector General for Tax Administration (TIGTA). Failure to do so is a felony subject to the sanctions in (4) above.

Civil Liability Under IRC §7431

  1. In addition to the criminal penalties imposed on individuals by IRC §7213 and IRC §7213A, Congress established a civil remedy for any taxpayer whose return or return information is unlawfully inspected or disclosed.

  2. IRC §7431 provides that where a federal officer or employee knowingly or negligently inspects or discloses a taxpayer's return or return information in violation of IRC §6103, the taxpayer may bring a civil action for damages against the United States.

  3. Non-Federal employees, including state agency employees and contractors with access to return information, may be sued personally for damages under IRC §7431, if they violate IRC §6103.

  4. No liability shall arise under IRC §7431 where the disclosure was the result of a good faith, but erroneous, interpretation of IRC §6103, or was requested by the taxpayer.

Reporting Unauthorized Accesses or Disclosures

  1. For a discussion of the rules concerning unauthorized accesses or disclosures of confidential tax information, see IRM 10.5.4, Privacy and Information Protection, Incident Management Program.

  2. Indications of willful (voluntarily and intentional with full knowledge of wrongdoing) unauthorized accesses or disclosures of returns or return information must be reported to TIGTA. Field employees should report these matters to the local TIGTA office. Washington, D.C., metro area employees should report these matters to TIGTA's main office. TIGTA Office locations can be found at the Treasury Inspector General for Tax Administration web page. See IRM for additional information.

  3. Unauthorized disclosures where no willfulness is involved are not willful and are therefore excepted from the above TIGTA reporting procedures. Employees must follow the procedures in IRM, Inadvertent Unauthorized Disclosures and Losses or Thefts of IT Assets and Hardcopy Records/Documents, to report violations of this nature.


    Mail sent to an address of record but opened by a third party is not an unauthorized disclosure. Disclosures resulting from machine malfunctions, such as mail stuffing errors, are not required to be reported. Nonetheless, these disclosures should be brought to the attention of the reporting employee’s immediate supervisor who should take appropriate action to address the issue. Reports of loss or theft of government property including laptop computers are to be reported in accordance with the guidance issued by Information Technology through the Computer Security Incident Response Center (CSIRC) found at: https://www.csirc.web.irs.gov/about/contact.html. They are not to be reported to Disclosure. See IRM and IRM for additional information.

  4. Inadvertent accesses of taxpayer information are reported on the hard copy Form 11377, Taxpayer Data Access, or the fillable Form 11377-E, Taxpayer Data Access. See IRM, Inadvertent Accesses of Taxpayer Information.

  5. Generally, employees commit inadvertent disclosure errors once (e.g., because of a misunderstanding of rules or procedures), and no further corrective action is necessary once the employee and the manager discuss the matter. Occasionally errors are repeated by the same employee or are serious enough even in one incident to warrant corrective action. When a manager thinks corrective action is necessary, he or she should consult the Labor Relations staff to determine if conduct or performance action is appropriate. If the manager believes an unauthorized disclosure is willful or deliberate, he or she should report it to TIGTA.

Notice to Recipients of Returns or Return Information

  1. Generally, persons or agencies to whom IRS directly discloses returns or return information pursuant to IRC §6103 will be informed in writing of the applicable criminal and civil sanctions for unauthorized inspections or disclosures as provided by IRC §7213, IRC §7213A, and IRC §7431. This may be accomplished by the use of Notice 129. If the use of Notice 129 is not practical, insert text equivalent to Notice 129 in the response, fax cover sheet or transmittal letter to the requester.

  2. Notice 129A (as revised) should be affixed to each magnetic media provided. With the migration to a secure electronic transmittal of this information, Notice 129A cannot currently be embedded in the electronic control file. Agencies receiving these transmittals have been previously notified of the content of the Notice 129A and are subject to on-going safeguard reviews that verify the agency's compliance with the disclosure laws and statutes discussed in the Notice.

  3. Notices are not necessary for disclosures under IRC §6103(h)(1), IRC §6103(h)(6), IRC §6103(k)(6), or to congressional committees.

  4. Some recipients of returns or return information who are covered by IRC §6103(a) do not receive the information directly from the IRS. Instead they receive the information from other Federal agencies that have the authority to make a re-disclosure . The IRS will not be able to provide notices to these recipients. Instead, the IRS in its initial dealings with the recipient agency and in its written agreements, includes cautions for dissemination of confidential tax information.


    IRC §6103(I)(6) or IRC §6103(I)(10) disclosures to state or local child support enforcement agencies that receive information through the Health and Human Services Office of Child Support Enforcement, IRC §6103(l)(7) and (l)(8) authorize the Social Security Administration to disclose wage and earning records to administer federal benefit programs or IRC §6103(I)(12) disclosures to employees and officers of qualified employers or groups health plans from the Centers for Medicare & Medicaid Services. All of these provisions are covered by IRC §6103(p)(4) safeguards and compliance with Pub 1075.

Authority to Make Disclosures

  1. The latest revision of Delegation Order 11-2, Authority to Permit Disclosure of Tax Information and to Permit Testimony or the Production of Documents, found in IRM, should be used to determine proper delegated authority. Additionally, local or function specific re-delegations of 11-2 authority should be consulted.

  2. Delegation of authority to respond to Freedom of Information Act and Privacy Act requests is issued by the Director, GLDS. See IRM Exhibit 11.3.13-1, FOIA/PA Delegation Order, for additional information.

Records Disposition For Disclosure

  1. Records and files, created or maintained in the administration and execution of the disclosure program, must be disposed of in accordance with applicable legal and administrative requirements. IRM for information about IRS-wide records management issues.

  2. Records or files must never be destroyed while they are the subject of a pending request, appeal, or lawsuit under 5 USC §552 (FOIA), notwithstanding applicable disposition schedules.

  3. IRM 1.15.1, Records and Information Management; The Records and Information Management Program, provides instructions for the management of records in the IRS. Records Management also requires that all records be retained and disposed of in accordance with established Records Control Schedules.

  4. Records created within, or for, the Disclosure function derive their retention periods from National Archives and Records Administration General Records Schedule 14 (See Document 12990) or approved authorizations from the IRS Records Analyst or Archivist of the United States.

  5. The GLDS Records Control Schedule contains records control schedules for Disclosure specific records and should be consulted as needed.

  6. All non-record copies or reference materials may be destroyed when no longer needed.

  7. Disposition instructions must be requested from the Director, GLDS, and cleared through the Records Analyst for any item that is not included in the schedule.

  8. Any item that has historical significance must be scheduled for offer to the National Archives and Records Administration. Disposition instructions will be issued on a case by case basis for records believed to have historical significance after approval of written justification for permanent retention. Forward such written justification to the Director, GLDS, who will clear it through the Records Analyst of the IRS before disposition instructions are issued.

Facsimile (FAX), Electronic Facsimile (E-FAX), and IRS Internal Enterprise Electronic Facsimile (EEFAX) Transmission of Tax Information

  1. Faxing and/or e-faxing of tax information to other IRS offices, or to taxpayers and/or their authorized representatives within the United States, U.S. possessions, commonwealths, and territories, is permitted consistent with existing internal rules. See IRM, Information Technology (IT) Security Policy and Guidance, Facsimile and Facsimile Devices, which sets forth overall facsimile and facsimile devices policy and contains several clarifying examples.

  2. Facsimile transmission of sensitive but unclassified (SBU) material (including tax information) to foreign countries is governed by the Department of State. If operational requirements demand that SBU information be sent by unclassified fax to overseas locations, the originator must carefully review the document and comply with all requirements. The transmission of SBU information must be restricted to the conduct of official U.S. business. The custodian of the information must ensure that the recipient’s facsimile phone number is correct, that the recipient is authorized to receive the information, and when faxed to a number outside U.S. Government control, that the recipient is present to receive the information.

  3. The legal authority for permitting facsimile transmission of tax information is consistent with that which allows for the telephonic disclosures of tax information and the mailing of tax information. However, since faxing presents more security vulnerabilities, careful consideration of all IRC §6103 requirements is especially important. Information shall be disclosed only in accordance with the Internal Revenue Code.

  4. Faxing or e-faxing of tax or Privacy Act information should be used only in those situations where the authorized recipient has approved use of the faxing method for the information involved.

  5. The facts and circumstances of each case should be considered prior to making a disclosure via facsimile transmission.

  6. Careful consideration should be given to accepting faxed return information in conjunction with examination activity, collection activity, and criminal investigations. Employees must consider and evaluate the need to examine original documents as opposed to faxed copies.

  7. Issues concerning the acceptance of a faxed return, document, signature, etc., as opposed to obtaining the original, must be addressed individually. See IRM, Customer Account Services, Use of Fax for Taxpayer Submissions. In situations concerning the legality of accepting a fax in lieu of original documents, assistance and guidance of Counsel should be sought.

  8. Each office establishing formal guidelines for faxing should address the potential need for a paper trail, such as a centralized log. Logs should be maintained based upon local office need; however, all applicable statutory requirements must be met.

  9. Procedures for facsimile transmissions of tax information to taxpayers and their authorized representatives include:

    1. Obtaining the requester's identity and verifying the requester's entitlement to receive the requested information consistent with established program requirements. Information will be faxed only if the taxpayer or authorized representative has approved the use of fax. Requesters should also be informed of the security limitations inherent in the use of the fax. If the fax number for the taxpayer is a fax machine not situated at the location of the taxpayer/representative, see (h) below. For electronic fax (e-fax) guidance see paragraph (11) below.

    2. Obtain specific information concerning the nature of the inquiry, such as the type of tax involved and the tax period(s) covered.

    3. If someone other than the taxpayer calls, identify the caller and his or her capacity in acting on behalf of the taxpayer.

    4. Prior to faxing any tax information to a taxpayer’s representative, first determine whether that person has a valid disclosure authorization on file with the IRS. A disclosure authorization could be a formal Power of Attorney (POA) on Form 2848, Power of Attorney and Declaration of Representative, or a general written disclosure consent from the taxpayer. Form 8821, Tax Information Authorization (TIA), can be used for this purpose. When appropriate, an oral disclosure authorization (see IRM, Requirements for Verbal or Electronic Requests) may be used to permit faxing to authorized third parties. Disclosure authorizations must meet the requirements of IRC §6103(c) and 26 Code of Federal Regulations (CFR) §301.6103(c)-1, or the Conference and Practice Requirements. The same general rules apply to requests from individuals or attorneys-in-fact with a material interest under IRC §6103(e). Faxing tax information to/through a third party requires a reasonable expectation that the third party will have access to the faxed information.


      In response to whether an authorization can be verbal, the answer will depend upon circumstances and whether or not the third party will be assisting the taxpayer in resolving a tax matter or just receiving the fax on behalf of the taxpayer. A verbal authorization should not be accepted from a taxpayer to send tax information to a third party simply because the taxpayer will not be present to receive it or just for the convenience of the taxpayer. You cannot accept a verbal authorization to fax and provide tax information to a third party if that third party is not assisting the taxpayer in resolving a tax matter. Sending a transcript of account to a mortgage loan company for the purpose of securing a student loan is an example where written authorization is required. This is because the third party will not be assisting the taxpayer in resolving a tax matter. IRS may accept a verbal authorization from a taxpayer to fax tax information to a third party, if that third party can help the taxpayer resolve a tax matter. If the third party will be able to use the tax information to assist the taxpayer in resolving a collection or an examination issue, IRS can accept a verbal authorization from the taxpayer to fax this information to the third party. Functional guidance should be followed in documenting verbal authorization and the scope of that authorization.

    5. If there is not a valid disclosure authorization on file with the IRS, the caller should be requested to first provide this information. At this time, the IRS employee can ask the caller to include a fax number on the authorization. IRS procedures permit the acceptance of a faxed Power of Attorney or Tax Information Authorization form. Entry onto the Centralized Authorization File (CAF) may be appropriate.

    6. If there is a current and valid disclosure authorization on file with the IRS, the employee must determine whether the individual calling is the authorized recipient of record and whether the authorization covers the specific tax matter or issue. The CAF or the Integrated Data Retrieval System (IDRS) may be used by employees when making these determinations.

    7. Employees should determine the specific information required to properly respond to the caller’s question. Only pertinent tax information should be faxed.

    8. The caller’s fax number and the address where the information will be faxed should be obtained. This may provide another source for address information to assist in verifying the correctness of the disclosure authorization or may help to verify the taxpayer’s address of record. Case files should be properly documented to show where the tax information was faxed, who received it, and how receipt was acknowledged. If no history/documentation is kept as part of a particular program, then no notation is possible or needed. If case files are kept, functional management will determine the methodology that most makes sense. There is no intent to create additional files where they are not already a part of a program.


      The above procedures do not require taxpayers or other authorized third parties to stay on the telephone to acknowledge receipt of the fax. A copy of the fax confirmation sheet is sufficient and satisfies any documentation requirement.


      If any doubt exists as to the validity of the caller’s identity, entitlement, or intent, information should be mailed to the taxpayer’s address of record.

  10. Use of electronic facsimile for outgoing documents containing tax information.

    1. Today’s technological advances offer various options (capabilities/solutions) for faxing beyond the traditional standalone fax machine. This section addresses utilizing electronic faxing methods where tax information is transmitted from the IRS.

    2. Electronic facsimile (e-fax) is the general term used to describe computer based faxing and is widely utilized by taxpayers, tax professionals and other stakeholders. E-fax uses a combination of fax and internet applications to transmit a document to a receiving party. For purposes of this IRM section, we will use “e-fax” to refer to the electronic fax capabilities used by customers and stakeholders external to the IRS.

    3. E-fax services are available in several formats. Verify what type of e-fax service the taxpayer is using to determine if the taxpayer is required to fax a written consent. The list of e-fax solutions below is not all inclusive. For additional information see IRM, Using Electronic Fax Services.

      • The e-fax application may be a software program stored on the fax recipient’s computer. This program receives the fax transmission and converts it into a digital format.

      • The e-fax service may be software and/or hardware leased to the recipient. An e-fax service provider assigns a dedicated fax number to the fax recipient. Faxed information is transmitted directly to this number similar to the method in the first bullet above.

      • The e-fax service may be a third party serving as a conduit for the fax transmission. Using this method, the fax is transmitted from the sender, is processed through the third party e-fax service provider, and is delivered to the intended recipient via email or other means.


      When the IRS faxes tax information and the recipient uses a third party e-fax service provider, a written authorization designating the e-fax provider is required from the taxpayer. This written authorization is required, regardless of the faxing method used by the IRS.


      Sending a fax to the taxpayer’s cell phone, through an online fax service provider/third-party, requires written authorization.

    4. Enterprise Electronic Facsimile (EEfax) specifically refers to the electronic fax solution used by the IRS.

      • EEfax resides completely within the IRS firewall and provides electronic faxing capability for IRS employees.

      • The EEfax system converts electronic documents to a fax format and transmits the information over public telephone lines to fax recipients.

      • Faxed documents that the IRS receives are converted to an electronic format (PDF) that can be easily delivered and read by IRS employees using a standard email client.

      • EEfax does not use a third-party service provider and does not transmit documents over the internet.

      • The use of EEfax does not require the taxpayer’s written consent.


        If the fax recipient uses a third-party e-fax service provider and tax information is being transmitted from the IRS; then a written consent is required to authorize the e-fax service provider to receive the tax information.

      For additional information about EEfax, see Enterprise Electronic Fax (EEFAX).

    5. If the intended fax recipient (taxpayer, representative, third-party) states that he/she is using a third party e-fax service provider as defined in c) above, then a valid, written consent designating the e-fax service provider as a recipient of tax information is required. An oral consent cannot be accepted because the e-fax third-party service provider is not assisting in the resolution of a tax matter.

    • The taxpayer must execute the written consent. The Power of Attorney is not authorized to execute the written consent unless specifically authorized per IRM, Disclosure of Information, General Requirements for Disclosure to Designee.

    • The written consent must contain the required elements as described in IRM

    • If a Form 8821, Tax Information Authorization, is used to authorize the disclosure, a separate Form 8821 must be submitted naming the third-party e-fax service provider. For guidance refer to IRM, Nature of Tax Information Disclosed Under a Tax Information Authorization.

    • Form 2848, Power of Attorney and Declaration of Representative, cannot be used to authorize a third-party e-fax service provider as that entity cannot represent the taxpayer before the IRS.

    • If the taxpayer cannot provide a written consent, the information must be sent using an alternate delivery method, such as mailing or sending to a traditional fax machine.

  11. While faxed information is not sealed and little protection may be guaranteed at the receiving end, certain precautions are to be used to protect confidential tax information. At a minimum, a cover sheet, identifying the intended recipient of the information and the number of pages being faxed, must be used. (See Form 10321 , Fax Transmission Cover Sheet.) This cover sheet should not contain specific confidential information of the taxpayer other than name and phone number, assuming the fax is directed to the taxpayer. If faxing to an authorized third party, put the name of the third party on the cover sheet, not the taxpayer's name, TIN, or other confidential information. The information should be faxed in an order where the cover sheet will become the first page covering the faxed tax information.

  12. Use the following statement on all cover sheets:

    "This communication is intended for the sole use of the individual to whom it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this communication is not the intended recipient or the employee or agent for delivering the communication to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication may be strictly prohibited. If you have received this communication in error, please notify the sender immediately by telephone call and return the communication to the address above via the United States Postal Service. Thank you."

  13. IRS policy is that we accept collect calls in misdirected fax notifications. This is based on the fact that we must take reasonable steps to correct the error and get the faxed information to the correct party. Also, the number of misdirected fax situations should be few. Any perceived conflict with a general IRS policy about accepting collect calls can be mitigated by using a toll free number to report misdirected faxes.

  14. If an IRS employee receives a phone call notification regarding a misdirected fax and determines, after talking to the recipient, that the caller will properly destroy (e.g., shred) the misdirected information, the employee does not need to ask the recipient to return the information to the IRS. If the IRS employee is concerned that the unintended recipient may not properly destroy the faxed information, the employee may request that the information be mailed back to the IRS and take necessary steps for the Government to cover the costs of mailing.


    The IRS employee may take into consideration such matters as whether the unintended recipient brought the error in transmission to the attention of the IRS or whether the unintended recipient has a known relationship with the taxpayer whose information is in the faxed material.

  15. For the use of non-encrypted fax machines to transmit SBU information (including returns and return information) between IRS offices in the United States, see IRM, Information Technology (IT) Security Policy and Guidance, Facsimile and Facsimile Devices. This is permissible as long as the following physical security and management controls are used:

    1. Having a trusted staff member at both the sending and receiving fax machines, or having a locked room for the fax machine with custodial coverage over outgoing and incoming transmissions,

    2. Accurately maintaining broadcast lists and other preset numbers of frequent recipients of SBU data, and

    3. Including a cover sheet on fax transmissions that explicitly provides guidance to the recipient.

  16. IRS Fax machines should be secured at the end of the day.

Access by the Office of Government Ethics (OGE)

  1. The United States Office of Government Ethics (OGE) has no independent right of access to tax information under IRC §6103. OGE's statutory mandate is not tax administration.

  2. When IRS employees report ethics violations to the OGE, no tax information may be disclosed. OGE's authorizing statute recognizes that OGE will not have access to agency records prohibited from disclosure by law.

Relatives of IRS employees and Protecting Confidentiality

  1. Relatives of IRS employees have no right to access or receive confidential information based on their relationship to the IRS employee. Potential criminal and civil penalties under IRC §7213, IRC §7213A, IRC §7431, 5 USC §552, and 18 USC §1905, among others, could apply to such accesses/disclosure.

  2. When IRS employees bring confidential information home, all applicable security rules must be followed (e.g., Telework guidelines found in IRM 6.800.2, Telework (Flexiplace) Program).

  3. When IRS employees bring relatives (e.g., children) into their work environment, care must be exercised to ensure that the visitors are not exposed to confidential information verbally, on computer screens or in hard copy. It does not matter whether the visitors have an interest in the material or understand the technical work-related meaning of the information. During "Take Your Children to Work Day," children cannot have access to confidential information while parents explain their job or tour the work environment, etc. Even simple tasks such as photocopying could involve inappropriate access to confidential information. Exposure to confidential information is not allowed and can have severe consequences.

  4. Limit "Take Your Children to Work Day" activities to training rooms or other parts of the office free of sensitive information. Relatives, including children, must not enter IRS areas where the clean desk policy cannot be enforced. IRM, Implementation of Clean Desk Policy, provides additional guidance on the IRS space and clean desk policy.

Security and Disclosure

  1. Security and disclosure are not synonymous. Practicing security awareness reduces the risk of unauthorized or inappropriate access or disclosure. The Disclosure function has no jurisdiction over the rules applicable to physical and computer security, but does work closely with the security functions in the setting and communicating of standards.

  2. Physical security standards fall under the oversight of Facilities Management and Security Services (FMSS) Physical Security and Emergency Preparedness. See IRM 10.2.1, Physical Security Program - Physical Security.

  3. Computer and electronic security, including use of email and Secure Messaging (defined as any mechanism to encrypt SBU data for email), fall under the oversight of Information Technology (IT) Policy and Guidance. See IRM 10.8.1, Information Technology Services (IT) Security: Policy and Guidance and IRM 1.10.3 , Office of Commissioner Internal Revenue - Standards for Using Email.

  4. Information Technology has final jurisdiction over security policy as it applies to faxing and use of cordless devices. They have concurred with the guidelines on faxing and cordless devices as detailed respectively in subsection IRM above, and IRM, Use of Cell Phones and Cordless Devices.

  5. IT also has jurisdiction over security policy as it pertains to personal use of government technology resources. Specific requirements for the use of government technology and databases for non-official duties is detailed in IRM, Specific Requirements.

  6. Personally owned and other equipment not supplied by the government should not be connected to any IRS systems or networks. Equipment furnished by the government should not be connected to any personally owned equipment. For additional information see IRM, Personally Owned and Other Non-Government Furnished Equipment.

Voice Mail Systems

  1. When calling other IRS employees about taxpayers, do not leave confidential tax information on IRS internal voice mail systems. The IRS voice mail system is not secure. You may leave a message to "call me regarding the Joe Jones case," if necessary. It would be better not to mention the case name if possible, and to limit the message to "the Jones case," or "the case we discussed earlier," or similar language. Sensitive information may not be transmitted on IRS voicemail systems. From an IRC §6103 standpoint, information transmitted on IRS voicemail is secure; the policy is based on security concerns with the voicemail system.

  2. IRM, Leaving Information on Answering Machines/Voice Mail, provides guidance on the use of answering machines/voicemail during taxpayer contacts.

Electronic Mail and Secure Messaging

  1. For all disclosures of SBU data via email, follow the Disclosure Code, Authority, and Procedures (CAP) process section found in IRM

  2. Encrypt SBU data in emails using IT-approved encryption technology. For details on encryption, see IRM, Electronic Mail (Email) Security.

  3. Do not include SBU data in email subject line. Encryption methods do not encrypt the subject line or the header (email address information).

  4. For emails within the IRS network, use Outlook’s Secure Messaging system to encrypt the email body and attachments.

  5. For emails outside the IRS network, do not include SBU data in the body of the email. Encrypt attachments with password-protected SecureZip or another IT-approved encryption method. Remember that SecureZip only encrypts the attachment, not the body of the email.

  6. SBU data includes returns and return information, Privacy Act protected information, some law enforcement information, and other information protected by statute, regulation, or policy. See IRM, Sensitive But Unclassified (SBU) Data, for an exact definition of SBU.

  7. Do not send emails containing SBU data to taxpayers or their authorized representatives, even if requested, because of the risk of improper disclosure or exposure. For limited allowable situations for emailing with SBU data, see IRM, Email.

  8. Do not email SBU data to other external stakeholders unless specifically authorized (see the Disclosure CAP process in IRM above).

  9. As a general rule, employees may not use non-IRS email addresses to conduct IRS business. This includes sending work-related information or SBU to non-IRS email addresses. Employees participating in the IT-approved "Bring Your Own Device" (BYOD) program, may use the BYOD application on their approved personal device. See IRM, Bring Your Own Device (BYOD) and IRM 1.10.3, Standards for Using Email, for additional information.

  10. Refer to IRM 1.15.6, Managing Electronic Records, on the procedures for electronic mail management for the creation, maintenance, use, and disposition of federal records. The Office of Management and Budget (OMB) M-12-18, Managing Government Records Directive, requires all federal agencies to manage all email records in an electronic format. Email records must be retained in an appropriate electronic system that supports records management and litigation requirements.

Cellular Telephone Use

  1. When official government business is conducted in non-IRS work locations, IRS employees may use cellular telephones to conduct official government business. IRS employees using a cellular telephone must safeguard sensitive information and ensure the privacy of taxpayer data.

  2. Use of text messaging services on a cellular telephone must not be used to conduct official government business. See IRM, Telecommunication Devices, for additional information on the use of cellular devices.

Records Management

  1. Records management is the planning, controlling, directing, organizing, training, promoting, and other related activities related to the creation, maintenance, use, and disposition of records for proper documentation of an agency's policies and transactions. Records management in IRS is under the jurisdiction of the IRS Records and Information Management (RIM) Program, part of Privacy, Governmental Liaison and Disclosure (PGLD) Identity and Records Protection Unit.

  2. A Federal record is any recorded information relating to work of an office regardless of the medium, who created the record, or how it was created. Some records are paper documents, but most records are now electronically generated and maintained (e.g., Word, Excel, and email documents). Other types of records include photographs, maps, microfilm and fiche, video and sound recordings, and computer tapes or diskettes, and CDs, DVDs, thumb drives, etc.

  3. The Federal Records Act of 1950, as amended, governs the creation and preservation of government files. Other statutes and policies also apply. IRS works closely with the National Archives and Records Administration to ensure compliance with records management requirements.

  4. IRM 1.15.1, The Records and Information Management Program, IRM 1.15.2, Types of Records and Their Life Cycle, IRM 1.15.3, Disposing of Records, and IRM 1.15.7, Files Management, should be consulted for guidance on the records management program.

Security Inspections

  1. In today's climate, security checks are everywhere - IRS offices, airports, and at other buildings IRS employees must access during the performance of official duties.

  2. Certain precautions are needed to mitigate the risk of disclosures that might occur when employees are subject to a security check and their briefcase, laptop case or suitcase contains tax information or other sensitive data.

Transporting Documents

  1. When carrying sensitive documents, even within IRS buildings, certain steps should be taken to limit the risk of disclosure.

  2. Inadvertent disclosure of confidential data can be avoided by taking a few simple precautions. Employees will:

    1. Carry sensitive information only when necessary.

    2. Protect sensitive information by covering it with a blank piece of paper, placing it in an envelope large enough to cover any tabs or other identifying information and labeling the envelope confidential.

Planning and Consequences

  1. Proper planning, along with consideration of proper security measures, should allow employees to perform their normal duties with minimal disclosure concerns. When a concern arises, Disclosure personnel will help to analyze the issue, alleviate the concern, and advise the employee about the best course of action.

  2. An unauthorized disclosure is considered willful only when it is made voluntarily and intentionally, with full knowledge that it is wrong. Any inadvertent disclosure that might occur when clearing security should not meet the criteria of a willful disclosure when the employee has exercised care.

Redacting Transcripts

  1. Whenever providing tax information to taxpayers or their representatives, it is important to ensure that only authorized information is disclosed.

  2. Often, tax transcripts (including computer printouts) must be sanitized by redacting information that:

    1. Belongs to a different taxpayer,

    2. Includes a type of tax or a period not covered by a disclosure authorization,

    3. Is prohibited by statute from being disclosed (e.g., DIF, UIDIF, DAS or SERFE score), or

    4. If released, will impair federal tax administration.

    Any such redactions must be authorized by a functional employee having authorization to do so. See Delegation Order 11-2, found in IRM, or established functional guidelines on transcript redacting.

  3. Functional IRMs and various sections of IRM 11.3 provide guidance about redacting standards.

  4. While some transcripts are specifically designed for taxpayer use others are not, and require greater scrutiny and deliberation before release to a taxpayer.

  5. Freedom of Information Act redaction guidelines must be followed when applicable. For more information, see IRM 11.3.13, Freedom of Information Act (FOIA).

  6. Disclosure personnel can be consulted with questions regarding redactions.

Office of Special Counsel

  1. The Office of Special Counsel (OSC) is an independent federal investigative agency whose primary mission is to safeguard the merit system by protecting federal employees and applicants from prohibited personnel practices, such as reprisal for whistle-blowing. Occasionally in the context of an OSC investigation, or the use of tax information in a court proceeding, a question arises as to whether tax information may be accessed by OSC.


    An IRS employee alleges that his manager retaliated against him for making a complaint that the audit selection process in a particular location was racially discriminatory and OSC opens an investigation. During the investigation, OSC determines that it needs tax information from the employee's case to complete the investigation.

  2. The OSC investigation is a proceeding affecting the personnel rights of the employee. Tax information may be disclosed to the OSC investigator under IRC §6103(l)(4)(B) if the IRS determines that the disclosure is necessary to advance or protect the interests of the United States. Generally, OSC should be asked to make a written request explaining the reasons why tax information is needed. Data should be stripped of identifiers unless inclusion of identifying information is necessary to advance or protect the interests of the United States. If the investigation's focus turns to the actions of a specific manager, then the OSC investigation is also a proceeding affecting the personnel rights of the manager. At that point, the manager (or his private attorney) may make an IRC §6103(l)(4)(A) request for relevant and material tax information. Disclosures must be approved by officials having Delegation Order 11-2 authority, found in IRM For more information on IRC §6103(l)(4), see IRM, Disclosure Pursuant to IRC §6103(l)(4).

  3. The Privacy Act may be involved if OSC requests non-tax information, such as personnel records, from the IRS. Personnel records may be turned over to OSC pursuant to the routine use authority of Treasury/IRS System of Records Notice 36.003, General Personnel and Payroll Records.