- 11.3.24.1 General
- 11.3.24.2 Authority
- 11.3.24.3 Requirements
- 11.3.24.4 Contract Compliance Reviews
- 11.3.24.5 Disclosure of Returns and Return Information to Vendors
- 11.3.24.6 Glossary
- Exhibit 11.3.24-1 Disclosure Quality Review Check Sheet for Post-Award Contracts
- This section provides instructions for assuring that Internal Revenue Service (IRS) contracts involving the inspection or disclosure of Federal tax returns and return information under IRC §6103(n), information covered by the Privacy Act of 1974 (Privacy Act), or documents classified as Sensitive But Unclassified (SBU) comply with all applicable laws, regulations and procedures.
- Initial contacts with contractors to engage their services and disclosures of tax information necessary in these circumstances are made pursuant to IRC §6103(k)(6) and are discussed in IRM 11.3.21, Investigative Disclosure.
- Whenever possible, business offices should structure procurement actions under the authority of IRC §6103(n) rather than under IRC §6103(k)(6). There are no re-disclosure restrictions under IRC §6103(k)(6). Safeguarding, accounting and penalty provisions are not applicable either.
- IRC §6103(n) permits the Secretary of the Treasury, pursuant to regulations, to disclose returns and return information to any person, including persons described in IRC §7513(a), to the extent necessary in connection with procurement actions for tax administration purposes as defined in IRC §6103(b)(4), such as:
  - Equipment or other property or
  - Services relating to the processing, storage, transmission, and reproduction of returns and return information or
  - Services relating to the programming, maintenance, repair, testing of equipment or other property or
  - The providing of other services such as tow trucks, locksmiths, appraisers, court reporters and others
- Treasury Regulation 301.6103(n)-1 provides that the IRS and the Office of Chief Counsel may disclose returns and return information to contractors pursuant to IRC §6103(n).
  - The regulation also places certain limitations on the disclosures; these are defined in Treasury Regulation 301.6103(n)-1(b).
- 5 U.S.C. 552a(b)(3), Routine Use, authorizes the disclosure of Privacy Act records provided the system of records notice includes appropriate language allowing contractors access to such information.
  - “Disclosure pursuant to IRC §6103” or similar language provides Privacy Act authorization to disclose.
  - System of Records Notices are posted on Disclosure's intranet website at: http://mysbse.web.irs.gov/CLD/GLD/Disclosure/Office/TechnicalResources/Privacy/SoR/4662.aspx
- IRC §7513 authorizes the Secretary of Treasury to have any Federal agency or any person process films or other photo-impressions of any return, document, or other matter, and make reproductions from films or photo-impressions of any return, document or other matter. The Secretary shall prescribe regulations which shall provide such safeguards as in the opinion of the Secretary are necessary or appropriate to protect the film, photo-impressions, and reproductions made therefrom, against any unauthorized use, and to protect the information contained therein against any unauthorized disclosure.
- In accordance with Treasury Regulation 301.6103(n)-1(d), contractors, agents, and subcontractors receiving tax information from the IRS are required to inform their employees, in writing, of the criminal and civil penalty provisions of IRC §7213, IRC §7213A, and IRC §7431.
- Treasury Regulation 301.6103(n)-1(e) requires that safeguard provisions be included in procurement actions involving the disclosure of returns and return information under IRC §6103(n):
  - Subcontractors and agents of the contractor are held to the same provisions and penalties as the primary contractor.
  - Safeguards for the subcontractors and agents are to be included in their contracts verbatim as contained in the primary contract for work.
- Treasury Regulation 301.7513-1 establishes safeguard requirements for contractors who process and reproduce films or photo impressions.
- The Federal Acquisition Regulation (FAR), subpart 1.602-1(b), provides that no contract shall be entered into unless the contracting officer ensures that all requirements of law, executive orders, regulations, and all other applicable procedures, including clearances and approvals, have been met.
- Part 24 of the FAR implements the provisions of the Privacy Act. Contractors and their employees who contract for the design, development, operation, or maintenance of a system of records on individuals, on behalf of the IRS to accomplish an IRS function, are subject to the civil and criminal provisions of the Privacy Act.
  - Pursuant to FAR, subpart 24.103(b)(1), the contracting officer will ensure that the contract work statement specifically identifies the system of records on individuals and the design, development, or operation work to be performed.
- Internal Revenue Service Acquisition Procedures (IRSAP) Manual, Part 1004.2, Administrative Matters (as developed by the IRS Agency-Wide Shared Services (AWSS), Office of Procurement Policy), provides instructions with respect to procedures to be followed where contractual procurement will be subject to the Privacy Act, the provisions of IRC §6103(n) or where access by a contractor to Sensitive But Unclassified material is contemplated.
- This section provides instructions to Disclosure personnel who are conducting reviews of IRS procurement actions for equipment, supplies or services that involve the design, development or use of a system of records or the disclosure of sensitive but unclassified (SBU) data, which includes:
  - Federal tax returns or return information
  - Solely protected Privacy Act records/information and
  - Sensitive but Unclassified Information (SBU).
- The Office of Disclosure will be responsible for reviewing the following documents that meet the criteria of IRM 11.3.24.2:
  - Form 1334, Requisitions for Equipment, Supplies, or Services, electronic or paper
  - Interagency Agreements
  - Agreements for Reimbursable Purchase/Services; and
  - Purchase/Delivery/Task/Service Orders against existing contracts, Blanket Purchase Agreements and GSA schedules.
- The Office of Disclosure (Headquarters) provides support for procurement actions issued by:
  - Headquarters functions
  - Martinsburg Computing Center
  - Detroit Computing Center; or
  - Where more than one Area is involved
- Field Disclosure Managers will establish procedures to review procurement actions in the Web Request Tracking System (webRTS) issued by local functions or by the functions in their respective servicing geographical areas which meet the criteria in IRM 11.3.24.4(1).
  - The local Disclosure Manager will review contractual documents and requisitions that are for the Tennessee Computing Center.
- Disclosure personnel will no longer approve procurement actions in webRTS. Instead, they will conduct post award compliance reviews of procurement actions with disclosure or privacy implications.
  Note: Business operation units should not include the offices of Disclosure, Privacy, Safeguards and Information Technology in their WebRTS approval paths, but rather contact their respective Contracting Officers Technical Representatives (COTRs) for requisition guidance when preparing requisitions.
- Area Managers monitor the review activities of subordinate Disclosure Offices and will coordinate compliance reviews with other areas or Headquarters, when necessary.
- Reviews of existing procurement actions may be included as a part of every functional quality review to ensure appropriate safeguard language and other necessary clauses relating to the disclosure of information are present where appropriate or to ensure the function is properly identifying those situations where tax information or Privacy Act information is being provided to contractors.
- IRS Personnel Security has the responsibility for conducting background investigation pre-screening checks and initiating background investigations for contractors and their employees who have access to IRS controlled facilities or sensitive but unclassified information, or who are involved in the design, operation, repair, or maintenance of information systems. See IRM 10.23.2, Security, Privacy and Assurance, Personnel Security, Contractor Investigations.
- MITS Cybersecurity administers policy for conducting mandatory briefings for contractors as mandated by the Federal Information Security Management Act (FISMA). Procurement oversees compliance (see Office of Procurement Policy Memorandum 39.1).
- WebRTS has been enhanced to ensure that the appropriate IRSAP and FAR clauses are included in every procurement action involving the disclosure of sensitive but unclassified information.
- WebRTS users answer a series of questions, and the system then automatically inserts the appropriate clauses.
  - Procurement actions involving the design, development or operation of a system of records as defined by the Privacy Act will contain the Privacy Act Notification and a clause entitled “PRIVACY ACT”, which are at FAR 52.224-1 and FAR 52.224-2, respectively.
  - Federal Acquisition Regulation 39.107 states that Federal Acquisition Regulation clause 52.239-1, Privacy or Security Safeguards or other similar language, is to be included in all procurement actions for information technology which require security of information technology, and/or are for the design, development, or operation of a system of records using commercial information technology services or support services.
  - Procurement actions involving the disclosure of Federal tax returns or return information will contain a clause entitled “SAFEGUARDS” which will contain the terms outlined in Treasury Regulation 301.6103(n)-1(e). The IRSAP clause number is 1052.224-9000.
- In addition, webRTS includes a pop up menu containing numbers and titles only; there is no information on the contents of the System of Records Notices (SORNs).
- Local business offices are encouraged to contact the local Disclosure office for assistance with system of records selection.
- For National Office procurement actions, business units should contact Disclosure in headquarters.
- Post Award Compliance Reviews will be conducted by Disclosure personnel to monitor adherence to these requirements.
- Instructions for researching awards are found on webRTS Training Course Module 5 Search Award. HQ Disclosure will provide reviewers with a listing of contract award numbers consisting of disclosure or privacy requisitions and those not identified as disclosure or privacy requisitions.
- Disclosure personnel will use Post Award Compliance Check Sheet (See Exhibit 11.3.24-1) to record findings.
- Findings will be reported to Headquarters to be compiled in a report to Bureau Chief Procurement Officer (BCPO) and to each affected business unit.
- All procurement actions for property or services which require or properly indicate disclosure to contractors of any Federal tax returns or return information, Privacy Act protected information, or other sensitive but unclassified (SBU) information, must contain the following as an attachment to the requisition:
  - Statement, signed by the requesting activity management official, that the contractor will have access to information subject to disclosure limitations or include the official in the approval path on webRTS;
  - A statement that the contract will or will not involve the design, development or operation of a system of records (Privacy Act); usually found by the function checking the appropriate box on the requisition that IRC §6103 and the Privacy Act either apply or don’t apply; and
  - Documentation from the requesting management official that states why the disclosure of returns or return information is necessary if disclosures of tax information, sensitive but unclassified information or Privacy Act information are required.
    - This documentation must demonstrate that the procurement cannot be reasonably, properly or economically carried out without such disclosure.
      Note: See Treasury Regulation 301.6103(n)-1(b).
- If an IRS function believes that safeguards may have been compromised, the Contracting Officers Technical Representative (COTR) should request that security personnel inspect the contractor’s facility.
  - The IRS function responsible for the contract should brief AWSS Physical Security and MITS Cybersecurity of specific concerns that need to be addressed.
  - All unauthorized willful disclosures should be reported to TIGTA.
- Based upon a review of the written findings and any discussions with them as well as other management officials involved in the contract activity, the contracting officer and the COTR will determine whether to continue disclosures to the contractor.
  - Recommendations will be made to discontinue the contract when evidence is developed that the contractor has failed to satisfy the safeguard or privacy provisions of the contract and immediate remedial action cannot be taken by the contractor. Disclosure will make recommendations to procurement to terminate the contract.
- Disclosure personnel at all levels should maintain close coordination with Operating Divisions and functions that plan, design and use the services of contractors and provide guidance to them concerning disclosure, Privacy Act, and other issues that may arise related to dealing with contractors.
- To assure that the contractors are adhering to contractual safeguards, AWSS Physical Security and MITS Cybersecurity functions will be responsible for periodic safeguard reviews of contractors.
- Procurement will include the minimum mandatory System Security Requirements that are to be required of the contractor's (and any subcontractor's) facility, as determined by the IRS management official(s) responsible for the security of that information system/application (IRM 10.8.1.3.3.1) in solicitation documents.
  - Contractors must address, in their proposal submission, how they intend to meet the minimum mandatory requirements, including the security of SBU information systems.
  - An evaluation panel will review the information submitted to determine if the contractor complies with the mandatory minimum standards.
- After award, the IRS will conduct reviews to ensure the contractor has implemented security requirements as proposed, and in accordance with contract requirements. If a contractor is unable to meet IRS standards at any time during the contract, the contracting officer, together with the COTR, will decide whether to terminate the contract and recover all returns, return information, and IRS records, inclusive of SBU.
  - Similarly, after meeting with MITS Cyber Security and Contracting representatives to discuss findings of a security review, if the contractor is unwilling to meet IRS standards, the contracting officer, together with the COTR, will decide whether to terminate the contract and recover the records.
- IRS functions that initiated procurement actions that involve the disclosure of Federal tax returns, return information, employee personnel information, and any SBU data/records that have been provided to a contractor, should be notified in writing if the IRS terminates the contract for failure to meet contract provisions. Under these circumstances, the IRS may terminate a contract for default once they have satisfied the conditions outlined in FAR Part 49.4. If default circumstances are not in the best interests of the IRS, Procurement may pursue and negotiate a termination for the convenience of the Government as outlined in FAR Parts 49.1, 49.2, and 49.3.
  - In the event an award is terminated, Disclosure personnel will monitor recovery operations and, upon request, assist the contracting officer and the COTR to ensure unauthorized disclosures are avoided. Full recovery of Federal tax returns, return information, employee personnel information, and SBU data/records must include any duplications or transcribing onto magnetic or computer media and spoilage.
- To enable vendors to fully evaluate the parameters of the work involved when invited to submit a quote, proposal, or bid for a specific requirement, it may become necessary to provide them access to Federal tax returns, return information, or other SBU data at the solicitation phase of an acquisition.
- In such cases, the written solicitation must conform to the requirements of the IRSAP. It must incorporate the Safeguard provisions, the Privacy Act clauses, if applicable, and conform generally with the provisions of IRM 11.3.24.4.2. AWSS Physical Security and MITS Cybersecurity functions, as appropriate, must determine whether a pre-award on-site security inspection needs to be performed.
- IRS COTRs will ensure full recovery of all SBU data immediately upon completion of its necessitated use during the solicitation stage. Care should be exercised to limit the length of time the bidder(s) have to use the SBU data.
- The IRS occasionally hires trainees through participation in certain work programs. Some of the students/trainees are of the “direct-hire” type while others are of the “hosting” type.
- “Direct-hire” trainees are employed and paid by the IRS and their right of access to returns or return information, when required as part of their duties, is the same as for other IRS employees. See IRC §6103(h)(1).
- “Hosting” trainees are hired and paid by non-Treasury Department organizations and assigned by these organizations to the IRS for training. They may not be given access to tax returns or return information or information governed by the Privacy Act.
  Note: If these trainees qualify as “students” under IRM 11.3.24.5.2(4), those rules will govern.
- Uncompensated student volunteers have been deemed by statute (5 U.S.C. 3111) to be Treasury and/or IRS employees for purposes of both the Privacy Act and IRC §6103. As such, disclosures are permissible. However, the student must meet the following criteria.
  - Qualify as a Student – A student is defined as “an individual who is enrolled, not less than half-time, in a high school, trade school, technical or vocational institute, junior college, college, university, or comparable recognized educational institution.” Individuals from high schools or above who participate in a formal program with the IRS as part of their curriculum are considered student volunteers. To qualify, they must obtain the permission of the institution where they are enrolled as part of a program to provide educational experiences for students. They must be “uncompensated” and may not be used to displace any employee. Counsel has clarified the definition of uncompensated. Student volunteers compensated by other than Federal funds are considered uncompensated for 5 U.S.C. Section 3111 purposes.
    Note: Volunteers from other organizations such as American Association of Retired People (AARP) or welfare to work programs do not qualify for access to IRC §6103 or Privacy Act data.
- The IRS hires a considerable number of disabled employees. To effectively use the skills of these individuals it is often necessary that they be assisted by non-IRS personnel. Several Federal, state and local agencies provide assistors at no cost to the IRS.
- Under 5 U.S.C. 3102(b), these assistors can be “hired” by IRS and are permitted to have access to returns or return information, under IRC §6103(h)(1), subject to its requirements, even if they are uncompensated by IRS.
- The IRS procures the vast majority of title searches by use of contracts or purchase orders pursuant to IRC §6103(n).
- When low volume, rare, exigent circumstances exist, purchase cards may be used, rather than contracts or purchase orders, to procure title searches. The disclosures will be pursuant to IRC §6103(k)(6), investigative disclosures, and the IRS business office/unit must:
  - Incur very few needs for title searches on a monthly basis
  - Demonstrate that vigorous, real effort has been made to procure a contract for title searches and
  - Thoroughly document that no company contacted is willing (obtain written refusal where possible) to enter such a contract
    Note: Every effort should be made to locate a vendor (or vendors) who will enter into a contractual agreement (purchase order) to provide title searches upon request, for a specified geographical area.
- Procurement actions involving the use of appraisers, court reporters, interpreters and others may require the selection of a System of Records Notice (SORN) on webRTS.
- Disclosure assistance may be required until the business units become familiar with SORN selection on webRTS. Local business offices should contact the local Disclosure office for assistance with determining the correct SORN. For HQ procurement actions, contact Disclosure HQ.
- It is important that the system of records notice routine use contains the appropriate language to permit disclosing Privacy Act records to a contractor. See IRM 11.3.24.2(3).
- Sensitive but unclassified information documents may be disclosed to contractors when it is determined that such access is necessary to properly perform assigned tasks.
- This type of material is not protected by either the Privacy Act or the statutes governing release of returns and return information.
- SBU documents are the property of the IRS, and are construed to be “a thing of value” protected by statute (18 U.S.C. 641, as modified by 18 U.S.C. 3571).
- Access to SBU documents will not be routinely granted to contractors. Each case must be decided on its own merit, with the needs of the IRS being the foremost consideration.
- When access to this material is necessary in order for the contractor to perform the work on behalf of the IRS, the following paragraphs, modified as deemed appropriate to meet case needs, should be included in the contractual agreement:
  - “SAFEGUARDS”
    - Any Treasury Department information made available, which is marked “Sensitive but Unclassified” information, shall be used only for the purpose of carrying out the provisions of this contract, and shall not be divulged or made known in any manner to any person except as may be necessary in the performance of the contract.
  - “CRIMINAL/CIVIL SANCTIONS”
    - Each officer or employee of the contractor or subcontractor at any tier to whom “Sensitive but Unclassified” information may be made available or disclosed shall be notified in writing by the contractor that “Sensitive But Unclassified” information disclosed to such officer or employee can be used only for a purpose and to the extent authorized herein, and that further disclosure of any such “Sensitive But Unclassified” information, by any means, for a purpose or to an extent unauthorized herein, may subject the offender to criminal sanctions imposed by 18 U.S.C. Sections 641 and 3571. 18 U.S.C. Section 641 provides, in pertinent part, that whoever knowingly converts to his use or the use of another, or without authority, sells, conveys, or disposes of any record of the United States or whoever receives the same with the intent to convert it to his use or gain, knowing it to have been converted, shall be guilty of a crime punishable by fine or imprisoned up to ten years or both.
      Note: As of this writing, Procurement is in the process of revising all IRSAP clauses to reflect the term SBU.
- Contracts for the destruction of tax information fall within the scope of IRC §6103(n).
  - A contractual agreement, in compliance with IRC §6103(n), is required if tax information to be destroyed does not remain in sealed containers or is otherwise protected from view by the contractor during the destruction process.
- IRSAP clauses should be included when procuring services for the destruction of sensitive but unclassified information:
  - IRSAP 1052.224-9000(d) – DISCLOSURE OF “OFFICIAL USE ONLY” INFORMATION SAFEGUARDS
  - IRSAP 1052.224-9001(b) – DISCLOSURE OF INFORMATION – OFFICIAL USE ONLY
  - IRSAP 1052.224-9002 – DISCLOSURE OF INFORMATION – INSPECTION
- Procurement Actions – Solicitations, contract awards, purchase orders, task orders, delivery orders, modifications, interagency agreements, blanket purchase agreements (BPAs), and simplified acquisitions.
- Post Award Compliance Reviews – Conducted by Disclosure personnel to ensure that the appropriate language has been inserted into procurement actions involving the disclosure of SBU data and that other Disclosure requirements for contracts are met.
- Routine Use – The disclosure of a record for a purpose which is compatible with the purpose for which it was collected.
- Sensitive But Unclassified Information (SBU) – Any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under Section 552a of Title 5, United States Code (USC) (the Privacy Act) but which has not been specifically authorized under criteria established by an executive order or an act of Congress to be kept secret in the interest of national defense or foreign policy.
- System of Records (SOR) – A group of any records under the control of the Department (IRS) from which information is retrieved by the name of an individual, or by some other identifying number, symbol or particular assigned to an individual.
Disclosure Office:
Area Manager:
Disclosure Manager:
Reviewer:
Date(s):
| Award Number(s) | Contracting Officer Discretion (COD) or Correct/Resolve (C/R) | Statement of Work Attached With Required Information? | Disclosure of SBU Data to a Contractor | Correct Privacy System of Records Identified | Privacy Act SOR Routine Use Identified | Applicable Clauses Inserted (This indicates the level of understanding questions 2-14) |
|---|---|---|---|---|---|---|
| | COD / C/R | Y / N | Y / N | Y / N / N/A | Y / N / N/A | Y/2-14 / N / N/A |
| 1. | | | | | | |
| 2. | | | | | | |
| 3. | | | | | | |
| 4. | | | | | | |
| 5. | | | | | | |
| 6. | | | | | | |
| 7. | | | | | | |
| 8. | | | | | | |
| 9. | | | | | | |
| 10. | | | | | | |
| 11. | | | | | | |
| 12. | | | | | | |
| 13. | | | | | | |
| 14. | | | | | | |

General Comments:
EDIMS Case Number:
Time Applied: