- 11.3.14.1 Background
- 11.3.14.2 Purpose
- 11.3.14.3 Limitations
- 11.3.14.4 General Format
- 11.3.14.5 References
- 11.3.14.6 Spirit and Requirements of the Act
- 11.3.14.7 Privacy Principles
- 11.3.14.8 Responsibility
- 11.3.14.9 Privacy Act Orientation and Training
- 11.3.14.10 Privacy Act Impact on Contracts
- 11.3.14.11 Privacy Act Fee
- 11.3.14.12 Controlling Information From Third Parties

- Congress, in a preamble to the Privacy Act of 1974, stated that the right to privacy is a personal and fundamental right protected by the Constitution of the United States.
- Congress also found that the:
  - Privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies
  - Increasing use of computers and sophisticated information technology has greatly magnified the harm to individual privacy that can occur; and
  - Individual’s rights may be endangered by the misuse of some information systems
- Accordingly, Congress decided that it was necessary to regulate the collection, maintenance, use, and dissemination of information by Federal agencies in order to protect the privacy of individuals.

- The purpose of the Act is to provide certain safeguards for an individual against an invasion of personal privacy by requiring Federal agencies, except as otherwise provided by law, to:
  - Permit an individual to determine what records pertaining to him or her are collected, maintained, used, or disseminated by Federal agencies
  - Permit an individual to prevent records pertaining to him or her from being used or made available for another purpose without his or her consent
  - Permit an individual to gain access to information pertaining to him or her, have copies made, and amend or correct such records
  - Collect, maintain, use, or disseminate any record of identifiable personal information in a manner which ensures that such action is for a necessary and lawful purpose, that the information is current and accurate for its intended use, and that adequate safeguards are provided to prevent misuse of such information
- Except as otherwise provided by law, agencies are subject to civil suit for any damages which occur as a result of willful or intentional action which violates any individual’s rights under the Act.
- Criminal penalties are applicable to agency employees who make prohibited disclosures or who maintain records in violation of law.

- The Privacy Act of 1974 applies to agency records that are retrieved by an identifier for an individual. The Privacy Act defines “individual” as a citizen of the United States or an alien lawfully admitted for permanent residence. Corporations, partnerships, estates, organizations, and other entities are not “individuals” for Privacy Act purposes. However, court opinion has determined that an individual acting in an entrepreneurial capacity (such as a sole proprietor) is an “individual” for purposes of the Act.
- Most records maintained by the Internal Revenue Service (IRS) are subject to an extensive body of law (including the confidentiality and disclosure provisions of IRC §6103) which is usually more specific and restrictive than the Privacy Act, and which therefore will generally be found to be the governing statute. It is important, in applying the Privacy Act, to take into consideration all statutory requirements which are applicable; the result should be that the safeguards against the invasion of an individual’s privacy should be not less than required by the Privacy Act.
- Agencies may propose rules that exempt certain records from certain Privacy Act provisions. Such rules must be approved by Congress and OMB, and be published in the Federal Register.

- The Act provides a series of definitions concerning records maintained on individuals. These definitions help to determine which records are subject to the Act.
- In order for an agency to maintain records subject to the Act it must meet certain publishing and reporting requirements. These requirements are discussed in IRM 11.3.15, Privacy Act Publication and Reporting Requirements.
- It is the responsibility of the owner of the system of records to prepare a Privacy Act Notice for publication in the Federal Register, and the required reports and transmittal memos. The owner then forwards the package to the Office of Governmental Liaison and Disclosure (GLD) for approval. GLD will then ensure that the package is cleared through the Office of the Assistant Chief Counsel, the Commissioner, and any other necessary Headquarters offices. GLD will then transmit the package to the Treasury Department Disclosure Office for clearance.
  Note: The component of the system owner that is most familiar with the records shall prepare the notice.
- Having advised the public of the type of records being maintained (by meeting the publishing and reporting requirements) the agency must give individuals asked to supply information a notice with the request for information. This requirement and related matters are discussed in IRM 11.3.16, Privacy Act Notification Programs.
- There are restrictions on the type of information an agency may obtain and use. These provisions are discussed in IRM 11.3.17, Privacy Act Recordkeeping Restrictions.
- An individual may have access to certain records pertaining to him or her, and may under some circumstances amend such records. These provisions are discussed in IRM 11.3.18, Privacy Act Access and Amendment of Records.
- Restrictions are placed upon the disclosure by the agency of the records maintained, and an accounting is required of the disclosures made. These provisions are discussed in IRM 11.3.19, Privacy Act Accounting for Disclosures.
- Procedures relating to provisions of the Privacy Act which are not technically speaking “disclosure matters” will nevertheless be included in appropriate IRM sections, if they are of general or Servicewide interest. Detailed instructions provided by other functions to carry out the general Privacy Act requirements in this section will not be cross referenced back.

- The Privacy Act of 1974 is also cited as 5 USC 552a.
- Department of the Treasury Regulations appear at Title 31, Part I, Subpart C, of the Code of Federal Regulations. Additional information specific to the IRS is in Appendix B of these regulations.

- IRS employees should follow the legal requirements of the Privacy Act at all times and should make every effort consistent with law, regulations and good administrative practice, to promote the spirit of the Privacy Act by performing their duties in a manner which recognizes and enhances individual rights of privacy.
- Disclosure of Privacy Act record information to other IRS employees is restricted to those who have a need to know the information in the performance of their official duties.
- The Privacy Act generally provides that individuals may gain access to records about themselves.
- A notice about agency systems of records that contain information about individuals that may be retrieved by an individual identifier must be published in the Federal Register upon establishment or revision of such records.
- Each agency that maintains Privacy Act records shall:
  - Maintain only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required by statute or Executive Order
  - Collect information, to the greatest extent practicable, from the subject individual when the information may result in adverse determinations about an individual’s rights, benefits and privileges under Federal programs and
  - Inform each individual whom it asks to supply information, of the agency’s authority for requesting the information; whether providing the information is voluntary or mandatory; the principal purpose(s) for which the information will be used; other routine uses of the information; and the effect(s), if any, on the individual of not providing all or part of the information requested. This statement may be made on the form used to collect the information, or on a separate form or sheet that the individual may retain

- Privacy protection within the IRS includes adherence by all IRS employees to the following principles, which are available on the Office of Privacy, Information Protection and Data Security website at: http://irweb.irs.gov/Privacy/default.html
  - Protecting taxpayer privacy is a public trust
  - Personal information will only be collected if it is necessary for tax administration or other legally authorized purposes
  - Information will be used only for the purpose for which it was collected, or as specifically authorized by law
  - Information will be collected, to the greatest extent practicable, directly from the individual to whom it relates. Information that is collected from third parties will be verified for accuracy with the subject, whenever possible, before final action is taken
  - All IRS employees share in the responsibility for protecting the privacy of individuals whose information they have access to: taxpayers, employees, and visitors to IRS web sites
- Policy Statement P-1-1 also embodies these concepts. See IRM 1.2.1.2, Policies of the Internal Revenue Service – Administration.

- Every employee of the IRS is responsible for being familiar with the provisions of the Privacy Act, commensurate with the level of his or her assigned duties, and for conforming to the requirements of the law as it applies to his or her activities. IRS employees are responsible for contacting the Office of Governmental Liaison and Disclosure expeditiously concerning Privacy Act matters.
- All IRS officials are responsible for administering the Privacy Act insofar as provisions of the Act are applicable to their functional areas and as provided by applicable regulations, published notices, and IRM instructions.
- Chiefs and Division Directors are responsible as systems managers to the extent that they prescribe practices for maintaining any system of records. The components of the system owners/managers that are most familiar with the system of records shall write the notices and other required reports and documents for a system of records notice to be published in the Federal Register and any other required Privacy Act notifications, such as those required by section (e)(3) of the Act. See IRM 11.3.15, Privacy Act Publications and Reporting Requirements.
- Overall coordination of IRS efforts to administer the Privacy Act, publication of required notices, preparation of general Internal Revenue Manual instructions, and administration of the access, amendment, and disclosure provisions of the Act are the responsibility of the Director, Office of Governmental Liaison and Disclosure.
- Private contractors and their employees are subject to some provisions of the Privacy Act. See IRM 11.3.24, Disclosures to Contractors.

- The IRS complies with the Privacy Act by integrating the Act’s provisions with the IRS’s existing procedural instructions, such as the IRM.
- For most Systems of Records two types of systems managers (or responsible officials) have been designated—the official prescribing practices, and the official maintaining the system.
- The official prescribing practices, generally a Headquarters Division Director, contributes to the administration of the Privacy Act by making certain that all procedures conform to the requirements of the Act.
- The official maintaining the system, generally an Area Manager or Campus Director, contributes to the administration of the Privacy Act by making certain that all procedural requirements are followed. Thus an official operating a system of records or carrying out any other assignment will be in compliance with the Privacy Act if all actions taken are in strict accordance with the IRM.

- The Office of Management and Budget (OMB) in Circular No. A-108 holds the IRS responsible for: “Conducting training for all agency personnel who are in any way involved in maintaining systems of records to apprise them of their responsibilities under the Act and to indoctrinate them with respect to procedures established by the agency to implement the Act.”
  Note: See 5 USC 552a(e)(9).

- OMB provides the following guidelines: “Effective compliance with the provisions of this Act will require informed and active support of a broad cross-section of agency personnel. It is important that all personnel who in any way have access to systems of records or who are engaged in the development of procedures or systems for handling records, be informed of the requirements of the Act and be adequately trained in agency procedures developed to implement the Act. Personnel with particular concerns include, but are not limited to, those engaged in personnel management, paperwork management (reports, forms, records, and related functions), computer systems development and operations, communications, statistical data collection and analysis, and program evaluation.”

- The highest level of involvement in training for Privacy Act purposes is required for Disclosure Managers, Disclosure Specialists, Policy Analysts and Tax Law Specialists serving in the Office of Governmental Liaison and Disclosure. Accordingly, a Privacy Act segment has been included in the Disclosure Training Program.
- Functions having key personnel identified as requiring a high degree of training in Privacy Act matters may direct a request to the Director, Office of Governmental Liaison and Disclosure, for space at a regularly scheduled session of the Privacy Act Training or for a special presentation of the Privacy Act segment of the program.
- Functions revising existing training programs or establishing new training programs should include Privacy Act segments designed in accordance with their specific needs in order to meet the objectives of IRM 11.3.17.7. Office of Governmental Liaison and Disclosure assistance is available for constructing such specialized course segments.
- For employees requiring a lesser degree of involvement, a periodic refresher or update can best be conducted by the inclusion of Privacy Act topics in regular group meetings and by discussing the impact of the Privacy Act on specific jobs. Disclosure Managers are available in field offices to conduct or assist at such sessions.

- The impact of the Privacy Act of 1974 on contracts is discussed in IRM 11.3.24, Disclosures to Contractors.

- The Privacy Act requires that agencies establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.
- Agencies are required to maintain only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President.
- The timely disposition, proper destruction, safe storage, physical protection and proper handling of records are therefore mandated by the Act.

- The following IRM references contain important instructions related to information and document security:
  - IRM 1.9, National Security Information, provides instructions for the proper handling and disposition of all classified National Security information
  - IRM 1.15, Records Management, provides instructions for the proper handling of all record material
  - IRM 1.16, Physical Security Program, provides instructions for the protection of records
  - IRM 10.8.1, Information Technology (IT) Security, Policy and Guidance, provides instructions for security requirements for electronic records

- The sole fee to the public pursuant to the Privacy Act is one which permits the Government to recover the expense incurred by providing photocopies of records. See IRM 11.3.5, Fees.

- The Privacy Act generally authorizes Federal agencies to collect and maintain only information that is relevant and necessary to accomplish a purpose of the agency, and requires agencies to collect information directly from the subject individual to the greatest extent practicable. Therefore, the IRS has implemented the following procedures for use when an IRS function wants to obtain access to, or a copy of, a large volume of information that pertains to many individual taxpayers. These procedures provide a uniform methodology for acquiring, using, and disposing of information obtained in volume from third parties. These procedures are required to provide adequate controls of such information consistent with relevant statutes and policies concerning privacy, security, and disclosure.
- These procedures apply to the solicitation or maintenance of information from third parties. They apply to all functions at all levels of the IRS. However, these procedures do not apply to:
  - Information needed to resolve specific cases
  - Information about businesses, exempt organizations, or employee plans (procedures concerning businesses, exempt organizations, and employee plans will be developed later)
  - Information requested from state tax agencies when the information was used by the states in their tax administration, provided the information is not obtained from a state tax agency for the purpose of circumventing the intent of these controls
  - Information gathered by Criminal Investigation under the provisions of IRM 9.4, Investigative Techniques, relating to general investigations, excluding multifunctional information gathering projects and
  - Data gathering that requires a Compliance Initiative Project or is specifically exempted from the CIP process under IRM 4.17.1.3, Activities Not Subject to CIP Procedures. See IRM 4.17, Compliance Initiative Projects, for further information

- For purposes of this section, the following definitions apply.
- Approving Official:
  - Area Managers and Directors of Detroit, Martinsburg and Tennessee Computing Centers for their respective offices
  - In Headquarters, division directors or equivalent positions
- Information From Third Parties: This is information collected about taxpayers from someone other than the taxpayer. It does not include the following:
  - Information received from the taxpayer or his/her representative
  - Information required to be filed with IRS, such as Form W-2s from employers, Form 1099s from banks and other payers of income, etc.
  - Information furnished by anyone to resolve specific cases being worked by IRS
    Example: Examination of a return, collection of taxes, resolution of match errors or information return discrepancies.
  - Information received from state tax agencies in accordance with an exchange agreement under IRC §6103(d)
- Responsible Function: The function obtaining access to information from a Third Party.

- The IRS will provide enhanced taxpayer privacy through controls over the gathering, use and dissemination of information obtained from third parties. These controls require that all functions obtain approval before receiving any such information, and that the local Disclosure Manager review the function’s compliance with these controls during regular quality reviews of the functions. The Disclosure Manager will provide a report to the approving official on the results of the reviews.
- Information may be used only for approved purposes. If a new use is discovered for information already acquired, a separate approval must be obtained before beginning that use.
- When information is no longer needed, it will be disposed of according to established procedures for destruction of return information.

- Prior to obtaining access to information from a third party, the responsible function will provide a written request for approval from the head of the office to obtain the information. The request will include a Privacy Impact Statement which covers the following:
  - A description of the information to be acquired
  - Why it is needed and how it will be used
  - The Privacy Act System of Records (name and number) that will govern its use
  - How and from whom it will be obtained
  - An estimate of the return information’s reliability and accuracy
  - Any procedures that will be used to test and validate the data information’s reliability
  - How the information will be protected
  - How long the information will be kept before it is disposed of (this should be a specific date), and the procedures for its ultimate disposition
  - Any limitations imposed by the source of the information on how it may or may not be used and
  - The person responsible for receiving and controlling the information
  - For security requirements see IRM 1.16, Physical Security Program, IRM 25.10.1, Information Technology (IT) Security Policy and Standards, IRM 1.15, Records Management, IRM 11.3, Disclosure of Official Information, IRC §6103, and Policy Statements
  - The gathering of information from a third party may require the completion of a Privacy Impact Assessment (PIA), which includes a description of the information and its uses. Contact the Director, Office of Privacy, Information Protection and Data Security, for further information on whether a PIA is required
- Functions must ensure that the information is timely, relevant and accurate for the purpose it is used. This should be an ongoing process. If, at any time, it is determined that the information is no longer reliable for its intended purpose, the responsible office must cease using it.
- All requests to obtain or use information from a third party must be reviewed by the Disclosure Manager. The request must be approved in writing by the head of office.
- Disclosure managers will provide advice to the head of office on whether the request complies with the Privacy Act, the disclosure statutes, and IRS’s privacy policies and principles.
- A copy of all approved requests will be given to the Disclosure Manager for subsequent review during normal quality reviews of functions as provided in IRM 11.3.38, Role and Responsibilities of Disclosure Managers.

- The responsible function will maintain a file on the information received. At a minimum, the file will contain the following information:
  - The approved request for obtaining and using the information
  - The date(s) information was received from a third party, its type and source
  - Any duplication of the information
  - To whom the information was given, when it was given, why it was given and when it was returned
  - Any approved extensions for keeping the information
  - The date and method of the final disposition of the information
- This file will be available to the Disclosure Manager when requested in conjunction with a quality review of the function as provided in IRM 11.3.38, Roles and Responsibilities of Disclosure Managers.

- Disclosure managers will, as part of an established functional quality review process, ensure the review of controls on information from third parties as provided in this section.
- Upon completion of a review of the controls on information from third parties, the disclosure office will provide a report consistent with the quality review process described in IRM 11.3.38, Roles and Responsibilities of Disclosure Managers.
- Disclosure managers will ensure, at a minimum, that the following areas are addressed during the quality review:
  - Was information obtained?
  - Was the required head-of-office approval obtained?
  - Has the function complied with the terms of the approval document concerning the intended use of the information and its timely final disposition?