
Internet Refund Trace (IRTRC)

 

Privacy Impact Assessment – Internet Refund Trace (IRTRC)

IRTRC System Overview

IRTRC will provide the ability for taxpayers to initiate a Refund Trace (or re-issuance of their refund check). Taxpayers may access the IRTRC via the Internet Refund Fact of Filing (IRFOF) application by clicking on a link on the IRS home page, http://www.irs.gov. The IRFOF application will authenticate user input “shared secrets,” (i.e., Taxpayer Identification Number (TIN), filing status, expected refund amount) and display read-only refund status information. If the taxpayer’s refund status indicates that their check was mailed beyond the waiting period time (i.e., > 28 days), the IRFOF application will give the taxpayer the option to execute the IRTRC application.  The IRTRC application will take the taxpayer through a second round of authentication by prompting them for their address dwelling number.  If the taxpayer passes authentication, they will then be given the ability to request that a Refund Trace be initiated.

System of Records Number(s)

Treasury/IRS 24.030--CADE Individual Master File (IMF) (Formerly: Individual Master File (IMF))
Treasury/IRS 24.046--CADE Business Master File (BMF) (Formerly: Business Master File (BMF))
Treasury/IRS 34.037--IRS Audit Trail and Security Records System

Data in the System

1. Describe the information (data elements and fields) available in the system in the following categories:

A. Taxpayer
B. Employee
C. Audit Trail Information (including employee log-in info)
D. Other (Describe)


A. Taxpayer information which is accessed and which must be provided to the system includes the following: Taxpayer Identification Number, Filing Status, Expected Refund Amount, Address Dwelling Number. 

B. N/A

C. The system will collect MIS information related to the taxpayer’s use of the application (e.g., how many hits encountered, how many taxpayers successfully initiated a trace, what links were followed, etc.)

D. N/A

2. Describe/identify which data elements are obtained from files, databases, individuals, or any other sources.

A. IRS
B. Taxpayer
C. Employee
D. Other Federal Agencies (List agency)
E. State and Local Agencies (List agency)
F. Other third party sources (Describe)

A. IDRS
B. Refund Trace eligibility indicator, and address dwelling number information
C. N/A
D. N/A
E. N/A
F. N/A

3.  Is each data item required for the business purpose of the system?  Explain.

Yes.  This application is tailored for a very specific purpose and only those data elements which are needed to fulfill that purpose are requested and / or displayed.  A positive match must be made between information for all 3 user-entered fields (the “shared secret” information) and IRS information systems in order to ensure the true identity of the taxpayer requesting the information about their Refund.  Three shared secret credentials are matched to prevent unauthorized parties from randomly guessing any 1 specific credential (such as TIN), thereby gaining unlawful access to data other than their own.  In addition, the taxpayer’s address dwelling number is requested as a secondary authentication.  Passing this level of authentication will give the taxpayer the ability to initiate a Refund Trace.

4. How will each data item be verified for accuracy, timeliness, and completeness?

All data collected from and displayed to the user will be verified against or displayed from existing IRS information systems in real time.  The maintenance and upkeep of those systems and the data contained therein is beyond the scope of this application and this document.

5. Is there another source for the data?  Explain how that source is or is not used.

No, there is no other source from which to obtain necessary information.

6. Generally, how will data be retrieved by the user? 

Data will be retrieved from IRS records by the user through the publicly available web front-end portion of the application XXXXX XXXXX XXXXX XXXX XXX XXXX XXX web browser application such as Internet Explorer or Netscape Navigator.  Users will have no direct access to IRS systems beyond the front end web server.  Users shall only have such access to the web server as is necessary to provide IRTRC with information to perform its intended purpose and view the resulting information display.

7. Is the data retrievable by a personal identifier such as name, SSN, or other unique identifier? 

IRTRC retrieves personal taxpayer information based on TIN/SSN, filing status, expected refund amount, and address dwelling number.  Taken on its own, the TIN/SSN is enough to identify an individual; however, the system will not provide any information unless the user also correctly enters the filing status and expected refund amount they declared on their current tax return, and their address dwelling number.  Taken either on their own or together, without the TIN/SSN, the filing status, expected refund amount, and address dwelling number are meaningless and cannot personally identify any single person.

Correct matches must be found on all 4 data fields taken as a whole before the system will allow the user to request a refund trace.

Access to the Data

8. Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Others)?

Primary access of data in the system will be by individual taxpayers. The developers will collect MIS information related to the taxpayer’s use of the application (e.g., how many hits encountered, how many taxpayers successfully received EITC information, what links were followed, etc.)  No taxpayer data will be collected.

9. How is access to the data by a user determined and by whom? 

Access to the data is determined automatically by the system depending on whether the user correctly entered shared secret information or if any data was successfully retrievable given a set of shared secret credentials.

10. Do other IRS systems provide, receive, or share data in the system?  If YES, list the system(s) and describe which data is shared.  If NO, continue to Question 12.

Yes.  This information is provided by Integrated Data Retrieval System (IDRS) through the Customer Communications Interactive Processor (CCIP) interface.

11. Have the IRS systems described in Item 10 received an approved Security Certification and Privacy Impact Assessment?  Yes.

12.  Will other agencies provide, receive, or share data in any form with this system?  No.

Administrative Controls of Data

13.  What are the procedures for eliminating the data at the end of the retention period?

No personally sensitive data is stored by the IRTRC application for longer than the user’s period of use or the automatic session timeout, whichever ends first, as explained in the above section labeled “Purpose of the System.”  Maintenance and upkeep of the information systems from which this system derives its data is beyond the scope of this application and this document.

14.  Will this system use technology in a new way?  If "YES" describe.  If "NO" go to Question 15. 

Yes, to automate, via the Internet, the processing of taxpayer requests for refund traces.

15.  Will this system be used to identify or locate individuals or groups?  If so, describe the business purpose for this capability.  No.

16. Will this system provide the capability to monitor individuals or groups? If yes, describe the business purpose for this capability and the controls established to prevent unauthorized monitoring.  No.

17. Can use of the system allow IRS to treat taxpayers, employees, or others, differently?  Explain.  No.

18.  Does the system ensure "due process" by allowing affected parties to respond to any negative determination, prior to final action?  N/A

19.  If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?

The system uses “session cookies” only.  The cookie contains a unique identifier which allows the web server to properly identify the user’s web client application only.  The value of the cookie usually resembles a randomly generated string of characters and is nonsensical to humans.  No personally identifiable or sensitive information is stored in client-side cookies.  The session cookie is destroyed when the user terminates their web browser client, logs out of the application, or when the session timeout period has elapsed due to inactivity, whichever occurs first.

 


Page Last Reviewed or Updated: December 10, 2004