
Letter and Information Network User-Fee System

 

Privacy Impact Assessment – Letter and Information Network User-fee System

LINUS System Overview:

LINUS identifies Exempt Organizations/Employee Plans (EP/EO) application receipts or other cases established by the Cincinnati Sub-processing Center (CSPC) prior to the information rolling to the Employee Plans-Exempt Organizations Determination System (EDS).  The information entered into this application includes user fee records, generated acknowledgment letters, and generated determination case Document Locator Numbers (DLNs).

Applicants manually submit an Application for Determination for Adopters of Master or Prototype or Volume Submitter Plans Form (Form 5307) to Tax Exempt Determination System (TEDS) in Covington, KY.  A User Fee is also provided by the applicant with the application for processing.  The User Fee is processed and an acknowledgement letter is sent to the user indicating the status of the payment.  Following successful payment of User Fees, the Receipts and Controls Operations group for Small Business / Self-Employed (SB/SE) in Cincinnati manually inputs information from the forms.  This information is then pushed into LINUS.

LINUS users consist of approximately 30 in the Receipts and Controls Operations group and an additional small group of approximately 10 at the 550 Main Street building in Cincinnati that handle adjustments (refunds, insufficient funds, etc.) if a person doesn’t qualify for a user fee or sends a wrong amount.

Systems of Records Notice(s):

Treasury/IRS 50.222 - Tax Exempt/Government Entities (TE/GE) Case Management Records

Data in the System

1. Describe the information (data elements and fields) available in the system in the following categories:
A. Taxpayer
B. Employee
C. Audit Trail Information (including employee log-in info)
D. Other (Describe)

A. Taxpayer:
* name
* social security number
* address
* refund amount
* vendor name
* vendor ID
* user fee records
* accounts payable data
* accounts receivable data
* amount owed to vendor
* due date
* discount points/percentage
* payment authorization authority
* used equipment resale amount
* acknowledgement letters
* document locator numbers
* employer identification numbers

B. Employee:

There is no employee information processed in LINUS beyond user login (User ID and Password) information.

C. Audit Trail Information:

The User Fee record and every Refund record added to LINUS contains the TAX Examiner (TE)

D. Other:  N/A. 

2. Describe/identify which data elements are obtained from files, databases, individuals, or any other sources.
A. IRS
B. Taxpayer
C. Employee
D. Other Federal Agencies (List agency)
E. State and Local Agencies (List agency)
F. Other third-party sources (Describe)

A. LINUS does not contain IRS-specific data.

B. Taxpayer data listed in item 1.A. is transferred to LINUS from the Tax Exempt Determination System (TEDS) which relays data to the Employee Plans-Exempt Organizations Determination System (EDS).

C. LINUS does not contain employee data.
D. LINUS does not contain other Federal Agencies data.
E. LINUS does not contain data from State or local agencies.
F. No other third-party sources provide data to LINUS.

3. Is each data item required for the business purpose of the system?  Explain.

Yes, all information is essential.  All data in LINUS is necessary for its business functions, as well as the data that comes into LINUS from TEDS and the information that is transferred to EDS.  No data is redundant or unnecessary.

4. How will each data item be verified for accuracy, timeliness, and completeness?

LINUS limits user inputs for designated fields within the application. Checks on the valid syntax of application inputs (e.g., character set, length, numerical range, acceptable values) are in place to ensure that inputs match specified definitions for format and content. For example, date fields are limited to date formats (e.g., MM/DD/YYYY).  The application has a mechanism in place to check for accuracy, completeness, and validity.

The LINUS application provides built-in error handling functions that notify the user with a response corresponding to the user-performed action. The user error messages generated by the application provide timely and useful information to users without revealing information that could be exploited by adversaries. The responses are contingent upon how the database administrator configured the application to accept/respond to inputs into the application.  The application server uses an internal logging system for security issues or application-level errors and notifies the user(s) accordingly.

5. Is there another source for the data?  Explain how that source is or is not used.

No.  TEDS is the only system feeding data into LINUS.  LINUS currently transfers data to EDS, but will terminate this function in April 2006.

6. Generally, how will data be retrieved by the user? 

Users can access and save LINUS data at their workstations.  Users have been trained on handling sensitive information and are allowed to use the information only for TE/GE business purposes.  All communications, documents, media, etc. follow IRS media protection policies.

7. Is the data retrievable by a personal identifier such as name, SSN, or other unique identifier? 

No.  Personal identifiers will not retrieve data. An Employer Identification Number (EIN) or Document Locator Number (DLN) is required to access data on this system.

Access to the Data

8. Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Others)?

Only authorized users within IRS have access to information contained within LINUS.  Any data removed from LINUS, such as reports, raw data, or digital media, is handled using established IRS policies. 

LINUS users consist of approximately 30 in the Receipts and Controls Operations group and an additional small group of approximately 10 at the EO Processing Adjustment Unit in Cincinnati that handle adjustments (refunds, insufficient funds, etc.) if a person doesn’t qualify for a user fee or sends a wrong amount.

The role-based access groups defined within the SQL Server database enforce the most restrictive set of rights/privileges or access needed by users to perform their tasks, thereby enforcing least privilege.  Users are only granted access to roles that are necessary to perform the tasks associated with their job.

The following list displays the breakdown of the user groups:
* Administration Users
* User Fee Users
* Refund, Dishonored, & Follow-up Users
* Research Users
* MITS-9 System Administrator (this is a GSS Administrator role, which is within neither the boundaries of the LINUS application nor the scope of this assessment)
* Database Administrator/Application Programmer

Contractors do not access the system.

9. How is access to the data by a user determined and by whom? 

The LINUS application relies on the GSS for its user identification and authentication (login and password) mechanism.  Users are identified uniquely by the SEID from their IRS LAN domain credentials.  A user with IRS LAN domain credentials can only obtain access to the application if the user has been assigned a role within the LINUS SQL Server (provided by the MITS-9 GSS operations group) and the user has the client-side module installed on their workstation.

TE/GE management authorizes all accounts that are established, activated, modified, disabled, and removed via the OL5081 process.  Users are required to complete an OL5081, Information System User Registration/Change Request Form, which lists mandatory rules for users of IRS information and information systems.  When a user has been approved for access to the application by his/her manager, the OL5081 system sends an email to the user, providing an approval notification.  The user then logs into the OL5081 system, reads the Rules of Behavior, and provides an “electronic signature,” acknowledging that he/she has read, understands, and agrees to abide by the Rules of Behavior.

Contractors do not access the system. 

10. Do other IRS systems provide, receive, or share data in the system?  If YES, list the system(s) and describe which data is shared.  If NO, continue to Question 12.

The LINUS application itself does not directly connect with any other applications or information systems outside the IRS Domain.  TE/GE approved all LINUS connections to TEDS and EDS and the business unit owners for all three applications fall within TE/GE.  Data is shared with LINUS from TEDS and EDS within the IRS via FTP.  LINUS relies on IRS GSSs for many of its security controls.  The management of system interconnections is performed at the GSS level as well.

11. Have the IRS systems described in Item 10 received an approved Security Certification and Privacy Impact Assessment?

Certification and Accreditation (C&A):
* TEDS:  TEDS holds a valid C&A received on 8-13-2004, which will expire on 8-13-2007.
* EDS:  EDS does not hold a current C&A.  (EDS will terminate all data exchange with LINUS in April 2006)

Privacy Impact Assessment (PIA):
* TEDS:  TEDS holds a valid PIA received on 3-22-2005, which will expire on 3-22-2008.
* EDS: EDS does not hold a current PIA.  (EDS will terminate all data exchange with LINUS in April 2006)

12.  Will other agencies provide, receive, or share data in any form with this system?  No.

Administrative Controls of Data

13.  What are the procedures for eliminating the data at the end of the retention period?

An administrator archives all data after 10 years.  Once the data has been archived, there is limited access to the data by system owners and administrators.

Retention periods adhere to Records Control Schedule, IRM 1.15 Chapter 22, Item 255 (1).

14.  Will this system use technology in a new way?  If "YES" describe.  If "NO" go to Question 15. No.

15.  Will this system be used to identify or locate individuals or groups?  If so, describe the business purpose for this capability.  No.

16. Will this system provide the capability to monitor individuals or groups? If yes, describe the business purpose for this capability and the controls established to prevent unauthorized monitoring.  No.

17. Can use of the system allow IRS to treat taxpayers, employees, or others, differently?  Explain.  No.

18.  Does the system ensure "due process" by allowing affected parties to respond to any negative determination, prior to final action?

LINUS does not deny individuals a refund or result in any negative determinations.

19.  If the system is Web-based, does it use persistent cookies or other tracking devices to identify web visitors?

No.  LINUS is not a Web-based system.

 


Page Last Reviewed or Updated: October 04, 2006