Privacy Impact Assessment – Internet Refund Address Change (IRADDR)
IRADDR System Overview
IRADDR will provide the ability for taxpayers to initiate a change to their address based on a Refund Status that indicates the Refund Check was undeliverable. Taxpayers may access the IRADDR via the Internet Refund Fact of Filing (IRFOF) application by clicking on a link on the IRS home page, http://www.irs.gov. The IRFOF application will authenticate user input “shared secrets,” (i.e., Taxpayer Identification Number (TIN), filing status, expected refund amount) and display read-only refund status information. If the taxpayer’s refund status indicates that their check was undeliverable, the IRFOF application will give the taxpayer the option to execute the IRADDR application. The IRADDR application will take the taxpayer through a second round of authentication by prompting them for their Adjusted Gross Income (AGI). If the taxpayer passes authentication, they will then be given the ability to submit corrections to their address.
System of Records Number(s)
Treasury/IRS 24.030 CADE Individual Master File (IMF), (Formerly: Individual
Master File (IMF))
IRS 24.046 CADE Business Master File (BMF) (Formerly: Business Master File (BMF))
IRS 34.037 IRS Audit Trail and Security Records System
Data in the System
1. Describe the information (data elements and fields) available in the system in the following categories:
A. Taxpayer
B. Employee
C. Audit Trail Information (including employee log-in info)
D. Other (Describe)
A. Taxpayer information which is accessed and which must be provided to the system includes the following: Taxpayer Identification Number, Filing Status, Expected Refund Amount, Adjusted Gross Income (AGI).
B. N/A
C. The system will collect MIS information related to the taxpayer’s use of the application (e.g., how many hits encountered, how many taxpayers successfully submitted an address change, what links were followed, etc.)
D. N/A
2. Describe/identify which data elements are obtained from files, databases, individuals, or any other sources.
A. IRS
B. Taxpayer
C. Employee
D. Other Federal Agencies (List agency)
E. State and Local Agencies (List agency)
F. Other third party sources (Describe)
A. IDRS
B. Address change eligibility indicator, current address information and AGI information
C. N/A
D. N/A
E. N/A
F. N/A
3. Is each data item required for the business purpose of the system? Explain.
Yes. This application is tailored for a very specific purpose and only those data elements which are needed to fulfill that purpose are requested and / or displayed. A positive match must be made between information for all 3 user-entered fields (the “shared secret” information) and IRS information systems in order to ensure the true identity of the taxpayer requesting the information about their Refund. Three shared secret credentials are matched to prevent unauthorized parties from randomly guessing any 1 specific credential (such as TIN), thereby gaining unlawful access to data other than their own. In addition, the taxpayer’s AGI is requested as a secondary authentication. Passing this level of authentication will give the taxpayer the ability to submit an address change.
4. How will each data item be verified for accuracy, timeliness, and completeness?
All data collected from and displayed to the user will be verified against or displayed from existing IRS information systems in real time. The maintenance and upkeep of those systems and the data contained therein is beyond the scope of this application and this document.
5. Is there another source for the data? Explain how that source is or is not used.
No, there is no other source from which to obtain necessary information.
6. Generally, how will data be retrieved by the user?
Data will be retrieved from IRS records by the user through the publicly available web front-end portion of the application using XXXXX XXXXX XXXX XXXX XXXX XXXXX web browser application such as Internet Explorer or Netscape Navigator. Users will have no direct access to IRS systems beyond the front end web server. Users shall only have such access to the web server as is necessary to provide IRADDR with information to perform its intended purpose and view the resulting information display.
7. Is the data retrievable by a personal identifier such as name, SSN, or other unique identifier?
IRADDR retrieves personal taxpayer information based on TIN / SSN, filing status, expected refund amount, and AGI from the Integrated Data Retrieval System (IDRS). Taken on its own, the TIN / SSN is enough to identify an individual however, the system will not provide any information unless the user also correctly enters both the correct filing status, expected refund amount, and the AGI they declared on their current tax return. Taken either on their own or together, without the TIN / SSN, the filing status expected refund amount, and AGI declared are meaningless and cannot personally identify any single person.
Correct matches must be found on all 4 data fields taken as a whole before the system will allow the user to submit an address change.
Access to the Data
8. Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Others)?
Primary access of data in the system will be by individual taxpayers.
9. How is access to the data by a user determined and by whom?
Access to the data is determined automatically by the system depending on whether the user correctly entered shared secret information or if any data was successfully retrievable given a set of shared secret credentials.
10. Do other IRS systems provide, receive, or share data in the system? If YES, list the system(s) and describe which data is shared. If NO, continue to Question 12.
Yes. This information is provided by the Integrated Data Retrieval System (IDRS) through the Customer Communications Interactive Processor (CCIP) interface.
11. Have the IRS systems described in Item 10 received an approved Security Certification and Privacy Impact Assessment? Yes.
12. Will other agencies provide, receive, or share data in any form with this system? No.
Administrative Controls of Data
13. What are the procedures for eliminating the data at the end of the retention period?
No personally sensitive data is stored by the IRADDR application for longer than whichever is former of the user’s period of use or the automatic session timeout as explained in the above section labeled “Purpose of the System.” Maintenance and upkeep of the information systems from which this system derives its data is beyond the scope of this application and this document.
14. Will this system use technology in a new way? If "YES" describe. If "NO" go to Question 15.
Yes, to automate via the internet, the processing of taxpayer corrections to their addresses.
15. Will this system be used to identify or locate individuals or groups? If so, describe the business purpose for this capability. No.
16. Will this system provide the capability to monitor individuals or groups? If yes, describe the business purpose for this capability and the controls established to prevent unauthorized monitoring. No.
17. Can use of the system allow IRS to treat taxpayers, employees, or others, differently? Explain. No.
18. Does the system ensure "due process" by allowing affected parties to respond to any negative determination, prior to final action? N/A
19. If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?
The system uses “session cookies” only. The cookie contains a unique identifier which can allow the web server to properly identify the user’s web client application only. The value of the cookie usually resembles a randomly generated string of characters and is nonsensical to humans. No personally identifiable or sensitive information is stored in client-side cookies. The session cookie is destroyed when the user terminates their web browser client, logs out of the application, or when the session timeout period has elapsed due to inactivity, whichever occurs first.
|
