
11.2.1  Privacy Advocate

11.2.1.1  (05-15-2002)
Basic Principles of Privacy

  1. The Internal Revenue Service is fully committed to protecting the privacy of taxpayers and employees. Among the most basic of taxpayer and employee expectations is that the Service will protect the privacy of personal information, including financial and employment information. Taxpayers and employees also expect that the Service will collect, maintain, use, and disseminate personal information only as authorized by law and as necessary to fulfill agency responsibilities. The Service is dedicated to meeting these expectations.

  2. Privacy refers to a taxpayer's or employee's freedom from unnecessary collection or use of personal information. Personal information is defined as information pertaining to an identifiable party.

  3. Privacy protection within the Internal Revenue Service includes adherence by all IRS employees to the following 10 principles:

    1. Protecting taxpayer privacy and safeguarding confidential taxpayer information is a public trust.

    2. No information will be collected or used with respect to taxpayers that is not necessary and relevant for tax administration and other legally mandated or authorized purposes.

    3. Information will be collected, to the greatest extent practicable, directly from the taxpayer to which it relates.

    4. Information about taxpayers collected from third parties will be verified to the greatest extent practicable with the taxpayers themselves before action is taken against them.

    5. Personally identifiable taxpayer information will be used only for the purpose for which it was collected, unless other uses are specifically authorized or mandated by law.

    6. Personally identifiable taxpayer information will be disposed of at the end of the retention period required by law or regulation.

    7. Taxpayer information will be kept confidential and will not be discussed with, nor disclosed to, any person within or outside the IRS other than as authorized by law and in the performance of official duties.

    8. Browsing, or any unauthorized access to taxpayer information by any IRS employee, constitutes a serious breach of the confidentiality of that information and will not be tolerated.

    9. Requirements governing the accuracy, reliability, completeness, and timeliness of taxpayer information will be such as to ensure fair treatment of all taxpayers.

    10. The privacy rights of taxpayers will be respected at all times and every taxpayer will be treated honestly, fairly, and respectfully.

  4. In addition, as part of the Internal Revenue Service's commitment to privacy protection:

    1. A Privacy Impact Assessment shall be developed and reviewed for each new or substantially modified information system or application;

    2. Procedures addressing the storage, retrievability, accessibility, retention, and disposal of personal information shall be established, maintained, and enforced; and

    3. Safeguards shall be provided to protect against the unauthorized collection, use, and dissemination of taxpayer and employee data.

11.2.1.1.1  (05-15-2002)
Privacy Legislation and Guidance

  1. The IRS Privacy Program has its foundation in federal statutes, Office of Management and Budget directives, and IRS guidance including, but not limited to, the authorities described below.

11.2.1.1.1.1  (05-15-2002)
IRS Policy Statement on Taxpayer Privacy Rights

  1. Policy Statement on Taxpayer Privacy Rights, Policy Statement P-1-1, October 1994. This policy statement serves as a bill of privacy rights for the taxpayer.

11.2.1.1.1.2  (05-15-2002)
IRS Declaration of Privacy Principles

  1. Declaration of Privacy Principles, issued by the IRS Commissioner, May 1994. These principles establish how the IRS will conduct its business in order to ensure the taxpayer's privacy is protected.

11.2.1.1.1.3  (05-15-2002)
Office of Management and Budget (OMB) Memorandum 01-05

  1. OMB Memorandum 01-05, Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy, dated December 20, 2000, provides a set of privacy principles in conducting inter-agency data sharing.

11.2.1.1.1.4  (05-15-2002)
Office of Management and Budget Memorandum 00-13

  1. OMB Memorandum 00-13, Privacy Policies and Data Collection on Federal Web Sites, dated June 22, 2000, requires that agencies comply with the guidance of OMB Memorandum 99-18 regarding web site privacy policies and prohibits the use of persistent "cookies" on Federal web sites.

11.2.1.1.1.5  (05-15-2002)
Office of Management and Budget Memorandum 99-18

  1. OMB Memorandum 99-18, Privacy Policies on Federal Web Sites, dated June 2, 1999, provides guidance and model language for Federal web site privacy policies.

11.2.1.1.1.6  (05-15-2002)
Internal Revenue Code Section 6103

  1. Internal Revenue Code Section 6103, Confidentiality and Disclosure of Return and Return Information, protects tax returns and return information.

11.2.1.1.1.7  (05-15-2002)
IRS Reform and Restructuring Act of 1998

  1. The IRS Reform and Restructuring Act of 1998 (Public Law No. 105-206), dated July 22, 1998, directs the Internal Revenue Service to revise its mission statement to provide greater emphasis on serving the public and meeting the needs of taxpayers.

11.2.1.1.1.8  (05-15-2002)
Taxpayer Browsing Protection Act of 1997

  1. The Taxpayer Browsing Protection Act (Public Law No. 105-35), dated August 5, 1997, amends the Internal Revenue Code of 1986 to prohibit the unauthorized inspection of tax returns and return information.

11.2.1.1.1.9  (05-15-2002)
Office of Management and Budget Circular No. A-130

  1. OMB Circular A-130, Management of Federal Information Resources, dated February 8, 1996, requires Federal agencies to protect an individual's privacy when they collect personal information.

11.2.1.1.1.10  (05-15-2002)
Privacy Act of 1974

  1. The Privacy Act of 1974 (5 USC § 552a, as amended) affords individuals the right to privacy in records that are maintained and used by Federal agencies.

11.2.1.1.1.11  (05-15-2002)
Freedom of Information Act

  1. The Freedom of Information Act (5 USC § 552, as amended) provides for the disclosure of information maintained by Federal agencies and permits withholding of personal information.

11.2.1.2  (05-15-2002)
Roles and Responsibilities

  1. The Internal Revenue Service Privacy Program includes roles and responsibilities for all Service employees as described in the following sub-sections.

11.2.1.2.1  (05-15-2002)
IRS Employees

  1. As users of IRS systems and taxpayer records, whether electronic or paper, IRS employees shall:

    1. Access records containing tax and personal information only when the information is needed to carry out their official duties; and

    2. Disclose tax and personal information about taxpayers or employees and contractors only in accordance with applicable laws, regulations, and IRS policies and procedures.

11.2.1.2.2  (05-15-2002)
Privacy Advocate

  1. The Privacy Advocate shall:

    1. Act as an advocate for the privacy interests of taxpayers and employees;

    2. Administer the Privacy Impact Assessment process to ensure all IRS information programs address and resolve privacy issues;

    3. Promulgate privacy policies, including IRS web site policy, in consultation with affected Business Owners;

    4. Review and approve privacy notices for IRS Internet and Intranet web sites;

    5. Develop and implement appropriate privacy education and training for all IRS employees and contractors; and

    6. Communicate and publicize IRS privacy practices to employees, contractors, taxpayers, other government agencies, and the public at large.

11.2.1.2.3  (05-15-2002)
IRS Business Owners

  1. IRS Business Owners shall:

    1. Follow applicable laws, regulations, and IRS policies and procedures in the development, implementation, and operation of all information systems under their control;

    2. Ensure that only personal information that is necessary and relevant for tax administration and other legally mandated or authorized purposes is collected;

    3. Ensure that all new information systems, systems under development, or systems undergoing major modifications that contain personal information have an approved Privacy Impact Assessment;

    4. Ensure that all personal information is protected and disposed of in accordance with applicable laws, regulations, and IRS policies and procedures;

    5. Use information collected from taxpayers, employees, or contractors only for the purposes for which it was collected, unless other purposes are legally mandated or authorized; and

    6. Ensure that the privacy of taxpayers and employees is respected at all times.

11.2.1.2.4  (05-15-2002)
IRS System Developers

  1. IRS System Developers shall:

    1. Follow applicable laws, regulations, and IRS policies and procedures in the development, implementation, and operation of information systems under their control;

    2. Review their data collection to ensure that the minimum amount of personal information is collected, used, and maintained;

    3. Establish and maintain physical, electronic, and administrative access controls on personal information;

    4. Dispose of personal information at the required time and in accordance with IRS policies and procedures; and

    5. Ensure that all new information systems, systems under development, or systems undergoing major modifications that contain personal information have an approved Privacy Impact Assessment.

11.2.1.3  (05-15-2002)
Privacy in the Information System's Life Cycle

  1. The Internal Revenue Service recognizes the importance of protecting the privacy of taxpayers and employees, especially as it modernizes its taxpayer and employee information systems. Privacy issues must be addressed when systems are being developed or updated, and privacy protections must be integrated into the life cycle of these automated systems. The vehicle for addressing privacy issues in a system is the Privacy Impact Assessment (PIA). The PIA process also provides a means to monitor compliance with applicable laws and regulations governing taxpayer and employee privacy.

11.2.1.3.1  (05-15-2002)
Privacy Impact Assessment

  1. The Privacy Impact Assessment (PIA) is a process used to evaluate privacy in information systems. The process is designed to guide Business Owners and System Developers in evaluating privacy risks through the stages of system development. The PIA process consists of the following steps:

    1. Business Owners and System Developers answer the questions in Section V of the PIA about the system design and information collection, maintenance, and access (Document 9927).

    2. The Office of the Privacy Advocate answers questions about the PIA, provides training, and serves as an agency resource on privacy issues.

    3. Business Owners and System Developers submit the completed PIA to the Privacy Advocate for review.

    4. The Office of the Privacy Advocate reviews the completed PIA to identify privacy risks and to ensure only relevant and necessary information is collected and used.

    5. The Business Owner, System Developer, and the Privacy Advocate reach agreement on design requirements to resolve all identified risks. If an agreement cannot be reached, the unresolved issues will be presented to the Chief Information Officer for his decision.

    6. The Business Owner and System Developer incorporate the agreed upon design requirements to resolve the identified risks.

    7. The Business Owner and System Developer conduct the system's life cycle review to ensure satisfactory resolution of identified privacy risks and obtain formal approval from the Privacy Advocate.

11.2.1.3.1.1  (05-15-2002)
Privacy Impact Assessment Roles and Responsibilities

  1. The Privacy Impact Assessment process consists of the following roles and responsibilities.

11.2.1.3.1.1.1  (05-15-2002)
IRS Business Owners

  1. IRS Business Owners and System Owners shall:

    1. Review their data collection to ensure that the minimum amount of relevant and necessary information is collected, used, and maintained;

    2. Work with the System Developers to complete the Privacy Impact Assessment; and

    3. Answer what data is to be used, how the data is to be used, and who will use the data.

11.2.1.3.1.1.2  (05-15-2002)
System Developers

  1. System Developers shall:

    1. Work with the Business Owners to complete the Privacy Impact Assessment; and

    2. Address whether the technical implementation of the Business Owners' requirements compromises personal privacy.

11.2.1.3.1.1.3  (05-15-2002)
Office of the Privacy Advocate

  1. The Office of the Privacy Advocate shall:

    1. Review the Privacy Impact Assessment (PIA) submitted by the Business Owner and System Developer;

    2. Work with the Business Owner and System Developer to develop design requirements that resolve risks identified by the PIA;

    3. Provide training on privacy-enhancing strategies; and

    4. Present risks that cannot be resolved to the Chief Information Officer for resolution.

11.2.1.3.1.2  (05-15-2002)
Privacy Impact Assessment Process

  1. Owners of new systems, systems under development, or systems undergoing major modifications are required to complete a Privacy Impact Assessment (PIA). The Privacy Advocate reserves the right to request that a PIA be completed on any existing system that the Privacy Advocate determines may have privacy risks.

  2. The purpose of the PIA is to identify privacy risks in the system and limit the information collected and used to only what is relevant to achieve a legitimate business purpose. The Business Owner and System Developer must initiate the PIA in the early stages of the development of a system and complete it as part of the system's required Enterprise Life Cycle review. Privacy must be considered when requirements are being analyzed and decisions are being made about data use and system design.

  3. The Business Owner and System Developer must submit the completed PIA to the Office of the Privacy Advocate for review and approval.

  4. Details of the PIA process are described in Document 9927, Privacy Impact Assessment, Version 1.3, dated December 17, 1996.

11.2.1.4  (05-15-2002)
Internet Web Site Privacy Notices and Data Collection

  1. Privacy notices are used to inform the public of the information collection procedures and the privacy measures in place at a particular Internet web site or activity.

  2. The IRS privacy policy notice must be posted at every major entry point to the Internet site as well as on any web page collecting substantial personal information from the public.

  3. The IRS privacy policy notice is an overview of IRS privacy practices, a description of any information collected and stored automatically by the system and how this information will be used, an explanation of how IRS will use any personally identifiable information submitted by the Internet visitor, and notice that security and intrusion protection measures are in place. The notice is available at http://cl.no.irs.gov/privacy/webpolicy.html or from the Office of the Privacy Advocate.

  4. Any IRS Internet web site that links to external sites must post a departure notice. This notice alerts Internet visitors that they are about to leave the IRS web site and its privacy practices and advises them to review the web site privacy practices on the web site they are about to enter. Notices for government links and non-government links are available at http://cl.no.irs.gov/privacy/webpolicy.html or from the Office of the Privacy Advocate.

  5. Persistent "cookies" or other tracking devices to monitor the public's visits may not be used on an IRS Internet site.

11.2.1.5  (05-15-2002)
Intranet Web Site Privacy Notices and Data Collection

  1. Privacy notices are used to inform employees of the information collection procedures and the privacy measures in place at a particular Intranet web site or activity.

  2. The IRS privacy policy notice must be posted at every major entry point to an Intranet site as well as on any web page collecting personal information from an employee.

  3. The IRS privacy policy notice is an overview of IRS privacy practices, a description of any information collected and stored automatically by the system and how this information will be used, an explanation of how the IRS will use any personally identifiable information submitted by the employee, and notice that security and intrusion protection measures are in place. The notice is available at http://cl.no.irs.gov/privacy/webpolicy.html or from the Office of the Privacy Advocate.

  4. Any IRS Intranet web site or page that links to external sites must post a departure notice. This notice alerts employees that they are about to leave the IRS web site and its privacy practices and advises them to review the privacy practices on the web site that they are about to enter. Notices for government links and non-government links are available at http://cl.no.irs.gov/privacy/webpolicy.html or from the Office of the Privacy Advocate.

  5. Persistent "cookies" or other tracking devices to monitor an employee's visits to IRS Intranet sites may not be used.
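The persistent-cookie prohibition in 11.2.1.4(5) and 11.2.1.5(5) can be verified against a site's actual HTTP responses. The following Python check is an added example, not part of the IRM and not an IRS tool: it classifies Set-Cookie header values as session or persistent using the Max-Age and Expires rules of RFC 6265, and the sample headers it runs on are constructed.

```python
"""Checks Set-Cookie headers for the persistent cookies that IRM 11.2.1.4(5)
and 11.2.1.5(5), following OMB M-00-13, prohibit on IRS web sites."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Iterable, List, Optional

@dataclass
class CookieReport:
    name: str
    persistent: bool
    reason: str  # short explanation of the classification

def classify_cookie(header: str, now: Optional[datetime] = None) -> CookieReport:
    """A cookie is persistent when it carries a positive Max-Age or a future
    Expires date; one with neither lives only for the browser session."""
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    # Attribute names are case-insensitive (RFC 6265).
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in parts[1:])}
    # Max-Age takes precedence over Expires when both are present.
    if "max-age" in attrs:
        try:
            max_age = int(attrs["max-age"])
        except ValueError:
            return CookieReport(name, False, "invalid Max-Age ignored")
        if max_age > 0:
            return CookieReport(name, True, f"Max-Age={max_age}")
        return CookieReport(name, False, "Max-Age<=0 deletes the cookie")
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return CookieReport(name, False, "unparseable Expires ignored")
        if exp.tzinfo is None:  # treat a naive date as UTC
            exp = exp.replace(tzinfo=timezone.utc)
        if exp > now:
            return CookieReport(name, True, f"Expires={attrs['expires']}")
        return CookieReport(name, False, "Expires already passed")
    return CookieReport(name, False, "session cookie")

def find_persistent_cookies(headers: Iterable[str],
                            now: Optional[datetime] = None) -> List[CookieReport]:
    """Return only the cookies that would outlive the browser session."""
    return [r for r in (classify_cookie(h, now) for h in headers) if r.persistent]

# Constructed sample headers for the check; not taken from any real response.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "visitor_id=7f3a; Expires=Fri, 31 Dec 2099 23:59:59 GMT; Path=/",
    "prefs=en; Max-Age=31536000; Path=/",
    "tmp=1; Max-Age=0",
]
```

Run it against the Set-Cookie headers captured from each entry-point page; any entry in the returned list is a cookie that the notice and policy above say must not be set.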
