As businesses and governmental agencies explore new or more cost-effective ways to deliver programs and/or services, the question of employing contractors frequently arises. Both businesses and governmental agencies in receipt of customer or client information not accessible by the general public must consider security and privacy implications prior to making disclosures to a contractor. These considerations are especially necessary for governmental agencies and absolutely critical for the governmental agencies entrusted with Federal tax information (FTI).
State Tax Agencies that are authorized by statute to receive FTI and to re-disclose FTI to contractors must notify the IRS at least 45 days prior to executing any agreement to disclose FTI to a contractor. Further, any contractors authorized access to or possession of FTI must notify and secure the approval of the IRS prior to making any re-disclosures to subcontractors.
An agency’s failure to follow statutory/regulatory requirements with respect to safeguarding FTI may jeopardize an agency’s continued access to FTI. Unauthorized access to and disclosure of FTI in an agency’s possession could lead to civil and criminal penalties.
The procedures for agency notification of intent to enter into an agreement to make disclosures of FTI are as follows:
Proper notification is a letter, on agency letterhead over the head of agency’s signature, that provides the specific information below. It is sent to the Director, Office of Safeguards, and sent in electronic format to SafeguardReports@IRS.gov.
- name and address of contractor
- name, address and phone number of agency point of contact
- type of service covered by the contract
- brief description of agency procedures for oversight of contractor access, storage and destruction of FTI
- brief description of agency procedures for oversight of contractor disclosure awareness training and incident reporting
- description of FTI to be disclosed to the subcontractor, if applicable
- contract number and date awarded
- period contract covers, e.g. 2003-2008
- number of contracted workers
- name of agency program contractors support
- description of FTI disclosed to contractor
- brief description of the work performed by contractor
- description of any phased timing of work performed by the contractor and how access to FTI and work may change during the different phases
- location where work is performed: contractor site or at agency
- brief description of how data will be secured if it is moved out of the secure agency location
- statement as to whether subcontractor(s) have access to FTI
- name and address of subcontractor(s), if applicable
- brief description of the work performed by subcontractor(s)
- location where work is performed by subcontractor(s)
- brief description of how data will be secured if it is moved out of the secure agency location
Agency disclosure personnel may want to discuss local procedures with their procurement colleagues so that they are part of the contract review process and the language is included from the beginning.
After receipt of an agency’s request, the IRS will send an acknowledgement along with a reminder of the requirements associated with the contract.
Contracts in local field offices are also bound by these provisions. For example, if auditors in a field office shred the FTI used for their work, then the contract for the vendor who removes that shredding must contain the Publication 1075 language. Agencies are also required to ensure that contractors (and any authorized subcontractors) meet confidentiality requirements that protect all FTI to the same level required of the Agency. This includes ensuring that contractors and subcontractors conduct disclosure and safeguards training.
Re-disclosure of FTI by State tax agencies may be made to contractors, but only to the extent necessary and only for the specific use for which the agency is statutorily authorized to receive the FTI. Treasury Regulation 301.6103(n)-1 requires that agencies notify the IRS prior to executing any agreement to disclose to such a person (contractor), but in no event less than 45 days prior to the disclosure of FTI. See Section 5.4 of IRS Publication 1075, Access to Federal Tax Information via State Tax Files or Through Other Agencies, for additional information. Further disclosure by contractors without written approval by the IRS is prohibited.
Publication 1075 is the first source for agencies to locate:
- the contract language (Exhibit 7, see below) required for contracts involving the redisclosure of FTI
- the standards for safeguarding FTI from unauthorized use, access, and disclosure which must be conveyed to and adhered to by a contractor granted access to or possession of FTI
- the reporting requirements and oversight responsibilities of an agency with respect to its contractors
Exhibit 7: Contract Language for General Services
In performance of this contract, the contractor agrees to comply with and assume responsibility for compliance by his or her employees with the following requirements:
- All work will be done under the supervision of the contractor or the contractor's employees.
- Any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material will be treated as confidential and will not be divulged or made known in any manner to any person except as may be necessary in the performance of this contract. Disclosure to anyone other than an officer or employee of the contractor will be prohibited.
- All returns and return information will be accounted for upon receipt and properly stored before, during, and after processing. In addition, all related output will be given the same level of protection as required for the source material.
- The contractor certifies that the data processed during the performance of this contract will be completely purged from all data storage components of his or her computer facility, and no output will be retained by the contractor at the time the work is completed. If immediate purging of all data storage components is not possible, the contractor certifies that any IRS data remaining in any storage component will be safeguarded to prevent unauthorized disclosures.
- Any spoilage or any intermediate hard copy printout that may result during the processing of IRS data will be given to the agency or his or her designee. When this is not possible, the contractor will be responsible for the destruction of the spoilage or any intermediate hard copy printouts, and will provide the agency or his or her designee with a statement containing the date of destruction, description of material destroyed, and the method used.
- All computer systems processing, storing, or transmitting Federal tax information must meet the requirements defined in IRS Publication 1075. To meet functional and assurance requirements, the security features of the environment must provide for the managerial, operational, and technical controls. All security features must be available and activated to protect against unauthorized use of and access to Federal tax information.
- No work involving Federal tax information furnished under this contract will be subcontracted without prior written approval of the IRS.
- The contractor will maintain a list of employees authorized access. Such list will be provided to the agency and, upon request, to the IRS reviewing office.
- The agency will have the right to void the contract if the contractor fails to provide the safeguards described above.
- (Include any additional safeguards that may be appropriate.)
II. Criminal/Civil Sanctions:
- Each officer or employee of any person to whom returns or return information is or may be disclosed will be notified in writing by such person that returns or return information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such returns or return information for a purpose or to an extent unauthorized herein constitutes a felony punishable upon conviction by a fine of as much as $5,000 or imprisonment for as long as 5 years, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized further disclosure of returns or return information may also result in an award of civil damages against the officer or employee in an amount not less than $1,000 with respect to each instance of unauthorized disclosure. These penalties are prescribed by IRC sections 7213 and 7431 and set forth at 26 CFR 301.6103(n)-1.
- Each officer or employee of any person to whom returns or return information is or may be disclosed shall be notified in writing by such person that any return or return information made available in any format shall be used only for the purpose of carrying out the provisions of this contract. Information contained in such material shall be treated as confidential and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the contract. Inspection by or disclosure to anyone without an official need to know constitutes a criminal misdemeanor punishable upon conviction by a fine of as much as $1,000 or imprisonment for as long as 1 year, or both, together with the costs of prosecution. Such person shall also notify each such officer and employee that any such unauthorized inspection or disclosure of returns or return information may also result in an award of civil damages against the officer or employee [United States for Federal employees] in an amount equal to the sum of the greater of $1,000 for each act of unauthorized inspection or disclosure with respect to which such defendant is found liable or the sum of the actual damages sustained by the plaintiff as a result of such unauthorized inspection or disclosure plus in the case of a willful inspection or disclosure which is the result of gross negligence, punitive damages, plus the costs of the action. These penalties are prescribed by IRC section 7213A and 7431.
- Additionally, it is incumbent upon the contractor to inform its officers and employees of the penalties for improper disclosure imposed by the Privacy Act of 1974, 5 U.S.C. 552a. Specifically, 5 U.S.C. 552a(i)(1), which is made applicable to contractors by 5 U.S.C. 552a(m)(1), provides that any officer or employee of a contractor, who by virtue of his/her employment or official position, has possession of or access to agency records which contain individually identifiable information, the disclosure of which is prohibited by the Privacy Act or regulations established thereunder, and who knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.
The IRS and the Agency shall have the right to send its officers and employees into the offices and plants of the contractor for inspection of the facilities and operations provided for the performance of any work under this contract. On the basis of such inspection, specific measures may be required in cases where the contractor is found to be noncompliant with contract safeguards.