
Individual Taxpayer Identification Number Real-time Application Processing System (ITIN-RTS)

 

Privacy Impact Assessment - Individual Taxpayer Identification Number Real-time Application Processing System (ITIN-RTS)

(ITIN-RTS) System Overview

The Individual Taxpayer Identification Number (ITIN) Real-time Application Processing System will replace the current ITIN pipeline processing systems (ISRP, GMF and IDRS).  The new ITIN system will provide a one-stop service in which ITIN (W-7 and Acceptance Agent) applications are worked start to finish in a single integrated system: ITIN application submission, application processing, ITIN issuance, and ITIN administration.  Only internal IRS users will have access to the new ITIN Real-time system, which will provide the means for on-line ITIN application processing via the web-based EUP portal.  No web access is provided for the general public.  A key feature of the ITIN Real-time System is that, upon W-7 data input, it systematically processes W-7s in real time and assigns the Document Locator Number (DLN) and a unique ITIN, or creates reject/suspense correspondence, as per automated business rules.  The applicant or the Acceptance Agent receives a CP565, ITIN Assignment Notice, by mail.

System of Records Number(s) (SORN) #: 
 
Treasury/IRS 34.037 IRS Audit Trail and Security Records System
Treasury/IRS 22.034 Individual Returns Files, Adjustments and Miscellaneous Documents
Treasury/DO .114--Foreign Assets Control Enforcement Records
Treasury/DO .118--Foreign Assets Control Licensing Records
Treasury/IRS 46.002--Criminal Investigation Management Information System (CIMIS)
Treasury/IRS 46.009--Centralized Evaluation and Processing of Information Items (CEPIIs), Evaluation and Processing of Information (EOI), Criminal Investigation Division


Data in the System

Describe the information (data elements and fields) available in the system in the following categories:

 Taxpayer
 Employee
 Audit Trail Information (including employee log-in info)
 Other (Describe) 
 
Taxpayer 
Applicant Individual Taxpayer Identification Number (ITIN)
Applicant Legal First Name
Applicant Legal Middle Name
Applicant Legal Last Name
Applicant Legal Suffix
Applicant First Name at birth
Applicant Middle Name at birth
Applicant Last Name at birth
Applicant Suffix at birth
Applicant Date of Birth
Applicant Country of Birth
Applicant State/Province of Birth
Applicant Gender
Applicant Country of Citizenship
Applicant Other Country of Citizenship
Tax Identification Number in Country of Residence
Applicant Foreign Country Code
Applicant’s Current Mailing Address 1
Applicant’s Current Mailing Address 2
Applicant’s Current Mailing City
Applicant’s Current Mailing State/Province
Applicant’s Current Country Code
Applicant’s Current Mailing Zip Code
Applicant’s Current Mailing Postal Code
Applicant’s Tax Address
Identification Document Submitted
ID State
Does the Applicant Name match the name on the documentation?
Further Translation Needed?
Issuing Country
ID Number
Document Expiration Date
U.S. Entry Date
Visa Type
Is the ID Valid?
Name of College/University or Company
City
Length of Stay
State
Allow a Third Party Designee to discuss this return with the IRS?
Third Party Designee’s Name
Third Party Designee’s Phone Number
Application Signature
Date Signed
Phone Number
Name of Delegate

Employee Data

Username (SEID) and password

Audit Trail

Access to systems through the EUP is fully tracked through the SAAS system.  A full description of all information tracked is available in EUP documentation.  Tracking includes at minimum login attempts (successful and unsuccessful) and specific application access.  Login information is time and date stamped.  Audit information is traceable directly to the employee's Standard Security Employee enterprise Identification number (SEID).

Other: Acceptance Agent Data

Enrolled Agent Number
Applicant’s Legal Name
EFIN
EIN
Name of Responsible Officer/Official or Owner of the Business
Title of Responsible Officer/Official or Owner of the Business
Date of Birth
Social Security Number
Office Code
Home Street Address
Home State/Province
Home City
Home Zip/Postal Code
Home Country
U.S. Status
Convicted of a Crime
Explanation
Company Doing Business As (DBA) Name
Business Location Address
Business State/Province
Business City
Business Zip/Postal Code
Business Country
Business Phone Number
Business Phone Number Extension
Business Fax Number
Business Fax Number Extension
Mailing Street Address
Mailing City
Mailing Zip/Postal Code
Mailing State/Province
Mailing Country
Open for Business 12 months a year?
Other Street Address
Other City
Other State/Province
Other Zip/Postal Code
Other Country
Other Phone Number
Other Phone Number Extension
Other Fax Number
Other Fax Number Extension
Primary Contact Number
Primary Title
Primary Email Address
Primary Phone Number
Primary Phone Number Extension
Primary Fax Number
Primary Fax Number Extension
Alternate Contact Name
Alternate Title
Alternate Email Address
Alternate Phone Number
Alternate Phone Number Extension
Alternate Fax Number
Alternate Fax Number Extension
Programs/Activities Planned
Public List?
ERO Approved Date
Agreement Signed Date
Agreement Expiration Date
Date Agreement Mailed
Termination Date

Describe/identify which data elements are obtained from files, databases, individuals, or any other sources.

IRS
Taxpayer
Employee
Other Federal Agencies (List agency)
State and Local Agencies (List agency)
Other third party sources (Describe)
 
IRS
IRS databases
IDRS using Command Codes ITDLN, NAMES, ENTCK, NMADD, TNDLN

Taxpayer - Form W-7 submission data

Employee -
Username and password

Other Federal Agencies (List Agency)
Treasury’s Office of Foreign Assets Control (OFAC)
Name
Tax Identification Number in Country of Residence
Passport

State and Local Agencies (List Agency) - Other

Other third party sources (Describe) -  N/A

Is each data item required for the business purpose of the system?  Explain.
 
Yes.  This application is tailored for a very specific purpose and only those data elements which are needed to fulfill that purpose are requested and/or displayed.

How will each data item be verified for accuracy, timeliness, and completeness?
 
All data collected from and displayed to the user will be verified against or displayed from existing IRS and Treasury information systems in real time. 

Is there another source for the data?  Explain how that source is or is not used.
 
No, there is no other source from which to obtain necessary information.

Generally, how will data be retrieved by the user?
 
Data will be retrieved from IRS records by IRS employees through the web front-end portion of the application using a standard 128-bit SSL encryption capable web browser application such as Internet Explorer or Netscape Navigator.  Users will have no direct access to IRS systems beyond the front end web server.  Users shall only have such access to the web server as is necessary to provide ITIN RT with information to perform its intended purpose and view the resulting information display.

Is the data retrievable by a personal identifier such as name, SSN, or other unique identifier?
 
The ITIN RT application retrieves personal taxpayer information from the Integrated Data Retrieval System (IDRS) based on the name, TIN and other data from the Form W-7.

Access to the Data

Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Others)?
 
Primary access of data in the system will be by IRS employees. Role based security will be implemented.  Access will be restricted to those IRS Employees or designated contractor representatives that have a valid authorized Online 5081 on file. 

Primary users will include: ITIN Unit Managers, ITIN Unit Examiners, ITIN clerical personnel, Accounts Management Toll-Free Customer Service Representatives and Field Assistance.  Designated Systems Administrators (SA) will have access to the data in the course of performing their SA duties (backup, maintenance, etc.).  SA system/data access will also be controlled through the Online 5081 system.  Systems will be fully secured against unauthorized access via IRS compliant mechanisms for Windows NT/2003 and Unix (Solaris).

How is access to the data by a user determined and by whom?

System/Data Access Control for users is via Online 5081 and the Employee User Portal access control mechanisms (fully documented in EUP documentation).

Do other IRS systems provide, receive, or share data in the system?  If YES, list the system(s) and describe which data is shared.  If NO, continue to Question 12.
 
Yes.  The data in Section 1A of this PIA is shared with the Integrated Data Retrieval System (IDRS) through the Command Codes (ITDLN, NAMES, ENTCK, NMADD, TNDLN), End Of Day (EOD10 batch) and the DM1 batch update.  Security and Communications System (SACS) provides access to IDRS CC’s NAMES and ENTCK.

Treasury’s Office of Foreign Assets Control (OFAC) provides the Specially Designated Nationals (SDN) Blocked List which is used to generate matches for the IRS Criminal Investigation Division.  National Print Strategy (NPS) receives letter/notice batch requests via IAP.  Business Operating Division Notice (BODNOT) Server will receive the number of print requests by BOD.  Application Messaging and Data Access Services (AMDAS) provides secure messaging.  Security Audit and Analysis System (SAAS) provides audit logging.

Have the IRS systems described in Item 10 received an approved Security Certification and Privacy Impact Assessment?  Yes.

Will other agencies provide, receive, or share data in any form with this system?
 
Yes.  Treasury’s Office of Foreign Assets Control (OFAC) provides the Specially Designated Nationals (SDN) Blocked List which is used to generate matches for the IRS Criminal Investigation Division.  Data is not provided back to OFAC.

Administrative Controls of Data

What are the procedures for eliminating the data at the end of the retention period?
 
After the retention period is over, the media is reused and the data is overwritten.

Will this system use technology in a new way?  If "YES" describe.  If "NO" go to Question 15.  No.

Will this system be used to identify or locate individuals or groups?  If so, describe the business purpose for this capability.
 
Yes. The Treasury’s Office of Foreign Assets Control (OFAC) provides the Specially Designated Nationals (SDN) Blocked List which is used to generate matches for the IRS CI Division. The OFAC process was initiated following recommendations from the ITIN Task Force as part of maximizing security screening of ITIN applicants.  The current matching routine is a three stage process.  The system checks for matches against a name key, then foreign tax ID, then passport, in that order, from data input from the Form W-7.  If at any point we determine a match, the application, all documentation and case files are pulled and forwarded to CI Operations in Garden City, New York for the OFAC process to continue.

Will this system provide the capability to monitor individuals or groups?  If yes, describe the business purpose for this capability and the controls established to prevent unauthorized monitoring.  No.

Can use of the system allow IRS to treat taxpayers, employees, or others, differently?  Explain.  No.

Does the system ensure "due process" by allowing affected parties to respond to any negative determination, prior to final action?
 
Yes. Suspense notices are issued, allowing 75 days to respond before further action (to include 15 day front-end and back-end time for foreign mail), before rejecting the Form W-7 application.  If this happens, a CP567 Rejection Notice is sent to the applicant’s address of record or to the Acceptance Agent.

If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?
 
Only internal IRS employees will use the system. User (employee) actions are tracked by SEID by SAAS.  Session cookies contain a unique identifier which can allow the EUP web server to properly identify the user’s web client application only.  The value of the cookie usually resembles a randomly generated string of characters and is nonsensical to humans.  No personally identifiable or sensitive information is stored in client-side cookies.  The session cookie is destroyed when the user (employee) terminates their web browser client, logs out of the application, or when the session timeout period has elapsed due to inactivity, whichever occurs first.


 

 


Page Last Reviewed or Updated: October 02, 2007