Privacy Impact Assessment - Returns Inventory and Classification System - Compliance Decision Analytics (RICS-CDA)
(RICS-CDA) System Overview
The TE/GE RICS-CDA Compliance Decision Analytics (CDA) Project will develop a comprehensive set of tools/capabilities to provide decision support, including replacing manual or outdated and incomplete classification processes with automated ranking, issue scoring, issue selection and workload selection capabilities. It will further develop case building functionality, provide additional data sets and a Compliance Data Store, develop an automated process to execute Risk Models for case selection, and provide enterprise tools for sharing information across the TE/GE organization. The RICS-CDA project will provide the case selection functionality necessary for the TE/GE Accelerated Case Building (ACB) project, which will greatly improve the selection of the appropriate cases for exam, thus reducing cycle time and the no claim rate.
System of Records Notice (SORN) #:
Treasury/IRS 34.037 IRS Audit Trail and Security Records System
Treasury/IRS 50.222 Tax Exempt/Government Entities (TE/GE) Case Management Records
Treasury/IRS 42.021 (for compliance project records)
Data in the System
Describe the information (data elements and fields) available in the system in the following categories:
Taxpayer
Employee
Audit Trail Information (including employee log-in info)
Other (Describe)
Taxpayer - The taxpayer information available is primarily on organizational and business taxpayers, with the exception of taxpayer data available on Form 5330 (which includes individual information). This information includes data elements from the following forms:
WebRICS Forms and Information
Form 5500 - Annual Report of Employee Benefit Plan
Name of Plan Sponsor (individual)
Name of Plan Administrator (individual)
Employer Identification Number (EIN)
Administrator’s EIN
Preparer’s Information and EIN
Form 941 - Employer’s Quarterly Federal Tax Return
EIN
Contact name and phone
Form 8038 - Arbitrage Rebate Provisions
Issuer’s name and title
EIN
Form 8328 - Activity of Unused Private Activity Bonds
Reporting Authority’s EIN
Name and Title of Authorized Public Official
Form 945 - Annual Return of Withheld Federal Income Tax
Contact name, address and title
EIN
Form 990 Return of Organization Exempt from Income Tax:
Organization name
Employer Identification Number (EIN)
Organization address
Organization e-mail
Organization representative contact
Organization custodian of records
Form 990 (including Schedule B) Return of Organization Exempt from Income Tax:
Organization type (e.g., 527)
Organization gross receipts and revenue
Organization Expenditures
Organization Balance Sheet data
Names of organization officers, title, and address
Contributors’ names, mailing addresses, and zip codes
Contributors’ employers, occupations, and aggregate annual contributions
Amount of contributions
Individual taxpayer data is only available from Form 5330. All other data represents businesses, organizations and pension plans.
Form 5330 Return of Excise Taxes Related to Employee Benefit Plan:
Name of filer
Filer’s identifying Number (EIN) or SSN
Address of Filer
Filer telephone number
DB2 Database Forms and Information:
Forms 11, 720, 730, 940, 941, 943, 944, 945, 990, 1041, 1042, 1065, 1096, 1120, 2290, 3892, 4136, 4626, 4720, 4952, 5227, 5330, 5500, 5800, 8038, 8050, 8288, 8328, 8804, 8871, 8872 and W2
The above forms (including applicable schedules) are contained within the DB2 database of the RICS-CDA system and may contain the following elements:
Address
EIN
IN
Name
Phone
PTN
SSN
TIN
Employee - WebRICS users are identified uniquely by their Standard Employee Identifier (SEID).
An employee audit trail notes the following events:
Username
Date
Time
Table(s) queried
Audit Trail - RICS-CDA maintains an audit log which details the user identifier associated with what events occurred, the date and time of the events, and the outcome of the events.
WebRICS Audit Trail:
Date
Time
Username
Table(s) queried
DB2 Database Audit Trail:
EIN
Plan number
Document code
Tax period
Condition code
Creation DT
Document Locator Number
Error code
File name
Form count
Select Code
Issue codes
Creation Time
MFT_CD
Mode code
Exam code
NON_EXAM_DT
Org code
Org GEN code
Project code
Purpose code
Seed text
Source code
Status code
User ID code
Other (Describe) - Employee Plans (EP) Master File and Return File (also known as CFOL, the Corporate Files Online file)
Business Master File and Return file
Audit Information Management Systems (AIMS) Data from Detroit Computing Center (DCC) (BIMF)
Categories of organizations
Describe/identify which data elements are obtained from files, databases, individuals, or any other sources.
IRS
Taxpayer
Employee
Other Federal Agencies (List agency)
State and Local Agencies (List agency)
Other third party sources (Describe)
IRS - All data available is from the IRS: EP Master File, Business Master File, and AIMS data. EO is included in BMF.
Taxpayer - None. All data elements come from IRS systems.
Employee - None
Other Federal Agencies (List Agencies) - None
State and Local Agencies (List Agencies) - None
Other Third Party Sources (Describe) - None
Is each data item required for the business purpose of the system? Explain.
The availability of each data item within RICS-CDA allows for an easier and faster method to examine the level of compliance of its customers. The selection of data through RICS-CDA allows the user to group forms into categories, allowing easy assignment based on the project being worked. The data can be used to verify consistency of information between filings and for other, more complicated trend analysis. RICS-CDA is needed as a research tool to provide for consistency of information and trend analysis.
How will each data item be verified for accuracy, timeliness, and completeness?
RICS limits user inputs for designated fields within the application. Checks on the valid syntax of the application inputs (e.g., character set, length, numerical range, acceptable values) are in place to ensure that inputs match specified definitions for format and content.
Regularly scheduled batch processing and load programs (daily, weekly or monthly) are written to ensure data is in the correct syntax for RICS-CDA and confirm that the table structure allows only expected types (such as character, decimal, etc.).
RICS data is checked on a quarterly basis. If errors are noticed outside of quarterly reviews, they are addressed immediately.
Is there another source for the data? Explain how that source is or is not used.
No. No other source of data is necessary to complete the research purpose of RICS.
Generally, how will data be retrieved by the user?
A RICS-CDA user retrieves data via the web-based WebRICS application or via the BI/Query Module which provides access to the DB2 Database.
A BI/Query Module user accesses the data by logging into the mainframe using a network login to access data. The BI Query application that provides access to the DB2 database is a commercial off-the-shelf application loaded on each machine, running off the DB2 database.
Once in the system, a RICS-CDA user retrieves data by creating their own selection criteria, which are displayed in a form format. The final forms can be (1) printed; (2) viewed on the screen; (3) manually ordered from service campus files; and/or (4) randomly sampled to provide a statistically valid sample on which to base a study.
Is the data retrievable by a personal identifier such as name, SSN, or other unique identifier?
WebRICS users retrieve data by entering a unique Standard Employee Identifier (SEID). The WebRICS application grabs the user LAN login, so no additional input is needed for WebRICS access. Within WebRICS, the TE/GE forms available can be:
printed electronically to a PDF file;
viewed on the screen;
sampled statistically; and
marked for audit (may be sent to AIMS).
BI/Query module users are identified by the same unique username as their IRS LAN domain credentials. LAN credentials do not solely allow access. A RICS-CDA BI Query user must also enter a 5 digit DB2 login (the first two letters identify the group, e.g. EP or EO, while the last three digits are assigned by security).
Within the BI Query module a user has capability to query the DB2 database off any field in the entire database.
Such fields include:
TIN
EIN
Name and address of organization
Tax period that the return covers (e.g., 2005)
Access to the Data
Who will have access to the data in the system (Users, Managers, System Administrators, Developers, Others)?
Only designated members of the General Support System (GSS) – MITS2 operations group have direct access to the RICS-CDA application server, and therefore they are the only individuals authorized to perform application management functions.
Each RICS-CDA user is only permitted to access the data for their respective group (for example, RICS-CDA users within EO may only access EO data. See Question 9 for group descriptions). Permission to access WebRICS is separate from permission to access the DB2 Database within the BI Query Module. Access to the WebRICS or BI Query server is determined on a role basis.
The only third-party providers for RICS-CDA services are two (2) contractors, who both have High Risk= BI classified staff-like access. The contractors are both application programmers.
How is access to the data by a user determined and by whom?
TE/GE determines access based on user role and applies restrictions accordingly. Users are given access credentials through OL5081.
Users are only granted access to RICS-CDA as necessary to fulfill the duties of their role. A TE/GE user’s manager determines the level of access appropriate for the user. Through the access control mechanisms employed, the application establishes appropriate division of responsibility and separation of duties to eliminate conflict of interest in the responsibilities and duties of individuals. The role-based access groups defined within the RICS-CDA application enforce the most restrictive set of rights/privileges or access needed by users to perform their tasks, thereby enforcing least privilege. To clarify: an EO user only has access to EO data, and an EP user only has access to EP data.
The WebRICS application employs the following five (5) access groups (modes):
EP - Employee Plans
EO - Exempt Organizations
FSLG - Federal, State and Local Governments
TEB - Tax Exempt Bonds
ITG - Indian Tribal Governments
Access to the DB2 database:
Two levels control access to the data in the DB2 database. One is on the DB2 side (groups listed below) and the other is applied at the group level and the individual level. Users with an EP prefix on their user ID do not necessarily have the same privileges as another EP user. Within that, the BI broker server and WebRICS restrict access further based on roles. The DB2 Mainframe employs the following access groups:
EP - Employee Plans
EO - Exempt Organizations
BO - Tax Exempt Bonds
IT - Indian Tribal Governments
FS - Federal, State, & Local Governments
MI - RICS-CDA Programmers
RW - RICS-CDA Program (Batch and WebRICS)
Do other IRS systems provide, receive, or share data in the system? If YES, list the system(s) and describe which data is shared. If NO, continue to Question 12.
The following are RICS-CDA system interfaces. Please see attachment for a description of shared data types.
Data provided to RICS:
Business Master File Executive Control (BMF 701 Exec)
Coordinated Examination Management Information System (CEMIS)
Base Inventory Master File (DIMF-BIMF)
Employee Plans Exempt Organizations Determination System (EDS)
Employee Plans Master File On-Line Processing (EMFOL/EPMFOL)
Employee Plan Return Transaction File / On-Line (EPMF RTFOL)
Headquarters Employee Plans Technical Division (HQEP)
MeF
W2 INPUT
Statistics of Income (SOI)
ACCOMP
Information Returns Transcript File On-Line (IRPTR)
1096
Data from RICS:
Audit Information Management System (AIMS)
EP-EO Return Inventory Control System (ERICS)
The RICS-CDA application itself does not directly connect with any other applications. Information systems connections do not occur at the application level on RICS. Data is shared with RICS-CDA from other sources within the IRS via FTP. The sources are approved to use FTP to upload files to the Mainframe. Data is FTP’d to the mainframe, where batch processes take the files and load them into the RICS-CDA database.
Have the IRS systems described in Item 10 received an approved Security Certification and Privacy Impact Assessment?
ACCOMP
No previous PIA
No previous C&A
Annual Summary and Transmittal of U.S. Information Returns (1096)
No previous PIA
No previous C&A
Audit Information Management System (AIMS)
PIA Completed 4/10/06
No previous C&A
Base Inventory Master File (DIMF-BIMF)
PIA Completed 3/29/06
C&A included in GSS
Business Master File Executive Control (BMF 701 EXEC)
No previous PIA
C&A completed 8/16/04, expires 9/10/06
Coordinated Examination Management Information System (CEMIS)
No previous PIA
C&A included in GSS
Employee Master File On-Line (EMFOL/EPMFOL)
PIA completed 1/23/06, expires 1/23/09
C&A completed 8/13/04, expires 9/9/06
Employee Plans-Exempt Organizations Determination System (EDS)
PIA completed 3/8/05, expires 3/8/08
C&A included in GSS, ATO - 7/28/2003, expires 8/11/05
Employee Plans Master File Returns Transaction File On-Line Processing (EPMF/RTFOL)
No previous PIA
C&A completed 8/13/04, expires 9/9/06
EP-EO Returns Inventory Control System (ERICS)
PIA Completed 4/20/06
C&A included in GSS
Headquarters Employee Plans (HQEP)
PIA Completed 2/28/06
C&A included in GSS
Will other agencies provide, receive, or share data in any form with this system? No.
Administrative Controls of Data
What are the procedures for eliminating the data at the end of the retention period?
User identifiers that are inactive for a period of 90 days are disabled.
The existing RICS does not have a mechanism to eliminate records. This weakness will be remediated.
Records will be maintained in RICS-CDA in accordance with Records Management and Disposition policy, IRM 1.15. The Records Control Schedule for TE/GE is published in IRM 1.15.24, and the disposition guidance is located in 1.15.3.
Will this system use technology in a new way? If "YES" describe. If "NO" go to Question 15. No.
Will this system be used to identify or locate individuals or groups? If so, describe the business purpose for this capability.
Yes. For all entities RICS-CDA does have location and address information which can be used to locate an organization or business. Examiners use the system to determine current address information. It is possible to monitor individuals because Form 5330 provides the name and contact phone of the filing individual.
Will this system provide the capability to monitor individuals or groups? If yes, describe the business purpose for this capability and the controls established to prevent unauthorized monitoring.
Yes. However, the role of RICS-CDA is only to make the data available and pull queries but not to do actual monitoring. RICS-CDA does provide the capability through data analysis; however, the analysis is not to specifically monitor an individual or organization.
Can use of the system allow IRS to treat taxpayers, employees, or others, differently? Explain.
No. RICS-CDA is only a research tool and cannot treat taxpayers or employees disparately.
Does the system ensure "due process" by allowing affected parties to respond to any negative determination, prior to final action?
The system does not have the ability to confer a negative determination.
If the system is web-based, does it use persistent cookies or other tracking devices to identify web visitors?
No. Within WebRICS neither session nor persistent cookies are utilized. The data viewed during a session is temporary and is inaccessible after a user has disconnected.