11.3.17 Privacy Act Recordkeeping Restrictions

Manual Transmittal

May 02, 2018

Purpose

(1) This transmits revised IRM 11.3.17, Disclosure of Official Information, Privacy Act Recordkeeping Restrictions.

Material Changes

(1) Editorial changes have been made throughout to update IRM/statute/organizational references and terms. Web references were added/updated throughout to make the text easier to research in electronic media.

(2) Changed ownership and responsibilities throughout from Governmental Liaison and Disclosure (GLD) to Privacy Policy and Compliance (PPC).

(3) IRM 11.3.17.1 - Revised the title to Program, Scope and Objectives, to properly reflect the information communicated in this subsection. Included important information to conform to the new internal and management control standards under the following titles:

  1. IRM 11.3.17.1.1, Background - Information from prior subsection 11.3.17.1 was incorporated into this new subsection.

  2. IRM 11.3.17.1.2, Authorities - Added legal authorities governing Privacy Act record keeping restrictions.

  3. IRM 11.3.17.1.3, Responsibilities - Information from prior subsection 11.3.17.2 was incorporated into this new subsection.

  4. IRM 11.3.17.1.4, Terms and Definitions - Information from prior subsections 11.3.17.6.1 and 11.3.17.7 were incorporated into this new subsection.

  5. IRM 11.3.17.1.5, Acronyms - Compiled a list of frequently used acronyms and their definitions for Privacy Act record keeping restrictions.

(4) IRM 11.3.17.3 - Added reference to the civil liberties information in IRM 10.5.1.

(5) IRM 11.3.17.5.2 and IRM 11.3.17.6.2 - Added references to privacy principles in IRM 10.5.1.

(6) IRM 11.3.17.5.3 - Added records management references.

Effect on Other Documents

This supersedes IRM 11.3.17 dated September 12, 2013.

Audience

All Operating Divisions and Functions.

Effective Date

(05-02-2018)

Related Resources

The Disclosure and Privacy Knowledge Base is available at:
https://portal.ds.irsnet.gov/sites/vl003/pages/default.aspx.

Frances Kleckley
Director, Privacy Policy and Compliance

Program Scope and Objectives

  1. Purpose: This IRM provides Privacy Act record keeping restriction information and instructions to IRS staff that are designed to implement fair information practices, including:

    • Providing Constitutional rights, such as First Amendment compliance, by not gathering information that is not authorized by statute or presidential executive order

    • Reducing the chances of receiving less accurate information from third parties by collecting information, to the greatest extent practicable, directly from the subject individual when the information may result in adverse determinations about an individual’s rights, benefits and privileges under federal programs

    • Maintaining only such information about an individual as is relevant and necessary to accomplish an agency purpose required by statute or by presidential executive order

  2. Audience: The information and guidance in this IRM applies to all IRS employees and contractors.

  3. Policy Owner: Privacy Policy and Compliance (PPC) is responsible for Privacy Act oversight.

  4. Program Owner: The PPC office, under Privacy, Governmental Liaison and Disclosure (PGLD), is the program office responsible for oversight of the Servicewide Privacy Act recordkeeping matters.

Background

  1. The Privacy Act of 1974 provides that agencies will maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless:

    1. Expressly authorized by statute;

    2. Expressly authorized by the individual about whom the record is maintained; or

    3. Pertinent to and within the scope of an authorized law enforcement activity.

  2. The First Amendment states:

    "Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof, or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for redress of grievances."

  3. Congress intended that in determining whether or not a particular activity constitutes the exercise of a right guaranteed by the First Amendment, agencies should apply the broadest reasonable interpretation.

  4. No file should be kept of persons who are merely exercising their constitutional rights. See IRM 11.3.17.2, Permissible Records, below for types of records that may be kept.

  5. Voluntary compliance with the tax laws necessitates maintaining the highest possible degree of public confidence in the integrity of the IRS. The IRS, therefore, has a special responsibility to respect the rights of taxpayers concerning this aspect of the Privacy Act.

Authorities

  1. The Privacy Act of 1974, as amended, 5 United States Code (USC) § 552a.

  2. Department of the Treasury Regulations appear at Title 31, Part I, Subpart C, of the Code of Federal Regulations. Additional information specific to the IRS is in Appendix B of these regulations.

Responsibilities

  1. All IRS employees involved in the design, development, operation, or maintenance of any system of records subject to the Privacy Act should be aware of the requirement prohibiting the maintenance of exercise of First Amendment information and should be alert to any potential violation of that prohibition.

  2. Employees recognizing any questionable practices in regard to this prohibition should report the details, through channels, to the official responsible for prescribing the system of records, for evaluation and correction.

  3. Employees receiving any inquiry from a member of the public questioning the content of any system of records in regard to the exercise of First Amendment rights should forward the inquiry, with a memorandum providing any available background information, through channels, to the managing official for response and appropriate action.

  4. Officials requiring guidance concerning any information being recorded in a system of records under their control should seek PPC’s assistance through the *Privacy mailbox. PPC may collaborate with Disclosure, as needed.

  5. All supervisory or other personnel having review responsibilities for case records should be alert to First Amendment considerations and include them in their reviews.

Terms and Definitions

  1. For purposes of this IRM section, the following definitions apply:

    Term Definition
    Agency Includes any executive department, military department, government corporation, government controlled corporation, or other establishment in the executive branch of the government (including the Executive Office of the President), or any independent regulatory agency.
    Determination Any decision affecting the individual that is in whole or in part based on information contained in the record and that is made by any person or any agency.
    Individual A citizen of the United States or an alien lawfully admitted for permanent residence (including sole proprietors). The Act does not apply to any entity which is not a natural person, such as a partnership, corporation, decedent, estate or trust.
    Maintain Includes the retention, collection, use, and dissemination of information about an individual.
    Necessary Requisite or needful in accomplishing a given task.
    Principal purpose(s) The reason the information is needed, which is the overall reason for which the IRS performs the operation in which the information is to be used, rather than the detailed processing which it is to undergo.
    Relevant Means pertinent to and bearing upon the matter at hand.
    Routine uses The disclosure of a record outside the Department of the Treasury for a purpose which is compatible with the purpose for which it was collected.

Acronyms

  1. The following acronyms are used in this IRM section:

    Acronym Definition
    PGLD Privacy, Governmental Liaison and Disclosure
    PPC Privacy Policy and Compliance
    USC United States Code

Permissible Records

  1. Records describing the exercise of First Amendment rights may be maintained only if one of the following conditions is met.

    1. A statute specifically authorizes it.


      1) Specific authorization means that a statute explicitly provides that an agency may maintain records on activities whose exercise is covered by the First Amendment; not merely that the agency is authorized to establish a system of records.
      2) The statute need not specifically address the maintenance of records of First Amendment activities if it specifies that such activities are relevant to a determination concerning the individual.

      Example:

      Taxpayers are required to provide information necessary to verify deductions on their tax returns. Such information may be recorded although, in some instances, it may reveal how individuals exercise their First Amendment rights; such as, religious affiliation, group membership, or political preference.

    2. The individual expressly authorizes it.

      Example:

      IRS employees may offer information concerning their activities in a community group in order to enhance their chances for advancement by demonstrating the acquisition of some specialized experience or leadership skill.

    3. The record is required by the agency for an authorized law enforcement function. Congress intended to make certain that political and religious activities are not used as a cover for illegal activities.

      Example:

      Individuals who advocate, or who are active in organizations that advocate, noncompliance with the tax laws may reasonably be considered as possibly being involved in actual violations of the tax laws. Appropriate records of such activities may be maintained for compliance purposes.

Equal Treatment

  1. The impetus of this section of the Privacy Act is that all persons should be treated fairly and equally under applicable laws. The absence of First Amendment information from agency records helps to prevent selective treatment of persons on the basis of religion, opinion or group membership.

  2. IRS employees are responsible for avoiding any possible inference of selective treatment of taxpayers on the basis of their exercise of First Amendment rights.

  3. See also the civil liberties section of IRM 10.5.1, Privacy and Information Protection, Privacy Policy.

Collecting Information Relating to Individuals from Third Party Sources

  1. Subsection (e)(2) of the Privacy Act states that an agency should:

    "Collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual’s rights, benefits and privileges under Federal programs."

  2. This provision stems from a concern that information obtained from third party sources could be erroneous, outdated, irrelevant, or biased.

  3. This provision establishes that decisions under Federal programs that affect an individual should be made on the basis of information supplied by that individual, but recognizes the practical limitations by qualifying the requirement with the words "to the extent practicable."

Inquiries Affected

  1. Most inquiries made by the IRS, both in determining tax liability and in dealing with its employees, are subject to the requirement of subsection (e)(2) of the Privacy Act.

  2. Inquiries in connection with criminal investigations, that are maintained as systems of records exempt under subsection (j)(2) of the Privacy Act, are not subject to the requirements of subsection (e)(2).

  3. Although the IRS will "collect information to the greatest extent practicable directly from the subject individual," it is recognized that compliance with internal revenue laws cannot be determined solely with reference to information on returns and documents filed with the IRS and that the IRS will have to obtain information from outside sources.

  4. Inquiries to third parties in connection with the gathering, solicitation and documentation of evidence necessary in developing cases that have been assigned for collection of taxes or examination or investigation of a tax liability, will continue to be governed by the guidelines set forth in those portions of the IRM that relate to the collection of information from third-party sources, including IRM 11.3.14 , Privacy Act General Provisions, and IRM 11.3.14.11, Controlling Information From Third Parties. See IRC § 7602 for rules relating to recordations of third party contacts. (See also IRM 11.3.21, Investigative Disclosure.)

Responsibilities

  1. Officials responsible for systems of records which contain information collected from third-party sources should include in their periodic review of procedures consideration of whether their practices are consistent with the intent of subsection (e)(2) of the Privacy Act and IRM 11.3.14, Privacy Act General Provisions.

  2. This consideration should include a review of those portions of the IRM that relate to the collection of information from third-party sources.

Practical Considerations

  1. In analyzing each situation in which personal information is collected from a third-party source, each functional activity should consider the following:

    1. The nature of the program, i.e., it may well be that the kind of information needed can only be obtained from a third party, such as investigations where the taxpayer’s records are not available.

    2. The cost of collecting the information directly from the individual as compared with the cost of collecting it from a third party.

    3. The risk that the particular elements of information proposed to be collected from third parties, if inaccurate, could result in an adverse determination.

    4. The need to ensure the accuracy of information supplied by an individual by verifying it with a third party or to obtain a qualitative assessment (e.g., in verifying information submitted on a tax return or in connection with the review of an application for employment).

    5. The opportunities for verifying, whenever practicable, any such third-party information by consulting with the individual before making a determination based on third-party information.

  2. The objective, however, should be to obtain information directly from the individual involved whenever it is practical to do so.

Restrictions on the Maintenance of Information About Individuals

  1. Subsection (e)(1) of the Privacy Act provides that each agency that maintains a system of records shall:

    "Maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President."

  2. This provision is intended to reduce the amount of personal information collected by Federal agencies, thus reducing the risk of intentional or inadvertent improper use of personal data.

  3. See IRM 11.3.17.1.4 above for definitions for the following terms, which are used throughout the remainder of this IRM:

    • Maintain

    • Relevant

    • Necessary

Records Affected

  1. Subsection (e)(1) of the Privacy Act is applicable to all records maintained by the IRS (including those pertaining to taxpayers, IRS employees, and other individuals) unless otherwise exempted.

  2. The IRS has asserted exemptions provided by the Privacy Act with regard to subsection (e)(1) for various systems of records.

  3. The exempt systems are primarily those that are investigative in nature and have been exempted in order to permit an orderly collection of data without challenge until such time as the relevance and necessity of the data has been determined. It is not possible to determine the relevance or necessity of specific information during the early stages of an investigation. Relevance and necessity are questions of judgment and timing. What appears relevant and necessary when collected may subsequently be determined to be irrelevant or unnecessary. It is only after the information is evaluated that the relevance and necessity of such information can be established with certainty.

  4. When information is received by the IRS relating to violations of law within the jurisdiction of other agencies, the IRS maintains this information in order to forward the material to the appropriate agencies and/or to respond to valid requests from those agencies to the extent provided by law or regulation.

  5. The handwritten notes of an agent taken during the interview of a witness continue to be relevant and necessary, and should not be destroyed even though they may have been included in a formal report. Court decisions have held that such notes must be preserved and are discoverable.

  6. The IRS will limit its inquiries to information that is necessary for the enforcement and administration of tax laws and the internal administration of the IRS.

  7. Although it may have been necessary to exempt some systems of records from subsection (e)(1), the principles of relevance and necessity nevertheless remain applicable to all records to the extent that we are able to apply them. These provisions will be applied to exempt systems of records to the extent that it is practical to do so.

    Caution:

    Employees should not collect, maintain, use or disseminate non-tax related information concerning taxpayers, except as necessary for the enforcement and administration of the internal revenue laws.

Guidelines

  1. In order for the IRS to maintain information in its records, the information must serve a purpose that is required by statute or executive order of the President.

  2. The authority of the IRS to maintain a system of records does not give it the authority to maintain any information which is merely useful, nor may information be maintained merely because it is relevant. The information must be both relevant and necessary to accomplish the authorized purpose for which it is maintained.

  3. In the final analysis, a determination that information is relevant and necessary is judgmental. Such judgments should, however, be based upon a realistic evaluation of the purpose to be served by the information being maintained and a sound understanding of the principles underlying the Privacy Act. The IRS privacy principles are in IRM 10.5.1 .

  4. The standards used to define necessity and relevance will vary widely depending upon the type of activity involved and the specific needs of a particular type of case.

  5. Some examples of factors that may be considered in determining whether information is relevant and necessary are listed below.

    1. How does the information relate to the legal purpose for which the system is maintained?

    2. What are the adverse consequences, if any, of not collecting this particular information?

    3. Could the need be met through the use of information not in individually identifiable form?

    4. Does the information need to be collected on every individual who is the subject of a record in the system, or would a sampling procedure suffice?

    5. At what point will the information have satisfied the purpose for which it was collected, i.e., how long is it necessary to retain the information?

    6. Is the information, while generally relevant and necessary to accomplish a statutory purpose, specifically relevant and necessary only in certain areas?

  6. In addition to providing a standard that protects the privacy of the individual, the concepts of relevance and necessity can contribute to effective operations. The maintenance of information that is not relevant and necessary constitutes an ineffective use of IRS resources, that should be avoided. This standard can therefore be useful in promoting efficiency and good management.

  7. This provision is not intended, however, to interfere with the maintenance, evaluation, or presentation of evidence in civil or criminal matters.

Actions to be Taken

  1. A detailed review of the contents of each record within a system is not required and should not be attempted. It is important, however, that we consider the legality, relevance, and necessity of the general categories of information maintained to ensure compliance with the Act.

  2. A review of systems of records to ensure compliance with these requirements should be made:

    1. In connection with the initial design of a new system of records;

    2. Whenever any change is proposed to an existing system of records;

    3. As part of the republication of the Notice of Systems of Records;

    4. Whenever an individual requests deletion of information on the basis that it is not relevant and necessary; and

      Note:

      Review of such request should cause PPC to consider whether the inappropriate information constitutes an isolated occurrence or is characteristic of the system of records. If the inclusion of inappropriate information appears to be characteristic of the system of records or sufficiently widespread to warrant broad remedial action, PPC will refer the concern to the official responsible for prescribing the system of records who will take appropriate action.

    5. Whenever information indicative of a need for such review is received by the official responsible for prescribing the system of records.

  3. All IRS employees involved in the design, development, operation, or maintenance of any system of records subject to the Privacy Act should be aware of the provisions concerning the legality, relevance and necessity of information maintained concerning an individual.

  4. Employees recognizing any questionable or undesirable practices in regard to these provisions should report the details, through channels, to the official prescribing the system of records for evaluation and appropriate action.

  5. Each Headquarters official who prescribes the maintenance of a system of records or issues IRM instructions to employees involved in the design, development, operation, or maintenance of any system of records, should expand such instructions to include appropriate or necessary guidance to achieve compliance with the relevance and necessity provisions of the Privacy Act, as outlined in (6) and (7) below.

  6. Automated systems of records characteristically involve a limited number of data elements that are applicable to a large number of records. The inclusion of inappropriate information therefore tends to be characteristic of any system of records in which it occurs. Emphasis should be placed upon proper evaluation of the information to be recorded at the time the system is designed or updated. Since all the data elements to be included are known at the time of initial design, careful consideration of each element should result in an extremely high degree of compliance with the Privacy Act requirements.

  7. Systems of records that consist primarily of information entered upon preprinted forms require a somewhat different approach. Emphasis should be placed upon the design of the form, that should request only relevant and necessary information. In addition to designing or revising forms, consideration of these aspects must also be included in the instructions on the use and preparation of the forms.

  8. Far more complex problems exist when a system of records consists of information that was gathered by personal interviews or investigative procedures and recorded in narrative form. The unstructured nature of such information gathering creates a risk of abuse in individual instances, that is difficult to detect and correct. Instructions for designing or maintaining such records should stress the following:

    1. Guidelines to assist employees in conforming with the relevance and necessary provisions, keeping in mind the wide variance between activities and the specific needs of particular types of cases. Guidelines should, to the extent possible, help prevent inappropriate inquiries without hampering investigative techniques.

    2. Every employee engaged in investigative inquiries is expected to use mature judgment and to exercise self-discipline in determining the types of information to be requested and recorded.

    3. Extreme caution should be used when dealing with information of a highly personal nature relating to the relationships between individuals or personal activities that would not generally be made public by the individual involved.

    4. The mere fact that a person volunteers personal information does not serve as authority to record it, as it may nevertheless be irrelevant and unnecessary.

    5. In a pluralistic society, employees may have contact with individuals who follow a variety of life styles, some of which may involve relationships or practices that may seem strange or even abhorrent to the investigator. Such factors would not generally be tax related, and information concerning them should not be collected unless it can be shown to be relevant and necessary to a particular case.

    6. If possible, opinions or subjective impressions of individuals should generally be avoided. However, certain cases may require recording such impressions, especially those involving potential assaults upon IRS personnel, cases located in high crime areas, cases pertaining to uncollectible accounts, and cases recommending further investigation. Opinions or subjective impressions should be specifically identified as such, and, whenever appropriate, be accompanied by factual substantiation.

      Caution:

      Extreme caution should be used when dealing with information of a highly personal nature relating to the relationships between individuals or personal activities that would not generally be made public by the individual involved.

    7. Existing supervisory or other review procedures should be utilized to identify instances of employees maintaining information that is not relevant or necessary. If a record is created or discovered that is irrelevant to the system of records (SOR), in which it is currently filed, it should be removed from the SOR and placed in the correct filing or recordkeeping location. Do not dispose of the record until its authorized destruction date (if there is one) as identified in either Document 12829, General Records Schedules, or Document 12990, Records Control Schedules. See also IRM 1.15, Records and Information Management, for additional information on records management responsibilities. If erroneous or incorrect information is discovered, it should be corrected and the file annotated, to indicate the date the correction was made. Reviewers should advise employees of the irrelevant entry to assist them in clearly understanding the meaning and importance of relevance and necessity; and whatever trends are identified, make recommendations to the responsible official for further guidelines or other corrective actions.

    8. In appropriate situations, awareness and responsiveness to Privacy Act principles should be developed as factors for use in employee evaluations.

Individual Recourse

  1. Any employee who believes he or she has been directed to maintain a record that is not relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President or to maintain a record describing how any individual exercises rights guaranteed by the First Amendment (except as provided by the Privacy Act), or who otherwise believes he or she has been directed to violate the Privacy Act, should bring such matter to the attention of his or her immediate supervisor.

  2. Supervisors requiring assistance in responding to inquiries pursuant to (1) above should refer the matter to PPC through the *Privacy mailbox. PPC may collaborate with Disclosure, as needed.

  3. Any employee and/or supervisor who has complied with (1) or (2) above and is not satisfied with the response or who prefers not to comply with the above, may submit an allegation of violation of the Privacy Act directly to the Treasury Inspector General for Tax Administration (TIGTA).

Privacy Act Requirement to Maintain Accurate, Relevant, Timely and Complete Records

  1. Subsection (e)(5) of the Privacy Act provides that each agency that maintains a system of records shall:

    "... Maintain all records that are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination."

    1. The objective of this provision is to minimize, if not eliminate, the risk that an agency will make an adverse determination about an individual on the basis of inaccurate, incomplete, irrelevant or out-of-date records. See IRM 11.3.17.1.4 above for the definition of the term determination.

    2. The phrase as is reasonably necessary recognizes the difficulty of establishing absolute standards of data quality.

      Note:

      Emphasis is placed on assuming the quality of the record in terms of its use in making decisions affecting the rights, benefits, entitlements, or opportunities (including employment) of the individual. Accordingly, it is at the time of making a determination that the standards need to be applied.

  2. Subsection (e)(6) of the Privacy Act provides that:

    "... prior to disseminating any record about any individual to any person other than an agency, unless the dissemination is made pursuant to subsection (b)(2) of this section (the Freedom of Information Act), make reasonable efforts to assure that such records are accurate, complete, timely, and relevant for agency purposes."

    1. The primary objective of this provision is to assure the quality of records disclosed to persons that are not subject to the provisions of subsection (e)(5).

      Note:

      It is, therefore applicable, whenever a disclosure is made to a person other than the individual to whom it pertains.

    2. The provision also recognizes that information disclosed to other agencies is subject to the standards of accuracy, etc., established by those agencies.

      Note:

      Therefore, this provision does not apply to disclosures made to an agency. See IRM 11.3.17.1.4 above for the definition of the term agency.

    3. Reminder:

      Technical employees such as Revenue Agents and Revenue Officers should be advised to keep their files clean of unrelated materials.

      Example:

      When employees print information from third party data or asset information services or other such system, they should immediately discard all material on unrelated parties unless such information is functionally declared necessary (e.g., to detail specific search methodology).

Exempt Systems

  1. Various systems of records have been designated exempt under subsection (j)(2) of the Privacy Act from the provisions of subsection (e)(5).

  2. All systems of records are subject to the provisions of subsection (e)(6) of the Privacy Act.

Actions Required

  1. Privacy Act instructions are applicable to all employees who maintain, collect, use or disseminate information about individuals in published systems of records.

  2. When information is put into any system, the language should be carefully phrased so as not to misrepresent the facts, or be subject to an inaccurate or misleading interpretation.

    Note:

    Statements made by witnesses about an individual should be reflected as such and should not be indicated as established facts.

  3. Information collected should be relevant, timely, and complete.

  4. Information put into IRS records should relate to some matter that the IRS is authorized and required to maintain in order to carry out its lawful mission.

    Note:

    Information maintained about employees should relate only to their employment.

  5. Completeness is vital in order not to misrepresent or to be unfair, or to present an unfair picture of a situation which could result in a determination harmful to the rights of the individual.

    1. Caution:

      Employees should be careful in meeting the completeness standard in that they should not collect irrelevant or unnecessary information. Records should include only those elements of information that clearly bear on the determination for which the records are intended to be used, but should include all elements necessary for the determination to be made.

  6. Prior to disseminating any record about an individual to a person (not an agency) other than the individual to whom it pertains, make reasonable efforts to assure that the requirements of subsection (e)(6) relating to accuracy, completeness, timeliness, and relevance have been fulfilled and that the record relates to the purposes of the IRS.

  7. Any record disclosed must be as accurate as when the IRS made the determination about the individual. If the information does not meet this standard, the record must be corrected before dissemination.

  8. The actions required by (6) and (7) do not lend themselves to specific periodic actions. However, this does not reduce the importance of IRS responsibility to comply with the provisions.

    1. Meeting the demands of these provisions will require all employees to have an awareness of the rights of individuals.

    2. Employees must be alert to the fact that notations made and actions taken may have far-reaching effects.

    3. Employees should make every effort to ensure that the records they help to create would not result in an unfair determination about any individual.

    4. IRS privacy principles are in IRM 10.5.1.