Approved - May 30, 2008
System Overview
The WMSP applet provides taxpayers who have filed a 2007 tax return the status and amount of their 2008 Economic Stimulus Payment. The taxpayer will authenticate using shared secrets from their return. Shared secrets are knowledge based data items that should be known to both the IRS and the taxpayer. In this case, the WMSP applet looks for the user’s social security number (SSN), their 2007 tax return filing status, and their 2007 tax return number of filed exemptions. A user must have filed their 2007 tax return in order to be eligible for the rebate.
System of Records Numbers
-
IRS 24.030--CADE Individual Master File (IMF), (Formerly: Individual Master File (IMF))
-
IRS 24.046--CADE Business Master File (BMF) (Formerly: Business Master File (BMF))
-
IRS 34.037--IRS Audit Trail and Security Records System
Data in the System
1. Describe the information (data elements and fields) available in the system in the following categories:
A. Taxpayer
B. Employee
C. Audit Trail Information (including employee log-in info)
D. Other (Describe)
A. Taxpayer
-
SSN
-
2007 tax return filing status
-
2007 tax return number of filed exemptions
-
Economic Stimulus Payment Amount
-
Payment date
-
Payment method
B. Employee
No IRS employee data is required in the WMSP applet because IRS employees will not use the WMSP applet to process requests.
C. Audit trail information (including employee login info)
WMSP audit data is captured by the Security Audit and Analysis System (SAAS). Audit trail logging for the applet is sent to SAAS via Application Messaging and Data Access Services (AMDAS) for each transaction that reaches the back-end. SAAS will receive the SSN for the taxpayer trying to authenticate to the WMSP applet.
D. Other
N/A
2. Describe/identify which data elements are obtained from files, databases, individuals, or any other sources.
A. IRS
B. Taxpayer
C. Employee
D. Other Federal Agencies (List agency)
E. State and Local Agencies (List agency)
F. Other third party sources (Describe)
A. IRS
Taxpayer information comes from Individual Master File (IMF). IMF provides:
-
SSN
-
2007 tax return filing status
-
2007 tax return number of filed exemptions
-
Economic Stimulus Payment Amount
-
Payment date
-
Payment method
Taxpayer information comes from Customer Account Data Engine (CADE). CADE provides:
B. Taxpayer
The Taxpayer provides the following information:
C. Employee
No data is obtained from employees.
D. Other Federal Agencies
No data is obtained from any federal agencies.
E. State or Local Agencies
No data is obtained from any state or local agencies.
F. Other Third Party Sources
No data is obtained from any other third party sources agencies.
3. Is each data item required for the business purpose of the system? Explain.
Yes. All data items are necessary to authenticate the user and provide the user with their Economic Stimulus Payment.
4. How will each data item be verified for accuracy, timeliness, and completeness?
WMSP restricts user input through the use of multiple mechanisms. The WMSP applet restricts user input through the use of JavaScript that notifies the user if sections of the form were left blank or the input was a different type than what is acceptable for the field. Radio buttons are also used to collect user responses for application defined answers. This adds control to the values that can be stored or processed by the system.
The system also provides the taxpayer through the use of “on screen” thumbnail examples of where to find the information on a sample filed tax return.
Data received through IMF and CADE are verified by the business web application server (BWAS) for correct format and completeness prior to it going into production.
5. Is there another source for the data? Explain how that source is or is not used.
No. There are no other sources of data.
6. Generally, how will data be retrieved by the user?
The data is retrieved via a query using the Social Security Number (SSN).
7. Is the data retrievable by a personal identifier such as name, SSN, or other unique identifier?
Yes, the data is retrievable by Social Security Number (SSN).
Access to the Data
8. Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Others)?
The users for this applet will be the taxpayers. All data in the system is read-only. Information is stored on a flat file from data retrieved from the CADE and IMF systems. System and Database administrators will have access to maintain the application and the underlying hosting environment, but not modify the data.
Contractors, including Developers, will not have direct access to the WMSP production system or database.
9. How is access to the data by a user determined and by whom?
All taxpayers are granted access to their own data through the applet front end. Taxpayers must have filed their 2007 tax return in order to use the system. The WMSP applet uses shared secrets (SSN, 2007 tax return filing status, 2007 tax return number of filed exemptions) known only to the taxpayer and the IRS.
Backend user access, such as developers and system and database administrators, are determined by the manager based on a user’s position and need-to-know. The manager will request a user be added. They must complete an Information System User Registration/Change Request in Online 5081 to request access to the application. A user’s access to the data terminates when it is no longer required. Criteria, procedures, controls, and responsibilities regarding access are documented in the Information Systems Security Rules in Online 5081.
Contractors do not have access to the data on the system.
10. Do other IRS systems provide, receive, or share data in the system? If YES, list the system(s) and describe which data is shared. If NO, continue to Question 12.
Taxpayer information is extracted from IMF and CADE. The data is transferred to the WMSP applet via EFTU. Data transfers occur daily for CADE and weekly for IMF.
Desktop Integration also retrieves data from the BWAS server to provide information to the Customer Service Representatives. This transfer occurs behind three firewalls using the User Datagram Protocol (UDP) packets. The information is transmitted on an ad hoc basis.
11. Have the IRS systems described in Item 10 received an approved Security Certification and Privacy Impact Assessment?
Customer Account Data Engine (CADE)
-
C&A - 2/26/2008
-
PIA - 2/22/2008
Individual Master File (IMF)
-
C&A - 6/21/2007
-
PIA - 6/07/2007
12. Will other agencies provide, receive, or share data in any form with this system?
Treasury Inspector General for Tax Administration (TIGTA) and Government Accountability Office (GAO) has audit authority, which allows them to conduct audits of WMSP information or the system itself at any time. Therefore, they will be allowed access to WMSP or its data, provided they follow the necessary steps to obtain the information. However, no information is automatically generated or delivered to either Agency.
Administrative Controls of Data
13. What are the procedures for eliminating the data at the end of the retention period?
All data will be retained in accordance with Internal Revenue Manual (IRM) 1.15.29. Data received through authentication is stored on the session and will not be retained for any period of time in WMSP. The system only uses “session-only” cookies. The session cookie is destroyed when the user terminates his/her web browser client; logs out of the application; or when the session timeout period has elapsed due to inactivity (20 minutes), whichever occurs first. However, invalid authentication attempts on the application will be stored in the WMSP authentication database for the remainder of that day. At the beginning of the next day (12:00 AM Eastern Time), the WMSP application will execute a script that purges and overwrites the data to ensure its deletion. It should be noted that this database maintains invalid session retries so that users are limited to a certain number of invalid authentication attempts per day.
14. Will this system use technology in a new way? If "YES”, describe. If "NO" go to Question 15.
No. WMSP does not use technology in a new way.
15. Will this system be used to identify or locate individuals or groups? If so, describe the business purpose for this capability.
No. WMSP only provides information to the taxpayer regarding the amount of their Economic Stimulus Payment and the date they can expect to receive it.
16. Will this system provide the capability to monitor individuals or groups? If yes, describe the business purpose for this capability and the controls established to prevent unauthorized monitoring.
No. WMSP does not provide the capability to monitor individuals or groups.
17. Can use of the system allow IRS to treat taxpayers, employees, or others, differently? Explain.
No. WMSP treats all taxpayers equally and provides an explanation of how the payment was calculated.
18. Does the system ensure "due process" by allowing affected parties to respond to any negative determination, prior to final action?
WMSP does not impact due process rights of taxpayers. WMSP only provides information to the taxpayer regarding the amount of their Economic Stimulus Payment and the date they can expect to receive it.
19. If the system is Web-based, does it use persistent cookies or other tracking devices to identify Web visitors?
No. The system only uses “session-only” cookies. The session cookie is destroyed when the user terminates his/her web browser client; logs out of the application; or when the session timeout period has elapsed due to inactivity (20 minutes), whichever occurs first.
View other PIAs on IRS.Gov
| 
