Privacy Impact Assessment - IDRS Online Reports Services (IORS)
IORS System Overview
The IDRS Online Reports Services (IORS) is a web based application that supports the distribution of the IDRS Security reports to the Mission Assurance and Security Services (MA&SS) and the other IRS business organizations’ security and managerial personnel. IDRS security reports represent extracts and summaries of the IDRS audit trails. These reports are provided to security and managerial staffs in support of Treasury requirements to perform regular and periodic reviews of major application audit trails. In addition because of IRS requirement to protect taxpayer privacy, managers and security staffs have the requirement to help ensure that users are not inappropriately accessing taxpayer accounts.
Data in the System
1. Generally describe the information to be used in the system in each of the following categories:
IDRS reports as presented and created through IORS include information about actions taken by IDRS security personnel to add, remove or modify IDRS user accesses. IDRS reports also show when users have accessed or attempted to access their own taxpayer accounts or the account of a current or former spouse and when IDRS users have accessed or attempted to access the tax account of another IRS employee or the spouse or former spouse of an IRS employee. IDRS Security reports do not show transactions to taxpayer accounts however these reports do show the command code activity for each user for the reporting period.
Taxpayer
IDRS security reports only show taxpayer data transactions as it relates to IRS employees who also are taxpayers.
Employee
IDRS security reports show transactions for IDRS security personnel in MA&SS and other IRS business organizations when
- an IDRS unit has been added, deleted or modified
- an IDRS user access account has been added, modified, or deleted,
- a system generated IDRS password has been generated,
- a new IDRS functionality has been provided or removed from a user’s.
- an user performed an inappropriate or unauthorized security transaction such as
o an incomplete or inappropriate sign-on (i.e. incorrect SSN, name, or password), attempts to use command codes not in the users profile,
o an attempted or actual access to a tax file on their prohibited access file, and
o an attempted sign-on when the user’s IDRS account was been locked.
Other
The data items included in IORS represent IORS users who request archive IDRS reports, certify IDRS security report, or submit or approve IDRS security forms.
2. What are the sources of the information in the system?
a. What IRS files and databases are used?
IORS receives data from two other systems, the IDRS Security and Communication System (SACS) which extracts and summarizes IDRS audit trail transactions to produce the IDRS security reports and the IDRS Unit and USR Database (IUUD) which maintains a listing of all IDRS security personnel from MA&SS and the other IRS business organizations. Data inputs for IUUD are entered by MA&SS security personnel but SACS does provide periodic updates to IUUD to identify all active IDRS units.
b. What Federal Agencies are providing data for use in the system?
No Federal Agencies provide data to IORS.
c. What State and Local Agencies are providing data for use in the system?
No State and Local Agencies provide data to IORS.
d. From what other third party sources will data be collected?
IORS does not collect data from third party sources.
e. What information will be collected from the taxpayer/employee?
IORS collects and stores input from security personnel in MA&SS and the IRS business organizations on their reviews and actions associated with data in the IDRS security reports.
3. a. How will data collected from sources other than IRS records and the taxpayer be verified for accuracy?
No data is collected from sources other than IRS records.
b. How will data be checked for completeness?
No data is collected from sources other than IRS records and therefore is deemed to be complete.
c. Is the data current? How do you know?
No data is collected from sources other than IRS records, and therefore is deemed to be current.
4. Are the data elements described in detail and documented? If yes, what is the name of the document?
Yes. The informational data elements are documented in the IDRS Online Reports Services System Operations Guide, dated March 11, 2004 (See also Attachment 1.)
Access to the Data
1. Who will have access to the data in the system (users, managers, system administrators, developers, other)?
IORS users include MA&SS IDRS security staffs and the designated security personnel and the IRS managers of IDRS users from the business organizations. IORS enables its users to view the IDRS security reports for the purposes of verifying that: (1) entered security transactions are authorized and documented, (2) user attempted and actual IDRS accesses were not done with the intent to perform unauthorized accesses to taxpayer accounts or inappropriate actions on IDRS.
2. How is access to the data by a user determined? Are criteria, procedures, controls, and responsibilities regarding access documented?
All IORS users’ accesses to IDRS report data are controlled by predefined permissions and capabilities given to users based on their positions and their business organization approval for the individual to serve as either an IORS primary recipient or IDRS Unit Security Representative, as document in the IORS Systems Requirements Document, dated December 6, 2002. The Business organization managers identify who will have access to IORS. Access is limited to managers, Unit Security representatives, or IDRS coordinators who are involved with overseeing user activities on IDRS. Also, in Mission Assurance the IDRS security staffs have IORS access. The Categories of users is determined by the user’s job as identified by management.
The User Groups have access to reports, which are differentiated as follows:
* Category I users have access to all business organizations and campus reports. Only MS&SS IDRS National Program staff are in this category. Three users are category I users.
* Category II users have access to all reports but only for the IDRS units that are in their campus domain. Only MA&SS campus data security staffs are in this category. Thirty-five users are in category II.
* Category III users are authorized IDRS Unit Security Representatives or the managers of IDRS security reports. Individuals who are designated as the primary recipients have access to the six category 3 reports but only for their designated IDRS units. Non primary recipients have to be given permissions to view the reports from the primary recipient of the unit or from a category I or II user. IORS has about 3,800 category III users.
Business Organization Users
IRS policies and procedures including IRM 25.10.3 identify the responsibilities for IDRS Unit Security Representative (USR) and the managers of IDRS users. The responsibilities include the review and certification of various IDRS security reports. IORS has automated the distribution of, access to, and the ability to comment and certify security reports.
Mission Assurance & Security Services IORS Users
Mission Assurance & Security Services (MA&SS) IORS users come from either the IDRS National Program Office or the Campus Data Security Staffs. IDRS National Program Office staff may view reports for all campus and all IDRS units. This requirement is necessary to insure that the system is working as intended. The campus data security staffs are limited to reviewing report information for the IDRS units that are under their specific IDRS campus domain.
3. Will users have access to all data on the system or will the users’ access be restricted? Explain.
Proxy only receives the permissions of the granting primary recipient. Also the primary recipient designates how long the proxy will be in effect. The maximum time for a proxy is 60 days. The primary recipient can withdraw the proxy at anytime.
IORS has the capability for users’ (recipient of the reports) to give their permissions to another users (secondary recipient) when the primary user is not available for a period of time.
All IRS business organization’s staff accesses to IDRS reports as presented in IORS are limited by the users’ authorized IDRS units. Access to unit information is provided via three ways:
* User is designated as the primary recipient for one or more IDRS units by their business organization management. Primary recipients are automatically given the capability to view report information from the six category 3 reports for their designated units.
* User becomes a secondary recipient when that individual receives access to view a report and the information for an IDRS unit from a primary recipient. Until a secondary recipient is provided permission from a primary recipient, that individual is a “non recipient” in IORS and although he/she can access IORS, that individual can not review any report information.
* User is designated as a proxy recipient only when a primary recipient has designated an individual to perform their primary recipient responsibilities. When a user is given a proxy permission, the proxy recipient acquires all rights of the granting primary recipient and granting primary recipient loses their primary recipient permissions. In IORS a proxy can only be active for up to 60 days and the granting primary recipient can remove the proxy permissions at any time.
4. What controls are in place to prevent the misuse (for example, browsing) of data by those having access?
In IORS all auditable events are captured and can currently be retrieved by the System Administrator. A change request scheduled for implementation in September 2007 will allow auditable events to be retrieved by MA&SS security staff within IORS for a two year period and then the transactions would be stored off line for an additional three years. Only Mission Assurance security staff directly associated with IDRS security will be able to request IORS audit trails maintained off line which will be returned to IORS upon request. All accesses to IORS are recorded in IDRS and IORS audit trails in accordance with IRM 25.10.1.3.11. 5.
a. Do other systems share data or have access to data in this system? If yes, explain.
IORS receives formatted IDRS Security reports from the IDRS batch reports system. IORS does not provide data to any other system.
b. Who will be responsible for protecting the privacy rights of the taxpayers and employees affected by the interface?
IORS is reporting on the security and access transactions performed by security personnel and users of IDRS. Taxpayer data is only reported to show that an employee or employee’s spouse account was accessed. Controls in IORS prevent IORS from viewing reports and data that they are not authorized to view.
6. a. Will other agencies (international, Federal, State, Local, or other) share data or have access to data in this system?
No international, Federal except for the Treasury Inspector General for Tax Administration (TIGTA), State, or Local Agency share or have access to the data on a regular basis. TIGTA users are on IDRS; therefore, their managers have access to IORS to review their user IDRS activities. Also temporary access to IORS could be given to GAO and TIGTA auditor to support a specific audit objective. In addition, temporary access is given to TIGTA and GAO when these organizations are performing audits that require the review of IDRS security reports or if IORS is being review directly.
b. How will the data be used by the agency?
TIGTA managers are reviewing their user activities on IDRS via the IDRS security reports in IORS. GAO access is limited to assessing IRS managers and security staffs review of the IDRS Security reports.
c. Who is responsible for assuring proper use of the data?
TIGTA managers only see the IDRS security reports that relate to their employee activities. GAO’s interests are limited to ensuring that IRS managers and security staffs are properly reviewing IDRS security reports. These accesses are only provided when an approved audit is in effect.
d. How will the system ensure that agencies only get the information they are entitled to under IRC 6103?
See response above.
Attributes of the Data
1. Is the use of the data both relevant and necessary to the purpose for which the system is being designed?
The data elements are relevant and necessary, because they will allow the security personnel and IRS managers of IDRS users to review specific activities that have been documented in the IDRS audit trail that require validation or follow-up in order to comply with Internal Revenue Manual (IRM), Section 25.10.1.3.11, Managers of System Users Must Review Audit Trails and Reports.
2. a. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected?
IORS allows the security personnel to enter comments and actions taken as a result of a reported activity and provides a structured query capability that allows for the IORS users to identify predefined events and patterns or behavior over a period of time.
b. Will the new data be placed in the individual's record (taxpayer or employee)?
Report data for employees who have been identified as possibly committing unauthorized or inappropriate actions will get forwarded to IRS Labor Relations or TIGTA for additional follow-up. No report data is added to an employee’s file without additional follow-up by authorized personnel. All referrals to LR are done by regular mail or secured e-mail.
c. Can the system make determinations about taxpayers or employees that would not be possible without the new data?
No. IORS will not make determinations about taxpayers or employees. Aggregated data may be used by IRS Managers or security personnel in accordance with IRS policies for further analysis.
d. How will the new data be verified for relevance and accuracy?
IORS not verify the aggregate data. TIGTA, Labor Relations, security personnel and the managers of IDRS users will verify that aggregate data produced by the IDRS Reports for relevance and accuracy in accordance with IRS policies and IRM 25.10.1.3.11. 3.
e. If data is being consolidated, what controls are in place to protect the data from unauthorized access or use?
Consolidated data created by designated IRS managers and security personnel is protected by IRS rules of behavior and IRS End-User Equipment & Services (EUES) desktop procedures and security controls.
f. If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain.
No known processes are being consolidated.
4. How will the data be retrieved? Can it be retrieved by a personal identifier? If yes, explain.
In IORS all activity listed on a report must be access using the IDRS unit number which represents the first five digits of the employees IDRS number. After the unit number has been identified all employee activities in that unit are grouped under that unit number. Each employee has an additional 5 digit number referred to as employee sequence number. The unit number and the employee sequence number represent the unique IDRS employee number for that user. Because all IDRS users are identified by employee number, obtaining information on an employee’s activities can only be done using the unit number first, even when the employee’s name or SEID are on the report. After the selection of the unit number, report information can be sorted or searched to find the user’s name or SEID. The SEID was added to IDRS to support a specific business requirement to enable an IDRS user to locate another IDRS user who has entered a case control against a taxpayer’s accounts. When an IDRS user’s 10 digit employee number is entered along with the command code FIEMP ( find employee), IDRS returns the employee’s name, SEID, phone number, and whether the employee’s account is active on IDRS, This is an IDRS screen and is not a report in IORS. However, the IDRS user’s data is retained in the IDRS Master Register file.
What are the potential effects on the due process rights of taxpayers and employees of:
a. consolidation and linkage of files and systems?
There are no consolidations or linkage of files or systems by IORS that identify information abut taxpayers.
b. derivation of data?
There is no derivation of data by the IDRS Online Reports Services application.
c. accelerated information processing and decision making?
IDRS Online Reports Services supports accelerated information processing and decision making. Due process rights of taxpayers and employees are preserved through IRS processes and procedures.
d. use of new technologies?
IORS uses existing technology that has been certified and accredited including the application of operational controls as defined in IRM 25.10.1.3.11.
How are the effects to be mitigated?
IORS has no adverse effects on the due process rights of taxpayers and employees that require mitigation. The taxpayers and employees can use the Appeals processes that are already in place.
Maintenance of Administrative Controls
1. a. Explain how the system and its use will ensure equitable treatment of taxpayers and employees.
The system makes no differentiation regarding the treatment of taxpayers and employees. Extracts from the audit trail data are collected based solely on user security actions and summaries of user activities. The IRS Security reports are focused on users with security permissions; IDRS users who access their own/spouse accounts or other employee tax accounts, and users who attempt to perform non permitted IDRS accesses such as use of a non-authorized command code. IDRS Security reports do not address accesses made to the general public’s tax accounts.
b. If the system is operated at more than one site, how will consistent use of the system and data be maintained in all sites?
IORS is operated from one site. Mission Assurance & Security Services staff is responsible for controlling use of IORS. All users must have been approved to access IDRS as supported by their managers approval and must be approved to access IORS as controlled by the security command code “REPT” that can only be put into a user IDRS profile by a Mission Assurance & Security Services authorized user.
c. Explain any possibility of disparate treatment of individuals or groups.
They is no possibility of disparate treatment. All individuals or groups are treated equitably.
2. a. What are the retention periods of data in this system?
IORS retains IDRS security reports in an online status based on the type and frequency of reports. Daily reports are online for 31 days, Weekly reports for 13 weeks, Monthly reports 4 months, and Quarterly reports for 5 quarters. After the defined online status ends, the reports are transferred to an online archive status. All reports will stay in the online archive for the remainder of the year that they were transferred to the archive and all of the following year. Afterwards the reports with user comments are moved offline until the 60 month period from creation is completed. User transactions of activities within IORS will be moved to offline storage 24 months after the creation date. User transactions will be retained for a period of 60 months from the date of creation of which 36 months will be in offline storage. The data is retained in accordance with Internal Revenue Manual 1.15.2, Records Disposition Handbook, chapters 5 and 10, respectively.
b. What are the procedures for eliminating the data at the end of the retention period? Where are the procedures documented?
Procedures for eliminating IORS data at the end of the applicable retention periods are defined in Enterprise Computing Center – Martinsburg’s standard operating procedures and comply with Internal Revenue Manual 1.15.2, Records Disposition Handbook, chapters 5 and 10, respectively.
c. While the data is retained in the system, what are the requirements for determining if the data is still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations?
IORS contains extracts of SACS/IDRS audit trail data. IORS users can not modify this data. Thus, transactions ensure that query results are accurate, relevant, timely, and complete.
3. a. Is the system using technologies in ways that the IRS has not previously employed (for example, caller ID)?
IORS uses no new technologies.
b. How does the use of this technology affect taxpayer/employee privacy?
Not applicable, because the IDRS Online Reports Services is using extracts of audit trail data to report who, what, when, and how data is accessed.
4. a. Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain.
Yes. Report data and queries associated with the IDRS Online Reports application allow managers and security personnel to view specific actions of IRS employees on IDRS by their IDRS employee number. Audit data indicates the dates and times employees performed specific types of transactions. However because the reports do not contain all the transactional data from the IDRS SACS audit trail, information about when and how long a user is logged on to IDRS and what taxpayer accounts were accessed other than other employee accounts can not be determined.
b. Will this system provide the capability to identify, locate, and monitor groups of people? If yes, explain.
The purpose of the system is to identify IDRS users group that potentially perform inappropriate activities. IORS is showing reports that identify some IDRS user transactions.
c. What controls will be used to prevent unauthorized monitoring?
Access to IORS is supported by user authentication that is performed by SACS. IORS access controls are designed to only allow authorized users to see their segments of the IDRS security reports. Authorization is based on the user role as identified by their IRS business management.
5. a. Under which Systems of Records Notice (SORN) does the system operate? Provide number and name.
IDRS Online Reports Services is part of the IDRS Security application and is covered by Privacy Act Systems of Record Notice Treasury/IRS 34.037, IRS Audit Trail and Security Records.
b. If the system is being modified, will the SORN require amendment or revision?
No. IDRS Online Reports Services applications adds no new data to the report information that is not covered by the existing SORN. User actions and certifications are associated with the security reports.
|
