11.3.14 Privacy Act General Provisions

Manual Transmittal

May 02, 2018

Purpose

(1) This transmits revised IRM 11.3.14, Disclosure of Official Information, Privacy Act General Provisions.

Material Changes

(1) Editorial changes have been made throughout to update IRM/statute/organizational references and terms. Web and citation references were added/updated throughout to make the text easier to research in electronic media.

(2) Changed ownership and responsibilities throughout from Governmental Liaison, Disclosure and Safeguards (GLDS) to Privacy Policy and Compliance (PPC).

(3) IRM 11.3.14.1 - Revised the title to Program, Scope and Objectives to properly reflect the information communicated in this subsection. Information from prior section 11.3.14.2 was incorporated into this new subsection. Included important information to conform to the new internal and management control standards under the following titles:

  1. IRM 11.3.14.1.1, Background - Information from prior section 11.3.14.1 was incorporated into this new subsection.

  2. IRM 11.3.14.1.2, Authorities - Information from prior section 11.3.14.5 was incorporated into this new subsection.

  3. IRM 11.3.14.1.3, Responsibilities - Information from prior section 11.3.14.8 was incorporated into this new subsection.

  4. IRM 11.3.14.1.3.1, Division of Responsibilities - Information from prior section 11.3.14.8.1 was incorporated into this new subsection.

  5. IRM 11.3.14.1.4, Terms and Definitions - Information from prior section 11.3.14.12.1 was incorporated into this new subsection.

  6. IRM 11.3.14.1.5, Acronyms - Compiled a list of frequently used acronyms and their definitions for the general Privacy Act provisions.

  7. IRM 11.3.14.1.6, Related Resources - Added related resources applicable to the general Privacy Act provisions. Information from prior section 11.3.14.10.2 was incorporated into this new subsection.

(4) IRM 11.3.14.3 - Added Note referring to IRC §7852(e) and its specific provisions relating to Privacy Act amendment provisions.

(5) IRM 11.3.14.5 - Removed list of general privacy principles and replaced with reference to IRM 10.5.1, Privacy Policy, which maintains a current list.

(6) IRM 11.3.14.6 - Added reference to the Federal Register.

(7) IRM 11.3.14.7.1 - Added references to records management resources.

(8) Added IRM 11.3.14.8, OMB 2016 Circular A-108 Revision of Privacy Act Guidance, which summarizes Privacy Act guidance in the Office of Management and Budget’s December 2016 reissued OMB Circular A-108.

(9) Added IRM 11.3.14.8.1, New Privacy Act Contract Review Requirements, which contains new requirements for Senior Agency Official for Privacy (SAOP) review of procurement solicitations involving Privacy Act records and approval of contracts, and a caution that for tax returns and return information IRC 6103 must authorize disclosure to a contractor regardless of whether the Privacy Act authorizes disclosure. The caution also explains that a provision of the Privacy Act must authorize disclosure, either under one of the 12 Privacy Act statutory exceptions that authorize disclosure or through a valid written Privacy Act consent that authorizes disclosure.

(10) Added IRM 11.3.14.8.1.1, Federal Acquisition Regulation Specific Privacy Act Training Clause Required in All Contracts Where Contractors Will Have Authorized Access to Privacy Act Information, which contains the Federal Acquisition Regulations (FAR) training clauses required in contracts.

(11) Added IRM 11.3.14.9, Requirements and OMB Privacy Act Controls for Systems of Records, which contains the required system of records privacy control elements.

(12) Removed prior IRMs 11.3.14.12.1 through 11.3.14.12.5 - These procedures were created before the enactment of the e-Government Act. The Privacy Impact Assessment and Privacy Controls implemented by IRS satisfy the procedural requirements in these deleted subsections.

(13) Added IRM Exhibit 11.3.14-1, Agency Review Requirements, which lists the reviews that OMB requires to ensure Privacy Act compliance.

(14) Added IRM Exhibit 11.3.14-2, Agency Public Website Posting Requirements, which contains OMB requirements for posting Privacy Act information on agency websites accessible to the public.

Effect on Other Documents

This supersedes IRM 11.3.14 dated September 12, 2013.

Audience

All Operating Divisions and Functions.

Effective Date

(05-02-2018)

Related Resources

The Disclosure and Privacy Knowledge Base is available at:
https://portal.ds.irsnet.gov/sites/vl003/pages/default.aspx.

Frances Kleckley
Director, Privacy Policy and Compliance

Program Scope and Objectives

  1. Purpose: This IRM discusses general Privacy Act provisions and their application to the IRS. The purpose of the Privacy Act is to provide certain safeguards for an individual against an invasion of personal privacy by requiring Federal agencies, except as otherwise provided by law, to:

    • Permit an individual to determine what records pertaining to him or her are collected, maintained, used, or disseminated by Federal agencies

    • Permit an individual to prevent records pertaining to him or her from being used or made available for another purpose without his or her consent

    • Permit an individual to gain access to information pertaining to him or her, have copies made, and amend or correct such records

    • Collect, maintain, use, or disseminate any record of identifiable personal information in a manner that ensures that such action is for a necessary and lawful purpose, that the information is current and accurate, for its intended use, and that adequate safeguards are provided to prevent misuse of such information

    Except as otherwise provided by law, agencies are subject to civil suit for damages as a result of willful or intentional action that violates any individual’s rights under the Privacy Act. Criminal penalties are applicable to agency employees who make prohibited disclosures or who maintain records in violation of law.

  2. Audience: The information and guidance in this IRM applies to all IRS employees and contractors.

  3. Policy Owner: Privacy Policy and Compliance (PPC) is responsible for Privacy Act oversight.

  4. Program Owner: The PPC office, under Privacy, Governmental Liaison and Disclosure (PGLD), is the program office responsible for oversight of the Servicewide Privacy Act policy.

Background

  1. The Senate Preface to the Legislative History of the Privacy Act of 1974 stated that, "The Bill of Rights guarantees to each American protections which we equate with specific rights of citizenship in a free society. This legislation is a major first step in a continuing effort to define the "penumbra" of privacy which emanates from specific guarantees in the Bill of Rights and which helps to give them life and substance as recognized in Griswold v. Connecticut."

  2. Congress also found that the:

    1. Privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies;

    2. Increasing use of computers and sophisticated information technology has greatly magnified the harm to individual privacy that can occur; and

    3. Individuals’ rights may be endangered by the misuse of some information systems.

  3. Accordingly, Congress decided that it was necessary to regulate the collection, maintenance, use, and dissemination of information by Federal agencies in order to protect the privacy of individuals.

Authorities

  1. The Privacy Act of 1974, which is also cited as 5 USC § 552a.

  2. Federal Acquisition Regulations (FAR) Part 24, Protection of Privacy and Freedom of Information.

  3. Department of the Treasury Regulations appear at Title 31, Part I, Subpart C, of the Code of Federal Regulations. 31 CFR §301. Additional information specific to the IRS is in Appendix B of these regulations.

Responsibilities

  1. Every employee of the IRS is responsible for being familiar with the provisions of the Privacy Act, commensurate with the level of his or her assigned duties, and for conforming to the requirements of the law as it applies to his or her activities. IRS employees are responsible for expeditiously contacting PPC at the *Privacy mailbox (privacy@irs.gov) concerning Privacy Act matters.

  2. All IRS officials are responsible for administering the Privacy Act insofar as its provisions are applicable to their functional areas and as provided by applicable regulations, published notices, and IRM instructions.

  3. Chiefs and Division Directors are responsible as systems managers to the extent that they prescribe practices for maintaining any system of records. The components of the system owners/managers that are most familiar with the system of records shall write the notices and other required reports and documents for a system of records notice to be published in the Federal Register and any other required Privacy Act notifications, such as those required by section (e)(3) of the Privacy Act. See IRM 11.3.15, Privacy Act Publications and Reporting Requirements.

  4. Privacy policy and overall coordination of IRS efforts to administer the Privacy Act are the responsibility of the Director, PPC.

  5. Private contractors and their employees are subject to some provisions of the Privacy Act. See IRM 11.3.24, Disclosures to Contractors.

  6. All employees and contractors have responsibility for ensuring IRS records (hard copy and electronic) are appropriately managed, retained, and archived in accordance with IRM 1.15 series, Records and Information Management, for records retention and disposition requirements before documents can be destroyed. Refer to Document 12990, IRS Records Control Schedules (RCS), for the National Archives and Records Administration (NARA)-approved IRS records disposition to prevent unauthorized/unlawful destruction of records. Refer to Document 12829, General Records Schedules (GRS), for the NARA-issued disposal authorizations for temporary administrative records common to all Federal agencies.

Division of Responsibility

  1. The IRS complies with the Privacy Act by integrating its provisions with the IRS’s existing procedural instructions, such as the IRM.

  2. For most Systems of Records two types of systems managers (or responsible officials) have been designated—the official prescribing practices, and the official maintaining the system.

  3. The official prescribing practices, generally a Headquarters Division Director, contributes to the administration of the Privacy Act by making certain that all procedures conform to its requirements.

  4. The official maintaining the system, generally an Area Manager or Campus Director, contributes to the administration of the Privacy Act by making certain that all procedural requirements are followed. Thus, an official operating a system of records or carrying out any other assignment will be in compliance with the Privacy Act if all actions taken are in strict accordance with the IRM.

Terms and Definitions

  1. For purposes of this IRM section, the following definitions apply:

    Approving Official:
      1. Area Managers and Directors of IRS Computing Centers for their respective offices;

      2. In Headquarters, division directors or equivalent positions.

    Information from Third Parties: Information collected about individuals from someone other than the individual. It does not include the following:
      • Information received from the individual or his/her representative

      • Information required to be filed with IRS, such as a Form W-2 from an employer or Form 1099 from banks and other payers of income, etc.

      • Information furnished by anyone to resolve specific cases being worked by IRS

        Example:

        Examination of a return, collection of taxes, resolution of match errors or information return discrepancies.

      • Information received from state tax agencies in accordance with an exchange agreement under IRC § 6103(d).

    Responsible Function: The function obtaining access to information from a Third Party.

Acronyms

  1. The following acronyms are used in this IRM section:

    CIP: Compliance Initiative Project
    FAR: Federal Acquisition Regulations
    FISMA: Federal Information Security Modernization Act of 2014
    FOIA: Freedom of Information Act
    GLDS: Governmental Liaison, Disclosure and Safeguards
    OIRA: (OMB’s) Office of Information and Regulatory Affairs
    OMB: Office of Management and Budget
    PIA: Privacy Impact Assessment
    PGLD: Privacy, Governmental Liaison and Disclosure
    PCLIA: Privacy and Civil Liberties Impact Assessment
    PPC: Privacy Policy & Compliance
    RISC: Regulatory Information Service Center
    ROCIS: RISC/OIRA Consolidated Information System
    SAOP: Senior Agency Official for Privacy
    SORN: System of Records Notice
    USC: United States Code

Related Resources

  1. The following table contains Privacy Act resources:

    PGLD’s Privacy Act home page: https://portal.ds.irsnet.gov/sites/vl003/Lists/FOIAandPrivacyAct/DispItemForm.aspx?ID=7
    U.S. Department of Justice, Office of Privacy and Civil Liberties home page: https://www.justice.gov/opcl
    Chief Counsel Directives Manual (CCDM) 37.2.1, Privacy Act of 1974
    IRM 10.9.1, National Security Information: Provides instructions for the proper handling and disposition of all classified National Security information
    IRM 1.15 series, Records Management: Provides instructions for the proper handling of information (hard copy and electronic) in the creation, maintenance, retrieval, preservation, and disposition of all records
    Document 12829: General Records Schedules
    Document 12990: IRS Records Control Schedules
    IRM 10.2, Physical Security Program: Provides instructions for the protection of records
    IRM 10.5.1, Privacy Policy: Provides privacy policy information and instructions
    IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance: Provides instructions for security requirements for electronic records
    IRM 11.3, Disclosure of Information: Provides instructions for disclosure of tax records in conjunction with the Privacy Act requirements

Limitations

  1. The Privacy Act of 1974 applies to agency records that are retrieved by an identifier for an individual. The Privacy Act defines "individual" as a citizen of the United States or an alien lawfully admitted for permanent residence. Corporations, partnerships, estates, organizations, and other entities are not "individuals" for Privacy Act purposes. However, court opinion has determined that an individual acting in an entrepreneurial capacity (such as a sole proprietor) is an "individual" for purposes of the Privacy Act.

  2. Most IRS records are subject to an extensive body of law, including the confidentiality and disclosure provisions of IRC § 6103, which are usually more specific and restrictive than the Privacy Act and therefore will generally be found to be the governing statute. It is important, in applying the Privacy Act, to take into consideration all applicable statutory requirements; the result should be that the safeguards against the invasion of an individual’s privacy are not less than those required by the Privacy Act.

  3. Agencies may propose rules that exempt certain records from certain Privacy Act provisions. Such rules must be approved by Congress and the Office of Management and Budget (OMB), and be published in the Federal Register. Treasury specifies whether there are exemptions applicable to a specific IRS system of records in published Federal Register notices.

General Format

  1. The Privacy Act provides a series of definitions concerning records maintained on individuals. These definitions help to determine which records are subject to the Privacy Act.

  2. In order for an agency to maintain records subject to the Privacy Act it must meet certain publishing and reporting requirements. These requirements are discussed in IRM 11.3.15, Privacy Act Publication and Reporting Requirements.

  3. It is the responsibility of the owner of the system of records to prepare a Privacy Act Notice for publication in the Federal Register, and the required reports and transmittal memos. The owner then forwards the package to PPC for approval at the *Privacy mailbox (privacy@irs.gov). PPC will then ensure that the package is cleared through the Office of Chief Counsel, the Commissioner, and any other necessary Headquarters offices. PPC will then transmit the package to the Treasury's Privacy Transparency and Records Office for clearance.

    Note:

    The component of the system owner that is most familiar with the records shall prepare the notice.

  4. Having advised the public of the type of records being maintained (by meeting the publishing and reporting requirements) the agency must generally give individuals asked to supply information a notice with the request for information. This requirement and related matters are discussed in IRM 11.3.16, Privacy Act Notification Programs.

  5. There are restrictions on the type of information an agency may obtain and use. These provisions are discussed in IRM 11.3.17, Privacy Act Recordkeeping Restrictions.

  6. An individual may have access to certain records pertaining to him or her, and may under some circumstances amend such records. These provisions are discussed in IRM 11.3.18, Privacy Act Access and Amendment of Records.

    Note:

    IRC §7852(e) provides that subsections (d)(2), (d)(3), (d)(4), and (g), of the Privacy Act of 1974 (i.e., the amendment provisions) shall not be applied, directly or indirectly, to the determination of liability of any person for any tax, penalty, interest, fine, forfeiture, other imposition or offense to which the provisions of the Internal Revenue Code apply.

  7. Restrictions are placed upon the disclosure by the agency of the records maintained, and an accounting is generally required of the disclosures made. These provisions are discussed in IRM 11.3.19, Privacy Act Accounting for Disclosures.

Spirit and Requirements of the Privacy Act

  1. IRS employees should follow the legal requirements of the Privacy Act at all times and should make every effort consistent with law, regulations and good administrative practice, to promote the spirit of the Privacy Act by performing their duties in a manner that recognizes and enhances individual rights of privacy.

  2. Disclosure of Privacy Act record information to other IRS employees is restricted to those who have a need to know the information in the performance of their official duties.

  3. The Privacy Act generally provides that individuals may gain access to records about themselves.

  4. A notice about agency systems of records that contain information about individuals that may be retrieved by an individual identifier must be published in the Federal Register upon establishment or revision of such records.

  5. Each agency that maintains Privacy Act records shall:

    1. Maintain only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required by statute or Executive Order;

    2. Collect information, to the greatest extent practicable, from the subject individual when the information may result in adverse determinations about an individual’s rights, benefits and privileges under Federal programs; and

    3. Inform each individual whom it asks to supply information, of the agency's authority for requesting the information; whether providing the information is voluntary or mandatory; the principal purpose(s) for which the information will be used; other routine uses of the information; and the effect(s), if any, on the individual of not providing all or part of the information requested. This statement may be made on the form used to collect the information, or on a separate form or sheet that the individual may retain.

Privacy Principles

  1. Privacy protection within the IRS includes adherence by all IRS employees to the principles listed in IRM 10.5.1, Privacy Policy.

  2. Policy Statement P-1-1 also embodies these concepts. See IRM 1.2.1.2, Policies of the Internal Revenue Service - Administration.

Privacy Act Orientation and Training

  1. The Office of Management and Budget (OMB) in Circular No. A-108 holds the IRS responsible for:

    "Conducting training for all agency personnel who are in any way involved in maintaining systems of records to apprise them of their responsibilities under the Act and to indoctrinate them with respect to procedures established by the agency to implement the Act."

    Note:

    See 5 USC § 552a(e)(9).

  2. OMB provides the following guidelines:

    "Effective compliance with the provisions of this Act will require informed and active support of a broad cross-section of agency personnel. It is important that all personnel who in any way have access to systems of records or who are engaged in the development of procedures or systems for handling records, be informed of the requirements of the Act and be adequately trained in agency procedures developed to implement the Act. Personnel with particular concerns include, but are not limited to, those engaged in personnel management, paperwork management (reports, forms, records, and related functions), computer systems development and operations, communications, statistical data collection and analysis, and program evaluation." See information in the Federal Register at 40 FR 28965-66.

Level of Involvement

  1. The highest level of involvement in training for Privacy Act purposes is required for managers, government information specialists, and policy analysts serving in PGLD.

  2. Functions having key personnel identified as requiring a high degree of training in Privacy Act matters may direct a request to the *Privacy mailbox for space at a regularly scheduled session of the Privacy Act Training or for a special presentation of the Privacy Act segment of the program.

  3. Functions revising existing training programs or establishing new training programs should include Privacy Act segments designed in accordance with their specific needs in order to meet the objectives of IRM 11.3.17.7. PPC assistance is available at the *Privacy mailbox for constructing such specialized course segments.

  4. For employees requiring a lesser degree of involvement, a periodic refresher or update can best be conducted by the inclusion of Privacy Act topics in regular group meetings and by discussing the impact of the Privacy Act on specific jobs. Contact PPC at the *Privacy mailbox for information or assistance.

Privacy Act Impact on Contracts

  1. The impact of the Privacy Act of 1974 on contracts is discussed in IRM 11.3.24, Disclosures to Contractors.

Related Document Security Requirements

  1. The Privacy Act requires that agencies establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.

  2. Agencies are required to maintain only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President.

  3. The timely disposition, proper destruction, safe storage, physical protection and proper handling of records are therefore mandated by the Privacy Act. IRS meets these requirements by adhering to the requirements found in IRM 1.15, Records and Information Management, Document 12829, General Records Schedules, and Document 12990, Records Control Schedules.

OMB 2016 Circular A-108 Revision of Privacy Act Guidance

  1. OMB revised A-130 and A-108 in 2016 to emphasize Privacy Act compliance. The documents emphasize the importance of this by placing responsibility with a Senior Agency Official for Privacy (SAOP).

    Note:

    Treasury houses the SAOP for IRS. The Chief Privacy Officer (CPO) is the executive director who oversees PGLD and has responsibility for the IRS privacy program.

  2. To ensure that agencies effectively carry out the privacy-related functions described in law and OMB policies, Presidential Executive Order 13719 requires the head of each agency to designate or re-designate an SAOP who has agency-wide responsibility and accountability for the agency’s privacy program. The SAOP shall be a senior official at the Deputy Assistant Secretary or equivalent level who serves in a central leadership position at the agency, has visibility into relevant agency operations, and is positioned highly enough within the agency to regularly engage with other agency leadership, including the head of the agency. See OMB memo M-16-24.

  3. With the reissuance of Circular A-108 in 2016, OMB revised and relocated the guidance that since 1985 had been included in Appendix I to Circular A-130. The reissued Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act, replaces the November 28, 2000 version of Appendix I to Circular A-130 and supplements OMB’s Privacy Act Guidelines, which remain in effect.

  4. The revised OMB A-108 specifically states on page 27 that "The requirement to establish and maintain a PCM [privacy continuous monitoring] program has replaced the prior OMB requirement for agencies to conduct annual Privacy Act reviews." Footnote 109 states "A PCM strategy is a formal document that catalogs the available privacy controls implemented at an agency across the agency risk management tiers and ensures that the controls are effectively monitored on an ongoing basis by assigning an agency-defined assessment frequency to each control that is sufficient to ensure compliance with applicable privacy requirements and to manage privacy risks."

  5. See Exhibit 11.3.14-1, Agency Review Requirements, and Exhibit 11.3.14-2, Agency Public Website Posting Requirements.

New Privacy Act Contract Review Requirements

  1. Reissued OMB A-108 contains new requirements for SAOP review of procurement solicitations involving Privacy Act records and approval of contracts as detailed below, as well as training clauses in contracts.

    Caution:

    A contractor and its employees are not considered employees of the Department of the Treasury for purposes of 5 USC § 552a. Therefore, Privacy Act protected records cannot be disclosed to contractors pursuant to 5 USC § 552a(b)(1). Disclosures of such records to contractors may be made only if one of the statutory disclosure provisions applies. The most commonly applicable disclosure provisions are 1) a published “routine use” in the appropriate system of records notice, and 2) written consent to the disclosure from the individual whose records are at issue.

    Caution:

    A contractor and its employees are subject to the Privacy Act’s criminal penalties pursuant to 5 USC § 552a(m)(1) if the contract is to operate a system of records for the agency. The IRS routinely includes disclosure prohibitions in contracts that authorize contractor access to Privacy Act protected records.

    Caution:

    For tax returns and return information, IRC § 6103 preempts the Privacy Act. Disclosure of tax returns and return information is controlled by IRC § 6103. Returns and return information may not be disclosed to a contractor unless the requirements of IRC § 6103 are met (regardless of whether the Privacy Act authorizes disclosure). See IRM 11.3.24 for tax returns and return information contract requirements pertaining to disclosure.

  2. Reissued OMB A-108 specifically prescribes:

    1. Agencies shall design their procurement practices to ensure that all contracts that involve the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of information that identifies and is about individuals are reviewed and approved by the SAOP before award to help evaluate whether a system of records will be established and, if so, to include appropriate clauses in the contract. The SAOP shall have access to a complete and accurate list of all of the agency’s contracts involving information that identifies and is about individuals, and shall establish a process to ensure that the language of each contract is sufficient and that the applicable requirements in the Privacy Act and OMB policies are enforceable on the contractor and its employees consistent with the agency’s authority.

    2. Agencies shall ensure that the language of each contract that involves the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of information that identifies and is about individuals, is sufficient and that the applicable requirements in the Privacy Act and OMB policies are enforceable on the contractor and its employees (see section 6(j) of OMB Circular A-108 for information about systems of records operated by contractors).

  3. See also IRM 11.3.24, Disclosures to Contractors.

Federal Acquisition Regulation Specific Privacy Act Training Clause Required in All Contracts Where Contractors Will Have Authorized Access to Privacy Act Information

  1. Federal Acquisition Regulations (FAR) Subpart 24.3 requires contractors whose employees will have authorized access to Privacy Act information to complete training that addresses protection of privacy in accordance with the Privacy Act and the handling and safeguarding of Personally Identifiable Information (PII). These employees are required to complete initial privacy training and annual privacy training thereafter.

  2. A contractor who has employees involved in these activities is also required to maintain records indicating that its employees have completed the requisite training and provide these records to the contracting officer upon request. In addition, the prime contractor is required to flow-down these requirements to all applicable subcontracts.

  3. At a minimum, privacy training shall cover the following:

    1. The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Privacy Act;

    2. The appropriate handling and safeguarding of PII;

    3. The authorized and official use of a system of records or any other PII;

    4. Restrictions on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access, or store PII;

    5. The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII or systems of records; and

    6. Procedures to be followed in the event of a potential or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of PII.

  4. The clause at FAR §52.224-3 must be present if contractor employees:

    1. Have access to a system of records;

    2. Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information; or

    3. Design, develop, maintain, or operate a system of records.

    Note:

    Use the Alternate I clause of FAR §52.224-3 whenever IRS specifies that IRS-provided training is required.

  5. See FAR Subpart 24.3 and FAR 52.224-3 for additional information.

  6. See also IRM 11.3.24, Disclosures to Contractors.

Requirements and OMB Privacy Act Controls for Systems of Records

  1. Agencies shall design their privacy control selection process to include privacy controls that allow the agency to ensure compliance with applicable requirements in the Privacy Act and related OMB guidance. At a minimum, the controls selected for an information system that contains information in a system of records shall address the following elements:

    1. Minimization. Agencies shall ensure that no system of records includes information about an individual that is not relevant and necessary to accomplish a purpose required by statute or executive order.

    2. Systems of Records Notices. Agencies shall ensure that all SORNs remain accurate, up-to-date, and appropriately scoped; that all SORNs are published in the Federal Register; that all SORNs include the information required by OMB Circular A-108; and that all significant changes to SORNs have been reported to OMB and Congress (see section 7 of OMB Circular A-108 for information about reporting a modified system of records).

    3. Routine Uses. Agencies shall ensure that all routine uses remain appropriate and that the recipient’s use of the records continues to be compatible with the purpose for which the information was collected (see section 6(k) of OMB Circular A-108 for information about routine uses).

    4. Privacy Act Exemptions. Agencies shall ensure that each exemption claimed for a system of records pursuant to 5 U.S.C. § 552a(j) and (k) remains appropriate and necessary (see section 11 of Circular A-108 for information about Privacy Act exemptions).

    5. Contracts. Agencies shall ensure that the language of each contract that involves the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of information that identifies and is about individuals, is sufficient and that the applicable requirements in the Privacy Act and OMB policies are enforceable on the contractor and its employees (see section 6(j) of Circular A-108 for information about systems of records operated by contractors). See also IRM 11.3.24, Disclosures to Contractors.

    6. Privacy Training. Agencies shall ensure that the agency’s training practices are sufficient and that agency personnel understand the requirements of the Privacy Act, OMB guidance, the agency’s implementing regulations and policies, and any job-specific requirements.

Privacy Act Fee

  1. The sole fee to the public pursuant to the Privacy Act is one that permits the Government to recover the expense incurred by providing copies of records. See IRM 11.3.5, Fees.

Controlling Information From Third Parties

  1. The Privacy Act generally authorizes Federal agencies to collect and maintain only information that is relevant and necessary to accomplish a purpose of the agency, and requires agencies to collect information directly from the subject individual to the greatest extent practicable. Therefore, the IRS has implemented the following procedures for use when an IRS function wants to obtain access to, or a copy of, a large volume of information that pertains to many individuals. These procedures provide a uniform methodology for acquiring, using, and disposing of information obtained in volume from third parties. These procedures are required to provide adequate controls of such information consistent with relevant statutes and policies concerning privacy, security, and disclosure.

  2. These procedures apply to the solicitation or maintenance of information from third parties. They apply to all functions at all levels of the IRS. However, these procedures do not apply to:

    1. Information needed to resolve specific cases;

    2. Information about businesses, exempt organizations, or employee plans (procedures concerning businesses, exempt organizations, and employee plans will be developed later);

    3. Information requested from state tax agencies when the information was used by the states in their tax administration, provided the information is not obtained from a state tax agency for the purpose of circumventing the intent of these controls;

    4. Information gathered by Criminal Investigation under the provisions of IRM 9.4, Investigative Techniques, relating to general investigations, excluding multifunctional information gathering projects; and

    5. Data gathering that requires a Compliance Initiative Project (CIP) or is specifically exempted from the CIP process under IRM 4.17.1.3, Activities Not Subject to CIP Procedures. See IRM 4.17, Compliance Initiative Projects, for further information.

Agency Review Requirements

The following table is from OMB Circular A-108 and lists Privacy Act agency review requirements, which are met through privacy continuous monitoring:

  1. Minimization – Continuous Monitoring
    Description: Agencies shall ensure that no system of records includes information about an individual that is not relevant and necessary to accomplish a purpose required by statute or executive order.
    Timing: Agencies shall perform assessments of privacy controls with a frequency sufficient to ensure compliance and manage risks.
    Reviewer: Senior Agency Official for Privacy
    Citation(s): 5 U.S.C. § 552a(e)(1); section 12 of Circular A-108.

  2. System of Records Notices – Continuous Monitoring
    Description: Agencies shall ensure that all SORNs remain accurate, up-to-date, and appropriately scoped; that all SORNs are published in the Federal Register; that all SORNs include the information required by OMB Circular A-108; and that all significant changes to SORNs have been reported to OMB and Congress.
    Timing: Agencies shall perform assessments of privacy controls with a frequency sufficient to ensure compliance and manage risks.
    Reviewer: Senior Agency Official for Privacy
    Citation(s): 5 U.S.C. § 552a(e)(4); section 12 of Circular A-108.

  3. Routine Uses – Continuous Monitoring
    Description: Agencies shall ensure that all routine uses remain appropriate and that the recipient’s use of the records continues to be compatible with the purpose for which the information was collected.
    Timing: Agencies shall perform assessments of privacy controls with a frequency sufficient to ensure compliance and manage risks.
    Reviewer: Senior Agency Official for Privacy
    Citation(s): 5 U.S.C. § 552a(a)(7); section 12 of Circular A-108.

  4. Privacy Act Exemptions – Continuous Monitoring
    Description: Agencies shall ensure that each exemption claimed for a system of records pursuant to 5 U.S.C. § 552a(j) and (k) remains appropriate and necessary.
    Timing: Agencies shall perform assessments of privacy controls with a frequency sufficient to ensure compliance and manage risks.
    Reviewer: Senior Agency Official for Privacy
    Citation(s): 5 U.S.C. § 552a(j)-(k); section 12 of Circular A-108.

  5. Contracts – Continuous Monitoring
    Description: Agencies shall ensure that the language of each contract that involves the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, or disposal of information that identifies and is about individuals is sufficient, and that the applicable requirements in the Privacy Act and OMB policies are enforceable on the contractor and its employees.
    Timing: Agencies shall perform assessments of privacy controls with a frequency sufficient to ensure compliance and manage risks.
    Reviewer: Senior Agency Official for Privacy
    Citation(s): 5 U.S.C. § 552a(m); section 12 of Circular A-108.

  6. Privacy Training – Continuous Monitoring
    Description: Agencies shall ensure that the agency’s training practices are sufficient and that agency personnel understand the requirements of the Privacy Act, OMB guidance, the agency’s implementing regulations and policies, and any job-specific requirements.
    Timing: Agencies shall perform assessments of privacy controls with a frequency sufficient to ensure compliance and manage risks.
    Reviewer: Senior Agency Official for Privacy
    Citation(s): 5 U.S.C. § 552a(e)(9); section 12 of Circular A-108.

  7. FISMA Review – Annual
    Description: The Senior Agency Official for Privacy shall review the administration of the agency’s privacy program as part of the annual FISMA reporting process.
    Timing: Agencies shall refer to OMB’s annual FISMA guidance for review instructions.
    Reviewer: Senior Agency Official for Privacy
    Citation(s): 44 U.S.C. §§ 3551-3558; section 13 of Circular A-108.

  8. Review of Matching Programs – Annual (see also IRM 11.3.39, Computer Matching and Privacy Protection Act)
    Description: Agencies’ Data Integrity Boards shall review all matching programs in which the agency has participated during the calendar year.
    Timing: Agencies’ Data Integrity Boards shall conduct the review at the end of the calendar year and report to OMB by June 1.
    Reviewer: Agency’s Data Integrity Board
    Citation(s): 5 U.S.C. § 552a(u)(3)(B)-(C); section 14 of Circular A-108.

  9. Review of Other Matching Activities – Annual (see also IRM 11.3.39)
    Description: Agencies’ Data Integrity Boards may also review any agency matching activities that are not matching programs.
    Timing: Agencies’ Data Integrity Boards shall conduct any review at the end of the calendar year and report to OMB by June 1.
    Reviewer: Agency’s Data Integrity Board
    Citation(s): 5 U.S.C. § 552a(u)(3)(H); section 14 of Circular A-108.

Agency Public Website Posting Requirements

  1. Compilation of agencies’ system of records notices and Privacy Act implementation rules
    Description: The Office of the Federal Register shall post a compilation of agencies’ system of records notices and Privacy Act implementation rules.
    Location: The website of the Federal Register at https://www.federalregister.gov/.
    Citation(s): 5 U.S.C. § 552a(f).

  2. System of Records Notices
    Description: Agencies shall list and provide links to complete, up-to-date versions of all agency SORNs.
    Location: www.treasury.gov/privacy
    Note: https://www.irs.gov/uac/irs-privacy-policy for IRS
    Citation(s): 5 U.S.C. § 552a(e)(4); section 15 of Circular A-108.

  3. Matching Notices and Agreements
    Description: Agencies shall list and provide links to up-to-date matching notices and agreements for all active matching programs.
    Location: www.treasury.gov/privacy
    Citation(s): 5 U.S.C. § 552a(o), (r); section 15 of Circular A-108.

  4. Privacy Act Exemptions
    Description: Agencies shall provide citations and links to all Privacy Act exemption rules.
    Location: www.treasury.gov/privacy
    Citation(s): 5 U.S.C. § 552a(j)-(k); section 15 of Circular A-108.

  5. Privacy Act Implementation Rules
    Description: Agencies shall list and provide links to all Privacy Act implementation rules.
    Location: www.treasury.gov/privacy
    Citation(s): 5 U.S.C. § 552a(f); section 15 of Circular A-108.

  6. Instructions for Submitting a Privacy Act Request
    Description: Agencies shall provide instructions for individuals who wish to submit an access or amendment request.
    Location: www.treasury.gov/privacy
    Citation(s): 5 U.S.C. § 552a(d); section 15 of Circular A-108.