Businesses and governmental agencies in receipt of customer or client information not accessible by the public must consider security and privacy implications prior to making disclosures to a contractor. These considerations are especially necessary for governmental agencies and critical for the governmental agencies entrusted with Federal tax information (FTI).
Agencies that are authorized by statute to receive FTI and authorized to re-disclose FTI to contractors must notify the IRS at least 45 days prior to executing any agreement to disclose FTI to a contractor. Any agency wanting to disclose FTI to subcontractors for authorized access to or possession of FTI must notify and receive approval from the IRS prior to making any re-disclosures to subcontractors.
An agency’s failure to follow statutory/regulatory requirements with respect to safeguarding FTI may jeopardize the agency’s continued access to FTI. Unauthorized access to and disclosure of FTI in an agency’s possession could lead to civil and criminal penalties.
The procedures for agency notification of intent to enter into an agreement to make disclosures of FTI are as follows:
Proper notification is a letter, on agency letterhead over the head of agency’s signature, that is sent to the Associate Director, Office of Safeguards, and sent in electronic format to SafeguardReports@IRS.gov. The letter provides the following specific information:
- Name, address, phone number, and email address of agency point of contact;
- Name and address of contractor;
- Contract number and date awarded;
- Contract period covered (e.g., 2014–2017);
- Type of service covered by the contract;
- Number of contracted workers;
- Name and description of agency program that contractor will support;
- Detailed description of FTI to be disclosed to contractor;
- Description of work to be performed by contractor, including phased timing, how FTI will be accessed, and how tasks may change throughout the different phases;
- Procedures for agency oversight on contractor access, storage, and destruction of FTI, disclosure awareness training, and incident reporting;
- Location where work will be performed (contractor site or agency location) and how data will be secured if it is moved from the secure agency location;
- Statement whether subcontractor(s) will have access to FTI;
- Name(s) and address(es) of all subcontractor(s), if applicable;
- Description of FTI to be disclosed to subcontractor(s);
- Description of work to be performed by subcontractor(s);
- Location(s) where work will be performed by subcontractor(s) and how data will be secured if it is moved from a secure agency location;
- Certification that contractor personnel accessing FTI and contractor information systems containing FTI are all located within the United States or territories, given that FTI is not allowed offshore.

Source: Publication 1075 (September 2016), Exhibit 6, Contractor 45-Day Notification Procedures, page 140.
Agency disclosure personnel may want to discuss local procedures with their procurement colleagues so that they are part of the contract review process and the language is included from the beginning.
After receipt of an agency’s request, the IRS will send an acknowledgement along with a reminder of the requirements associated with the contract.
Contracts in local field offices are also bound by these provisions. For example, if auditors in a field office shred the FTI used for their work, then the contract for the vendor who removes that shredding must contain the Publication 1075 language. Agencies are also required to ensure that contractors (and any authorized subcontractors) meet confidentiality requirements that protect all FTI to the same level required of the Agency. This includes ensuring that contractors and subcontractors conduct disclosure and safeguards training.
State tax agencies may re-disclose FTI to contractors, but only to the extent necessary and only for the specific use for which the agency is statutorily authorized to receive the FTI. See Section 5.3 of IRS Publication 1075, Access to Federal Tax Information via State Tax Files or Through Other Agencies, for additional information. Further disclosure by contractors without written approval by the IRS is prohibited.
Publication 1075 is the first source for agencies to locate:
- the contract language (Publication 1075 Exhibit 7, see below) required for contracts involving the redisclosure of FTI
- the standards for safeguarding FTI from unauthorized use, access, and disclosure which must be conveyed to and adhered to by a contractor granted access to or possession of FTI
- the reporting requirements and oversight responsibilities of an agency with respect to its contractors