Accessibility Skip to Top Navigation Skip to Main Content Home  |  Change Text Size  |  Contact IRS  |  About IRS  |  Site Map  |  Español  |  Help  
magnifying glass
Advanced Search   Search Tips

Data Passed to Private Collection Agencies (F&PC)

 

Privacy Impact Assessment – Data Passed to Private Collection Agencies (PCAs) in the Filing & Payment Compliance Project Release 1.0

Data Passed to PCAs/F&PC System Overview

This PIA addresses the taxpayer account data that will be passed from the F&PC System to the PCAs, and received back from the PCAs. This PIA is for F&PC Release 1.0; separate PIAs will be prepared for Releases 2 and 3.

The new F&PC System will serve as an inventory management system to assign, exchange, monitor, control and update delinquent taxpayer accounts between the IRS Authoritative Data Source (ADS) and the Private Collection Agencies with whom IRS will contract. 

More specifically, the F&PC System will provide inventory management and tools to determine PCA case assignment and potential resolution. The new system will assign and deliver delinquent taxpayer account data to PCAs (using secure email for Release 1.1 and Registered User Portal (RUP) for subsequent releases) and provide tax account updates on a daily and weekly basis. Case attributes will be effectively identified, segmented, and prioritized to select and prioritize taxpayer cases with a greater probability of paying the tax liabilities in full or through installment agreements.  

System of Records Number(s)

Treasury/IRS 26.055 (proposed) Filing and Payment Compliance
Treasury/IRS 26.019 Taxpayer Delinquent Account (TDA) Files
Treasury/IRS 26.020 Taxpayer Delinquency Investigation (TDI) Files
Treasury/IRS 26.055 Filing and Payment Compliance (draft in process)
Treasury/IRS 34.037 IRS Audit Trail and Security Records System

DATA IN THE SYSTEM

1. Describe the information (data elements and fields) available in the system in the following categories:

A. TAXPAYER: 
The IRS Authoritative Data Source (ADS) will identify potential delinquent accounts for PCA placement and send them to the F&PC System.  The F&PC System will send the eligible accounts to the assigned PCA for action. 

For this PIA, the necessary data elements that will be sent to PCAs via secure (encrypted) email are:
* Taxpayer Name(s) and Address
* Primary and Secondary Taxpayer Identification Number (TIN) and TIN Cross-reference TIN if applicable
* Type of Tax, e.g. 1040
* Filing Status
* Balance Due Amount
* Source and Date of Assessment(s), i.e., TC 150, 300, 290)
* Assessed Penalty and Interest
* Accrued Penalty and Interest
* Collection Statute Expiration Date (CSED)
* Last three payment dates and amounts (including withholding, estimated tax payments, federal tax deposits, refund offsets, reversed or unpostable payments, etc.)
* Undelivered Mail Indicator
* Business Operating Division (BOD) indicator
* Current and prior PCA (Private Collection Agency) indicator
* Power of Attorney Name and Address
* Subsequent penalty, interest, balance, entity and assessment updates.

In order to answer basic, but important questions that a taxpayer may have regarding their liability, PCAs would only receive the necessary information regarding a taxpayer and the taxpayer’s outstanding tax liability.  PCAs would not receive information regarding a taxpayer’s total or adjusted income, sources of income, results of IRS examinations, delinquency history for liabilities not being handled by the PCA, or employer information. PCAs would not be permitted to address questions about the validity or basis of the liability.

B.  IRS EMPLOYEE: 
IRS F&PC Referral Unit and Oversight Group employees will have authority to access accounts in the F&PC System for case review and processing. These employees will complete Form 5081, Information System User Registration/Change Request.  Their authorization profile will include their User Identification, role designation and Standard Employee Identifier (SEID). 

C.  AUDIT TRAIL INFORMATION:
A permanent, online audit trail will be maintained on every case accessed by a user, including user ID, time of access, taxpayer’s TIN, time on the case, and counts of various transactions performed during the case access.  

A permanent, online audit trail will be maintained on every update of table-based parameters and reference tables (including the user table), including user ID, time of activity, type of table updated, and details of the update.
 
The audit trails will be reviewed and validated using reports.   F&PC project management is looking at the methodology to accomplish Negative TIN checking in a future F&PC release.

D.  OTHER:

PCAs will send back event transactions and data transactions with updated levy source information.

2. Describe/identify which data elements are obtained from files, databases, individuals, or any other sources.

A. IRS
B. Taxpayer
C. Employee
D. Other Federal Agencies (List agency)    None.
E. State and Local Agencies (List agency)  None.
F. Other third party sources (Describe)

The IRS Authoritative Data Source (ADS) contains data derived directly from the taxpayer via recent filings and/or the most current correspondence.

Third parties identified as levy sources will be secured from the taxpayer or verified by the taxpayer.  IRS will not use unverified sources of levy.  PCAs will not have access to IRS levy sources.

Other agency and public sources of data will be used if available but no action can be taken without corroborative verification.

3.  Is each data item required for the business purpose of the system?  Explain.

Yes.  This data will provide PCAs with the basic but necessary information to help them discuss and resolve a delinquent taxpayer account.  This will allow the PCAs to effectively discuss the taxpayer’s delinquency, answer related questions, and effect resolution.  In addition, this will minimize referrals back to the IRS and minimize taxpayer burden by providing information that will most likely be required to discuss and resolve the delinquency.

It is important to note that a pilot program in 1996 over-restricted the amount of information that could be provided to PCAs for purposes of collecting outstanding liabilities.  This resulted in many unresolved cases due to the PCAs’ inability to respond to straightforward questions about a taxpayer liability.  Having more complete data will allow the PCAs and the taxpayers to work together to more effectively resolve the liability and close the case.

4. How will each data item be verified for accuracy, timeliness, and completeness?

The IRS data and data sources have been reviewed and corrected, and therefore are considered accurate and complete by the time the collection process reaches this phase.  Also, taxpayer data will be current as of the latest submitted returns, taxpayer correspondence and/or payments to IRS and updated to the ADS.  

Taxpayer information collected from third parties will be verified to the greatest extent practicable.  This process is designed to include a validation investigation/review of the data collection, storage and transfer mechanisms.  Once this validation process is complete, only validated data sources will be used. 

If a taxpayer informs a PCA that some or all of their information is incorrect, the PCA will pass the corrected information to the IRS Referral Unit for verification.

Other data integrity checks will be performed by the application as incoming data is processed through the application’s data import interface.  Data that conforms to business rules and integrity checks will be posted.  Non-conforming data will be posted to a suspense file for examination and resubmission upon correction.

5. Is there another source for the data?  Explain how that source is or is not used.  No.

6. Generally, how will data be retrieved by the user?  

IRS Authoritative Data Source will pass delinquent taxpayer account data to the new F&PC System which will reside on an IRS platform in a secure facility.   

The new F&PC System inventory management application will receive delinquent account information from the ADS and will route and control these accounts via Electronic File Transfer Utility (EFTU) to the Common Communications Gateway (CCG), File Transfer Protocol (FTP), to the PCA locations.  For subsequent releases, data will be sent to an IRS Secure Object Repository (SOR) and PCAs will retrieve the information via a secure Registered User Portal (RUP).

7. Is the data retrievable by a personal identifier such as name, SSN, or other unique identifier? 

Yes.  IRS retrieves individual taxpayer accounts by the Social Security Number (SSN) they use to file their federal income tax returns.

ACCESS TO THE DATA

8. Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Others)?

Access will be allowed strictly on approved security roles based on job responsibilities and need-to-know.  Specific roles will be assigned to groups of users who will be granted access based on individual authority. 

A.  IRS:
Employees assigned to the IRS F&PC Oversight group and the IRS F&PC Referral group will have access to the data in the F&PC System data according to their job requirements.  Access will be restricted to only that data needed to perform their assigned duties.  All IRS rules and regulations against browsing and unauthorized access will be reemphasized and monitored.  Procedures will be in place to deter and detect browsing and unauthorized access. 

Specific roles will be assigned to the following job categories; employees in these groups will have whole or partial access to data based on their need to know and individual authorization. 
* IRS Referral Unit employees
* Policy, Program, Research, Reports and Quality Analysts
* Manager
* System Administrator
* Database Administrator
* System Developer
* Security Specialists
* Contracting Officer’s Technical Representative (COTR)
* Taxpayer Advocate Service employees

B.  F&PC System 
The F&PC System will reside on an IRS platform in a secure facility (for Release 1.1, the system will be in a secure room at the New Carrollton Federal Building (NCFB); for subsequent releases it will be in a modernized environment).

COTS Contractor employees will need access to the F&PC System and data in order to effectively implement and manage F&PC System software and to provide requisite support to IRS.  Theses employees must successfully pass a Personnel Screening and Investigation (PS&I) appropriate to their job responsibilities.  Examples of these individuals include System Developers and System Testers.

C.  PCA (Collection Contractor) Employees
PCA managers, caseworkers and system administrators will have access to the data only for the purposes they are authorized.  Appropriate Contractor employees must successfully pass a Personnel Screening and Investigation and be trained on IRS security, safeguards and privacy policies and procedures, including the consequences for violations.  They will be held to the same ethical standards regarding disclosure and privacy as IRS employees.

Audit trails, logs and user profiles will be used to protect the integrity of F&PC System and the F&PC project.  Enterprise access-control security mechanisms, policies and procedures will be leveraged to protect all data.

No PCA employee will be given more information than is needed to perform his/her duties.  To avoid inadvertent disclosures, PCA employees shall keep Federal tax data separate from other PCA accounts or information.  Any PCA employee receiving return information for an authorized use may not use the returns or information in any manner or for any purpose not consistent with that authorized use.  An unauthorized secondary use is specifically prohibited and may result in discontinuation of disclosures to the PCA Contractor and imposition of civil or criminal penalties on the responsible officials and their employees.

9. How is access to the data by a user determined and by whom? 

PCA employees will only have access to cases assigned to them.  PCA managers will only have access to cases and information assigned to their employees.  Information system administrators and others will have access based on their authorized duties. 

Appropriate PCA managers and employees must successfully pass a Personnel Screening and Investigation and be trained on IRS security and privacy policies and awareness, including the consequences for violations.  The PCAs will be required to submit verification of the successful PS&I and copies of the non-disclosure forms to the IRS before they can have access to the taxpayer data. 

These PCA managers and employees must complete IRS-certified Privacy, Safeguard and Disclosure awareness training and must certify in writing that they have successfully completed this training before they can work on a delinquent taxpayer account.

Audit trails, logs and user profiles will be used to protect the integrity of the systems.

Taxpayer confidentiality will be maintained at all times through a combination of training and strict oversight.  The IRS will evaluate the integrity of thea PCAs’ computer systems to protect against browsing of taxpayer information.  PCAs’ systems will be required to maintain a log of when taxpayer information is accessed, which will be audited periodically by the IRS.  On-site security reviews will be performed to ensure that PCAs implement appropriate access controls to segregated areas where IRS work will be performed.

10. Do other IRS systems provide, receive, or share data in the system?  If YES, list the system(s) and describe which data is shared.  If NO, continue to Question 12.

No.  This PIA addresses the taxpayer data that is passed to, and received back from, private collection agencies. 

11. Have the IRS systems described in Item 10 received an approved Security Certification and Privacy Impact Assessment?  Yes.

12.  Will other agencies provide, receive, or share data in any form with this system?

Yes, the Treasury Inspector General for Tax Administration (TIGTA) which provides independent oversight of IRS activities and administration of the internal revenue laws.

Other agencies will not provide, receive or share data with this system.  However, subsequent uses of the data as may be required or allowed by law fall outside the scope of this project.

ADMINISTRATIVE CONTROLS OF DATA

13.  What are the procedures for eliminating the data at the end of the retention period?

Upon completion of a contract, PCAs must follow procedures for retention and destruction of data outlined in their Task Order (Contract) with IRS.  Data destruction will comply with IRS safeguards and NIST National Archives (NARA) requirements.

14.  Will this system use technology in a new way?  If "YES" describe.  If "NO" go to Question 15.   No. 

15.  Will this system be used to identify or locate individuals or groups?  If so, describe the business purpose for this capability.

The F&PC System is an inventory management system and is not capable of physically locating individuals or groups.  PCAs, however, will attempt to locate individual taxpayers through their external information sources and other available public and private databases.  Only IRS Referral Unit employees can validate new demographic information secured by the PCAs and upload it to the F&PC System.

16. Will this system provide the capability to monitor individuals or groups? If yes, describe the business purpose for this capability and the controls established to prevent unauthorized monitoring.  No. 

17. Can use of the system allow IRS to treat taxpayers, employees, or others, differently?  Explain.  No.
 
18. Does the system ensure "due process" by allowing affected parties to respond to any negative determination, prior to final action?

Taxpayers will have the same due process rights as if their case were worked by an IRS employee.  PCAs can only ask for full payment, establish a repayment plan, or ask the taxpayer to file a delinquent return.   If the taxpayer cannot comply, the case will be returned to the IRS Referral Unit for final determination and resolution. 

Taxpayers may also seek assistance from the Taxpayer Advocate Service (TAS).  PCAs must immediately refer to the IRS designated point of contact any case where such assistance is requested or where the taxpayer describes a significant hardship to the IRS designated point of contact.

Also, Taxpayers who wish to file a complaint about the Contractor will be given the address of the IRS COTR, in writing as part of the account assignment privacy notification letter from the PCAs to the taxpayers.  This information also will be provided verbally, and as verbally if appropriate, during conversations with taxpayers.

19.  If the system is Web-based, does it use persistent cookies or other tracking devices to identify web visitors?

No tracking technologies or persistent cookies are used other than those voluntarily provided by the registered or authorized users of the system.  Appropriate Privacy notices will be posted in each instance as users log-in and are requested to provide personally identifiable information, as required by the E-Government Act of 2002, OMB Guidelines, and IRS policies and procedures. 
 


Page Last Reviewed or Updated: January 03, 2007