- 30.6.1 Security of Confidential Information, Official Documents, Tax Data, Personnel and Property
- 22.214.171.124 Policy and Guidelines
- 126.96.36.199 Security of Confidential Information, Official Documents and Tax Data
- 188.8.131.52.1 Documents Classified as "Official Use Only"
- 184.108.40.206.2 Disposition of SBU and OUO Information
- 220.127.116.11.3 Electronic Mail and Messaging
- 18.104.22.168.4 Records Statutes, Records Control Schedules and Disclosure
- 22.214.171.124 Security of Personnel and Property
Part 30. Administrative
Chapter 6. Security and Emergency Preparedness
Section 1. Security of Confidential Information, Official Documents, Tax Data, Personnel and Property
October 05, 2016
(1) This transmits revised CCDM 30.6.1, Security and Emergency Preparedness; Security of Confidential Information, Official Documents, Tax Data, Personnel and Property.
(1) CCDM 126.96.36.199.3 has been revised with respect to record retention policies for non-email messaging services, including OCS and Lync.
Associate Chief Counsel (Finance and Management)
This section establishes policies and guidelines for the security of information, documents, personnel, and property in the Office of Chief Counsel.
Security management and procedures will be determined by the Associate Chief Counsel (Finance & Management) in his/her role as the Designated Accrediting Authority (DAA), using the following as guidance after taking into account the risks and needs of the Office of Chief Counsel:
The Privacy Act of 1974
Federal Information Security Management Act (FISMA) of 2002
OMB Circulars A-123 and A-130
Treasury IT Security Program, TDP 85-01
Federal Information Processing Standards (FIPS)
Public Law 105-93
Additionally, such procedures will be consistent with the provisions of IRC sections 6103, 7213, 7217 and 7431.
Employees are responsible for the protection and proper disposition of all information, documents and property in their possession or control. They must make every effort to protect information, documents and other property entrusted to their care and prevent unauthorized entry into areas where the information, documents and property are located.
The guidelines included in this section are applicable to employees working in flexiplace locations. Files containing IRS information or data will be secured when not in use or in the possession of the employee.
For guidelines concerning Chief Counsel and IRS information systems, employees should consult their servicing MITS organization or IRM 10.8.1, Information Technology (IT) Security Policy and Guidance.
The responsibilities of managers are to:
Support safety and security programs and policies
Ensure adequate training of personnel in safety and security (e.g., fire drills)
Discuss safety and security procedures with employees at least annually
Ensure security measures are followed to protect life, information, facilities, and property within their areas
The responsibilities of employees are to:
Support safety and security programs and policies
Report accidents or incidents promptly
Assist in the investigation and removal of hazards
Be alert to strangers or suspicious packages in the work area
Sensitive But Unclassified (SBU) information is defined as any information that requires protection due to the risk and magnitude of loss or harm to the IRS or the privacy to which individuals are entitled under 5 U.S.C. (§) 552a (the Privacy Act), which could result from unintentional or deliberate disclosure, alteration or destruction.
SBU shall be the primary term used to mark sensitive but unclassified information originating within Chief Counsel offices. The SBU designation identifies information that, if released, could cause harm to a person's privacy or welfare; adversely impact economic, industrial, or international financial institutions; or compromise unclassified programs, essential operations or critical infrastructures. The "Official Use Only" and "Limited Official Use" designations, which are solely used to prevent the automatic distribution to the public of printed materials, should not be routinely used to identify SBU information contained in Office of Chief Counsel documents. For assistance in these matters, contact Branch 6 or 7 of the office of the Associate Chief Counsel (Procedure & Administration).
Although information that would be required to be disclosed under the Freedom of Information Act (FOIA) generally should not meet the criteria for SBU designation, simply because information bears the SBU designation does not mean it is automatically exempt from the FOIA. SBU information that becomes the subject of a FOIA request must be evaluated to determine in each instance whether one or more FOIA exemptions apply.
SBU information is categorized in one or more of the following groups:
Tax data (e.g. tax returns, returns information, and taxpayer information)
Law enforcement information (e.g., grand jury, informant, and undercover operations information)
Proprietary information (e.g., contracts, solicitations, information covered by the Trade Secrets Act, the Procurement Integrity Act, and similar statues)
Employee Information (e.g., personnel, payroll, and evaluation data)
Personally Identifiable Information (PII) (i.e., all taxpayer information or any combination of information that can be used to uniquely identify, contact, or locate a person)
All employees who have had access to tax data or privacy information are prohibited from disclosing such information except as authorized by law (and implementing regulations); see IRM 11.3, Disclosure of Official Information (various chapters). Employees should safeguard SBU information in order to avoid the loss or the unauthorized disclosure or destruction of files, irrespective of the format in which it is maintained (e.g., paper, electronic, or other media).
Standard practice is to maintain SBU files and documents in locked cabinets or compartments (e.g., desk drawers, overhead bins) during nonworking hours and during periods when the work area is vacant. The records may also be stored in a room with physical access control measures that prevent unauthorized access by the public, visitors, or other persons without a need-to-know. Examples of acceptable access control measures include, but ar not limited to, a locked room (both key or cipher locks) or a restricted-access work area controlled by a card reader.
Employees should store all electronic records containing SBU/PII on the Chief Counsel network.
All SBU/PII that is processed, stored, or transmitted by computer equipment (such as laptops and memory storage devices) outside of IRS facilities must be encrypted.
Employees should use measures appropriate to the circumstances to protect SBU information on desks, on workstations or in conference or other work rooms when they are not present during the workday, in order to prevent unauthorized access.
Employees should immediately report allegations or information regarding unauthorized disclosure of tax data or privacy information to their manager for referral to the Treasury Inspector General for Tax Administration (TIGTA) office.
Additional information is available in:
CCDM 30.9.1 , Case File Management
CCDM 37.1.1 , Written Determinations Under Section 6110
CCDM 37.1.2 , Disclosure of Information
CCDM 37.2.1 , Privacy Act of 1974
CCDM 39.1.2 , Government Ethics Programs
IRM 10.2.13, Information Protection
IRM 10.4.1, Managers Security Handbook
IRM 10.8.1, Information Technology (IT) Security, Policy, and Guidance
IRM 10.9.1, National Security Information
IRM 11.3.1, Introduction to Disclosure
IRM 11.3.12, Classification of Documents
Document 10281, Safeguarding Taxpayer Records — Renewing our Commitment
Within the Office of Chief Counsel, documents may be classified Official Use Only (OUO) by the persons authorized in Delegation Order No. 89, Administrative Control of Documents and Material, as revised (see IRM 1.2.49, Delegations of Authority for Communications, Liaison and Disclosure Activities). This classification is used for documents which may be made available only to authorized personnel.
The overall principle is that the greatest amount of information will be made available to the public whenever possible. The OUO classification will generally be used only for law enforcement matters if publication would hinder the law enforcement process. OUO classification is generally invoked word by word or line by line, so that only the specific words or lines that need to be classified are in fact classified.
The classification of materials as Official Use Only requires the concurrence of the office of the Director, Governmental Liaison and Disclosure, and shall be coordinated by the Deputy Associate Chief Counsel (Legislation and Policy).
For additional guidance on use of the Official Use Only classification, see IRM 11.3.12 , Classification of Documents.
All Sensitive But Unclassified (SBU) documents and documents classified "Official Use Only" (OUO) must be placed in a designated container for disposal, separate from wastepaper baskets or paper recycling receptacles.
In the Headquarters Office, each Administrative Officer will establish a pick-up point in the office for collection and proper disposal of SBU and OUO information.
In field offices, each Finance and Management (F&M) Office Manager is responsible for establishing procedures for the proper disposal of SBU and OUO information.
Electronic mail (e-mail) is provided for official business purposes.
Where appropriate, Enterprise Remote Access Protocol (ERAP) and encryption should be used for e-mail to IRS employees.
Routing and review procedures for e-mail are the same as for letters and memoranda. Unless otherwise requested or unless simultaneous review is necessary, work products should be sent to the addressee(s) through customary supervisory/review channels.
"Broadcast/All User" e-mail messages should receive pre-authorization in the headquarters office by an Associate Chief Counsel. In field offices, "All User" messages should be approved by the Area Counsel; cross-functional messages should be approved by the Managing Counsel or F&M Area Manager. "All User" e-mail messages should include the name and title of the authorizing official.
Office Communicator Service (OCS) and Microsoft Lync (Lync) are Microsoft Outlook messaging applications that facilitate informal, unofficial communication between employees. Chief Counsel has made an institutional decision to not conduct official business via OCS or Lync, or other non-email messaging applications, including text messaging. Outlook is not configured to automatically save OCS and Lync communications. If a conversation in OCS, Lync, or any other messaging application rises to the level of official business, the Chief Counsel user must take appropriate measures to preserve the conversation. Documents shared via OCS and Lync retain the status such documents had when originally created, and the appropriate document retention policies and discovery obligations remain applicable to those documents.
Confidentiality requirements for taxpayer returns and return information, as those terms are defined in IRC 6103(b)(1) and (2), are not changed by the use of e-mail or messaging.
E-mail and other forms of electronic messaging are potentially subject to disclosure under the Freedom of Information Act (FOIA) and the applicable rules of civil or criminal discovery in litigation, to the same extent as paper documents. Communications for which privileges may be available (e.g., attorney-client, attorney work product) apply to e-mail and other forms of electronic messaging as well as to traditional formats.
Record retention and preservation guidelines apply to e-mail and other forms of electronic messaging communications based on their content. Guidelines may be found in IRM 1.15.6, Managing Electronic Records, and in the records control schedule for Chief Counsel (see NARA Request for Records Disposition Authority for Chief Counsel Records, DAA-0058-2012-0005 (December 1, 2015) to be incorporated into Document 12990, Records Control Schedules).
For assistance with legal questions concerning the application of Federal records statutes or regulations, contact the Associate Chief Counsel (General Legal Services).
The records control schedules for Chief Counsel can be found at:
IRM 1.15.13 , Records Control Schedule for the Chief Counsel
IRM 1.15.14 , Records Control Schedule for Internal Revenue Service for Associate Chief Counsel Offices
IRM 1.15.15 , Records Control Schedule for Regional/District Counsel
Contact the National Records Officer or the local records officer with questions about the existence or identity of general records schedules or record control schedules covering a particular record or records.
For assistance with issues related to accessing or disclosing Service records pursuant to IRC § 6103, FOIA, or the Privacy Act, contact Branches 6 and 7 in the Office of the Associate Chief Counsel (Procedure and Administration).
The Office of Chief Counsel is committed to providing for the security of its employees and will seek to minimize or eliminate safety hazards and to encourage safe practices. Further information can be found in the following:
IRM 10.2.4, Overview of ID Media
IRM 10.2.5, Identification Card
IRM 1.14.5, Occupational Safety and Health Program
The Office of Chief Counsel will follow the guidelines established by IRS, Department of the Treasury, GSA, and the Department of Homeland Security.
Employees should ensure that information, documents and property entrusted to them are secured. Those who are in private offices have the responsibility of locking doors when leaving their work areas. Employees should keep personal valuables in their possession.
Employees are responsible for preventing unauthorized entry into areas where government information, documents and property are located.
At the close of business, managers should ensure that doors leading into areas under their control and supervision are locked.
Employees should immediately report burglary, robbery, or theft of government or personal property to their manager and to the servicing Security Office. All thefts, no matter how small, should be reported.
Employees are responsible for the security of pocket commissions, ID cards (badges) and other types of identification media issued to them. Identification media should be in the possession of employees and should never be left unattended in briefcases, unlocked desk drawers, vehicles, etc. When not in use they should be stored in a locked container or left with a manager.
Employees will display ID cards at all times while in IRS facilities.
Employees must immediately report the loss, theft or destruction of identification media through their manager to the servicing Security office. The report should explain the circumstances and describe the recovery attempts made.
The recovery of any type of identification media should be reported through channels to the issuing Security office.
The policy of the Office of Chief Counsel is to provide reasonable protection commensurate with the nature and value of the information or property involved. Protective measures will vary by location, function and facility.
In general, access to space, property and the information contained therein will be restricted to those with a need for access.
For Counsel-specific guidelines, see CCDM 30.5.1, Space, Property, Procurement, and Telecommunications.
For IRS access and protection standards, see:
IRM 10.2.14 , Methods of Providing Protection
IRM 10.2.15 , Minimum Protection Standards
Where feasible, reception areas will be provided. Conference rooms and other areas expected to be used by visitors will be placed near entrances and away from secured or restricted areas.
Employees will be required to sign a receipt for door keys, building keys and electronic access cards issued to them. Under no circumstances should keys be duplicated by employees.
Employees are responsible for reporting the loss of keys or access cards to the Administrative Officer (employees located in Headquarters offices) or F&M Office Manager (field offices). The Administrative Officer or Office Manager is responsible for reporting key reassignments and losses to the local IRS Security office.
Codes for combination locks and key pads should be changed:
At least once every six months
When anyone with the current combination leaves or is terminated
When an attempt to compromise the combination is made
Keyed locks should be changed periodically as the budget permits.
Electronic access cards, door keys and building keys must be returned when employees resign, retire, are reassigned to another office, or are terminated.
In response to various incidents in the US Postal Service (USPS) system, all Counsel mail, regardless of the source or method of delivery (e.g., overnight delivery services), will be opened prior to delivery. The only exceptions are bulk mail and mail that has been irradiated by USPS. Deliveries should be made to the area specified by the Agency-Wide Shared Services (AWSS) representative for the building.
Employees opening mail should take appropriate precautions; protective supplies will be provided by IRS or Counsel.
Office Managers and headquarters Administrative Officers should prominently post guidelines for processing mail and packages in the mail area, including phone numbers for appropriate Security personnel. They may obtain further information from their servicing Security office.
Employees should be alert to suspicious packages which may:
Carry excessive postage
Display restrictive endorsements such as "Personal" or "Confidential"
Contain misspelled or misidentified names, titles, addresses or organizations
Be unexpected mail from a foreign country
If a suspicious package is discovered, employees should not handle the package or remove any items from the area. They should leave the area, gently close the door, and contact their manager. If a biochemical substance is suspected, the employee should immediately contact the Security office and follow their direction.
The current USPS procedures in response to anthrax threats may cause delays in sending mail to the Tax Court, Department of Justice, or other Federal offices in the Washington, D.C. area.
Employees should be aware of possible delays and should consider whether overnight delivery or some form of electronic transmission (fax or e-mail) is a suitable alternative if the material is truly time sensitive.
Procedures for addressing legal issues resulting from delays in mail destined for the Tax Court are covered in more detail in CCDM Part 35.