- 11.3.14 Privacy Act General Provisions
- Background
- Purpose
- Limitations
- General Format
- References
- Spirit and Requirements of the Act
- Privacy Principles
- Responsibility
  - Division of Responsibility
- Privacy Act Orientation and Training
  - Level of Involvement
- Privacy Act Impact on Contracts
- Privacy Act Fee
- Controlling Information From Third Parties
  - Definitions
  - Acquiring Information From a Third Party
  - Request for Approval and Use of Information From a Third Party
  - Controlling Information From Third Parties
  - Quality Reviews of Controls on Information From Third Parties
Part 11. Communications and Liaison
Chapter 3. Disclosure of Official Information
Section 14. Privacy Act General Provisions
September 12, 2013
(1) This manual, IRM 11.3.14, Privacy Act General Provisions, was reviewed on May 31, 2013 and determined to be technically accurate. It is being reissued as a Non-procedural update and includes web link updates and links to citation references.
(1) Editorial changes have been made throughout to update IRM/statute/organizational references and terms. Web and citation references were added/updated throughout to make the text easier to research in electronic media.
The Governmental Liaison and Disclosure intranet home page can be found at:
Gregory T. Ricketts
Acting Director, Governmental Liaison and Disclosure
Congress, in a preamble to the Privacy Act of 1974, stated that the right to privacy is a personal and fundamental right protected by the Constitution of the United States.
Congress also found that the:
- Privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies;
- Increasing use of computers and sophisticated information technology has greatly magnified the harm to individual privacy that can occur; and
- Individual’s rights may be endangered by the misuse of some information systems.
Accordingly, Congress decided that it was necessary to regulate the collection, maintenance, use, and dissemination of information by Federal agencies in order to protect the privacy of individuals.
The purpose of the Act is to provide certain safeguards for an individual against an invasion of personal privacy by requiring Federal agencies, except as otherwise provided by law, to:
- Permit an individual to determine what records pertaining to him or her are collected, maintained, used, or disseminated by Federal agencies;
- Permit an individual to prevent records pertaining to him or her from being used or made available for another purpose without his or her consent;
- Permit an individual to gain access to information pertaining to him or her, have copies made, and amend or correct such records;
- Collect, maintain, use, or disseminate any record of identifiable personal information in a manner that ensures that such action is for a necessary and lawful purpose, that the information is current and accurate for its intended use, and that adequate safeguards are provided to prevent misuse of such information.
Except as otherwise provided by law, agencies are subject to civil suit for any damages that occur as a result of willful or intentional action that violates any individual’s rights under the Act.
Criminal penalties are applicable to agency employees who make prohibited disclosures or who maintain records in violation of law.
The Privacy Act of 1974 applies to agency records that are retrieved by an identifier for an individual. The Privacy Act defines "individual" as a citizen of the United States or an alien lawfully admitted for permanent residence. Corporations, partnerships, estates, organizations, and other entities are not "individuals" for Privacy Act purposes. However, court opinion has determined that an individual acting in an entrepreneurial capacity (such as a sole proprietor) is an "individual" for purposes of the Act.
Most records maintained by the Internal Revenue Service (IRS) are subject to an extensive body of law (including the confidentiality and disclosure provisions of IRC § 6103) that is usually more specific and restrictive than the Privacy Act, and that therefore will generally be found to be the governing statute. It is important, in applying the Privacy Act, to take into consideration all statutory requirements that are applicable; the result should be that the safeguards against the invasion of an individual’s privacy are not less than those required by the Privacy Act.
Agencies may propose rules that exempt certain records from certain Privacy Act provisions. Such rules must be approved by Congress and OMB, and be published in the Federal Register.
The Act provides a series of definitions concerning records maintained on individuals. These definitions help to determine which records are subject to the Act.
In order for an agency to maintain records subject to the Act it must meet certain publishing and reporting requirements. These requirements are discussed in IRM 11.3.15, Privacy Act Publication and Reporting Requirements.
It is the responsibility of the owner of the system of records to prepare a Privacy Act Notice for publication in the Federal Register, and the required reports and transmittal memos. The owner then forwards the package to the Office of Governmental Liaison and Disclosure (GLD) for approval. GLD will then ensure that the package is cleared through the Office of the Assistant Chief Counsel, the Commissioner, and any other necessary Headquarters offices. GLD will then transmit the package to the Treasury Department Disclosure Office for clearance.
The component of the system owner that is most familiar with the records shall prepare the notice.
Having advised the public of the type of records being maintained (by meeting the publishing and reporting requirements) the agency must give individuals asked to supply information a notice with the request for information. This requirement and related matters are discussed in IRM 11.3.16, Privacy Act Notification Programs.
There are restrictions on the type of information an agency may obtain and use. These provisions are discussed in IRM 11.3.17, Privacy Act Recordkeeping Restrictions.
An individual may have access to certain records pertaining to him or her, and may under some circumstances amend such records. These provisions are discussed in IRM 11.3.18, Privacy Act Access and Amendment of Records.
Restrictions are placed upon the disclosure by the agency of the records maintained, and an accounting is required of the disclosures made. These provisions are discussed in IRM 11.3.19, Privacy Act Accounting for Disclosures.
Procedures relating to provisions of the Privacy Act that are not technically speaking "disclosure matters" will nevertheless be included in appropriate IRM sections, if they are of general or Servicewide interest. Detailed instructions provided by other functions to carry out the general Privacy Act requirements in this section will not be cross referenced back.
The Privacy Act of 1974 is also cited as 5 USC § 552a.
Department of the Treasury Regulations appear at Title 31, Part I, Subpart C, of the Code of Federal Regulations. Additional information specific to the IRS is in Appendix B of these regulations.
IRS employees should follow the legal requirements of the Privacy Act at all times and should make every effort consistent with law, regulations and good administrative practice, to promote the spirit of the Privacy Act by performing their duties in a manner that recognizes and enhances individual rights of privacy.
Disclosure of Privacy Act record information to other IRS employees is restricted to those who have a need to know the information in the performance of their official duties.
The Privacy Act generally provides that individuals may gain access to records about themselves.
A notice about agency systems of records that contain information about individuals that may be retrieved by an individual identifier must be published in the Federal Register upon establishment or revision of such records.
Each agency that maintains Privacy Act records shall:
- Maintain only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required by statute or Executive Order;
- Collect information, to the greatest extent practicable, from the subject individual when the information may result in adverse determinations about an individual’s rights, benefits and privileges under Federal programs; and
- Inform each individual whom it asks to supply information, of the agency's authority for requesting the information; whether providing the information is voluntary or mandatory; the principal purpose(s) for which the information will be used; other routine uses of the information; and the effect(s), if any, on the individual of not providing all or part of the information requested. This statement may be made on the form used to collect the information, or on a separate form or sheet that the individual may retain.
Privacy protection within the IRS includes adherence by all IRS employees to the following principles, which are available on the Office of Privacy, Governmental Liaison and Disclosure website at: http://irweb.irs.gov/AboutIRS/bu/pipds/default.aspx
- Protecting taxpayer privacy is a public trust;
- Personal information will only be collected if it is necessary for tax administration or other legally authorized purposes;
- Information will be used only for the purpose for which it was collected, or as specifically authorized by law;
- Information will be collected, to the greatest extent practicable, directly from the individual to whom it relates. Information that is collected from third parties will be verified for accuracy with the subject, whenever possible, before final action is taken;
- All IRS employees share in the responsibility for protecting the privacy of individuals whose information they have access to: taxpayers, employees, and visitors to IRS web sites.
Policy Statement P-1-1 also embodies these concepts. See IRM 184.108.40.206, Policies of the Internal Revenue Service - Administration.
Every employee of the IRS is responsible for being familiar with the provisions of the Privacy Act, commensurate with the level of his or her assigned duties, and for conforming to the requirements of the law as it applies to his or her activities. IRS employees are responsible for contacting the Office of GLD expeditiously concerning Privacy Act matters.
All IRS officials are responsible for administering the Privacy Act insofar as provisions of the Act are applicable to their functional areas and as provided by applicable regulations, published notices, and IRM instructions.
Chiefs and Division Directors are responsible as systems managers to the extent that they prescribe practices for maintaining any system of records. The components of the system owners/managers that are most familiar with the system of records shall write the notices and other required reports and documents for a system of records notice to be published in the Federal Register and any other required Privacy Act notifications, such as those required by section (e)(3) of the Act. See IRM 11.3.15, Privacy Act Publications and Reporting Requirements.
Overall coordination of IRS efforts to administer the Privacy Act, publication of required notices, preparation of general Internal Revenue Manual instructions, and administration of the access, amendment, and disclosure provisions of the Act are the responsibility of the Director, GLD.
Private contractors and their employees are subject to some provisions of the Privacy Act. See IRM 11.3.24, Disclosures to Contractors.
The IRS complies with the Privacy Act by integrating the Act’s provisions with the IRS’s existing procedural instructions, such as the IRM.
For most Systems of Records two types of systems managers (or responsible officials) have been designated—the official prescribing practices, and the official maintaining the system.
The official prescribing practices, generally a Headquarters Division Director, contributes to the administration of the Privacy Act by making certain that all procedures conform to the requirements of the Act.
The official maintaining the system, generally an Area Manager or Campus Director, contributes to the administration of the Privacy Act by making certain that all procedural requirements are followed. Thus an official operating a system of records or carrying out any other assignment will be in compliance with the Privacy Act if all actions taken are in strict accordance with the IRM.
The Office of Management and Budget (OMB) in Circular No. A-108 holds the IRS responsible for:
"Conducting training for all agency personnel who are in any way involved in maintaining systems of records to apprise them of their responsibilities under the Act and to indoctrinate them with respect to procedures established by the agency to implement the Act."
OMB provides the following guidelines:
"Effective compliance with the provisions of this Act will require informed and active support of a broad cross-section of agency personnel. It is important that all personnel who in any way have access to systems of records or who are engaged in the development of procedures or systems for handling records, be informed of the requirements of the Act and be adequately trained in agency procedures developed to implement the Act. Personnel with particular concerns include, but are not limited to, those engaged in personnel management, paperwork management (reports, forms, records, and related functions), computer systems development and operations, communications, statistical data collection and analysis, and program evaluation."
The highest level of involvement in training for Privacy Act purposes is required for Disclosure Managers, Disclosure Specialists, Policy Analysts and Tax Law Specialists serving in GLD. Accordingly, a Privacy Act segment has been included in the Disclosure Training Program.
Functions having key personnel identified as requiring a high degree of training in Privacy Act matters may direct a request to the Director, GLD, for space at a regularly scheduled session of the Privacy Act Training or for a special presentation of the Privacy Act segment of the program.
Functions revising existing training programs or establishing new training programs should include Privacy Act segments designed in accordance with their specific needs in order to meet the objectives of IRM 220.127.116.11. GLD assistance is available for constructing such specialized course segments.
For employees requiring a lesser degree of involvement, a periodic refresher or update can best be conducted by the inclusion of Privacy Act topics in regular group meetings and by discussing the impact of the Privacy Act on specific jobs. Disclosure Managers are available in field offices to conduct or assist at such sessions.
The impact of the Privacy Act of 1974 on contracts is discussed in IRM 11.3.24, Disclosures to Contractors.
The Privacy Act requires that agencies establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.
Agencies are required to maintain only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President.
The timely disposition, proper destruction, safe storage, physical protection and proper handling of records are therefore mandated by the Act.
The following IRM references contain important instructions related to information and document security:
- IRM 10.9.1, National Security Information, provides instructions for the proper handling and disposition of all classified National Security information;
- IRM 1.15, Records Management, provides instructions for the proper handling of all record material;
- IRM 1.16, Physical Security Program, provides instructions for the protection of records;
- IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, provides instructions for security requirements for electronic records.
The sole fee to the public pursuant to the Privacy Act is one that permits the Government to recover the expense incurred by providing photocopies of records. See IRM 11.3.5, Fees.
The Privacy Act generally authorizes Federal agencies to collect and maintain only information that is relevant and necessary to accomplish a purpose of the agency, and requires agencies to collect information directly from the subject individual to the greatest extent practicable. Therefore, the IRS has implemented the following procedures for use when an IRS function wants to obtain access to, or a copy of, a large volume of information that pertains to many individual taxpayers. These procedures provide a uniform methodology for acquiring, using, and disposing of information obtained in volume from third parties. These procedures are required to provide adequate controls of such information consistent with relevant statutes and policies concerning privacy, security, and disclosure.
These procedures apply to the solicitation or maintenance of information from third parties. They apply to all functions at all levels of the IRS. However, these procedures do not apply to:
- Information needed to resolve specific cases;
- Information about businesses, exempt organizations, or employee plans (procedures concerning businesses, exempt organizations, and employee plans will be developed later);
- Information requested from state tax agencies when the information was used by the states in their tax administration, provided the information is not obtained from a state tax agency for the purpose of circumventing the intent of these controls;
- Information gathered by Criminal Investigation under the provisions of IRM 9.4, Investigative Techniques, relating to general investigations, excluding multifunctional information gathering projects; and
- Data gathering that requires a Compliance Initiative Project or is specifically exempted from the CIP process under IRM 18.104.22.168, Activities Not Subject to CIP Procedures. See IRM 4.17, Compliance Initiative Projects, for further information.
For purposes of this section, the following definitions apply.
Area Managers and Directors of Detroit, Martinsburg and Tennessee Computing Centers for their respective offices;
In Headquarters, division directors or equivalent positions.
Information From Third Parties: This is information collected about taxpayers from someone other than the taxpayer. It does not include the following:
- Information received from the taxpayer or his/her representative;
- Information required to be filed with IRS, such as Form W-2s from employers, Form 1099s from banks and other payers of income, etc.;
- Information furnished by anyone to resolve specific cases being worked by IRS.
- Examination of a return, collection of taxes, resolution of match errors or information return discrepancies.
- Information received from state tax agencies in accordance with an exchange agreement under IRC § 6103(d).
Responsible Function: The function obtaining access to information from a Third Party.
The IRS will provide enhanced taxpayer privacy through controls over the gathering, use and dissemination of information obtained from third parties. These controls require that all functions obtain approval before receiving any such information, and that the local Disclosure Manager review the function’s compliance with these controls during regular quality reviews of the functions. The Disclosure Manager will provide a report to the approving official on the results of the reviews.
Information may be used only for approved purposes. If a new use is discovered for information already acquired, a separate approval must be obtained before beginning that use.
When information is no longer needed, it will be disposed of according to established procedures for destruction of return information.
Prior to obtaining access to information from a third party, the responsible function will provide a written request for approval from the head of the office to obtain the information. The request will include a Privacy Impact Statement that covers the following:
- A description of the information to be acquired;
- Why it is needed and how it will be used;
- The Privacy Act System of Records (name and number) that will govern its use;
- How and from whom it will be obtained;
- An estimate of the return information’s reliability and accuracy;
- Any procedures that will be used to test and validate the data information’s reliability;
- How the information will be protected;
- How long the information will be kept before it is disposed of (this should be a specific date), and the procedures for its ultimate disposition;
- Any limitations imposed by the source of the information on how it may or may not be used; and
- The person responsible for receiving and controlling the information.
For security requirements, see IRM 1.16, Physical Security Program, IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, IRM 1.15, Records Management, IRM 11.3, Disclosure of Official Information, IRC § 6103, and Policy Statements.
The gathering of information from a third party may require the completion of a Privacy Impact Assessment (PIA), that includes a description of the information and its uses. Contact the Director, Office of Privacy, Information Protection and Data Security, for further information on whether a PIA is required.
Functions must ensure that the information is timely, relevant and accurate for the purpose it is used. This should be an ongoing process. If, at any time, it is determined that the information is no longer reliable for its intended purpose, the responsible office must cease using it.
All requests to obtain or use information from a third party must be reviewed by the Disclosure Manager. The request must be approved in writing by the head of office.
Disclosure managers will provide advice to the head of office on whether the request complies with the Privacy Act, the disclosure statutes, and IRS’s privacy policies and principles.
A copy of all approved requests will be given to the Disclosure Manager for subsequent review during normal quality reviews of functions as provided in IRM 11.3.38, Role and Responsibilities of Disclosure Managers.
The responsible function will maintain a file on the information received. At a minimum, the file will contain the following information:
- The approved request for obtaining and using the information;
- The date(s) information was received from a third party, its type and source;
- Any duplication of the information;
- To whom the information was given, when it was given, why it was given and when it was returned;
- Any approved extensions for keeping the information;
- The date and method of the final disposition of the information.
This file will be available to the Disclosure Manager when requested in conjunction with a quality review of the function as provided in IRM 11.3.38, Roles and Responsibilities of Disclosure Managers.
Disclosure managers will, as part of an established functional quality review process, ensure the review of controls on information from third parties as provided in this section.
Upon completion of a review of the controls on information from third parties, the disclosure office will provide a report consistent with the quality review process described in IRM 11.3.38, Roles and Responsibilities of Disclosure Managers.
Disclosure managers will ensure, at a minimum, that the following areas are addressed during the quality review:
- Was information obtained?
- Was the required head-of-office approval obtained?
- Has the function complied with the terms of the approval document concerning the intended use of the information and its timely final disposition?