11.3.15 Privacy Act Publication and Reporting Requirements

Manual Transmittal

May 03, 2018

Purpose

(1) This transmits revised IRM 11.3.15, Disclosure of Official Information, Privacy Act Publication and Reporting Requirements.

Material Changes

(1) Editorial changes have been made throughout to update IRM/statute/organizational references and terms. Web and citation references were added/updated throughout to make the text easier to research in electronic media.

(2) Changed ownership and responsibilities throughout from Governmental Liaison and Disclosure and Safeguards (GLDS) to Privacy Policy and Compliance (PPC).

(3) IRM 11.3.15.1 - Revised the title to Program, Scope and Objectives, to properly reflect the information communicated in this subsection. Information from prior subsection 11.3.15.1 was incorporated into this new subsection. Included important information to conform to the new internal and management control standards under the following titles:

  1. IRM 11.3.15.1.1, Background - Information from prior subsection 11.3.15.2 was incorporated into this new subsection.

  2. IRM 11.3.15.1.2, Authorities - Added legal authorities governing Privacy Act publication and reporting requirements.

  3. IRM 11.3.15.1.3, Responsibilities - Information from prior subsection 11.3.15.9 was incorporated into this new subsection.

  4. IRM 11.3.15.1.4, Terms and Definitions - Information from prior subsection 11.3.15.3 was incorporated into this new subsection.

  5. IRM 11.3.15.1.5, Acronyms - Compiled a list of frequently used acronyms and their definitions for Privacy Act publication and reporting requirements.

  6. IRM 11.3.15.1.6, Related Resources - Added related resources applicable to the Privacy Act publication and reporting requirements.

(4) The following table reflects additional migration of content from the 9/16/2013 revision of IRM 11.3.15 to the current revision:

9/16/2013 Revision Subsection Number | Title | New Subsection Number
11.3.15.4 | Systems of Records | 11.3.15.2
11.3.15.5 through 11.3.15.5.3 | Notices of Systems of Records changed to What Must be Included in a System of Records Notice | 11.3.15.3 through 11.3.15.3.2
11.3.15.6 through 11.3.15.6.5 | Publishing Notices of Systems of Records | 11.3.15.4 through 11.3.15.4.5
11.3.15.7 | Republishing Notices of Systems of Records | 11.3.15.4.6
11.3.15.8 through 11.3.15.8.3 | Report on New Systems of Records | 11.3.15.5.1 through 11.3.15.5.1.3
11.3.15.10 | Privacy Act Request Report | 11.3.15.5.2

(5) Added reissued Office of Management and Budget (OMB) Circular A-108 Privacy Act review and reporting requirements to the following new subsections:

  • IRM 11.3.15.2.1, When to Publish a System of Records Notice, describes Systems of Records Notice publishing requirements.

  • IRM 11.3.15.2.2, Scope of a System of Records, describes general factors for determining whether a group of records will be treated as a single system or multiple systems.

  • IRM 11.3.15.5.1.4, Reporting Systems of Records to OMB and Congress, contains information on advance notice requirements for proposals to establish or significantly modify a system of records.

  • IRM 11.3.15.5.4, Annual Matching Activity Review and Report, describes the required elements of the agency’s annual matching program review and report.

  • IRM 11.3.15.5.5, Section 803 Reports Pertaining to Privacy Act Complaints, contains privacy reporting requirements for Section 803 reports.

  • IRM Exhibit 11.3.15-2, Federal Register Publication Requirements, contains requirements for creating a Federal Register notice and accompanying reports for OMB and the Congressional committees that oversee the Privacy Act.

(6) Changed title of IRM 11.3.15.3 from Notices of Systems of Records to What Must Be Included in a System of Records Notice.

(7) Changed title of IRM 11.3.15.3.1 from Notices of Exempt Systems of Records to How to Write a Proposed Rule to Exempt a System of Records from Certain Provisions of the Privacy Act.

(8) IRM 11.3.15.4 - added reference to new Exhibit 11.3.15-2.

(9) Added IRM 11.3.15.5.3, Annual FISMA Privacy Review and Report, which contains information on OMB’s annual privacy program review and compliance reporting guidance to Senior Agency Officials for Privacy.

(10) Added new IRM Exhibit 11.3.15-1, Reporting Requirements, which contains various Privacy Act reporting requirements for exemption rule, new or significantly modified systems of records, matching programs and Federal Information Security Modernization Act (FISMA).

Effect on Other Documents

This supersedes IRM 11.3.15 dated September 16, 2013.

Audience

All Operating Divisions and Functions.

Effective Date

(05-03-2018)

Related Resources

The Disclosure and Privacy Knowledge Base is available at:
https://portal.ds.irsnet.gov/sites/vl003/pages/default.aspx.

Frances W. Kleckley
Director, Privacy Policy and Compliance (PPC)

Program Scope and Objectives

  1. Purpose: This IRM provides instructions for the preparation and publication of notices of the existence and character of each system of records concerning individuals maintained by any segment of the IRS, and the preparation and submission of reports of agency intention to establish or alter systems of records subject to the Privacy Act of 1974, 5 United States Code (USC) § 552a, and other Privacy Act publication and reporting requirements. The publication and reporting requirements are carried out by systems owners and Privacy Policy and Compliance (PPC) employees in Headquarters. It is not anticipated that instructions provided by this section will require any involvement by field offices, unless specifically requested by the PPC office.

  2. Audience: The information and guidance in this IRM applies to all IRS employees and contractors.

  3. Policy and Program Owner: PPC, which is under Privacy, Governmental Liaison and Disclosure (PGLD), is responsible for Privacy Act oversight.

Background

  1. Section 3 of the Privacy Act of 1974 (Public Law 93–579, codified as 5 USC § 552a) became effective September 27, 1975. The Act is intended to provide safeguards for an individual against invasions of personal privacy.

  2. The Act permits, with limited exceptions under very specific conditions, an individual to examine agency records pertaining to him/her and limits the conditions under which such records may otherwise be disclosed.

  3. In order to facilitate the purposes of the Act, every agency is required to publish in the Federal Register a notice of the existence and character of each system of records which it maintains. Any document that is retrieved by an identifier for an individual who is a citizen of the United States or an alien lawfully admitted for permanent residence must be covered in a published system of records notice.

    Note:

    Care must be taken in preparing the notice since the use or maintenance of a system of records, except in accordance with the published notice, would be prohibited by the Privacy Act.

  4. Any officer or employee of an agency who willfully maintains a system of records without meeting the notice requirements of the Act may be found guilty of a misdemeanor and fined not more than $5,000.

  5. The usefulness of the Act to the public and the ability of the IRS to readily comply with the requirements of the Act will, to a great extent, be determined by the care and accuracy with which these notices and related materials are prepared.

  6. Care must be exercised to ensure that the tone, language, level of detail and length of the public notice are considered to ensure that the notice achieves the objective of informing the public of the nature and purposes of agency systems of records.

Authorities

  1. The Privacy Act of 1974, as amended, 5 USC § 552a.

  2. Department of the Treasury Regulations appear at Title 31, Part I, Subpart C, of the Code of Federal Regulations. Additional information specific to the IRS is in Appendix B of these regulations.

  3. E-Government Act (2002), Public Law 107-347.

  4. Office of Management and Budget (OMB) Circular A-108.

Responsibilities

  1. The Director, PPC is responsible for:

    • Serving as Privacy Act Liaison Officer for the IRS and maintaining close contact with the Departmental Privacy Act Coordinator for the Department of the Treasury, to ensure that materials submitted meet all Departmental requirements

    • Reviewing all submissions for conformance with this section and ensuring that all submissions comply with the requirements of the Privacy Act

    • Ensuring that all submissions adequately inform the public and protect the rights of individual members of the public as established by the Privacy Act

    • Ensuring the adequacy of all notices, with special regard to routine uses of records maintained in a system, and general Privacy Act matters

    • Accumulating notices involving deletions, editorial changes or limited changes for inclusion in the Republication of Notices of Systems of Records, or for submission at such other intervals as would be appropriate

    • Reviewing the materials required for the Republication of Notices of Systems of Records, the Federal Inventory of Personal Data Systems, and the Annual Report

    • Preparing the reports described in this IRM

  2. Owners of systems are responsible for:

    • Preparation of Reports of New Systems of Records in final form

    • Preparation of input materials required by this section and submission to the Director, PPC.

    Note:

    The component of the Head of Office that is most familiar with the system of records shall write the notice.

    Note:

    Changes that require a new Privacy Act system of records or altered system notice usually will require a new or amended Privacy and Civil Liberties Impact Assessment (PCLIA) pursuant to the E-Government Act, section 208, P.L. 107-347. See IRM 10.5.2.2, Privacy and Civil Liberties Impact Assessment, for information about PCLIAs.

  3. Every IRS manager and employee has responsibilities to prevent unauthorized disclosure of Privacy Act records. Protecting privacy helps maintain confidence in the tax system.

  4. All employees and contractors have responsibility for ensuring IRS records (hard copy and electronic) are appropriately managed, retained, and archived in accordance with IRM series 1.15, Records and Information Management, for records retention and disposition requirements before documents can be destroyed. Refer to Document 12990, IRS Records Control Schedules (RCS), for the National Archives and Records Administration (NARA)-approved IRS records disposition to prevent unauthorized/unlawful destruction of records. Refer to Document 12829, General Records Schedules (GRS), for the NARA-issued disposal authorizations for temporary administrative records common to all Federal agencies.

Terms and Definitions

  1. For purposes of this IRM section, the following definitions apply:

    Term | Definition
    Annual Report | The report by the President to the Speaker of the House and the President of the Senate, required by 5 USC 552a(s). See IRM 11.3.15.5.3.
    Federal Inventory of Personal Data Systems | The requirement that Notices of System of Records be published in a form available to the public at low cost, pursuant to 5 USC § 552a(f). See IRM 11.3.15.3.
    Individual | A citizen of the United States or an alien lawfully admitted for permanent residence (including sole proprietors). The Act does not apply to any entity which is not a natural person, such as a partnership, corporation, decedent, estate or trust.
    Notice of Exempt System | Rules promulgated by a head of agency to exempt any system of records from provisions of the Privacy Act pursuant to 5 USC § 552a(j) and/or (k). See IRM 11.3.15.3.1.
    Record | Defined in 5 USC § 552a(a)(4) as "any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to education, financial transactions, medical history, and criminal or employment history and that contains name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph."
    1. A record can include as little as one descriptive item about an individual.

    2. A file or list containing only names but headed by a label which conveys some information about the people named could constitute a record if it is retrieved by an individual identifier.

      Note:

      Congressional intent was to encompass all records and record systems whereby specific information on an individual is retrieved in any fashion. However, such lists occurring within a system of records do not constitute separate systems.

    3. The physical form of a record within a system is irrelevant. A record which contains information pertaining to an individual and is retrievable by an individual identifier may be in any form which technology permits and would nevertheless be subject to the Act.

    Report on New Systems | The advance notice to Congress and the Office of Management and Budget of any proposal to establish or alter any system of records, which is required by 5 USC § 552a(r). See IRM 11.3.15.5.1.4.
    Republication of System of Records Notice | The publishing in the Federal Register of a notice of the revised or continuing existence and character of previously published systems of records, required by 5 USC § 552a(e)(4). See IRM 11.3.15.4.6.
    Routine use | The disclosure of a record outside the Department of the Treasury for a purpose which is compatible with the purpose for which it was collected.
    System of records | A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
    System of Records Notice | Information which is required to be published in the Federal Register by 5 USC § 552a(e)(4). See IRM 11.3.15.3.

Acronyms

  1. The following acronyms are used in this IRM section:

    Acronym | Definition
    FAR | Federal Acquisition Regulations
    FISMA | Federal Information Security Modernization Act of 2014
    OMB | Office of Management and Budget
    OIRA | (OMB’s) Office of Information and Regulatory Affairs
    PCM | Privacy Continuous Monitoring
    PGLD | Privacy, Governmental Liaison and Disclosure
    POD | Post of Duty
    PPC | Privacy Policy & Compliance
    PPKM | Privacy Policy & Knowledge Management
    SAOP | Senior Agency Official for Privacy
    SB/SE | Small Business/Self Employed
    SOR | System of Records
    SORN | System of Records Notice
    USC | United States Code

Related Resources

  1. The following table contains resources related to Privacy Act publication and reporting requirements:

    Resource | Title or Description
    PGLD’s Privacy Act home page | https://portal.ds.irsnet.gov/sites/vl003/Lists/FOIAandPrivacyAct/DispItemForm.aspx?ID=7
    U.S. Department of Justice, Office of Privacy and Civil Liberties home page | https://www.justice.gov/opcl
    OMB Circular A-108 | Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act
    FAR Subpart 24-3 | Privacy training requirements for contractors
    IRM 10.5.1, Privacy and Information Protection, Privacy Policy | This IRM serves as the framework for IRS privacy policy
    Chief Counsel Directives Manual (CCDM) 37.2.1, Privacy Act of 1974 | Provides instructions and guidelines to the Office of Chief Counsel for implementing the Privacy Act of 1974
    IRM 10.9.1, National Security Information | Provides instructions for the proper handling and disposition of all classified National Security information
    IRM 1.15 series, Records Management | Provides instructions for the proper handling of information (hard copy and electronic) in the creation, maintenance, retrieval, preservation, and disposition of all records
    Document 12829 | IRS Records Control Schedules
    Document 12990 | General Records Schedules
    IRM 1.16, Physical Security Program | Provides instructions for the protection of records
    IRM 10.5.1, Privacy Policy | Provides privacy policy information and instructions
    IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance | Provides instructions for security requirements for electronic records

Systems of Records

  1. Files consisting of records which constitute input to another system of records are not subject to the notice requirement. If the input records contain personal information which is retrieved but not input to the reported system they would constitute a separate system of records. Files which have a continued existence of their own may be subject to the notice requirement despite the fact that they may be part of another system of records.

  2. Files consisting of records produced from another system of records are not subject to the notice requirement if all personal information contained in the output is derived from the system being reported. If additional information is subsequently added to the output, or if the records are subsequently used for an unrelated or different purpose, or if they have a retention period longer than the system being reported, they would constitute a separate system of records.

  3. Files set up to assist in processing a reported system of records but having no meaningful existence of their own and containing no personal information other than that being corrected, correlated, or otherwise moved to or from one or more reported systems of records are not subject to the notice requirement.

  4. Copies of records, whether in the same or altered format, are not subject to the notice requirement, if all personal information contained in the copy merely reflects information contained in the system being reported. If additional information is subsequently given a different characterization, they would constitute a separate system of records.

  5. Correspondence controls are subject to the notice requirement, if the correspondence is retrieved by the name of the initiator or the individual upon whose behalf the correspondence was initiated, or by the identity of the subject of the correspondence, or if the file contained correspondence from a class of persons whose inclusion in the file lent them a particular characterization.

  6. A file which temporarily contains records for processing purposes which will be returned to a reported system upon completion, is not subject to the notice requirement if information contained in the temporary file can be located by reference to the reported file.

  7. Information derived from a reported file for temporary use such as work planning, scheduling field visits, controlling individual inventories, reviewing case loads, or other activities related to the management of the IRS and not reflective of any individual information not recorded in a reported file will not be considered subject to the notice requirement.

  8. Telephone directories and similar lists which do not ascribe any characterization to any person listed are not considered subject to the notice requirement.

  9. Directories, industrial guides, reference works and other source materials prepared commercially are not to be considered systems of records subject to the notice requirement.

  10. Separate notices are not required for the closed portions of files which have been reported as a system of records.

  11. The officials who had responsibility for records when they were open are responsible for preparing notices for closed or retired files which have no active counterpart. This should not be considered an instruction to search for and account for any document files from which records are no longer retrieved for IRS purposes.

When to Publish a System of Records Notice

  1. Agencies are required to publish a System of Records Notice (SORN) in the Federal Register when establishing a new system of records and must also publish notice in the Federal Register when making significant changes to an existing system of records. As a general matter, significant changes are those that are substantive in nature and therefore warrant a revision of the SORN in order to provide notice to the public of the character of the modified system of records. The following are examples of significant changes:

    1. A substantial increase in the number, type, or category of individuals about whom records are maintained in the system. For example, a system covering physicians that is being expanded to include other types of health care providers (e.g., nurses or technicians) would require a revised SORN. Increases attributable to normal growth in a single category of individuals generally would not require a revised SORN.

    2. A change that expands the types or categories of records maintained in the system. For example, a benefit system that originally included only earned income information that is being expanded to include unearned income information would require a revised SORN.

    3. A change that modifies the scope of the system. For example, the combining of two or more existing systems of records.

    4. A change that modifies the purpose(s) for which the information in the system of records is maintained.

    5. A change in the agency’s authority to maintain the system of records or maintain, collect, use, or disseminate the records in the system.

    6. A change that modifies the way in which the system operates or its location(s) in such a manner as to modify the process by which individuals can exercise their rights under the statute (e.g., to seek access to or amendment of a record).

Scope of a System of Records

  1. Before developing a SORN, agencies shall carefully consider the proper scope of the system of records. Agencies have discretion in determining what constitutes a system of records for purposes of preparing a notice. However, agencies shall consider the following general factors when determining whether a group of records will be treated as a single system or multiple systems for the purposes of the Privacy Act:

    1. The agency’s ability to comply with the requirements of the Privacy Act and facilitate the exercise of the rights of individuals.

    2. The informative value of the notice. Agencies shall consider whether a single SORN or multiple SORNs would provide the most informative notice to the public about the existence and character of the system(s).

    3. The agency’s ability to be responsive to individual access requests. Agencies shall consider whether a single SORN or multiple SORNs would provide the best notice to individuals regarding how and where they may request access to their records maintained in the system(s) and would allow the agency to most effectively respond to such requests.

    4. The purpose(s) and use(s) of the records. If different groups of records are used for distinct purposes, it may be appropriate to treat those different groups of records as separate systems. Although different groups of records may serve a general common purpose, agencies shall also consider whether different routine uses or security requirements apply to the different groups, or whether the groups are regularly accessed by different employees of the agency.

    5. The cost and convenience to the agency, but only to the extent consistent with the above considerations regarding compliance and individual rights.

    Considerable latitude is left to agencies in defining the scope or grouping of records that constitute a system of records. An agency may choose to consider the entire group of records for a particular program as a single system, or the agency may consider it appropriate to segment a group of records (e.g., by function or geographic unit) and treat each segment as a system of records to provide better notice to the public. When an agency chooses to segment a group of records into separate systems of records, the agency shall nevertheless ensure that the SORN for each segment clearly describes any linkages that exist between the different systems of records based on the retrieval of the records. For example, if records described in different SORNs are in fact linked together through a central indexing or retrieval capability such that an employee or contractor retrieving records described in one SORN would necessarily also retrieve and gain access to records described in another SORN, the agency shall explain this linkage in the “Policies and Practices for Retrieval of Records” section of both SORNs.

  2. A government-wide system of records is where one agency has regulatory authority over records in the custody of multiple agencies, and the agency with regulatory authority publishes a SORN that applies to all of the records regardless of their custodial location. The application of a government-wide SORN ensures that privacy practices with respect to the records are carried out uniformly across the Federal Government in accordance with the rules of the responsible agency. For a government-wide system of records, all agencies – not just the agency with government-wide responsibilities – are responsible for complying with the terms of the SORN and the applicable requirements in the Privacy Act, including the access and amendment provisions that apply to records under an agency’s control.

  3. As a general matter, a government-wide system of records is appropriate when one agency has government-wide responsibilities that involve administrative or personnel records maintained by other agencies. For example, the Office of Personnel Management has published a number of government-wide SORNs relating to the operation of the Federal Government’s personnel programs.

  4. A Treasury-wide system of records covers many Treasury bureaus, including IRS.

  5. See the Systems of Records Notices page on IRS.gov for more information on SORNs, including links to government-wide, Treasury-wide, and IRS SORNs.

What Must Be Included in a System of Records Notice

  1. Each SORN will include the following information:

    1. Identification: Always shown as Treasury/IRS.

    2. System Number: Each system of records is assigned a system number. When preparing a new notice, request a system number from the Director, PPC via email addressed to the *Privacy mailbox. For a list of IRS systems of records and numbers, go to: http://www.treasury.gov/privacy/issuances/Pages/default.aspx#IRS or the IRS intranet website: https://portal.ds.irsnet.gov/sites/vl003/lists/foiaandprivacyact/privacyact.aspx

    3. System Name: The system name should be a title which generally reflects the categories of individuals in the system and/or the object of maintaining the system, so as to be informative to the user of the notice. However, it is not intended that systems having established names should be renamed for this purpose. The system name should be followed by a dash and the identifier Treasury/IRS.

    4. Security Classification: A security classification should only be shown if the entire system is classified Top Secret, Secret, or Confidential. The initial submission of Notices of Systems of Records did not indicate the existence of any classified system in the IRS.

    5. System Location: Because the IRS is a decentralized organization, a System will usually have segments at various locations. For notice purposes these separate segments will be considered to be part of an overall system, although they function separately. The System location should be shown as Headquarters, IRS offices, Posts of Duty (PODs), campuses, or a computing center (as may be applicable) followed by the legend "(See IRS Appendix A)." Appendix A will cite the addresses for Headquarters, area offices, territory offices, campuses, and Computing Centers. Individual notices citing one or more of the above should not repeat the address. Any Notice which cites a location other than the above (except Post of Duty) should specify the city and street address or building name at which the System of Records is located.

    6. Categories of Individuals Covered by the System: The purpose of the requirement to state categories of individuals covered by the system is to assist an individual to determine if information on him/her might be in the system. The description of the categories should therefore be clearly stated in non-technical terms understandable to individuals unfamiliar with data collection techniques. The more specific and limited the categories described are, the fewer inquiries are likely to result from persons wondering if they are included in the system. However, any future broadening of the categories of individuals on whom records are maintained would require publication of a revised public notice before the change is put into effect.

    7. Categories of Records in the System: The categories should describe the types of information contained therein using non-technical terms. The addition of any new categories of records not within the categories described in a current notice would require the issuance of a revised public notice before the change is put into effect.

    8. Authority for maintenance of the system: Each system of records should identify the specific statutory authority or Executive Order which authorizes maintaining the system. In the absence of a more specific authority, 5 USC § 301 should be shown.

    9. Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses: Each system of records should identify:

      1. The types of disclosures made from the system pursuant to 5 USC § 552a(b)(3) and

      2. The category of recipients and the purpose of disclosure. Care should be taken to include disclosures required by other statutes and appropriate citations.

        Note:

        Release of information to a member of Congress in response to written authorization of the constituent is a (d) release and not a routine use release.

        Note:

        Any new routine use or change in an existing routine use which has the effect of expanding the availability of the information in the system will require publication of a revised public notice before the change is put into effect.

    10. Policies and Practices for the storing, retrieving, accessing, retaining, and disposing of records in the system: Each system of records requires four separate entries as follows.

      1. Storage: Each system of records should list the type of medium in which records are maintained (e.g., paper records, digital media, magnetic media).

      2. Retrievability: Each system of records should explain how the system is indexed (e.g., by name, social security number).

      3. Safeguards: Each system of records should explain what measures have been taken to prevent unauthorized disclosure of records (e.g., physical security, personnel screening). A statement that Access Controls will be not less than provided for by chapter 10.2, Physical Security Program, and chapter 10.8, Information Technology (IT) Security, may be used when appropriate.

      4. Retention and Disposal: Each system of records should explain how long the records are maintained, if and when they are removed to a Federal Records Center or to the Archives, if and how they are destroyed. The entry may be based upon, or may make reference to, an appropriate records disposition schedule. See IRM 1.15, Records and Information Management.

    11. System manager(s) and addresses: Each system of records will generally require two entries:

      1. The title of the official who prescribed the system and

      2. The official or, in a dispersed system, the officials, who have physical control of the system as "Officials maintaining the system."

        Note:

        The official who prescribed the system will generally be an Area Manager or Head of Office. The official maintaining the system will generally be the Head of Office. Locations will be given for maintaining officials only.

    12. Notification procedure: Each system of records should include:

      1. The title and office of the official to whom an inquiry should be addressed;

      2. A citation to applicable regulations; and/or

      3. A statement of exemption.

    13. Record Access Procedure: Each system of records should contain information naming the business unit that owns the records and how to request a copy of the records in the system.

    14. Contesting Record Procedure: Each system of records should contain appropriate elements similar to k) above. In appropriate circumstances, this entry may call attention to IRC § 7852(e) which precludes use of the Privacy Act to contest tax liability.

    15. Record Source Categories: Each system of records should indicate in general terms the sources of the information in the system. It is not the intention of this section to make available information concerning sources in investigations whose records would be exempt from the inspection provision.

    16. Exemptions Claimed for the System: "Systems exempted from certain provisions of the Act" is an entry intended to permit ready identification of those items which have been published in the Federal Register as part of a Notice of Exempt Systems. No entry is made for systems which are not exempt.

  2. Special care should be taken in wording the entries for Routine Uses, Notification, Record Access, and Contesting Record Procedures.

How to Write a Proposed Rule to Exempt a System of Records from Certain Provisions of the Privacy Act

  1. The requirement to publish a public notice applies to all systems of records maintained by an agency.

  2. The contents of some systems of records may, however, be exempted from the requirement that individuals be permitted access to those records and other requirements. Whenever a new SORN is proposed for a system that is intended to be exempt from some provision of the Privacy Act, an appropriate revision to the Notice of Exempt Systems must be submitted for the Commissioner’s approval.

  3. Whenever this exemption is exercised, the SORN may be somewhat less detailed or may be simplified, especially in regard to the statement of sources of information since in many investigative situations a suitable source of information can only be determined by the needs of the particular investigation.

  4. No system of records is automatically exempt from any provision of the Act. To obtain an exemption from any requirement of the Act requires that the agency head make a determination, and publish it as a rule subject to the Administrative Procedure Act, that a system falls within one of the categories of systems which are permitted to be exempted. That notice must include the specific provisions from which the system is proposed to be exempted and why the agency considers the exemption necessary.

  5. Any meaningful change in the categories of individuals covered by the system or the categories of records in the system may make it advisable to republish the Notice of Exempt Systems.

  6. Assistance in drafting a revision to the Notice of Exempt Systems should be requested from the Office of Chief Counsel (Procedure and Administration).

  7. Notices of Exempt Systems must be accompanied by a report identifying the changes or additions being made, and describing the nature, effect and reasons for the proposed exemption in greater detail than in the Notice itself.

New Notices of Systems of Records

  1. Information about individuals cannot be collected for inclusion in a system of records until a public notice of that system has been issued.

  2. Every employee who believes he or she may be maintaining a system of records subject to the Act should satisfy himself or herself that such system is being maintained in accordance with IRS instructions and that the Notice requirements have been met.

  3. Inquiries and recommendations from employees concerning the adequacy of existing notices should be directed to the official identified in the published notice as maintaining the system. Inquiries and recommendations concerning systems of records which do not appear to be covered by an existing notice should be processed through normal supervisory channels within the function whose records are involved. The responsibility for the system of records lies with the official who is the issuing authority for the instructions which caused the records to be accumulated.

  4. Officials identified in notices as maintaining a system of records are to forward any matters they are unable to resolve and their own inquiries and recommendations to the official who issued the governing instructions authorizing or prescribing the existence or maintenance of the systems of records.

  5. Officials maintaining systems of records are responsible for conforming those systems to all Privacy Act requirements. Those officials are responsible for preparing systems of records notices and packages for records they own. Heads of Office are responsible for preparing SORN packages for records they own.

    Note:

    Special care should be taken to observe established Records Disposition Schedules, since a file consisting extensively of records which should have been disposed of could be a system of records which does not meet the notice requirement or otherwise violates the Privacy Act.

  6. Heads of Office are responsible for:

    1. Resolving inquiries and recommendations from officials and employees within their functions;

    2. Determining the adequacy of existing notices;

    3. Assuring that existing practices conform to Privacy Act requirements; and

    4. Preparing new notices as necessary.

  7. Heads of Office should have a continuing program for carrying out these objectives and monitoring field activities. All contacts with field components to ensure compliance and adequate field input to the development of new or revised notices will be along functional lines similar to the Internal Revenue Manual provisions authorizing the maintenance of the system of records.

Publishing Notices of Systems of Records

  1. There are several different circumstances under which a SORN may be submitted. The circumstances will determine the timing and the processing of the notice and should be explained in the accompanying transmittal memorandum. Heads of Office of the component that owns the record are responsible for preparing the package.

    Note:

    The owners of the records are responsible for preparing all notices and reports for a system of records package. PGLD is responsible for providing a technical review of the package.

  2. See Exhibit 11.3.15-2, Federal Register Publication Requirements.

Deleting a Notice

  1. A notice may be deleted because the system:

    • Was submitted in error

    • Was not subject to the Privacy Act or

    • Has been discontinued

  2. The deletion action may be taken by preparing a suitable announcement for insertion in the Federal Register, if it is considered important that the public be informed as soon as possible of the deletion. When time is not a factor, the deletion may be accomplished by memorandum as part of the annual republishing of notices.

  3. Once deleted, any subsequent proposal to reinstate the same system of records will be subject to reporting requirements as a new system.

Editorial Changes

  1. Editorial changes consist of:

    • Corrections of typographical errors

    • Correction of spelling or grammatical errors

    • Minor rewording intended to clarify an existing notice and

    • Similar revisions

  2. An editorial change reissues the notice, but does not reflect any change in the system of records and therefore requires very little justification in the accompanying memorandum.

Limited Changes

  1. Limited changes reflect modifications of an existing system of records which do not fall within the criteria established for submission of a Report on New Systems.

  2. They do not involve any interruption or delay in operating the system pending the submission of such Report and the publication of a new notice.

  3. A proposed limited change should be fully justified in the accompanying memorandum in order to demonstrate that the requirements for Report and Notice prior to operating the system have been considered and found to be inapplicable.

Modified System

  1. A change to a System of Records Notice that modifies an existing system of records falling within the criteria established for submission of a Report on New Systems should be treated as a notice for a new system, and the transmittal memorandum should include the information specified for a new system.

New System

  1. The component that owns the records is responsible for submission of a modified system or a proposed system package that is accompanied by a detailed transmittal memorandum.

  2. The submission must be accompanied or preceded by a Report on New Systems.

  3. The transmittal memorandum should indicate any necessary expeditious handling and should include a proposed schedule for implementing the various related actions such as:

    • Submission of the Report of New System

    • Publication of proposed and final Notice of Exempt System

    • Consideration of any public comments

    • Issuance of data collection forms and/or instructions

    • Issuance of Request for Proposal or Invitation to Bid for computer or communications systems

    • Installation of equipment and

    • Implementation of the system

  4. In some cases, a statute may require that a system of records begin functioning before the agency can comply with all Privacy Act requirements; any such conflicts should be identified in the transmittal memorandum.

Republishing Notices of Systems of Records

  1. Each Head of Office whose component owns the records is responsible for submitting the necessary materials for the republishing of Notices of Systems of Records.

  2. The submission will consist of a transmittal memorandum, including as attachments any revised Notices of Systems of Records, prepared in accordance with the instructions appearing in this section.

  3. Revisions which would necessitate a Report of New Systems or an expansion of the Notice of Exempt Systems are not appropriate for inclusion in the republication.

  4. A negative report is required if there are no changes whatsoever. Any item not identified for revision will be reprinted automatically. In order to ensure that every existing notice has been considered, the memorandum should list the name and identifying number of each system of records which is to be continued unchanged.

  5. Each memorandum should contain a statement that the appropriate official has a continuing program for ensuring that systems of records under his or her control conform to the requirements of the Privacy Act, the field activities are being adequately monitored, and that the appropriate official is satisfied that these objectives are being met.

  6. The republication effort is performed periodically as initiated by the Department of the Treasury in order to permit routine revision and updating of notices so that reasonably current information is readily available to the public.

Privacy Act Reports and Reports With Sections Requiring Privacy Act Information

  1. PGLD will generally prepare the following reports, except that PGLD prepares the privacy section for the FISMA report and submits it to IT. However, other business units are responsible for providing PGLD requested information to complete sections of the report.

  2. The following subsections list the reports.

Report on New Systems of Records

  1. A Report on New Systems must be submitted when the establishment of a new system of records subject to the Privacy Act is proposed or when any change to an existing system meets any of the following criteria.

Submission Criteria

  1. A Report is necessary when any change or new system:

    1. Increases the number, or changes the types, of individuals about whom records are maintained. Changes involving the number of individuals about whom records are kept need only be reported when that change significantly alters the character and purpose of the system of records.

      Note:

      Normal increases in historical files or other increases in the number of records in a file which can be attributed to normal growth patterns need not be reported.

    2. Expands the type or categories of information maintained.

    3. Alters the manner in which the records are organized or the manner in which the records are indexed or retrieved so as to change the nature or scope of those records.

      Example:

      The combining of two or more existing systems or splitting an existing system into two or more different systems such as might occur in a centralization or decentralization of organizational responsibilities would require a report. However, the combining or splitting of notices without any significant change to the system does not require a report.

      Example:

      A reorganization which placed a system or a portion of a system formerly maintained by SB/SE under the control of Criminal Investigation would require a report. A mere physical relocation, such as would occur if a State formerly served by one Campus were to be served by another Campus, or if the number or location of area offices were to change would not require a new report.

    4. Alters the purposes for which the information is used. A proposal to establish or change the "routine uses" of the system will not require the submission of a Report on New System if such use is compatible with the purposes for which the system is maintained, i.e., does not, in effect, create a new purpose. Any new or changed "routine use" would be subject to the requirements to give 30 days prior notice of such change in the Federal Register, if the effect were to expand the release of information, but not if the effect were to restrict the release.

    5. Changes the equipment configuration (i.e., hardware and/or software) on which the system is operated so as to create the potential for either greater or easier access.

      Example:

      The addition of a telecommunications capability which would increase the risk of unauthorized access would require a report. However, the routine acquisition of equipment meant to effectively utilize processing capabilities which is consistent with the development of the existing system and which does not involve a risk of improper access or create a capability for a massive release of information outside the agency does not require a report.

      Example:

      The use of automated equipment for preparing an analysis of information maintained in a manual system without creating a continuing storage or retrieval capacity does not constitute a change in equipment configuration.

  2. The Report on New Systems is not intended to inhibit the application of technology to data processing or to reduce the efficiency with which agencies serve the public. It is intended to provide an opportunity to examine the impact of new or altered data systems on citizens, the provision for confidentiality and security in those systems and the extent to which the creation of the system will alter or change interagency or intergovernmental relationships related to information programs. The application of the above reporting criteria should be consistent with these objectives.

  3. In applying the submission criteria, a reasonable standard should be used so as to avoid excessive reporting of insignificant details which would have no meaningful effect upon any Privacy Act consideration.

Report Contents

  1. The Report on New Systems shall consist of a brief narrative description and supporting documentation. The report is prepared by the component that owns the records.

  2. The narrative description shall be a brief statement, normally not to exceed four pages in length, which:

    1. Describes the purposes of the system of records.

    2. Identifies the authority under which the system of records is to be maintained.

    3. Provides the agency’s evaluation of the probable or potential effect of such proposal on the privacy including compliance with section (e)(7) of the Privacy Act, which provides that agencies shall "maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity."

    4. Provides a brief description of steps taken by the agency to minimize the risk of unauthorized access to the system of records, including a discussion of higher or lower risk alternatives which were considered for meeting the requirements of the system. A more detailed assessment of the risks and specific administrative, technical, procedural, and physical safeguards established shall be available on request.

  3. The narrative statement should make reference, as appropriate, to information in the supporting documentation rather than restate such information.

  4. Where changes to computer installations, communications networks, or any other general changes in information collection, handling, storage or dissemination are made which affect multiple systems of records, a single consolidated new system report may be submitted. In such cases, the narrative statement should address the overall privacy implications of the proposed change, identify all systems of records affected by the change and briefly describe any unique effect on any specific system of records.

Supporting Documentation

  1. Supporting documentation, as defined in the subsequent paragraphs, shall be provided for each system of records.

  2. An advance copy of the new or revised system notice.

    1. For proposed alterations of existing systems, the documentation should be provided in the same form as the agency proposes to publish the public notice of such changes. If the agency proposes to publish changes in the form of a revision to the public notice, a copy of the proposed notices of revision should be provided.

    2. If the agency plans to supersede the entire existing notice, changes from the currently published notice should be highlighted by underlining all new or revised portions. In some situations, the modification of the system may involve aspects which are not reflected in the SORN, which, therefore, requires no change; a copy of the existing notice should be submitted with an appropriate explanation. In situations in which the planned modifications will be complex and will take place over a period of years, it may not be possible to provide an advance copy of the system notice; however, a tentative outline or a suitable explanation may be submitted instead.

  3. An advance copy of any new rules or changes to published rules which the agency proposes to issue for the new or altered system. If no change to existing rules is required for the proposed new or altered system, the report shall so state. Proposed changes to existing rules shall be provided in a manner similar to that described for the system notices.

  4. An advance copy of any proposed rules setting forth the reasons why the system is to be exempted from any specific provision, if applicable.

  5. The Narrative Statement and Supporting Documentation should be submitted with a transmittal memorandum identifying the materials attached. Existing descriptive materials may be included in the Supporting Documentation. Copies of SORN, Notices of Exemptions or proposed rules should, to the extent possible, be consistent with the established publishing requirements for such materials.

Reporting Systems of Records to OMB and Congress

  1. General. The Privacy Act requires each agency that proposes to establish or significantly modify a system of records to provide adequate advance notice of any such proposal to OMB, the Committee on Oversight and Government Reform of the House of Representatives, and the Committee on Homeland Security and Governmental Affairs of the Senate. This advance notice is separate from the public comment period for new or modified routine uses required by subsection (e)(11) of the Privacy Act and discussed in section 6 of OMB Circular A-108. Agencies provide advance notice to OMB and the committees of jurisdiction in Congress in order to permit an evaluation of the probable or potential effect of such a proposal on the privacy or other rights of individuals.

  2. Advance Notice of a New or Modified System of Records. Agencies shall report to OMB and Congress any proposal to establish or significantly modify a system of records at least 30 days prior to the submission of the notice to the Federal Register for publication. OMB will have 30 days to review the proposal and provide any comments to the agency. The 30-day review period is separate from – and may not run concurrently with – the publication period in the Federal Register. Only significant changes to a system of records that require revision to the SORN, as described in section 6 of OMB Circular A-108, need to be reported to OMB and Congress; changes that are not significant do not need to be reported. Advance notice to OMB and Congress is required by subsection (r) of the Privacy Act. The purpose of the advance notice to OMB and Congress is to permit an evaluation of the potential effect of the proposal on the privacy and other rights of individuals.

  3. Although the review period will generally require no more than 30 days, OMB has the discretion to extend the 30-day review period based on the specific circumstances of the proposal. If an agency has questions about the timing of the review, the agency shall consult with OIRA.

  4. In circumstances where it is not feasible for the agency to wait until the 30-day review period for OMB and Congress has expired to publish the notice in the Federal Register, the agency may submit a formal written request from the Senior Agency Official for Privacy to OIRA for an expedited advance review period (see section 7(d) of OMB Circular A-108 for information about expedited review requests).

  5. See Exhibit 11.3.15-1, Reporting Requirements, for new or altered Privacy Act Systems of Records reporting requirements.

Privacy Act Request Report

  1. The IRS files an annual report with the Department of Treasury for inclusion in the Freedom of Information Act Annual Report submission to the Department of Justice that contains statistical data concerning Privacy Act and Freedom of Information Act requests, administrative appeals and litigation.

  2. IRM 11.3.13.10 provides additional information on this report.

Annual FISMA Privacy Review and Report

  1. The Privacy Act originally required the President to submit a biennial report to Congress describing the administration of the statute. However, this requirement was subsequently repealed. In place of the biennial Privacy Act report, OMB now reports to Congress on agencies’ compliance with privacy requirements through the annual Federal Information Security Modernization Act of 2014 (FISMA) report to Congress.

  2. Each year, OMB issues guidance instructing each Senior Agency Official for Privacy to review the administration of the agency’s privacy program and report compliance data to OMB. OMB uses the reports from agencies to develop its annual FISMA report to Congress.

Annual Matching Activity Review and Report

  1. At the end of each calendar year, the Data Integrity Board of each agency that has participated in a matching program during the year shall conduct a review of that year’s matching programs and submit a report to the head of the agency and to OMB. The report for the preceding calendar year shall be submitted to OMB at privacy-oira@omb.eop.gov by June 1 and posted on Treasury’s website at www.treasury.gov/privacy (see section 15 of OMB Circular A-108 for further information).

  2. The Data Integrity Board’s annual matching activity report shall include the following elements:

    A. Current information about the composition of the Data Integrity Board, including:

      1. a list of the names and positions of the members of the Data Integrity Board;

      2. the name and contact information of the Data Integrity Board’s secretary; and

      3. any changes in membership or structure of the Data Integrity Board that occurred during the year.

    B. A list of each matching program in which the agency participated during the year. For each matching program, the report shall include:

      1. a brief description of the matching program, including the names of all participating Federal and non-Federal agencies;

      2. links to the matching notice and matching agreement posted on the agency’s website at www.Treasury.gov/privacy;

      3. an account of whether the agency has fully adhered to the terms of the matching agreement;

      4. an account of whether all disclosures of agency records for use in the matching program continue to be justified; and

      5. an indication of whether a cost-benefit analysis was performed, the results of the cost-benefit analysis, and an explanation of why the agency proceeded with any matching program for which the results of the cost-benefit analysis did not demonstrate that the program is likely to be cost effective.

    C. For each matching program for which the Data Integrity Board waived the requirement for a cost-benefit analysis, the reasons for the waiver.

    D. A description of any matching agreement that the Data Integrity Board disapproved and the reasons for the disapproval.

    E. A description of any violations of matching agreements that have been alleged or identified, and a discussion of any action taken in response.

  3. The Data Integrity Board’s annual matching activity report may also include a review of any agency matching activities that are not matching programs.

Section 803 Reports Pertaining to Privacy Act Complaints

  1. Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007 requires certain executive branch departments, agencies, and elements to designate at least one senior official as a "privacy and civil liberties officer." In enacting the statute, Congress explained that such officers are meant "to function as a source of advice and oversight on privacy and civil liberties matters to the agency." More specifically, Section 803 directs that each privacy and civil liberties officer "serve as the principal advisor" to the agency with respect to three issues:

    1. Assisting the agency in appropriately considering privacy and civil liberties concerns in the development and implementation of laws and policies related to efforts to protect the nation against terrorism;

    2. Investigating and reviewing agency actions and procedures to ensure that the agency is adequately considering privacy and civil liberties in its actions; and

    3. Ensuring that the agency has adequate procedures to respond to complaints from individuals who allege that the agency has violated their privacy or civil liberties.

  2. Each agency’s privacy and civil liberties officer (“P/CL officer”) must issue semiannual reports on the discharge of each of his or her functions under the statute. PGLD is responsible for preparing sections of the report that pertain to privacy and the Privacy Act and forwarding the information to Treasury, which compiles the Department’s reports.

  3. Privacy Complaints formal and informal: For Report purposes a privacy complaint is a written allegation filed with the Department concerning a problem with or violation of privacy protections in the administration of the programs and operations of the Department that may be the cause of harm or violation of personal or information privacy. This information may include:

    • Process and procedural issues, such as consent, collection, and appropriate notice

    • Non-Privacy Act of 1974 issues or identity theft mitigation

    • Privacy Act of 1974 issues

  4. Civil Liberties Complaints formal and informal: A written allegation filed with the Department alleging harm or violation of an individual’s constitutional rights. Types of civil liberties complaints include:

    • First Amendment (Freedom of speech, religion, assembly, and association)

    • Fourth Amendment (Protection against unreasonable search and seizure)

    • Fifth Amendment or Fourteenth Amendment, § 1 (Due process and equal protection)

Reporting Requirements

The following table is from OMB Circular A-108 and reflects various Privacy Act reporting requirements for exemption rule, new or significantly modified systems of records, matching programs and FISMA. IRS submits the reports to Treasury for approval. Upon approval, Treasury submits the reports to OMB.

Report: Privacy Act Implementation and Exemption Rules

    • Description: Agencies shall submit Privacy Act rules to OMB under applicable regulatory review procedures and as part of a proposal to establish or significantly modify a system of records.

    • Timing: Agencies shall provide proposed and/or final rules before publication and consult OMB regarding applicable review procedures.

    • Recipient(s): OMB (via ROCIS system).

    • Citation(s): 5 U.S.C. § 552a(f), (j)-(k); Executive Orders 12866 and 13563; sections 10 and 11 of Circular A-108.

Report: Report of New or Significantly Modified System of Records

    • Description: Agencies shall report any proposal to establish or significantly modify a system of records.

    • Timing: Agencies shall submit reports at least 30 days prior to submission of the notice to the Federal Register.

    • Recipient(s): OMB (via ROCIS system) and Congress (via mail).

    • Citation(s): 5 U.S.C. § 552a(r); section 7 of Circular A-108.

Report: Report of New or Significantly Modified Matching Program

    • Description: Agencies shall report any proposal to establish, re-establish, or significantly modify a matching program.

    • Timing: Agencies shall submit reports at least 30 days prior to submission of the notice to the Federal Register.

    • Recipient(s): OMB (via ROCIS system) and Congress (via mail).

    • Citation(s): 5 U.S.C. § 552a(r); section 9 of Circular A-108.

Report: Annual Matching Activity Report

    • Description: Agencies’ Data Integrity Boards shall submit a report describing any matching programs that occurred during the calendar year.

    • Timing: Agencies shall submit the annual report for the preceding calendar year to OMB by June 1.

    • Recipient(s): OMB (via email to privacy-oira@omb.eop.gov) and the head of the agency.

    • Citation(s): 5 U.S.C. § 552a(u)(3)(D); section 14 of Circular A-108.

Report: Annual FISMA Privacy Report

    • Description: The Senior Agency Official for Privacy shall report privacy compliance information to OMB as part of the annual FISMA reporting process.

    • Timing: Agencies shall refer to OMB’s annual FISMA guidance for reporting instructions.

    • Recipient(s): OMB (see OMB’s annual FISMA guidance for reporting instructions).

    • Citation(s): 44 U.S.C. §§ 3551-3558; section 13 of Circular A-108.

Federal Register Publication Requirements

The following table is from OMB Circular A-108 and lists the requirements for creating a Federal Register notice and accompanying reports for OMB and the Congressional committees that oversee the Privacy Act:

Publication: System of Records Notices

    • Description: Agencies shall publish a notice in the Federal Register describing the existence and character of a new or significantly modified system of records. Agencies shall also publish a notice of rescindment when the agency stops maintaining a system of records.

    • Timing: A new or revised SORN is effective upon publication in the Federal Register, with the exception of any new or modified routine uses, which require a minimum of 30 days after publication in the Federal Register before they can become effective.

    • Citation(s): 5 U.S.C. § 552a(e)(4); section 6 of Circular A-108.

Publication: Matching Notices

    • Description: Agencies shall publish a notice in the Federal Register describing an established, re-established, or significantly modified matching program.

    • Timing: A new or revised matching notice is not effective until at least 30 days after its publication in the Federal Register.

    • Citation(s): 5 U.S.C. § 552a(e)(12); section 8 of Circular A-108.

Publication: Privacy Act Implementation Rules

    • Description: Agencies shall promulgate rules to implement the provisions of the Privacy Act.

    • Timing: Agencies must publish a final rule before the rule is effective.

    • Citation(s): 5 U.S.C. § 552a(f); section 10 of Circular A-108.

Publication: Privacy Act Exemption Rules

    • Description: In certain circumstances, agencies may promulgate a rule to exempt a system of records from certain requirements of the Privacy Act.

    • Timing: Agencies must publish a final rule before the exemption is effective.

    • Citation(s): 5 U.S.C. § 552a(j)-(k); section 11 of Circular A-108.